IDS mailing list archives
RE: IDS Incident Escalation Procedure
From: "john lokka" <merigoth () gmail com>
Date: Thu, 6 Sep 2007 02:43:47 +0000
> Hi There,
>
> Would appreciate if anyone can share what should we include to formulate an IDS/IPS incident escalation procedure.
>
> Thanks,
> Jim

-------

Jim,

You'll want to take into account the expected effort versus the expected outcome of the incident.

For example, your network has a worm outbreak. The expected effort is medium (reimage and repatch computers to a known baseline), but the expected outcome is low (non-law-enforcement involvement). However, a million credit cards are stolen. The expected effort is high (create forensically sound images, etc.) and the expected outcome is high (law enforcement involvement and severe public relations).

This leads to a categorization of incidents and possibly matrixing. You may want to have columns labeled with "sysadmin", "forensics team", "cso/cio", and "president", with rows labeled "virus/worm", "unauthorized user", "unauthorized root", "Insecure Information Handling", etc. Where the boxes meet, a defined response and/or a check box (meaning level of notification; this would be explained elsewhere).

Hopefully, this helps.

R/
John Lokka, CISSP