IDS mailing list archives

RE: IDS Incident Escalation Procedure


From: "john lokka" <merigoth () gmail com>
Date: Thu, 6 Sep 2007 02:43:47 +0000

Hi There,

I would appreciate it if anyone could share what we should include to
formulate an IDS/IPS incident escalation procedure.
Thanks,

Jim
-------

Jim,

   You'll want to take into account the expected effort versus the
expected outcome of the incident. For example, your network has a worm
outbreak. The expected effort is medium (reimage and repatch computers
to a known baseline), but the expected outcome is low (no law
enforcement involvement). However, a million credit cards are stolen.
The expected effort is high (create forensically sound images, etc.) and
the expected outcome is high (law enforcement involvement and severe
public relations). This leads to a categorization of incidents and
possibly matrixing. You may want to have columns labeled with
"sysadmin", "forensics team", "cso/cio", and "president" with rows
labeled "virus/worm", "unauthorized user", "unauthorized root",
"Insecure Information Handling", etc. Where the boxes meet, a defined
response and/or a check box (meaning the level of notification, which
would be explained elsewhere).

Hopefully this helps.

R/
John Lokka, CISSP
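One way to encode the effort-versus-outcome categorization and the role/incident notification matrix described in the reply above, as an added example that is not code from the thread. The category scores, the role sets per tier, the 50-host threshold, the regulated-data rule and the response wording are assumptions for illustration; a real procedure would take them from the organisation's policy.

```python
"""Escalation matrix for IDS/IPS incidents.

Added example, not code from the original thread. Rows are incident
categories (as in the post), columns are notification roles; the
thresholds, role sets and response actions are assumptions for
illustration and would be set by each organisation's policy.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Matrix rows: (expected effort to contain/recover, expected outcome in
# terms of legal, regulatory and public-relations exposure) per category.
CATEGORIES = {
    "virus/worm": (Level.MEDIUM, Level.LOW),
    "unauthorized user": (Level.MEDIUM, Level.MEDIUM),
    "unauthorized root": (Level.HIGH, Level.HIGH),
    "insecure information handling": (Level.LOW, Level.MEDIUM),
}

# Matrix columns: who is notified, driven by the expected outcome.
NOTIFY = {
    Level.LOW: ("sysadmin",),
    Level.MEDIUM: ("sysadmin", "forensics team", "cso/cio"),
    Level.HIGH: ("sysadmin", "forensics team", "cso/cio", "president"),
}

# Defined response, driven by the expected effort (assumed wording).
RESPONSE = {
    Level.LOW: ("patch or reconfigure the affected host",),
    Level.MEDIUM: ("reimage and repatch affected hosts to the known baseline",),
    Level.HIGH: (
        "create forensically sound images before any remediation",
        "preserve chain of custody for all evidence",
    ),
}

WIDESPREAD_HOSTS = 50  # assumed threshold that raises effort by one level


@dataclass(frozen=True)
class Incident:
    category: str
    hosts_affected: int = 1
    regulated_data: bool = False  # payment card data, PII, etc.


def classify(incident: Incident) -> tuple[Level, Level]:
    """Derive (effort, outcome) from the category plus two modifiers."""
    if incident.category not in CATEGORIES:
        raise ValueError(f"unknown incident category: {incident.category!r}")
    effort, outcome = CATEGORIES[incident.category]
    if incident.hosts_affected > WIDESPREAD_HOSTS:
        effort = Level(min(effort + 1, Level.HIGH))
    if incident.regulated_data:
        # Theft or exposure of regulated data brings law enforcement and
        # public disclosure into play regardless of the category.
        outcome = Level.HIGH
    return effort, outcome


def escalate(incident: Incident) -> dict:
    """Look up the matrix cell and return who is notified and what is done."""
    effort, outcome = classify(incident)
    actions = list(RESPONSE[effort])
    if outcome == Level.HIGH:
        actions += [
            "engage law enforcement",
            "prepare a public statement with legal and PR",
        ]
    return {
        "effort": effort,
        "outcome": outcome,
        "notify": NOTIFY[outcome],
        "actions": tuple(actions),
    }


def matrix() -> dict[str, tuple[str, ...]]:
    """Baseline row -> notified roles: the check-box matrix from the post."""
    return {cat: NOTIFY[outcome] for cat, (_effort, outcome) in CATEGORIES.items()}


if __name__ == "__main__":
    # Constructed sample incidents mirroring the two cases in the post.
    for inc in (
        Incident("virus/worm", hosts_affected=12),
        Incident("unauthorized root", hosts_affected=1, regulated_data=True),
    ):
        result = escalate(inc)
        print(f"{inc.category}: effort={result['effort'].name} "
              f"outcome={result['outcome'].name} notify={result['notify']}")
        for action in result["actions"]:
            print(f"  - {action}")
```

Keeping effort and outcome as separate axes is the point: effort decides what the responders do (reimage versus image-then-preserve), outcome decides how far up the chain the notification goes, and a worm that spreads past the host threshold raises the effort without dragging the president into a routine cleanup.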
