PaulDotCom mailing list archives

Incident Response Tracking


From: tadaka at gmail.com (Jason Wood)
Date: Wed, 6 Jan 2010 21:18:08 -0700

Greetings all,
I'm working on building out some incident response procedures and am
debating on how to track security incidents.  In the SANS Incident Handling
class, Ed Skoudis is a proponent of using a bound numbered journal and a
pen.  His reasons for doing so are pretty good.

   1. It's offline by definition, so an attacker can't corrupt data or
   disrupt access to it.
   2. Judges and juries respond better to pen and paper, since it is
   familiar and tangible.
   3. The numbered pages can clearly show a continuity of the events and
   there's not much doubt about data being removed or modified.

I agree with all these points, but I also have some other points to
consider.

   1. I work remote from the office and the team I'm on is in four different
   physical locations.  If we are working on an incident together, information
   sharing is going to become very difficult.
   2. If a team member becomes unavailable for some reason, the data is
   central and available to other members.
   3. If (heaven forbid) multiple incidents were going on at once or were in
   different states, reporting to management would be easier if I could just
   run a quick summary report of active incidents.
   4. Putting together periodic reports to remind management of why incident
   response is important is easier from a database than from journal entries.

I'm leaning towards the online system at this point, but I'm not sold on
it.  First, there's a lot of work to do to set up a decent IR database/app.
Just finding a good starting place is taking a while.  The idea of an
attacker finding it doesn't appeal to me either, so it would have to be
heavily protected and monitored.

To those who have a system in place for incident handling, what are your
thoughts?  What have you found works for you and why?  What would you do
differently if you could?

Thanks for your help.
Jason

-- 

irc: Tadaka
Twitter:  Jason_Wood
jwnetworkconsulting.com
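One way to get the numbered-journal property (a visible continuity of entries, with little doubt about pages being removed or altered) into an online tracker is to make the incident log append-only and hash-chained: every entry carries a sequence number and the hash of the entry before it, so editing, deleting or reordering any entry breaks the chain from that point forward, and the last hash can be copied into a bound journal or otherwise kept out of band to anchor the tail. The following is an added example written for this page, not code from Jason Wood or from the PaulDotCom list; the incident IDs, handler names and timestamps are constructed, and the class and method names are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical, constructed example of an append-only, hash-chained incident
# journal. Not the mailing list author's code. Each entry is the equivalent of
# a numbered page: it records its sequence number and the SHA-256 of the
# previous entry, so any edit, deletion or reordering is detectable.

GENESIS = "0" * 64  # "previous hash" of the very first entry


def _canonical(entry):
    # Deterministic serialisation so the same entry always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(entry):
    return hashlib.sha256(_canonical(entry)).hexdigest()


class IncidentJournal:
    def __init__(self):
        self.entries = []

    def append(self, incident_id, state, handler, note, ts=None):
        """Add one journal entry; entries are never edited in place."""
        entry = {
            "seq": len(self.entries) + 1,
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "incident": incident_id,
            "state": state,           # e.g. open / contained / eradicated / closed
            "handler": handler,
            "note": note,
            "prev": self.head(),      # hash of the previous entry (chain link)
        }
        self.entries.append(entry)
        return entry

    def head(self):
        """Hash of the latest entry. Record this out of band (e.g. in the
        paper journal) so tampering with the *last* entry is also caught."""
        return entry_hash(self.entries[-1]) if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return (ok, first_bad_seq). Walks the chain from the genesis value;
        a modified, removed or reordered entry breaks the link that follows it.
        Without expected_head, a change to the final entry is not detectable,
        which is why the head hash must live somewhere the attacker cannot reach."""
        prev = GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e["seq"] != i or e["prev"] != prev:
                return False, i
            prev = entry_hash(e)
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None

    def active_incidents(self):
        """Latest recorded state per incident, excluding closed ones: the quick
        summary a manager would ask for when several incidents are in flight."""
        latest = {}
        for e in self.entries:
            latest[e["incident"]] = e["state"]
        return {k: v for k, v in latest.items() if v != "closed"}


if __name__ == "__main__":
    # Constructed sample entries (not real incidents).
    j = IncidentJournal()
    j.append("INC-2010-001", "open", "jason", "Phishing report from helpdesk")
    j.append("INC-2010-001", "contained", "jason", "Malicious mailbox rules removed")
    j.append("INC-2010-002", "open", "teammate", "IDS alert on internal host")
    anchor = j.head()  # this value would be written into the paper journal
    print("chain ok:", j.verify(anchor))
    print("active:", j.active_incidents())
    j.entries[1]["note"] = "nothing happened"      # simulated tampering
    print("after tampering:", j.verify(anchor))
```

The chain gives an online tracker tamper evidence, not tamper resistance: an attacker with write access to the database can still rewrite every entry and recompute the chain, which is exactly why the head hash has to be copied somewhere offline at regular intervals. The monitoring and access control the post asks for are still needed; the chain only makes any tampering that does get through show up on the next verification.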