PaulDotCom mailing list archives
Incident Response Tracking
From: tadaka at gmail.com (Jason Wood)
Date: Wed, 6 Jan 2010 21:18:08 -0700
Greetings all,

I'm working on building out some incident response procedures and am debating how to track security incidents. In the SANS Incident Handling class, Ed Skoudis is a proponent of using a bound, numbered journal and a pen. His reasons for doing so are pretty good.

1. It's offline by definition, so an attacker can't corrupt data or disrupt access to it.
2. Judges and juries respond better to pen and paper, since it is familiar and tangible.
3. The numbered pages can clearly show a continuity of the events, and there's not much doubt about data being removed or modified.

I agree with all these points, but I also have some other points to consider.

1. I work remotely from the office, and the team I'm on is in four different physical locations. If we are working on an incident together, information sharing is going to become very difficult.
2. If a team member becomes unavailable for some reason, the data is central and available to other members.
3. If (heaven forbid) multiple incidents were going on at once or were in different states, reporting to management would be easier if I could just run a quick summary report of active incidents.
4. Putting together periodic reports to remind management of why incident response is important is easier from a database than from journal entries.

I'm leaning towards the online system at this point, but I'm not sold on it. First, there's a lot of work to do to set up a decent IR database/app. Just finding a good starting place is taking a while. The idea of an attacker finding it doesn't appeal to me either, so it would have to be heavily protected and monitored.

To those who have a system in place for incident handling, what are your thoughts? What have you found works for you and why? What would you do differently if you could?

Thanks for your help.

Jason
--
irc: Tadaka
Twitter: Jason_Wood
jwnetworkconsulting.com
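One way to get the "numbered pages" property of the bound journal into an online tracker, shown here as an added example rather than anything from Jason's post or from the list: every entry carries a sequence number and the SHA-256 of the entry before it, so an entry that is altered in place or removed from the middle breaks the chain, and the same store can answer the "quick summary of active incidents" question. The incident IDs, handler names, timestamps and notes are constructed sample data, and the `Journal` class and its methods are this example's own design.

```python
"""Append-only, hash-chained incident journal (added example, constructed data)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List

GENESIS = "0" * 64  # prev_hash of the very first entry


@dataclass
class Entry:
    seq: int            # like the page number in a bound journal
    timestamp: str
    incident_id: str
    status: str         # "open", "contained" or "closed"
    handler: str
    note: str
    prev_hash: str      # hash of the previous entry; chains the pages together
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Hash every field except the hash itself, with a canonical encoding.
        payload = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(data).hexdigest()


class Journal:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, incident_id: str, status: str, handler: str, note: str,
               timestamp: str = None) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        entry = Entry(seq=len(self.entries) + 1, timestamp=ts, incident_id=incident_id,
                      status=status, handler=handler, note=note, prev_hash=prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> List[str]:
        """Return a list of problems found; an empty list means the chain is intact."""
        problems: List[str] = []
        prev = GENESIS
        for position, e in enumerate(self.entries, start=1):
            if e.seq != position:
                problems.append(f"entry {position}: sequence gap (found seq {e.seq})")
            if e.prev_hash != prev:
                problems.append(f"entry {e.seq}: prev_hash does not match entry {e.seq - 1}")
            if e.entry_hash != e.compute_hash():
                problems.append(f"entry {e.seq}: content does not match its hash")
            prev = e.entry_hash
        return problems

    def active_summary(self) -> Dict[str, dict]:
        """Latest status per incident, leaving out incidents whose latest status is closed."""
        latest: Dict[str, dict] = {}
        for e in self.entries:
            count = latest.get(e.incident_id, {}).get("entries", 0) + 1
            latest[e.incident_id] = {"status": e.status, "handler": e.handler,
                                     "last_update": e.timestamp, "entries": count}
        return {k: v for k, v in latest.items() if v["status"] != "closed"}


def build_sample_journal() -> Journal:
    """Constructed sample: two incidents, one of which gets closed."""
    j = Journal()
    j.append("INC-0001", "open", "handler-a", "IDS alert on host A", "2010-01-06T20:00:00+00:00")
    j.append("INC-0002", "open", "handler-b", "Phishing report from help desk", "2010-01-06T20:15:00+00:00")
    j.append("INC-0001", "contained", "handler-a", "Host A isolated from network", "2010-01-06T21:00:00+00:00")
    j.append("INC-0002", "closed", "handler-b", "Confirmed benign", "2010-01-06T21:30:00+00:00")
    return j


def tamper_demo() -> List[str]:
    """Alter an existing entry in place; verify() should flag exactly that entry."""
    j = build_sample_journal()
    j.entries[2].note = "Host A left on network"
    return j.verify()


def removal_demo() -> List[str]:
    """Remove an interior entry; the gap and the broken link should both be reported."""
    j = build_sample_journal()
    del j.entries[1]
    return j.verify()


if __name__ == "__main__":
    journal = build_sample_journal()
    print("intact:", journal.verify() == [])
    print("active:", journal.active_summary())
    print("tampered:", tamper_demo())
    print("removed:", removal_demo())
```

The chain catches in-place edits and removal of interior entries, but not truncation of the newest entries, since nothing after them vouches for their existence. The usual fix is to record the latest sequence number and hash somewhere the tracker cannot reach, and a pen-and-paper journal is a reasonable place for that, which lets the two approaches in the post complement each other rather than compete.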
Current thread:
- Incident Response Tracking Jason Wood (Jan 06)
- <Possible follow-ups>
- Incident Response Tracking helliott at knology.net (Jan 07)
- Incident Response Tracking Jason Wood (Jan 07)
- Incident Response Tracking Larry McDonald (Jan 07)
- Incident Response Tracking Jason Wood (Jan 07)