Incident Response Tracking

[larrymcdonald at uhost.org (Larry McDonald)]

you might check out the following link:

http://www.enisa.europa.eu/act/cert/support/guide2/tools-equipment/tracking

it lists server incident tracking tools some open source and some
commercial.

My work uses a custom Web application and database, which allows us to
upload any files/notes and track time. I am also looking at the use of the
livescribe (www.livescribe.com) pen to print out our custom docs and then
allow the investigator upload notes both pdf and mp3 if needed to the
database.


Larry.



On Thu, Jan 7, 2010 at 1:43 PM, Jason Wood <tadaka at gmail.com> wrote:

> Thanks for your thoughts on this.  I'm already sketching out the process
> before I go too far on deciding on a tracking tool.  Without know what we
> need to do, selecting a tool is problematic at best.  Your points definitely
> underscored that requirement.
>
> One of my requirements is that tracking and timestamping of activities must
> be solid and easily viewable.  Have you implemented a similar requirement
> and how has that gone for you?
>
> Thanks again.
>
> Jason
>
> On Thu, Jan 7, 2010 at 5:49 AM, <helliott at knology.net> wrote:
>
> > *On Thu 10/01/07 6:00 AM , pauldotcom-request at mail.pauldotcom.com sent:
> > *
> >
> > Re: Pauldotcom Digest, Vol 16, Issue 7
> >
> > To those who have a system in place for incident handling, what are your
> > thoughts? What have you found works for you and why? What would you do
> > different if you could?
> >
> > We have an online system for many of the reasons you cite.  It has its
> > problems, but it also serves us reasonably well.  We are also in the process
> > of completely rewriting it after objectively evaluating our process.  Our
> > main focus is a system that supports handoff of the event from one part of
> > the IR team to another.  IA staff receive the incident and enter it into the
> > system, then the techs pick it up and work on it - for example, determining
> > the internal IP, the person(s) involved, correlating firewall or server logs
> > with the event etc  This really is not possible with a spiral notebook
> > unless you are willing to do a lot of phone calling, emailing, note-taking
> > etc.
> >
> > My advice to you is to focus on the PROCESS, then pick a tool (or design
> > one) that supports your process.  DO NOT start with a tool (notebook or
> > automated) then figure out how to live within that tool.  This is
> > essentially what we did wrong, and we now have a tool that has not grown
> > with our procedural evolution.  Spend time flowcharting a process,
> > determining what data must be tracked and what reports are desired, what
> > statuses will be demanded by management etc, roles played within the
> > process, writing policies (if required) and procedures to support the
> > process, collect the data in your paper format if desired, evolve the
> > process, and *then* build a tool that supports the process.
> >
> >
> > Herndon Elliott
> > Madison, Al
> >
> > CNSNEWS.COM REPORTER: "Madame Speaker, where specifically does the
> > Constitution grant Congress the authority to enact an individual health
> > insurance mandate?"
> >
> > SPEAKER OF THE HOUSE NANCY PELOSI, D-CALIF.: "Are you serious? Are you
> > serious?"
> >
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
>
> --
>
> irc: Tadaka
> Twitter:  Jason_Wood
> jwnetworkconsulting.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com



-- 
Larry McDonald
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20100107/3eb1cc48/attachment.htm