Mon Sep 29 18:51:30 PDT 2014

Management: Incident handling: How should incidents be managed?


Options:

Option 1: Incidents are defined and anticipated and detection designed to identify and defeat them.
Option 2: Incidents are interdicted by timely intelligence and countermeasures.
Option 3: Incidents are reported to appropriate identified individuals or mechanisms in a timely fashion.
Option 4: Decisions are made in a timely fashion and in keeping with pre-defined criteria and requirements.
Option 5: Mitigation occurs before consequences reach management defined thresholds.
Option 6: Incident conclusion and clean-up occurs with minimum cost and inconvenience.
Option 7: Appropriate forensic data is collected and retained as part of the incident handling process.
Option 8: After-incident analysis is undertaken and reports generated and responded to so as to improve incident handling over time.

Decision:

Each approach should be applied at the maturity and risk levels identified below (+ means "or higher", - means "or lower"). Do ALL that apply. Indicate time frames under Status and add details of who gets reports and when.

Maturity    | Risk    | Approach                                                                                                                      | Status
------------+---------+-------------------------------------------------------------------------------------------------------------------------------+-------
Defined+    | Medium+ | Incidents are defined and anticipated and detection designed to identify and defeat them                                      |
Defined+    | Medium+ | Incidents are interdicted by timely intelligence and countermeasures                                                          |
Repeatable+ | ALL     | Incidents are reported to appropriate identified individuals or mechanisms in a timely fashion                                |
Defined+    | Medium+ | Decisions are made in a timely fashion and in keeping with pre-defined criteria and requirements                              |
Managed+    | Medium+ | Mitigation occurs before consequences reach management defined thresholds                                                     |
Managed+    | ALL     | Incident conclusion and clean-up occurs with minimum cost and inconvenience                                                   |
Managed+    | ALL     | Appropriate forensic data is collected and retained as part of the incident handling process                                  |
Managed+    | Medium+ | After-incident analysis is undertaken and reports generated and responded to so as to improve incident handling over time      |

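The decision rule above ("+" means this level or higher, "-" means this level or lower, ALL matches every level, and every matching row applies) is easy to misread by hand once a program sits between levels. The following Python is an added example, not part of the original page: it encodes the table rows verbatim and returns the approaches that apply at a given maturity and risk level, plus the rows the program has not yet grown into. The full ordered maturity scale (Initial through Optimizing) and the Low/Medium/High risk scale are assumptions; the page itself names only Repeatable, Defined, Managed, Medium and ALL.

```python
# Added example: implements the "+ / - / ALL, do all that apply" selection
# rule for the incident-handling decision table. Not code from the page.

# Assumption: CMM-style ordering that the page's labels come from; Initial
# and Optimizing are assumed endpoints not named on the page.
MATURITY = ["Initial", "Repeatable", "Defined", "Managed", "Optimizing"]
# Assumption: three-step risk scale; the page names only Medium and ALL.
RISK = ["Low", "Medium", "High"]

# Rows copied from the decision table: (maturity spec, risk spec, approach).
DECISION_TABLE = [
    ("Defined+", "Medium+", "Incidents are defined and anticipated and detection designed to identify and defeat them"),
    ("Defined+", "Medium+", "Incidents are interdicted by timely intelligence and countermeasures"),
    ("Repeatable+", "ALL", "Incidents are reported to appropriate identified individuals or mechanisms in a timely fashion"),
    ("Defined+", "Medium+", "Decisions are made in a timely fashion and in keeping with pre-defined criteria and requirements"),
    ("Managed+", "Medium+", "Mitigation occurs before consequences reach management defined thresholds"),
    ("Managed+", "ALL", "Incident conclusion and clean-up occurs with minimum cost and inconvenience"),
    ("Managed+", "ALL", "Appropriate forensic data is collected and retained as part of the incident handling process"),
    ("Managed+", "Medium+", "After-incident analysis is undertaken and reports generated and responded to so as to improve incident handling over time"),
]


def matches(spec: str, value: str, scale: list) -> bool:
    """True if `value` satisfies `spec` on the ordered `scale`.

    "ALL" matches every level; a trailing "+" means this level or higher,
    a trailing "-" means this level or lower; no suffix means exactly.
    """
    if spec == "ALL":
        return True
    if value not in scale:
        raise ValueError(f"unknown level {value!r}; expected one of {scale}")
    if spec.endswith("+"):
        return scale.index(value) >= scale.index(spec[:-1])
    if spec.endswith("-"):
        return scale.index(value) <= scale.index(spec[:-1])
    return value == spec


def applicable_approaches(maturity: str, risk: str) -> list:
    """Every approach in the table that applies at (maturity, risk)."""
    return [
        approach
        for m_spec, r_spec, approach in DECISION_TABLE
        if matches(m_spec, maturity, MATURITY) and matches(r_spec, risk, RISK)
    ]


def coverage_gaps(maturity: str, risk: str) -> list:
    """Approaches the table calls for at this risk level that the program's
    current maturity does not yet reach: the ones to plan toward next."""
    return [
        approach
        for m_spec, r_spec, approach in DECISION_TABLE
        if matches(r_spec, risk, RISK) and not matches(m_spec, maturity, MATURITY)
    ]


if __name__ == "__main__":
    # Constructed sample: a Defined-level program protecting high-risk assets.
    for approach in applicable_approaches("Defined", "High"):
        print("apply:", approach)
    for approach in coverage_gaps("Defined", "High"):
        print("gap:  ", approach)
```

The gap list is the useful output for planning: a Defined-level program at high risk already owes the first four approaches, and the table tells it which four it must add as it moves to Managed.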
Incident management architecture

Basis:

Incidents are defined and anticipated and detection designed to identify and defeat them.
Incidents are often misinterpreted as independent events or treated independently even though they are interlinked. What constitutes an incident, and the nature and types of incidents, must be defined if there is to be any hope of identifying them with the sensor and analytical capabilities available. Once incidents are defined, the sets of sensors required to detect them can be designed and properly placed so that incidents are detected in time to react and to keep potentially serious negative consequences within management-specified acceptable loss thresholds.

Incidents are interdicted by timely intelligence and countermeasures.
An intelligence process should be in place to identify potential sources of incidents prior to their occurrence (in most cases), typically through an information sharing approach. For example, if an enterprise depends on a particular protocol or mechanism for part of its protective architecture, as events related to that protocol or mechanism become known through intelligence gathering and sharing, interdiction should be used in anticipation of future exploitation to assure that similar sorts of events won't have serious negative consequences on the enterprise. Countermeasures may range across the spectrum of protective measures.

Incidents are reported to appropriate identified individuals or mechanisms in a timely fashion.
Assuming detection is in place, detections must be reported in a meaningful way to decision mechanisms in order for decisions to be made about how to respond to them. These mechanisms are normally defined so as to apply the right resources to the incident so as to resolve it in time to mitigate potentially serious negative consequences. Without timely reporting, timely response cannot occur. Reporting is often also required for management mandates, insurance coverage, regulatory purposes, contractual mandates, and other reasons.

Decisions are made in a timely fashion and in keeping with pre-defined criteria and requirements.
Decision-making regarding incidents must be appropriate to the incident and made in time to mitigate the potentially serious negative consequences, or those consequences may occur. While some decisions may be made off-the-cuff, most decisions about incidents should be well thought out in advance and practiced so as to meet timeliness and accuracy requirements. This applies to disaster scenarios, business continuity scenarios, and day-to-day event sequences that occur within every enterprise.

Mitigation occurs before consequences reach management defined thresholds.
If mitigation does not occur in time, the negative consequences may be realized. As a result, the objective of the incident handling program is to mitigate before the potentially serious negative consequences reach the management specified thresholds. If no such thresholds are identified, the mitigation approach cannot be defined so as to meet the needs.

Incident conclusion and clean-up occurs with minimum cost and inconvenience.
At the end of an incident, normal operations are typically the desired state. This means that incident termination has to be identified and declared and normal operations resumed. The person or system that makes such a declaration must have defined criteria for making the determination and the return to normalcy should normally include the capacity to deal with future incidents.

Appropriate forensic data is collected and retained as part of the incident handling process.
For cases where it is meaningful or useful to gather forensic evidence associated with an incident, the relevant evidence should be identified, gathered, transported, stored, and handled in a manner appropriate to retaining its forensic value for the purposes intended. This only occurs in cases where proper planning is undertaken and the process is properly applied, even during the incident.

After-incident analysis is undertaken and reports generated and responded to so as to improve incident handling over time.
After incidents are concluded, it is helpful to produce after-action reports and analysis that identify limitations or problems with the plan as executed and work toward better approaches for the future. This reduces errors and omissions and optimizes the overall incident handling capability over time.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved