The Federal Emergency Management Agency (FEMA) created the National Response Framework in 2008 to organize how the federal government responds to natural disasters, terrorist attacks and other catastrophic events. Government resources alone cannot properly respond to a disaster; the framework exists to organize FEMA's limited resources so they are applied to threats in the most efficient manner possible.
Similarly, incident response is an organized approach to addressing and managing the aftermath of a security breach or attack. The goal is to organize alerts and resources, typically within a security information and event management (SIEM) system, so that the situation is handled in a way that limits damage and reduces recovery time and cost.
An effective SIEM makes it straightforward for security teams to manage and respond to alerts. A modern SIEM typically includes a full-featured incident response workflow: correlation searches run against incoming data in real time or on a schedule, and each match surfaces a notable event that an analyst can evaluate and act on. The workflow is customizable and integrates with third-party ticketing systems.
The SIEM further helps practitioners respond to an alert through an incident review dashboard that lists notable events and their current status. Analysts use the dashboard to gain contextual insight into the severity of events occurring on a system or network.
With this visibility, practitioners can triage new notable events, assign them to analysts for review and examine notable event details to investigate leads. Each alert carries contextual actions that let an analyst change its status or urgency, reassign it to another analyst, or add comments. The workflow helps analysts identify, track, remediate and audit alerts more efficiently, and escalate incidents to the proper responders as needed.
Practitioners also need a SIEM that streamlines investigation of dynamic, multi-step attacks by making the time relationship between events easy to see. That helps determine the root cause and the best next steps. It also makes collaboration across the organization easier: any member of the security team can place events, actions and annotations on a shared timeline to convey their view of the scenario.
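To make the workflow described in the preceding paragraphs concrete (correlation search, notable event with urgency, triage actions with an audit trail, and a timeline around the alert), here is an added Python example. It is not code from the original post or from Splunk: the log lines are constructed, the key=value log format, the asset priority table, the urgency rule (higher of rule severity and asset priority) and the allowed status transitions are all assumptions for illustration.

```python
"""Added example, not Splunk's code: a toy notable-event workflow that runs a
correlation search over constructed log lines, derives urgency from severity
and asset priority, and tracks triage actions with an audit trail and timeline."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample authentication logs (key=value format is an assumption).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z host=web01 user=alice action=login result=fail src=203.0.113.5",
    "2024-05-01T10:00:03Z host=web01 user=alice action=login result=fail src=203.0.113.5",
    "2024-05-01T10:00:05Z host=web01 user=alice action=login result=fail src=203.0.113.5",
    "2024-05-01T10:00:07Z host=web01 user=alice action=login result=fail src=203.0.113.5",
    "2024-05-01T10:00:09Z host=web01 user=alice action=login result=fail src=203.0.113.5",
    "2024-05-01T10:00:20Z host=web01 user=alice action=login result=success src=203.0.113.5",
    "2024-05-01T10:01:00Z host=web01 user=alice action=sudo result=success cmd=/bin/bash",
    "2024-05-01T10:05:00Z host=db01 user=bob action=login result=success src=10.0.0.9",
]
# Constructed asset inventory; a real SIEM would read this from an asset lookup.
ASSET_PRIORITY = {"web01": "high", "db01": "critical"}
LEVELS = ["low", "medium", "high", "critical"]
# Assumed status transitions: new -> in progress -> pending/resolved -> closed.
TRANSITIONS = {"new": {"in progress"}, "in progress": {"pending", "resolved"},
               "pending": {"in progress"}, "resolved": {"closed", "in progress"}, "closed": set()}

@dataclass
class NotableEvent:
    rule: str
    time: datetime
    host: str
    user: str
    severity: str
    urgency: str
    status: str = "new"
    owner: str = None
    audit: list = field(default_factory=list)  # rows of (actor, field, old, new)

def parse(line):
    """Parse one constructed log line into a dict with a datetime under _time."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["_time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def urgency(severity, priority):
    """Assumed urgency rule: the higher of rule severity and asset priority."""
    return LEVELS[max(LEVELS.index(severity), LEVELS.index(priority))]

def brute_force_then_success(events, threshold=5, window=timedelta(seconds=60)):
    """Correlation search: >= threshold failed logins followed by a success for the
    same src/user/host inside the window produces one notable event."""
    notables, fails = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev.get("action") != "login":
            continue
        key = (ev["src"], ev["user"], ev["host"])
        recent = [t for t in fails[key] if ev["_time"] - t <= window]  # drop stale failures
        if ev["result"] == "fail":
            recent.append(ev["_time"])
        elif ev["result"] == "success" and len(recent) >= threshold:
            prio = ASSET_PRIORITY.get(ev["host"], "low")
            notables.append(NotableEvent("Brute force followed by success", ev["_time"],
                                         ev["host"], ev["user"], "high", urgency("high", prio)))
            recent = []  # the burst has been reported; start counting afresh
        fails[key] = recent
    return notables

def assign(n, analyst, actor):
    n.audit.append((actor, "owner", n.owner, analyst)); n.owner = analyst

def set_status(n, new, actor):
    if new not in TRANSITIONS[n.status]:
        raise ValueError(f"cannot move {n.status!r} -> {new!r}")
    n.audit.append((actor, "status", n.status, new)); n.status = new

def set_urgency(n, new, actor):
    n.audit.append((actor, "urgency", n.urgency, new)); n.urgency = new

def comment(n, text, actor):
    n.audit.append((actor, "comment", None, text))

def timeline(events, n, before=timedelta(minutes=2), after=timedelta(minutes=5)):
    """Events on the notable's host around its time, oldest first, so the analyst
    sees what preceded and followed the alert (here: the sudo after the login)."""
    return sorted((e for e in events if e["host"] == n.host
                   and n.time - before <= e["_time"] <= n.time + after), key=lambda e: e["_time"])

if __name__ == "__main__":
    evs = [parse(l) for l in SAMPLE_LOGS]
    for n in brute_force_then_success(evs):
        assign(n, "analyst1", "lead"); set_status(n, "in progress", "analyst1")
        comment(n, "sudo to root 40s after the successful login; escalate", "analyst1")
        print(n.rule, n.host, n.user, n.urgency, n.status)
        for e in timeline(evs, n):
            print("  ", e["_time"].isoformat(), e["action"], e["result"])
        for row in n.audit:
            print("  audit:", row)
```

The point of the audit list is that every triage action (ownership, status, urgency, comment) is recorded with who did it and the before and after values, which is what makes an alert auditable later; the timeline query is deliberately keyed on the host rather than the rule so that follow-on activity the rule did not match (the sudo) is still visible to the analyst.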
Much like FEMA's framework, the best security incident response and management plan is aided by tools that organize how to respond when multiple alerts arrive at once.
Are you interested in learning how machine data can support an analytics-driven SIEM solution and improve your security posture? See why Gartner named Splunk a leader for the fourth consecutive year.