10 Incident response and remediation

This chapter covers

  • Using a SIEM or posture management tool to aggregate, track, and analyze security events across multiple sources
  • Writing playbooks as part of an incident response plan to mitigate threats quickly
  • Automating responses to attacks and vulnerabilities to respond quicker, reduce mistakes, and save time

In the last chapter we looked at many different types of monitoring and how to detect when there’s a potential attack or vulnerability in your system. There are many additional ways of detecting these kinds of security issues as well. You might conduct penetration tests on your applications to find potential weaknesses. You might get reports from external security researchers. You might subscribe to a feed of new vulnerabilities. There are many ways in which you will be alerted to security threats. The problem now is, how do you respond to them?

There are so many different attacks and vulnerabilities that you can’t possibly write down an appropriate response to all of them. The appropriate response also depends on your situation: what works for one organization might not work for another. For that reason, rather than try to list out specific incident responses, I’ll instead give some tips for how to make an incident response program more manageable.

10.1 Tracking security events

10.1.1 Centralizing alerts

10.1.2 Status tracking

10.1.3 Data analysis

10.2 Incident response planning

10.2.1 Playbooks

10.3 Automating incident response

10.3.1 Scripting playbooks

10.3.2 Automated response

Answers to exercises

Summary