Source |
AlienVault Blog |
Identifier |
1003651 |
Publication date |
2019-01-22 14:00:00 (viewed: 2019-01-22 16:01:16) |
Titre |
Incident Response Steps Comparison Guide |
Text |
What is Incident Response?
It is a plan for responding methodically to a cybersecurity incident. If an incident turns out to be malicious, steps are taken to quickly contain the damage, minimize it, and learn from it.
Not every cybersecurity event is serious enough to warrant investigation. An event such as a single failed login from an employee on premises is worth being aware of when it occurs in isolation, but it does not require staff hours to investigate. Your cybersecurity team should have a list of event types, each with defined thresholds for when that type needs to be investigated. From there, you should have customized incident response steps for each type of incident.
The Importance of Incident Response Steps
A data breach should be viewed as a “when”, not an “if”, so be prepared for it. A critical-level incident is no time to be figuring out your game plan. Your future self will thank you for the time and effort you invest up front.
Incident response can be stressful, and it is stressful when a critical asset is involved and you realize there is an actual threat. Incident response steps help in these stressful, high-pressure situations by guiding you more quickly to successful containment and recovery. Response time is critical to minimizing damage. With every second counting, having a plan already in place is the key to success.
The Two Industry Standard Incident Response Frameworks
Introduced in no particular order, NIST and SANS are the dominant institutes whose incident response steps have become industry standard.
NIST
NIST stands for National Institute of Standards and Technology. It is a government agency that proudly describes itself as “one of the nation’s oldest physical science laboratories”. It works across all things technology, including cybersecurity, where its incident response steps have made it one of the two industry-standard go-tos for incident response.
The NIST Incident Response Process contains four steps:
Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Post-Incident Activity
SANS
SANS stands for SysAdmin, Audit, Network, and Security. It is a private organization that, per its self-description, is “a cooperative research and education organization”. Though younger than NIST, its sole focus is security, and its framework has become an industry standard for incident response.
The SANS Incident Response Process consists of six steps:
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
The Difference Between NIST and SANS Incident Response Steps
With two industry-standard frameworks, there is a chance you are familiar with one but not the other, so let’s walk through their similarities and differences. First, here is a side-by-side view of the two processes before we dive into what each step entails.
Placed side by side in list format, you can see that NIST and SANS have the same components and the same flow, but different wording and clustering. Let’s walk through what each step entails to get into the nuanced differences between the frameworks.
For consistency, NIST steps will always be presented on the left and SANS on the right during the steps side-by-side compariso |
Sent |
Yes |