Organisations recognise the need to better understand the confluence between incident response and incident management groups. Often, companies will merge these functions into one focused scrum or group to save costs and reduce complexity. Consolidating these functions creates far more challenges than most organisations realise.
Cybersecurity attacks against organisations are no longer single-thread attacks. Hackers and cybercriminals can attack many elements of an organisation simultaneously, not just one host or user. How will organisations organise, triage, and assign a severity level before managing a multi-threat attack?
Incident management (IM) is a core business process for managing all facets of a cybersecurity crisis. IM handles all crisis workflows and provides a conduit for communication with other organisational stakeholders, including risk management, compliance, and governance, while keeping the senior leadership team informed. IM also works directly with the computer security incident response team (CSIRT). CSIRT provides forensic analysis, technical detail, and response-workflow data feeds into the various stages of the ITSM framework.
CSIRT is the front-line team monitoring, responding to, remediating, and documenting all security events coming into the organisation. CSIRT teams comprise several groups, including SecOps, DevOps, and NetSecOps teams. These teams are trained experts in identifying a security breach across the environment. They manage all the adaptive security controls, including the firewalls, IDS, identity management, cloud security, and endpoint protection, and also handle the patching and remediation of all systems. During a multi-thread attack, CSIRT has defined standard operating procedures and security automation capabilities to isolate, contain, and remediate the various attacks. Capturing the various stages of an attack, or kill chain, is also a critical responsibility of the CSIRT team. The kill chain data is fed into the incident management team. IM receives the data feeds from CSIRT and begins documenting the workflow to manage the current crisis.
Once IM reads the incident response activity data feeds from CSIRT, the teams process the impact of incidents into various management systems, including risk management, compliance, governance monitoring, and discovery archives. IM teams globally leverage the information technology infrastructure library (ITIL) management framework. ITIL publishes several management frameworks for organisations. IM teams leverage information technology service management (ITSM) for security incident management. ITSM provides a proven framework for organisations to manage a crisis by collecting critical data elements while leveraging industry-wide best practices for reporting and escalation.
The ITSM framework includes the following recommended workflows:
IM processes these feeds to determine broader business impacts from malicious activity.
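As an added example (not code from the original article or from LinearStack), the following Python sketch models the CSIRT-to-IM handoff described above for a multi-thread attack: alerts raised by several adaptive controls are correlated into incidents, each incident is assigned a level from how far along the kill chain it has progressed and how many hosts or users it touches, and a record is produced for IM to feed into risk, compliance and governance systems. The sample alerts, indicator values, level thresholds and the action mapping are all constructed assumptions, not values from the article.

```python
"""Constructed example: correlate concurrent CSIRT alerts into levelled incident records for IM."""
from collections import defaultdict
from dataclasses import dataclass, field

# Kill chain stages in order; a higher index means the attacker has progressed further.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Containment guidance CSIRT attaches to each level (assumed mapping, not from the article).
CSIRT_ACTION = {
    4: "isolate affected assets, block indicator, preserve forensic images",
    3: "contain affected assets, block indicator, start forensic capture",
    2: "block indicator, heighten monitoring on affected assets",
    1: "monitor and record",
}


@dataclass
class Alert:
    ts: str         # ISO-8601 timestamp of the event
    source: str     # adaptive control that raised it (firewall, ids, edr, idp, ...)
    asset: str      # host or user account affected
    stage: str      # kill chain stage the control observed
    indicator: str  # correlation key, e.g. attacker infrastructure seen (constructed)


@dataclass
class Incident:
    indicator: str
    alerts: list = field(default_factory=list)

    @property
    def assets(self):
        return sorted({a.asset for a in self.alerts})

    @property
    def furthest_stage(self):
        return max(self.alerts, key=lambda a: KILL_CHAIN.index(a.stage)).stage

    def timeline(self):
        return [(a.ts, a.source, a.asset, a.stage)
                for a in sorted(self.alerts, key=lambda a: a.ts)]


def correlate(alerts):
    """Group alerts from different controls that share an indicator into one incident."""
    groups = defaultdict(list)
    for a in alerts:
        if a.stage not in KILL_CHAIN:
            raise ValueError(f"unknown kill chain stage: {a.stage}")
        groups[a.indicator].append(a)
    return [Incident(k, v) for k, v in groups.items()]


def incident_level(incident):
    """Level 1-4 from attacker depth (kill chain stage) and breadth (distinct assets)."""
    depth = KILL_CHAIN.index(incident.furthest_stage)
    breadth = len(incident.assets)
    if depth >= KILL_CHAIN.index("actions_on_objectives") or breadth >= 5:
        return 4
    if depth >= KILL_CHAIN.index("installation") or breadth >= 3:
        return 3
    if depth >= KILL_CHAIN.index("delivery") or breadth >= 2:
        return 2
    return 1


def im_handoff(incident):
    """Record IM receives: enough to update risk, compliance and governance systems."""
    level = incident_level(incident)
    return {
        "incident_id": f"INC-{incident.indicator}",  # placeholder id scheme
        "level": level,
        "furthest_stage": incident.furthest_stage,
        "affected_assets": incident.assets,
        "controls_reporting": sorted({a.source for a in incident.alerts}),
        "timeline": incident.timeline(),
        "csirt_action": CSIRT_ACTION[level],
    }


def triage(alerts):
    """Correlate, level and order the handoff records for IM, most severe first."""
    records = [im_handoff(i) for i in correlate(alerts)]
    return sorted(records, key=lambda r: r["level"], reverse=True)


# Constructed multi-thread attack: one campaign touching a user and two hosts,
# plus an unrelated perimeter scan that should stay a low-level incident.
SAMPLE_ALERTS = [
    Alert("2024-01-10T09:00:00Z", "firewall", "edge-fw", "reconnaissance", "203.0.113.7"),
    Alert("2024-01-10T09:05:00Z", "idp", "user:alice", "delivery", "campaign-A"),
    Alert("2024-01-10T09:12:00Z", "edr", "host:ws-17", "exploitation", "campaign-A"),
    Alert("2024-01-10T09:20:00Z", "ids", "host:ws-17", "command_and_control", "campaign-A"),
    Alert("2024-01-10T09:25:00Z", "edr", "host:srv-db01", "installation", "campaign-A"),
]

if __name__ == "__main__":
    for record in triage(SAMPLE_ALERTS):
        print(record["incident_id"], "level", record["level"], record["csirt_action"])
```

The level function deliberately combines depth and breadth: a single host at command-and-control and a phishing wave touching several users are both worth escalating, which is the "organise, triage, and set a level" step the article asks about before IM begins managing the crisis.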
Like the IM team, CSIRT also follows ITIL framework recommendations to support its incident response procedures. Handling several security breaches requires a consistent workflow that CSIRT can align with and that provides the critical information feeds into the IM framework.
Leveraging the same ITIL model, CSIRT follows a similar workflow:
Confluence layers with incident management and incident response
While both teams serve a similar purpose, protecting the organisation and responding to cyber security attacks, the groups also have some clear differences.
IM sits within and across any incident management process, ensuring all stages of an incident are handled. It handles all communication and media relations, escalates and reports any issues, and pulls them together coherently and organically.
Incident response involves triaging issues, analysing them in depth, taking appropriate action, and recovering from incidents.
One of the most common viewpoints on the difference between incident response and incident management is that incident response focuses on the technical processes required to resolve an incident. In contrast, incident management deals with managing the broader impacts of an incident on the organisation.
Our Incident Response and Threat Management services are designed for organisations that need specialist support with the more complex cyber security products and skillsets.
Our experienced team is calm under fire to provide a measured and carefully thought-out response. They will work quickly and methodically on your behalf in a time-critical situation.
We identify risks in your IT environment and processes. Then, armed with the latest cyberthreat intelligence, we marry your risk profile with a tailored strategy to make your organisation resilient to attacks.
LinearStack is a New Zealand-owned and operated specialised cyber security services company with a global footprint.
The core focus of our business is to accelerate our customers' cyber security operations with the help of our cyber defence services. We augment our clients' teams by acting as a true extension of their team, empowering our clients to prioritise their cyber security strategy and customers while we protect their business from cyber threats 24x7.
We believe maintaining thriving IT systems and assuring data protection are fundamental needs that all businesses deserve.
Get in touch with us today:
Phone: 0800 008 795
Email: info@linearstack.co.nz
Website: https://linearstack.co.nz