[Pauldotcom] Incident Response Tracking
tadaka at gmail.com
Thu Jan 7 18:43:58 UTC 2010
Thanks for your thoughts on this. I'm already sketching out the process
before I go too far on deciding on a tracking tool. Without knowing what we
need to do, selecting a tool is problematic at best. Your points definitely
underscored that requirement.
One of my requirements is that tracking and timestamping of activities must
be solid and easily viewable. Have you implemented a similar requirement
and how has that gone for you?
On Thu, Jan 7, 2010 at 5:49 AM, <helliott at knology.net> wrote:
> On Thu 10/01/07 6:00 AM, pauldotcom-request at mail.pauldotcom.com sent:
> Re: Pauldotcom Digest, Vol 16, Issue 7
> To those who have a system in place for incident handling, what are your
> thoughts? What have you found works for you and why? What would you do
> differently if you could?
> We have an online system for many of the reasons you cite. It has its
> problems, but it also serves us reasonably well. We are also in the process
> of completely rewriting it after objectively evaluating our process. Our
> main focus is a system that supports handoff of the event from one part of
> the IR team to another. IA staff receive the incident and enter it into the
> system, then the techs pick it up and work on it - for example, determining
> the internal IP, the person(s) involved, correlating firewall or server logs
> with the event, etc. This really is not possible with a spiral notebook
> unless you are willing to do a lot of phone calling, emailing, note-taking.
> My advice to you is to focus on the PROCESS, then pick a tool (or design
> one) that supports your process. DO NOT start with a tool (notebook or
> automated) then figure out how to live within that tool. This is
> essentially what we did wrong, and we now have a tool that has not grown
> with our procedural evolution. Spend time flowcharting a process,
> determining what data must be tracked and what reports are desired, what
> statuses will be demanded by management, etc., roles played within the
> process, writing policies (if required) and procedures to support the
> process, collect the data in your paper format if desired, evolve the
> process, and *then* build a tool that supports the process.
> Herndon Elliott
> Madison, Al
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> Main Web Site: http://pauldotcom.com
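The two requirements raised in this exchange, solid timestamped tracking of activities and handoff of an event between IA staff and the techs, can be sketched in code. The following is an added example, not code from either poster or from any tool they use: an append-only incident log where every entry gets a server-side UTC timestamp and is hash-chained to the previous one (so a later edit is detectable), plus a small status workflow that rejects handoffs and transitions the process does not allow. The status names, role names and sample entries are assumptions made for the example.

```python
"""Minimal incident tracker: append-only, timestamped, tamper-evident
activity log with validated handoffs.  Added example, not from the thread."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Hypothetical status workflow (assumption, not from the thread):
# IA staff open the incident, hand it to a tech, the tech works and closes it.
TRANSITIONS = {
    "new": {"assigned"},
    "assigned": {"in_progress", "new"},
    "in_progress": {"resolved", "assigned"},
    "resolved": {"closed", "in_progress"},
    "closed": set(),
}

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class Entry:
    seq: int
    ts: str          # UTC ISO-8601 timestamp set by the tracker, not typed by the user
    actor: str
    action: str      # "note", "handoff" or "status"
    detail: str
    prev_hash: str   # digest of the previous entry: links the chain
    digest: str      # digest of this entry's fields


def _digest(seq, ts, actor, action, detail, prev_hash):
    payload = json.dumps([seq, ts, actor, action, detail, prev_hash])
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class Incident:
    incident_id: str
    status: str = "new"
    owner: Optional[str] = None
    entries: List[Entry] = field(default_factory=list)

    def _append(self, actor, action, detail, now=None):
        ts = (now or datetime.now(timezone.utc)).isoformat()
        seq = len(self.entries)
        prev = self.entries[-1].digest if self.entries else GENESIS
        d = _digest(seq, ts, actor, action, detail, prev)
        self.entries.append(Entry(seq, ts, actor, action, detail, prev, d))
        return self.entries[-1]

    def note(self, actor, text, now=None):
        return self._append(actor, "note", text, now)

    def handoff(self, actor, new_owner, now=None):
        self.owner = new_owner
        return self._append(actor, "handoff", f"{actor} -> {new_owner}", now)

    def set_status(self, actor, new_status, now=None):
        if new_status not in TRANSITIONS.get(self.status, set()):
            raise ValueError(f"illegal transition {self.status} -> {new_status}")
        old, self.status = self.status, new_status
        return self._append(actor, "status", f"{old} -> {new_status}", now)

    def verify(self):
        """Recompute the chain; any edited, dropped or reordered entry breaks it."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return False
            if _digest(e.seq, e.ts, e.actor, e.action, e.detail, e.prev_hash) != e.digest:
                return False
            prev = e.digest
        return True

    def timeline(self):
        """The 'easily viewable' form: one line per activity, in order."""
        return [f"{e.ts} [{e.actor}] {e.action}: {e.detail}" for e in self.entries]


def demo():
    """Constructed walk-through: IA staff receive an event, hand it to a tech."""
    t0 = datetime(2010, 1, 7, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
    inc = Incident("INC-0001")  # constructed sample id
    inc.note("ia-staff", "Alert received, external address flagged", t0)
    inc.handoff("ia-staff", "tech-1", t0)
    inc.set_status("ia-staff", "assigned", t0)
    inc.set_status("tech-1", "in_progress", t0)
    inc.note("tech-1", "Correlated firewall logs; internal host identified", t0)
    ok_before = inc.verify()
    # Simulate a later edit of a recorded note: the chain no longer verifies.
    e = inc.entries[4]
    inc.entries[4] = Entry(e.seq, e.ts, e.actor, e.action, "edited", e.prev_hash, e.digest)
    return ok_before, inc.verify(), inc.status, inc.owner, len(inc.entries)


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the tracker, not the person entering the note, supplies the timestamp, and the chain makes after-the-fact edits visible; a real system would persist the entries and protect the store, but the workflow check and the chain are what turn a notebook into a record you can hand off and later defend.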