Incident and Security Management

Security Orchestration and Automated Incident Response

Protect

Organizations must develop and implement the appropriate safeguards to limit or contain the impact of a potential cybersecurity event.

Detect

Organizations must develop an understanding of their environment to manage the cybersecurity risk to systems, assets, data and capabilities.

Identify

Organizations must implement the appropriate measures to quickly identify cybersecurity events.

Recover

Organizations must develop and implement effective activities to restore any capabilities or services that were impaired due to a cybersecurity event.

To build a strong foundation for your incident response program, you must embed industry best practices into the workflow.

Developing well-crafted playbooks to guide your incident and security management processes ensures that your entire team works together, following proven steps and removing uncertainty during emergencies.

The stages of incident response

Prepare
Prepare response plans, policies, call trees and playbooks with the members of your incident response team, including external entities.

Detect
Organizations must develop an understanding of their environment to detect cybersecurity attacks on systems, assets, data and capabilities.

Identify
Organizations must implement the appropriate measures to quickly identify cybersecurity events or incidents.

Contain
In the containment stage, you must limit the damage caused to systems and prevent any further damage from occurring.

Eradicate
The emphasis is on cleaning up the system or network and getting it ready to restore from a reimage of the system or from a known good backup.

Recover
Bring the system back into production and monitor it for any signs of abnormal activity.

Review
Before moving back into normal operations, it is critical to review the event or incident to understand how it happened. Then incorporate additional activities and knowledge into your incident response process. This will produce better future outcomes and improve additional defenses.
