Incident Management

Model | Operations | Incident Management

Once your organization has applications in operation, you’re likely to face security incidents. In this model, we define a security incident as a breach, or the threat of an imminent breach, of at least one asset’s security goals, whether due to malicious or negligent behavior. Examples of security incidents might include: - a successful Denial of Service (DoS) attack against a cloud application; - an application user accessing private data of another, by abusing a security vulnerability; or - an attacker modifying application source code. The Incident Management (IM) practice focuses on dealing with these in your organization.

Historically, many security incidents have been detected months, or even years, after the initial breach. During the “dwell time” before an incident is detected, significant damage can occur, increasing the difficulty of recovery. Our first Activity Stream, Incident Detection, focuses on decreasing that dwell time.

Once you have identified that you’re suffering from a security incident, it’s essential to respond in a disciplined, thorough manner to limit the damage, and return to normal operations as efficiently as possible.

Maturity levelStream A
Incident Detection
Stream B
Incident Response
1Best-effort incident detection and handlingUse available log data to perform best-effort detection of possible security incidents.Identify roles and responsibilities for incident response.
2Formal incident management process in placeFollow an established, well-documented process for incident detection, with emphasis on automated log evaluation.Establish a formal incident response process and ensure staff are properly trained in performing their roles.
3Mature incident managementUse a proactively managed process for detection of incidents.Employ a dedicated, well-trained incident response team.