Incident Management and Response
Using the structured approach of Event Stream Architecture, GBprotect covers the entire security event management lifecycle, including Incident Management and Response.
Incident Management is a critical component of an organization’s security. It’s the last stop in the security lifecycle – the final point where security-related events have passed through all filters and analyses and have now been determined to be “actionable.” By the time this phase is reached, there is significant security risk to an organization and the right investigation and response activities need to be triggered.
At this juncture, resources beyond day-to-day security operations staff are often involved, and the coordination and execution of defined strategic response activities are essential.
From the Event Stream Architecture approach GBprotect uses to define each step of the event lifecycle for our clients, to the day-to-day incident-handling operations in our 24x7x365 Security Operations Centers (SOCs), we have both consultative and operational experience in key functions of Incident Management:
- Event Analysis – We analyze event sources from the universe of operational and security events to determine which ones are relevant to clients’ environments. As shown in the diagram, we subject each raw event to filters and analysis steps to determine whether it is “actionable” and should pass into the Incident Management phase. For every client, GBprotect uses a structured analytical approach to customize these event criteria and define a baseline for how each event should be handled. These customized plans for audit reduction and data reduction narrow down events into actionable incidents.
- Process Development – In the Incident Management phase, we develop processes for alerts and notifications, escalations, case management, and reporting deliverables. We tailor these processes to each client’s specific requirements, ensuring a consistent, reliable response to each incident. This includes categorizing incidents based on severity and risk, defining escalation and reporting processes, and creating processes to coordinate, track, and adjust responses as the incident progresses.
- Definition – We help clients recognize and define the severity of the events they need to be looking for and devise plans to address any incidents that may result from those events. We create customized “run books” specific to every client so their defined processes for Incident Management and Response are executed consistently and accurately every time.
- Execution – As incidents occur, we orchestrate the investigation, analysis, and escalation activities; partner with clients to determine and carry out the appropriate response; and track all incident-handling progress in a case management system. After each incident is successfully resolved, we lead after-action and root-cause analysis reviews to help clients prevent recurrence and, where necessary, improve their incident-handling processes. Our mission, with every incident, is to ensure that defined incident management processes are followed and that those processes are continually improved, so that security strengthens over time.