Defining Incident Management Processes for CSIRTs: A Work in Progress

Alberts, Chris; Dorofee, Audrey; Killcrece, Georgia; Ruefle, Robin; Zajicek, Mark T.

doi:10.21236/ada453378

Cited by 40 publications

(45 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…As a result, a consensus as to the standardization, effectiveness and efficiency of these approaches is yet to emerge (Killcrece et al, 2003;Alberts et al, 2004;Wiik et al, 2005). While numerous security incident response processes have been discussed in the literature, Hove et al (2014) argue that many organizations find it difficult to implement established security incident response processes.…”

Section: Related Workmentioning

confidence: 99%

Enhancing security incident response follow-up efforts with lightweight agile retrospectives

Grispos

Glisson

Storer

2017

Digital Investigation

View full text Add to dashboard Cite

Security incidents detected by organizations are escalating in both scale and complexity. As a result, security incident response has become a critical mechanism for organizations in an effort to minimize the damage from security incidents. The final phase within many security incident response approaches is the feedback/follow-up phase. It is within this phase that an organization is expected to use information collected during an investigation in order to learn from an incident, improve its security incident response process and positively impact the wider security environment. However, recent research and security incident reports argue that organizations find it difficult to learn from incidents.A contributing factor to this learning deficiency is that industry focused security incident response approaches, typically, provide very little practical information about tools or techniques that can be used to extract lessons learned from an investigation. As a result, organizations focus on improving technical security controls and not examining or reassessing the effectiveness or efficiency of internal policies and procedures. An additional hindrance, to encouraging improvement assessments, is the absence of tools and/or techniques that organizations can implement to evaluate the impact of implemented enhancements in the wider organization. Hence, this research investigates the integration of lightweight agile retrospectives and meta-retrospectives, in a security incident response process, to enhance feedback and/or follow-up efforts. The research contribution of this paper is twofold. First, it presents an approach based on lightweight retrospectives as a means of enhancing security incident response follow-up efforts. Second, it presents an empirical evaluation of this lightweight approach in a Fortune 500 Financial organization's security incident response team.

show abstract

Section: Related Workmentioning

confidence: 99%

Enhancing security incident response follow-up efforts with lightweight agile retrospectives

Grispos

Glisson

Storer

2017

Digital Investigation

View full text Add to dashboard Cite

show abstract

“…Speci cally, the sending and receiving of information can occur between person and person, person and technology, person and team, and team and team, creating multiple places for errors and mistakes. 31 Although there are several descriptions for how hando s occur, there are few prescriptions for how to make them e ective. As such, checklists created by cybersecurity analysts (ideally from di erent levels) and mnemonics adapted to the CSIRT context o er realistic, actionable, and promising options for CSIRTs to improve the quality of communication during hando s. In addition, when preparing for incidents, CSIRTs Simulation tasks can be altered to represent aspects of uncertainty CSIRT members might face during incident response.…”

Section: Enhance Communication Among Csirt Membersmentioning

confidence: 99%

Improving Cybersecurity Incident Response Team Effectiveness Using Teams-Based Research

Steinke

Bolunmez

Fletcher

et al. 2015

IEEE Secur. Privacy

View full text Add to dashboard Cite

show abstract

“…Killcrece et al [14], emphasize that incident management is not purely an IT issue, but a wide overview of the organization's security, risk and IT management functions. Alberts et al [15] explains that incident management encompasses incident handling, incident response and a larger set of activities such as vulnerability handling, artefact handling, security awareness training as well as other proactive services and security quality management services.…”

Section: Incident Managementmentioning

confidence: 99%

Passing the Buck: Outsourcing Incident Response Management

Zuniga¹,

Jaatun

2015

2015 IEEE 7th International Conference on Cloud Computing Technology and Science (CloudCom)

View full text Add to dashboard Cite

Many organizations are outsourcing computer operations to third parties, and the next logical step is to outsource management of computer security incidents as well. This paper describes a case study where we have studied several organizations who are active in this space today. Our results indicate that outsourcing of incident management is a viable security approach for many organizations, but that transitioning between providers frequently is a challenge.

show abstract

Defining Incident Management Processes for CSIRTs: A Work in Progress

Cited by 40 publications

References 0 publications

Enhancing security incident response follow-up efforts with lightweight agile retrospectives

Enhancing security incident response follow-up efforts with lightweight agile retrospectives

Improving Cybersecurity Incident Response Team Effectiveness Using Teams-Based Research

Passing the Buck: Outsourcing Incident Response Management

Contact Info

Product

Resources

About