Why and how to focus on incident management?
When talking about incident management, we must first clarify what we mean by it. We most often use the NIST Cybersecurity Framework as a point of reference; it lists six core functions required to build information security, and two of them, Detect and Respond, make up incident management.
If an event occurs that may have a negative impact on information security, it must be detected and response steps must be taken to minimise its impact on the business process.
The incident management capability will be adequate if the necessary technological, process and human components are coordinated.
Incident management is a well-defined choreography: the same steps are always performed, regardless of whether the incident is a malicious-code attack, unauthorised access or even a physical-security incident.
How does incident management work?
It is necessary to know what is happening within the systems to be protected, so continuous monitoring is required and potential incidents must be recognised. At the technology level, SIEM systems, XDR, combined XDR-SIEM platforms or threat detection platforms help with this. After collecting logs and network traffic, these systems generate alerts based on a predefined rule set or on an ML model, enriched with vulnerability information and threat intelligence. Once an incident is detected, it must be assigned a priority and a severity and categorised according to a defined scheme.
The next step is containment or isolation, to prevent further damage from the incident. During the deeper analysis, forensic investigation and malware analysis are carried out, and the response steps are built on their results. After the analysis the incident is resolved and the affected systems are restored by the teams that operate them. Importantly, technical steps are not the only ones required: the incident management team must also carry out communication and coordination tasks.
Since the same high-level steps must be performed for every incident, SOAR (Security Orchestration, Automation and Response) systems have appeared, primarily to support the automated, centralised execution of these steps.
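The detect, triage and respond choreography described above, as an added example that is not part of the original page and is not the code of any real SIEM or SOAR product. It runs a few detection rules over constructed log lines (the log format, the asset inventory, the severity-to-priority mapping and the playbooks are all assumptions made for this example), assigns severity and priority, categorises each alert, and renders the category's playbook with containment first. Only P1 alerts are contained automatically; everything else is queued for analyst approval.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample events (not real logs). The format is assumed for this
# example: "<ISO timestamp> <source> key=value key=value ..."
SAMPLE_LOGS = [
    "2024-05-01T02:01:11Z auth host=web01 user=admin src=203.0.113.7 result=FAIL",
    "2024-05-01T02:01:12Z auth host=web01 user=admin src=203.0.113.7 result=FAIL",
    "2024-05-01T02:01:13Z auth host=web01 user=admin src=203.0.113.7 result=FAIL",
    "2024-05-01T02:01:14Z auth host=web01 user=admin src=203.0.113.7 result=FAIL",
    "2024-05-01T02:01:15Z auth host=web01 user=admin src=203.0.113.7 result=FAIL",
    "2024-05-01T02:01:20Z auth host=web01 user=admin src=203.0.113.7 result=SUCCESS",
    "2024-05-01T02:05:40Z edr host=fin-db01 sha256=TESTHASH01 verdict=MALICIOUS",
    "2024-05-01T03:10:02Z badge door=server-room user=contractor42 result=GRANTED",
    "2024-05-01T09:00:00Z auth host=web01 user=alice src=198.51.100.5 result=SUCCESS",
    "garbage line that does not parse",
]

# Hypothetical asset inventory: criticality drives priority, not severity.
ASSET_CRITICALITY = {"fin-db01": "crown_jewel", "server-room": "crown_jewel", "web01": "standard"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Hypothetical SOAR-style playbooks: the same choreography per category,
# containment first, then evidence collection, then notification.
PLAYBOOKS = {
    "malicious_code": ["isolate_host:{asset}", "collect_triage_image:{asset}", "notify:soc-lead"],
    "unauthorised_access": ["block_ip:{src}", "disable_account:{user}", "notify:iam-team"],
    "physical": ["pull_cctv:{asset}", "notify:facilities"],
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\w+)\s+(?P<rest>.*)$")


@dataclass
class Alert:
    rule: str
    category: str
    severity: str
    asset: str
    context: dict = field(default_factory=dict)
    priority: str = ""


def parse_line(line):
    """Parse one constructed log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m or "=" not in m["rest"]:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    fields.update(ts=m["ts"], source=m["source"])
    return fields


def rule_brute_force(events, threshold=5):
    """Repeated failures from one source against one account; escalate if a success follows."""
    fails = Counter()
    for e in events:
        if e["source"] == "auth" and e.get("result") == "FAIL":
            fails[(e["src"], e["host"], e["user"])] += 1
    for (src, host, user), n in fails.items():
        succeeded = any(e["source"] == "auth" and e.get("result") == "SUCCESS"
                        and e.get("src") == src and e.get("user") == user for e in events)
        if n >= threshold:
            yield Alert("brute_force_login", "unauthorised_access",
                        "high" if succeeded else "medium", host,
                        {"src": src, "user": user, "failures": n})


def rule_malware(events):
    """An EDR malicious verdict is always critical; the asset decides the priority."""
    for e in events:
        if e["source"] == "edr" and e.get("verdict") == "MALICIOUS":
            yield Alert("edr_malicious_verdict", "malicious_code", "critical",
                        e["host"], {"sha256": e.get("sha256")})


def rule_after_hours_access(events, start=6, end=20):
    """Physical-security rule: badge access granted outside the assumed working hours."""
    for e in events:
        if e["source"] == "badge" and e.get("result") == "GRANTED":
            hour = int(e["ts"][11:13])
            if not start <= hour < end:
                yield Alert("after_hours_badge_access", "physical", "medium",
                            e["door"], {"user": e["user"], "hour": hour})


RULES = [rule_brute_force, rule_malware, rule_after_hours_access]


def assign_priority(alert):
    """Priority = severity rank, bumped by one step for crown-jewel assets (assumed matrix)."""
    rank = SEVERITY_RANK[alert.severity]
    if ASSET_CRITICALITY.get(alert.asset) == "crown_jewel":
        rank += 1
    alert.priority = "P1" if rank >= 3 else "P2" if rank == 2 else "P3"
    return alert.priority


def detect(lines):
    """Run every rule over the parsed events and return alerts ordered by priority."""
    events = [e for e in map(parse_line, lines) if e]
    alerts = [a for rule in RULES for a in rule(events)]
    for a in alerts:
        assign_priority(a)
    return sorted(alerts, key=lambda a: a.priority)


def respond(alert):
    """Render the category's playbook. Only P1 alerts are contained automatically;
    lower priorities are queued for analyst approval (automate the mature path only)."""
    actions = [step.format(asset=alert.asset, **alert.context) for step in PLAYBOOKS[alert.category]]
    mode = "auto" if alert.priority == "P1" else "analyst_approval"
    return {"rule": alert.rule, "priority": alert.priority, "mode": mode, "actions": actions}


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(respond(alert))
```

The point of the structure is that rules only decide severity and category; priority comes from the asset inventory, and the playbook comes from the category, so the same choreography is reused for a malware verdict, a brute-forced account and an after-hours badge swipe. Unparseable lines are dropped rather than crashing the pipeline, which is what you want from a collector fed by heterogeneous sources.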

In what environment may cyber security incident management be required?
In addition to IT environments, incident management is also necessary for cyber-physical systems (including industrial and OT systems), cloud environments and even DevOps environments. How possible incidents are to be handled must also be considered for AI and LLM systems.

What should be considered for developing an effective incident management capability?
The design must be adapted to the business needs. It is necessary to consider where the data assets to be protected are located, what environments exist and what regulations apply to the organisation. Incident management does not need to be adjusted only at the process level: the technological components used can also differ, depending on the environment.
Efforts must be made to establish unified monitoring so that all relevant events are observed. Detection content must be kept up to date and adapted to the risk portfolio and to the relevant threats.
Only sufficiently mature processes should be automated; otherwise automation magnifies the problems, minor or major, that those processes already have.
Finally, it is important to develop an appropriate incident management culture: incident management cannot operate as a silo, it requires the cooperation of all members of the organisation.