19-2
FireSIGHT System User Guide
Chapter 19      Handling Incidents
Incident Handling Basics
Generally, an incident is defined as one or more intrusion events that you suspect are involved in a 
possible violation of your security policies. Cisco also uses the term to describe the feature you use in 
the FireSIGHT System to track your response to an incident.
As explained in 
, some intrusion events are more important 
than others to the availability, confidentiality, and integrity of your network assets. For example, the port 
scan detection features provided by the FireSIGHT System can keep you informed of port scanning 
activity on your network. Your security policy, however, may not specifically prohibit port scanning or 
see it as a high priority threat, so rather than take any direct action, you may instead want to keep logs 
of any port scanning for later forensic study.
On the other hand, if the system generates events that indicate hosts within your network have been 
compromised and are participating in distributed denial-of-service (DDoS) attacks, then this activity is 
likely a clear violation of your security policy, and you should create an incident in the FireSIGHT 
System to help you track your investigation of these events.
Common Incident Handling Processes
License: Protection
Each organization is likely to define its own process for handling security incidents. Most methodologies 
include some or all of the following phases:
  •
  •
  •
  •
  •
  •
Each of these phases is described in the sections that follow. The descriptions also explain how the 
FireSIGHT System fits into each phase.
Preparation
You can prepare for incidents in two ways: 
  • by having clear and comprehensive security policies in place, as well as the hardware and software 
resources to enforce them
  • by having a clearly defined plan to respond to incidents and a properly trained team that can 
implement the plan
A key part of incident handling is understanding which parts of your network are at the greatest risk. By 
deploying FireSIGHT System components on those network segments, you can increase your awareness 
of when and how incidents occur. Also, by taking the time to carefully tune the intrusion policy for each 
managed device, you can ensure that the events that are generated are of the highest quality.
Detection and Notification
You cannot respond to an incident unless you can detect it. Your incident handling process should note 
the kinds of security-related events that you can detect and the mechanisms, both software and hardware, 
that you use to detect them. You should also note where you can detect violations of your security 
policies. If your network includes segments that are not actively or passively monitored, then you need 
to note that as well.