Cisco FirePOWER Appliance 8130
19-3
FireSIGHT System User Guide
Chapter 19 Handling Incidents
Incident Handling Basics
The managed devices that you deploy on your network are responsible for analyzing the traffic on the
segments where they are installed, for detecting intrusions, and for generating events that describe them.
Keep in mind that the access control policy you apply to each of the managed devices governs what kinds
of activity they detect and how it is prioritized. You can also set notification options for certain types of
intrusion events so that the incident team does not need to sift through hundreds of events. You can
specify that you are notified automatically when certain high priority, high severity events are detected.
Investigation and Qualification
Your incident handling process should specify how, after a security incident is detected, an investigation
is conducted. In some organizations, junior members of the team triage all the incidents and handle the
less severe or lower priority cases themselves. High severity and high priority incidents are handled by
more senior members of the team. You should carefully outline the escalation process so that each team
member understands the criteria for raising an incident’s importance.
Part of the escalation process is tied to understanding how a detected event can affect the security of your
network assets. For example, an attack against hosts running Microsoft SQL Server is not a high priority
for organizations that use a different database server. Similarly, the attack is less important to you if you
use SQL Server on your network, but you are confident that all the servers are patched and are not
vulnerable to the attack. However, if someone has recently installed a copy of the vulnerable version of
the software (perhaps for testing purposes), you may have a greater problem than a cursory investigation
would suggest.
The FireSIGHT System is particularly well suited to supporting the investigation and qualification
process. You can create your own event classifications, and then apply them in a way that best describes
the vulnerabilities on your network. When traffic on your network triggers an event, that event is
automatically prioritized and qualified for you with special indicators showing which attacks are
directed against hosts that are known to be vulnerable.
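The qualification and escalation logic described above, as an added example that is not code from the FireSIGHT System or from this guide: it correlates the software an event's rule targets with a host inventory (the SQL Server scenario from the previous paragraphs, with a patched production server, a freshly installed test box, a host running a different database, and a host the inventory does not know) and applies an escalation rule. The impact labels, the escalation policy, the rule name, the host names, addresses and version strings are all constructed for the example and refer to no real vulnerability.

```python
"""Event qualification and escalation (added example, not FireSIGHT code).

The impact labels, the escalation rule and every host, address, rule name
and version string below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass
class Host:
    ip: str
    name: str
    services: Dict[str, str]  # service name -> installed version (constructed)


@dataclass
class IntrusionEvent:
    src_ip: str
    dst_ip: str
    rule: str                            # constructed rule name, not a real signature
    target_service: str                  # software the rule's attack targets
    vulnerable_versions: FrozenSet[str]  # versions the attack works against (assumed)
    severity: str                        # "low" | "medium" | "high"


# Assumed impact labels, ordered from most to least urgent.
VULNERABLE = "vulnerable"
POTENTIALLY_VULNERABLE = "potentially vulnerable"
NOT_VULNERABLE = "not vulnerable"
UNKNOWN_TARGET = "unknown target"


def qualify(event: IntrusionEvent, inventory: Dict[str, Host]) -> str:
    """Rate an event by what the targeted host is known to run."""
    host = inventory.get(event.dst_ip)
    if host is None:
        return UNKNOWN_TARGET          # nothing known, so the attack cannot be ruled out
    version = host.services.get(event.target_service)
    if version is None:
        return NOT_VULNERABLE          # host does not run the attacked software
    if version in event.vulnerable_versions:
        return VULNERABLE              # e.g. a test box with an unpatched copy
    return POTENTIALLY_VULNERABLE      # runs the software, but a patched build


def triage(event: IntrusionEvent, inventory: Dict[str, Host]) -> dict:
    """Assumed escalation policy: senior handling for confirmed vulnerable
    targets, and for high-severity events against hosts we know nothing about."""
    impact = qualify(event, inventory)
    escalate = impact == VULNERABLE or (
        impact == UNKNOWN_TARGET and event.severity == "high"
    )
    return {
        "rule": event.rule,
        "target": event.dst_ip,
        "impact": impact,
        "assignee": "senior" if escalate else "junior",
        "status": "escalated" if escalate else "new",
    }


# Constructed inventory: a patched production server, a test server someone
# installed with an old build, and a host running a different database.
INVENTORY: Dict[str, Host] = {
    "10.0.0.10": Host("10.0.0.10", "db-prod-1", {"mssql": "2019-cu20"}),
    "10.0.0.11": Host("10.0.0.11", "db-test-7", {"mssql": "2008-sp1"}),
    "10.0.0.20": Host("10.0.0.20", "web-1", {"postgresql": "15.3"}),
}

# Constructed events: one rule fired against four targets, the last of which
# (10.0.0.99) is absent from the inventory.
EVENTS: List[IntrusionEvent] = [
    IntrusionEvent("198.51.100.7", dst, "SAMPLE-MSSQL-REMOTE-EXPLOIT", "mssql",
                   frozenset({"2008-sp1"}), "high")
    for dst in ("10.0.0.10", "10.0.0.11", "10.0.0.20", "10.0.0.99")
]


def run_sample() -> List[dict]:
    """Triage every constructed event against the constructed inventory."""
    return [triage(e, INVENTORY) for e in EVENTS]


if __name__ == "__main__":
    for row in run_sample():
        print(f"{row['target']:<12} {row['impact']:<22} -> "
              f"{row['assignee']} ({row['status']})")
```

The same rule produces four different outcomes: the patched production server is only potentially vulnerable, the test box with the old build is the one that gets escalated, the PostgreSQL host is not vulnerable at all, and the unknown host is escalated precisely because nothing in the inventory can rule the attack out. Keeping the inventory current is therefore as much a part of qualification as the rule set itself.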
The incident tracking feature in the FireSIGHT System also includes a status indicator that you can
change to show which incidents have been escalated.
Communication
All incident handling processes should specify how an incident is communicated between the incident
handling team and both internal and external audiences. For example, you should consider what kinds
of incidents require management intervention and at what level. Also, your process should outline how
and when you communicate with outside organizations. Will some incidents require that you notify law
enforcement agencies? If your hosts are participating in a distributed denial of service (DDoS) against
a remote site, will you inform them? Do you want to share information with organizations such as the
CERT Coordination Center (CERT/CC) or FIRST?
The FireSIGHT System has features that you can use to gather intrusion data in standard formats such
as HTML, PDF, and CSV (comma-separated values) so that you can easily share intrusion data with
others.
For example, CERT/CC collects standard information about security incidents on its web site. CERT/CC
looks for the kinds of information that you can easily extract from the FireSIGHT System, such as:
• information about the affected machines, including:
  • the host name and IP
  • the time zone
  • the purpose or function of the host
• information about the sources of the attack, including:
  • the host name and IP