The goal of intrusion response is to minimize damage to the institution and its customers through containment of the intrusion, restoration of systems, and assistance to customers.
The response primarily involves people rather than technologies. The quality of intrusion response is a function of the institution's culture, policies and procedures, and training.
Preparation determines the success of any intrusion response. This involves defining the policies and procedures that guide the response, assigning responsibilities to individuals, providing appropriate training, formalizing information flows, and selecting, installing, and understanding the tools used in the response effort. Key considerations that directly affect the institution's policies and procedures include the following:
Successful implementation of any response policy and procedure requires the assignment of responsibilities and training. Some organizations formalize the response program with the creation of a computer security incident response team (CSIRT). The CSIRT is typically tasked with performing, coordinating, and supporting responses to security incidents. Because an intrusion poses a wide range of technical and nontechnical issues, typical CSIRT membership includes individuals with a wide range of backgrounds and expertise, from many different areas within the institution. Those areas include management, legal, public relations, and information technology. Other organizations may outsource some of the CSIRT functions, such as forensic examinations. When CSIRT functions are outsourced, institutions should ensure that the service provider follows the institution's policies and maintains the confidentiality of data.
Institutions should assess the adequacy of their preparations through testing.
While containment strategies can vary between institutions, they typically include the following broad elements:
Restoration strategies should address the following: