Security Monitoring and Incident Management (MIM)

Security Monitoring and Incident Management has become an essential element of the IT security and risk management practice. Regulatory requirements continue to be a primary driver for security monitoring and incident management: they demand that security information be captured, mandate its retention, emphasize its analysis for breach investigation and ask for an overarching process for the management of incidents. The logs generated by information systems, servers, operating systems, security devices, networks and application systems provide critical information that is useful for detecting the state of security. The information generated by different types of devices on a continuous basis yields different sets of information that reflect the pattern of system behavior.

Organizations need to build a capability that enables continuous monitoring of the information flow, correlates the security patterns to detect a security incident that may compromise their security posture and responds to such incidents to minimize their impact. DSCI believes that Security Monitoring and Incident Management (MIM) is an important discipline of security that provides assurance on the capability of an organization in responding to disruptive and destructive information security events.

The success of a security program and the value delivered by security initiatives lie in the organization’s responsiveness to an external attack and its ability to sense and manage an internal data breach. Increased disclosures of security breaches in recent years, which have eroded end users’ confidence in using IT for their transactions, have resulted in policy responses, seen in different compliance regulations, that demand greater oversight and monitoring of the state of security. The compliance regulations also call for a coordinated approach to dealing with events that may compromise the security of an organization.

This is attracting greater focus of the security profession towards defining concepts, finding technical solutions and identifying practices around MIM, which is helping to establish it as an important discipline of information security. DSF pays careful attention to this discipline as it represents an organization’s perseverance in continuous defence and its demonstration of capability against the compliance regulations. DSCI Best Practices represent contemporary understanding in this field; they include evolving practices around MIM and emerging technical solutions that help implement these practices.

  • Create an inventory of all information sources that generate log information useful for the detection of security events or incidents
  • Map the compliance requirements, which state the detection needs of the organization, to the in-scope systems, networks and applications
  • Define an enterprise log management system that specifies an architecture for log collection and management, processes for log management and policies for logging, monitoring and auditing
  • Ensure that the log management architecture satisfies the detection requirements of the organization covering and integrating all information sources
  • Define the incident management requirements of the organization based on compliance requirements, business criticality and security threat ecosystem around the organization
  • Define a strategy for integration of incident management function with the log management system, security intelligence mechanism and infrastructure management processes
  • Create a catalogue of all security services that are required to perform the security operations with regard to the security monitoring and incident management
  • Ensure that a significant level of resources, efforts and skills are dedicated to security monitoring and incident management function
  • Ensure that a significant visibility exists across the organization over the likely incidents, reporting incidents and incident management capabilities of the organization
  • Develop a strategic roadmap for security monitoring and incident management function for adoption of technology and tools evolving in the market, augmentation of skills, running security operation center and availing of services being offered
  • Log Management
    • Define and establish operational processes for log management – for configuration of log sources, collection of logs, storage of data, management and review of logs
    • Ensure that the log collection process is extended to all sources that generate log information useful for the detection requirements of the organization. Ensure that data capture includes all the key events and activity logs
    • Ensure that time consistency is maintained between all log sources through mechanisms such as time stamping and synchronization of servers
    • Ensure that log archival, retention and disposal measures are deployed as per the compliance requirements of the organization
    • Ensure that the log information is available as per the requirements of the security monitoring and forensic investigation of the organization
    • Ensure that a process is established for regular review and analysis of logs and log reports
    • Ensure that a significant level of security is deployed to secure the log management process
  • Security Intelligence
    • Ensure that a mechanism exists for updating knowledge about the threat alerts, malware outbreaks, vulnerabilities, and attack patterns
    • Ensure that the security intelligence mechanism records all historical information about all types of attack the organization’s systems were subjected to, weaknesses of systems and reported vulnerabilities
  • Security Incident Management
    • Create an inventory of incidents that are relevant to the organization’s environment based on the historical information and threat landscape
    • Establish guidelines for the prioritization of incidents based on the criticality of affected resources and the potential technical effects of such incidents
    • Assign a category to each type of incident based on its criticality for prioritization of incidents, arranging proportionate resources, and defining SLAs for remediation services
    • Prepare an incident management plan for all incident types
    • Ensure that the roles and responsibilities for incident management process are defined and documented
    • Ensure that the technical and tactical measures are deployed to detect or report incidents
    • Ensure that a significant level of effort is dedicated to awareness of the incident response process throughout the organization
    • Ensure that a set of business rules exists that helps to detect, identify, analyze and declare incidents from the information collected from different sources
    • Define and establish an escalation process that is accountable for response requirements of the organization
    • Ensure that a mechanism is deployed to notify or escalate to responsible teams for timely addressing and managing incidents
    • Ensure that the incident management system is integrated with infrastructure management processes
    • Ensure that a significant level of collaboration exists with internal (security function, infrastructure management, application support and BDM) and external stakeholders (threat advisory, vulnerability and exploit databases, vendor alerts and computer emergency response teams)
    • Ensure that a security intelligence mechanism exists to manage the knowledge generated from lessons learnt while managing incidents for future use
    • Define the incident management services and the strategy options for arranging the resources for these services
    • Ensure that a process exists for notifying or declaring the incident to the respective regulatory authority, as prescribed by the regulation requirements. For example, reporting an incident to CERT-In
  • Visibility over log and incident management processes
  • Coverage of the program
  • Architectural treatment to MIM
  • Information collection capability
  • Extent and accuracy of security monitoring
  • Intelligence over security information
  • Compliance demonstration
  • Involvement of operating groups
  • Amalgamation with remediation processes
  • Adequacy of resources and skills
  • Responsiveness to incidents
  • Employee awareness
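As an added illustration of the log management and incident management practices above (example code written for this page, not part of the DSCI framework): it normalises timestamps from two constructed log sources to a single clock, applies a business rule to declare a brute-force incident, and assigns the incident a category with a remediation SLA. The source names, field names, thresholds and category table are all assumptions.

```python
"""Added example, not DSCI's own code: a small rule-driven incident detector over
constructed log lines, showing time normalisation, a detection rule, and SLA assignment."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events. The auth server logs in UTC; the firewall logs in
# IST (+05:30), so its entry must be normalised before events are ordered.
SAMPLE_LOGS = [
    ("auth", "2024-03-01T10:00:05+00:00 user=alice result=FAIL src=198.51.100.7"),
    ("auth", "2024-03-01T10:00:09+00:00 user=alice result=FAIL src=198.51.100.7"),
    ("auth", "2024-03-01T10:00:14+00:00 user=alice result=FAIL src=198.51.100.7"),
    ("auth", "2024-03-01T10:00:20+00:00 user=alice result=FAIL src=198.51.100.7"),
    ("auth", "2024-03-01T10:00:25+00:00 user=alice result=FAIL src=198.51.100.7"),
    ("fw",   "2024-03-01T15:31:00+05:30 action=DENY src=198.51.100.7 dst=10.0.0.5"),
    ("auth", "2024-03-01T10:02:00+00:00 user=bob result=OK src=203.0.113.9"),
]

# Hypothetical category table: the criticality decides the SLA for response.
CATEGORIES = {"brute_force": ("high", timedelta(hours=4))}

def parse(source, line):
    """Split 'timestamp k=v k=v ...' into a dict with a UTC-normalised time."""
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.fromisoformat(ts_text).astimezone(timezone.utc)
    return {"source": source, "ts": ts, **fields}

def declare(kind, detected_at, evidence):
    """Assign the category and compute the respond-by deadline from its SLA."""
    criticality, sla = CATEGORIES[kind]
    return {"type": kind, "criticality": criticality, "detected_at": detected_at,
            "respond_by": detected_at + sla, "evidence": evidence}

def detect(events, window=timedelta(minutes=1), threshold=5):
    """Business rule: `threshold` failed logins for one user from one source
    address within `window` declares a brute_force incident."""
    recent = defaultdict(list)
    incidents = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["source"] == "auth" and e.get("result") == "FAIL":
            key = (e["user"], e["src"])
            recent[key] = [t for t in recent[key] if e["ts"] - t <= window]
            recent[key].append(e["ts"])
            if len(recent[key]) == threshold:
                incidents.append(declare("brute_force", e["ts"], key))
    return incidents

if __name__ == "__main__":
    for incident in detect([parse(src, line) for src, line in SAMPLE_LOGS]):
        print(incident)
```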


DSCI Security Framework