IPS Security Incident Response Process
cjthedj45
Hi
I'm writing a process for responding to IPS security alerts. Does anyone know if there are any guidelines or an official standard for this? Something aligned with NIST would be good. Cisco has PSIRT, but that's more to do with how Cisco responds to alerts by the look of it, and I think it's a bit more in-depth than what I need.
Any help is much appreciated.
Comments
docrice
While not specific to IPS events, NIST has publication 800-61 which might help:
http://csrc.nist.gov/publications/drafts/800-61-rev2/draft-sp800-61rev2.pdf
paul78
There may also be a few papers in the SANS reading room on SIEM processes which you may find useful.
SANS: Role of a SIEM in Detecting Events of Interest
http://www.sans.org/reading_room/whitepapers/logging/practical-application-sim-sem-siem-automating-threat-identification_1781
You may also want to check with your SIEM vendor if you are aggregating your IPS alerts.
egrizzly
Hi @cjthedj45,
My suggestion is two-fold. 1) The focused answer to your request lies in section 3 of the NIST 800-61 document, titled "Handling An Incident", and 2) because the NIST document is so dated (2012), I recommend getting a highly rated SANS GCIH study guide (GCIH GIAC Certified Incident Handler All-in-One Exam Guide) from Amazon and also documenting the processes from there. The GCIH study guide was published in August 2020 and is quite up-to-date.
NIST 800-61 document: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
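As an added illustration of the two suggestions above (aggregating the IPS alerts before handling them, and mapping the handling to the steps in section 3 of SP 800-61r2), the following script is example code written for this thread; it is not from NIST, SANS, any IPS vendor or the posters. It assumes Snort-style "fast" alert lines (the thread names no IPS product), a constructed asset inventory, and scoring weights and thresholds that are this example's own policy, not anything prescribed by 800-61. It parses the raw lines, collapses repeats of the same signature and endpoints into one candidate incident (the analysis step), scores each candidate along the lines of the functional-impact, information-impact and recoverability factors 800-61r2 uses for prioritization, and decides whether the candidate moves into containment, stays under investigation, or is closed and kept for rule tuning.

```python
"""Triage of IPS alerts into the SP 800-61r2 section 3 handling steps.

Example code added for this thread, not vendor or NIST code. The alert lines
are constructed samples in a Snort-style "fast" format (an assumption; the
thread names no IPS product). SIDs 1000001+ are the local-rule number range.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample sensor output (documentation IP ranges, local-rule SIDs).
SAMPLE_ALERTS = [
    "03/14-10:01:02.000001  [**] [1:1000001:1] Sample inbound exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:41000 -> 192.0.2.10:443",
    "03/14-10:01:03.000002  [**] [1:1000001:1] Sample inbound exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:41001 -> 192.0.2.10:443",
    "03/14-10:02:10.000003  [**] [1:1000002:1] Sample port scan [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 198.51.100.7:44000 -> 192.0.2.20:1433",
    "03/14-10:05:00.000004  [**] [1:1000003:1] Sample outbound beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.20:51000 -> 198.51.100.9:80",
    "03/14-10:06:00.000005  [**] [1:1000004:1] Sample policy violation [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {UDP} 192.0.2.30:5353 -> 192.0.2.31:5353",
]

# Constructed asset data: the internal prefix and per-host criticality
# (1 low .. 3 high); hosts not listed default to 1.
INTERNAL_PREFIX = "192.0.2."
ASSET_CRITICALITY = {"192.0.2.10": 3, "192.0.2.20": 2}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]+)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


@dataclass
class Alert:
    ts: str
    sid: int
    msg: str
    cls: str
    prio: int
    proto: str
    src: str
    dst: str


def parse_alert(line):
    """Parse one fast-format line; return None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], int(m["sid"]), m["msg"], m["cls"], int(m["prio"]),
                 m["proto"], m["src"], m["dst"])


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def correlate(alerts):
    """Detection and Analysis (800-61r2 3.2): collapse repeats of the same
    signature/source/destination into one candidate incident with its hits."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a.sid, a.src, a.dst)].append(a)
    return groups


def score_group(hits):
    """Prioritization in the spirit of 800-61r2 3.2.6: sensor priority, the
    criticality of the internal endpoint (functional impact), outbound traffic
    from an internal host (possible compromise, information impact) and
    repetition. The weights are this example's own policy."""
    first = hits[0]
    internal_host = first.dst if is_internal(first.dst) else first.src
    sensor = 4 - first.prio  # IPS priority 1 (highest) -> 3
    asset = ASSET_CRITICALITY.get(internal_host, 1)
    outbound = 3 if is_internal(first.src) and not is_internal(first.dst) else 0
    repeat = 1 if len(hits) > 1 else 0
    return sensor + asset + outbound + repeat


def decide(score):
    """Map a score to the handling action and the 800-61r2 phase it enters."""
    if score >= 7:
        return "incident", "Containment, Eradication, and Recovery"
    if score >= 3:
        return "investigate", "Detection and Analysis"
    return "log", "Detection and Analysis (closed; kept for rule tuning and post-incident review)"


def triage(lines):
    """Run the pipeline over raw sensor lines; return records, highest score first."""
    alerts = [a for a in map(parse_alert, lines) if a is not None]
    records = []
    for (sid, src, dst), hits in correlate(alerts).items():
        score = score_group(hits)
        action, phase = decide(score)
        records.append({"sid": sid, "msg": hits[0].msg, "src": src, "dst": dst,
                        "hits": len(hits), "score": score,
                        "action": action, "next_phase": phase})
    records.sort(key=lambda r: (-r["score"], r["sid"]))
    return records


if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS):
        print(f'{r["action"]:11} score={r["score"]} hits={r["hits"]} '
              f'{r["src"]} -> {r["dst"]} {r["msg"]}')
```

On the constructed input, the two identical inbound hits against the criticality-3 host and the single outbound beacon from an internal host both come out as incidents, the scan is left under investigation, and the internal-to-internal policy alert is closed but retained. In a real deployment the parsing step would be replaced by the SIEM export paul78 mentions, the inventory would come from the asset database, and the thresholds would be agreed with whoever owns the escalation path, which is exactly the material the process document should record.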