IPS Security Incident Response Process
cjthedj45
Member Posts: 331
Hi
I'm writing a process for responding to IPS security alerts. Does anyone know if there are any guidelines or an official standard for this? Something aligned with NIST would be good. Cisco has PSIRT, but that's more to do with how Cisco responds to alerts by the look of it, and I think it's a bit more in-depth than what I need.
Any help is much appreciated
Comments
docrice Member Posts: 1,706
While not specific to IPS events, NIST has publication 800-61, which might help:
http://csrc.nist.gov/publications/drafts/800-61-rev2/draft-sp800-61rev2.pdf
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
paul78 Member Posts: 3,016
There may also be a few papers in the SANS reading room on SIEM processes which you may find useful.
SANS: Role of a SIEM in Detecting Events of Interest
http://www.sans.org/reading_room/whitepapers/logging/practical-application-sim-sem-siem-automating-threat-identification_1781
You may also want to check with your SIEM vendor if you are aggregating your IPS alerts.
egrizzly Member Posts: 533
Hi @cjthedj45
My suggestion is two-fold. 1) The focused answer to your request lies in section 3 of the NIST 800-61 document. It's titled Handling an Incident, and 2) because the NIST document is so dated (2012), I recommend getting a highly rated SANS GCIH study guide (GCIH GIAC Certified Incident Handler All-in-One Exam Guide) from Amazon and also documenting the processes from there. The GCIH study guide was published in August 2020 and is quite up to date.
NIST 800-61 document:
Full Link >>> http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
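To make the "section 3, Handling an Incident" suggestion concrete, here is an added example of what the Detection and Analysis step of an IPS alert process can look like in code. It is not from this thread, from NIST, or from any IPS vendor: it groups raw alerts into incidents, scores them with the three prioritization factors SP 800-61 rev. 2 names (functional impact, information impact, recoverability), and tags each incident with the handling phase it should move to. The alert line format, the asset inventory, the scoring weights and the sample feed are all constructed assumptions for the example.

```python
"""Triage of IPS alerts into incident records shaped after the handling
phases in NIST SP 800-61 rev. 2, section 3 (Preparation; Detection and
Analysis; Containment, Eradication and Recovery; Post-Incident Activity).
Example code written for this thread; the alert line format, the asset
inventory and the scoring weights are constructed assumptions."""
import re
from dataclasses import dataclass, field

# Constructed alert format (not any vendor's real syslog layout):
#   <timestamp> IPS sig=<id> sev=<1-5> src=<ip> dst=<ip> action=<alert|drop>
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) IPS sig=(?P<sig>\d+) sev=(?P<sev>[1-5]) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) action=(?P<action>alert|drop)$"
)

# Preparation-phase artefact: a constructed asset inventory recording the
# functional and information impact if each monitored host is compromised.
ASSETS = {
    "10.0.0.5": {"name": "payroll-db", "functional": "high", "information": "high"},
    "10.0.0.9": {"name": "lobby-kiosk", "functional": "low", "information": "none"},
}
UNKNOWN_ASSET = {"name": "unknown", "functional": "medium", "information": "medium"}
LEVEL = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Incident:
    sig: str
    src: str
    dst: str
    count: int
    max_sev: int
    fully_blocked: bool
    asset: dict
    priority: str
    phase: str = "Detection and Analysis"
    next_steps: list = field(default_factory=list)


def parse_alert(line):
    """Return the alert's fields, or None for a line the parser cannot read;
    unreadable lines are counted rather than guessed at."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["sev"] = int(fields["sev"])
    return fields


def prioritize(asset, max_sev, fully_blocked):
    """Score with the 800-61 factors: functional impact, information impact and
    recoverability (a flow the IPS dropped is cheaper to recover from than one
    it only alerted on). The weights and thresholds are constructed."""
    score = LEVEL[asset["functional"]] + LEVEL[asset["information"]]
    score += 0 if fully_blocked else 2
    score += 1 if max_sev >= 4 else 0
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def triage(lines):
    """Group alerts into incidents keyed by (signature, src, dst), score each
    and attach the next handling phase. Returns (incidents, unparsed_count)."""
    groups, unparsed = {}, 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            unparsed += 1
            continue
        g = groups.setdefault((a["sig"], a["src"], a["dst"]),
                              {"count": 0, "max_sev": 0, "blocked": True})
        g["count"] += 1
        g["max_sev"] = max(g["max_sev"], a["sev"])
        g["blocked"] = g["blocked"] and a["action"] == "drop"

    incidents = []
    for (sig, src, dst), g in groups.items():
        asset = ASSETS.get(dst, UNKNOWN_ASSET)
        inc = Incident(sig, src, dst, g["count"], g["max_sev"], g["blocked"],
                       asset, prioritize(asset, g["max_sev"], g["blocked"]))
        if inc.fully_blocked:
            # Nothing reached the host: record it, check the signature is not
            # noisy, and close out under Post-Incident Activity.
            inc.next_steps.append("Post-Incident Activity: confirm drop, review signature tuning")
        else:
            inc.phase = "Containment, Eradication and Recovery"
            inc.next_steps.append(f"Containment: isolate or restrict {dst} ({asset['name']})")
            inc.next_steps.append("Eradication and Recovery: scope host, remove artefacts, restore")
        incidents.append(inc)

    rank = {"high": 0, "medium": 1, "low": 2}
    incidents.sort(key=lambda i: (rank[i.priority], -i.count))
    return incidents, unparsed


# Constructed sample feed: a repeated alert the IPS only logged against the
# payroll host, one dropped probe against a kiosk, and one unreadable line.
SAMPLE_ALERTS = [
    "2024-01-01T10:00:00Z IPS sig=2001 sev=5 src=203.0.113.7 dst=10.0.0.5 action=alert",
    "2024-01-01T10:00:01Z IPS sig=2001 sev=5 src=203.0.113.7 dst=10.0.0.5 action=alert",
    "2024-01-01T10:00:02Z IPS sig=3002 sev=2 src=198.51.100.4 dst=10.0.0.9 action=drop",
    "this line is not an IPS alert",
]

if __name__ == "__main__":
    incs, bad = triage(SAMPLE_ALERTS)
    for i in incs:
        print(i.priority, i.phase, i.sig, i.src, "->", i.dst, f"x{i.count}", i.next_steps)
    print("unparsed lines:", bad)
```

The point of the asset table is that an IPS alert on its own carries only the vendor's severity; the 800-61 prioritization needs what the organisation knows about the destination host, which is why the inventory is a Preparation-phase deliverable in the written process rather than something the analyst looks up during the incident.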