The National Institute of Standards and Technology (NIST) defines incident response as the “mitigation of violations of security policies and recommended practices.” Incident response (IR) is the point at which the SOC shifts into high gear to contain, eradicate and recover from an attack before data are lost or the business is irreversibly damaged. The incident response procedure involves several steps and requires a coordinated team to return the organisation to business as usual.
Main challenges:
1. Too many specialised tools: The incident response procedure depends on too many specialised tools, which slows analysts down and delays the necessary response steps. Rigidly defined tools also demand sustained manual effort to stop an attack.
2. Partial visibility: Data that are missing, or siloed in disparate and unreliable tools, obscure the overall picture, forcing security operations to react without sufficient information to set up a complete line of defense.
3. Architectural complexity: The move to the cloud and the growth of hybrid architectures expand the surface that must be defended, complicating both investigation and the incident response procedure.