- Patch Management
- Device Compliance
- Security Device Monitoring
- Network and Internet Access
- Device Identity Management
- User Identity Management
- User Access
- Application Robustness
- User Security Awareness
An incident is a chain of events that may signal an attack in your network. It is, of course, very important to have a good methodology to simplify and expedite the detection, mitigation, reporting, and analysis of an incident. All this information can be captured in a case report with a case management tool and escalated to the relevant personnel. So, my question is, how effective are you or your organization in the detection, mitigation, reporting, and analysis of an incident in your network? You should at the very minimum ask the following questions and collect the corresponding metrics.
- How long does it take to identify an event?
- How long does it take to identify an incident?
- How long does it take to contain or mitigate an incident?
Let’s look at the following figure:
- To: the time when an event occurs on the network
- Te: the time when the event is detected on the network
- Ti: the time when the event is classified as an incident
- Tc: the time when the incident is contained on the network
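As an added example (not part of the original post), here is how those four marks turn into the three metrics the questions above ask for. It assumes each duration is measured from To, that a case may not yet have reached Ti or Tc, and it uses constructed case-report data.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass
class CaseRecord:
    """One case-report entry carrying the four timeline marks (To, Te, Ti, Tc)."""
    case_id: str
    to: datetime             # To: event occurs
    te: datetime             # Te: event detected
    ti: Optional[datetime]   # Ti: classified as an incident (None if still an event)
    tc: Optional[datetime]   # Tc: incident contained (None if still open)


def stage_durations(rec: CaseRecord) -> dict:
    """Minutes from To to each stage (assumption: all measured from To).
    Stages not yet reached are None; out-of-order marks raise ValueError."""
    marks = [m for m in (rec.to, rec.te, rec.ti, rec.tc) if m is not None]
    if any(a > b for a, b in zip(marks, marks[1:])):
        raise ValueError(f"{rec.case_id}: marks must satisfy To <= Te <= Ti <= Tc")
    mins = lambda t: None if t is None else (t - rec.to).total_seconds() / 60
    return {"detect": mins(rec.te), "identify": mins(rec.ti), "contain": mins(rec.tc)}


def summarize(records) -> dict:
    """Median of each metric over the cases that reached that stage,
    plus the number of cases still open (no Tc yet)."""
    durations = [stage_durations(r) for r in records]
    out = {}
    for key in ("detect", "identify", "contain"):
        vals = [d[key] for d in durations if d[key] is not None]
        out[key] = median(vals) if vals else None
    out["open"] = sum(1 for r in records if r.tc is None)
    return out


# Constructed sample case reports (not real data).
_ts = datetime.fromisoformat
CASES = [
    CaseRecord("C-001", _ts("2024-03-01T08:00"), _ts("2024-03-01T08:30"),
               _ts("2024-03-01T09:00"), _ts("2024-03-01T11:00")),
    CaseRecord("C-002", _ts("2024-03-02T14:00"), _ts("2024-03-02T16:00"),
               _ts("2024-03-02T16:30"), None),   # still being contained
    CaseRecord("C-003", _ts("2024-03-03T02:00"), _ts("2024-03-03T02:10"),
               None, None),                      # still an event, not yet classified
]

if __name__ == "__main__":
    print(summarize(CASES))
```

Tracking these medians over time, and the count of open cases, is what lets you answer the three questions with numbers rather than impressions.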