
Re: [ISSForum] logging incidents and exceptions



Chris wrote:

> For audit and compliance, we are being asked to provide documentation on
> what steps are taken for every IDS alert.  (i.e. was it an incident and
> what steps were taken, was it a false positive, and what steps were
> taken, etc.)

AFAIK, ISS's products won't cover this kind of granular, day-in, day-out
activity. You'd be better served with any of a number of trouble ticketing /
issue resolution systems, since the activity you're describing will never
end.

To automate, I'd use ISS's alerting system to open tickets -- have the
sensors e-mail the ticketing system the pertinent information, and make
liberal use of the quiet time and issue coalescing functionality.

Less automatic, but more flexible, would be to institute a published shift
report (a good example is the ISC/SANS incident handler's diary, here:
http://www.incidents.org/diary.php ).

-- 
Tod Beardsley | www.planb-security.net
_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
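The automation Tod sketches above (sensor mails an alert, the ticketing system opens a ticket, repeats are coalesced during a quiet period, and each ticket ends with a recorded disposition that answers the auditor's "was it an incident / false positive and what was done" question) is shown below as an added example. It is not code from the original post, from ISS, or from any particular ticketing product: the alert line format, the signature names, the timestamps, and the quiet-time rule are all constructed assumptions, and the coalescing is done here on the ticketing side rather than by the sensor's own alerting features.

```python
"""Coalesce IDS alert notifications into trouble tickets with an audit trail.

Added example; not from the original post or any ISS product. The alert line
format below is a hypothetical stand-in for whatever the sensor e-mails.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed one-line-per-alert format: "<ISO timestamp> sig=<name> src=<ip> dst=<ip>"
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"sig=(?P<sig>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

Key = Tuple[str, str, str]  # (signature, source, destination)


@dataclass
class Alert:
    ts: datetime
    sig: str
    src: str
    dst: str

    def key(self) -> Key:
        return (self.sig, self.src, self.dst)


@dataclass
class Ticket:
    ticket_id: int
    key: Key
    first_seen: datetime
    last_seen: datetime
    count: int = 1
    disposition: str = "open"  # open | incident | false-positive
    steps: List[str] = field(default_factory=list)  # what the analyst did


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert line; anything that does not match is ignored, not guessed."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(datetime.fromisoformat(m["ts"]), m["sig"], m["src"], m["dst"])


def coalesce(alerts: List[Alert], quiet_time: timedelta = timedelta(minutes=30)) -> List[Ticket]:
    """Open one ticket per (sig, src, dst). A repeat within quiet_time of the last
    alert on the open ticket is folded into it; a repeat after the quiet period
    opens a fresh ticket so a new wave is not buried in an old one."""
    tickets: List[Ticket] = []
    open_by_key: Dict[Key, Ticket] = {}
    # Sort by timestamp so out-of-order mail delivery does not split tickets.
    for a in sorted(alerts, key=lambda x: x.ts):
        t = open_by_key.get(a.key())
        if t is not None and a.ts - t.last_seen <= quiet_time:
            t.count += 1
            t.last_seen = a.ts
            continue
        t = Ticket(len(tickets) + 1, a.key(), a.ts, a.ts)
        tickets.append(t)
        open_by_key[a.key()] = t
    return tickets


def resolve(ticket: Ticket, disposition: str, step: str) -> None:
    """Record the outcome and the step taken; this is the audit evidence."""
    if disposition not in ("incident", "false-positive"):
        raise ValueError(f"unknown disposition {disposition!r}")
    ticket.disposition = disposition
    ticket.steps.append(step)


def audit_report(tickets: List[Ticket]) -> List[dict]:
    """One record per ticket, in the shape an auditor can read or export."""
    return [
        {"id": t.ticket_id, "signature": t.key[0], "src": t.key[1], "dst": t.key[2],
         "alerts": t.count, "first": t.first_seen.isoformat(),
         "last": t.last_seen.isoformat(), "disposition": t.disposition,
         "steps": list(t.steps)}
        for t in tickets
    ]


# Constructed sample mail bodies: a burst from one host, one unrelated alert,
# the same host again hours later, and one line that is not an alert at all.
SAMPLE_ALERTS = """\
2004-03-01T09:00:00 sig=WEB_Directory_Traversal src=10.1.1.5 dst=192.0.2.10
2004-03-01T09:05:00 sig=WEB_Directory_Traversal src=10.1.1.5 dst=192.0.2.10
2004-03-01T09:20:00 sig=WEB_Directory_Traversal src=10.1.1.5 dst=192.0.2.10
2004-03-01T09:07:00 sig=SMB_Null_Session src=10.1.1.8 dst=192.0.2.20
2004-03-01T12:00:00 sig=WEB_Directory_Traversal src=10.1.1.5 dst=192.0.2.10
Subject: this header line is not an alert
"""


def demo() -> List[Ticket]:
    alerts = [a for a in map(parse_alert, SAMPLE_ALERTS.splitlines()) if a]
    tickets = coalesce(alerts)
    resolve(tickets[0], "false-positive", "Vulnerability scanner run confirmed with the scanning team")
    return tickets


if __name__ == "__main__":
    for rec in audit_report(demo()):
        print(rec)
```

With a 30-minute quiet time the five alerts become three tickets: the 09:00/09:05/09:20 burst is one ticket with a count of three, the SMB alert is its own ticket, and the 12:00 repeat opens a new ticket because it arrives well after the quiet period. Tune quiet_time to the sensor's own coalescing interval so the two layers do not fight each other, and keep the disposition and steps fields mandatory at close time, since an "open" ticket with no steps is exactly what the auditor will flag.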