Incident Response Management Tools

No matter how well your data are protected or how well your WAN is designed, eventually, there will be an outage or a breach of security. It could be a human error, a vulnerability within the network device supporting the WAN, or a host of problems outside your control. No organization’s WAN connection or information security is considered perfect.

When that incident occurs, your organization will need to respond quickly, following a well-thought-out process. The speed and effectiveness of the response will limit the damage, including how well you can control the costs and consequences resulting from the incident. To ensure the organization is well prepared, it’s typical to create an incident response plan so that a skilled IT team, backed by supporting policies, can quickly identify and contain an incident. It’s this team’s responsibility to perform a careful analysis of the cause. Understanding the nature of the attack helps you make changes to prevent it from recurring in the future.

This response team is typically a cross-functional team made up of people from multiple disciplines. It is assembled to respond to major incidents; minor incidents are typically managed as part of normal operations.

Incident response policies are generally broad, covering a wide variety of security incidents. The WAN incident response plan is typically integrated into these broader response plans, including how incidents are classified. You classify incidents both to prioritize the immediate response and to prevent a repeat of the incident in the future. To help prioritize the immediate response, you classify the potential impact on the organization. To help prevent the incident from happening again, you classify its root cause.

An incident analysis should start immediately upon activating the response team. You must quickly determine the type of threat, the scope of the incident, and the extent of the damage, which will allow you to determine the best response. During this analysis, you are collecting information both for the immediate need to contain the incident and for future forensic analysis.

The collection of forensic evidence is an important part of the response team’s responsibility. This means collecting and preserving information that can be used to reconstruct events. The analysis depends on having as much information as possible, particularly about the following:

  • What led up to the event, such as any WAN monitoring that was taking place

  • What happened during the event, such as how many circuits were impacted

  • How effective the response was, such as communication with the service providers
