214 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
Known problems and known errors are resolved according to procedure. e
Help Desk proles previously unencountered problems and escalates them to
the appropriate second tier groups according to operating system, software applica-
tion, hardware, or service. Second tier investigation and diagnosis may result in
resolution or in escalating it to more experienced, specialized support personnel
in Tier 3 support, or even in engaging vendor support.
e primary objective of incident management is to restore normal operations
expediently. Treating the symptom may result in temporary resolution and recovery
of aected equipment or software. However, before the incident can be closed, a root
cause analysis (RCA) should be performed to be sure that the real problem is identi-
ed and resolved. Otherwise, the problem will repeat itself. A repeat of known errors
implies a need to review what triggered the known cause. A repeat of a known prob-
lem should result in escalating the incident details to those investigating the root
cause. e investigation group may be internal to the enterprise or external (e.g.,
software vendor). Note: Verify that management and legal review and approve any
information about a security incident prior to sharing it outside the organization.
A user request for a new service (e.g., new software application) is a request
for change to the Help Desk; such requests are not security events. Likewise, nei-
ther is a request for a password reset a security event. However, tracking password
resets is appropriate to be aware of patterns of excessive requests that may not be
incidents in themselves, but clues of potential broader anomalous activity. Security
operations are in part formulaic, in that you can map out scenarios and response
activities to those scenarios, i.e., you expect actions, they happen, and you respond
accordingly. Security operations are also in part an art form. Like detectives, secu-
rity operations personnel follow procedure, but with awareness that procedure only
goes so far and there are times to deviate in response to unexpected threat activity.
Monitor
Monitor the enterprise for anomalies. Not all anomalies are events; some anomalies
are just unexplained or misunderstood. An anomaly becomes an event after eorts
to explain or understand have failed. An event becomes an incident when danger of
loss to the enterprise (i.e., violation of one or more of the core security principles) is
evident. An incident becomes an attack when you discover intelligence and intent
behind the incident.
Monitoring includes the following:
◾ Audit log analysis
◾ Audit log aggregation
◾ IDS (network IDS [NIDS], host IDS [HIDS])
◾ Content ltering
◾ Firewalls