The importance of incident response downtime

Powered by SC Magazine
 

Responders need time to think, read and document.

This year I changed teams at the day job and I've had some time to compare and contrast a few incident-response models that I've seen or participated in over the years.

The big change for me was that I went from four hours a day in meetings down to two hours a week.

Not only has my productivity gone up, but I feel much less stressed and harried, even when an incident at-hand is severe.

Common incident-response team models

I've seen incident-response teams organised in one of three ways. The choice of model seems to depend on the size of the environment and the level of perceived threat.

They can be described as:

  • One-man-band
  • Volunteer fire department
  • Police department

One-man-band

The one-man-band invariably occurs in small organisations that have only one full-time or part-time IT person.

I've been in the shoes of these jacks-of-all-trades and I don't envy them: they are either already master jugglers or facing a nervous breakdown.

The only advice I have for them is to try and track time spent on:

  • Building the infrastructure (design, or new installs)
  • Maintaining the infrastructure (upgrades, patching, and what passes for trouble tickets in your environment)
  • Defending the infrastructure (maintaining security tools, training users)
  • Responding when the defence fails (dealing with a compromised or infected system)

This may help you organise your budget or lobby for more help.

Volunteer fire department

An organisation that is large enough to have a real IT staff, but not big enough or under enough (perceived) threat to justify full-time IT security staff, falls into this category.

Individuals with the appropriate skills or desire may be tapped from time to time to help respond to the periodic infection or intrusion.

As the threat or exposure grows, some people will find themselves always responding to incidents. At this point it is time to move to the next model.

Police department

An organisation with a dedicated security staff can also become overwhelmed by the challenge of balancing the constant flow of events against ongoing improvement of the environment's security.

Staff can either be pigeon-holed into narrow tasks or expected to know everything. Managing the personnel and their time can be very challenging.

Stand-by time

Stand-by time is time set aside in the daily schedule and devoted to incident response.

It should focus on the first stage of incident response: preparation.

It is time spent keeping up to date on security news and events, updating documentation, and building tools and response processes.

Stand-by time is interruptible should an incident arise, but it is not interruptible for other meetings or projects.

It is important because incident-response team members need time to step out of the event stream and gather their thoughts so they can produce the documentation the organisation needs.

Similarly, if an incident responder is tasked with organising and managing a long-term project but does not have the time to organise and manage that project, it is going to suffer.

Scheduling stand-by time

Ideally, someone on the dedicated incident-response staff should be on stand-by during hours of operation.

This is not on-call time, but time spent in the office doing the job of keeping up to date and preparing.

Overlapping this time between team members helps with collaboration on both tool-building and updating processes.

Daily chunks of stand-by time give the incident-response team time to improve documentation.

Via the Internet Storm Center

Copyright © SC Magazine, Australia