Abstract

Enterprise-level ESMs can provide a secure, centralized, real-time solution for event collection, event processing, incident notification, incident remediation, and incident management. Additionally, they can apply the same capabilities to forensic information. ESM can provide chain-of-custody best practices along with a native case management system and/or integration with third-party case management systems for seamless workflow. The ESM knowledge base can be a repository for policies, procedures, guidelines, contact information, best practices, and the like. Another valuable concept when responding to an incident is sharing information across departments. From a security analyst's perspective, real-time situational awareness assists with incident identification and investigation. Additionally, correlation, anomaly detection, and pattern discovery create a holistic view of the organization's security posture and support the identification of outlier events and patterned incidents. All this is extremely valuable operationally, but an executive manager may need a high-level static report that explains the net risk. The executive manager may also require metrics for measuring employee and technology effectiveness per incident or as trends over time. For a successful incident-management program, ESM must provide all these functions. Finally, enterprise security management solutions are designed for enterprise-level, mission-critical use. They are extremely powerful, scalable, and extensible. They can be used for security management, compliance, and insider threat. They leverage correlation, anomaly detection, pattern discovery, reporting, and automation, thus reducing costs, increasing efficiencies, and delivering useful metrics. With organizations merging traditionally disparate roles such as network operations, system administration, security, compliance, and others, having visibility across an organization's entire environment is paramount.
ESM is particularly effective when leveraged as part of an overall strategy that also considers people and process along with technology.
