
Network traffic analysis for IR: Data analysis for incident response
Introduction
While no two incidents are the same, security professionals have come to rely on pre-established procedures and best practices to help contain a security breach and recover from it. Having an incident response plan in place is also a requirement for remaining compliant with regulations ranging from HIPAA to PCI-DSS, and its practical application is covered by all major cybersecurity professional certifications.
One of the most widely used incident response frameworks is the one published by the National Institute of Standards and Technology (NIST). Many others exist, but they generally share the same core phases as the NIST framework:
- Preparation
- Detection and analysis
- Containment
- Eradication
- Recovery
- Post-incident activity
The development, implementation and maintenance of an incident response plan, as well as the various roles played throughout an organization, could each fill a university course of its own. But one skill in particular — data analysis — is often overlooked in the role it can play throughout the incident life cycle.
The goal of this article, therefore, is to highlight the different ways security professionals use and analyze data throughout the incident response process, and to offer recommendations organizations can follow so they are better prepared to use the information available to them.
The role of data analysis in incident response
A common theme across incident response plans is the role of preparation: not just creating and maintaining an incident response procedure, but also having the tools and systems in place to help an organization prevent, detect and mitigate the negative effects of an incident.
Although many of these components can be considered more of a “science,” the way data is used to inform, validate and support decision-making, and to shed light on the various parts and phases of incident response, can be more of an “art.”
This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Patrick Mallory. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/6HUHzHPtPUA/