Today's episode: Incident response
Rishalin Pillay: Having a robust incident response plan is equally important as having a plan in place to keep hackers off your network. Highly specialized abilities are necessary to comprehend the proper response actions to both complex and non-complex incidents. During an incident, you will work with diverse parties that include system engineers, SOC engineers, security engineers, vendors, and more. And of course your analysts would need to work through multitudes of data in order to understand what happened. Incident response has many phases depending on the framework that you follow. One phase that is common is the detection and analysis phase. Within this phase, you would generally work through multitudes of data based on the data sets that you currently have in your enterprise and the logs of those data sets. Some of those categories can range from endpoint removable devices, web servers, email servers, applications, identity provider logs, and a lot more. The reality is that today many organizations struggle with this phase. This can be due to a number of reasons: perhaps they have a solution that cannot scale, or they may not have the ability to ingest all of the data from the diverse systems that they have. The key point to remember is that for the right course of action to be taken during an incident, it is essential to be able to recognize and categorize unusual behavior across multiple data sets. This means that having a good collection of data can be beneficial during an incident, as you will have more insight into what happened during an incident and the response actions that you would need to take.
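An added example, not part of the episode, of what "recognize and categorize unusual behavior across multiple data sets" looks like in practice during the detection and analysis phase. It normalizes constructed log lines from three of the sources mentioned (an identity provider, an endpoint agent reporting removable-device activity, and a web server in combined log format) into one timeline and applies correlation rules that only fire when the sources are read together. All users, hosts, IP addresses, timestamps, log formats and thresholds are hypothetical; the rule names and the `analyze`/`load_sample` helpers are this example's own, not from any product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample logs (hypothetical users, hosts, IPs and times).
IDP_LOG = """\
2024-05-01T09:00:01Z user=alice ip=203.0.113.7 country=ZZ result=FAIL
2024-05-01T09:00:04Z user=alice ip=203.0.113.7 country=ZZ result=FAIL
2024-05-01T09:00:09Z user=alice ip=203.0.113.7 country=ZZ result=FAIL
2024-05-01T09:00:15Z user=alice ip=203.0.113.7 country=ZZ result=SUCCESS
2024-05-01T09:05:00Z user=bob ip=198.51.100.2 country=US result=SUCCESS
"""
ENDPOINT_LOG = """\
2024-05-01T09:02:30Z host=WS-042 user=alice event=usb_insert device=SanDisk_Ultra
2024-05-01T09:10:00Z host=WS-017 user=bob event=process_start image=outlook.exe
"""
WEB_LOG = """\
203.0.113.7 - - [01/May/2024:09:01:00 +0000] "GET /admin HTTP/1.1" 404 12
203.0.113.7 - - [01/May/2024:09:01:01 +0000] "GET /.env HTTP/1.1" 404 12
203.0.113.7 - - [01/May/2024:09:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 12
198.51.100.2 - - [01/May/2024:09:06:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+')

def parse_kv(text, source):
    """Parse 'timestamp key=value ...' lines into normalized event dicts."""
    events = []
    for line in text.splitlines():
        ts_str, rest = line.split(" ", 1)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev = {"ts": ts, "source": source}
        ev.update(dict(KV_RE.findall(rest)))
        events.append(ev)
    return events

def parse_web(text):
    """Parse combined-log-format lines into normalized event dicts."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append({"ts": ts, "source": "web", "ip": m["ip"],
                       "path": m["path"], "status": int(m["status"])})
    return events

def load_sample():
    return parse_kv(IDP_LOG, "idp") + parse_kv(ENDPOINT_LOG, "endpoint") + parse_web(WEB_LOG)

def analyze(events, threshold=3, window=timedelta(minutes=5), followup=timedelta(minutes=15)):
    """Return (category, entity, description) findings from a merged timeline."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []

    # Rule 1 (identity provider only): repeated failures that end in a success.
    suspicious = {}  # user -> the successful sign-in that followed the failures
    by_user = defaultdict(list)
    for e in events:
        if e["source"] == "idp":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "SUCCESS":
                continue
            fails = [f for f in evs[:i] if f["result"] == "FAIL" and e["ts"] - f["ts"] <= window]
            if len(fails) >= threshold:
                suspicious[user] = e
                findings.append(("credential_attack", user,
                                 f"{len(fails)} failures then success from {e['ip']} ({e['country']})"))

    # Rule 2 (identity provider + endpoint): removable media used by that
    # account shortly after the suspicious sign-in. Neither source alone shows this.
    for e in events:
        if e["source"] == "endpoint" and e.get("event") == "usb_insert":
            s = suspicious.get(e["user"])
            if s and timedelta(0) <= e["ts"] - s["ts"] <= followup:
                delay = int((e["ts"] - s["ts"]).total_seconds())
                findings.append(("removable_media_after_compromise", e["user"],
                                 f"{e['device']} inserted on {e['host']} {delay}s after suspicious sign-in"))

    # Rule 3 (web server only): a burst of 404s from one IP within 60 seconds.
    not_found = defaultdict(list)
    for e in events:
        if e["source"] == "web" and e["status"] == 404:
            not_found[e["ip"]].append(e["ts"])
    scanners = set()
    for ip, times in not_found.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= timedelta(seconds=60):
                scanners.add(ip)
                findings.append(("web_scanning", ip, f"{len(times)} 404 responses"))
                break

    # Rule 4 (web server + identity provider): the scanning IP also authenticated.
    idp_ips = {e["ip"] for e in events if e["source"] == "idp"}
    for ip in sorted(scanners & idp_ips):
        findings.append(("cross_source_ip", ip,
                         "same IP scanned the web server and authenticated at the identity provider"))
    return findings

if __name__ == "__main__":
    for category, entity, detail in analyze(load_sample()):
        print(f"{category:34} {entity:14} {detail}")
```

Each parser produces the same shape of event (`ts`, `source`, plus source-specific fields), which is the point: once sources share a timeline and entity keys (user, IP, host), rules 2 and 4 can pivot between them. If any one source were missing from the collection, the account takeover followed by data staging on removable media would look like three unrelated, low-severity events.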