LINEARSTACK
March 23, 2023

Incident Management vs. Incident Response

IM vs IR, what’s the difference? Should you merge them? What complexities does that bring?

Organisations increasingly recognise the need to understand better how incident response and incident management groups overlap. Often, companies merge these functions into one team to save costs and reduce complexity. Consolidating these functions creates far more challenges than most organisations realise.

Definition of the incident management business process

Cybersecurity attacks against organisations are no longer single-threaded. Hackers and cybercriminals can attack many elements of an organisation simultaneously, not just one host or user. How will organisations organise, triage, and prioritise a multi-threat attack before managing it?

Incident management (IM) is a core business process that manages all facets of a cybersecurity crisis. IM handles all crisis workflows while providing a conduit for communication with other organisational stakeholders, including risk management, compliance, and governance, and keeps the senior leadership team informed. IM also works directly with the computer security incident response team (CSIRT). CSIRT provides forensic analysis, technical findings, and response-workflow data that feed into the various stages of the ITSM framework.

Incident response technical process

CSIRT is the front-line team monitoring, responding to, remediating, and documenting all security events coming into the organisation. CSIRT teams comprise several groups, including SecOps, DevOps, and NetSecOps. These teams are trained experts in identifying a security breach anywhere in the environment. They manage all the adaptive security controls, including firewalls, IDS, identity management, cloud security, and endpoint protection, and they also handle the patching and remediation of all systems. During a multi-thread attack, CSIRT has defined standard operating procedures and security automation capabilities to isolate, contain, and remediate the various attacks. Capturing the stages of an attack, or kill chain, is also a critical task for the CSIRT team. The kill chain data is fed to the incident management team. IM receives the data feeds from CSIRT and begins documenting the workflow to manage the current crisis.

Understanding the role in incident management workflows

Once IM reads the incident response data feeds from CSIRT, the team processes the impact of the incidents into various management systems, including risk management, compliance, governance monitoring, and discovery archives. IM teams globally leverage the Information Technology Infrastructure Library (ITIL) management framework. ITIL publishes several management frameworks for organisations; IM teams use its information technology service management (ITSM) framework for security incident management. ITSM provides a proven framework for managing a crisis by collecting critical data elements while leveraging industry-wide best practices for reporting and escalation.

The ITSM framework includes the following recommended workflows:

  • Incident Logging - Logging the actual events from the estimated start of the incident.
  • Incident Categorisation - Categorising the attack: ransomware, DoS, brute force.
  • Incident Prioritisation - Is the incident high, medium, or low priority?
  • Incident Assignment - Which team is the lead? CSIRT? Risk management? SecOps?
  • Task Creation & Management - Creating the agile workflow to resolve the security event.
  • SLA Management & Escalation - Setting service level agreements for service restoration and escalating when they are missed.
  • Incident Resolution - Documenting the resolution of the security events.
  • Incident Closure - Closing the event and documenting lessons learned.

IM processes these feeds to determine broader business impacts from malicious activity.
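As an added illustration (not part of the LinearStack post), the following Python sketch models the CSIRT-to-IM hand-off described above: kill-chain events from the CSIRT feed are aggregated into a single ITSM incident record, and the logging, categorisation, prioritisation, assignment and SLA-escalation steps are applied to it. The category-to-priority and priority-to-SLA mappings, the assignment rule, and the sample feed are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed mappings (not from the post): category -> priority, priority -> SLA hours.
CATEGORY_PRIORITY = {"ransomware": "high", "dos": "high", "brute_force": "medium"}
SLA_HOURS = {"high": 4, "medium": 24, "low": 72}

@dataclass
class CsirtEvent:  # one entry of the CSIRT -> IM data feed
    ts: datetime
    stage: str      # kill-chain stage, e.g. "exploitation", "lateral_movement"
    category: str   # ITSM category: ransomware, dos, brute_force
    host: str
@dataclass
class Incident:    # the IM (ITSM) record built from the feed
    logged_at: datetime
    category: str
    priority: str
    lead: str
    hosts: list
    stages: list
    sla_deadline: datetime

def build_incident(events, critical_hosts):
    """Logging, categorisation, prioritisation and assignment for one kill chain."""
    events = sorted(events, key=lambda e: e.ts)      # log from the earliest event
    # Categorise by the most severe category seen (the one with the shortest SLA).
    category = min((e.category for e in events),
                   key=lambda c: SLA_HOURS[CATEGORY_PRIORITY.get(c, "low")])
    priority = CATEGORY_PRIORITY.get(category, "low")
    hosts = sorted({e.host for e in events})
    stages = [e.stage for e in events]
    # Raise priority when a critical asset or lateral movement appears in the chain.
    if set(hosts) & set(critical_hosts) or "lateral_movement" in stages:
        priority = "high"
    lead = "CSIRT" if priority == "high" else "SecOps"   # assumed assignment rule
    deadline = events[0].ts + timedelta(hours=SLA_HOURS[priority])
    return Incident(events[0].ts, category, priority, lead, hosts, stages, deadline)

def check_escalation(inc, now):
    """SLA management: True once the restoration SLA has passed and IM must escalate."""
    return now > inc.sla_deadline

# Constructed sample feed: brute force on a VPN gateway, then ransomware moving laterally.
T0 = datetime(2023, 3, 23, 9, 0)
SAMPLE_FEED = [
    CsirtEvent(T0, "reconnaissance", "brute_force", "vpn-gw-01"),
    CsirtEvent(T0 + timedelta(minutes=40), "exploitation", "brute_force", "vpn-gw-01"),
    CsirtEvent(T0 + timedelta(hours=2), "lateral_movement", "ransomware", "file-srv-02"),
]
```

Running `build_incident(SAMPLE_FEED, {"file-srv-02"})` yields one high-priority ransomware record covering both hosts with a four-hour restoration SLA, which `check_escalation` flags once that deadline has passed.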

Operational incident response workflow

Like the IM team, CSIRT also follows ITIL framework recommendations to support its incident response procedures. Handling several security breaches at once requires a consistent workflow that CSIRT can align with and that provides the critical information feeds into the IM framework.

Leveraging a similar ITIL model, CSIRT follows this workflow:

  • Prepare - Define the various response capabilities for SecOps and other departments to execute ahead of time. Working with risk management, CSIRT can develop more detailed preparation strategies for the most critical assets in the organisation first.
  • Identify - Leveraging quarterly and annual penetration testing, CSIRT will know which systems are most vulnerable and should consider remediating these systems before a breach occurs.
  • Contain - With the rise of ransomware attacks in recent years, CSIRT, SecOps, and NetSecOps continue to invest in containment strategies to help stop lateral movement propagation. A containment response plan should be tested and automated before any attack.
  • Eradicate - CSIRT, working with DevOps, SecOps, and NetSecOps, will execute all responsive adaptive controls, including patch management and containment, along with shutting down systems as part of the incident response protection strategy. Once all systems have been patched and the attack has been blocked, the various teams begin to restore the systems.
  • Restore - CSIRT, working with IM and risk management, will determine which systems need to be restored first.
  • Learn - CSIRT and other teams, including IM, will capture all forensic information and place the contents into a discovery archive. This storage system will help all groups learn about the attack and how CSIRT eradicated the event.
  • Test - CSIRT, working with DevOps, SecOps, and NetSecOps, will test the adaptive control processes and automation to validate that the event is eradicated. Many organisations will execute a pen test with a third-party test team to validate that the adaptive controls work and the attack has stopped.
  • Repeat - Learning from the event, IM and CSIRT will document the successful event sequence as a best practice for future security events.

Confluence layers with incident management and incident response

While both teams serve a similar purpose, protecting the organisation and responding to cyber security attacks, the groups also have some apparent differences.

  • Technical versus business operation - IM is more business-operation focused, while CSIRT is more technical.
  • Organisation-wide escalation - While CSIRT deals with the security breach in real time, IM handles the escalation and crisis communications across the organisation.
  • Managing several events into a single kill chain - CSIRT creates the various kill chain reports that feed into the IM management system to give risk management and compliance teams near-real-time visibility of possible impacts on the organisation's governance status.
  • Coordinating resources, internal and external - CSIRT teams focus their resources on stopping the attack during the cybersecurity event. IM handles both internal and external coordination of resources to help CSIRT with additional capabilities.
  • Active incident response activity - CSIRT, SecOps, NetSecOps, and DevOps work collectively to stop east-west lateral attacks from propagating across the entire enterprise. IM monitors the situation through data feeds and updates.
  • Determining the risk and impact to the organisation - Processing the data feeds from CSIRT, IM coordinates with the risk management and compliance teams to determine any change of status specific to risk management and compliance mandates.
  • Making recommendations for architectural changes - After the events have subsided, CSIRT, SecOps, DevOps, and NetSecOps will recommend to IM short-term and long-term architecture changes to help prevent future attacks. These recommendations come from the learn, test, and repeat elements of the ITSM framework.

Conclusion

IM sits within and across the whole incident management process, ensuring all stages of an incident are handled. It handles communication and media, escalates and reports issues, and pulls them together coherently.

Incident response involves triaging issues, analysing them in depth, taking appropriate action, and recovering from incidents.

One of the most common viewpoints on the difference between incident response and incident management is that incident response focuses on the technical processes required to resolve an incident. In contrast, incident management deals with managing the broader impacts of an incident on the organisation.

Why LinearStack?

Our Incident Response and Threat Management services are designed for organisations that need specialist support with the more complex cyber security products and skillsets.

Our experienced team is calm under fire to provide a measured and carefully thought-out response. They will work quickly and methodically on your behalf in a time-critical situation.

We identify risks in your IT environment and processes. Then, armed with the latest cyberthreat intelligence, we marry your risk profile with a tailored strategy to make your organisation resilient to attacks.

About Us

LinearStack is a New Zealand-owned and operated specialised cyber security services company with a global footprint.

The core focus of our business is to accelerate our customers' cyber security operations with the help of our cyber defence services. We augment our clients' teams by acting as a true extension of their team, empowering our clients to prioritise their cyber security strategy and customers while we protect their business from cyber threats 24x7.

We believe maintaining thriving IT systems and assuring data protection are fundamental needs that all businesses deserve.

Get in touch with us today:

Phone: 0800 008 795

Email: info@linearstack.co.nz

Website: https://linearstack.co.nz
