PaulDotCom mailing list archives
Incident Response Tracking
From: larrymcdonald at uhost.org (Larry McDonald)
Date: Thu, 7 Jan 2010 17:13:08 -0500
You might check out the following link: http://www.enisa.europa.eu/act/cert/support/guide2/tools-equipment/tracking

It lists server incident tracking tools, some open source and some commercial.

My work uses a custom web application and database, which allows us to upload any files/notes and track time. I am also looking at the use of the Livescribe (www.livescribe.com) pen to print out our custom docs and then allow the investigator to upload notes, both PDF and MP3 if needed, to the database.

Larry.

On Thu, Jan 7, 2010 at 1:43 PM, Jason Wood <tadaka at gmail.com> wrote:

> Thanks for your thoughts on this. I'm already sketching out the process before I go too far on deciding on a tracking tool. Without knowing what we need to do, selecting a tool is problematic at best. Your points definitely underscored that requirement.
>
> One of my requirements is that tracking and timestamping of activities must be solid and easily viewable. Have you implemented a similar requirement and how has that gone for you?
>
> Thanks again.
>
> Jason
>
> On Thu, Jan 7, 2010 at 5:49 AM, <helliott at knology.net> wrote:
>
>> On Thu 10/01/07 6:00 AM, pauldotcom-request at mail.pauldotcom.com sent:
>> Re: Pauldotcom Digest, Vol 16, Issue 7
>>
>>> To those who have a system in place for incident handling, what are your thoughts? What have you found works for you and why? What would you do different if you could?
>>
>> We have an online system for many of the reasons you cite. It has its problems, but it also serves us reasonably well. We are also in the process of completely rewriting it after objectively evaluating our process.
>>
>> Our main focus is a system that supports handoff of the event from one part of the IR team to another. IA staff receive the incident and enter it into the system, then the techs pick it up and work on it - for example, determining the internal IP, the person(s) involved, correlating firewall or server logs with the event, etc. This really is not possible with a spiral notebook unless you are willing to do a lot of phone calling, emailing, note-taking, etc.
>>
>> My advice to you is to focus on the PROCESS, then pick a tool (or design one) that supports your process. DO NOT start with a tool (notebook or automated) and then figure out how to live within that tool. This is essentially what we did wrong, and we now have a tool that has not grown with our procedural evolution.
>>
>> Spend time flowcharting a process, determining what data must be tracked and what reports are desired, what statuses will be demanded by management, etc., roles played within the process, writing policies (if required) and procedures to support the process, collect the data in your paper format if desired, evolve the process, and *then* build a tool that supports the process.
>>
>> Herndon Elliott
>> Madison, AL
>>
>> CNSNEWS.COM REPORTER: "Madame Speaker, where specifically does the Constitution grant Congress the authority to enact an individual health insurance mandate?"
>> SPEAKER OF THE HOUSE NANCY PELOSI, D-CALIF.: "Are you serious? Are you serious?"
>>
>> _______________________________________________
>> Pauldotcom mailing list
>> Pauldotcom at mail.pauldotcom.com
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
>
> --
> irc: Tadaka
> Twitter: Jason_Wood
> jwnetworkconsulting.com

--
Larry McDonald
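Jason asks above for tracking and timestamping of activities that is "solid and easily viewable", and Herndon describes a system built around handoff of an incident from IA staff to the techs. The following is an added example written for this archive page, not code from any list member or from the ENISA-listed tools: a minimal incident record whose activity log is append-only, stamped by the system in UTC, and chained with SHA-256 so that a later edit to any earlier entry is detectable. The role names, status values and allowed transitions are assumptions chosen to mirror the handoff Herndon describes.

```python
"""Incident activity log with system-assigned UTC timestamps, role hand-offs
and a tamper-evident hash chain.

Added example for the mailing-list thread above; it is not code from any
list member.  Status names, roles and the transition table are assumptions.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Assumed hand-off order: IA staff receive the incident, techs are assigned,
# work it, and may hand it back or forward before it is closed.
ALLOWED_TRANSITIONS = {
    "received": {"assigned"},
    "assigned": {"in_progress"},
    "in_progress": {"assigned", "closed"},
}

GENESIS = "0" * 64  # prev_digest of the very first entry


@dataclass
class Activity:
    seq: int
    timestamp: str       # ISO-8601 UTC, set by the system, never by the user
    actor: str
    action: str          # "note" or "handoff"
    detail: str
    prev_digest: str     # digest of the previous entry (chain link)
    digest: str = ""     # SHA-256 over every other field of this entry


def _digest(entry: Activity) -> str:
    """Canonical JSON of all fields except the digest itself, then SHA-256."""
    payload = json.dumps(
        [entry.seq, entry.timestamp, entry.actor, entry.action,
         entry.detail, entry.prev_digest],
        separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


@dataclass
class Incident:
    incident_id: str
    status: str = "received"
    owner: Optional[str] = None
    activities: List[Activity] = field(default_factory=list)

    def _append(self, actor: str, action: str, detail: str,
                now: Optional[datetime] = None) -> Activity:
        # The timestamp is taken here, not supplied by the caller's form data.
        ts = (now or datetime.now(timezone.utc)).isoformat()
        prev = self.activities[-1].digest if self.activities else GENESIS
        entry = Activity(len(self.activities), ts, actor, action, detail, prev)
        entry.digest = _digest(entry)
        self.activities.append(entry)
        return entry

    def note(self, actor: str, detail: str,
             now: Optional[datetime] = None) -> Activity:
        """Record a piece of investigative work (e.g. a log correlation)."""
        return self._append(actor, "note", detail, now)

    def handoff(self, actor: str, new_status: str,
                new_owner: Optional[str] = None,
                now: Optional[datetime] = None) -> Activity:
        """Move the incident to another status/owner; the hand-off itself is logged."""
        if new_status not in ALLOWED_TRANSITIONS.get(self.status, set()):
            raise ValueError(f"transition {self.status} -> {new_status} not allowed")
        detail = f"{self.status}/{self.owner} -> {new_status}/{new_owner}"
        self.status, self.owner = new_status, new_owner
        return self._append(actor, "handoff", detail, now)

    def verify(self) -> bool:
        """Recompute every digest and chain link; False if anything was altered."""
        prev = GENESIS
        for i, a in enumerate(self.activities):
            if a.seq != i or a.prev_digest != prev or _digest(a) != a.digest:
                return False
            prev = a.digest
        return True

    def timeline(self) -> List[str]:
        """The 'easily viewable' form: one line per activity, in order."""
        return [f"{a.timestamp} [{a.seq}] {a.actor} {a.action}: {a.detail}"
                for a in self.activities]


if __name__ == "__main__":
    # Constructed walk-through of the hand-off Herndon describes.
    inc = Incident("INC-EXAMPLE-001")
    inc.handoff("ia-staff", "assigned", new_owner="tech1")
    inc.handoff("tech1", "in_progress", new_owner="tech1")
    inc.note("tech1", "correlated firewall log with the reported event")
    inc.handoff("tech1", "closed")
    print("\n".join(inc.timeline()))
    print("chain intact:", inc.verify())
```

Two design points carry the thread's requirements: the timestamp is assigned inside `_append`, so a user cannot backdate an activity through the form, and a hand-off is itself an entry in the same chain, so "who had it when" is recoverable from the timeline rather than from phone calls and emails. The chain only detects alteration; it does not prevent it, so the stored log still needs the usual access controls and backups.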
Current thread:
- Incident Response Tracking Jason Wood (Jan 06)
- <Possible follow-ups>
- Incident Response Tracking helliott at knology.net (Jan 07)
- Incident Response Tracking Jason Wood (Jan 07)
- Incident Response Tracking Larry McDonald (Jan 07)
- Incident Response Tracking Jason Wood (Jan 07)