Hi There,
Hi,

Would appreciate if anyone can share what we should include to formulate an IDS/IPS incident escalation procedure.

Thanks,
Jim

-------

Jim,

You'll want to take into account the expected effort versus the expected outcome of the incident. For example, your network has a worm outbreak. The expected effort is medium (reimage and repatch computers to a known baseline), but the expected outcome is low (no law enforcement involvement). However, a million credit cards are stolen. The expected effort is high (create forensically sound images, etc.) and the expected outcome is high (law enforcement involvement and severe public relations).

This leads to a categorization of incidents and possibly matrixing. You may want to have columns labeled "sysadmin", "forensics team", "CSO/CIO", and "president", with rows labeled "virus/worm", "unauthorized user", "unauthorized root", "insecure information handling", etc. Where the boxes meet, a defined response and/or a check box (meaning the level of notification, which would be explained elsewhere).

Hopefully, this helps.

R/
John Lokka, CISSP
