On Jan 5, 2010, at 12:39 PM, Stefan Fouant wrote:

> The trick is to try to automate as much around the process as possible - I've
> worked in environments where just making little changes to incident handling
> response methods reduced the time to mitigate an attack from hours to
> minutes, all the while still requiring an operator to press the "big red
> button" to offramp and enable the mitigation.
Concur 100% - and when the end-customer is under attack and screaming, this reduction in time to detect/classify/traceback/mitigate makes all the difference.

Your very salient comments highlight the paramount importance of preparation as the key enabling phase of the six-phase security incident-handling methodology:

1. Preparation.
2. Detection/identification.
3. Classification.
4. Traceback.
5. Reaction.
6. Post-mortem (feeding lessons learned back into the Preparation phase).

-----------------------------------------------------------------------
Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken
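The pattern both posters describe, automating detection, classification and traceback but leaving the "big red button" to an operator, as an added illustration that is not part of the thread or of any product mentioned in it. The flow records, the per-destination baselines, the interface names and the mitigation string are all constructed placeholders; a real pipeline would read telemetry from a collector and render a vendor-specific filter or diversion announcement instead of a text description.

```python
"""Added example: a minimal incident-handling pipeline that automates the
detection -> classification -> traceback phases over constructed flow
records, stages a mitigation, and applies it only when an operator
explicitly approves it. Not code from the mailing-list thread."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample flow records (hypothetical NetFlow-like summaries).
# Fields: ingress interface, src IP, dst IP, proto, src port, dst port, packets.
FLOWS = [
    ("ge-0/0/1", "198.51.100.7", "203.0.113.10", "udp", 123, 1234, 90000),
    ("ge-0/0/1", "198.51.100.8", "203.0.113.10", "udp", 123, 1234, 85000),
    ("ge-0/0/2", "198.51.100.9", "203.0.113.10", "udp", 123, 1234, 40000),
    ("ge-0/0/3", "192.0.2.50", "203.0.113.20", "tcp", 44512, 443, 120),
    ("ge-0/0/3", "192.0.2.51", "203.0.113.20", "tcp", 44513, 443, 95),
]

# Output of the Preparation phase: per-destination baseline packet counts for
# the observation window (hypothetical values learned ahead of time).
BASELINE_PPS = {"203.0.113.10": 2000, "203.0.113.20": 500}
ANOMALY_FACTOR = 10  # alert when observed traffic exceeds baseline by this factor


@dataclass
class Incident:
    target: str
    packets: int
    classification: str
    ingress: list          # interfaces carrying the traffic, busiest first
    mitigation: str        # staged, human-readable description (placeholder)
    approved: bool = False
    applied: bool = False


def detect(flows, baselines, factor=ANOMALY_FACTOR):
    """Detection: sum packets per destination and flag those far above baseline."""
    per_dst = Counter()
    for _, _, dst, _, _, _, pkts in flows:
        per_dst[dst] += pkts
    return {dst: n for dst, n in per_dst.items()
            if n > baselines.get(dst, 0) * factor}


def classify(flows, target):
    """Classification: a crude signature on protocol and dominant source port."""
    srcports = Counter()
    for _, _, dst, proto, sport, _, pkts in flows:
        if dst == target:
            srcports[(proto, sport)] += pkts
    (proto, sport), _ = srcports.most_common(1)[0]
    if proto == "udp" and sport in (53, 123, 161, 1900):
        return f"udp-reflection/amplification (src port {sport})"
    if proto == "tcp":
        return "tcp-flood"
    return "unclassified"


def traceback(flows, target):
    """Traceback: rank ingress interfaces by packets sent toward the target."""
    per_if = Counter()
    for iface, _, dst, _, _, _, pkts in flows:
        if dst == target:
            per_if[iface] += pkts
    return [iface for iface, _ in per_if.most_common()]


def stage_mitigation(flows, baselines):
    """Run the automated phases and stage (but do not apply) a mitigation."""
    incidents = []
    for target, pkts in detect(flows, baselines).items():
        incidents.append(Incident(
            target=target,
            packets=pkts,
            classification=classify(flows, target),
            ingress=traceback(flows, target),
            # Placeholder text; a real system would render the actual config here.
            mitigation=f"divert {target}/32 to scrubbing; rate-limit udp/123 on ingress",
        ))
    return incidents


def press_big_red_button(incident, operator_confirmed):
    """Reaction: the staged mitigation is enabled only on explicit operator approval."""
    if not operator_confirmed:
        return False
    incident.approved = True
    incident.applied = True   # a real system would push the staged config here
    return True


if __name__ == "__main__":
    for inc in stage_mitigation(FLOWS, BASELINE_PPS):
        print(f"{inc.target}: {inc.packets} pkts, {inc.classification}, via {inc.ingress}")
        print(f"  staged: {inc.mitigation}")
        press_big_red_button(inc, operator_confirmed=True)
        print(f"  applied: {inc.applied}")
```

The point of the split between `stage_mitigation` and `press_big_red_button` is that everything up to and including the staged change is safe to automate and run continuously, while the state-changing step is gated on a deliberate human decision; the time saved is in the phases before the button, not in removing the button.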