Cyber attacks frequently target personal and business data, and it is critical to respond quickly to minimize the damage should a breach occur. Cyber incident response covers the plans and activities undertaken to identify and investigate an incident, remediate it, assess the damage, and prevent further damage. It is important for an organization to have a well-thought-out cyber incident response plan that includes detailed blueprints of the activities, and their owners, for how it will respond to a security incident.
A good portion of the security research done at Cygilant is done around alerting. For us, an alert occurs when a data point in a log message contains a value we were waiting to see. These data points are usually values such as IP addresses, authentication statuses, network protocols or error codes. This work is ongoing because there are continually new and better ways to determine whether something unique or nefarious is occurring on systems. The log messages we parse come from devices and applications deployed within the environment and are commonly referred to as SIEM (security information and event management) data. Most of the hardware and software you are familiar with produce SIEM data, which makes it useful for determining what is happening on the systems you are monitoring.
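The alerting idea described above, as an added example that is not Cygilant's own code: constructed key=value log lines are parsed into data points, each data point is compared against a per-field watchlist (a known-bad source address, a failed authentication status, a server error code), and matching records are correlated so repeated failures from one source stand out. The log format, field names and watch values are all assumptions for illustration.

```python
import re

# Constructed sample log lines (not real SIEM data), in a syslog-like key=value style.
SAMPLE_LOGS = [
    'Jan 10 08:01:02 fw01 conn: src=10.0.0.5 dst=203.0.113.9 proto=tcp status=allow',
    'Jan 10 08:01:05 vpn01 auth: user=alice src=198.51.100.23 status=failure',
    'Jan 10 08:01:07 web01 http: src=192.0.2.77 dst=10.0.0.8 proto=tcp code=500',
    'Jan 10 08:01:09 vpn01 auth: user=bob src=198.51.100.23 status=failure',
]

# Per-field watch values: the "values we were waiting to see" (constructed examples).
WATCHLIST = {
    'src': {'198.51.100.23'},   # a source address we consider suspicious
    'status': {'failure'},      # a failed authentication
    'code': {'500'},            # a server error code
}

FIELD_RE = re.compile(r'(\w+)=(\S+)')


def parse_line(line):
    """Split one log line into its data points; host and log source come from the header."""
    head, _, body = line.partition(': ')
    parts = head.split()               # ['Jan', '10', '08:01:02', 'fw01', 'conn']
    fields = dict(FIELD_RE.findall(body))
    fields['host'] = parts[3]
    fields['source'] = parts[4]
    return fields


def check_alerts(fields, watchlist=WATCHLIST):
    """Return the (field, value) pairs of this record that match a watched value."""
    return [(k, v) for k, v in fields.items() if v in watchlist.get(k, ())]


def scan(lines, watchlist=WATCHLIST):
    """Run the watchlist over every line; one alert per matching data point."""
    alerts = []
    for line in lines:
        fields = parse_line(line)
        for field, value in check_alerts(fields, watchlist):
            alerts.append({'host': fields['host'], 'field': field,
                           'value': value, 'record': fields})
    return alerts


def repeated_failures(alerts, threshold=2):
    """Correlate failed-authentication alerts by source address; report sources at or over the threshold."""
    counts = {}
    for a in alerts:
        if a['field'] == 'status' and a['value'] == 'failure':
            src = a['record'].get('src', 'unknown')
            counts[src] = counts.get(src, 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}
```

Running `scan(SAMPLE_LOGS)` on the four constructed lines yields five alerts, and `repeated_failures` narrows them to the one source with two failed logins.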