6 Incident Response

Incident response is the process of handling a computer security attack once it occurs. Incident response activities include event validation, attack analysis and containment, data collection and retention, problem repair, and service recovery. It is therefore important to modify the organization's incident response plan to address the differences between the organization's own computing environment and the cloud. This is a prerequisite for migrating applications and data, but in most cases it is ignored.
Most organizations use several types of network-based and host-based security software to detect malicious activity, protect systems and data, and support incident response. Security software is therefore the main source of computer security log data. Common network-based and host-based security software includes the following:

Malware countermeasures. The most common form of anti-malware is antivirus software, which logs every instance of detected malware, every attempt to disinfect files and systems, every file quarantine, and every antivirus signature or software update. Spyware protection and other types of malware protection (such as rootkit detection programs) are also common sources of security information.
Many of the logs in an organization contain records of computer security events occurring on its systems and networks. For example, most organizations use multiple types of security software (such as antivirus software, firewalls, and intrusion prevention systems) to detect malicious activity and protect systems and data from harm. Security software is often the main source of computer security logs. Operating systems on servers, workstations, and network devices usually record various kinds of security-related information, such as system events and audit records. Another common log generator is the application, which can send information to the OS logs or to application-specific logs.
An incident must first be detected before it can be resolved. This is the first step of incident response, and attacks are usually detected by computer users, administrators, or security detection software. When an event occurs, it is usually logged to record the nature of the attack, the date and time the event occurred, the affected program, and the person who reported the event. When the incident response team receives the event log, the action the team takes is called the initial response. The people involved in event identification take part in this step. This phase includes gathering information about the incident, organizing the strategy team, and planning the next phase of action.
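As an added illustration (not part of the original text), the following Python script shows how the security software and OS logs described above can be turned into the event record the response team receives: each security-relevant line is normalized into the four fields named here (nature of the attack, date and time, affected program, reporter), while routine entries are dropped. The log lines, their format, and the product names are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log lines (not from any real product): an antivirus
# detection, an OS audit failure, and a routine application entry that
# should not become an incident.
SAMPLE_LOGS = [
    "2024-03-02T09:15:04Z av[1203]: DETECTED Trojan.GenericKD in "
    "C:\\Users\\alice\\dl\\invoice.exe action=quarantined reported_by=alice",
    "2024-03-02T09:16:30Z auditd[411]: AUTH_FAIL user=svc_backup "
    "program=sshd reported_by=system",
    "2024-03-02T09:17:00Z app[88]: INFO request served path=/health",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\w+)\[\d+\]: (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
AV_RE = re.compile(r"DETECTED (?P<name>\S+) in (?P<path>\S+)")


@dataclass
class IncidentRecord:
    nature: str            # what kind of attack or event was seen
    occurred_at: datetime  # date and time taken from the log line
    affected_program: str  # program or file involved
    reported_by: str       # who or what reported the event
    source: str            # which log produced the record


def parse_line(line):
    """Return an IncidentRecord for a security-relevant line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    kv = dict(KV_RE.findall(m["msg"]))  # key=value pairs in the message
    reporter = kv.get("reported_by", "unknown")
    if m["src"] == "av":
        av = AV_RE.search(m["msg"])
        if av:
            return IncidentRecord(f"malware detected: {av['name']}", ts,
                                  av["path"], reporter, "antivirus")
    elif m["src"] == "auditd" and m["msg"].startswith("AUTH_FAIL"):
        return IncidentRecord("authentication failure", ts,
                              kv.get("program", "unknown"), reporter, "os audit")
    return None  # routine entries are not incidents


def triage(lines):
    """Build the event log the response team receives from raw log lines."""
    return [r for r in (parse_line(l) for l in lines) if r is not None]
```

Running triage(SAMPLE_LOGS) yields two records, one from the antivirus log and one from the OS audit log; the application health-check line is discarded.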