Home > Articles > Operating Systems, Server > Solaris

  • Print
  • + Share This
Like this article? We recommend

Authenticating, Preserving, and Analyzing Incident Data

These activities for processing incident data will be discussed in detail in the next article in the series, "Responding to a Customer's Security Incidents—Part 4: Processing Incident Data." In this section, brief overviews are given.

As a general rule, all criminals leave evidence behind. Authentication means that evidence you have collected during and/or after an incident must be proven to be the same as what was left behind. In practice, both proof of integrity and time stamping are provided by calculating a value that represents an electronic footprint.

Any evidence that can be used in the court of law must be preserved with extra care and security. The assigned geo-based security officers and the worldwide security manager should consult the corporate security and legal departments for the incident servicing enterprise to review the evidence.

When the time comes for analyzing the data, there is a whole range of actions and processes a VCSIRT can execute depending on the time available to analyze events thoroughly and to disclose the outcomes to its constituent customers and to other teams. The decision as to the level of analysis to be conducted lies with the team, yet the affected customer must be consulted by the VCSIRT before making a decision.

An initial broad analysis (which might include cursory forensics) must precede detailed analysis because it helps to understand which response plan to follow. You can branch out on a Denial of Service or Unauthorized Access investigation and response plan, or others, depending on the conclusions reached from the broad analysis. The best practice should be to clearly demarcate the response plan so that team resources can be channeled in the right direction at appropriate times.

  • + Share This
  • 🔖 Save To Your Account