DEIDRE - The process of addressing security incidents

2017-02-26

What does a company do when a security incident happens? How do they react? What is the process that they follow to resolve the issue and ensure that it doesn't happen again?

Below I outline a process I have adopted to identify, resolve and document a security incident.

The process is known as DEIDRE, an acronym which stands for:

  • Discovery
  • Escalation
  • Investigation
  • Documentation
  • Remediation
  • Education

1. Discovery

This is the initial phase of identifying the incident. Record how it was discovered: was it reported by a third party, was it discovered by a customer, or was it found by an internal engineer doing routine testing? The source of the report is the first entry in the incident record and often determines how quickly the issue needs to move through the remaining phases.

2. Escalation

Immediately after the incident has been discovered it needs to be escalated to senior management. This should be done for every incident, small or large, so that management can assess whether it is an issue worth addressing and triage it accordingly. The decision to deprioritise an incident should be made deliberately and recorded, not left to whoever happened to find it.

3. Investigation

While the escalation is happening, the team responsible for responding to the incident needs to understand the new attack surface. Was this issue already known to us and considered a low priority? If it is a brand new issue, how long has it potentially been exposed? How many clients are affected by it?

4. Documentation

When people think of documentation they usually think of long white papers. In this case documentation refers to recording the incident itself and the work required to fix it, so that there is an audit trail of what happened, when it was found, who was involved and what was changed.

5. Remediation

This is the process of deploying a fix. The reason the fix comes so late in the process is that you need to ensure the audit trail records exactly how the issue occurred along with the solution. Quick, unrecorded changes can destroy evidence (logs, affected configuration, the state of a compromised host) that you need for later analysis, and thus affect the accuracy of what you report to your stakeholders and clients.

6. Education

This phase involves defining the resolution and answering the questions that arise during a security incident: How? Why? When? And most importantly, what mitigations have been put in place to prevent it recurring? The answers to these questions should be categorised, documented and shared across the teams involved, including management, stakeholders and clients. By doing this you can show all those involved that the root cause has been understood and addressed, rather than just the symptom.