Presentation 1.7

This document provides an overview of various incident response management tools categorized by their primary functions. These include log analysis, intrusion detection, network analysis, vulnerability scanning, availability monitoring, web proxies, asset inventory, threat intelligence, data capture and forensics, system backup and recovery, patch management, and security awareness training tools. Examples of specific tools are provided for each category.

Uploaded by Kannan
Incident response management tools
Log Analysis, Log Management, SIEM
• Logs are your richest source for understanding what is going on in your
network, but raw logs are only useful if something collects, normalizes and
correlates them; that is what log analysis and SIEM tooling is for.
• OSSIM (Open Source Security Information Management, from AlienVault)
Intrusion Detection Systems (IDS), Network & Host-based
• IDSes (HIDS and NIDS) monitor server and network activity in real time
and typically use attack signatures or behavioural baselines to raise an
alert when known attacks or suspicious activity occur on a host (HIDS) or
on the network (NIDS). Signatures catch what is already known; baselines
catch deviations from normal, at the cost of more tuning.
• Snort
• Suricata
• Bro IDS (now Zeek)
• OSSEC
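To make the signature-versus-baseline distinction concrete, the following is an added example, not code from Snort, Suricata, Zeek, OSSEC or OSSIM: a few constructed sshd log lines are run through two signature rules (a single event is enough to fire) and one baseline rule (a failure count per source address that exceeds an assumed normal rate). The rule names, the threshold of four failures and the sample lines are all assumptions made for this illustration.

```python
"""Signature plus baseline detection over constructed sshd log lines.

Added illustration for the log analysis and IDS sections; it is not code
from Snort, Suricata, Zeek, OSSEC or OSSIM. Rule names, the failure
threshold and the sample lines are assumptions made for this example.
"""
import re
from collections import defaultdict

# Constructed syslog-style sshd messages; no real host produced these.
SAMPLE_LOG = """\
Mar 10 10:00:01 web01 sshd[2111]: Failed password for root from 198.51.100.7 port 52113 ssh2
Mar 10 10:00:02 web01 sshd[2112]: Failed password for root from 198.51.100.7 port 52114 ssh2
Mar 10 10:00:03 web01 sshd[2113]: Failed password for admin from 198.51.100.7 port 52115 ssh2
Mar 10 10:00:04 web01 sshd[2114]: Failed password for invalid user oracle from 198.51.100.7 port 52116 ssh2
Mar 10 10:00:05 web01 sshd[2115]: Failed password for root from 198.51.100.7 port 52117 ssh2
Mar 10 10:00:06 web01 sshd[2116]: Accepted password for root from 198.51.100.7 port 52118 ssh2
Mar 10 10:01:00 web01 sshd[2120]: Accepted publickey for deploy from 10.0.0.12 port 41000 ssh2
Mar 10 10:02:00 web01 sshd[2121]: Failed password for alice from 10.0.0.30 port 41001 ssh2
Mar 10 10:02:05 web01 sshd[2122]: Accepted password for alice from 10.0.0.30 port 41002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse(log_text):
    """Turn raw lines into dicts; lines that do not match the pattern are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


# Signature rules: a single event is enough to fire, like an IDS signature.
SIGNATURES = {
    "root-password-login": lambda e: e["outcome"] == "Accepted"
    and e["user"] == "root" and e["method"] == "password",
    "invalid-user-attempt": lambda e: e["invalid"] is not None,
}

# Baseline rule: an assumed normal rate of failed logins per source address.
# Reaching this many failures fires an alert; a later success from the same
# source is escalated, because that is what a completed brute force looks like.
FAIL_THRESHOLD = 4


def detect(events):
    """Run the signature rules and the failure-rate baseline over events in log order."""
    alerts = []
    failures = defaultdict(int)
    for e in events:
        for name, matches in SIGNATURES.items():
            if matches(e):
                alerts.append({"rule": name, "src": e["src"], "user": e["user"]})
        if e["outcome"] == "Failed":
            failures[e["src"]] += 1
            if failures[e["src"]] == FAIL_THRESHOLD:
                alerts.append({"rule": "auth-failure-burst", "src": e["src"], "user": e["user"]})
        elif failures[e["src"]] >= FAIL_THRESHOLD:
            alerts.append({"rule": "success-after-failure-burst", "src": e["src"], "user": e["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Note what each rule type catches: the signatures fire on the "invalid user" probe and on the root password login regardless of what came before, while the baseline only fires once 198.51.100.7 crosses the assumed threshold, and the single failure from 10.0.0.30 (a user mistyping a password) produces no alert at all.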
Network Analysis (NetFlow)
• NetFlow analyzers examine flow records exported by routers and switches,
within the network and across the border gateways too. A flow record
captures who talked to whom, over which protocol and port, when, and how
much data moved, but not the packet contents. If you are tracking a
particular thread of activity, or just getting a proper idea of what
protocols are in use on your network and which assets are communicating
amongst themselves, NetFlow is an excellent approach.
• ntop
• NfSen
• nfdump
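The questions the paragraph above lists (which protocols are in use, which assets talk to each other, which thread of activity stands out) are all answered from flow records without any payload. The following is an added example, not code from ntop, NfSen or nfdump: it summarizes a constructed set of flows into top talkers, a protocol and port breakdown, internal-to-external peers, and candidate beacons whose inter-flow timing is suspiciously regular. The six-field record layout is a simplification of a flow record rather than nfdump's native format, and the internal address range, thresholds and records are assumptions.

```python
"""Summarize constructed flow records: top talkers, protocol mix, external peers, beacons.

Added illustration for the NetFlow section; it is not code from ntop, NfSen
or nfdump, and the six-field record layout is a simplification, not nfdump's
native format. The internal range, thresholds and records are assumptions.
"""
import ipaddress
import statistics
from collections import Counter, defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal address space

# Constructed flows: (start seconds, src, dst, proto, dst port, bytes).
FLOWS = [
    (0,    "10.0.0.5",  "203.0.113.9",   "TCP", 443,  612),
    (300,  "10.0.0.5",  "203.0.113.9",   "TCP", 443,  608),
    (600,  "10.0.0.5",  "203.0.113.9",   "TCP", 443,  615),
    (900,  "10.0.0.5",  "203.0.113.9",   "TCP", 443,  610),
    (1200, "10.0.0.5",  "203.0.113.9",   "TCP", 443,  611),
    (15,   "10.0.0.12", "10.0.0.20",     "TCP", 5432, 48000),
    (410,  "10.0.0.12", "10.0.0.20",     "TCP", 5432, 52000),
    (1100, "10.0.0.12", "10.0.0.20",     "TCP", 5432, 47000),
    (33,   "10.0.0.30", "198.51.100.50", "TCP", 80,   9000),
    (70,   "10.0.0.30", "198.51.100.50", "TCP", 80,   12000),
    (640,  "10.0.0.30", "198.51.100.50", "TCP", 80,   3000),
    (1000, "10.0.0.30", "198.51.100.50", "TCP", 80,   15000),
    (5,    "10.0.0.5",  "10.0.0.53",     "UDP", 53,   120),
    (305,  "10.0.0.5",  "10.0.0.53",     "UDP", 53,   118),
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def top_talkers(flows, n=3):
    """Total bytes sent per source address, largest first."""
    by_src = Counter()
    for _, src, _, _, _, nbytes in flows:
        by_src[src] += nbytes
    return by_src.most_common(n)


def protocol_breakdown(flows):
    """Flow count per (proto, dst port): a quick view of what is actually in use."""
    return Counter((proto, dport) for _, _, _, proto, dport, _ in flows)


def external_peers(flows):
    """Internal hosts talking to addresses outside the internal ranges."""
    return {(src, dst) for _, src, dst, _, _, _ in flows
            if is_internal(src) and not is_internal(dst)}


def beacon_candidates(flows, min_flows=4, max_jitter=0.1):
    """Flag (src, dst, proto, port) tuples whose gaps between flows are nearly constant.

    A low coefficient of variation of the inter-flow gaps is the classic
    shape of a scheduled check-in; humans browsing do not produce it.
    """
    groups = defaultdict(list)
    for ts, src, dst, proto, dport, _ in flows:
        groups[(src, dst, proto, dport)].append(ts)
    found = []
    for key, times in groups.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found.append((key, round(mean)))
    return found


if __name__ == "__main__":
    print("top talkers:", top_talkers(FLOWS))
    print("protocols:", protocol_breakdown(FLOWS))
    print("external peers:", external_peers(FLOWS))
    print("beacon candidates:", beacon_candidates(FLOWS))
```

The largest talker here (the database client on 10.0.0.12) is the least interesting; the small, perfectly periodic flows from 10.0.0.5 to an external address every 300 seconds are what the beacon check surfaces, which is exactly the kind of thread a byte-count view would bury.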
Vulnerability Scanners
• Vulnerability scanners identify potential areas of risk (unpatched
software, weak configurations, exposed services) and help to assess the
overall attack surface of an organization, so that remediation tasks can be
prioritized and implemented.
• OpenVAS
Availability Monitoring
• A central goal of incident response is to minimize impact, and downtime
is the most visible form of impact. Make sure that you have availability
monitoring in place, because an application or service outage could be the
first sign of an incident in progress.
• Nagios
Web Proxies
• Web proxies are thought of as being purely for controlling access to
websites, but their ability to log what is being connected to is vital. So
many modern threats operate over HTTP and HTTPS that being able to log not
only the remote IP address, but the nature of the HTTP connection itself
(method, URL, user agent, bytes transferred), can be vital for forensics and
threat tracking. One caveat for HTTPS: without TLS interception the proxy
sees only the CONNECT request, so it logs the destination host and port but
not the URL path or content.
• Squid Proxy
• IPFire
Asset Inventory
• In order to know which events to prioritize, you'll need an understanding
of the list of critical systems in your network and what software is
installed on them. Essentially, you need to understand your existing
environment to evaluate incident criticality as part of the Orient/Triage
process. The best way to do this is to have an automated asset discovery and
inventory that you can update when things change (and as we know, that's
inevitable).
• OCS Inventory
Threat Intelligence / Security Research
• Threat intelligence gives you global information about threats in the real
world. Things like indicators of compromise (IoCs), IP addresses and domains
with a bad reputation, command-and-control servers and more can be applied
against your own logs and network assets to provide full context for the
threat.
• AlienVault OTX
• AlienVault Labs
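The web proxy, asset inventory and threat intelligence sections above describe three data sets that only become useful when joined: proxy logs say what each host connected to, the indicator feed says which destinations are known bad, and the inventory says how much a hit on a given host matters. The following is an added example, not code from Squid, OCS Inventory or AlienVault OTX, that performs that join. The log lines follow Squid's native access.log field order but are constructed; the indicator set, the inventory and the criticality weights are assumptions for the illustration.

```python
"""Apply threat-intelligence indicators to proxy logs and rank hits by asset criticality.

Added illustration for the web proxy, asset inventory and threat
intelligence sections; it is not code from Squid, OCS Inventory or
AlienVault OTX. The log lines follow Squid's native access.log layout but
are constructed, and the indicators, inventory and weights are assumptions.
"""
from urllib.parse import urlsplit

# Constructed Squid native access.log lines, field order:
# time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
1710064800.101    230 10.0.0.5 TCP_MISS/200 1532 GET http://updates.example-cdn.net/ok.bin - HIER_DIRECT/203.0.113.9 application/octet-stream
1710064830.412    120 10.0.0.30 TCP_TUNNEL/200 8421 CONNECT badhost.example:443 - HIER_DIRECT/198.51.100.77 -
1710064860.900     40 10.0.0.12 TCP_MISS/200 512 GET http://10.0.0.20:8080/health - HIER_DIRECT/10.0.0.20 text/plain
1710064890.300    210 10.0.0.5 TCP_MISS/404 340 GET http://203.0.113.9/gate.php?id=1 - HIER_DIRECT/203.0.113.9 text/html
1710064920.007    100 10.0.0.30 TCP_MISS/200 5120 GET http://example.org/ - HIER_DIRECT/198.51.100.10 text/html
"""

# Constructed indicator set (the shape a feed such as OTX would provide).
IOCS = {
    "ips": {"203.0.113.9", "198.51.100.77"},
    "domains": {"badhost.example"},
}

# Constructed asset inventory keyed by client IP (what an inventory tool would provide).
INVENTORY = {
    "10.0.0.5": {"name": "hr-workstation-05", "criticality": "medium"},
    "10.0.0.12": {"name": "ci-runner-01", "criticality": "low"},
    "10.0.0.30": {"name": "dc01", "criticality": "critical"},
}
CRITICALITY_WEIGHT = {"critical": 3, "high": 2, "medium": 1, "low": 0}  # assumed ordering


def parse_squid_line(line):
    """Parse one native-format line; return None for anything malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    method, url = f[5], f[6]
    # CONNECT lines carry only host:port, so for HTTPS the proxy never sees the
    # path unless it intercepts TLS; the hostname is still enough to match on.
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(url).hostname
    peer = f[8].split("/", 1)[1] if "/" in f[8] else None
    return {"ts": float(f[0]), "client": f[2], "method": method,
            "host": host, "peer": peer, "url": url}


def match_iocs(entry, iocs):
    """Return the reasons an entry matched; an empty list means clean."""
    reasons = []
    if entry["host"] in iocs["domains"]:
        reasons.append(f"domain {entry['host']}")
    if entry["host"] in iocs["ips"]:
        reasons.append(f"ip {entry['host']}")
    # The resolved peer address catches a bad IP hiding behind a clean-looking hostname.
    if entry["peer"] in iocs["ips"] and entry["peer"] != entry["host"]:
        reasons.append(f"peer {entry['peer']}")
    return reasons


def hunt(log_text, iocs, inventory):
    """Match every log line against the indicators and order hits by asset criticality."""
    hits = []
    for line in log_text.splitlines():
        e = parse_squid_line(line)
        if e is None:
            continue
        reasons = match_iocs(e, iocs)
        if not reasons:
            continue
        asset = inventory.get(e["client"], {"name": "unknown", "criticality": "low"})
        hits.append({"ts": e["ts"], "client": e["client"], "asset": asset["name"],
                     "criticality": asset["criticality"], "url": e["url"],
                     "reasons": reasons})
    # Stable sort keeps log order within the same criticality tier.
    hits.sort(key=lambda h: -CRITICALITY_WEIGHT[h["criticality"]])
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_ACCESS_LOG, IOCS, INVENTORY):
        print(hit)
```

The first line is the instructive one: the hostname looks like an update CDN and would pass a domain-only check, but the peer address Squid recorded is on the indicator list. The ranking then puts the domain controller's CONNECT to a listed host ahead of the two workstation hits, which is the Orient/Triage decision the inventory exists to support.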
Data Capture & Incident Response Forensics Tools
• Data capture and incident response forensics tools form a broad category
that covers all types of media (e.g. memory forensics, database forensics,
network forensics, etc.). Incident response forensics tools examine digital
media with the aim of identifying, preserving, recovering, analyzing and
presenting facts and opinions about the digital information, all designed to
create a legal audit trail.
• SANS Investigative Forensic Toolkit (SIFT)
• The Sleuth Kit
System Backup & Recovery, Patch Management and Other Systems Management Tools
• System backup and recovery and patch management tools might be something
you've already got in place, but it's important to include them here since
an incident is when you'll likely need them most: recovery restores service,
and patching closes the hole that was used to get in.
• Opsi (Open PC Server Integration)
Security Awareness Training Tools and Programs
• Security awareness training tools and programs are an essential way to
improve your overall security posture and reduce the likelihood of
incidents.
• SANS' Securing the Human
