Iwrote a diary a while back about process maturity called Countdown to Tuesday, using peoples patching processes as an example. Iwant to use this diary as a catalyst to understand how people tell their boss, or indeed their CxO level managers how well, or badly they are doing with security response.
Incident Response is a classic example of where your ability to respond needs to be measured, and your success or failure at doing the response presented to the powers that be.
Given that we have some key steps during our incident lifecycle, we can look at gathering data, performing analysis and then producing reports based on that data. The SANSincident response lifecycle is based on PICERL short for Preparation, Identification,. Containment, Eradication, Recovery and Lessons learned.
So when your incident response process is triggered, we have clearly entered the identification phase. But how do you keep track of when you enter containment, or Eradication, or indeed Recovery.
If you could measure between when an incident happened, and when it was identified you have a metric which shows how good your security monioring is. If you come up with the metric of how quickly you go from Identification to Containment you can then show how well your team is working. If you can work out your mean time to achieve something then you can identify and focus in on steps in your process where it went wrong, or didnt operate effectively. You can trend, and produce further statistics showing the cost of the incident if your business has an average cost for being unable to do business.
But we're getting ahead of ourselves here. How do you record this information? Drop me a note via the contact form, and i'll add it to my next diary on how you could do it using free tools, some scripts, and allow you to produce statistics you'll want to present.
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.