Identification
Simply put: you need to detect an incident before you can respond to it.
It is possible to set up your own SIEM on a shoestring budget. You "just" need someone to maintain it, gather the logging and respond to the incidents it raises. What it comes down to, again, is the risk appetite of the organization, the budget and the compliance needs. Do you need 24/7 protection? Where do you expect most of your threats to come from? Who do you expect most of your threats to come from? Whatever you choose, incident response starts with an alert, whether it comes from a system or from an external notification. For smaller companies, knowing who is responsible for what might be the most important thing during an incident, especially if you have several suppliers. You need to know when you can call them, what hours they operate and what help they can provide, but you might also need to inform them of an incident.
For larger companies, internal communication will be a big priority. Where can employees report an incident? What exactly is an incident and what isn't?
Examples
Here are several examples that might help you to understand this step better.
An employee has their bag stolen with their phone and laptop inside. Do you manage these devices? Can you erase them remotely? Are you going to assist the employee with filing a police report? Is the laptop disk encrypted? Are you going to reset the employee's accounts? Is the data on their device backed up? Do you need to notify customers? Could there be a data leak? What was on the computer?
It is Friday, 16:50 and your detection alerts that someone clicked a phishing link. You get these alerts a lot and usually it's nothing. The employee who clicked the link went home early so you can't ask. (Is 2FA configured? What is your risk appetite? What type of link did they click and can you analyze the incident?)
You find out that a lot of data gets transferred on USB drives that are lying around the office. Is this an acceptable risk? What data are you allowed to transfer this way? Where do you report this as a possible issue or risk?