The present invention may be implemented as a module to be added to an existing incident management system. For example, one such incident management system, to which the embodiments described herein may be added, is the DF Labs IncMan Suite, which is an incident management system that enables management of many kinds of information security incidents. This Suite is described in the IncMan Suite v. 2.2.3 User Manual, published by DF Labs, which manual is hereby incorporated herein by reference in its entirety.
The IncMan Suite supports the entire incident management process for every type of incident, including cybersecurity incidents, by supporting digital forensics, case management, and incident response. Although the modules of the IncMan Suite are designed to ensure maximum integration, customers can choose to use only the modules that most appropriately cover their needs.
The forensics and response section of the IncMan Suite is composed of two modules: the incident manager and the digital investigation manager.
The incident manager module (“IMAN”) of the IncMan Suite manages and tracks security incidents during incident response operations, and manages information related to the response to an incident. This tool covers all aspects of incident assessment, whether simple or complex. The incident manager module provides support for tracking incidents coming from external sources, including security alerts in syslog format, for creating a case related to the incident, for managing all information and data related to the case, including task assignments, and for generating incident reports compliant with rigorous security standards. (The “case” is a sort of virtual container for an incident that allows the user to assemble, organize, and catalog elements that are part of digital forensic operations or incident response.) The incident manager allows the insertion of dozens of different items of information related to an incident, organized according to theme areas: hosts involved in the incident; methods used to perpetrate the attack; identification of the assets involved and the respective economic impacts; attachments such as log files, reports produced by the security software, and other information; actions taken or to be taken for the resolution or containment of the incident; and the point of contact for coordination of operations.
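The ingestion path described above (syslog-format security alerts arriving from an external source, opened as a case and filed under the theme areas listed) can be illustrated with the following Python sketch. It is an added example written for this page, not code from DF Labs or the IncMan Suite; the RFC 3164 line layout, the `key=value` alert fields, the severity threshold and the sample lines are all constructed assumptions.

```python
"""Added example (not DF Labs / IncMan code): parse syslog-format security
alerts and open a case record organised by the theme areas in the text."""
import re
from dataclasses import dataclass, field

# Constructed sample alerts in classic BSD syslog (RFC 3164) layout.
SAMPLE_SYSLOG = """\
<34>Mar 12 10:15:01 fw01 ids[4121]: ALERT src=203.0.113.7 dst=10.0.0.5 sig=ET_SCAN_Nmap
<38>Mar 12 10:15:03 web01 sshd[2210]: Accepted publickey for deploy from 10.0.0.9
<34>Mar 12 10:16:44 fw01 ids[4121]: ALERT src=203.0.113.7 dst=10.0.0.8 sig=ET_WEB_SERVER_SQLi
"""

# <PRI>TIMESTAMP HOST APP[PID]: MESSAGE  (assumed line format)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


@dataclass
class Alert:
    facility: int
    severity: int      # 0 = emergency ... 7 = debug (RFC 3164 PRI encoding)
    timestamp: str
    host: str
    app: str
    message: str
    fields: dict       # key=value pairs carried in the message body
    raw: str


def parse_syslog(line: str) -> Alert:
    """Decode one RFC 3164 line; PRI packs facility*8 + severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not RFC 3164 syslog: {line!r}")
    pri = int(m["pri"])
    kv = dict(re.findall(r"(\w+)=(\S+)", m["msg"]))
    return Alert(pri // 8, pri % 8, m["ts"], m["host"], m["app"].strip(),
                 m["msg"], kv, line)


@dataclass
class Case:
    """Virtual container for one incident, split by theme area."""
    case_id: str
    hosts: set = field(default_factory=set)          # hosts involved
    methods: set = field(default_factory=set)        # methods used (signatures)
    assets: dict = field(default_factory=dict)       # asset -> economic impact
    attachments: list = field(default_factory=list)  # raw log lines, reports
    actions: list = field(default_factory=list)      # (task, assignee, done)
    contact: str = ""                                # point of contact


def security_alerts(text: str, max_severity: int = 3) -> list:
    """Keep lines at severity 'error' (3) or worse; drop routine notices."""
    alerts = [parse_syslog(l) for l in text.splitlines() if l.strip()]
    return [a for a in alerts if a.severity <= max_severity]


def open_case(case_id: str, alerts: list, contact: str, assignee: str) -> Case:
    """File each alert under the theme areas and assign the first task."""
    case = Case(case_id, contact=contact)
    for a in alerts:
        case.hosts.add(a.host)                       # reporting sensor
        for key in ("src", "dst"):                   # endpoints named in the alert
            if key in a.fields:
                case.hosts.add(a.fields[key])
        if "sig" in a.fields:
            case.methods.add(a.fields["sig"])
        case.attachments.append(a.raw)
    # Initial containment task, assumed workflow; economic impact is filled in
    # later by the analyst once the affected assets are identified.
    case.actions.append(("Assess and contain affected hosts", assignee, False))
    return case


if __name__ == "__main__":
    c = open_case("INC-0001", security_alerts(SAMPLE_SYSLOG), "soc@example.test", "analyst1")
    print(sorted(c.hosts), sorted(c.methods), len(c.attachments), c.actions)
```

The severity filter is the point worth noting: a sensor that emits every event at the same facility still lets the ingest step distinguish an `ALERT` (severity 2) from an informational login notice (severity 6), so the case only accumulates the lines an analyst would actually need to attach.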
The digital investigation manager module (“DIM”) of the IncMan Suite manages digital evidence, and is designed to be used for managing information gathered during a forensics operation. The digital investigation manager supports investigators in performing case management, preparing notes, tracking evidence and records, creating clones of evidence with automatic upload of acquisition data, snapshots, and bookmarks, and generating chain of custody reports. This module can import data from all of the common computer forensic tools. The digital investigation manager module is designed to be used in information technology and investigative environments during incident response and forensic acquisition. This module enables the user to catalog all of the relevant information gathered and to generate reports. The digital investigation manager allows operations to be organized by case. Each case may contain an unlimited number of hosts (workstations, servers, laptops, etc.). Items of evidence are associated with each host (hard disk, optical disk, etc.). The digital investigation manager module makes it possible to describe the destination media and tools used in making forensic copies of the original stored media, as well as the log files generated by common computer forensic tools. One example of a digital investigation manager, which may be a module of existing incident management systems to which the embodiments described herein may be added, is described in Forte, U.S. patent application Ser. No. 11/784,794, filed Apr. 10, 2007, and published as US Patent Publication 2008/0098219, which is hereby incorporated herein by reference in its entirety.
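The case / host / evidence hierarchy and the chain-of-custody reporting described above can be illustrated with the following Python sketch. It is an added example written for this page, not code from DF Labs or the digital investigation manager; the record layout, the use of SHA-256 to tie a forensic copy to its original, and the constructed image bytes are all assumptions.

```python
"""Added example (not DF Labs / IncMan code): case -> host -> evidence model
with a chain-of-custody log.  Registering a forensic clone re-hashes the copy
and refuses to record it when it does not match the acquired original."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Evidence:
    label: str                                      # e.g. "hard disk", "optical disk"
    sha256: str                                     # hash of the acquired image
    custody: list = field(default_factory=list)     # (when, who, action, detail)
    clones: list = field(default_factory=list)      # destination media + tool used


@dataclass
class Host:
    name: str
    kind: str                                       # workstation, server, laptop, ...
    evidence: dict = field(default_factory=dict)    # label -> Evidence


@dataclass
class Case:
    case_id: str
    hosts: dict = field(default_factory=dict)       # name -> Host (unbounded count)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def log_custody(ev: Evidence, who: str, action: str, detail: str = "") -> None:
    ev.custody.append((datetime.now(timezone.utc).isoformat(), who, action, detail))


def acquire(case: Case, host_name: str, host_kind: str, label: str,
            image: bytes, examiner: str) -> Evidence:
    """Attach a newly acquired item of evidence to a host in the case."""
    host = case.hosts.setdefault(host_name, Host(host_name, host_kind))
    ev = Evidence(label, sha256_of(image))
    host.evidence[label] = ev
    log_custody(ev, examiner, "acquired", f"sha256={ev.sha256}")
    return ev


def register_clone(ev: Evidence, clone: bytes, dest_media: str,
                   tool: str, examiner: str) -> bool:
    """Record a forensic copy only if its hash matches the original."""
    digest = sha256_of(clone)
    if digest != ev.sha256:
        log_custody(ev, examiner, "clone rejected",
                    f"{dest_media} via {tool}: hash mismatch {digest[:12]}...")
        return False
    ev.clones.append({"media": dest_media, "tool": tool, "sha256": digest})
    log_custody(ev, examiner, "cloned", f"{dest_media} via {tool}")
    return True


def custody_report(case: Case) -> str:
    """Flat text report: one line per evidence item, one per custody event."""
    out = []
    for host in case.hosts.values():
        for ev in host.evidence.values():
            out.append(f"{case.case_id} / {host.name} ({host.kind}) / "
                       f"{ev.label} sha256={ev.sha256}")
            for when, who, action, detail in ev.custody:
                out.append(f"  {when}  {who:<10} {action:<15} {detail}")
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed image content standing in for a disk acquisition.
    image = b"constructed disk image bytes"
    case = Case("CASE-42")
    ev = acquire(case, "ws-17", "workstation", "hard disk", image, "examiner1")
    register_clone(ev, image, "external HDD #3", "dd", "examiner1")
    register_clone(ev, image + b"\x00", "external HDD #4", "dd", "examiner1")
    print(custody_report(case))
```

The rejected clone is deliberately kept in the custody log rather than silently dropped: a chain-of-custody report has to show every handling event, including the copy that failed verification, so the examiner can explain what happened to the media later.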
The “ITILity” module of the IncMan Suite is built on the Information Technology Infrastructure Library (ITIL) framework, which is a set of best practices for the management of IT operations and IT incidents. This troubleshooting and help desk module is available for companies that also need to manage IT incidents under the ITIL standard.
The compliance and risk manager module (CoRM) of the IncMan Suite is a module to enforce, track, document, and support compliance with IT regulations, in order to achieve conformity with the law and maintain a secure and productive business. With the compliance and risk manager module it is possible to upload all relevant compliance documents, create hierarchies of controls built on the compliance documents, assign controls to the various assets in an organization, create assessments on the various controls and assets, assign these assessments to the relevant responsible persons in the organization, and track their answers. The compliance and risk manager module provides a centralized repository for tracking compliance levels and managing risks related to an organization's assets.