How could I have handled my colleagues unavailability during security incident response better?
I work as a security engineer / security analyst on the IT Security team at my workplace. One of my core job duties is triaging, remediating/containing, and, as necessary, escalating security incidents.
This afternoon I was researching some anomalous traffic from our SIEM and IDS systems. There were some alerts that I could not adequately resolve or confidently dismiss as non-issues, due to lack of knowledge of some applications we own. It just happens the two colleagues whom I could have asked were not available, one on vacation and the other sick. I wanted to respect their time off, and so did not contact them.
Due to there being a potential security incident going on, the situation was very fluid, and I really felt my lack of complete knowledge of, and visibility into, the workings of the applications where the alerts were coming from hindered my ability to respond effectively. My manager was in a meeting and not immediately available to assist.
In the end, I documented my actions and analysis and provided my manager with my interpretation of the log files, and he completed the incident handling. I realize that long term this may be a management issue, in that there is a need for greater cross-training across team members. However:
Questions:
1. In such a fluid situation demanding a quick response, but for which I did not have full knowledge to respond fully and effectively, how could I have responded better without reliance on my manager?
2. Given I am in a senior role, how can I best justify the cost of additional cross-training to management? How can a proposal to management be made more concrete?
security
What has been your manager's response to the incident? Were they happy with how you handled it? Is there a documented escalation procedure for this scenario?
– Gregory Currie
20 mins ago
@Gregory Currie, he was satisfied with what I did, given the information constraints. We do have a robust incident response policy approved by SecOps management and the CISO, but that document is very high level and does not contain guidance on specific situations such as today's.
– Anthony
11 mins ago
At the very least, the escalation policy should include what should happen if there is an incident, and the SA is unable to triage due to lack of knowledge. Getting that sorted is a good first step. If part of the escalation policy is to escalate up the chain, that is what you do, and your question becomes moot. Obviously you want to improve your knowledge so this particular scenario doesn't arise so much.
– Gregory Currie
1 min ago
asked 21 mins ago
Anthony