How could I have handled my colleagues' unavailability during security incident response better?

I work as a security engineer / security analyst on the IT Security team at my workplace. One of my core job duties is triaging, remediating / containing, and, as necessary, escalating security incidents.

This afternoon I was researching some anomalous traffic from our SIEM and IDS systems. There were some alerts that I could not adequately resolve or confidently dismiss as non-issues, due to lack of knowledge of some applications we own. It just happens that the two colleagues whom I could have asked were not available, one on vacation and the other sick. I wanted to respect their time off, and so did not contact them.

Due to there being a potential security incident going on, the situation was very fluid, and I really felt my lack of complete knowledge of and visibility into the workings of the applications where the alerts were coming from hindered my ability to respond effectively. My manager was in a meeting and not immediately available to assist.

In the end, I documented my actions and analysis and provided my manager with my interpretation of the log files, and he completed the incident handling. I realize that long term this may be a management issue, in that there is a need for greater cross-training across team members. However:

Questions:

  • In such a fluid situation demanding a quick response, but for which I did not have the full knowledge to respond fully and effectively, how could I have responded better without reliance on my manager?

  • Given I am in a senior role, how can I best justify the cost of additional cross-training to management? How can a proposal to management be made more concrete?










security

asked 21 mins ago by Anthony (6,336 reputation, 16 silver badges, 62 bronze badges)

  • What has been your manager's response to the incident? Were they happy with how you handled it? Is there a documented escalation procedure for this scenario?

    – Gregory Currie
    20 mins ago

  • @Gregory Currie, he was satisfied with what I did, given the information constraints. We do have a robust incident response policy approved by SecOps management and the CISO, but such a document is very high level and does not contain guidance on specific situations such as today's.

    – Anthony
    11 mins ago

  • At the very least, the escalation policy should include what should happen if there is an incident and the SA is unable to triage due to lack of knowledge. Getting that sorted is a good first step. If part of the escalation policy is to escalate up the chain, that is what you do, and your question becomes moot. Obviously you want to improve your knowledge so this particular scenario doesn't arise so much.

    – Gregory Currie
    1 min ago
















