6. Sound the alarm: detection and response Flashcards
Computer security incident response teams (CSIRT)
specialized group of security professionals that are trained in incident management and response
Documentation
any form of recorded content that is used for a specific purpose
Endpoint detection and response EDR
application that monitors an endpoint for malicious activity
Event
observable occurrence on a network, system, or device
False negative
state where the presence of a threat is not detected
False positive
alert that incorrectly detects the presence of a threat
Incident
occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of info or an info system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies
Incident handler’s journal
form of documentation used in incident response
Incident response plan
document that outlines the procedures to take in each step of incident response
Intrusion detection system IDS
application that monitors system activity and alerts on possible intrusions
Intrusion prevention system IPS
application that monitors system activity for intrusive activity and takes action to stop the activity
National Institute of Standards and Technology NIST Incident Response Lifecycle
framework for incident response consisting of four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity
Playbook
manual that provides details about any operational action
Security information and event management SIEM
application that collects and analyzes log data to monitor critical activities in an org
Security operations center SOC
org unit dedicated to monitoring networks, systems, and devices for security threats or attacks
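Worked example (added here, not part of the original flashcards): the terms event, alert, false positive and false negative are easiest to tell apart when you watch a detection rule run. The script below applies an IDS-style brute-force rule to a handful of constructed authentication log lines and then grades its alerts against ground truth. The log format, IP addresses, user names, threshold and time window are all assumptions chosen for illustration.

```python
"""Added example (not from the original flashcards): a minimal detection
rule run over constructed log lines, showing how event, alert, false
positive and false negative relate. Log format, IPs, user names and the
rule's threshold/window are assumptions made for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> <result> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice src=10.0.0.5
2024-05-01T10:00:03 FAIL user=alice src=10.0.0.5
2024-05-01T10:00:04 FAIL user=alice src=10.0.0.5
2024-05-01T10:00:05 FAIL user=alice src=10.0.0.5
2024-05-01T10:00:06 FAIL user=alice src=10.0.0.5
2024-05-01T10:00:07 OK   user=alice src=10.0.0.5
2024-05-01T10:05:00 FAIL user=bob src=198.51.100.7
2024-05-01T10:05:01 FAIL user=bob src=198.51.100.7
2024-05-01T10:05:02 FAIL user=bob src=198.51.100.7
2024-05-01T10:05:03 FAIL user=bob src=198.51.100.7
2024-05-01T10:05:04 FAIL user=bob src=198.51.100.7
2024-05-01T10:05:05 FAIL user=bob src=198.51.100.7
2024-05-01T10:20:00 FAIL user=carol src=203.0.113.9
2024-05-01T10:21:00 FAIL user=dave src=203.0.113.9
2024-05-01T10:22:00 FAIL user=erin src=203.0.113.9
2024-05-01T10:23:00 OK   user=erin src=203.0.113.9
"""

# Ground truth for the constructed data, as an analyst would establish it
# after investigation: 10.0.0.5 is alice mistyping her own password (benign),
# 198.51.100.7 is a brute-force attempt, 203.0.113.9 is a slow password spray.
GROUND_TRUTH = {"10.0.0.5": False, "198.51.100.7": True, "203.0.113.9": True}


def parse_events(text):
    """Each log line is an event: an observable occurrence on the system."""
    events = []
    for line in text.splitlines():
        ts, result, user, src = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "result": result,
            "user": user.split("=", 1)[1],
            "src": src.split("=", 1)[1],
        })
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """IDS-style rule: alert on a source IP with at least `threshold` failed
    logins inside a sliding `window`. Returns the set of alerted source IPs."""
    failures = defaultdict(list)
    alerted = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["result"] != "FAIL":
            continue
        recent = failures[ev["src"]]
        recent.append(ev["time"])
        # Drop failures that have aged out of the window.
        recent[:] = [t for t in recent if ev["time"] - t <= window]
        if len(recent) >= threshold:
            alerted.add(ev["src"])
    return alerted


def evaluate(alerted, truth):
    """Grade alerts against ground truth. A false positive is an alert on a
    benign source; a false negative is a malicious source that got no alert."""
    tp = {ip for ip, bad in truth.items() if bad and ip in alerted}
    fp = {ip for ip, bad in truth.items() if not bad and ip in alerted}
    fn = {ip for ip, bad in truth.items() if bad and ip not in alerted}
    return {"true_positive": tp, "false_positive": fp, "false_negative": fn}


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    alerts = detect_brute_force(events)
    print(evaluate(alerts, GROUND_TRUTH))
```

With the default rule (5 failures in 1 minute) the run alerts on both 10.0.0.5 and 198.51.100.7: the brute force is a true positive, alice's typos are a false positive, and the slow spray from 203.0.113.9 (one failure per minute, never five in a window) is a false negative. Raising the threshold to 6 removes the false positive but does nothing for the false negative, which is why tuning a single rule is never the whole answer; a spray like this needs a different rule (many distinct users from one source), which is the kind of correlation a SIEM is there to do.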