Network security can be described through several models. One of them is the Before-During-After model, which I will break out into three phases. Applied to incident and problem management in IT, this methodology plays an important role for IT teams.
Advanced persistent threats (APTs) and vulnerabilities increase exposure and risk, which in turn raises the likelihood of attacks and breaches, whether accidental or intentional. Every security design involves various tools, processes and people that are capable of implementing multiple lines of defense and containment.
Since security is designed as a solution, a solution-supported approach is essential during incident or problem management. Speed of detection and remediation is of utmost importance during such incidents.
Phase 1: Discover–Enforce–Harden
The Discover-Enforce-Harden stage is a state of “What is known”: what the planning involves, what we want to protect, and how to protect it. This stage should start with discovery and visibility, covering components such as users, equipment, operating systems, networks, endpoints, access controls, applications, and databases. Once the various components are identified, defining and enforcing policies at each level can be planned to suit the organization's requirements.
Enforcing control while retaining flexibility is of prime importance to ensure business continuity. Therefore, hardening all important components in the business environment to provide the first level of protection is a key part of the Before Phase.
The Before Phase involves immense planning, design and implementation. This is the time to identify and select the right tools for the job, with built-in automation and protection capabilities that keep pace with the latest threat trends, to secure the organization from threats, attacks and breaches. Essentially, this phase takes a prepared defensive approach by minimizing vulnerabilities.
Phase 2: Detect–Block–Defend
In this phase, threat agents are deployed on the network, intentionally or accidentally, by exploiting vulnerabilities in software and devices. Detecting these incidents is a challenging task that requires the right tools, documented observations, and knowledge of IT processes to identify suspicious deviations from the known baseline. Detecting attacks and breaches is not only an intelligent task but also a time-sensitive one.
Once the vulnerabilities are identified, the threat needs to be blocked by invoking the relevant methods and procedures. Some attacks can be blocked or safeguarded against, which may involve using specific tools or changing policy configurations, while other attacks have to be defended against to minimize the damage of the intrusion.
Once a breach has occurred, either Blocking or Defending actions need to be taken, weighing the tradeoff between availability of services and the impact of the risk. Furthermore, capturing information for forensics is also an important task.
The During Phase demands a strong operational capability: the right tools combined with the expertise of security professionals.
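To make the link between the Before and During phases concrete, here is an added example (not from the original article) that takes a constructed asset baseline from the Discover stage, flags connection-log lines that deviate from it, and preserves the raw lines per asset for the forensics and scoping work that follows. Host names, ports and log lines are all hypothetical.

```python
from collections import defaultdict

# Constructed baseline produced by the Discover phase (hypothetical assets):
# for each known host, the ports it is allowed to serve and the peers it may talk to.
BASELINE = {
    "web01": {"ports": {80, 443}, "peers": {"db01"}},
    "db01":  {"ports": {5432},    "peers": {"web01"}},
}

# Constructed connection log, one "<src> -> <dst>:<port> <action>" record per line.
LOG = """\
web01 -> db01:5432 allow
web01 -> db01:5432 allow
web01 -> ftp-ext:21 allow
lab-pc -> db01:5432 allow
web01 -> db01:22 deny
"""

def parse(line):
    src, _, rest, action = line.split()
    dst, port = rest.rsplit(":", 1)
    return src, dst, int(port), action

def detect(log, baseline=BASELINE):
    """Flag records that deviate from the discovered baseline (Detect step)."""
    alerts, evidence = [], defaultdict(list)
    for line in log.strip().splitlines():
        src, dst, port, action = parse(line)
        reasons = []
        if src not in baseline:
            reasons.append("unknown source host")
        if dst in baseline and port not in baseline[dst]["ports"]:
            reasons.append("unexpected destination port")
        if src in baseline and dst not in baseline[src]["peers"]:
            reasons.append("undocumented peer")
        if reasons:
            alerts.append((src, dst, port, reasons))
            # Keep the raw record per involved asset for forensics and scoping.
            for host in (src, dst):
                evidence[host].append(line)
    return alerts, dict(evidence)

def scope(alerts, baseline=BASELINE):
    """List the known assets touched by alerts: input to the Scope-Contain step."""
    return sorted({h for a in alerts for h in a[:2] if h in baseline})
```

Running `detect(LOG)` yields three alerts (an undocumented external peer, an unknown source host, and a known host probing an unexpected port), and `scope()` narrows the follow-up to the two inventoried assets involved.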
Phase 3: Scope–Contain–Remediate
Once remediation is performed, the scope of the attack and breach needs to be ascertained. The actual or potential damage needs to be classified, and further analysis using forensics needs to be done. The breach needs to be contained effectively, and any further remediation needs to be assessed.
The After Phase primarily deals with the optimization of processes and tools, including the logs used in forensics to investigate and report incidents.