Sunday, August 26, 2007

What do you use for an incident response console?

“Hi ....., We have been building information security management infrastructure for our customers at several sites. Incident response can be a part of several other tasks, so it is hard to have a single console (incident response tasks are listed at http://www.cert.org/csirts/services.html). But in daily operation we do use SEM and ticketing consoles simultaneously. Depending on the reliability of the automatic correlation of events, you may even use a single ticketing console and dig down into the events when needed. For me, the basic IR components are as follows:

1- Process Framework – You need a methodology for building the incident response system. Depending on your requirements and resources, you may choose ISO 27001, ISACA or NIST based risk management models, or IETF, CERT or OGSF type CSIRT procedures. Whatever you do, you need to define the incident response process well. There are a lot of resources, books, articles and guides on the technical and operational side. Let me know if you have any questions on that side.

2- Unified Log Collection and Event Correlation – Once you define your processes, it is time to choose the tools. If your infrastructure is not single vendor, you will need a centralized way of collecting and correlating events. There is no silver bullet, but there are a lot of tools. Architecture-wise you need to define agent based or agentless systems, remote log collectors, aggregation points, traffic forecasts, processing requirements etc. You may choose generic network management powerhouses like HP OpenView, CA Unicenter, IBM Tivoli or Micromuse Netcool, or specific security SEM players like RSA enVision, ArcSight, netForensics etc. If you have a homogeneous single vendor environment, Cisco MARS, Novell, Check Point Eventia or Symantec type solutions work as well. You do not need to spend big money on SEM if you have a limited budget; there are open source log managers or low cost tools like WhatsUp.

3- Ticket Management/Escalation – For incident response, a solid ticketing system is very useful. Regardless of the SEM and NMC tools deployed, you need a helpdesk system. The gold standard is Remedy, but it is for large enterprises with solid customization capabilities. Once the events are correlated on the SEM and marked as incidents, you can manage the whole escalation in your ticketing system. There are thousands of alternatives for ticketing systems. You need to integrate the SEM systems with the ticketing systems.

4- 3rd Party Communication and Integration – Messaging with other Computer Security Incident Response Teams (CSIRTs), private vulnerability research centers, managed security services providers and in-the-cloud vulnerability management services requires integration of your escalation procedures and tools during the design phase.

At our own operation, we have built our own log collectors, agents, receivers, correlation engines, agent consoles, and correlation and business rules engines because of the specific requirements of the operation; the main drivers were to have a single console for operators and to increase efficiency, capacity and security. We still utilize Remedy for asset, change and issue management as well as regular escalation. Let me know if you have a specific question. Regards, - yinal ozkan”
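The reply above describes the SEM-to-ticketing handoff in the abstract: events are collected, correlated into incidents, and each incident opens or escalates a ticket. The following is an added example (not the author's system, nor code from any of the products named) that shows that pipeline end to end on a handful of constructed auth log lines. The correlation rule, severity names, escalation assignees and ticket id format are all assumptions made for the illustration.

```python
"""Added example: a minimal SEM-style correlation engine feeding a ticket queue.
Hypothetical code, not the blog author's system; all log lines are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Constructed sample: syslog-like auth lines from two hosts (not from a real system).
SAMPLE_LOGS = """\
2007-08-26T10:00:01 fw1 auth: FAILED login user=admin src=10.0.0.5
2007-08-26T10:00:12 fw1 auth: FAILED login user=admin src=10.0.0.5
2007-08-26T10:00:20 fw1 auth: FAILED login user=root src=10.0.0.5
2007-08-26T10:00:31 fw1 auth: ACCEPTED login user=admin src=10.0.0.5
2007-08-26T10:05:00 web1 auth: FAILED login user=bob src=10.0.0.9
2007-08-26T10:20:00 web1 auth: FAILED login user=bob src=10.0.0.9
2007-08-26T11:00:00 web1 auth: ACCEPTED login user=bob src=10.0.0.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<outcome>FAILED|ACCEPTED) "
                     r"login user=(?P<user>\S+) src=(?P<src>\S+)$")

@dataclass
class Event:
    ts: datetime
    host: str
    outcome: str
    user: str
    src: str

def parse_events(text):
    """Collector stage: normalize raw lines into Event records; unparsed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real collector would count and alert on unparsed input
        d = m.groupdict()
        events.append(Event(datetime.fromisoformat(d["ts"]), d["host"],
                            d["outcome"], d["user"], d["src"]))
    return events

@dataclass
class Incident:
    rule: str
    severity: str
    host: str
    src: str
    evidence: list

def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation stage (assumed rule): `threshold` failures from one source within
    `window` raise a medium incident; a success while those failures are still in
    the window raises a high incident. Failures that age out of the window are dropped."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[(e.host, e.src)].append(e)
    incidents = []
    for (host, src), evs in by_src.items():
        failures, attempt_raised = [], False
        for e in evs:
            failures = [f for f in failures if e.ts - f.ts <= window]
            if e.outcome == "FAILED":
                failures.append(e)
                if len(failures) >= threshold and not attempt_raised:
                    incidents.append(Incident("bruteforce-attempt", "medium", host, src, list(failures)))
                    attempt_raised = True
            elif e.outcome == "ACCEPTED" and len(failures) >= threshold:
                incidents.append(Incident("bruteforce-success", "high", host, src, failures + [e]))
                failures, attempt_raised = [], False
    return incidents

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
ESCALATION = {"low": "L1 analyst", "medium": "L2 analyst", "high": "on-call IR lead"}  # assumed tiers

@dataclass
class Ticket:
    ticket_id: str
    host: str
    src: str
    severity: str
    assignee: str
    rules: list = field(default_factory=list)
    history: list = field(default_factory=list)

class TicketQueue:
    """Ticketing stage: one open ticket per (host, src); later incidents escalate it."""
    def __init__(self):
        self.tickets, self._next = {}, 1

    def open_or_escalate(self, inc):
        key = (inc.host, inc.src)
        t = self.tickets.get(key)
        if t is None:
            t = Ticket(f"INC-{self._next:04d}", inc.host, inc.src, inc.severity, ESCALATION[inc.severity])
            self._next += 1
            self.tickets[key] = t
            t.history.append(f"opened {inc.severity} via {inc.rule}")
        elif SEVERITY_RANK[inc.severity] > SEVERITY_RANK[t.severity]:
            t.severity, t.assignee = inc.severity, ESCALATION[inc.severity]
            t.history.append(f"escalated to {inc.severity} via {inc.rule}")
        else:
            t.history.append(f"correlated {inc.rule} (no escalation)")
        t.rules.append(inc.rule)
        return t

def run_pipeline(text):
    """Collect -> correlate -> ticket; returns the open tickets."""
    q = TicketQueue()
    for inc in correlate(parse_events(text)):
        q.open_or_escalate(inc)
    return list(q.tickets.values())

if __name__ == "__main__":
    for t in run_pipeline(SAMPLE_LOGS):
        print(t.ticket_id, t.host, t.src, t.severity, t.assignee, t.history)
```

On the sample, fw1 yields a medium ticket on the third failure that is escalated to high (and reassigned to the on-call tier) when the success follows inside the window; web1's two failures are fifteen minutes apart, fall out of the window, and produce nothing. Keying tickets on (host, source) rather than on each incident is what keeps the operator looking at one ticket per attacker instead of one per rule firing, which is the "single console" concern the reply raises.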
