Any good attacker will tell you that expensive security monitoring and prevention tools aren’t enough to keep you secure. This practical book demonstrates a data-centric approach to distilling complex security monitoring, incident response, and threat analysis ideas into their most basic elements. You’ll learn how to develop your own threat intelligence and incident detection strategy, rather than depend on security tools alone.

Written by members of Cisco’s Computer Security Incident Response Team, this book shows IT and information security professionals how to create an InfoSec playbook by developing strategy, technique, and architecture.

• Learn incident response fundamentals―and the importance of getting back to basics
• Understand threats you face and what you should be protecting
• Collect, mine, organize, and analyze as many relevant data sources as possible
• Build your own playbook of repeatable methods for security monitoring and response
• Learn how to put your plan into action and keep it running smoothly
• Select the right monitoring and detection tools for your environment
• Develop queries to help you sort through data and create valuable reports
• Know what actions to take during the incident response phase

Table of Contents

Chapter 1. Incident Response Fundamentals

Chapter 2. What Are You Trying to Protect?

Chapter 3. What Are the Threats?

Chapter 4. A Data-Centric Approach to Security Monitoring

Chapter 5. Enter the Playbook

Chapter 6. Operationalize!

Chapter 7. Tools of the Trade

Chapter 8. Queries and Reports

Chapter 9. Advanced Querying

Chapter 10. I've Got Incidents Now! How Do I Respond?

Chapter 11. How to Stay Relevant

About the Author

Jeff Bollinger, an information security investigator with over fifteen years of information security experience, has worked as security architect and incident responder for both academic and corporate networks.

Brandon Enright is a senior information security investigator with Cisco

Systems. He’s a graduate of UC San Diego, where he conducted research in the Systems and Networking group.

Matthew Valites is a senior investigator on Cisco’s CSIRT, focusing on incident response and monitoring solutions for enterprise cloud and hosted services.