iso27diy-corp/Corpus/Standards/SANS/SANS Incident Response step 2 Identification.md

Step 2: Identification

This step involves detecting deviations from normal operations in the organization, understanding if a deviation represents a security incident, and determining how important the incident is.

The SANS incident response identification procedure includes the following elements:

  • Setting up monitoring for all sensitive IT systems and infrastructure.
  • Analyzing events from multiple sources including log files, error messages, and alerts from security tools.
  • Identifying an incident by correlating data from multiple sources, and reporting it as soon as possible.
  • Notifying CSIRT members and establishing communication with a designated command center (for example, senior management or IT operations).
  • Assigning at least two incident responders to a live incident: one as the primary handler who assesses the incident and makes the decisions, and the other to help investigate and gather evidence.
  • Documenting everything that incident responders do while handling the attack, answering the Who, What, Where, Why, and How questions.
  • Maintaining threat prevention and detection capabilities across all main attack vectors.
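The elements above describe one procedure: collect events from several sources, correlate them into an incident candidate, rate its importance, assign two handlers, and record the Who, What, Where, When, Why and How. The Python script below is an added example that walks through that pipeline on constructed sample log lines; it is not part of the SANS material or of the original page. The host names, user names, IP addresses, the five-minute correlation window, the sensitive-host list and the responder roster are all assumptions made for the example.

```python
"""Multi-source event correlation for the Identification step (added example).

All log lines, hosts, users and addresses below are constructed samples.
"""
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events from three sources: an authentication log,
# an EDR alert feed and an application error log.
AUTH_LOG = """\
2024-05-01T10:00:05Z host=web01 user=svc_backup event=login_failure src=203.0.113.9
2024-05-01T10:00:07Z host=web01 user=svc_backup event=login_failure src=203.0.113.9
2024-05-01T10:00:09Z host=web01 user=svc_backup event=login_failure src=203.0.113.9
2024-05-01T10:00:12Z host=web01 user=svc_backup event=login_success src=203.0.113.9
2024-05-01T11:30:00Z host=db02 user=alice event=login_success src=10.0.0.5
"""
EDR_ALERTS = """\
2024-05-01T10:01:40Z host=web01 user=svc_backup event=suspicious_process cmd=unknown_binary
2024-05-01T09:15:00Z host=db02 user=bob event=suspicious_process cmd=unknown_binary
"""
ERROR_LOG = """\
2024-05-01T10:02:10Z host=web01 user=svc_backup event=app_error msg="unexpected config write"
"""

WINDOW = timedelta(minutes=5)            # assumed correlation window
SENSITIVE_HOSTS = {"web01", "db02"}      # assumed list of monitored sensitive systems


@dataclass
class Event:
    ts: datetime
    source: str
    host: str
    user: str
    kind: str
    raw: str


@dataclass
class Incident:
    host: str
    severity: str
    primary_handler: str
    secondary_handler: str
    who: set          # accounts involved
    what: list        # indicators that made this an incident
    where: str        # affected host
    when: tuple       # (first event, last event)
    how: list         # raw evidence lines
    why: str = "unknown at identification; established during investigation"


def parse_events(text, source):
    """Parse 'TIMESTAMP key=value ...' lines into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, _, rest = line.partition(" ")
        kv = dict(tok.split("=", 1) for tok in shlex.split(rest) if "=" in tok)
        events.append(Event(datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), source,
                            kv.get("host", "?"), kv.get("user", "?"), kv.get("event", "?"), line))
    return events


def correlate(events, window=WINDOW):
    """Return (host, cluster, indicators) for hosts where correlated events look like an incident.

    Indicators: events from two or more sources inside the window, or three or more
    login failures followed by a success for the same user.
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    candidates = []
    for host, evs in by_host.items():
        for i, anchor in enumerate(evs):
            cluster = [e for e in evs[i:] if e.ts - anchor.ts <= window]
            indicators = []
            sources = {e.source for e in cluster}
            if len(sources) >= 2:
                indicators.append(f"events from {len(sources)} sources within {window}")
            fails = [e for e in cluster if e.kind == "login_failure"]
            succ = [e for e in cluster if e.kind == "login_success"]
            if len(fails) >= 3 and any(s.ts > fails[-1].ts and s.user == fails[-1].user for s in succ):
                indicators.append("repeated login failures followed by success")
            if indicators:
                candidates.append((host, cluster, indicators))
                break   # one candidate per host is enough for this example
    return candidates


def severity(indicators, host):
    """Rate importance from indicator count plus whether the host is sensitive."""
    score = len(indicators) + (1 if host in SENSITIVE_HOSTS else 0)
    return "high" if score >= 3 else "medium" if score == 2 else "low"


def build_incident(host, cluster, indicators, roster):
    """Create the incident record; at least two responders must be assigned."""
    if len(roster) < 2:
        raise ValueError("at least two incident responders are required")
    return Incident(host, severity(indicators, host), roster[0], roster[1],
                    {e.user for e in cluster}, indicators, host,
                    (cluster[0].ts, cluster[-1].ts), [e.raw for e in cluster])


def identify(roster=("responder_a", "responder_b")):
    """Run the whole identification pipeline over the constructed sample sources."""
    events = (parse_events(AUTH_LOG, "auth") + parse_events(EDR_ALERTS, "edr")
              + parse_events(ERROR_LOG, "app"))
    return [build_incident(h, c, i, roster) for h, c, i in correlate(events)]


if __name__ == "__main__":
    for inc in identify():
        print(inc)
```

Running the script yields one incident on `web01`, rated high, with both handlers assigned and all six evidence lines attached. The lone EDR alert on `db02` does not meet the correlation rule and so is not promoted to an incident by this script; in practice such an alert still goes through normal alert triage, which is what the "understanding if a deviation represents a security incident" wording refers to. The Why field is deliberately left open because motive is established during the later investigation, not at identification.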