Incident monitoring and response – Security and DevSecOps with Python

Incident monitoring and response

How would one define an incident? Well, let me posit this to you: what would you do if a bear attacked you? Does this sound stupid? Are these way too many questions? Well, this question is a fairly direct way to understand what an incident is and how one reacts to it.

The bear is attacking you; it is much larger than you and, well, you don’t want it to get you. In this case, the bear attack is the incident and the bear itself is just a vector for the incident. The result of the incident depends on the response, and to have a good response, you need a good head on your shoulders (you need to monitor the situation, get it?). The report of the response to the incident will happen one way or another. However, if you want to be the one writing the report, you need to have handled the incident correctly.

Actual security incidents are not as brutal as that (not physically, anyway). Don’t worry. But they do work similarly. There is an incident, in which security is compromised in some way; a tool is used to exploit a vulnerability; and once that vulnerability has been exploited, the situation must be handled calmly and mitigated where possible. Once that is done and you have restored order, the incident response needs to be documented and distributed to the correct parties.

Now, here is where Python comes in. In order to respond to a security threat that potentially targets a fleet of virtual machines, Python can help run what is called a runbook, which is a series of commands that can be deployed to reset a system or to have it respond to some sort of threat. Another way to use Python in this capacity would be to look at monitoring data from the time of an incident and compare it to regular data in order to find some patterns that can be used to predict and get ahead of future incidents.
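The second use described above, comparing monitoring data from the incident window against normal data, as an added example (not code from the book): it flags metrics whose incident-time mean drifts more than a few standard deviations from a baseline, and maps each flagged metric to a runbook step. The metric names, the sample readings and the `RUNBOOK` step names are all constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed sample data (not real telemetry): readings per metric from normal
# operation (BASELINE) and from the minutes around the incident (INCIDENT).
BASELINE = {
    "ssh_failed_logins_per_min": [1, 0, 2, 1, 0, 1, 2, 1],
    "cpu_pct": [35, 40, 38, 42, 37, 39, 41, 36],
    "outbound_mb_per_min": [5, 6, 5, 7, 6, 5, 6, 5],
    "root_logins_per_min": [0, 0, 0, 0, 0, 0, 0, 0],
}
INCIDENT = {
    "ssh_failed_logins_per_min": [40, 55, 62, 48],
    "cpu_pct": [39, 41, 40, 38],
    "outbound_mb_per_min": [120, 140, 135, 128],
    "root_logins_per_min": [1, 0, 1, 1],
}

# Hypothetical runbook: which response step each anomalous metric should trigger.
RUNBOOK = {
    "ssh_failed_logins_per_min": "block-source-ips-and-enforce-key-auth",
    "outbound_mb_per_min": "isolate-host-and-capture-traffic",
    "root_logins_per_min": "revoke-sessions-and-rotate-credentials",
}

def zscore(value, baseline):
    """Standard deviations between `value` and the baseline mean.
    A flat baseline (sigma == 0) makes any different value infinitely surprising."""
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma

def find_anomalies(baseline, incident, threshold=3.0):
    """Return {metric: (incident_mean, z)} for every metric whose incident-window
    mean sits more than `threshold` standard deviations from its baseline."""
    anomalies = {}
    for metric, samples in incident.items():
        if metric not in baseline:
            continue  # nothing to compare against; cannot judge this metric
        inc_mean = mean(samples)
        z = zscore(inc_mean, baseline[metric])
        if abs(z) > threshold:
            anomalies[metric] = (inc_mean, z)
    return anomalies

def select_runbook_steps(anomalies, runbook=RUNBOOK):
    """Map flagged metrics to their runbook steps, in a stable (sorted) order."""
    return [runbook[m] for m in sorted(anomalies) if m in runbook]
```

With the sample data, CPU stays within its normal band while failed SSH logins, outbound traffic and root logins are flagged, and the returned step list is what a runbook runner would execute or hand to an operator.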
