- analyze alerts or escalations
- create documentation trails (chain of custody, incident tracking, etc)
- contain, eradicate, recover from any incidents
- parse through your incident tracking looking for trends (repeat offenders, categorization). Don't treat this as material to feed your bosses; feed it back into the incident process and learn from it.
- Don't just look at alert data. This is NSM all over again. Or is it? NSM starts at the alert and moves well past that into session and full capture data. What if we complement NSM by also starting at full capture data and looking for items that should have alerted but didn't (false negatives)? I suspect NSM advocates would say this falls under NSM, but it doesn't truly seem to be practiced.
- Part of the incident lifecycle is the lessons learned branch. In my experience this isn't done on minor severities (e.g., the daily one-off infection). How do we lower the transaction costs of such lessons learned so that we can quickly capture them at an operational level?
- Drills are important, you must make time for them.
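The two bullets above on starting from full capture data and on feeding trends back into the process, as an added example that is not part of the original post: walk session records, apply the detection policy the sensor is expected to enforce, and flag sessions with no matching alert as false negatives, then count which destinations recur. The blocklist, addresses, signature name and the five-minute matching window are all constructed assumptions.

```python
"""Start from session data and work back toward alerts: a session that meets
the expected-detection policy but has no matching alert is a false negative."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Session:            # one flow record (NSM session data)
    ts: datetime
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Alert:              # one sensor alert
    ts: datetime
    src: str
    dst: str
    signature: str


# Constructed sample data (RFC 5737 documentation addresses), not real traffic.
BLOCKLIST = {"203.0.113.7", "198.51.100.23"}   # hypothetical known-bad hosts
T0 = datetime(2024, 1, 15, 9, 0)
SESSIONS = [
    Session(T0,                         "10.0.0.5",  "203.0.113.7",   443),
    Session(T0 + timedelta(minutes=2),  "10.0.0.9",  "198.51.100.23", 8080),
    Session(T0 + timedelta(minutes=30), "10.0.0.5",  "203.0.113.7",   443),
    Session(T0 + timedelta(minutes=31), "10.0.0.12", "192.0.2.44",    80),
]
ALERTS = [  # constructed signature name; only the first session was alerted on
    Alert(T0 + timedelta(seconds=30), "10.0.0.5", "203.0.113.7", "EXAMPLE blocklist hit"),
]


def should_have_alerted(s: Session) -> bool:
    """Detection policy we expect the sensor to enforce (assumed: blocklist match)."""
    return s.dst in BLOCKLIST


def is_covered(s: Session, alerts, window=timedelta(minutes=5)) -> bool:
    """An alert covers a session if it names the same src/dst pair within the window."""
    return any(a.src == s.src and a.dst == s.dst and abs(a.ts - s.ts) <= window
               for a in alerts)


def find_false_negatives(sessions, alerts):
    """Sessions the policy says should have alerted, but nothing did."""
    return [s for s in sessions if should_have_alerted(s) and not is_covered(s, alerts)]


def gap_trends(gaps):
    """Feed the result back into the process: which (destination, port) pairs recur."""
    return Counter((s.dst, s.dport) for s in gaps)
```

Each entry returned by `find_false_negatives` is a candidate for a missing or broken signature; the trend counter is the input for the lessons-learned loop rather than a management report.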
That's tactical, what about strategic?
We (as in any security response team) need to make it easier for outside teams to respond with us. This means automating toolsets that we can't run remotely so that they don't have to think about them, and it needs to be quick. If we rely on a support center then we must provide them tools to quickly do what we need them to do, not expect them to figure it out.
An outline of capability blind spots needs to be done. Any opportunity to fill such a blind spot should be evident and taken advantage of. Too often these opportunities are missed because action is not taken quickly enough.
Our capability is valuable; apply it to other needs when applicable to show that value. Think of log reviews, bandwidth troubleshooting, data preservation or identification. This should stay tactical or strategic and not become an operational duty.
Create the proper barriers to limit other responsibilities from eating away at NSM and response. The balance will always tip in favor of tangible results over operational monitoring and response.