The agile active defense process
In our original discussion in Chapter 2, Incident Response – A Key Capability in Security Operations, we defined the agile incident response loop as a feedback loop between the Contain and Detect phases and noted that this inner loop drives the agile aspect of incident response. In Chapter 3, Engineering for Incident Response, we considered an expanded, incident response-based loop for security operations, of which active defense is one part.
As we pointed out in Chapter 2, Incident Response – A Key Capability in Security Operations, the inner loop of the NIST framework is one of the key elements that bring the agile approach into security operations and active defense. The inner loop captures the need to pivot frequently between detection, analysis, containment and eradication, and then back again to detection and analysis. For incident response to be efficient, we must understand and manage the cadence of these steps and pivot between them...