Abstract
A critical computer security incident may cause great damage to an organization, for example through a confidential data breach or a malware pandemic. To avoid or mitigate such damage, a quick and accurate response to a computer security incident is becoming more important. To achieve this speed and accuracy, this paper presents the Incident Tracking System (ITS), which orchestrates several information systems and automates an initial incident response. The ITS automatically locates and isolates a suspicious host and sends a mail notification to the person in charge of handling the incident. The ITS can also identify or suggest a user of the suspicious host from network authentication logs or other service logs.
Ohmori, M. (2019). On automation and orchestration of an initial computer security incident response by introducing centralized incident tracking system. Journal of Information Processing, 27, 564–573. https://doi.org/10.2197/ipsjjip.27.564