RSA Incident Handling and Response

Document created by Craig Hansen (Employee) on Feb 5, 2016. Last modified by Elena Komarova on May 11, 2017. Version 10.






In order to register for a class, you need to first create an EMC account
If you need further assistance, contact us




The RSA Incident Handling and Response classroom-based learning prepares a security analyst to take on incident handling responsibilities in a forward-thinking Security Operations Center (SOC).



This classroom-based learning provides a thorough overview of the tasks, processes, procedures, escalation workflows and tools used by a Security Analyst/Incident Handler. Through use cases, examples and hands-on exercises, participants investigate a variety of critical incident response scenarios. The instructional material emphasizes decision-making and prioritization, with the goal of teaching students how to make an assessment in a short amount of time using security monitoring instrumentation, contextual analysis and correlation against indicators of network exploitation. Students develop a broader understanding of the role the SOC fulfills in the larger organization, including the issues associated with incident response and with assessing organizational risk.



Audience

Security Analysts with 6-12 months of experience working in a Security Operations Center (SOC), Network Operations Center (NOC), Critical Incident Response Team (CIRT) or similar function.


Delivery Type

Classroom-based

Duration

3 days


Prerequisite Knowledge/Skills

Students should have completed the following courses (or have equivalent knowledge) prior to taking this training:

6-12 months as a Level I Security Analyst


Course Objectives

Upon successful completion of this course, participants should be able to:

  • Outline sustainable and repeatable tasks, processes, procedures, escalation points and workflows of the Security Analyst/Incident Handler.
  • Ingest daily intelligence reports and previous shift logs.
  • Recognize the legal and corporate investigative responsibilities associated with incident response.
  • Participate in risk analysis for central and distributed networks, including the impact of cloud-based infrastructures as part of the SOC.
  • Review, triage, investigate, and analyze escalated events and incidents from other analysts or IS groups during shift.
  • Monitor security events using all SOC data sources.
  • Investigate all incidents aligned to proper process, procedure and escalation points.
  • Prioritize incident response relative to threat severity, business context and activity volume.
  • Recommend, develop, and implement remediation procedures.
  • Create an incident report with appropriate handoffs and closure.
  • Coordinate, de-conflict and align event and incident communication.
  • Support root cause analysis.
  • Prepare communication for executives and enterprise stakeholders.


Course Outline

The Tools and Tasks of an Incident Handler

  • List the tasks, processes, procedures and escalation points of a Level Two security analyst.
  • Identify the tools used by the Level Two security analyst.
  • Provide examples of the types of incidents handled by the Level Two security analyst.
  • Ingest daily intelligence reports and previous shift logs for efficient operations handoffs, escalations and transitions.

Participating in Regulatory Compliance

  • Define security compliance.
  • Describe the types of compliance standards.
  • Outline the steps to become compliant with a standard.
  • Distinguish a security program from a compliance program.
  • Outline what happens during a compliance audit.
  • Identify the responsibilities of a security analyst during a security audit.

Contributing to Risk Assessment and Mitigation

  • Monitor security controls to mitigate risk.
  • Participate in risk analysis for central and distributed networks.
  • List the organizational assets protected by the SOC.
  • Assess the vulnerabilities of those assets.

Investigating an Incident

  • Investigate all escalated incidents.
  • Summarize the steps to create a malware analysis environment.
  • Explore the tools included in the course's malware analysis environment.

Responding to an Incident

  • Escalate incidents as required.
  • Prioritize incident response.

Recommending Remediation

  • Recommend remediation to operations.
  • Make recommendations to the appropriate department for each incident.

Addressing After-Action Items

  • Create an incident report.
  • Derive and incorporate threat intelligence from the incident.
  • Perform root cause analysis.

Preparing Executive-level Communications

  • Prepare a brief for senior management.
  • Summarize the incident for Operations.



Industry tools used in this course include:

  • RSA Security Analytics
  • RSA Archer
