Implementing sound security policies and procedures can lay the foundation for an effective incident response strategy. But if information technology managers want to protect networked resources from security incidents before, during and after an attack, they will need an arsenal of tools at their disposal.

Agencies should consider a range of technologies to prevent security incidents. But if attacks get through, they need tools that can help them respond quickly. Those tools should include asset, vulnerability, security event and information management software; network and host-based forensics; and help-desk systems, experts say.

An effective incident response plan should include an integrated set of technologies that enable IT managers to discover intrusions and defend their networks and systems, said Michele Perry, chief marketing officer at Sourcefire, a maker of products that detect and prevent intrusions.

"Incidents can be all over the map," Perry said, adding that the best form of defense is a policy-based response engine that alerts security managers to violations. Sourcefire's 3D System combines intrusion detection and prevention with vulnerability management technology.

3D System consists of Sourcefire Intrusion Sensors and Agents, Real Network Awareness (RNA) Sensors, and Sourcefire Defense Center. Built on Snort, an open-source rules-based detection engine, the intrusion sensors use signature-, protocol- and anomaly-based inspection methods to detect threats. The technology comes as easy-to-deploy security appliances.

RNA Sensors monitor network assets such as firewalls, PCs, routers, servers and wireless access points. The Defense Center aggregates and correlates all threat information culled from sensors and agents. It prioritizes the large volume of security events to help IT managers determine the most critical incidents, Perry said.

Symantec is also taking an appliance approach to incident response. To help users understand their environment's security, by the end of the month the company will begin offering an information management tool that performs event correlation, aggregation and storage in one appliance, said Rowan Trollope, vice president of security management solutions at Symantec.

People need technology that is easy to deploy, Trollope said. The Symantec Security Information Manager 9500 Series provides real-time integration of global early-warning threat intelligence and event correlation.

The product integrates correlation technology with the company's DeepSight Threat Management System to deliver continuous security intelligence updates, such as automated security alerts, known vulnerabilities, safeguards and attack signatures. Administrators can view updates at an integrated console, he said.

Chris Michael, technology strategist at Computer Associates International, said the principles of modern air warfare developed by Col. John Boyd, an Air Force fighter pilot during the 1950s, can be applied to incident response.