System Monitoring

This is as much for my own edification and future self as anything else. Three system / health monitoring tools of which I’m aware are:
Nagios, along with the unfortunately-named but always excellent companion site nagiosexchange.
Lighter-weight tools are monit and mon. A friend of mine tried the latter and proclaimed it Good, although the names for both of those are pretty crap, especially mon. At least give it a cute tagline or something. Software authors should always google the names they’re considering; think of somebody who sort of remembers the name, but maybe not quite, and wants to find it again. If the mighty GOOG returns 10,000 hits, maybe your name isn’t so good after all.

Starting an IH/R program

Andrew Hay started a good discussion of how to get started with an incident handling / incident response program over at the Security Catalyst forums.
There’s lots of good information in there. As poster Dave Hull notes, academia is good for practising your IR stuff: there are both lots of intrusions and lots of weird things that look like intrusions but aren’t.
Like some of the posters there, I’ve taken the SANS 504 course, although I’m not sure that I would characterize it as an in-depth introduction to incident handling. It is as much about how to avoid doing the handling in the first place as anything else, although there is definitely some good stuff in there on IR/IH.
I haven’t checked out the NIST publications yet, although that’s not the first place I’ve seen reference to them.

Cheat Sheets for incident handling

SANS has links to two cheat sheets for incident handling. One is aimed at server administrators, those who are (hopefully!) most likely to notice issues in the first place. The other is aimed at those who respond to confirmed incidents.
The server admin sheet is mostly what to do and some ways to do it; the handler’s sheet is mostly a list of questions to be answered.
The SANS links point to a handler’s website, which in turn gives you links to both PDF and Word versions of each sheet.