8.5 Incident Response

00:00

Hello, everybody. And welcome to the I t Security episode number 34 80. Intend Response. My knee. My name's Alejandra gonna and I will be instructive for day session.

00:13

Learning operatives of the session is to understand and be able to identify the main concepts to put in place. And I didn t into a response process.

00:24

Uh, discord Incidents minus man is AJ's life cycle driven sets of activities wrench from planning detection is containment eradication and recovery to, you know, finally get to the learning process about what what went wrong and how to improve one's buster buster

00:45

to prevent similar feet. Future

00:47

incidents Instrument response will bury from your internal defense programs or processes with berry from different enterprise type. For example, if your organization has no intent to operate industrial system

01:03

but has personally adopt, bring your own I mean, Geron Coyote device policy,

01:07

your instant response process. My stop at the point that becomes a compromise has been identified, contained and then replicated in my not in this case extend to dip intrusion. Forensics are in on the nature off negative vulnerability because at the end,

01:23

uh, those ID's are owned by your employees and maybe you just eradicate the threat

01:30

and no longer lead that employees to connect anything to your cooperate meaning personal stuff.

01:38

But that is not the case. If you're actually implemented on scatter, for example, protocol because you're actually controlling industrial I ity systems.

01:49

So you have to, you know, uh, think about the threats on both the safety and security, And this is the difference between between a normal influence in free in response

02:02

program that for your own Oh, I infrastructure that for your i o t infrastructure because you're dealing in with safety and security. So these scenarios show that riot insurance in CNN management takes a few twists and turns from conventional I T enterprises.

02:22

For example, physical nature of the neck were things their locations who owns that are not. Praise them

02:30

the same physical expect. Often Indian response may include safety factor, even life or death,

02:38

especially for medical transportation's on other industrial idea to use cases

02:43

three cloud aspect of managing the physical things, including the fact that many of the direct incident response activities might be out off the image control from physical device itself. So this is another things, including the S L. A. With your cloud provider. If it

02:59

unsee that happens to you. How will they help you actually help you

03:02

to reduce the impact of it and eradicated attract?

03:07

Ah, the possibility that other unrelated I hear things are connected to common hubs and get waits in the proximity off. The compromise might provide interesting new Dennis that's contributing to into in detection on forensics, for example. Maybe there was a camera

03:25

outside another store new to your data center or the Cloud Data center.

03:30

So maybe a thief broke into the building. And maybe that camera that was in a store near do it can help you identify, um and, you know,

03:44

proceed with the respond program.

03:46

Uh, engine responds as you can see in the screen, uh, be broken into four main faces. That one Indian response playing, which includes, you know, team composition will be in the team communication plan, exercise and training coordination plan

04:05

everything that needs to be planets

04:08

and step number one. Step number two. Um,

04:12

uh, detection analysis.

04:15

And this, you know, threats. Sharing. 24 7 Maybe a sock secure operation center.

04:19

Uh, cloud monitoring friend. You know, forensics I mean, anything that can help you detect and analyze the trip.

04:30

Step number four, containment and eradication. These, you know, quarantine containing soon and eradicated engine or detract continuously monitoring, you know. And then I split this because at the end, most of the

04:46

the time you can see containment and eradication and recovery

04:50

on the same point by exploited, because at the end, recovery and road constant Alice is

04:56

is something different. I see that supposed incident because at the end, if you're recovering, maybe you have to move to your alternate site and you have to move back into the to your headquarters.

05:06

So recovery on road cars analysis, I put it together as a different activity. And then we have the past incident activities, you know,

05:17

follow up on any prospective lessons, lessons learned. Maybe you're creating a knowledge base, and this will be a point to gather all the information and put together a magical or something for your knowledge base. So they will happen to you again. You know, information's information, Sherry. Maybe you're running, assert,

05:38

um,

05:40

and you have to share information. Maybe your your part off the first network. Um and you have to share information with all your other Pierce sisters inserts, uh,

05:55

then you have to shirt, you know, anonymous ized our information and share it with them.

06:00

And, you know, basically fooling with this for you know, five. In this case, steps will help you to establish a good engine response, planning and program. You also need to consider the impact and probability basically the risk

06:16

based upon your I T asset inventory. It will help you decide and elaborate the instant response process as well. Uh, maybe

06:26

it's not a good idea to execute all the five steps in some cases, but in other cases, it's good to you will need to execute additional steps to these five stages and again for Temple. Everything a game changer is. The cloud

06:43

is that the end Club service providers may not provide a good

06:46

insurance Indian responsible work for you to the cloud, you know.

06:51

Remember the clouds secure online. So we talked about in the in the cloud modules. Well, they give you some topics. You should shoot really seriously. Consider, when creating the service level, a great man when your cloud service provider

07:09

for expert trouble will be your point of contact, sir, but that

07:14

who will be your points of contacts on communication channels,

07:17

the interns definitions and efficacious criteria. Will they be not find you or not,

07:24

uh, support to customers for its urine tech detection, the definitional off rolls responsibilities during the security incident

07:33

Specification off. You know that incident response testing you, you know, performed by them. Maybe they have to perform a pen testing or into a response. Distant,

07:46

um,

07:46

in their facilities. A scope of the postmodern activities, for example, Will they Will they be performing forensics after all? I mean, overall completely defined activities for your cloud service provider.

08:03

Carnie, get a Carnegie Mellon's certain organization,

08:07

uh, notes that, you know, you should you should consider, um,

08:13

the number of factors when you're selecting the stuff that will be part of your lives in a responsible in which believe that the mission will goes. Fix this stuff, experience or expertise. Uh, in

08:28

you know, the technology you have place. Maybe you want to put him on the internet response. Do you maybe want Thio? Gather people from human resources. Financial legal. Andi, off course I t That's up to you. But coming. Melon has a good list that you can check it out.

08:48

I wanted to do this.

08:50

I'm a among all of this issue. Also considered to implement a communication plan both for your internal members to they know how to react to the incident. You know who to call, what process to follow,

09:05

but also to the polling in general. So the panic doesn't spread and bad news start to affect your business image.

09:13

What does piety Indian management takes a few twists and turns from conventional I T. Enterprises. Well, basically, because we're trying safety and privacy in there, not on security

09:26

in the constant in the context of Internet response, what does Arthur say means and what it is important, what instant for road cost analysis. And it's important because it will give you the answers you were looking for in the end it for in the incident response and you will you can actually

09:45

build our knowledge base. So

09:46

this threat our India doesn't happen. You did you to you all your business again

09:52

as part of your insulin response plan. Why, it's important to have a clear S lay with your provider

10:01

because again the cloud when you when you don't own or, you know, maybe you own it, but you don't have

10:09

the device is itself or the service is the cloud should be able to. The closer's providers will be able to help you respond to an incident and, you know, give you the day that you need to fall on any clues or any is, and you have to complete and, you know, sharing information.

10:26

All the stuff they have to be your partners, and neither on extension

10:31

of your employees.

10:33

In today's lecture, we discussed the main concept you need to know to establish a good idea T incident response program.

10:43

Well, I have recommended to go to all this, um,

10:48

materials assert from the Carnegie Mellon Carnegie Mellon University. That's a good, good, good, good read for you. And nails have a lot of other

10:58

materials, not naturally, necessarily related to interim response.

11:05

Looking forward in the next video, we'll finish our girls with summary of piety, concepts, feature and security and best practices.