Incident Handling Tools

00:00

Hello. My name is David. Welcome to handling incidence. We're gonna talk about a broad number of fools. I'll probably make some recommendations as we go through. I has a say in the next.

00:16

Um,

00:18

he asks, I'm teaching the scores. Yes, I've got experience. Yes, handle incidents myself before from ground up and talked down. However,

00:29

I if you go to any kind of a class in cyber security, even the instructors tell you there are no experts

00:37

because there's always more to learn. There's always a new attack coming servicing. There's a new skill that you need to learn. So coming across a friend of thousands of expert is always something that hasn't

00:52

because there's always somebody that knows more than you know, one and number two I.

00:58

So it pays to be humble in this view, I'd be willing to learn, And when it comes to tools, that's especially

01:06

because there are a ton of tools out there. They'll help you with handling, and it's

01:12

I can't give you exposure to all of them. I myself have exposure at all because there's just such a vast variety of the mountains. Keep that in mind as we start talking about our two kids together.

01:26

First of all, um, and this is far too often. Look, if you need a good method for recording everything that happens stories,

01:36

um,

01:37

a lot of companies that I've dealt with in the past used templates you something in and say a word document or a Nextel sprint. Um,

01:47

and I chucked with that because that's still probably one of the most common methods of recording. What's going on There is, or one note for Microsoft or Google dot of some sort here in the recent past. New technology on dhe I use that term loosely here

02:07

because sores have come into play.

02:08

Soldiers are a great tool to be able to use if your company will buy you one.

02:15

Um,

02:16

because what they do is they actually combine these three different technologies, which is why I use that term loosely sore as a total package because it's actually three different ones. On one the first you get security workers spiritual. Then you get threat intelligence, and the you also get is that response

02:36

methodologies the road in there

02:38

part of that spelling mistake on on this the stones, I'm gonna point that out before somebody else does to say no, but a sore can do a lot to help you

02:49

record these aspects of mints in it. Now I used Excel spreadsheets. I used one new.

02:54

I've used a shared drive and internal shared drive. All those things can be used. Hello.

03:01

Sore is probably the way todo I probably vision works. I personally think it's the waiting

03:12

some sister does. See, here's the iose, those in the executive level.

03:17

I forgot where they came from. Maybe, Or we're never there in the first place. I'm not sure, but any time a new technology comes along a new process,

03:28

it needs to be investigated. And if it's good, the *** and sore is proven.

03:32

There are a lot of different upcoming companies that use and sell soars. So I'm not gonna get into the degree of all these different companies. Kind of gives beyond the scope of our time here together. But what It is basically sore stand for security orchestration, automation in response,

03:53

and it isn't an enhancement for his response. And

03:58

all right,

03:59

I know what play on this, because I want to build your enthusiastic support to when I worked with an M s S p. We fought battle. Get a sore, enduring incident response.

04:11

Those above us

04:13

were not going along with the bourbon. Um, in the private feel again, Soar has come up again. Begin again. But yet no funding ever comes forward to put implement a sore in the environment. And that is disgraced.

04:31

Um, hopefully nobody that I

04:34

No, I will actually hear some of this, but those that I work with will say, Oh, yeah, he's right. Uh, if you're a sea level executive or your director level, put this on your most of things to get fight four, please.

04:49

Because your team needs seats. A sore can do so much to mediate time issues, personnel issues. I can't stress it enough when it comes. It's handling that you need this overarching tool that brains and your security tools brings in your threat intelligence.

05:09

It brings in your instant response processes

05:12

and it automates learned portions of that. Take that off your team.

05:16

They right now are trying to fill out itself spreadsheets, one news there

05:23

gathering information from our reviews of memory analysis, forensic reviews, and then they're happy to take that information and translated a word document translated one that you see where I'm going with that. So what a waste of time and energy

05:36

s O a sore can alleviate about. It's important, important tool in its him. Now you need lists, contact lists, names, numbers about numbers of key stakeholders. I've seen this in everything from re grain binders

05:56

to one notes thio,

05:58

internal documents.

06:00

It could be incorporated into a source. Well, now these need to be,

06:05

But they turned on external because you're gonna need all of the people that you need. You have to have during an incident, and you don't want to have to be searching for, You know, back in my day, they used something called a Rolex.

06:19

How many of you have ever seen

06:23

you re usable, Dex?

06:26

Now, though, that's all changed. So you got that list. You've got notification list. They need to be kept up to date. Need legal resources, technical resources. You're gonna need public relations. It's ah, huge element in any incident. Especially one that's gonna go public.

06:46

Um, because you'll have the old negative press. You'll have to deal with people calling in several of the waters of bridges here in the recent past. They actually have to set up our call centers in order to be able to handle the amount of calls that were coming in.

07:02

So all these things were things that you need business inhaler considering and asking about

07:09

when it comes to the entire process. Now there's even more or less than you need. That's just my cat. I'm gonna drop it in. There's, uh,

07:17

you need port list. Need packet sniffers is available in the network protocol analyzers, security documentation

07:27

network diagrams. There's a ton of things that you need to be able to access quickly. You need to know where that so that you could turn to it if you need it.

07:40

Uh, just one real quick case in point. Um, I say you have an internal database.

07:46

In fact, when the use of rewards

07:48

company handles contracts with third parties, was working on a multi $1,000,000 contract, they got sidetracked with another time issue. When they circle back around to this multi $1,000,000 contract went to log in to the database where this store it was going,

08:09

he had been deleted.

08:11

What do you do?

08:13

I mean, who has access to it. Uh, if you have your network documentation and diagrams and say a packet sniffer set up

08:22

community going out Yeah, try that. If you go,

08:26

probably gonna find yourself in the middle of an incident without the ability to get the information to need. Problem investigated. You need forensic tools

08:35

and you need imaging for a variety of different systems that celebrate up there in the upper corner. It's for cell phone house in the bring your own device environment in which we now live.

08:48

You've got tablets, you got laptops. You've got cell phones that our company on their privately owned, but they're used by police.

08:56

You need the programs to do the analysis, how you do a packet, capture house to your analysts, have access to a wire shock per diem or packets, let you have forensic software. You have, in case you have access data X ways.

09:15

You know, Sydney physical tools you need get to kick to take out the field with you. And in our other course, we know Warren definite that who's that you would need? But

09:26

you do need to understand that you have to fill this out pre emptively.