Hello. My name is David, and welcome to Incident Management. Incident management, in fact, is tricky. It can be convoluted and can create problems on many fronts. So hopefully we can share some experiences and some how-tos and how-not-tos. So, jumping back here a little bit.
We talked about the incident response process, preparation, only briefly, and scattered throughout the presentations, the episodes I guess, on incident response team, detection and analysis.
I didn't go in depth into it. However, in order to do proper incident identification, you have to do proper preparation, and I wanted to remind you of that. Almost all of the good, let's not stop there, let's say an excellent incident response process relies heavily on preparation. If you skip on preparation, then detection, analysis, containment, eradication, recovery and your post-incident activity are all going to suffer vastly. And so will your company, your business, because you won't be able to provide adequate protections or response efforts when you get breached.
There, I said when, not if. Now, identifying an incident, so again, proper preparation comes into play.
Coming into the incident identification area requires us to look at our incident response analysts and ensure that they have a good, firm handle on it. On top of that, there are a lot of programs available, matrices, all kinds of things to help you with that, but nothing really replaces good real-world experience when it comes to identifying the attack vectors. The MITRE ATT&CK Matrix is a great one to expose incident response analysts to, because it does a fantastic job of laying all that out.
Hopefully we'll have time in this course to take a quick look at that as well, and see how we could apply it.
If they don't understand how they could be attacked, it's tough for analysts to be able to identify attacks when they come in. So give them a little bit of training from the black hat side of the hacking world so they can see that. We have some excellent courses on Cybrary on hacking and penetration testing.
Even if your employer is not going to pay for you to do it, take a little time on your own and spend some time in these courses to expand your skill set and help you identify incidents quicker.
Now, just about everything that exists in the cyber world could be considered an attack vector. Email, traffic, USB drives, browsing the internet can create attacks on your network, some that could be successful, some that might not be.
So if you're going to identify incidents, you've got to have things in place. One that's often overlooked is user reports; they can come into play here. I can't tell you how many times a user was just browsing the Internet, they got redirected to a "your computer is infected with malware, please call us" type page. We had users fall victim to that and actually call and allow remote access into a corporate environment. So it happens, but what's key for us, and what we're considering, is for us to identify these. We also have to be monitoring these high-risk tools, programs and systems that are involved for symptoms of an attack. If we're not monitoring, we won't know what's going on, so it's extremely important to have tools in place in order to know that you're under attack. So what are the symptoms of an incident?
This is probably the most challenging part of protecting a network, getting these tools and methodologies in place to identify incidents. One of the biggest ones is SIEMs, security information and event management tools. EDR is rapidly growing. Just maybe five years ago you didn't really hear all that much about EDR, but it has rapidly come up through the ranks of security tools, so to speak, and assumed a very high and worthy place amongst the other tools that are available. Then you have, of course, intrusion detection and intrusion prevention systems that you can install that are working to monitor for symptoms of an incident, and those can come into play as well.
If you take all these and others, because there are some things that I did not put on here, one example is phishing protection, vital to have on your network, especially if you have a business that relies heavily on email-type traffic, shipping invoices out, receiving invoices in, sending forms back and forth, orders.
Attackers love you. You also really want something in place to help you identify hacks by email as well.
So what you need to do is ensure that your company, business, or whoever you're working for, has done a good risk assessment, and then taken that risk assessment and utilized it in order to provide you with the tools that you need to identify the symptoms of an incident. Now, this is an example of the IBM QRadar SIEM. As you can see, it's pretty configurable, you can do whatever you want to do, and it does a fantastic job of helping you identify incidents.
As you can see, there's a dashboard that you can craft to show whatever it is that you prefer to see, highly personal. And then you have at the very top there some different tabs. Offenses is one where you have rules that are created by QRadar, by IBM, and also maybe by your team, as they are customizable. Then you can also pull in from different threat intel feeds in order to craft alerts around users visiting sites that are tagged by those feeds as being malicious. So you can use these SIEMs, and QRadar is only one example of the SIEMs out there, to help you identify incidents.
An example of endpoint detection and response tools is Carbon Black. This is a screenshot from a Carbon Black installation. Carbon Black is a very full-featured tool that allows an analyst to both receive alerts through spotting events and then also begin to conduct the initial triage and investigation, in essence. So in this example, you've got somebody visiting Dropbox. It's running on a system, which could cause you concern, especially if you don't want insiders possibly extracting data out of your environment, or another scenario that you've encountered. I used both QRadar and Carbon Black, and when you put those two together, you've got a really fantastic toolset to help you identify incidents.
A word of caution here: the more tools you have, the more alerts you're going to get. High volumes of alerts can definitely overwhelm and burn out the different levels of incident response practitioners, whether it's tier one in the SOC, or tier two and tier three that are following up the work done by the tier one analysts. Or even if you're continually pushing the panic button and hitting go every time an alert comes in and doing a full-blown incident response, it's going to go to the boy that cried wolf, so really nobody's being engaged or doing good work on it anymore.
So if you put these tools in place, you need to ensure that you're doing it right and that you're managing alerts properly as well.
There are a lot of sources to look to: system security alerts, if you see an obvious attack happening and you're monitoring for that; or a user calling in about strange or unusual behavior; you may get third-party calls from other companies complaining about your network scanning them; or a government entity, three letters, could contact you and say they have information that you've been breached; or, heaven forbid, Brian Krebs calls your HR or your press company and says, hey, he's found information that your company's been breached. These are all ways that you can identify incidents. Again, this is just a brief introduction to give you something to think about. Stay in touch. If you want to talk or want to connect, hit me up on Cybrary, cyber human being eat 135. Happy to talk to you. Have a great day.
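As an added example, not from the talk or from any vendor's product, here is what the threat-feed correlation the speaker describes for a SIEM could look like, combined with the per-user alert suppression he argues for so that the same visit does not page the SOC every few seconds. The feed entries, proxy log lines and their format are all constructed for this illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed threat feed: domains an intel source has tagged as malicious.
THREAT_FEED = {"bad-updates.example", "fake-support.example"}

# Constructed web-proxy log lines: timestamp, user, destination host, path.
PROXY_LOG = """\
2024-05-01T09:00:01Z alice www.bad-updates.example /setup.exe
2024-05-01T09:00:05Z alice cdn.bad-updates.example /payload.bin
2024-05-01T09:02:10Z bob intranet.example /home
2024-05-01T09:03:30Z carol fake-support.example /your-pc-is-infected
2024-05-01T09:45:00Z alice www.bad-updates.example /again
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def feed_match(host, feed=THREAT_FEED):
    """Return the feed entry matching host or any parent domain, else None.
    The bare TLD is never tested, so 'example' alone cannot match."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None

def correlate(log_text, feed=THREAT_FEED, suppress=timedelta(minutes=30)):
    """Emit one alert per (user, feed entry) within each suppression window.
    Repeat hits inside the window are dropped to limit alert volume."""
    last_alert = {}
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the rule
        ts_str, user, host, path = m.groups()
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        hit = feed_match(host, feed)
        if hit is None:
            continue
        key = (user, hit)
        if key in last_alert and ts - last_alert[key] < suppress:
            continue  # already alerted on this user/domain recently
        last_alert[key] = ts
        alerts.append({"time": ts_str, "user": user, "host": host, "feed_entry": hit})
    return alerts
```

Running `correlate(PROXY_LOG)` on the sample yields three alerts: alice's first visit, carol's visit, and alice again 45 minutes later, while alice's second request four seconds after the first is suppressed.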