Incident Management Processes


Time: 14 hours 39 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
We understand the need for incident response. We understand the roles and responsibilities. Now, we're going to go ahead and get into incident management and the way the process flows. Now this next section is going to come to us from CMU and SEI, from a document called Defining the Incident Management Processes. This is referenced in the ISACA study guide for CISM, year 2015; it's also referenced in 2016 as well. The page number I have matches the 2015 edition. But the bottom line with incident management, incident response, is there are different frameworks, there are different approaches, so this is the first one we're going to look at.

Again, with incident management, all those elements that are necessary to properly respond to an incident and minimize the impact on the business. Based on this strategy, we have five steps: prepare, protect, detect, triage, and respond.

If we look at these steps, when we look at preparation, we know how very important preparation is. This is the coordination of the planning and the design phase. We start out with planning, just getting a feel for things. What are our requirements and what is the scope of our plan? We've got to get funding from senior management and develop the implementation plan. Basically, what we're defining is: what should the plan do? What should the plan be? How are we going to ensure that the plan is going to work? We're in the planning stage. Senior management has to have the final sign-off because they are ultimately responsible. Here where it says get funding and sponsorship, again, that has to come from senior management. Now we're also going to document how we're going to coordinate implementation of the plan, so we're going to have our policies and procedures in place. We're also going to determine what the criteria are for labeling something an incident. At what point in time do we implement the incident response plan, or at what point in time do we simply respond with risk mitigation strategies? Because an incident really is a step up from just a realized risk, quite frequently. We'll define the criticality; we mentioned a document called the BIA, the business impact assessment. The BIA's job is to define elements based on criticality, so that we know, when we have to restore processes, the order in which to focus our efforts. What are our lessons learned going to look at? We accomplish that process of collecting lessons learned in a postmortem, making sure that that happens. Then ultimately, making sure that there's a process and procedure for change management, because in the event of an incident, after recovery, we need to make some changes so that we're not compromised again.

Now from preparation, we go to protection. Protection is where we're going to secure critical data. Ultimately, the protection piece is: let's be proactive. We're going to secure our information, we're going to put mechanisms in place, and again, this goes hand in hand with risk management. Ultimately, what we're going to do is put deterrence strategies in place like login banners. We are going to train our employees, we are going to review what we have in place and consider it for improvement on a regular basis. All those things that are necessary preemptively, proactively, to protect our environment: to review and ensure that the mechanisms we put in place last year are still effective today, and vulnerability assessments, pen-tests. We're going to go back and look at postmortems from other incidents, and we're going to fix the problems that we found.

That is going to lead into making sure that we're prepared to detect incidents, and like I said, we need clearly defined criteria of what is an incident. Violation analysis is always an important step where we step back and say, is this really an incident, or was it an accident that isn't nearly as large a scale as we would think it is? Is it malicious? Is it not malicious? How do I even know if an incident is going to happen or has happened? Well, we have tools like honeypots, intrusion detection, intrusion prevention systems. We look at network traffic, we look at our logs, and we look at our logs on a regular basis as opposed to just waiting till an incident has happened. We want to be proactive with our logs, but we also, in the event of a compromise, want to have reactive mechanisms in place so that we can detect the intrusion, and then we move right into our next step, which is triage.

We've detected an incident; let's get our grip, let's get our bearings. With triage, we're looking to categorize, correlate, prioritize, and assign. Triage is about prioritization. If you've ever been to a hospital in the ER, there's a nurse that comes out, and it's not just first-come, first-served; they want to treat the most critically injured patients, so that's triage. With incident response, we're going to categorize events: is this a denial of service? Is it a malicious user? Is it some other disruption? Then we're going to try to correlate that with other relevant information. Do we have logs that indicate that perhaps this was a potential event that was coming? Do we have a previous incident response report, whatever? In the larger picture, what other information supports us in evaluating the situation? Then, like we said, prioritize, so we direct our efforts to the most critical aspects first, and then that gets assigned to individuals on the incident response team. It could be the entire team, could be a specific branch, but the official assignment. I am always going to call it the incident response team; that's how I've been trained, that's the term that we've used. You'll see incident management team throughout as well.

Then the last piece, we've got to respond. We've got to take those steps to mitigate the incident. We have technical responses that we're going to put in place. We may segment the impacted system, put patches in place, run anti-malware, those things that we do from a technical perspective. Management has responses and obligations: they're going to bring in their intervention, they're going to be responsible for how we notify stakeholders. Business and senior managers may be involved for important decision-making aspects. We're also going to have our legal response. Because like we said, many times an incident could compromise our ability to maintain legal compliance, so we're going to have a legal response that's going to help with that, but then they're also going to be able to advise us if we're going to move into an investigation to perhaps collect evidence to report to law enforcement. Then ultimately, these stages come together to provide us with a comprehensive plan for mitigating incidents.