Domain 7 Overview and Incident Response
Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
00:00
Folks, we have made it to Domain 7, which is pretty awesome considering we only have eight domains to get through, so the end is near. Hang in there just a bit longer. Now, Domain 7 is a focus on security operations. The main topics we're going to cover in this chapter: we're going to look at incident response, which sometimes can lead into the need to conduct forensic investigations. Then we're also going to talk about redundancy and how we accomplish redundancy across the many areas in our environment. Then last but not least, we'll talk about business continuity and disaster recovery, or what I like to call, when bad things happen to good network administrators.

Our very first section, we're going to start to look at incident response. We're going to discuss what we shouldn't have to discuss, which is the need for incident response. Incident preparation and incident management should just be obvious today, why we need those elements, but we still find ourselves having to sell the needs to senior management. Then we also want to talk about what our role will be in incident response as CISSPs.

Now, when we talk about incidents, let's make sure that we have a couple of terms down. The first term we want is an event. An event is simply a measurable change in state. DNS server started, DNS server stopped, that's an event. Now, once an event or collection of events has a negative impact on our system, then it becomes an incident. An incident doesn't have to be malicious, but it is negative in nature. Of course, what we have to do is plan for and be ready to address when an incident does materialize. Then sometimes, as I mentioned before, as we're conducting incident response, it becomes apparent or at least possible that there's been some criminal activity. We may very quickly need to move from incident response into conducting forensic investigations.

Now, our argument simply needs to be that incident response delivers value to the business. We're going to minimize the amount of downtime, the systems impacted, dollars lost. It's much cheaper to prepare and effectively manage an incident than it is to suffer the losses. We see this time after time, week after week; we see all of the organizations, the government agencies, the various elements of infrastructure being targeted in these attacks, and how well we're able to move forward depends on our incident response. We're at the point where we see so many of these attacks on a day-to-day, week-by-week basis that you would think we don't have to beg senior management for support. But we still have to go to them with specific tie-ins to business objectives in order to get that funding, in order to get their involvement in the incident management program.

Now, our responsibilities as CISSPs: we're not going to be on the incident response team per se. By that, I mean we're not going to be carrying out the incident response. We're going to be responsible for doing research, conducting risk assessments, determining what the needs are for incident response, what our capabilities need to be; we're going to be responsible for developing policies and procedures, making sure that our incident response is adequate. So we're really going to oversee the incident response program, but we're not going to be the ones carrying out the procedures. I want to stress that because most of the time on this exam, specifically with incident response, you're not going to want to jump in and get your hands dirty. That's not our role. Remember, we've got to think like a manager. If the exam tells me I've come across the server room with the door broken down and there's obviously been vandalism, I'm not going to go into that server room dusting for fingerprints like I'm Scooby-Doo or something. I'm going to make sure that the appropriate team is called, and I'm going to make sure procedures are followed. Those are our responsibilities: we're overseeing the incident management program, but we're not in that hands-on element, like the rest of the exam.

Now, one big piece that we are responsible for is making sure that planning is in place. Making sure that we have the proper policies, procedures, standards, guidelines in order to effectively respond to an incident, with our focus on minimizing the impact on the business. Now, we also need to make sure that we have our key experts in place to advise us. Many times, we may stumble across an incident caused by an internal employee. Having our legal team, our HR team, senior management involved in writing policy so that we make sure we're not violating the rights of our employees, not infringing upon their privacy unduly: we really need to make sure that we have guidance in that area. We shouldn't just be pulling policy off the cuff. Never should we be doing that. But here specifically, where we may have to analyze the workstation of a particular employee, we need to make sure that that's handled properly. Also, if it would shift to a forensic investigation, that the processes we take will ensure that digital evidence remains intact.

Now, our job also is to make sure that we have a dedicated computer incident response team, not necessarily dedicated meaning they can't have other roles in the organization, but that we have a well-defined set of people assigned to the incident response team. We also may want to make sure other information is available, like phone numbers for local law enforcement or forensic experts, and escalation procedures should we find that the incident is larger than originally anticipated. So that goes to the CISSP.

When we're talking about incident management, it's much bigger than just response. First, we have to prepare, which we've talked about. Then I have to be able to detect an incident, so that comes from the last chapter with our intrusion detection systems and our scans and assessments. Then we respond, which is all about minimizing the impact on the business. We mitigate so that we can lessen or stop the bleeding, so to speak. We report to the appropriate authorities, whether that's internal or external; we recover those systems that had been compromised; we bring those systems back into full remediation and functionality; and then we document our lessons learned. These steps have to be in place in order to properly respond to incidents, and it's our responsibility as CISSPs to lead this process.

We have covered the roles in incident management, specifically from our perspective as a CISSP, and we've also talked about the various elements that are necessary in an incident management process.