Incident Response Management

Time
7 hours 15 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
>> Hi there and welcome to our next lesson, incident response management. In this lesson, we'll be covering incident response management and what's involved, the different incident management roles that would exist, and a few examples of incidents, so let's begin.

Incident response management's basic main aim is to minimize the damage from security incidents. Security incidents will happen even with the best of security and best of all audits, best of everything. It's just a fact of modern life unfortunately, and the key of incident response management is to recover and learn from those incidents and hopefully prevent it from happening again or at the very least strengthen the security and the areas that need strengthening. It's basically a formal structure that's in process, procedure, and also personnel.

There are a number of phases with incident response management. First stop, it starts with planning and preparation. This is defining things like what the policy and procedure is, support from senior management for this policy and procedure, and assigning roles and areas of responsibility. Next, we need to look at basically detection of incidents. Once the policy and procedures are in place, how are we actually going to detect if an incident occurs? There's a couple of answers to this, and it basically is a mixture of technical and procedural controls. It could be something that is included in the security awareness training for example, and it could also be a definition which is implemented in your IPS or IDS controls. Next is the initiation, so this should also be covered in the planning and preparation. How's an incident actually initiated? What defines an incident, and what is determining what is actually an incident in the context of the organization? Next also is the recording. It's very important that every step of the incident is recorded so it can go into the lessons learned plan. Once the incident has been initiated there's the evaluation phase, so we need to actually understand what the incident is and the ramifications and also the impact it has on the organization. Where possible there's a desire to contain the incident. If for example it is a network intrusion, it would be desirable to limit the access of the attacker to just a small segment of the network for example, or else it could be eradication, so if there's an attacker within the network is there an ability to terminate their access entirely? Throughout this, there also needs to be points of escalation. This could be in terms of escalation through to senior management for further guidance, or advice, or even escalation out to law enforcement if appropriate.

In terms of the response to incidents, there is the initial response, which is the actual actions which are taking place while the incident is occurring. The next phase is the recovery phase, and so there needs to be planning in terms of how the organization is going to recover from the incident. This could involve technical and procedural controls, and it could also involve personnel, public relations for example if the media needs to be informed about what is occurring within the organization. Next is the closure: a formal definition that this incident has now ended, and then on to the reporting phase. That's basically where the lessons activities can begin, and so that leads into the post incident review and then into the lessons learned.

There are a number of roles within incident management and these can vary from organization to organization, but you generally need somebody to coordinate and liaise with the various stakeholders involved. Given the fact that you need to plan your incident response for any number of incidents, there needs to be an organization-wide focus for this coordinator or liaison. There also needs to be somebody who is ultimately in charge, somebody who can direct the various resources and also engage with senior management. Incident manager, so somebody who is actually on the shop floor basically operating and dealing with the day-to-day needs of the incident. A security specialist who can be brought in for advice and guidance, and any subject matter experts that may relate to the specific area impacted by the incident, and business unit liaison. This can be bringing in HR, legal, public relations, whatever resources are needed to manage the incident.

Incident examples can vary. Basically it's defined specifically for an organization, but commonly you'll have technical incidents such as virus outbreaks or web defacement, but you could also have reputational damages such as defamatory information in the media, or you could even have physical breaches of your organization. These can all vary and need to be properly defined in the policy and procedure.

That's incident management. We've talked a little bit about incident response management and the different phases, the different incident management roles that you're likely to encounter within an organization or at the very least need to be properly defined in the policy, and a few examples of different incidents that could commonly affect organizations. I hope you enjoyed this lesson, and I will see you at the next one.