Incident Response Team Models

00:00

Hello. My name's David.

00:02

And welcome to pre incident response.

00:06

We have just finished. I'm talking about incident response somewhere on hardware in the episode prior to that one in which we reviewed. But what you will need carry along with you to the site of a customer breach your incident

00:24

and also something that you may need afterwards.

00:28

Now we're gonna move out of those areas and start talking about

00:33

the human members off the team,

00:37

uh, that you will be dealing with, which can bring,

00:41

but good times and bad, just based on the human element. But it's imperative,

00:47

uh, that we give some consideration to this as we talk about the incident response process. Because your team members they're the crux of the team and identifying who they are providing for them in the right way is vital. Just like, um,

01:03

dealing with an army, you've got to treat people right. You've got to give him a proper training and tools. I allow them to do their job. So,

01:12

um,

01:15

he more k something I'm a little bit familiar with. That's me there in the upper left of the screen, pushing on a giant log with some other members of SWAT team. That was What's a number off? So, yeah, we work together as a team that's carried on since I've retired into the incident response

01:34

feel.

01:34

So

01:37

let's not drag our feet. Let's jump right in here. So what are some best practices for creating? A see certain Now

01:46

these teams are called all kinds of things, everything from Ceasar to search Thio i r Thio Cyber Security Team. I don't care what you call it, and I don't want us to get caught up in acronyms when it comes to the team, because that's not the important part I've seen.

02:04

I grew up in a church. You know, when you hear the story with you, please don't get offended at

02:08

because it kind of illustrates the ridiculousness of some people wearing their ideas.

02:15

But, um, I saw as a young child growing up more church fights over the collar of choir roads

02:23

than anything else

02:27

at a time.

02:29

One certain group of choir members, with one going another certain group of love that the Congregation of the Church would want Jell O, and there would be huge fights and slanders a in all kinds of things, and that's what you need to avoid

02:46

that kind of decision and our invitation hurts rather than help. So don't bring that kind of

02:53

thinking into your team because you're a team player. It's not all about you. It's about the team. It's about company. It's about protecting the data that is assigned. So there are a lot of different ways a lot of different theories and practices for

03:07

creating on I Incident response team

03:10

the number one and you'll hear me say this again and again here. Eyes management's important. Buy it if you don't have managed with support and funding. It's a lost cause from the very beginning, and that was just a sad reality. Um,

03:25

failure to obtain that and highlight its importance at that upper chain of command is just going to set you up for failure in the real world and also in the funding world, and you're not gonna be able to do your jobs properly. So you need some people who can deal with the upper management,

03:46

the sea level, where executive level

03:47

branch of the business, in order to get you those things, then you need to develop a plan. Um

03:54

I can't harp on the planning enough. You need to gather the information from your environment to prepare for your tools but harbor software and also training for your team.

04:05

I have a vision for your dean

04:08

that's extremely important, eh? So that your team members know what they're doing, how they're going to do it. But their day to day jobs are. Have the operational plan in the vision and communicated out, then implement those kinds of things air pretty simple.

04:26

But oftentimes they're either dumb Boulder mixed around, skipped over, and that leads to difficulties down the road.

04:33

Now there are a lot of different team models, depending upon which program you choose to follow. I've closed out some of the ones that I've actually seen out there in the Wild Wild West.

04:46

The first is the Central Incident Response Team. It's a single team, handles incidents throughout the organization of all shapes and sizes works typically most effectively for small businesses,

05:00

whether it's in small, as in the number of personnel that worked for them or small as in their geographic,

05:06

Mr Duchin

05:08

has businesses grow

05:11

ah, and add people and add locations.

05:15

A central incident response team is gonna be hampered in their ability to adequately provide incident response just due to the size of the organization as it grows.

05:28

Now think of a pyramid turned over on its head. Ah, lot of times that's inverted and a business will start with the Central Incident Response Team

05:38

and

05:39

failed to grow that team as the business grows. Because, of course, you're upper management are just looking at the bottom line. We're looking at the dollar signs looking that funding and the Incident Response team isn't considered important in day to day operations. In fact, it's often for cotton

05:57

until an incident happens, and then suddenly everybody knows your name.

06:00

So keep that in mind. If you

06:04

have a central Incident response team and it's working well, now it may change is the business grows and the team needs to grow and change with the business.

06:15

The 2nd 1 is the distributed spots teams. This is where you have multiple teams that are responsible,

06:25

um, four individual segments of the network or even individual business locations. So as your business grows and expands and and locations on the map, you may be deciding that you want smaller teams spread out in these different locations in order provide quicker

06:43

and more effective incident response

06:46

for your business.

06:47

Pretty good idea. Um,

06:49

the team should be considered part of a single coordinated entity and have the same duties and command stock.

06:58

They shouldn't be allowed to start thinking of themselves a standalone teams. Now there's always room for a good, healthy competition, and that should be encouraged. However, you don't want one team to become the team on to become the funding source, and,

07:15

uh, the orders of the team where they have all the equipment at their location were you drop in an idea in there that can create problems for an instant response effort so you can easily move away from that incident. Managers should

07:33

have an active role in that to ensure that these teams are properly set up identified, and structure

07:42

team that I worked with in the past was distributed team. Of course, we were in MSs piece that are key members were all over, spread out across the geographic us. But once or twice a year, the entire team would get together

07:59

team building exercises, personal interactions, and it helped create a spirit of camaraderie that is necessary. Needed

08:07

just an idea for you to take home. Put your back pocket. Now. Then there's just one called a coordinating team, which is the incident response team is small, but they provided by still other teams

08:20

without actually having any authority over his own teams.

08:26

Um, this can excuse me.

08:28

Be both good and bad.

08:31

Do you have to have the other teams, uh, after basically be told

08:37

the I R team is here to help? They're not here to hinder. They're not here to cast suspicion or take your jobs away. One of the most frustrating things that I've seen since I came out of law enforcement into the private industry and even saw it on enforcement

08:52

is this vast gulf that exists between security and the rest of I T. It's almost as if the rest of my teeth ache security. Is there a particular job? And they cut them out and put them in a room in the basement with no windows and only one light ball. And don't give them any money, and that just leads to disaster.

09:11

So you're gonna have a coordinating team,

09:15

make sure that it you have good leaders that can govern a watch over the team and that they are practicing good incident response techniques across your industry vector and with your employees. It's now different ways to staff it quickly. You can use internal employees where you're using your own

09:33

people to do us a response work. You could partially outsource it or fully outsource it, depending on how it goes on what your funding is. Um, you'd have their pluses and minuses to bring to the table. Um,

09:48

so keep that in mind.

09:50

Now

09:52

again, crop here, identify your own organizations needs in order to select the right team model U 24 hour coverage Wide Geographic responses recommendation. You want four part time members on Morales? Important burnout can occur.

10:07

Ah, and you need to be able to address that quickly and rapidly. That does happen.

10:13

And again, cost is a huge factor. Is selecting the right team model because, unfortunately, you can't foresee everything, so some unexpected costs could arise that you have your wit and finally expertise. Incident response requires knowledge and skills and training

10:31

Barbie on typical ID. He helped us person,