Time: 7 hours 36 minutes
Difficulty: Advanced
CEU/CPE: 7

Video Description

This lesson covers considerations for outsourcing an incident response team:
· Current and future quality of work
· Division of responsibilities
· Sensitive information revealed to contractor
· Lack of organization specific knowledge
· Lack of correlation
· Handling of incidents at multiple locations
· Maintaining incident response skills in house

Video Transcription

00:04
some of the gun. We're gonna talk about outsourcing considerations. So one of the first considerations to look at is the current and future quality of work
00:13
performed by these teams. So organizations should consider not only the current quality at the breadth and depth of the outsourcer's work, but also efforts to ensure the quality of future work
00:25
for example, minimizing turnover and burnout, providing a solid training program for new employees.
00:32
Organizations should think about how they could objectively assess the quality of the outsourcer's work.
00:38
So again it's kind of similar to if you're going to want to look at your
00:43
internal incident response team, you would also want to look at a way of how you can evaluate that outside team or that outside source to know if you're getting your money's worth,
00:55
So you also want to look at the division of responsibilities. So organizations are often unwilling to give an outsourcer authority to make operational decisions for the environment. You see that a lot with the United States government: government employees have the ability to essentially make decisions and
01:15
contract with the government, and then you have the government contractors who essentially
01:19
do the work as is required in contracting but can't really make any decisions or commit the government
01:26
to certain actions of spending money.
01:30
In this example, it could be essentially disconnecting a web server. So it's really important to document what type of responsibilities that you want to have outside organizations to do and to have certain types of decision points to allow them
01:49
the ability to know when they should or could
01:52
take certain actions. For example, one partially outsourced model addresses this issue by having the outsourcer provide incident data to the organization's internal team, along with recommendations for further handling of the incident.
02:07
Then the internal team ultimately makes the operational decisions, while the outsourcer can continue to provide the support as needed.
02:16
Another consideration that you might have is sensitive information revealed to the contractor,
02:23
so dividing incident response responsibilities and restricting access to sensitive information could limit this. For example, a contractor may determine what user ID was used in an incident, so, for example, the user ID 123456,
02:42
but not know what person is associated with the user ID.
02:46
So employees can then take over the investigation.
02:50
Non-disclosure agreements are one possible option for protecting the disclosure of sensitive information,
02:55
but it's likely in your organization you may have essentially compartments, where not everyone in the organization even knows what other departments are doing, so that's very common. But you just want to be able to have a way to work with or work through some of those considerations if you do have
03:15
or do work with a lot of sensitive information.
03:19
Some other outsourcing considerations are the lack of organization-specific knowledge, so accurate analysis and prioritization of incidents are dependent on specific knowledge of the organization's environment.
03:31
So the organization should provide the outsourcer regularly updated documents that define what incidents it is concerned about, which resources are critical, and what the level of response should be under various circumstances. The organization should also report all changes and updates made to its IT infrastructure,
03:52
network configuration, and systems to that outside contractor.
03:54
Otherwise, the contractor has to make the best guess how each incident should be handled, inevitably leading to a mishandled incident and frustration on both sides. So communication is going to be very key doing this. If you've ever responded to an incident, particularly even within your own organization,
04:15
oftentimes you may have a diagram of your server room
04:19
or IT room, and even within your own organization, it's not up to date.
04:26
Ideally, you would be able to figure out how that works. But if you're outside, going into the organization, that's even harder. So it's important to have good communication between your contractors. So lack of organization-specific knowledge can also be a problem when incident response is not outsourced,
04:46
if communications are weak among teams or the organization simply does not collect the necessary information.
04:53
The next consideration is going to be a lack of correlation. So correlation among multiple data sources is going to be very important.
05:00
If your intrusion detection system records an attempted attack against a web server, but the outsourcer has no access to the server's log, it may be unable to determine whether the attack was successful. So to be efficient, the outsourcer will require administrative privileges to critical systems
05:18
and security device logs remotely over a secure channel.
05:21
This will increase your admin cost, and it will probably introduce additional access entry points and increase the risk of unauthorized disclosure of sensitive information. So those were just some things to be aware of. So oftentimes, if you're trying to provide that extra information to the outsourcer,
05:41
you may be opening yourself up to
05:44
additional kind of vulnerabilities.
05:48
So the next consideration is going to be handling incidents at multiple locations. So as we talked about earlier, a lot of large enterprises are spread out across the United States, or globally, so effective incident response work often requires physical presence at the organization's facilities.
06:08
So if the outsourcer is offsite, consider where the outsourcer is located,
06:14
how quickly it can respond to that incident or have an incident response team at that facility, and how much that will cost.
06:21
So consider on-site visits. Perhaps there are certain facilities or areas where the outsourcer should not be permitted to work as well. So again, if you've got one of those
06:31
secure facilities or are working in a government SCIF, you may not want to have that outsourcer, or that outsourcer may not be permitted to work in that area due to security constraints.
06:45
And then the next consideration is maintaining incident response skills in house. So organizations that completely outsource incident response should strive to maintain basic incident response skills inside, and situations may arise in which the outsourcer is unavailable,
07:02
which could be, maybe you have a contract dispute
07:06
or they go out of business. So the organization should be prepared to perform all of its own incident handling, or at least have someone there who's knowledgeable about incident handling. And that also goes kind of hand in hand with being able to evaluate that outsourcing. As long as you have someone within the organization, you have some knowledge
07:26
of incident response.
07:28
You are protecting yourself.

Up Next

Incident Response and Advanced Forensics

In this course, you will gain an introduction to Incident Response, learn how to develop three important protection plans, perform advanced forensics on the incident, deep dive into insider and malware threats, and commence incident recovery.

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor