In this video, we're gonna go over post incident activities and ways to use data collected to improve future response to incidents.
One of most important parts of incident response is the lessons learned meeting. It's an opportunity to improve the way things are handled in the future.
You got to start out by reviewing timelines of the incident: what happened, when, and even some of the actions, who performed which actions. It's important you ask blameless questions. The point of this meeting isn't to figure out who went wrong where, but the focus is on: what could we have done better?
What are the procedures that we followed? And should those procedures be adjusted?
How is information sharing internally and with the cloud provider? Were there any gaps or delays in sharing that could have improved speed of isolation or remediating the incident?
Other questions: is there anything we can do to preemptively prevent or detect similar incidents in the future? Do we have adequate tools to get the needed visibility, re-evaluating some of those preparation activities that you did? And when you get done with your lessons learned, you're gonna produce a report, at least for those lessons associated with major incidents.
The report produced by your lessons learned is gonna feed into how you use this data and information collected.
Overall, you can have some incident metrics such as the number of incidents handled, say on a weekly basis. Just keep in mind that the number going up is not necessarily better. As you have more and more preventive measures in place, the number of incidents that arise should actually level off, if not decline.
Another important metric is the time per incident. In general, it's fair to say that less is better.
However, you want to make sure that the number of incidents is not growing at the same time, because having a quick resolution to incidents but then a high number of incidents means maybe you're not addressing the root cause that's creating these incidents in the first place.
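As an added example (not from the video), this script computes the two metrics just described, weekly incident count and mean time per incident, over a constructed set of incident records, and flags the pattern the speaker warns about: time per incident dropping while the count climbs. It also lists incident categories that repeat, since those are the candidates for root-cause work. All ticket ids, timestamps and categories are made up.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not real data):
# (ticket id, detected at, resolved at, category)
INCIDENTS = [
    ("INC-001", "2024-03-04T09:00", "2024-03-04T21:00", "phishing"),
    ("INC-002", "2024-03-06T14:00", "2024-03-07T02:00", "misconfig"),
    ("INC-003", "2024-03-11T08:00", "2024-03-11T12:00", "phishing"),
    ("INC-004", "2024-03-12T10:00", "2024-03-12T13:00", "phishing"),
    ("INC-005", "2024-03-13T16:00", "2024-03-13T18:00", "phishing"),
    ("INC-006", "2024-03-14T11:00", "2024-03-14T14:00", "malware"),
]


def parse(ts):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(ts)


def week_of(dt):
    """ISO week label such as '2024-W10', so incidents group by calendar week."""
    year, week, _ = dt.isocalendar()
    return f"{year}-W{week:02d}"


def weekly_metrics(incidents):
    """Return {week: {"count": n, "mean_hours": h}} ordered by week.

    'count' is the number of incidents detected that week; 'mean_hours' is
    the mean time from detection to resolution for those incidents.
    """
    buckets = defaultdict(list)
    for _, opened, closed, _ in incidents:
        hours = (parse(closed) - parse(opened)).total_seconds() / 3600
        buckets[week_of(parse(opened))].append(hours)
    return {
        wk: {"count": len(hours), "mean_hours": round(mean(hours), 1)}
        for wk, hours in sorted(buckets.items())
    }


def flag_suspicious_trend(metrics):
    """Weeks where time-per-incident fell but the incident count rose
    compared with the previous week: fast closes may be masking an
    unaddressed root cause."""
    weeks = list(metrics.items())
    flagged = []
    for (_, prev), (wk, cur) in zip(weeks, weeks[1:]):
        if cur["mean_hours"] < prev["mean_hours"] and cur["count"] > prev["count"]:
            flagged.append(wk)
    return flagged


def repeat_categories(incidents):
    """Categories seen more than once: 'same as past incidents?' candidates."""
    counts = defaultdict(int)
    for *_, category in incidents:
        counts[category] += 1
    return sorted(c for c, n in counts.items() if n > 1)


if __name__ == "__main__":
    metrics = weekly_metrics(INCIDENTS)
    for wk, m in metrics.items():
        print(f"{wk}: {m['count']} incidents, {m['mean_hours']} h mean")
    print("weeks to question:", flag_suspicious_trend(metrics))
    print("repeating categories:", repeat_categories(INCIDENTS))
```

On the sample data the second week closes incidents four times faster than the first, which looks like an improvement until you see the count doubled and that every one of them is the same category; that is exactly the case where the lessons learned meeting should ask about root cause rather than celebrate the faster resolution.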
When you're assessing the incidents, take a look at it both from an objective and subjective perspective. Was there damage before the incident was detected? Was this the same as past incidents? If so, what can we do to prevent it from continuing to happen? And on the more subjective note, does the owner of the attacked resource feel it was a good and timely outcome?
You'll also want to retain forensics and evidence in the event they're needed for future prosecution.
This is a quick video on post incident activities. We described the lessons learned meeting, and then ways to use collected data and to examine your lessons learned reports to ensure you are continually improving your methods of incident response.