how to build a successful incident response program

Building an Incident Response Program IR In 3 Easy Steps

Upload: co3-systems

Post on 18-Nov-2014


Category:

Business



DESCRIPTION

Building an incident response program can be a cumbersome task when done manually. From identifying incident types and severity to creating a response plan for each incident type, Co3 provides an easy-to-use, customizable solution for quickly assessing, responding to, and driving incidents to closure. Co3 customer USA Funds manages incidents in one tenth of the time that it took previously. This webinar will guide security practitioners through the process of creating a basic incident response process using Co3's Security Incident Response module. Based on a list of accumulated best practices, this webinar will give team members a good start on creating a successful incident response program to use at their organization.

Our featured speakers for this timely webinar will be:

• Ted Julian, Chief Marketing Officer, Co3 Systems

• Tim Armstrong, Security Incident Response Specialist, Co3 Systems

TRANSCRIPT

Page 1: How to Build a Successful Incident Response Program

Building an Incident Response Program

IR In 3 Easy Steps

Page 2

Agenda

• Introductions

• Today’s Breach Reality

• IR in 3 Easy Steps
  • Assemble The Team
  • Prepare The Plan
  • Practice And Improve

Page 3

Introductions: Today’s Speakers

• Ted Julian, Chief Marketing Officer, Co3 Systems

• Tim Armstrong, Security Incident Response Specialist, Co3 Systems

Page 4

Co3 Systems at a glance

From privacy breaches, to malware outbreaks, to system intrusions, to DDoS attacks — Co3 automates incident response.

Based on a knowledge-base of incident response best practices, industry standard frameworks, and regulatory requirements, Co3 makes incident response efficient, compliant, and best-of-breed.

Page 5

The complete process – based on E.R. standards

PREPARE: Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (fire drills / tabletops)

ASSESS: Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries

MANAGE: Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence

MITIGATE: Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization

Page 6

Today’s Breach Reality

Data breaches are on the rise and organizations are unprepared to detect or resolve them:

• Data breaches have increased in both severity (54 percent) and frequency (52 percent) in the past 24 months

• “…organizations are facing a growing flood of increasingly malicious data breaches, and they don’t have the tools, staff or resources to discover and resolve them” – THE PONEMON INSTITUTE [1]

1 “The Post Breach Boom” – The Ponemon Institute, February 2013

Page 7

Today’s Breach Reality

“If you are going to invest in one thing, it should be incident response” – GARTNER [2]

“You can’t afford ineffective incident response” – FORRESTER RESEARCH [3]

“Only 20% of respondents rate their IR program as being ‘very effective’” [1]

“Top spending priorities are training and automation tools” – 2013 INCIDENT RESPONSE SURVEY, iSMG [1]

1 “The Need For Speed: 2013 IR Survey” – Information Security Media Group, August 2013

2 Gartner Security Summit, Keynote Address – June 2013

3 “Seven Habits of Highly Effective Incident Response Teams” – April 2013

Page 8

Addressing Today’s Breach Reality

• Having an incident response capability is no longer optional

• Being prepared means having a “when” not an “if” strategy

Fortunately, bolstering IR isn’t hard

IR in 3 Easy Steps:
• Assemble The Team
• Prepare The Plan
• Practice And Improve

Page 9

STEP 1: ASSEMBLE THE TEAM

Page 10

Identify Team Members

• CEO, CISO, and other senior management
• Public Relations and General Counsel
• Help Desk
• Developers
• Change Control
• HR
• Law enforcement
• Maybe more…

Page 11

Collaboration

Page 12

Get Buy-in

• Education
  • Educate yourself

• Show Value
  • What would it cost if we didn’t react quickly?

• Show repercussions
  • Fines
  • Bad PR
  • Loss of revenue

Page 13

Get Buy-in

Page 14

POLL: Our incident response process is:

Page 15

STEP 2: PREPARE THE PLAN

Page 16

Identify Incident Types and Severity

• Event types:
  • Malware
  • Phishing
  • DoS/DDoS
  • Lost/stolen equipment/media
  • Lost/stolen documents
  • Improper disposal
  • System intrusions
  • Communication errors

Page 17

Identify Incident Types and Severity

Page 18

Create Response Plans

• One for each individual type of event

• Possibly multiple types for each event

Page 19

Define Required Documentation for Incidents

Page 20

Define Required Documentation for Incidents

Page 21

POLL: We plan to improve our incident response capability by:

Page 22

STEP 3: PRACTICE AND IMPROVE

Page 23

Practice Your Plan

• Simulations
  • What if this happened to us?
  • Case studies

• Fire drills
  • What would we do if this happened to us?

Page 24

Practice Your Plan

Page 25

Practice Your Plan

Page 26

Lessons Learned

• Hire more people:
  • Analysts, legal, forensics, etc.

• Enhance preventative measures:
  • New hardware, software, tools, etc.

• Invest in user awareness and training:
  • Phishing, scams, malware recognition
  • Social engineering

• Review of process:
  • Credit monitoring services?
  • Letter fulfilment?

Page 27

QUESTIONS

Page 28

One Alewife Center, Suite 450, Cambridge, MA 02140 – PHONE 617.206.3900

WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” – PC MAGAZINE, EDITORS’ CHOICE

“Co3…defines what software packages for privacy look like.” – GARTNER

“Platform is comprehensive, user friendly, and very well designed.” – PONEMON INSTITUTE

“One of the hottest products at RSA…” – NETWORK WORLD, FEBRUARY 2013