IM Processes: Prepare, Sustain, and Improve
TRANSCRIPT
Table of Contents
Notices
Incident Management Processes: Prepare/Sustain/Improve
Incident Response Starts Before an Incident Occurs
Mission of the Prepare Process
The Prepare/Sustain/Improve Process
Who Is Involved in the Prepare/Sustain/Improve Process?
Best Practices
Sample Communications Plan
Notices
Managing CSIRTs © 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.
Incident Management Processes: Prepare/Sustain/Improve
[Diagram: Incident Management Processes: Introduction, Prepare/Sustain/Improve, Protect Infrastructure, Detect Events, Triage Events, Respond]
**005 With incident management processes, there is a collection of subprocesses. The first one we're going to talk about is prepare-sustain-improve.
Incident Response Starts Before an Incident Occurs
**006 Just like building the fire company and starting the fire company before the first fire, incident response starts before that first incident occurs. This diagram shows all of the processes associated with incident management, and we're going to focus on the Prepare part, establishing an incident management capability and process. Security awareness training. Incident reporting guidelines and forms. Notification lists. Expertise matrix, and nondisclosure for people who are involved in an event that has certain characteristics. Incident handling tools. An incident tracking system. The original media and backups in case you have to rebuild the system, and response policies and procedures. All of these need to be dealt with before you even begin to deal with incidents.
Mission of the Prepare Process
• To create an incident management capability that supports the mission and goals of the constituency
• To improve and/or sustain an existing incident management capability that supports the mission and goals of the constituency
**007 It's important to know you're going with a prepared process. This slide talks about the mission, where you're trying to create an incident management capability that supports the mission and the goals of the constituency. Again, it is vitally important to support where the constituency is trying to go, and then also to improve and sustain an existing capability that also supports those mission and goals of the constituency.
The Prepare/Sustain/Improve Process
Contains a number of subprocesses:
• Coordinate Planning and Design
  - Identify CSIRT requirements
  - Establish CSIRT vision
  - Obtain Sponsorship and Funding for the CSIRT
  - Develop CSIRT Implementation Plan
• Coordinate Implementation
  - Develop CSIRT Policies, Procedures, and Plans
  - Establish CSIRT Incident Management Criteria
  - Deploy Defined CSIRT Resources
• Evaluate CSIRT Capability
  - Conduct Postmortem Review
  - Determine CSIRT Process Modifications
  - Implement CSIRT Process Modifications
**008 The prepare-sustain-improve process consists of these items. Coordinate the planning and the design of the incident management and CSIRT capability, which involves identifying the CSIRT requirements, establishing the vision, obtaining sponsors and funding, and it's really important to have a good quality stream of funding so that the CSIRT doesn't die prematurely. Developing a CSIRT implementation plan. Then once you've gotten to that point, you can coordinate the implementation, developing policies, procedures and plans, establishing the incident management criteria, and then deploying those resources. And finally, evaluating the CSIRT. Is it meeting the needs? Have the needs changed? What needs to change as a result of that? If processes and policies and procedures don't match what the constituency needs, don't hesitate to throw them out and start over again. That's simply the nature of this business. So these are the main points, the main subprocesses, within the Prepare phase.
Who Is Involved in the Prepare/Sustain/Improve Process?
This process may include a variety of different staff with different roles and responsibilities:
• development team (key stakeholders)
• senior managers, business owners/operators
• IT system and network operations staff
• administrative operational staff
• constituency representatives
• CSIRT staff
• other relevant parties, as appropriate
  - legal
  - human resources
  - public relations
  - law enforcement
  - external third-party providers (MSSPs)
  - subject matter experts
**009 Here's a list of people that are likely to be involved in this part of the process. You may have the development team, key stakeholders, senior management. It's always important to have that buy-in, especially from business owners and operators so they know what you're providing, what you're doing and what's going on-- no surprises. You're going to have to have buy-in from the IT system and the network operations staff who you'll work closely with to actually prepare and sustain and improve the network capabilities and the system capabilities used throughout the constituency.

You're going to have administrative operational staff who should be involved; representatives of the constituency. Again, no surprises. Everybody needs to be involved so they know what's going on. The CSIRT staff should be involved; they should all be involved. Other parties that need to be involved are the legal staff within the organization, HR, public relations, perhaps law enforcement, some external third parties like managed security service providers, and finally some subject matter experts that you may bring in under certain circumstances-- for example, malware analysis or forensics. All of these groups of people need to be involved in this process.
Best Practices
Performing incident management as efficiently and effectively as possible may require various decisions to be made ahead of time.
This can include determining if and when
• law enforcement will be involved
• forensics evidence will be collected
• systems can be isolated or shut down
It can also include identifying
• a communications plan
• points of contact with other internal and external groups
• secure communication mechanisms
• data classifications of materials handled
And having access to
• critical system inventory information
• network topologies
• network baselines
**010 When an incident comes along, the whole key is to recover from that incident as quickly as possible, because typically what's the case during an incident is the organization is not functioning in its full capacity and generating revenue at the level that it was used to generating it. So it's important to compress the time as much as is possible of an incident so as to continue the business at hand. So the way to deal with this is to have all of these things in place in advance so that you can, as efficiently, as effectively as possible, handle that incident. In some cases, you can make some of those decisions in advance. For example, are you going to include law enforcement? Are you going to include some forensic examiners who will need to be brought in to collect evidence, if you are in fact going to go in a direction of law enforcement.

What happens with systems that are affected? Are they isolated? Are they shut down? Are they turned off? Are they rebuilt? Someone needs to decide that in most cases, and that probably depends on a system-by-system basis based on the risk analysis of the importance of those systems to the business.

You also need to have a communications plan-- how you get information to people, who gets told, what they get told, etcetera, etcetera. Having points of contact within your organization and to external groups. Having a secure mechanism to communicate-- secure fax, secure telephone, encrypted email communications-- and then classification of the materials to be handled for the data. You also have to know what you're dealing with. What are the critical systems around the constituency? What are the most important? What are less important? What's the topology of the network? If someone broke into System A, it's on a different network from System B; it's less likely that they may be broken into, or more likely, depending on that. And also network baselines. Again, what's normal? You can't tell what's abnormal if you don't know what normal is.

So these things all help to efficiently and effectively deal with an incident, reducing downtime, reducing an update or an upheaval in the economy of the business, in the flow of financial capabilities.
Sample Communications Plan
Type of Activity | Organization and POC Information | Timeframe
Critical Incident (incident affecting critical service) | CIO Office; CIO POC; Contact Information | immediately
Critical Incident (incident affecting critical service) | Critical Service Business Owner; Business POC; Contact Information | immediately
Critical Incident (incident affecting critical service) | Helpdesk; Helpdesk Contact Info | within 1 hour
PII incident | Breach Notification Group; Contact Information | within 1 hour
PII incident | Data owner; POC; Contact Information | immediately
PII incident | Human Resources; Contact Information | within 24 hours
**011 Communicating to the appropriate parties is very important. So here's a sample communication plan to talk about the type of incidents, who should be notified, and some timeframes in which they could be notified. This is simply an exemplar, but the point is you need to decide, for each type of activity that your CSIRT is going to deal with, who needs to be notified and when they need to be notified, and then have this well known amongst your CSIRT staff and also well known among the constituency so that you are setting expectations. Set those expectations and then meet them.