Building an Incident Response Team

Presented by: Slade Griffin, Contextual Security Solutions

Abstract: This session will present Mr. Griffin’s observations made while working directly with utilities as they developed and built incident response processes and the teams to support them. Topics covered will include the architectural development of visibility into different types of networks using different technologies. Having the technology to gain visibility into your networks is less than half the battle; the next step is to properly tune down the “noise” so that you can determine whether an incident is actually happening.

Embedded on http://www.energysec.org

Usage Rights: © All Rights Reserved
    Presentation Transcript

    • Who should be on your IR team
    • About me
    • Agenda
      What’s the Incident Response Process (or Cycle)?
      Why have processes or procedures?
      Document walk-through
    • Incident Response Process (SANS)
      Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
    • Incident Response Process (NIST 800-61)
      Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-incident Activity
      Incident handling checklist; Recommendations
    • Incident Response (NRECA)
      Create Policy and Plan; Develop Procedures; Set External Communication Guidelines; Select Team Structure; Establish Internal and External Relationships; Determine Services; Training the team
    • Log example
      Dec 22 12:28:08 10.0.135.6 sshd[10926]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ds178-77-126-21.dedicated.hosteurope.de
      Dec 22 12:29:20 10.0.135.6 sshd[10926]: Accepted password for <$user> from 178.77.126.21 port 49154 ssh2
      Dec 22 12:29:38 10.0.135.6 sshd[10926]: pam_unix(sshd:session): session opened for user <$user> by (uid=0)
    • Requirements and Real Life
      I need a volunteer who doesn’t have an IR plan. (I know you’re in here somewhere)
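The log example on the slide shows the pattern an IR team most wants to pull out of sshd noise: an authentication failure followed, on the same connection, by an accepted password from a hosting-provider address. The following Python is an added example written for this page, not code from the presentation or from Contextual Security Solutions. It parses syslog-style sshd lines, keys on the sshd child PID (assumption: one OpenSSH child process per TCP connection, which is standard OpenSSH behaviour, and which is why the failure line and the Accepted line on the slide share sshd[10926] even though one names the peer by reverse-DNS hostname and the other by IP), and raises an alert only when one or more failures precede a success within a time window. The sample log is constructed: it reproduces the slide's three lines with the redacted <$user> replaced by the assumed name "alice", and adds two noise lines (an internal failure with no later success, and a clean key-based login by an assumed user "bob") that the rule must not flag. The year is also an assumption, since syslog timestamps do not carry one.

```python
"""Correlate sshd authentication failures with a later successful login on the
same connection (same sshd child PID) and separate that from background noise."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample: the slide's three lines (user name assumed as "alice"),
# plus two added noise lines that should NOT produce an alert.
SAMPLE_LOG = """\
Dec 22 12:28:08 10.0.135.6 sshd[10926]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ds178-77-126-21.dedicated.hosteurope.de
Dec 22 12:28:40 10.0.135.6 sshd[10931]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.135.20
Dec 22 12:29:20 10.0.135.6 sshd[10926]: Accepted password for alice from 178.77.126.21 port 49154 ssh2
Dec 22 12:29:38 10.0.135.6 sshd[10926]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Dec 22 12:31:02 10.0.135.6 sshd[10940]: Accepted publickey for bob from 10.0.135.21 port 51022 ssh2
"""

# "Mon DD HH:MM:SS host sshd[pid]: message" (classic syslog, no year)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"authentication failure;.*\brhost=(?P<rhost>\S*)")
ACCEPT_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_line(line, year):
    """Return (timestamp, host, pid, message) or None for non-sshd lines.
    Syslog timestamps carry no year, so the caller supplies one (assumption:
    every line in the batch belongs to that year)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["pid"], m["msg"]


def correlate_sshd(log_text, year=2023, window=timedelta(minutes=10)):
    """Group events per (host, pid), i.e. per SSH connection, then flag any
    connection where a failure precedes an accepted login within `window`.
    Returns (alerts, noise): noise is the failure-only connections that were
    suppressed, kept so the threshold can be tuned against real volumes."""
    sessions = {}
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, host, pid, msg = parsed
        s = sessions.setdefault((host, pid), {"fails": [], "accept": None})
        fail = FAIL_RE.search(msg)
        accept = ACCEPT_RE.search(msg)
        if fail:
            s["fails"].append((ts, fail["rhost"]))
        elif accept:
            s["accept"] = {"ts": ts, "user": accept["user"],
                           "ip": accept["ip"], "method": accept["method"]}
        # "session opened" lines match neither pattern and are ignored here.

    alerts, noise = [], []
    for (host, pid), s in sessions.items():
        acc = s["accept"]
        if acc is None:
            if s["fails"]:
                noise.append({"host": host, "pid": pid,
                              "rhost": s["fails"][0][1], "failures": len(s["fails"])})
            continue
        prior = [t for t, _ in s["fails"] if timedelta(0) <= acc["ts"] - t <= window]
        if not prior:
            continue  # clean login, nothing to see
        try:
            external = not ipaddress.ip_address(acc["ip"]).is_private
        except ValueError:
            external = True  # unparsable address: never silently downgrade
        alerts.append({
            "host": host, "pid": pid, "user": acc["user"], "ip": acc["ip"],
            "method": acc["method"], "failures": len(prior),
            "seconds_to_success": int((acc["ts"] - min(prior)).total_seconds()),
            # Tuning knob: failure-then-success from a public address is the
            # pattern on the slide; the same thing from inside is lower priority.
            "severity": "high" if external else "medium",
        })
    return alerts, noise


if __name__ == "__main__":
    found, suppressed = correlate_sshd(SAMPLE_LOG)
    for a in found:
        print(f"[{a['severity']}] {a['host']} sshd[{a['pid']}]: {a['failures']} failure(s) "
              f"then {a['method']} login as {a['user']} from {a['ip']} "
              f"after {a['seconds_to_success']}s")
    print(f"suppressed {len(suppressed)} failure-only connection(s)")
```

Keying on the PID rather than on rhost is what makes the slide's two lines correlate at all: pam_unix logs the reverse-DNS name while the Accepted line logs the address, and a rule that joins on the peer string would miss it. The suppressed list is the "noise" the talk refers to; on a real host it will be large, and the window and severity rules are where tuning happens.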