5 Steps to Improve Your Incident Response Plan
Do you have an incident response plan to cover disasters, cyber-attacks, and other threats to your organization? How confident are you that it will work in a real-world situation? While simply having a plan will help you check the box on the audit, it doesn't guarantee effectiveness in a real situation. Assessing your incident response plans through fire drills, desktop exercises, functional scenarios, and full-scale exercises will help your organization truly validate the effectiveness of the plan.

IR assessments are meant to:

- Evaluate plans, policies, and procedures
- Find weaknesses in the plan and gaps in resources
- Improve coordination and communication internally and externally
- Define and validate roles and responsibilities
- Train personnel in their roles and responsibilities

This webinar will provide practical steps for assessing your organization's plans and demonstrate ways to improve them through a methodical and proven approach. After all, incidents occur in almost any organization, whether they're big or small, internal or external. Complete plans that have been tested, backed by trained resources and thorough communication, are the proven recipe to minimize the impact of incidents when they occur.

Our featured speakers for this webinar will be:

- Ted Julian, Chief Marketing Officer, Co3 Systems

- Richard White, Security Intelligence and Operations Principal, HP Enterprise Security Products

Published in: Technology
1. 5 Steps to Improve Your Incident Response Plan

2. Introductions: Today's Speakers
- Ted Julian – Chief Marketing Officer, Co3 Systems
- Richard White – Principal, HP Security Intelligence and Operational Consulting, MBA CISSP CHP/CHSS

3. Agenda
- Do you even have a plan?
- Reality about most Incident Response plans
- 5 Steps to Improve Your Incident Response Plan
  - Step 1 – How do we determine if this is an incident?
  - Step 2 – Who's in charge and are we ready?
  - Step 3 – Test the plan and learn
  - Step 4 – Let's work on our communications
  - Step 5 – Let's measure the impact
- Questions

4. About Co3's Incident Response Management System
PREPARE – Improve Organizational Readiness
- Appoint team members
- Fine-tune response SOPs
- Escalate from existing systems
- Run simulations (fire drills / tabletops)
ASSESS – Identify and Evaluate Incidents
- Assign appropriate team members
- Evaluate precursors and indicators
- Correlate threat intelligence
- Track incidents, maintain logbook
- Prioritize activities based on criticality
- Generate assessment summaries
MANAGE – Contain, Eradicate, and Recover
- Generate real-time IR plan
- Coordinate team response
- Choose appropriate containment strategy
- Isolate and remediate cause
- Instruct evidence gathering and handling
- Log evidence
MITIGATE – Document Results & Improve Performance
- Generate reports for management, auditors, and authorities
- Conduct post-mortem
- Update SOPs
- Track evidence
- Evaluate historical performance
- Educate the organization

5. Security Intelligence & Operations Consulting
Experience:
- 30+ SOC builds
- 90+ SOC assessments
- 30+ SIOC consultants worldwide
Solution approach: People, Process, & Technology
Accelerated success:
- Mature project methodology
- Best practices
- Extensive intellectual capital
Purpose: Ensure our customers are successful with ESP products by providing the right People, building the right Processes and delivering effective Technology.
ESP Services founded: 2007

6. HP's industry-leading scale
- Monthly security events: 2.3 billion
- HP secured user accounts: 47m
- HP security professionals: 5000+
- 10 out of 10 top telecoms
- 9 out of 10 major banks
- 9 out of 10 top software companies
- Global Security Operations Centers: 8 (global SOCs, plus a planned regional SOC)
- HP managed security customers: 900+
- All major branches of the US Department of Defense
8. Why have a plan?
- Legally required in most cases (PCI, HIPAA, SOX, etc.)
- Core security function for any organization
- Train people and teams the proper way to respond

9. Do you even have a plan?
State of Security Operations Business White Paper – Hewlett Packard. Three major points in the report:
- Security incidents are increasing in complexity, occurrence and success, meaning organizations are going to have to invest more in response planning and capabilities.
- Organizations need a better understanding of the threats so they can prepare better and utilize resources more effectively.
- Internal incidents are still the most common, such as malware, insider threats and employees losing sensitive data.

11. Reality about Incident Response Plans
- No plan is perfect and no plan survives a real-world test.
- IR plans require documentation, testing and validation before they can be called a real IR plan.
- Incident response plans go stale over time and must be refreshed annually or whenever the organization makes any major changes.
- Most organizations have no plans in place or response capabilities.

12. What's in an Incident Response Plan?
Incident response plans are directed by policy, guidelines and directives. A good incident response plan defines:
- Roles and responsibilities
- Description, goals and objectives
- Process for determining and declaring an incident
- Definition of different incident types and severity criteria
- Process flows from beginning to recovery
- Communication plans, internal and external
- Chain of command for each incident type
13. POLL
15. Step 1 – How do we determine if this is an incident?
- A policy is in place for the organization that sets the requirements and standards for Incident Response.
  - Defines the criteria for major and minor incident types
  - Requires a procedure for each incident type
  - Defines overall responsibility in the organization
- When an incident is declared, it should be based on incident type and well-developed supporting procedures.
- Do we know and understand any third-party/vendor incident response procedures?
- The decision matrix needs to be based on asset criticality, impact to the business and threat type.

16. Step 1 – How do we determine if this is an incident?

| Category | Description | Single Workstation | Multiple Workstations / Single HVT | Multiple HVTs / PCI Asset |
|---|---|---|---|---|
| Exercise / Network Defense Testing | Used during approved activity testing of internal/external network defenses or responses | SEV-4 | SEV-4 | SEV-4 |
| Successful Unauthorized Access/Intrusion: Root/Admin Level | An individual gains admin/root-level logical or physical access without permission to a company network, system, application, data, or other resource | SEV-3 | SEV-2 | SEV-1 |
| Successful Unauthorized Access/Intrusion: User Level | An individual gains user-level logical or physical access without permission to a company network, system, application, data, or other resource | SEV-3 | SEV-2 | SEV-1 |
| Attempted Unauthorized Access/Intrusion | An attacker's unauthorized attempt at accessing a company network, system, application, data, or other resource, though not successful | SEV-4 | SEV-3 | SEV-2 |
| Denial of Service | An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources; includes being the victim of, or participating in, the DoS | SEV-3 | SEV-2 | SEV-1 |

17. Step 1 – How do we determine if this is an incident?
- Severity levels and SLAs must be standardized across the organization.
- Agree on a dispute resolution process for when SLAs and severity definitions collide.
- Maintain an overall communication and escalation plan with multiple paths of communication and alternates.
- Involve other groups in the incident declaration process:
  - Initiate communications
  - Provide scheduled updates
  - Start documentation and ask for evidence preservation
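As an added example (not from the webinar or Co3's product), the Step 1 severity matrix encoded as a lookup in Python, with a consistency check that severity never decreases as the asset scope widens and a triage ordering for concurrently open incidents. The category and scope names are my own labels for the slide's rows and columns, and the incident queue is constructed.

```python
# Severity matrix from the Step 1 slide (incident category x asset scope).
# The key and scope names are constructed labels for the slide's rows and columns.
SCOPES = ("single_workstation", "multiple_workstations_or_single_hvt",
          "multiple_hvts_or_pci_asset")
SEVERITY_MATRIX = {
    "exercise_or_network_defense_testing": (4, 4, 4),
    "unauthorized_access_root_admin":      (3, 2, 1),
    "unauthorized_access_user":            (3, 2, 1),
    "attempted_unauthorized_access":       (4, 3, 2),
    "denial_of_service":                   (3, 2, 1),
}

def classify(category, scope, matrix=SEVERITY_MATRIX):
    """Return the SEV number (1 = most severe, 4 = least) for a category and scope.
    Unknown inputs raise rather than silently defaulting to a low severity."""
    if category not in matrix:
        raise ValueError(f"unknown incident category: {category!r}")
    if scope not in SCOPES:
        raise ValueError(f"unknown asset scope: {scope!r}")
    return matrix[category][SCOPES.index(scope)]

def matrix_is_consistent(matrix=SEVERITY_MATRIX):
    """Check a matrix before publishing it: one entry per scope, SEV numbers in
    1..4, and severity never decreasing (number never rising) as scope widens."""
    for levels in matrix.values():
        if len(levels) != len(SCOPES):
            return False
        if any(not 1 <= lvl <= 4 for lvl in levels):
            return False
        if any(wider > narrower for narrower, wider in zip(levels, levels[1:])):
            return False
    return True

def triage_order(incidents, matrix=SEVERITY_MATRIX):
    """Return incident ids most severe first. sorted() is stable, so incidents of
    equal severity keep their arrival order. Each incident is (id, category, scope)."""
    ranked = sorted(incidents, key=lambda inc: classify(inc[1], inc[2], matrix))
    return [inc[0] for inc in ranked]

# Constructed sample queue of open incidents (not from the webinar).
OPEN_INCIDENTS = [  # (id, category, scope)
    ("INC-1", "attempted_unauthorized_access", "single_workstation"),
    ("INC-2", "denial_of_service", "multiple_hvts_or_pci_asset"),
    ("INC-3", "unauthorized_access_user", "multiple_workstations_or_single_hvt"),
    ("INC-4", "exercise_or_network_defense_testing", "multiple_hvts_or_pci_asset"),
]
```

With the sample queue, `triage_order(OPEN_INCIDENTS)` yields INC-2 (SEV-1), INC-3 (SEV-2), then INC-1 and INC-4 (both SEV-4, in arrival order).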
18. Step 2 – Who's in charge and are we ready?
Roles, responsibilities and authority must be defined.
- Roles must be supported by policy granting the authority needed to fulfill the role.
- Do we have the right people and are they trained properly to handle most incidents?
- Enough resources to do the day job and handle the incident?
- Do they know the plan and understand what to do?
- Are the right support groups involved and identified?
  - Know who to get involved
  - Know who not to get involved

19. Step 2 – Who's in charge and are we ready?
Roles, responsibilities and authority must be defined.
- Some roles require representation and expertise from legal, HR, communications, executive leadership, etc.
- Collect the information that will be needed at time of incident, or provide paths to updated information:
  - Asset information
  - Network diagrams
  - Key resources
  - Support services and resources

20. Step 2 – Who's in charge and are we ready?
Roles, responsibilities and authority must be defined.
- Responsible – performs the role; delegated to perform the task by the Accountable party
- Accountable – the one ultimately answerable for the correct and thorough completion of the task
- Consulted – those whose opinions are sought, typically subject matter experts
- Informed – those who are provided status on the progress of the tasks

| Phase | SOC Manager | SOC Analysts | Forensic Analyst | Incident Manager | Business Unit Incident Response Team | Business Unit Mgmt. |
|---|---|---|---|---|---|---|
| WATCH | A | R | - | - | - | - |
| TRIAGE | A | R | C | - | - | - |
| MOBILIZE | A | R | - | C | I | I |
| ASSESS & CONTAINMENT | I | I | C | C | R | A |
| STABILIZE | I | I | - | C | R | A |
| RECOVERY | I | I | - | C | R | A |
| POST MORTEM | A | I | C | R | C | I |
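The RACI matrix above as a validator, added here as an example (not from the webinar or Co3's product): it applies the standard RACI rules (exactly one Accountable and at least one Responsible per phase, valid codes only) and lists roles that never own a task in any phase. Role names are shortened labels for the slide's column headings.

```python
# RACI matrix from the Step 2 slide (phase x role). Role names are shortened
# labels for the slide's column headings; the letters are the slide's values.
ROLES = ("SOC Manager", "SOC Analysts", "Forensic Analyst", "Incident Manager",
         "BU Incident Response Team", "BU Management")
VALID_CODES = {"R", "A", "C", "I", "-"}
RACI = {
    "WATCH":                ("A", "R", "-", "-", "-", "-"),
    "TRIAGE":               ("A", "R", "C", "-", "-", "-"),
    "MOBILIZE":             ("A", "R", "-", "C", "I", "I"),
    "ASSESS & CONTAINMENT": ("I", "I", "C", "C", "R", "A"),
    "STABILIZE":            ("I", "I", "-", "C", "R", "A"),
    "RECOVERY":             ("I", "I", "-", "C", "R", "A"),
    "POST MORTEM":          ("A", "I", "C", "R", "C", "I"),
}

def validate_raci(matrix, roles=ROLES):
    """Return a list of findings (empty means well formed). Rules applied: one
    entry per role, only R/A/C/I/- codes, exactly one Accountable and at least
    one Responsible per phase, so no phase can stall with nobody owning it."""
    findings = []
    for phase, codes in matrix.items():
        if len(codes) != len(roles):
            findings.append(f"{phase}: expected {len(roles)} entries, got {len(codes)}")
            continue
        bad = sorted(set(codes) - VALID_CODES)
        if bad:
            findings.append(f"{phase}: invalid codes {bad}")
        if codes.count("A") != 1:
            findings.append(f"{phase}: expected exactly one Accountable, found {codes.count('A')}")
        if codes.count("R") == 0:
            findings.append(f"{phase}: no Responsible party")
    return findings

def holders(matrix, phase, code, roles=ROLES):
    """Roles carrying a given code in a phase, e.g. who is Accountable in TRIAGE."""
    return [role for role, c in zip(roles, matrix[phase]) if c == code]

def roles_never_owning(matrix, roles=ROLES):
    """Roles that are never R or A in any phase. Not an error, but worth a look:
    such a role is only consulted or informed and may signal a staffing gap."""
    owning = set()
    for codes in matrix.values():
        owning.update(role for role, c in zip(roles, codes) if c in ("R", "A"))
    return [role for role in roles if role not in owning]
```

Run against the slide's own matrix, the validator reports no findings, while `roles_never_owning` flags the Forensic Analyst, who is only ever Consulted.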
21. POLL
22. Step 3 – Test the plan and learn
- Drills
- Desktop exercises
- Functional exercises
- Full-scale exercises
The exercise scenarios are designed to stimulate technical, operational, communication and/or strategic responses to cyber incidents, with a view to reviewing and refining current capabilities.

23. Step 3 – Test the plan and learn
Steps in an exercise:
- Preparation
- Detection and Analysis
- Containment and Eradication
- Post-Incident Activity
- Recovery process – get back to business
(Figure: incident response lifecycle – Preparation, Detection and Analysis, Containment/Eradication, Recovery)

24. Step 3 – Test the plan and learn
Overall goals:
- Examine information sharing
- Assess decision making
- Evaluate roles and responsibilities within the organization
Multi-group participation allows us to:
- Understand incident management across multiple departments and entities
- Evaluate threat information sharing among the whole community
- Understand roles and responsibilities
- Test and evaluate incident response coordination
25. Step 4 – Let's work on our communications
- Review and test the communication plan
- Identify the Incident Manager and Incident Management Team members and their alternates
- Identify business and information technology team leaders and their alternates
- Vendor emergency contacts and processes
- Regularly update and maintain internal and external contact lists
- Identify the person or department to handle any media requests

26. Step 4 – Let's work on our communications
- Establish a conference bridge
- Centralized knowledge base / document repository:
  - Recovery plans
  - Status updates
  - Share documents
  - Store documents
- Templates for communications so we are sending all the right information
- Identify a crisis command center / war room and an alternate location
- Help desk automated messages to prevent overwhelming staff

27. Step 4 – Let's work on our communications
Why communication plans fail to communicate:
- Email is often ignored
- Voice mail is ignored
- Alerts are ignored
- Out of date
- On weekends, holidays and nights, phones get turned off
- The plan is never updated
- Staff get overwhelmed by requests
28. Step 5 – Let's measure the impact
Understand what has a negative impact on the business:
- Loss of data
- Reputation
- Legal requirements
- What's the cost of a severe, moderate or minimal incident?
- How long can we be down and survive?
- Who will be impacted the most?

29. Step 5 – Let's measure the impact

| Priority | Asset / Business Process | Recovery Time Objective (RTO) | Maximum Tolerable Downtime (MTD) | Recovery Point Objective (RPO) |
|---|---|---|---|---|
| 1 | Point of Sale | 15 minutes | 30 minutes | 4 hours |
| 2 | Email | 12 hours | 48 hours | 24 hours |
| 2 | Employee payroll | 48 hours | 96 hours | 12 hours |

Point of Sale, by incident priority:

| Priority | Severe | Moderate | Minimal |
|---|---|---|---|
| Impact | Loss of revenue, overtime costs, loss of customer loyalty, data loss | Some revenue loss, overtime costs, customer annoyance | Loss of revenue |
| Cost | Greater than 300k per hour | 100-150k per hour | <25k per hour |
| | 3% | 22% | 60% |
30. Conclusion
- Understand what's important to the business
- Test your plan and update it based on lessons learned
- Post-mortems are critical and must be performed for each incident and test
- Prepare for the worst
- Have a recovery plan
31. Resources
- Cyber Incident Response: Are business leaders ready? (releases/5160-economist-intelligence-unit-and-arbor-networks-research-show-83-percent-of-businesses-are-not-fully-prepared-for-an-online-security-incident)
- NIST Computer Security Incident Handling Guide
- State of Security Operations – HP

33. Co3 Systems, One Alewife Center, Suite 450, Cambridge, MA 02140. Phone 617.206.3900. WWW.CO3SYS.COM
"Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors' Choice." – PC Magazine, Editors' Choice
"Co3…defines what software packages for privacy look like." – Gartner
"Platform is comprehensive, user friendly, and very well designed." – Ponemon Institute
"One of the hottest products at RSA…" – Network World, February 2013
Richard White, MBA CISSP CHP/CHSS, Principal, Security Intelligence and Operations