First Responders Course - Session 2 - Incident Response Teams [2004]
The second session from a two-day course for potential first responders across a large financial services client.

Published in: Business, Technology
Transcript

  • 1. Phil Huggins, February 2004
  • 2.
      • Client Relationship
      • Team Services
      • Team Roles
      • Team Types
      • External Teams
      • Team Management
      • Preparation
      • Initial Incident Team Meeting
      • Ongoing Management Tasks
  • 3.
      • Incident Response teams are customer service teams.
      • Adversarial relationships with business units only lead to poor incident performance.
      • Incidents are very high stress events for business managers. If their expectations are different from the team's then they will become adversarial.
      • Set performance targets, let business units know what they are and measure them.
      • Establish a protocol for team members when interacting with business unit staff.
  • 4.
      • What capabilities is the team going to offer the business units?
      • Extra services such as:
          • Auditing
          • Specific Platform Skills
          • Forensic Acquisition
          • Forensic Analysis
          • Post-Incident Support
  • 5.
      • Team Manager and Logistics Officer
          • Administration and personnel management.
          • Usually reports to CSO.
          • Logistics and administrative support.
      • Team Leader
          • Coordinator of an individual incident.
          • Able to make operational decisions in most cases.
      • Senior Analyst
          • Experienced specialist incident responders.
          • Able to work independently of team leader for extended periods.
      • Analyst
          • The incident responders.
          • Not necessarily a dedicated resource.
          • Strong technical skills (at least a power user).
      • Equipment Maintainer
          • Maintains the availability of all Incident Response equipment.
          • Responsible for acquiring new equipment as required during an incident.
  • 6.
      • Always more tasks than people to do them.
      • Internal Distributed CSIRT
          • A loose collection of pre-identified system administrators who can be re-tasked at short notice to perform incident response duties.
          • Only works in organisations that are able to easily and successfully make and break teams on the fly.
          • Requires significant buy-in from business line managers; the incident team may need to overcome 'tunnel vision' as they are closer to the systems day to day.
      • Internal Dedicated CSIRT
          • A dedicated team to provide nothing but security support to the business.
          • Generally better trained and with a higher availability. Can provide a more independent viewpoint on an incident.
          • Necessary for more formal organisations where crossing group boundaries is difficult and fraught.
  • 7.
      • Corporate
          • Efficient use of resources, available corporate wide.
          • Slower response times, political implications.
      • IT
          • Easy access to system staff as required.
      • Business Unit
          • Specialised, fast response, minimises downtime.
          • Even when only high risk business units are served it becomes costly.
      • Hybrid
          • Centralise function for awareness, training and shared resources.
          • Local teams to provide speed of response and specialist skills.
  • 8.
      • Public CSIRT
          • CERT/CC
          • JANET CERT
          • FIRST
          • Good first points of contact if incident involves systems owned by constituents.
      • Commercial CERT Teams
          • Expensive.
          • Good source of specialist knowledge / equipment.
  • 9.
      • Location: Where has the incident occurred?
      • Situation: What has happened? Find out as much as possible. How did the incident come to light?
      • Intelligence: Get as much detailed information as possible to enable you to make decisions and brief your team.
      • Mission: What is the aim of this incident response?
      • Execution: How are you going to achieve your aim? Follow the company standard incident response procedures. Have an outline plan of action.
      • Administration: What do you need to achieve your mission? Contact details of key people etc.
      • Operations including Security: What are the constraints? Need to know basis. Do not make it company wide gossip. Who else should be informed – legal, HR, PR, senior management.
      • Logistics: Do you need any specific items of kit or software to achieve your aim?
  • 10.
      • When first establishing an Incident Response team the Team Leader and Team Manager need information.
      • The initial team meeting will either:
          • collate the information you need to plan the response
          • identify who is going to gather and analyse that information for you
  • 11.
      • Who are the key players? Sponsor, stakeholders, external suppliers.
      • What are the constraints?
      • Roles? Explain what everyone will contribute and their responsibilities. Make it clear that teamwork is vital for success.
      • Do the company incident response procedures detail who to call upon? If not, identify skills, knowledge and experience required.
      • Identify who is required and for how long. Are they available full-time or part-time?
  • 12.
      • Keep the team focused, deal with distractions.
      • Keep your team informed of progress and what is happening.
      • Remember: the incident could well be fast moving and this could impact the members of the team, who may never have worked as a team in such conditions.
