1. CSIRP
Computer Security Incident Response Plan
Process Resource Center
NIST SP 800‐61 R2 Foundation
Manage the Forest and the Trees
Bridging the Gap Between Operations and Strategy
3. Customized Web‐Based Computer Security Incident Response Plan (CSIRP)
Overview
Visually Intuitive Navigation
Centralized Access to Supporting Resources
Computer Security Incident Response Plan Intent and Key Definitions
Source references: NIST SP 800‐53, 83, 83r2, 84, 184, 86, SANS, CERT, US & ICS‐CERT, ISAC, MITRE, specific vendor best practices and more
The plan is navigated by four phases:
1.0 Preparation
2.0 Monitor, Detection, & Analysis
3.0 Containment, Eradication, & Recovery
4.0 Post‐Incident Activity
Each phase contains relevant intuitive workflows, supporting reference material where they apply within the process, and end‐to‐end accountability
The Reference Center provides additional resources like threat playbooks and links to sites that provide malware remediation assistance
Supporting sections: Reference Center, CSIRP Management Contacts, CSIRP Team Structure, Information Center
7. CSIRP 1.0 Preparation
Preparation is about:
Establishing and training the incident response team
Acquiring the necessary incident response tools and resources
Proactively planning responses for the likely attacks the organization may face
Preparing the team to effectively react within minutes of unfamiliar attacks
Testing plans and preparedness
Continuously improving the incident response posture with lessons learned and industry updates and reconnaissance
8. 1.1 Create Computer Security Incident Response Team (CSIRT) Charter
1.1 Create CSIRT Teams, Roles, & Stakeholders’ Charter
CSIRT Charter
Establishes written management commitment to the CSIRP
Defines goals, scope, levels of authority, roles, and responsibilities
CSIRT Internal Members
Core Team Members: Lead, Assistant Lead, SOC Shift Team Lead, Incident Response Handlers, Forensics, Manager Leader, Alternative Manager Leader, Bridge Line, Information Security Officer, Chief Information Security Officer
Extended Incident Response Team: Chief Information Officer, Director IT, Director Networks, Director Technology Strategy & Architecture, Director Applications & Data Center, Control Systems Technical
Designated Internal Points of Contact
Managerial and Administrative: Risk Management, Business Continuity / Disaster Recovery, Director Budget & Governance, Corporate Communications, Human Resources, Government Affairs, Director PMO, Legal, Regulatory Group, Security, Risk & Controls, Director Network Field Services, Physical Security, Control Systems Group
CSIRT External Members
Law enforcement and government: Federal Trade Commission, Federal Bureau of Investigation / Department of Homeland Security, Police, Department of Energy, Bureau of Alcohol, Tobacco, Firearms and Explosives, Drug Enforcement Administration, Department of Homeland Security
Sector and coordination bodies: Electricity Information Sharing and Analysis Center, North American Electric Reliability Corporation, FBI InfraGard, National Infrastructure Protection Center, Forum of Incident Response & Security Teams (FIRST), Computer Emergency Response Team (CERT), Computer Incident Advisory Capability (CIAC)
Network providers: AT&T & Verizon Distributed Denial of Service (DDoS) Mitigation Service, UUNet Internet Service Provider
Contracted response services: Forensics Investigation Firm, External Cyber Law Firm & Compliance, Breach Notification & Call Center Services, Insurance/Risk Management Brokerage Firm, Credit Monitoring / Identity Protection Services
9. CSIRP 2.0 Monitor, Detection, & Analysis
The Monitor function was added to Detection and Analysis
Monitor, Detection, & Analysis is about:
Recognizing, receiving, analyzing and classifying all cybersecurity events and determining which are actual incidents vs. security or maintenance events
Prioritizing the handling of incidents
Event escalation path alternatives
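To make the classification, prioritization and escalation steps of this phase concrete, here is an added Python example; it is not part of the CSIRP deck or of Process Delivery Systems' own material. It sorts constructed events into maintenance events, security events and incidents, scores each incident with the three prioritization factors NIST SP 800‐61 R2 defines (functional impact, information impact, recoverability), and selects an escalation path. The classification rules, the scoring, the escalation tiers and the sample events are assumptions made for illustration.

```python
"""Event triage with NIST SP 800-61 R2 prioritization factors.
Added example, not from the CSIRP on the page.  The classification rules,
score weights, escalation tiers and sample events are assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum


class Functional(IntEnum):
    """Functional impact categories (NIST SP 800-61 R2)."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Information(IntEnum):
    """Information impact categories (NIST SP 800-61 R2)."""
    NONE = 0
    PRIVACY_BREACH = 1
    PROPRIETARY_BREACH = 2
    INTEGRITY_LOSS = 3


class Recoverability(IntEnum):
    """Recoverability categories (NIST SP 800-61 R2)."""
    REGULAR = 0
    SUPPLEMENTED = 1
    EXTENDED = 2
    NOT_RECOVERABLE = 3


@dataclass
class Event:
    event_id: str
    source: str
    description: str
    tags: set = field(default_factory=set)  # hypothetical enrichment tags
    functional: Functional = Functional.NONE
    information: Information = Information.NONE
    recoverability: Recoverability = Recoverability.REGULAR


def classify(ev: Event) -> str:
    """Return 'maintenance', 'security_event' or 'incident'.
    A change ticket inside an approved window is a maintenance event; a
    confirmed indicator, unauthorized access or exfiltration is an incident;
    everything else is a security event to keep watching."""
    if {"change_ticket", "approved_window"} <= ev.tags:
        return "maintenance"
    if ev.tags & {"confirmed_ioc", "unauthorized_access", "policy_violation", "data_exfil"}:
        return "incident"
    return "security_event"


def priority(ev: Event) -> int:
    """Sum the three 800-61 factors into a single 0-9 score (assumed weighting)."""
    return int(ev.functional) + int(ev.information) + int(ev.recoverability)


def escalation_path(ev: Event) -> list:
    """Assumed tiers: the SOC shift lead owns low scores, the IR lead joins at
    medium, and any privacy impact or high score pulls in the CISO and Legal."""
    path = ["SOC Shift Team Lead"]
    p = priority(ev)
    if p >= 3:
        path.append("Incident Response Lead")
    if p >= 6 or ev.information >= Information.PRIVACY_BREACH:
        path += ["Chief Information Security Officer", "Legal"]
    if ev.information == Information.PRIVACY_BREACH:
        path.append("Breach Notification Services")
    return path


def triage(events):
    """Keep only incidents, highest priority first (event_id breaks ties)."""
    incidents = [e for e in events if classify(e) == "incident"]
    return sorted(incidents, key=lambda e: (-priority(e), e.event_id))


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    Event("E1", "siem", "Scheduled patching on db-02", {"change_ticket", "approved_window"}),
    Event("E2", "ids", "Internet port scan, blocked at the firewall"),
    Event("E3", "edr", "Beacon to known C2 domain from hr-ws-17", {"confirmed_ioc"},
          Functional.LOW, Information.PRIVACY_BREACH, Recoverability.SUPPLEMENTED),
    Event("E4", "dlp", "Customer records posted to an external site", {"data_exfil"},
          Functional.MEDIUM, Information.PRIVACY_BREACH, Recoverability.EXTENDED),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.event_id, classify(ev), priority(ev), escalation_path(ev))
    print("handling order:", [e.event_id for e in triage(SAMPLE_EVENTS)])
```

Running it shows E1 dropped as maintenance, E2 held as a security event, and E4 handled before E3 because its functional impact and recoverability are worse, while both reach the CISO, Legal and breach notification because customer privacy is affected.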
12. CSIRP 3.0 Containment, Eradication, & Recovery
Containment, Eradication, & Recovery is about:
Isolating the attacked system(s)
Quickly and effectively determining the appropriate containment method
Stopping the damage to the infected host(s)
Tracking down other system infections and remedying them
Ensuring the attack is fully remedied
Bringing functionality back to normal
Monitoring to ensure there are no lingering components of the attack
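The scoping, containment-method and lingering-component steps above, as an added Python example that is not from the page or from Process Delivery Systems: it takes the indicators found on the first confirmed host, sweeps constructed DNS and EDR logs for other hosts that show them, chooses a containment method per host, and re-runs the sweep on post-eradication logs to catch anything still beaconing. The log formats, host names, indicators and the critical-host rule are assumptions for illustration.

```python
"""Incident scoping and containment planning from one host's indicators.
Added example, not part of the CSIRP on the page.  Log formats, host names,
indicators and the critical-host rule are constructed for illustration."""
import csv
import io
from collections import defaultdict

# Indicators pulled from the first confirmed host (constructed values).
IOCS = {
    "domains": {"update-cdn.example.net"},
    "sha256": {"deadbeef" * 8},
}

# Hosts whose services must stay up; assumed list for the example.
CRITICAL_HOSTS = {"dc-01"}

# Constructed DNS resolver log (not real telemetry).
DNS_LOG = """\
ts,host,query,rcode
2024-03-01T10:02:11Z,hr-ws-17,update-cdn.example.net,NOERROR
2024-03-01T10:02:15Z,hr-ws-17,login.example.com,NOERROR
2024-03-01T10:05:40Z,fin-ws-03,update-cdn.example.net,NOERROR
2024-03-01T10:06:02Z,dc-01,update-cdn.example.net,NOERROR
2024-03-01T10:09:30Z,eng-lap-22,UPDATE-CDN.example.net,NXDOMAIN
"""

# Constructed EDR process-start log (not real telemetry).
EDR_LOG = """\
ts,host,image,sha256
2024-03-01T10:01:58Z,hr-ws-17,C:\\Users\\Public\\svchost32.exe,{h}
2024-03-01T10:05:35Z,fin-ws-03,C:\\Users\\Public\\svchost32.exe,{h}
2024-03-01T10:20:00Z,dc-01,C:\\Windows\\System32\\svchost.exe,{other}
""".format(h="deadbeef" * 8, other="00" * 32)

# Constructed logs captured after eradication: fin-ws-03 still tries the C2.
POST_DNS_LOG = """\
ts,host,query,rcode
2024-03-02T09:00:00Z,hr-ws-17,login.example.com,NOERROR
2024-03-02T09:03:10Z,fin-ws-03,update-cdn.example.net,NXDOMAIN
"""
POST_EDR_LOG = "ts,host,image,sha256\n"


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def sweep(dns_rows, edr_rows, iocs):
    """Return {host: set(of matched indicators)}.  An NXDOMAIN answer still
    counts: the host attempted the C2 domain even if it was sinkholed."""
    hits = defaultdict(set)
    for r in dns_rows:
        q = r["query"].lower()
        if q in iocs["domains"]:
            hits[r["host"]].add("dns:" + q)
    for r in edr_rows:
        h = r["sha256"].lower()
        if h in iocs["sha256"]:
            hits[r["host"]].add("hash:" + h[:12])
    return dict(hits)


def containment_plan(hits, critical_hosts):
    """Pick a containment method per host.  Assumed rule: workstations are
    isolated immediately and imaged; critical hosts first get an egress block
    to the indicators so the service stays up until the IR lead decides."""
    plan = {}
    for host in sorted(hits):
        if host in critical_hosts:
            plan[host] = "block-egress-to-ioc; escalate before full isolation"
        else:
            plan[host] = "network-isolate; collect memory and disk image"
    return plan


def lingering(dns_rows, edr_rows, iocs, remediated_hosts):
    """Re-run the sweep on post-eradication logs; report remediated hosts
    that still show an indicator."""
    return sorted(h for h in sweep(dns_rows, edr_rows, iocs) if h in remediated_hosts)


if __name__ == "__main__":
    hits = sweep(parse_csv(DNS_LOG), parse_csv(EDR_LOG), IOCS)
    for host, action in containment_plan(hits, CRITICAL_HOSTS).items():
        print(host, sorted(hits[host]), "->", action)
    print("lingering after eradication:",
          lingering(parse_csv(POST_DNS_LOG), parse_csv(POST_EDR_LOG), IOCS, set(hits)))
```

The sweep widens the incident from one host to four (one of them only by a failed DNS lookup), keeps the domain controller running behind an egress block rather than isolating it outright, and the post-eradication pass flags fin-ws-03 as not fully remedied, which is exactly the lingering component the monitoring step is meant to catch.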
14. CSIRP 4.0 Post‐Incident Activity
Post‐Incident Activity is about:
Conducting robust assessments of lessons learned
Ensuring the appropriate actions are taken to prevent recurrence of the vulnerability exploit
Conducting forensics to aid understanding and remedy of the vulnerability and the exploit, and to support possible legal actions
22. CSIRP Process Resource Center
NIST SP 800‐61 R2 Foundation
Customized web framework that places CSIRP workflows and resources at the fingertips of incident handlers, response team members, and stakeholders where it makes sense
Visually illustrates the incident response plan in a fashion that enables all stakeholders to quickly get on the same page
Includes dynamic links and navigation to:
Segmented visually intuitive workflows and response protocols
Clearly defined roles and responsibilities, contacts, glossaries, forms, websites, videos and other resources as needed
Links to applications and required information sources
Centralized, accessible via computers, laptops, tablets, and smart phones
HTML version can run entirely from a jump‐kit laptop if the network is unavailable
23. Process Delivery Systems
Process Center Development
Manage the Forest and the Trees
Bridging the Gap Between Operations and Strategy
• Domain Content Development: Policies, Guidelines, and Standards; Domain Best Practices from Referenceable, Authoritative Sources
• Definitions and Visualization of Total Accountability; SIPOC/RACI
• Key Performance Measure Development
• End‐to‐End Process Maps Segmented by Logical Groups
• Resource Directories
• Applications, Forms, and Document Libraries
• Glossaries
• Process Governance
• Links to External Resources
Contact:
Henry Draughon
Process Delivery Systems
(972) 980‐9041
hdraughon@processdeliverysystems.com
www.processdeliverysystems.com