CSIRP
Computer Security Incident Response Plan
Process Resource Center
NIST SP 800-61 R2 Foundation
Manage the Forest and the Trees
Bridging the Gap Between Operations and Strategy
CSIRP – NIST SP 800-61 R2 Foundation
• Most Widely Referenced Incident Response Lifecycle
• Extensive Library of Supporting Authoritative Sources
Customized Web-Based Computer Security Incident Response Plan (CSIRP)
• Visually Intuitive Navigation
• Centralized Access to Supporting Resources

Navigation panel: Computer Security Incident Response Plan Overview; Intent and Key Definitions; 1.0 Preparation; 2.0 Monitor, Detection, & Analysis; 3.0 Containment, Eradication, & Recovery; 4.0 Post-Incident Activity; Reference Center; CSIRP Management Contacts; CSIRP Team Structure; Information Center

Supporting sources: NIST SP 800-53, 83, 83r2, 84, 184, 86; SANS; CERT; US-CERT & ICS-CERT; ISAC; MITRE; specific vendor best practices and more

Each phase contains relevant intuitive workflows, supporting reference material where they apply within the process, and end-to-end accountability.

The Reference Center provides additional resources like threat playbooks and links to sites that provide malware remediation assistance.
CSIRP Process Resource Center Home Page

Home Page of CSIRP Process Resource Center – Expanded Intent & Key Definitions

Buttons Contain Links to Presentations, Documents, Applications, and Other Resources
CSIRP 1.0 Preparation

Preparation is about:
• Establishing and training the incident response team
• Acquiring the necessary incident response tools and resources
• Proactively planning responses for the likely attacks the organization may face
• Preparing the team to effectively react within minutes of unfamiliar attacks
• Testing plans and preparedness
• Continuously improving the incident response posture with lessons learned and industry updates and reconnaissance
1.1 Create Computer Security Incident Response Team (CSIRT) Charter

1.1 Create CSIRT Teams, Roles, & Stakeholders' Charter

CSIRT Charter
• Establishes written management commitment to the CSIRP
• Defines goals, scope, levels of authority, roles, and responsibilities

CSIRT Internal Members (with Designated Internal Points of Contact)

Core Team Members: Lead; Assistant Lead; Forensics; Incident Response Handlers; SOC Shift Team Lead; Manager Leader; Alternative Manager Leader; Bridge Line; Information Security Officer; Chief Information Security Officer

Extended Incident Response Team
• Technical: Director IT; Director Network; Director Networks; Chief Information Officer; Director Technology Strategy & Architecture; Director Applications & Data Center; Control Systems
• Managerial and Administrative: Risk Management; Business Continuity / Disaster Recovery; Director Budget & Governance; Corporate Communications; Human Resources; Government Affairs; Director PMO; Legal; Regulatory Group; Security, Risk & Controls; Director Network Field Services; Physical Security
• Control Systems Group

CSIRT External Members: Federal Trade Commission; Federal Bureau of Investigation / Department of Homeland Security; Police; Department of Energy; AT&T & Verizon Distributed Denial of Service (DDoS) Mitigation Service; Bureau of Alcohol, Tobacco, Firearms and Explosives; Drug Enforcement Administration; Department of Homeland Security; Electricity Information Sharing and Analysis Center; North American Electric Reliability Corporation; FBI InfraGard; National Infrastructure Protection Center; Forum of Incident Response & Security Teams (FIRST); UUNet Internet Service Provider; Computer Emergency Response Team (CERT); Computer Incident Advisory Capability (CIAC); Forensics Investigation Firm; External Cyber Law Firm & Compliance; Breach Notification & Call Center Services; Insurance/Risk Management Brokerage Firm; Credit Monitoring; Identity Protection Services
CSIRP 2.0 Monitor, Detection, & Analysis

Monitor, Detection, & Analysis:
• The Monitor function was added to Detection and Analysis
• Monitor, Detection, & Analysis is about recognizing, receiving, analyzing and classifying all cybersecurity events and determining which are actual incidents vs. security or maintenance events
• Prioritizing the handling of incidents
• Event escalation path alternatives

Sub-processes: 2.1 Monitor and Detection; 2.2 Analysis
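A worked example of the classification and prioritization this phase describes, added here and not part of the deck: constructed sample events are sorted into incidents, security events and maintenance events using the NIST SP 800-61 R2 definitions (an event is any observable occurrence; an incident is a violation or imminent threat of violation of security policy, acceptable-use policy or standard security practice), confirmed incidents are scored with the three impact categories that document uses for prioritization (functional impact, information impact, recoverability), and each result is routed to an escalation path. The event schema, the scoring weights and thresholds, and the mapping of priorities onto the roles named on the team-structure slide are assumptions of this example.

```python
"""Event triage for CSIRP 2.0 Monitor, Detection, & Analysis (added example).

Event fields, scoring weights, thresholds and the priority-to-role mapping are
assumptions for this example; the impact levels are the ones NIST SP 800-61 R2
uses in its prioritization tables.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Functional(IntEnum):
    """Functional impact levels (NIST SP 800-61 R2)."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Information(IntEnum):
    """Information impact levels (NIST SP 800-61 R2)."""
    NONE = 0
    PRIVACY_BREACH = 1
    PROPRIETARY_BREACH = 2
    INTEGRITY_LOSS = 3


class Recoverability(IntEnum):
    """Recoverability levels (NIST SP 800-61 R2)."""
    REGULAR = 0
    SUPPLEMENTED = 1
    EXTENDED = 2
    NOT_RECOVERABLE = 3


@dataclass(frozen=True)
class Event:
    """One observable occurrence as received from a sensor (assumed schema)."""
    event_id: str
    source: str
    description: str
    violates_policy: bool        # actual or imminent policy violation
    in_change_window: bool       # matches an approved, scheduled change
    functional: Functional = Functional.NONE
    information: Information = Information.NONE
    recoverability: Recoverability = Recoverability.REGULAR


def classify(ev: Event) -> str:
    """Incident vs. security event vs. maintenance event.

    A change window explains benign noise but never excuses a violation:
    an incident observed during a change window is still an incident.
    """
    if ev.violates_policy:
        return "incident"
    if ev.in_change_window:
        return "maintenance event"
    return "security event"


def impact_score(ev: Event) -> int:
    """Assumed weights: loss of function or data counts double, recovery effort once."""
    return 2 * int(ev.functional) + 2 * int(ev.information) + int(ev.recoverability)


def prioritize(ev: Event) -> str:
    """Map the impact score to a handling priority (thresholds are assumed)."""
    score = impact_score(ev)
    if score >= 10:
        return "P1"
    if score >= 5:
        return "P2"
    if score >= 2:
        return "P3"
    return "P4"


# Assumed mapping of priority onto the roles from the deck's team-structure slide.
ESCALATION = {
    "P1": "Bridge Line: CSIRT Lead, Incident Response Handlers, CISO",
    "P2": "Incident Response Handlers, CSIRT Lead notified",
    "P3": "SOC Shift Team Lead assigns an Incident Response Handler",
    "P4": "SOC Shift Team works the ticket; weekly review by CSIRT Lead",
}


def escalation_path(kind: str, priority: Optional[str]) -> str:
    if kind == "incident":
        return ESCALATION[priority]
    if kind == "maintenance event":
        return "Close against the change record; no CSIRT action"
    return "SOC ticket; tune the detection if the signal is noise"


_RANK = {"P1": 0, "P2": 1, "P3": 2, "P4": 3, None: 4}


def triage(events: List[Event]) -> List[Dict]:
    """Classify, prioritize and route every event; most urgent first."""
    rows = []
    for ev in events:
        kind = classify(ev)
        priority = prioritize(ev) if kind == "incident" else None
        rows.append({"event_id": ev.event_id, "kind": kind, "priority": priority,
                     "path": escalation_path(kind, priority)})
    return sorted(rows, key=lambda r: (_RANK[r["priority"]], r["event_id"]))


# Constructed sample events for this example; none are real alerts.
SAMPLE_EVENTS = [
    Event("ids-ext-01", "perimeter IDS", "inbound port scan, all probes dropped", False, False),
    Event("edr-ws-4411", "EDR", "credential-dumping tool ran on a user workstation",
          True, False, Functional.LOW, Information.PRIVACY_BREACH, Recoverability.SUPPLEMENTED),
    Event("change-7781", "firewall audit", "rule set changed during approved change", False, True),
    Event("ics-hist-02", "ICS monitoring", "ransomware note on plant historian, data files rewritten",
          True, False, Functional.HIGH, Information.INTEGRITY_LOSS, Recoverability.EXTENDED),
    Event("siem-auth-09", "SIEM", "one account logged in from two countries within an hour", True, False),
    Event("patch-srv-12", "EDR", "EDR agent disabled and unsigned tool installed during patch window",
          True, True, Functional.LOW),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(f'{row["event_id"]:<13}{row["kind"]:<18}{row["priority"] or "-":<4}{row["path"]}')
```

The ordering rule in classify is the point worth keeping: the maintenance-window check runs only after the policy check, so the constructed patch-srv-12 event (EDR disabled during an approved window) is still triaged as an incident rather than closed against the change record.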
CSIRP 3.0 Containment, Eradication, & Recovery

Containment, Eradication, & Recovery is about:
• Isolating the attacked system(s)
• Quickly and effectively determining the appropriate containment method
• Stopping the damage to the infected host(s)
• Tracking down other system infections and remedying them
• Ensuring the attack is fully remedied
• Bringing functionality back to normal
• Monitoring to ensure there are no lingering components of the attack

Sub-process: 3.1 Containment, Eradication, & Recovery
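A worked example of the scoping, containment and verification steps listed above, added here and not taken from the deck: indicators are derived by diffing the first infected host against a known-good baseline, every host in the fleet is swept for any of them (so a host that carries only the persistence entry, not the dropper, is still found), the hits drive an ordered containment plan, and the same sweep is rerun after eradication as the gate for declaring the attack fully remedied. The host-snapshot schema, the indicator values and the fleet are constructed for this example.

```python
"""Scoping, containment and verification sweep for CSIRP 3.0 (added example).

HostSnapshot is an assumed telemetry schema; all hashes, domains, registry
paths and hostnames below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class HostSnapshot:
    """File hashes seen, DNS names queried and autorun entries on one host."""
    hostname: str
    file_hashes: Set[str]
    dns_queries: Set[str]
    autoruns: Set[str]


@dataclass(frozen=True)
class Indicators:
    file_hashes: frozenset
    domains: frozenset
    autoruns: frozenset


def extract_indicators(infected: HostSnapshot, baseline: HostSnapshot) -> Indicators:
    """Indicators are the artefacts the infected host has that the baseline lacks."""
    return Indicators(
        frozenset(infected.file_hashes - baseline.file_hashes),
        frozenset(infected.dns_queries - baseline.dns_queries),
        frozenset(infected.autoruns - baseline.autoruns),
    )


def matches(host: HostSnapshot, iocs: Indicators) -> List[str]:
    """Every indicator present on the host, tagged with its category."""
    found = [f"hash:{h}" for h in sorted(host.file_hashes & iocs.file_hashes)]
    found += [f"dns:{d}" for d in sorted(host.dns_queries & iocs.domains)]
    found += [f"autorun:{a}" for a in sorted(host.autoruns & iocs.autoruns)]
    return found


def sweep(fleet: List[HostSnapshot], iocs: Indicators) -> Dict[str, List[str]]:
    """hostname -> matched indicators, for hosts with at least one match."""
    hits = {}
    for host in fleet:
        found = matches(host, iocs)
        if found:
            hits[host.hostname] = found
    return hits


def containment_plan(hits: Dict[str, List[str]], iocs: Indicators) -> List[str]:
    """Isolate affected hosts first, then block the shared indicators so a host
    the sweep missed cannot keep talking to the attacker."""
    plan = [f"isolate {host} (network quarantine)" for host in sorted(hits)]
    plan += [f"sinkhole {d} at DNS/proxy" for d in sorted(iocs.domains)]
    plan += [f"block {h} in EDR" for h in sorted(iocs.file_hashes)]
    return plan


def eradicate(host: HostSnapshot, iocs: Indicators) -> HostSnapshot:
    """Snapshot a fresh collection should produce once the artefacts are removed
    and the host has stopped resolving the attacker's domains."""
    return HostSnapshot(host.hostname, host.file_hashes - iocs.file_hashes,
                        host.dns_queries - iocs.domains, host.autoruns - iocs.autoruns)


def verify_clean(fleet: List[HostSnapshot], iocs: Indicators) -> bool:
    """Recovery gate: the sweep that found the infection must now find nothing."""
    return not sweep(fleet, iocs)


# Constructed baseline and fleet.
BASE_HASHES = {"sha256:base-os-0001", "sha256:base-agent-0002"}
BASE_DNS = {"update.example"}
BASE_RUN = {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EdrAgent"}
DROPPER = "sha256:dropper-c0ffee"
C2_DOMAIN = "update-check.example"
PERSIST = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"

BASELINE = HostSnapshot("golden-image", set(BASE_HASHES), set(BASE_DNS), set(BASE_RUN))
FLEET = [
    HostSnapshot("ws-01", BASE_HASHES | {DROPPER}, BASE_DNS | {C2_DOMAIN}, BASE_RUN | {PERSIST}),
    HostSnapshot("ws-07", BASE_HASHES | {DROPPER}, BASE_DNS | {C2_DOMAIN}, set(BASE_RUN)),
    HostSnapshot("srv-03", set(BASE_HASHES), set(BASE_DNS), BASE_RUN | {PERSIST}),  # dropper gone, persistence left
    HostSnapshot("ws-12", set(BASE_HASHES), set(BASE_DNS), set(BASE_RUN)),
]

if __name__ == "__main__":
    iocs = extract_indicators(FLEET[0], BASELINE)
    hits = sweep(FLEET, iocs)
    for host, found in hits.items():
        print(host, found)
    for step in containment_plan(hits, iocs):
        print(step)
    cleaned = [eradicate(h, iocs) for h in FLEET]
    print("fleet clean:", verify_clean(cleaned, iocs))
```

Sweeping on every indicator category is what makes srv-03 visible: a hash-only sweep would report it clean, and its persistence entry would reinfect it after recovery. Running the identical sweep again after eradication is the check behind "monitoring to ensure there are no lingering components".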
CSIRP 4.0 Post-Incident Activity

Post-Incident Activity is about:
• Conducting robust assessments of lessons learned
• Ensuring the appropriate actions are taken to prevent recurrence of the vulnerability exploit
• Conducting forensics to aid understanding and remedy of the vulnerability and the exploit, and to support possible legal actions

Sub-process: 4.0 Post-Incident Activities
Reference Center
Library contains integrated full documents for regulatory and audit requirements

CSIRP Management Contacts
Visual end-to-end accountability: SIPOC combined with RACI
Designed for laptops, tablets, and smartphones
CSIRP Process Resource Center
NIST SP 800-61 R2 Foundation
• Customized web framework that places CSIRP workflows and resources at the fingertips of incident handlers, response team members, and stakeholders where it makes sense
• Visually illustrates the incident response plan in a fashion that enables all stakeholders to quickly get on the same page
• Includes dynamic links and navigation to:
  • Segmented, visually intuitive workflows and response protocols
  • Clearly defined roles and responsibilities, contacts, glossaries, forms, websites, videos and other resources as needed
  • Links to applications and required information sources
• Centralized, accessible via computers, laptops, tablets, and smart phones
• HTML version can run entirely from a jump-kit laptop if the network is unavailable
Process Delivery Systems
Process Center Development
• Domain Content Development
  • Policies, Guidelines, and Standards
  • Domain Best Practices from Referenceable, Authoritative Sources
• Definitions and Visualization of Total Accountability; SIPOC/RACI
• Key Performance Measure Development
• End-to-End Process Maps Segmented by Logical Groups
• Resource Directories
• Applications, Forms, and Document Libraries
• Glossaries
• Process Governance
• Links to External Resources

Manage the Forest and the Trees
Bridging the Gap Between Operations and Strategy

Contact:
Henry Draughon
Process Delivery Systems
(972) 980-9041
hdraughon@processdeliverysystems.com
www.processdeliverysystems.com

More Related Content

What's hot

NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417James W. De Rienzo
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkTuan Phan
 
NIST releases SP 800-160 Multi-discplinary approach to cybersecurity
NIST releases SP 800-160  Multi-discplinary approach to cybersecurityNIST releases SP 800-160  Multi-discplinary approach to cybersecurity
NIST releases SP 800-160 Multi-discplinary approach to cybersecurityDavid Sweigert
 
Aligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAmazon Web Services
 
What operational technology cyber security is?
What operational technology cyber security is?What operational technology cyber security is?
What operational technology cyber security is?sohailAhmad304
 
The IT Analysis Paralysis
The IT Analysis Paralysis The IT Analysis Paralysis
The IT Analysis Paralysis PYA, P.C.
 
Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen...
Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen...Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen...
Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen...Cohesive Networks
 
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...Shah Sheikh
 
Redspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin, Inc.
 
How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots   ulf mattsson - aug 2016How can i find my security blind spots   ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016Ulf Mattsson
 
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsGood Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsZivaro Inc
 
The Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident ResponseThe Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident ResponseLancope, Inc.
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesTony Moroney
 
Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6Phil Agcaoili
 
Using an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseUsing an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseEnclaveSecurity
 
2012 10 19 risk analysis training deck
2012 10 19 risk analysis training deck2012 10 19 risk analysis training deck
2012 10 19 risk analysis training deckElaine Axum
 
Needs of a Modern Incident Response Program
Needs of a Modern Incident Response ProgramNeeds of a Modern Incident Response Program
Needs of a Modern Incident Response ProgramLancope, Inc.
 

What's hot (20)

NASA OIG Report
NASA OIG ReportNASA OIG Report
NASA OIG Report
 
NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
 
NIST releases SP 800-160 Multi-discplinary approach to cybersecurity
NIST releases SP 800-160  Multi-discplinary approach to cybersecurityNIST releases SP 800-160  Multi-discplinary approach to cybersecurity
NIST releases SP 800-160 Multi-discplinary approach to cybersecurity
 
CSIRT_16_Jun
CSIRT_16_JunCSIRT_16_Jun
CSIRT_16_Jun
 
Security assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP PrepSecurity assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP Prep
 
Aligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWS
 
What operational technology cyber security is?
What operational technology cyber security is?What operational technology cyber security is?
What operational technology cyber security is?
 
The IT Analysis Paralysis
The IT Analysis Paralysis The IT Analysis Paralysis
The IT Analysis Paralysis
 
Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen...
Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen...Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen...
Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen...
 
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
 
Redspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP Template
 
How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots   ulf mattsson - aug 2016How can i find my security blind spots   ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016
 
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsGood Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
 
The Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident ResponseThe Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident Response
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best Practices
 
Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6
 
Using an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseUsing an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized Defense
 
2012 10 19 risk analysis training deck
2012 10 19 risk analysis training deck2012 10 19 risk analysis training deck
2012 10 19 risk analysis training deck
 
Needs of a Modern Incident Response Program
Needs of a Modern Incident Response ProgramNeeds of a Modern Incident Response Program
Needs of a Modern Incident Response Program
 

Viewers also liked

What Makes Great Infographics
What Makes Great InfographicsWhat Makes Great Infographics
What Makes Great InfographicsSlideShare
 
Masters of SlideShare
Masters of SlideShareMasters of SlideShare
Masters of SlideShareKapost
 
STOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
STOP! VIEW THIS! 10-Step Checklist When Uploading to SlideshareSTOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
STOP! VIEW THIS! 10-Step Checklist When Uploading to SlideshareEmpowered Presentations
 
10 Ways to Win at SlideShare SEO & Presentation Optimization
10 Ways to Win at SlideShare SEO & Presentation Optimization10 Ways to Win at SlideShare SEO & Presentation Optimization
10 Ways to Win at SlideShare SEO & Presentation OptimizationOneupweb
 
How To Get More From SlideShare - Super-Simple Tips For Content Marketing
How To Get More From SlideShare - Super-Simple Tips For Content MarketingHow To Get More From SlideShare - Super-Simple Tips For Content Marketing
How To Get More From SlideShare - Super-Simple Tips For Content MarketingContent Marketing Institute
 
How to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & TricksHow to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & TricksSlideShare
 

Viewers also liked (7)

What Makes Great Infographics
What Makes Great InfographicsWhat Makes Great Infographics
What Makes Great Infographics
 
Masters of SlideShare
Masters of SlideShareMasters of SlideShare
Masters of SlideShare
 
STOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
STOP! VIEW THIS! 10-Step Checklist When Uploading to SlideshareSTOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
STOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
 
You Suck At PowerPoint!
You Suck At PowerPoint!You Suck At PowerPoint!
You Suck At PowerPoint!
 
10 Ways to Win at SlideShare SEO & Presentation Optimization
10 Ways to Win at SlideShare SEO & Presentation Optimization10 Ways to Win at SlideShare SEO & Presentation Optimization
10 Ways to Win at SlideShare SEO & Presentation Optimization
 
How To Get More From SlideShare - Super-Simple Tips For Content Marketing
How To Get More From SlideShare - Super-Simple Tips For Content MarketingHow To Get More From SlideShare - Super-Simple Tips For Content Marketing
How To Get More From SlideShare - Super-Simple Tips For Content Marketing
 
How to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & TricksHow to Make Awesome SlideShares: Tips & Tricks
How to Make Awesome SlideShares: Tips & Tricks
 

Similar to PDS_CSIRP_PRC

2008: Web Application Security Tutorial
2008: Web Application Security Tutorial2008: Web Application Security Tutorial
2008: Web Application Security TutorialNeil Matatall
 
Incident Response
Incident Response Incident Response
Incident Response InnoTech
 
L11 Transition And Key Roles and SAT ROB IRP.pptx
L11 Transition And Key Roles and SAT ROB IRP.pptxL11 Transition And Key Roles and SAT ROB IRP.pptx
L11 Transition And Key Roles and SAT ROB IRP.pptxStevenTharp2
 
Access Control For Local Area Network Performance Essay
Access Control For Local Area Network Performance EssayAccess Control For Local Area Network Performance Essay
Access Control For Local Area Network Performance EssayDotha Keller
 
S nandakumar
S nandakumarS nandakumar
S nandakumarIPPAI
 
S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_bangloreIPPAI
 
Database development and security certification and accreditation plan pitwg
Database development and security certification and accreditation plan  pitwgDatabase development and security certification and accreditation plan  pitwg
Database development and security certification and accreditation plan pitwgJohn M. Kennedy
 
Cyber_Services_2015_company_intro_ENG_v2p0
Cyber_Services_2015_company_intro_ENG_v2p0Cyber_Services_2015_company_intro_ENG_v2p0
Cyber_Services_2015_company_intro_ENG_v2p0Ferenc Fresz
 
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]APNIC
 
2016 - Cyber Security for the Public Sector
2016 - Cyber Security for the Public Sector2016 - Cyber Security for the Public Sector
2016 - Cyber Security for the Public SectorScott Geye
 
Standards & Framework.pdf
Standards & Framework.pdfStandards & Framework.pdf
Standards & Framework.pdfkarthikvcyber
 
Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16Dave Darnell
 
RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™CPaschal
 
Security Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA EnvironmentsSecurity Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA Environmentsamiable_indian
 
Standards & Framework.ppt
Standards & Framework.pptStandards & Framework.ppt
Standards & Framework.pptkarthikvcyber
 
Proactive incident response
Proactive incident responseProactive incident response
Proactive incident responseBrian Honan
 
CIP IT Governance 5.0 Solution Guide for ArcSight Logger
CIP IT Governance 5.0 Solution Guide for ArcSight LoggerCIP IT Governance 5.0 Solution Guide for ArcSight Logger
CIP IT Governance 5.0 Solution Guide for ArcSight Loggerprotect724rkeer
 
Chapter 1 overview
Chapter 1 overviewChapter 1 overview
Chapter 1 overviewdr_edw777
 

Similar to PDS_CSIRP_PRC (20)

2008: Web Application Security Tutorial
2008: Web Application Security Tutorial2008: Web Application Security Tutorial
2008: Web Application Security Tutorial
 
Incident Response
Incident Response Incident Response
Incident Response
 
L11 Transition And Key Roles and SAT ROB IRP.pptx
L11 Transition And Key Roles and SAT ROB IRP.pptxL11 Transition And Key Roles and SAT ROB IRP.pptx
L11 Transition And Key Roles and SAT ROB IRP.pptx
 
Overview
OverviewOverview
Overview
 
Access Control For Local Area Network Performance Essay
Access Control For Local Area Network Performance EssayAccess Control For Local Area Network Performance Essay
Access Control For Local Area Network Performance Essay
 
S nandakumar
S nandakumarS nandakumar
S nandakumar
 
S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_banglore
 
Database development and security certification and accreditation plan pitwg
Database development and security certification and accreditation plan  pitwgDatabase development and security certification and accreditation plan  pitwg
Database development and security certification and accreditation plan pitwg
 
Cyber_Services_2015_company_intro_ENG_v2p0
Cyber_Services_2015_company_intro_ENG_v2p0Cyber_Services_2015_company_intro_ENG_v2p0
Cyber_Services_2015_company_intro_ENG_v2p0
 
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]
 
CCA study group
CCA study groupCCA study group
CCA study group
 
2016 - Cyber Security for the Public Sector
2016 - Cyber Security for the Public Sector2016 - Cyber Security for the Public Sector
2016 - Cyber Security for the Public Sector
 
Standards & Framework.pdf
Standards & Framework.pdfStandards & Framework.pdf
Standards & Framework.pdf
 
Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16
 
RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™
 
Security Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA EnvironmentsSecurity Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA Environments
 
Standards & Framework.ppt
Standards & Framework.pptStandards & Framework.ppt
Standards & Framework.ppt
 
Proactive incident response
Proactive incident responseProactive incident response
Proactive incident response
 
CIP IT Governance 5.0 Solution Guide for ArcSight Logger
CIP IT Governance 5.0 Solution Guide for ArcSight LoggerCIP IT Governance 5.0 Solution Guide for ArcSight Logger
CIP IT Governance 5.0 Solution Guide for ArcSight Logger
 
Chapter 1 overview
Chapter 1 overviewChapter 1 overview
Chapter 1 overview
 

PDS_CSIRP_PRC

  • 1. CSIRP Computer Security Incident Response PlanComputer Security Incident Response Plan Process Resource Center NIST SP 800‐61 R2 Foundation Manage the Forest and the Trees Bridging the Gap Between Operations and Strategy
  • 2. CSIRP – NIST SP 800‐61 R2 Foundation  Most Widely Referenced Incident Response Lifecycle  Extensive Library of Supporting Authoritative Sources
  • 3. Customized Web‐Based Computer Security  Incident Response Plan (CSIRP)Incident Response Plan (CSIRP)  Visually Intuitive NavigationOverview  Visually Intuitive Navigation  Centralized Access to Supporting  Resources Computer Security Incident Response Plan Intent and Key Definitions NIST SP 800‐53, 83, 83r2, 84, 184, 86,  SANS, CERT, US & ICS‐CERT, ISAC, MITRE,  Specific Vendor Best Practices and more 2.0 Monitor, Detection, &  Analysis 1.0 Preparation Each phase contains relevant intuitive  workflows, supporting reference  material where they apply within the  4.0 Post‐Incident  Activity 3.0 Containment,  Eradication, &  Recovery process, and end‐to‐end accountability Reference center provides additional  resources like threat playbooks and links  Reference Center CSIRP Management Contacts CSIRP Team Structure Information Center to sites that provide malware  remediation assistance Information Center
  • 5. Home Page of CSIRP Process Resource  Center – Expanded Intent & Key DefinitionsCenter  Expanded Intent & Key Definitions
  • 6. Buttons Contain Links to Presentations,  Documents, Applications, Other ResourcesDocuments, Applications, Other Resources
  • 7. CSIRP 1.0 Preparation  Preparation is about: Computer Security Incident Response Plan Overview  Establishing and training the incident  response team  Acquiring the necessary incident  2.0 Computer Security Incident Response Plan Intent and Key Definitions q g y response tools and resources  Proactively planning responses for the  likely attacks the organization may face 2.0 Monitor, Detection, &  Analysis 1.0 Preparation 3 0 y g y  Preparing the team to effectively react  within minutes of unfamiliar attacks  Testing plans and preparedness 4.0 Post‐Incident  Activity 3.0 Containment,  Eradication, &  Recovery Testing plans and preparedness  Continuously improving the incident  response posture with lessons learned  and industry updates and Reference Center CSIRP Management Contacts CSIRP Team Structure Information Center and industry updates and  reconnaissance
  • 8. 1.1 Create CSIRT Teams, Roles, & Stakeholders' Charter (Computer Security Incident Response Team Charter)
    - CSIRT Charter:
      - Establishes written management commitment to the CSIRP
      - Defines goals, scope, levels of authority, roles, and responsibilities
    - CSIRT (Computer Security Incident Response Team) Internal Members:
      - Core Team Members: SOC Shift Team Lead; Incident Response Handlers; Assistant Lead; Lead Forensics; Manager Leader; Bridge Line; Information Security Officer; Alternative Manager Leader; Chief Information Security Officer
      - Extended Incident Response Team: Director IT; Director Network; Director Networks; Chief Information Officer; Director Technology Strategy & Architecture; Director Applications & Data Center; Control Systems Technical
      - Managerial and Administrative: Risk Management; Business Continuity / Disaster Recovery; Director Budget & Governance; Corporate Communications; Human Resources; Government Affairs; Director PMO; Legal; Regulatory Group; Security, Risk & Controls; Director Network Field Services; Physical Security; Control Systems Group
    - CSIRT External Members (with Designated Internal Points of Contact):
      - Law enforcement, government, and industry bodies: Federal Trade Commission; Federal Bureau of Investigation / Department of Homeland Security; Police; Department of Energy; AT&T & Verizon Distributed Denial of Service (DDoS) Mitigation Service; Bureau of Alcohol, Tobacco, Firearms and Explosives; Drug Enforcement Administration; Department of Homeland Security; Electricity Information Sharing and Analysis Center; North American Electric Reliability Corporation; FBI InfraGard; National Infrastructure Protection Center; Forum of Incident Response & Security Teams (FIRST); UUNet Internet Service Provider; Computer Emergency Response Team (CERT); Computer Incident Advisory Capability (CIAC)
      - Contracted service providers: Forensics Investigation Firm; External Cyber Law Firm & Compliance; Breach Notification & Call Center Services; Insurance/Risk Management Brokerage Firm; Credit Monitoring and Identity Protection Services
  • 9. CSIRP 2.0 Monitor, Detection, & Analysis
    - The Monitor function was added to Detection and Analysis
    - Monitor, Detection, & Analysis is about:
      - Recognizing, receiving, analyzing, and classifying all cybersecurity events and determining which are actual incidents vs. security or maintenance events
      - Prioritizing the handling of incidents
      - Event escalation path alternatives
  • 12. CSIRP 3.0 Containment, Eradication, & Recovery
    - Containment, Eradication, & Recovery is about:
      - Isolating the attacked system(s)
      - Quickly and effectively determining the appropriate containment method
      - Stopping the damage to the infected host(s)
      - Tracking down other system infections and remedying them
      - Ensuring the attack is fully remedied
      - Bringing functionality back to normal
      - Monitoring to ensure there are no lingering components of the attack
  • 14. CSIRP 4.0 Post-Incident Activity
    - Post-Incident Activity is about:
      - Conducting robust assessments of lessons learned
      - Ensuring the appropriate actions are taken to prevent recurrence of the vulnerability exploit
      - Conducting forensics to aid understanding and remedy of the vulnerability and the exploit, and to support possible legal actions
  • 18. Library Contains Integrated Full Document for Regulatory and Audit Requirements
  • 22. CSIRP Process Resource Center, NIST SP 800-61 R2 Foundation
    - Customized web framework that places CSIRP workflows and resources at the fingertips of incident handlers, response team members, and stakeholders where it makes sense
    - Visually illustrates the incident response plan in a fashion that enables all stakeholders to quickly get on the same page
    - Includes dynamic links and navigation to:
      - Segmented, visually intuitive workflows and response protocols
      - Clearly defined roles and responsibilities, contacts, glossaries, forms, websites, videos, and other resources as needed
      - Links to applications and required information sources
    - Centralized, accessible via computers, laptops, tablets, and smart phones
    - HTML version can run entirely from a jump-kit laptop if the network is unavailable
  • 23. Process Delivery Systems: Process Center Development, Manage the Forest and the Trees
    - Domain Content Development
      - Policies, Guidelines, and Standards
      - Domain Best Practices from Referenceable, Authoritative Sources
    - Definitions and Visualization of Total Accountability; SIPOC/RACI
    - Key Performance Measure Development
    - End-to-End Process Maps Segmented by Logical Groups
    - Resource Directories
    - Applications, Forms, and Document Libraries
    - Glossaries
    - Process Governance
    - Links to External Resources
    - Bridging the Gap Between Operations and Strategy
    - Contact: Henry Draughon, Process Delivery Systems, (972) 980-9041, hdraughon@processdeliverysystems.com, www.processdeliverysystems.com