
Process One Key Understandings Updated 11.01.2011


Automation of your organization's Incident Response Management will normalize CSIRT processes and make response activities repeatable and defensible.


  1. Process One – Key Concepts

  2. Process One – Fundamental Approach

     Process One was specifically developed to assist security incident responders in handling the myriad of investigative, remedial, and reporting tasks involved in resolving security incidents. The first phase of every Process One implementation is the creation of a customized Computer Security Incident Response Team process guide. This process guide becomes the governing document for the responders, and is electronically manifested in the Process One software. An understanding of the approach used during the construction of this process guide will facilitate a deeper understanding of the system.

     June 17, 2011

  3. The Extended CSIRT Model

     Core CSIRT Team: Core CSIRT team members act as incident coordinators who are ultimately responsible for the final resolution of all computer security related incidents.

     Extended CSIRT Team: Extended CSIRT team members are individuals within various operational departments possessing specific skills to assist in case actions and/or having intimate departmental and institutional knowledge.

     Individual CSIRT Contributors: Individual CSIRT contributors are assigned specific actions to complete based on their knowledge, skill sets, and responsibilities.

     (Diagram: concentric rings for the Core CSIRT, the Extended CSIRT and Individual Contributors, with the departments HR, Physical, Finance, Legal, OPS and Risk feeding the extended team.)

  4. Consistent Prioritization

     An incident's priority can be determined by establishing the highest level of impact on the organization using an established matrix. In this example, the incident reflects a "High" priority even though most impacts are considered "Low".

  5. Proper Notification

     Now a CSIRT process can effectively utilize a Reporting Escalation Matrix to ascertain which departments should receive immediate alerts about an incident. Process One then automatically notifies appropriate personnel when incidents are created or escalated.
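The two rules described on slides 4 and 5, written out as an added example (not Process One's own code): priority is the highest impact level across all assessed areas, and alerts go out on creation or escalation according to a reporting escalation matrix. The impact areas, the matrix contents and the department names are constructed for illustration.

```python
# Added example; impact areas, matrix entries and department names are constructed.
LEVELS = ["Low", "Medium", "High"]  # ordered impact/priority scale used by the matrix

# Reporting Escalation Matrix (constructed): departments that must receive an
# immediate alert once an incident carries a given priority.
ESCALATION_MATRIX = {
    "Low": {"IT Ops"},
    "Medium": {"IT Ops", "Risk"},
    "High": {"IT Ops", "Risk", "Legal", "HR"},
}


def priority(impacts):
    """Consistent prioritization: the incident priority is the highest impact level
    found in any assessed area, even when most areas are rated Low."""
    unknown = [lvl for lvl in impacts.values() if lvl not in LEVELS]
    if unknown:
        raise ValueError(f"impact level(s) not defined in the matrix: {unknown}")
    return max(impacts.values(), key=LEVELS.index)


def recipients(level):
    """Departments the escalation matrix requires to be alerted at this priority."""
    return set(ESCALATION_MATRIX[level])


def notifications(old_priority, new_priority):
    """Proper notification: alert on creation (old_priority is None) or when the
    priority is raised. No change or a de-escalation sends nothing, and a raise
    alerts only the departments that were not already notified at the old level."""
    if old_priority is None:
        return recipients(new_priority)
    if LEVELS.index(new_priority) <= LEVELS.index(old_priority):
        return set()
    return recipients(new_priority) - recipients(old_priority)


if __name__ == "__main__":
    # Constructed incident: one High impact among several Low ones, as on slide 4.
    impacts = {"Financial": "Low", "Reputation": "High",
               "Operational": "Low", "Privacy": "Low"}
    print(priority(impacts))                        # High
    print(sorted(notifications(None, "Medium")))    # alerts on creation
    print(sorted(notifications("Medium", "High")))  # additional alerts on escalation
```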
  6. Establishing Incident Categories

     The desired granularity of incident categories must be determined, and then those categories must be defined. This is important both for establishing work flows and for reporting purposes.

     Example categories from the slide:

     • Personnel: Email Usage, Internet Usage, Workstation Usage, Application Misuse, Network Probing
     • External: Email Spamming, Internet Network Probing, Denial of Service, Logical Attack
     • Legal: Legal Hold Support, Legal Forensic Request, Outside Legal Support
     • Equipment Loss: Computing Equipment Loss, Loss of Electronic Media, Paper Media Loss
  7. Determining Available Response Actions

     Once an incident has been properly categorized, utilizing a response matrix ensures that incidents are handled in a standard and repeatable fashion.

  8. Codifying the Response Process

  9. For more information contact:

     Patrick Wynn
     Senior Business Development Director
     Reclamere, Inc.
     410.218.4179

     1-Nov-11