Brian Honan, profile picture
Uploaded byBrian Honan
PPTX, PDF854 views

Preparing for Failure - Best Practise for Incident Response

This document discusses the importance of establishing an incident response team (IRT) to prepare for and respond to security breaches. It recommends setting up alerting mechanisms, identifying necessary tools, establishing standard operating procedures, agreeing on the IRT's authority, and forming external relationships. The document also stresses the importance of practicing incident response, reviewing processes, and continuously improving the IRT through lessons learned. Resources for setting up computer security incident response teams are provided.

Embed presentation

Downloaded 34 times
Preparing for Failure - What to do When Your Security is Breached
Infosec Professional Certainties
Why Care About Information Security?
Typical IT Security
But …
Controls Will be Bypassed
Traditional Incident Response
You In Line Of Fire
Why Improve Incident Response?
Establish Team
Set up Alerting Mechanisms
Identify Tools
Don’t Forget
Standard Operating Procedures
Agree Authority of IRT
Establish External Relationships
Practise Makes Perfect
Review & Measure
Continuous Improvement
Disclosure ??
Considerations
More informationCSIRT Handbookhttp://www.cert.org/archive/pdf/csirt-handbook.pdfForming an Incident Response Teamhttp://www.auscert.org.au/render.html?it=2252Incident Response White Paper – BH Consultinghttp://www.bhconsulting.ie/Incident%20Response%20White%20Paper.pdfRFC2350: Expectations for Computer Security Incident Responsehttp://www.rfc-archive.org/getrfc.php?rfc=2350Organisational Models for Computer Security Incident Response Teamshttp://www.cert.org/archive/pdf/03hb001.pdfThe SANS Institute’s Reading Roomhttp://www.sans.org/reading_room
More ResourcesGuidelines for Evidence Collection and Archiving (RFC 3227)http://www.ietf.org/rfc/rfc3227.txtResources for Computer Security IncidentResponse Teams (CSIRTs)http://www.cert.org/csirts/resources.htmlRFC 2196: Site Security Handbookhttp://www.faqs.org/rfcs/rfc2196.html ENISA Step by Step Guide for setting up CERTShttp://enisa.europa.eu/doc/pdf/deliverables/enisa_csirt_setting_up_guide.pdfCSIRT Case Classification (Example for enterprise CSIRT)http://www.first.org/resources/guides/csirt_case_classification.html
QuestionsBrian.honan@bhconsulting.iewww.bhconsulting.iewww.twitter.com/brianhonanwww.bhconsulting.ie/securitywatchTel : +353 – 1 - 4404065

More Related Content

PDF
Overview
byNathan Burke
 
PPSX
Next-Gen security operation center
byMuhammad Sahputra
 
PPTX
If We Only Had the Time: How Security Teams Can Focus On What’s Important
byNathan Burke
 
PDF
Governance of security operation centers
byBrencil Kaimba
 
PPTX
Security operation center
byMuthuKumaran267
 
PPTX
Security Essentials
byAshley Deuble
 
PPTX
An Overview of IT Risk and Control
byIsmail Oduoye CISSP,CISA, CCNP-ROUTE,CCNA, MCITP,MCTS
 
PPS
Immune IT: Moving from Security to Immunity
byamiable_indian
 
Overview
byNathan Burke
 
Next-Gen security operation center
byMuhammad Sahputra
 
If We Only Had the Time: How Security Teams Can Focus On What’s Important
byNathan Burke
 
Governance of security operation centers
byBrencil Kaimba
 
Security operation center
byMuthuKumaran267
 
Security Essentials
byAshley Deuble
 
An Overview of IT Risk and Control
byIsmail Oduoye CISSP,CISA, CCNP-ROUTE,CCNA, MCITP,MCTS
 
Immune IT: Moving from Security to Immunity
byamiable_indian
 

What's hot

PPTX
Cybersecurity Audit
byEC-Council
 
PPTX
APAC Partner Update: SolarWinds Security
bySolarWinds
 
PPT
DataPreserve- SEVRAR Jan 09
byMike Garland
 
PDF
CyberObserver
byShimon Becker
 
PPTX
What is the UK Cyber Essentials scheme?
byIT Governance Ltd
 
PPTX
Identifying critical security controls
byElizabeth Baker, JD, CRCMP
 
PDF
How to emrace risk-based Security management in a compliance-driven culture
byShahid Shah
 
PPTX
SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...
byAlienVault
 
PDF
IPSec_Case_Study_DEECD_Managed_Security_Services
byIby Boztepe
 
PPTX
Security Operation Center Fundamental
byAmir Hossein Zargaran
 
PDF
Intel Presentation from NIST Cybersecurity Framework Workshop 6
byPhil Agcaoili
 
PPTX
Building a SOC - hackmiami 2018
byJose Hernandez
 
PDF
Virtual security is no less real
byguest24ab95c
 
PPTX
Veezo - Virtual Security Officer
byDirk Cipido
 
PPTX
Security Opeations Center- SOC
byAbhi Kundu
 
PDF
Servers compliance: audit, remediation, proof
byRUDDER
 
PDF
SanerNow Endpoint Management
bySecPod Technologies
 
PDF
January Infographic: Benefits of Partnering with an Managed Service Provider
byThe TNS Group
 
PPTX
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
byAnton Chuvakin
 
PPTX
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
bycentralohioissa
 
Cybersecurity Audit
byEC-Council
 
APAC Partner Update: SolarWinds Security
bySolarWinds
 
DataPreserve- SEVRAR Jan 09
byMike Garland
 
CyberObserver
byShimon Becker
 
What is the UK Cyber Essentials scheme?
byIT Governance Ltd
 
Identifying critical security controls
byElizabeth Baker, JD, CRCMP
 
How to emrace risk-based Security management in a compliance-driven culture
byShahid Shah
 
SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...
byAlienVault
 
IPSec_Case_Study_DEECD_Managed_Security_Services
byIby Boztepe
 
Security Operation Center Fundamental
byAmir Hossein Zargaran
 
Intel Presentation from NIST Cybersecurity Framework Workshop 6
byPhil Agcaoili
 
Building a SOC - hackmiami 2018
byJose Hernandez
 
Virtual security is no less real
byguest24ab95c
 
Veezo - Virtual Security Officer
byDirk Cipido
 
Security Opeations Center- SOC
byAbhi Kundu
 
Servers compliance: audit, remediation, proof
byRUDDER
 
SanerNow Endpoint Management
bySecPod Technologies
 
January Infographic: Benefits of Partnering with an Managed Service Provider
byThe TNS Group
 
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
byAnton Chuvakin
 
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
bycentralohioissa
 

Viewers also liked

PPTX
Greek Travel Guide
byTiina Sarisalmi
 
PPT
Springtime in Orivesi
byTiina Sarisalmi
 
PDF
Economic Control or Reform or Structural Change : Occupy the 1?
byANM Farukh
 
PPT
KMUTNB - Internet Programming 7/7
byphuphax
 
PPT
eTwinning Professional Development 2011
byTiina Sarisalmi
 
PPT
Kansainvälisyys ja verkko-oppiminen
byTiina Sarisalmi
 
PPT
Lunch Recipe from Romania
byTiina Sarisalmi
 
PPTX
Using Moodle to Support Differentiated Instruction
byyeske.patricia
 
PDF
East Side Rising
bySirron Carrector
 
PDF
P Gross Portfolio2008
bypjgross
 
PPTX
Facebook
byJohanda
 
PPTX
Eurooppalainen verkosto OPS:n resurssina – esimerkkinä eTwinning
byTiina Sarisalmi
 
PPTX
Kansainvälisyysstrategia 2.0 ja OPS-2016
byTiina Sarisalmi
 
PDF
Italian spring
byTiina Sarisalmi
 
PPT
Christopher Warren
byguestb2e14ae4
 
PPT
Tactiek verdedigen
byJohanda
 
PPTX
From student to professional – my experiences - 2010
byDennis Chong
 
PPTX
Johdatus kansainvälisyyskoulutukseen
byTiina Sarisalmi
 
PPTX
Ic Sconf2010presentation Dp Bh
byBrian Honan
 
PPTX
etwinning Learning Events - Pedagogical Objectives
byTiina Sarisalmi
 
Greek Travel Guide
byTiina Sarisalmi
 
Springtime in Orivesi
byTiina Sarisalmi
 
Economic Control or Reform or Structural Change : Occupy the 1?
byANM Farukh
 
KMUTNB - Internet Programming 7/7
byphuphax
 
eTwinning Professional Development 2011
byTiina Sarisalmi
 
Kansainvälisyys ja verkko-oppiminen
byTiina Sarisalmi
 
Lunch Recipe from Romania
byTiina Sarisalmi
 
Using Moodle to Support Differentiated Instruction
byyeske.patricia
 
East Side Rising
bySirron Carrector
 
P Gross Portfolio2008
bypjgross
 
Facebook
byJohanda
 
Eurooppalainen verkosto OPS:n resurssina – esimerkkinä eTwinning
byTiina Sarisalmi
 
Kansainvälisyysstrategia 2.0 ja OPS-2016
byTiina Sarisalmi
 
Italian spring
byTiina Sarisalmi
 
Christopher Warren
byguestb2e14ae4
 
Tactiek verdedigen
byJohanda
 
From student to professional – my experiences - 2010
byDennis Chong
 
Johdatus kansainvälisyyskoulutukseen
byTiina Sarisalmi
 
Ic Sconf2010presentation Dp Bh
byBrian Honan
 
etwinning Learning Events - Pedagogical Objectives
byTiina Sarisalmi
 

Similar to Preparing for Failure - Best Practise for Incident Response

PDF
Proactive incident response
byBrian Honan
 
PPTX
Incident Response in the wake of Dear CEO
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
PPTX
You Will Be Breached
byMike Saunders
 
PDF
The Critical Incident Response Maturity Journey
byEMC
 
PDF
Incident Response
byInnoTech
 
PPTX
INCIDENT-RESPONSE_093004 (1).pdtffyghgptx
byjess12castano
 
PDF
Security Incident Response Readiness Survey
byRahul Neel Mani
 
PPTX
L11 Transition And Key Roles and SAT ROB IRP.pptx
byStevenTharp2
 
PDF
YBB-NW-distribution
byMike Saunders
 
PPTX
IT Security and Management - Semi Finals by Mark John Lado
byMark John Lado, MIT
 
PPTX
chapter on Incident Response Management.
bySuhail Qadir Mir
 
PDF
Ch5-Incident Response Management.pdfncident Response Management.
bySuhail Qadir Mir
 
PDF
File000119
byDesmond Devendran
 
PDF
Cybersecurity Incident Response Planning.pdf
byCiente
 
PDF
Cisco Connect Vancouver 2017 - Embedding IR into the DNA of the business
byCisco Canada
 
PPTX
Navigating Cybersecurity Incidents in 2025
bywininlifeacademy5
 
PDF
Today's Cyber Challenges: Methodology to Secure Your Business
byJoAnna Cheshire
 
PPTX
Dream of the (blue) Effective Case Management System
bySalesforce Engineering
 
PDF
Navigating-Cybersecurity-Incidents-in-2025.pptx.pdf
byWin In Life Academy
 
PPTX
Lecture 06 - Incident Management and SOC.pptx
byprasadsanjaya2
 
Proactive incident response
byBrian Honan
 
Incident Response in the wake of Dear CEO
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
You Will Be Breached
byMike Saunders
 
The Critical Incident Response Maturity Journey
byEMC
 
Incident Response
byInnoTech
 
INCIDENT-RESPONSE_093004 (1).pdtffyghgptx
byjess12castano
 
Security Incident Response Readiness Survey
byRahul Neel Mani
 
L11 Transition And Key Roles and SAT ROB IRP.pptx
byStevenTharp2
 
YBB-NW-distribution
byMike Saunders
 
IT Security and Management - Semi Finals by Mark John Lado
byMark John Lado, MIT
 
chapter on Incident Response Management.
bySuhail Qadir Mir
 
Ch5-Incident Response Management.pdfncident Response Management.
bySuhail Qadir Mir
 
File000119
byDesmond Devendran
 
Cybersecurity Incident Response Planning.pdf
byCiente
 
Cisco Connect Vancouver 2017 - Embedding IR into the DNA of the business
byCisco Canada
 
Navigating Cybersecurity Incidents in 2025
bywininlifeacademy5
 
Today's Cyber Challenges: Methodology to Secure Your Business
byJoAnna Cheshire
 
Dream of the (blue) Effective Case Management System
bySalesforce Engineering
 
Navigating-Cybersecurity-Incidents-in-2025.pptx.pdf
byWin In Life Academy
 
Lecture 06 - Incident Management and SOC.pptx
byprasadsanjaya2
 

More from Brian Honan

PPTX
Brian honan ipexpo keynote
byBrian Honan
 
PPTX
GDPR & Brexit - What Does the Future Hold?
byBrian Honan
 
PDF
Ransomware Prevention Guide
byBrian Honan
 
PPTX
Brian honan
byBrian Honan
 
PPTX
The dark side of the internet
byBrian Honan
 
PPTX
Data security brian honan
byBrian Honan
 
PPTX
Presentation on EU Directives Impacting Cyber Security for Information Securi...
byBrian Honan
 
PPTX
Incident Response in the Cloud
byBrian Honan
 
PPTX
How to Like Social Media Network Security
byBrian Honan
 
PDF
Bridging the air gap
byBrian Honan
 
PPTX
Learning from History
byBrian Honan
 
PPTX
Incident response cloud
byBrian Honan
 
PPT
Best practises for log management
byBrian Honan
 
PPT
Cloud security
byBrian Honan
 
PPTX
Layer 8 Security - Securing the Nut Between the Keyboard & Screen
byBrian Honan
 
PPTX
Creating a CERT at WARP Speed
byBrian Honan
 
PDF
The Case for Mandatory Data Breach Disclosure Laws
byBrian Honan
 
PPT
Knowing Me Knowing You
byBrian Honan
 
PDF
Scare Ware From Ireland
byBrian Honan
 
PDF
Hot Topics For 2010
byBrian Honan
 
Brian honan ipexpo keynote
byBrian Honan
 
GDPR & Brexit - What Does the Future Hold?
byBrian Honan
 
Ransomware Prevention Guide
byBrian Honan
 
Brian honan
byBrian Honan
 
The dark side of the internet
byBrian Honan
 
Data security brian honan
byBrian Honan
 
Presentation on EU Directives Impacting Cyber Security for Information Securi...
byBrian Honan
 
Incident Response in the Cloud
byBrian Honan
 
How to Like Social Media Network Security
byBrian Honan
 
Bridging the air gap
byBrian Honan
 
Learning from History
byBrian Honan
 
Incident response cloud
byBrian Honan
 
Best practises for log management
byBrian Honan
 
Cloud security
byBrian Honan
 
Layer 8 Security - Securing the Nut Between the Keyboard & Screen
byBrian Honan
 
Creating a CERT at WARP Speed
byBrian Honan
 
The Case for Mandatory Data Breach Disclosure Laws
byBrian Honan
 
Knowing Me Knowing You
byBrian Honan
 
Scare Ware From Ireland
byBrian Honan
 
Hot Topics For 2010
byBrian Honan
 

Recently uploaded

PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Workflow and decision Automation with Flowable
bychakib ch
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 

Preparing for Failure - Best Practise for Incident Response

Editor's Notes

  • #3 The three certainties with regards to information securityDeath and TaxesYou will have an incident.How you respond to an incident will have a direct influence on the impact that incident may have to your costs, reputation and ability to conduct business.
  • #5 Traditional focus on PreventionPoliciesFirewallsAnti-Virus SoftwareIntrusion Detection SystemsIf turned on !!Little Attention Paid to RespondingResponse Focus Primarily onVirusesMinor Policy Breaches
  • #6 More solutions do not necessarily guarantee you are secure.Neither does more standards such as ISO 27001 or PCI DSS. Yes they will make your security more efficient and better, but you still will at some stage suffer a breach.
  • #8 Traditional ResponseAdhocUnplannedDeal with it as it happensResults inProlonged incidentsIf You Know You Have Been AttackedLack of metrics and measurementsBad Guys & Gals getting awayInappropriate Response Can Result;Disclosure of confidential information.Prolonged recovery times.Lack of evidence for a criminal or civil case.Negative impact to the organisation’s image.Potential legal and/or compliance Issues.Potential Legal Cases from Third Party Organisations.Exposure to Legal/Libel Cases From Employees/Individuals.IT Manager Updating Their CV
  • #9 IT Manager Updating Their CVInvariably IT get blamed for either letting the incident happen in the first place or for not responding appropriately
  • #10 Structured and Formalised Response provides;Positive Security PostureIncidents Dealt with Quickly, Efficiently and EffectivelyRapid and Accurate Assessment of IncidentsChoosing Most Appropriate Response.Shortened Recovery Times.Minimised Business Disruption.Confidence to Proceed with a Court Case.Regulatory and Legal Compliance.Potential Reduction in Incidents.Accurate Reporting and Metrics
  • #11 ComposedInformation SecurityOperationsHuman ResourcesLegalPublic RelationsFacilities ManagementUnder Control of Information Security
  • #12 Log filesNetwork DevicesPeopleNot just via the support deskBaseliningWhat is the norm for your network?ExternalVulernability ListsPartnersThird Parties
  • #13 Forensics SoftwareCommercial vs. Open SourceIncident Tracking & RecordingDigital SignaturesSpare MediaBackupsEvidence bagsEvidence formsPhysical EvidenceCCTV, Swipe Card accessNetwork Sniffers Centralised Time SourceTraining CoursesNotebooksDigital CameraOut of Band CommunicationsEmail may be compromisedSupport System may be compromisedWar RoomSecure StorageCoffee!!
  • #15 How are Incidents Reported?Incident ClassificationProcedures in Place for Expected IncidentsProcedures in Place for Unexpected IncidentsWho declares an Incident?Who to involve and when?Team available 24x7?Escalation TreeTypical ProceduresMalware/Computer Virus infectionExternal Unauthorised Access to SystemsInternal Unauthorised Access to SystemsTheft of Computer Equipment and Related Data.Discovery of Illegal Content on Company’s ResourcesSerious Breach of the AUPMinor Breach of the AUPWebsite Defacement.Denial of Service Attack.Email Flood Attack.Third Party Compromise.Disclosure of Confidential Information.
  • #16 Incidents Can Occur 24x7What takes Priority?Mitigate the impact of IncidentGather as Much Evidence As PossibleRestore SystemsWhat Authority has IRT teamE.g. Take systems offlineIntegrate with Business ContinuityCan IRT invoke Business Continuity Plan?Integrate With Other ProcessesChange Control etc.Security vs Service !!
  • #17 Some Skills not available In-houseLegalForensicsPublic RelationsAgree Terms & Conditions before an IncidentSuppliersISPs, Telecomms, HostingPartnersCustomersAn Garda SiochanaGarda Computer Crime UnitPart of Garda Bureau of Fraud InvestigationHow do you Report a Computer Crime?Contact Local Garda StationRefer to Garda Computer Crime UnitWhen Should You Contact Garda Computer Crime UnitToday !!Do the above before you have an incident as it is not something you want to negotiate in the middle of responding to an incident or breach.
  • #18 Run Practise Drills.Identify Weaknesses in IR.Review Effectiveness of Incident Response.Ensure Everyone Aware of Roles & Responsibilities.Regularly Test Network for Vulnerabilities.Regularly Normalise Network & Systems.Test Staff Awareness.Test Management Awareness.Can you contact everyone when you need to?For example will the network engineer in their twenties who is single be available to respond at 10 p.m. on a Friday night? How about the manager who has to do the school run in the morning?
  • #19 Formal Post Incident ReviewDocument OutcomesImplement RecommendationsMeasure IncidentsNumber of Incidents by ClassificationCosts of IncidentsTiming of IncidentsCorrelate with Real World EventsAnnual Report, Press Releases etc.Integrate With Other ProcessesRisk AssessmentTrainingBusiness Continuity Planning
  • #21 Data Breach Code of Practise – NOT MANDATORY !!!Despite the Data Protection Act, many companies are still not adhering to best practises.Recent headlines highlight that many organisations are still not taking adequate steps to protect the personal information of their staff and/or customers. HSE – stolen laptops Bank of Ireland – stolen laptopsJobs.ie – website hacked Online Irish Retailer – website hacked exposing credit card detailsIn the main consumers are not made aware that breaches occur. This leaves them at greater risk of fraud as they do not know if they should be taking precautionary steps to protect themselves.
  • #22 Balance needs to be achieved