Sec4

Operational Security
Disaster Recovery
Incident Response
CCSD SECURITY
ESSENTIAL

Security Operations Overview
Copyright © 2019 Logical Operations, Inc. All rights reserved.
Focus Description
Maintain Operational
Resilience
Keep core business functions operating even when a negative event occurs.
Protect Valuable Assets Protect a wide range of assets and resources, from data to equipment to human.
Control System Accounts Control users who have access to critical business systems.
Effective Security Services
Management
Make sure that strong leadership is in place to keep security operations services
consistent and effective.

Incident Response Process
Detect a
Problem
Evaluate the
Problem
Mitigate the
Damage
Determine
Lessons
Learned
Report Details
Recover and
Remediate
Implement
Preventive
Controls

IRT Roles and Responsibilities
IT
Information
Security
Physical/Corporate
Security
Executive
Management
Legal
Internal
Audit
Human
Resources
Media/Public
Relations
Incident
Response
Team

• Prevent a situation from becoming worse.
• Ensure that first responders take correct action.
• Provide the team with all of the tools and resources they need.
Incident Response Management

• Volume of log entries and false positives can be overwhelming.
• Adverse occurrence might not actually be a security incident.
• Hardware failures.
• Human error.
• Use professional judgment.
• Document all systems.
• Set a baseline of normal behavior.
• Retain logs from all sources.
• Correlate events, alerts, and indicators from all sources.
• Research reputable sources for information.
• Filter out irrelevant or inconsequential sources.
• Properly document analysis findings in a database.
Evaluation and Analysis

• Use triage method to determine priority by criticality.
• Take care to not inadvertently contaminate a crime scene.
• If you do not intend to prosecute:
• Contain damage.
• Discover the problem.
• Bring systems back online.
Response and Mitigation

• Can be as simple as restoring a single operating system or as complex as moving all
personnel and operations to a new physical location.
• Make sure the recovered system will not be vulnerable to the same attack.
• Use a different team to perform a fresh vulnerability assessment on recovered
system.
• Stop or reverse the damage caused by the incident.
• Discover root cause.
Recovery and Remediation

• Report business impact of incident.
• Report should include:
• Source of incident.
• Triggers.
• Systems targeted.
• Specific impacts.
• Actions taken to mitigate incident.
• Actions taken to recover systems and operations.
• Actions taken to mitigate lingering effects.
• Current state of the system.
• Lessons learned.
Reporting and Documentation

• Identify areas of security that need improvement.
• Determine the best way possible to improve security.
Lessons Learned
 Actions taken.
 Optimal solution.
 How teams reacted/performed.
 Cost in time and money.
 How future response will be different.
 Recommended changes to security policy.

• Seeking evidence from computers/networks that might pertain to criminal/civil
matter.
• Remember nearly anything done on computer/network leaves a trace.
• Set of procedures/protocols that are:
• Methodical.
• Verifiable.
• Auditable.
Investigative Procedures
Collect
Evidence
Present
Findings
Analyze
Evidence
Discover
Evidence

• Keep asking "what was the immediate thing that allowed this to happen?”
• With each answer, repeat the question until you find the root cause.
• Most root causes can be uncovered in six questions.
• There are likely to be several root causes.
Root Cause Analysis

• Report findings to management, authorities, stakeholders.
• Tailor report based on audience.
Investigation Reports

Disaster Recovery Planning Process
Update and Maintain
Identify
Document
Train
Assess

DRPs
• Well-documented policy that defines:
• How people/resources will be protected during disaster.
• How organization will recover.
• Plan should be tested for effectiveness and fine-tuned before a disaster strikes.
• Train staff on policy so they can respond automatically in case of emergency.

Disaster Recovery Strategy Considerations
Risks
Personnel safety
Essential items
Relocation scheme
Cost vs.
benefit
Weigh goals and
costs to ensure an
effective DRP
Prioritization
Recover business
critical processes first

Disaster Recovery Priority Levels
Short
term
Mid term
Long
term
Not
required

DRP Personnel Roles and Responsibilities
Executive emergency
management team
Command
center team
Emergency management
team
Emergency
response teams
End users
DRP
Personnel

• A master schedule that lists all of the tests.
• A description of the test objectives and methods.
• A list of all test participants.
• The roles and responsibilities of all test participants including support personnel.
• The decision-makers and their successors.
• Test locations.
• Test escalation conditions.
• Contact information.
DRP Test Plan

• Notify all stakeholders:
• Employees and their families.
• Vendors, contractors, and business
partners.
• Facility and site managers.
• Department managers.
• Senior managers and Board of Directors.
• News media.
• Law enforcement.
• Emergency responders.
• Insurance companies.
• Suppliers and distributors.
• Customers.
• Government regulators.
• Competitors.
• Unions.
• Internet users.
• The general public or line-of-business
related communities.
• Industry groups.
Communication with Stakeholders

Communication Flow
• Create a fault-tolerant call tree.
• Put emergency numbers on badges or refrigerator magnets.

• Final part of disaster recovery.
• Part of the DRP.
• Primary working facility and environment is back to normal.
• Part of staff might still be at alternate site for awhile.
• Legal team and insurance agent will play a role.
Restoration

• What was the root cause of the disaster?
• How can such a disaster be avoided in the future?
• How did the DR/BCP team respond?
• What lessons were learned?
• What went well?
• What could be improved?
Disaster Post-Mortem

END

Sec4

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Sec4

Similar to Sec4 (20)

More from Anne Starr

More from Anne Starr (20)

Recently uploaded

Recently uploaded (20)

Sec4