Preparing for Failure - Best Practise for Incident Response

Helping You Piece IT Together

http://www.bhconsulting.ie info@bhconsulting.ie

Preparing for Failure - What to do When Your Security is Breached


An overview of the steps you should consider when setting up your incident response function.

Transcript of Preparing for Failure - Best Practise for Incident Response

Page 1: Preparing for Failure - Best Practise for Incident Response

Helping You Piece IT Together

http://www.bhconsulting.ie info@bhconsulting.ie

Preparing for Failure - What to do When Your Security is Breached

Page 2

Infosec Professional Certainties

Page 3

Why Care About Information Security?

Page 4

Typical IT Security

Page 5

But …

Page 6

Controls Will be Bypassed

Page 7

Traditional Incident Response

Ad hoc & Unplanned

Deal with it as it happens

Prolonged Recovery Times

Damage to Company

Lack of Metrics

Legal Issues

Bad Guys/Gals Getting Away

Page 8

You In Line Of Fire

Page 9

Why Improve Incident Response?

Page 10

Establish Team

Information Security

Operations

Human Resources

Legal

Public Relations

Facilities Management

Page 11

Set up Alerting Mechanisms

Page 12

Identify Tools

Page 13

Don’t Forget

Page 14

Standard Operating Procedures

Page 15

Agree Authority of IRT

Page 16

Establish External Relationships

Page 17

Practise Makes Perfect

Page 18

Review & Measure

Page 19

Continuous Improvement

Develop IR Policy

Create IRT

Develop SOPs

Test

Update

Page 20

Disclosure ??

Page 21

Considerations

Page 22

More information

CSIRT Handbook

http://www.cert.org/archive/pdf/csirt-handbook.pdf

Forming an Incident Response Team

http://www.auscert.org.au/render.html?it=2252

Incident Response White Paper – BH Consulting

http://www.bhconsulting.ie/Incident%20Response%20White%20Paper.pdf

RFC 2350: Expectations for Computer Security Incident Response

http://www.rfc-archive.org/getrfc.php?rfc=2350

Organisational Models for Computer Security Incident Response Teams

http://www.cert.org/archive/pdf/03hb001.pdf

The SANS Institute's Reading Room

http://www.sans.org/reading_room

Page 23

More Resources

Guidelines for Evidence Collection and Archiving (RFC 3227)

http://www.ietf.org/rfc/rfc3227.txt

Resources for Computer Security Incident Response Teams (CSIRTs)

http://www.cert.org/csirts/resources.html

RFC 2196: Site Security Handbook

http://www.faqs.org/rfcs/rfc2196.html

ENISA Step by Step Guide for Setting up CERTs

http://enisa.europa.eu/doc/pdf/deliverables/enisa_csirt_setting_up_guide.pdf

CSIRT Case Classification (Example for Enterprise CSIRT)

http://www.first.org/resources/guides/csirt_case_classification.html

Page 24

Questions

[email protected]

www.twitter.com/brianhonan

www.bhconsulting.ie/securitywatch

Tel: +353 1 4404065