5 Steps to Improve Your Incident Response Plan
Introductions: Today’s Speakers
• Ted Julian – Chief Marketing Officer, Co3 Systems
• Richard White – Principal, HP Security Intelligence and Operational Consulting, MBA CISSP CHP/CHSS
Agenda
• Do you even have a plan?
• Reality about most Incident Response plans
• 5 Steps to Improve Your Incident Response Plan.
• Step 1 – How do we determine if this is an incident?
• Step 2 – Who’s in charge and are we ready?
• Step 3 – Test the plan and learn.
• Step 4 – Let’s work on our communications.
• Step 5 – Let’s measure the impact.
• Questions
About Co3’s Incident Response Management System
PREPARE – Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (firedrills / table tops)
ASSESS – Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries
MANAGE – Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence
MITIGATE – Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
Security Intelligence & Operations Consulting
Experience:
• 30+ SOC Builds
• 90+ SOC Assessments
• 30+ SIOC Consultants worldwide
Solution Approach:
• People, Process, & Technology
Accelerated Success:
• Mature Project Methodology
• Best Practices
• Extensive Intellectual Capital
Purpose:
Ensure our customers are successful with ESP products by providing the right People, building the right Processes and delivering effective Technology.
ESP Services (founded 2007)
HP’s industry-leading scale
• Monthly security events: 2.3 billion
• HP secured user accounts: 47m
• HP security professionals: 5000+
• 10 out of 10 top telecoms
• 9 out of 10 major banks
• 9 out of 10 top software companies
• Global Security Operations Centers: 8 global SOCs, plus planned regional SOCs
• HP managed security customers: 900+
• All major branches of the US Department of Defense
DO YOU EVEN HAVE A PLAN?
Why have a plan?
• Legally required in most cases (PCI, HIPAA, SOX, etc…)
• Core security function for any organization
• Train people and teams the proper way to respond
Do you even have a plan?
State of Security Operations Business White Paper – Hewlett Packard
• Three major points in the report:
• Security incidents are increasing in complexity, occurrence and success, meaning organizations are going to have to invest more in response planning and capabilities.
• Organizations need a better understanding of the threats so they can prepare better and utilize resources more effectively.
• Internal incidents are still the most common, such as malware, insider threats and employees losing sensitive data.
REALITY ABOUT INCIDENT RESPONSE PLANS
Reality about Incident Response Plans
• No plan is perfect and no plan survives a real-world test.
• IR plans require documentation, testing and validation before they can be called a real IR plan.
• Incident response plans go stale over time and must be refreshed annually or whenever the organization makes any major changes.
• Most organizations have no plans or response capabilities in place.
What’s in an Incident response plan?
Incident Response Plans are directed by policy, guidelines and directives.
A good Incident Response Plan defines:
• Roles and responsibilities
• Description, goals and objectives
• Process for determining and declaring an incident
• Definition of different incident types and severity criteria
• Process flows from beginning to recovery
• Communication plans, internal and external
• Chain of command for each incident type
POLL
ASSESS AND IMPROVE YOUR PLAN
Step 1 – How do we determine if this is an incident?
• A policy is in place for the organization that sets the requirements and standards for Incident Response:
• Defines the criteria for major and minor incident types
• Requires a procedure for each incident type
• Defines overall responsibility in the organization
• When an incident is declared, the declaration should be based on incident type and well-developed supporting procedures.
• Do we know and understand any third-party/vendor incident response procedures?
• The decision matrix needs to be based on asset criticality, impact to the business and threat type.
Step 1 – How do we determine if this is an incident?
Severity matrix by category and scope (columns: Single Workstation / Multiple Workstations or Single HVT / Multiple HVTs or PCI Asset):
• Exercise/Network Defense Testing – used during approved activity testing of internal/external network defenses or responses: SEV-4 / SEV-4 / SEV-4
• Successful Unauthorized Access/Intrusion: Root/Admin Level – an individual gains admin/root level logical or physical access without permission to a company network, system, application, data, or other resource: SEV-3 / SEV-2 / SEV-1
• Successful Unauthorized Access/Intrusion: User Level – an individual gains user level logical or physical access without permission to a company network, system, application, data, or other resource: SEV-3 / SEV-2 / SEV-1
• Attempted Unauthorized Access/Intrusion – an attacker's unauthorized, unsuccessful attempt at accessing a company network, system, application, data, or other resource: SEV-4 / SEV-3 / SEV-2
• Denial of Service – an attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources; this includes being the victim of or participating in the DoS: SEV-3 / SEV-2 / SEV-1
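To show how a matrix like the one above is applied at declaration time, here is an added Python example (not Co3's or HP's code). The SEV values are the slide's; everything else is an assumption made for the example: the Asset record and its hvt/pci tags, the rule that derives the scope column from the affected assets, the SLA hours, and the escalation lists. The point it makes is that severity falls out of threat type plus asset criticality, so the inventory tags have to be right before the matrix can be.

```python
"""Triage decision matrix: incident category x affected-asset scope -> severity.

Added example, not from the slide deck. Severity values are the slide's;
Asset tags, scope rules, SLA hours and escalation lists are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    hvt: bool = False   # assumed inventory tag: high-value target
    pci: bool = False   # assumed inventory tag: in PCI cardholder-data scope


# The three scope columns of the slide's matrix.
SINGLE_WS = "single workstation"
MULTI_WS_OR_HVT = "multiple workstations / single HVT"
MULTI_HVT_OR_PCI = "multiple HVTs / PCI asset"

# Severity matrix from the slide (SEV-1 is the most severe).
SEVERITY_MATRIX = {
    "exercise": {SINGLE_WS: 4, MULTI_WS_OR_HVT: 4, MULTI_HVT_OR_PCI: 4},
    "unauthorized access: root/admin": {SINGLE_WS: 3, MULTI_WS_OR_HVT: 2, MULTI_HVT_OR_PCI: 1},
    "unauthorized access: user": {SINGLE_WS: 3, MULTI_WS_OR_HVT: 2, MULTI_HVT_OR_PCI: 1},
    "attempted unauthorized access": {SINGLE_WS: 4, MULTI_WS_OR_HVT: 3, MULTI_HVT_OR_PCI: 2},
    "denial of service": {SINGLE_WS: 3, MULTI_WS_OR_HVT: 2, MULTI_HVT_OR_PCI: 1},
}

# Assumed hours-to-first-response per severity (not on the slide).
SLA_HOURS = {1: 1, 2: 4, 3: 24, 4: 72}

# Assumed escalation list per severity, using the Step 2 role names.
ESCALATION = {
    1: ("SOC Manager", "Incident Manager", "Business Unit Mgmt", "Legal"),
    2: ("SOC Manager", "Incident Manager", "Business Unit Mgmt"),
    3: ("SOC Manager", "Incident Manager"),
    4: ("SOC Manager",),
}


def scope_of(assets):
    """Map the set of affected assets onto one of the matrix's scope columns.

    Assumed rule: any PCI asset or more than one HVT is the widest scope; one
    HVT or several ordinary hosts is the middle column; otherwise a single box.
    """
    if not assets:
        raise ValueError("an incident needs at least one affected asset")
    hvts = sum(1 for a in assets if a.hvt)
    if any(a.pci for a in assets) or hvts > 1:
        return MULTI_HVT_OR_PCI
    if hvts == 1 or len(assets) > 1:
        return MULTI_WS_OR_HVT
    return SINGLE_WS


def declare(category, assets):
    """Return the declared severity, SLA and escalation list for an incident.

    A category with no row in the matrix has no procedure behind it, so it is
    rejected rather than guessed at (the slide requires a procedure per type).
    """
    try:
        row = SEVERITY_MATRIX[category]
    except KeyError:
        raise ValueError(f"no procedure defined for category {category!r}") from None
    scope = scope_of(assets)
    sev = row[scope]
    return {
        "category": category,
        "scope": scope,
        "severity": f"SEV-{sev}",
        "sla_hours": SLA_HOURS[sev],
        "notify": ESCALATION[sev],
    }


if __name__ == "__main__":
    # Constructed sample: admin-level intrusion on one HVT plus one workstation.
    affected = [Asset("db01", hvt=True), Asset("ws-1042")]
    print(declare("unauthorized access: root/admin", affected))
```

Run as a script it prints the SEV-2 declaration for the constructed sample; the same two functions can be called from a ticketing hook so the declared severity is recorded with the scope that produced it.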
Step 1 – How do we determine if this is an incident?
• Severity levels and SLAs must be standardized across the organization.
• Agree on a dispute resolution process for when SLAs and severity definitions collide.
• Maintain an overall communication and escalation plan with multiple paths of communication and alternates.
Involve other groups in the incident declaration process
• Initiate communications
• Provide scheduled updates
• Start documentation and ask for evidence preservation
Step 2 – Who’s in charge and are we ready?
Roles, Responsibilities and Authority must be defined
• Roles must be supported by policy granting the authority needed to fulfill the role.
• Do we have the right people, and are they trained properly to handle most incidents?
• Enough resources to do the day job and handle the incident?
• Do they know the plan and understand what to do?
• Are the right support groups involved and identified?
• Know who to get involved
• Know who not to get involved
Step 2 – Who’s in charge and are we ready?
Roles, Responsibilities and Authority must be defined
• Some roles require representation and expertise from legal, HR, communications, executive leadership, etc…
• Collect the information that will be needed at time of incident or provide paths to updated information:
• Asset information
• Network diagrams
• Key resources
• Support services and resources
Step 2 – Who’s in charge and are we ready?
Roles, Responsibilities and Authority must be defined
Responsible - Performs the role, delegated to perform the task by the Accountable Party
Accountable - The one ultimately answerable for the correct and thorough completion of the task
Consulted - Those whose opinions are sought, typically subject matter experts
Informed - Those who are provided status on the progress of the tasks.
RACI matrix by phase (roles in order: SOC Manager / SOC Analysts / Forensic Analyst / Incident Manager / Business Unit Incident Response Team / Business Unit Mgmt):
• WATCH: A / R / - / - / - / -
• TRIAGE: A / R / C / - / - / -
• MOBILIZE: A / R / - / C / I / I
• ASSESS & CONTAINMENT: I / I / C / C / R / A
• STABILIZE: I / I / - / C / R / A
• RECOVERY: I / I / - / C / R / A
• POST MORTEM: A / I / C / R / C / I
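A RACI chart is only useful if it is well formed: every phase needs exactly one Accountable party and at least one Responsible one, otherwise "who's in charge?" has no answer when the phase starts. The following added Python example (not from the deck or either vendor) encodes the slide's matrix and runs those checks over it, plus a "who do I call" lookup and a per-role load count. The chart values are the slide's; the validation rules are general RACI conventions, and the overload threshold in role_load is an assumption.

```python
"""RACI hygiene checks for the Step 2 phase/role matrix.

Added example, not from the slide deck. Chart contents are the slide's; the
rules (one A and at least one R per phase, only R/A/C/I/- codes) are general
RACI conventions, and max_responsible is an assumed threshold.
"""

ROLES = (
    "SOC Manager",
    "SOC Analysts",
    "Forensic Analyst",
    "Incident Manager",
    "BU Incident Response Team",
    "BU Mgmt",
)

# One tuple per phase, one code per role, in ROLES order (values from the slide).
RACI = {
    "Watch":                ("A", "R", "-", "-", "-", "-"),
    "Triage":               ("A", "R", "C", "-", "-", "-"),
    "Mobilize":             ("A", "R", "-", "C", "I", "I"),
    "Assess & Containment": ("I", "I", "C", "C", "R", "A"),
    "Stabilize":            ("I", "I", "-", "C", "R", "A"),
    "Recovery":             ("I", "I", "-", "C", "R", "A"),
    "Post Mortem":          ("A", "I", "C", "R", "C", "I"),
}

VALID_CODES = {"R", "A", "C", "I", "-"}


def validate_raci(chart, roles):
    """Return a list of problems; an empty list means the chart is well formed."""
    problems = []
    for phase, codes in chart.items():
        if len(codes) != len(roles):
            problems.append(f"{phase}: {len(codes)} entries for {len(roles)} roles")
            continue
        unknown = [c for c in codes if c not in VALID_CODES]
        if unknown:
            problems.append(f"{phase}: unknown codes {unknown}")
        if codes.count("A") != 1:
            problems.append(f"{phase}: expected exactly one Accountable, found {codes.count('A')}")
        if "R" not in codes:
            problems.append(f"{phase}: nobody is Responsible")
    return problems


def who(chart, roles, phase, code):
    """Roles holding `code` (R/A/C/I) in a phase, e.g. who to call when it starts."""
    return [role for role, c in zip(roles, chart[phase]) if c == code]


def role_load(chart, roles, max_responsible=3):
    """Phases each role is Responsible for, flagging roles above the assumed limit.

    Returns {role: (count, overloaded)}; a role that is R for too many phases is a
    single point of failure once the day job and the incident compete for it.
    """
    load = {}
    for i, role in enumerate(roles):
        n = sum(1 for codes in chart.values() if codes[i] == "R")
        load[role] = (n, n > max_responsible)
    return load


if __name__ == "__main__":
    print("problems:", validate_raci(RACI, ROLES))
    print("responsible in Mobilize:", who(RACI, ROLES, "Mobilize", "R"))
    print("accountable in Recovery:", who(RACI, ROLES, "Recovery", "A"))
    print(role_load(RACI, ROLES))
```

The slide's chart passes cleanly; the value of the check shows up when the chart is edited, for example when a second Accountable is added to a phase during a reorganization and nobody notices until the next drill.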
POLL
Step 3 – Test the plan and Learn
• Drills
• Desktop exercises
• Functional Exercises
• Full scale exercises
The exercise scenarios are designed to stimulate technical, operational, communication and/or strategic responses to cyber incidents with a view to reviewing and refining current capabilities.
Step 3 – Test the plan and Learn
• Steps in an exercise
• Preparation
• Detection and Analysis
• Containment and Eradication
• Post-Incident Activity
• Recovery process – get back to business
[Diagram: incident handling cycle – Preparation, Detection and Analysis, Containment and Eradication, Recovery]
Step 3 – Test the plan and Learn
Overall goals
• Examine information sharing
• Assess decision making
• Evaluate roles and responsibilities within the organization
Multi-group participation allows us to
• Understand incident management across multiple departments and entities
• Evaluate threat information sharing among the whole community
• Understand roles and responsibilities
• Test and evaluate Incident Response coordination
Step 4 – Let’s work on our communications
• Review and test the communication plan
• Identify the Incident Manager and Incident Management Team members and their alternates.
• Identify Business and Information Technology Team Leaders and their alternates.
• Vendor emergency contacts and processes
• Regularly update and maintain internal and external contact lists.
• Identify the person or department to handle any media requests.
Step 4 – Let’s work on our communications
• Establish a conference bridge
• Centralized knowledge base/document repository
• Recovery plans
• Status updates
• Share documents
• Store documents
• Template for communications so we are sending all the right information
• Identify a crisis command center/war room and an alternate location
• Help desk automated messages to prevent overwhelming staff
Step 4 – Let’s work on our communications
Why communication plans fail to communicate
• Email is often ignored
• Voice mail is ignored
• Alerts are ignored
• Out of date
• Weekends, holidays and nights: phones get turned off
• The plan is never updated
• Staff get overwhelmed by requests
Step 5 – Let’s measure the impact
Understand what has a negative impact on the business
• Loss of data.
• Reputation.
• Legal requirements.
• What’s the cost of a severe, moderate or minimal incident?
• How long can we be down and survive?
• Who will be impacted the most?
Step 5 – Let’s measure the impact
Recovery objectives by asset/business process (Priority; Recovery Time Objective, RTO; Maximum Tolerable Downtime, MTD; Recovery Point Objective, RPO):
• 1 – Point of Sale: RTO 15 minutes; MTD 30 minutes; RPO 4 hours
• 2 – Email: RTO 12 hours; MTD 48 hours; RPO 24 hours
• 2 – Employee payroll: RTO 48 hours; MTD 96 hours; RPO 12 hours
Point of Sale impact by incident priority (Severe / Moderate / Minimal):
• Severe: loss of revenue, overtime costs, loss of customer loyalty, data loss; greater than 300k per hour; 3%
• Moderate: some revenue loss, overtime costs, customer annoyance; 100-150k per hour; 22%
• Minimal: loss of revenue; <25k per hour; 60%
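The recovery objectives above only measure anything once an outage is scored against them, so here is an added Python example (not from the deck or either vendor) that does that scoring. The RTO/MTD/RPO values and the per-hour impact bands are the slide's; the outage records, the hourly loss rates and the rule for ordering concurrent outages (priority first, then least MTD headroom) are assumptions made for the example. It also surfaces a gap a practitioner would want fixed: the slide's impact bands are not contiguous, so an hourly loss between them classifies as nothing.

```python
"""Score outages against recovery objectives (RTO, MTD, RPO) and impact bands.

Added example, not from the slide deck. Objective values and impact bands are
the slide's; outage records, loss rates and the ordering rule are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Objectives:
    priority: int   # 1 is recovered first
    rto_min: int    # Recovery Time Objective, minutes
    mtd_min: int    # Maximum Tolerable Downtime, minutes
    rpo_min: int    # Recovery Point Objective, minutes of acceptable data loss


# Values from the slide's table, converted to minutes.
OBJECTIVES = {
    "Point of Sale":    Objectives(1, 15, 30, 4 * 60),
    "Email":            Objectives(2, 12 * 60, 48 * 60, 24 * 60),
    "Employee payroll": Objectives(2, 48 * 60, 96 * 60, 12 * 60),
}


def evaluate_outage(process, downtime_min, data_loss_min):
    """Report whether an outage stayed inside each objective for a process."""
    o = OBJECTIVES[process]
    return {
        "process": process,
        "rto_met": downtime_min <= o.rto_min,
        "mtd_exceeded": downtime_min > o.mtd_min,
        "rpo_met": data_loss_min <= o.rpo_min,
    }


def impact_tier(loss_per_hour):
    """Classify hourly loss using the slide's bands; the bands leave gaps."""
    if loss_per_hour > 300_000:
        return "severe"
    if 100_000 <= loss_per_hour <= 150_000:
        return "moderate"
    if loss_per_hour < 25_000:
        return "minimal"
    return "unclassified"   # e.g. 50k/hour falls between the slide's bands


def estimated_loss(downtime_min, loss_per_hour):
    """Straight-line loss estimate for the outage (assumed linear model)."""
    return downtime_min / 60 * loss_per_hour


def recovery_order(active):
    """Order concurrent outages [(process, minutes_down), ...] for recovery.

    Assumed rule: lowest priority number first, then the outage with the least
    time left before it breaches its MTD.
    """
    def key(item):
        process, down = item
        o = OBJECTIVES[process]
        return (o.priority, o.mtd_min - down)
    return [process for process, _ in sorted(active, key=key)]


if __name__ == "__main__":
    # Constructed sample: POS down 20 minutes with an hour of lost transactions.
    print(evaluate_outage("Point of Sale", 20, 60))
    print(impact_tier(400_000), estimated_loss(20, 400_000))
    print(recovery_order([("Employee payroll", 600), ("Point of Sale", 10), ("Email", 2000)]))
```

Feeding real outage timings into evaluate_outage after each incident or drill gives the post-mortem a concrete RTO/MTD/RPO scorecard instead of an impression, and the "unclassified" tier is the prompt to close the gaps in the impact bands before they are used in a real declaration.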
Conclusion
• Understand what’s important to the business
• Test your plan and update it based on lessons learned
• Post-mortems are critical and must be performed for each incident and test
• Prepare for the worst
• Have a recovery plan
Resources
• Cyber Incident Response: Are business leaders ready?
http://www.arbornetworks.com/news-and-events/press-releases/recent-press-releases/5160-economist-intelligence-unit-and-arbor-networks-research-show-83-percent-of-businesses-are-not-fully-prepared-for-an-online-security-incident
• NIST Computer Security Incident Handling Guide
http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
• State of Security Operations – HP
https://ssl.www8.hp.com/ww/en/secure/pdf/4aa5-0501enw.pdf
QUESTIONS
Richard White MBA CISSP CHP/CHSS – Principal, Security Intelligence and Operations
One Alewife Center, Suite 450, Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” – PC MAGAZINE, EDITOR’S CHOICE
“Co3…defines what software packages for privacy look like.” – GARTNER
“Platform is comprehensive, user friendly, and very well designed.” – PONEMON INSTITUTE
“One of the hottest products at RSA…” – NETWORK WORLD, FEBRUARY 2013