5 steps to improve your incident response plan

Upload: co3-systems

Post on 18-Nov-2014

DESCRIPTION

Do you have an incident response plan to cover disasters, cyber-attacks, and other threats to your organization? How confident are you that it will work in a real-world situation? While simply having a plan will help you check the box on the audit, it doesn't guarantee effectiveness in a real situation. Assessing your incident response plans through fire drills, desktop exercises, functional scenarios, and full-scale exercises will help your organization truly validate the effectiveness of the plan. IR assessments are meant to:

- Evaluate plans, policies, and procedures
- Find weaknesses in the plan and gaps in resources
- Improve coordination and communication internally and externally
- Define and validate roles and responsibilities
- Train personnel in their roles and responsibilities

This webinar will provide practical steps for assessing your organization's plans and demonstrate ways to improve them through a methodical and proven approach. After all, whether they're big or small, internal or external, incidents occur in almost any organization. Complete plans that have been tested, backed by trained resources and thorough communication, are the proven recipe to minimize the impact of incidents when they occur. Our featured speakers for this webinar will be:

- Ted Julian, Chief Marketing Officer, Co3 Systems
- Richard White, Security Intelligence and Operations Principal, HP Enterprise Security Products

TRANSCRIPT

Page 1: 5 Steps to Improve Your Incident Response Plan

5 Steps to Improve Your Incident Response Plan

Page 2

Introductions: Today’s Speakers

• Ted Julian – Chief Marketing Officer, Co3 Systems

• Richard White – Principal, HP Security Intelligence and Operational Consulting, MBA CISSP CHP/CHSS

Page 3

Agenda

• Do you even have a plan?

• Reality about most Incident Response plans

• 5 Steps to Improve Your Incident Response Plan

• Step 1 – How do we determine if this is an incident?

• Step 2 – Who’s in charge and are we ready?

• Step 3 – Test the plan and learn

• Step 4 – Let’s work on our communications

• Step 5 – Let’s measure the impact

• Questions

Page 4

About Co3’s Incident Response Management System

PREPARE – Improve Organizational Readiness

• Appoint team members

• Fine-tune response SOPs

• Escalate from existing systems

• Run simulations (firedrills / table tops)

MITIGATE – Document Results & Improve Performance

• Generate reports for management, auditors, and authorities

• Conduct post-mortem

• Update SOPs

• Track evidence

• Evaluate historical performance

• Educate the organization

ASSESS – Identify and Evaluate Incidents

• Assign appropriate team members

• Evaluate precursors and indicators

• Correlate threat intelligence

• Track incidents, maintain logbook

• Prioritize activities based on criticality

• Generate assessment summaries

MANAGE – Contain, Eradicate, and Recover

• Generate real-time IR plan

• Coordinate team response

• Choose appropriate containment strategy

• Isolate and remediate cause

• Instruct evidence gathering and handling

• Log evidence

Page 5

Security Intelligence & Operations Consulting

Experience:

• 30+ SOC Builds

• 90+ SOC Assessments

• 30+ SIOC Consultants worldwide

Solution Approach:

• People, Process, & Technology

Accelerated Success:

• Mature Project Methodology

• Best Practices

• Extensive Intellectual Capital

Purpose:

Ensure our customers are successful with ESP products by providing the right People, building the right Processes and delivering effective Technology.

ESP Services – Founded: 2007

Page 6

HP’s industry-leading scale

• Monthly security events: 2.3 billion

• HP Secured User Accounts: 47m

• HP Security Professionals: 5000+

• 10 out of 10 Top telecoms

• 9 out of 10 Major banks

• Global Security Operations Centers: 8 Global SOC, planned regional SOC

• HP managed security customers: 900+

• All major branches US Department of Defense

• 9 out of 10 Top software companies

Page 7

DO YOU EVEN HAVE A PLAN?

Page 8

Why have a plan?

• Legally required in most cases (PCI, HIPAA, SOX, etc…)

• Core Security Function for any organization

• Train people and teams the proper way to respond

Page 9

Do you even have a plan?

State of Security Operations Business White Paper – Hewlett Packard

• Three major points in the report:

• Security incidents are increasing in complexity, occurrence and success, meaning organizations are going to have to invest more in response planning and capabilities.

• Organizations need a better understanding of the threats so they can prepare better and utilize resources more effectively.

• Internal incidents are still the most common, such as malware, insider threats and employees losing sensitive data.

Page 10

REALITY ABOUT INCIDENT RESPONSE PLANS

Page 11

Reality about Incident Response Plans

• No plan is perfect and no plan survives a real world test.

• IR Plans require documentation, testing and validation before they can be called a real IR plan.

• Incident response plans go stale over time and must be refreshed annually or whenever the organization makes any major changes.

• Most organizations have no plans in place or response capabilities.

Page 12

What’s in an Incident response plan?

Incident Response Plans are directed by Policy, guidelines and Directives

A good Incident Response Plan defines:

• Roles and responsibilities

• Description, goals and objectives

• Process for determining and declaring an incident

• Definition of different incident types and severity criteria

• Process flows from beginning to recovery

• Communication plans internally and externally

• Chain of command for each Incident Type

Page 13

POLL

Page 14

ASSESS AND IMPROVE YOUR PLAN

Page 15

Step 1 – How do we determine if this is an incident?

• A policy is in place for the organization that sets the requirements and standards for Incident Response.

• Defines the criteria for a major and minor incident type

• Requires a procedure for each Incident Type

• Defines overall responsibility in the organization

• When an Incident is declared, it should be based on incident type and well developed supporting procedures.

• Do we know and understand any Third party/Vendor Incident response procedures?

• The decision matrix needs to be based on Asset Criticality, Impact to the business and Threat type.

Page 16

Step 1 – How do we determine if this is an incident?

Category | Description | Single Workstation | Multiple Workstations/Single HVT | Multiple HVTs/PCI Asset
Exercise/Network Defense Testing | This category is used during approved activity testing of internal/external network defenses or responses | SEV-4 | SEV-4 | SEV-4
Successful Unauthorized Access/Intrusion: Root/Admin Level | In this category an individual gains admin/root level logical or physical access without permission to a company network, system, application, data, or other resource | SEV-3 | SEV-2 | SEV-1
Successful Unauthorized Access/Intrusion: User Level | In this category an individual gains user level logical or physical access without permission to a company network, system, application, data, or other resource | SEV-3 | SEV-2 | SEV-1
Attempted Unauthorized Access/Intrusion | This category shows an attacker's unauthorized attempt at accessing a company network, system, application, data, or other resource, though not successful | SEV-4 | SEV-3 | SEV-2
Denial of Service | An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS. | SEV-3 | SEV-2 | SEV-1
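The matrix above only becomes a repeatable declaration process once the "which column am I in" question is answered from asset data rather than gut feel. The following is an added example (not code from the webinar, Co3 or HP) that encodes the slide's categories and SEV values and derives the scope column from the affected assets. The `Asset` fields `hvt` and `pci` stand in for asset-criticality data an inventory would carry and are assumptions, as is the rule in `incident_severity` that the most severe observation sets the incident's severity.

```python
from dataclasses import dataclass

# Scope columns of the matrix, from narrowest to widest blast radius.
SCOPES = ("Single Workstation",
          "Multiple Workstations/Single HVT",
          "Multiple HVTs/PCI Asset")

# Category -> severity number per scope column (transcribed from the slide;
# a lower number is more severe, SEV-1 being the worst).
MATRIX = {
    "Exercise/Network Defense Testing": (4, 4, 4),
    "Successful Unauthorized Access/Intrusion: Root/Admin Level": (3, 2, 1),
    "Successful Unauthorized Access/Intrusion: User Level": (3, 2, 1),
    "Attempted Unauthorized Access/Intrusion": (4, 3, 2),
    "Denial of Service": (3, 2, 1),
}


@dataclass(frozen=True)
class Asset:
    """One affected asset. The hvt/pci flags stand in for asset-criticality
    data an inventory would hold; they are assumed fields, not the slide's."""
    name: str
    hvt: bool = False   # high-value target
    pci: bool = False   # in PCI scope


def scope_for(assets):
    """Derive the matrix column from the set of affected assets."""
    if not assets:
        raise ValueError("an incident must involve at least one asset")
    hvt_count = sum(1 for a in assets if a.hvt)
    if hvt_count > 1 or any(a.pci for a in assets):
        return SCOPES[2]
    if hvt_count == 1 or len(assets) > 1:
        return SCOPES[1]
    return SCOPES[0]


def severity(category, assets):
    """Return the 'SEV-n' label for one observation."""
    if category not in MATRIX:
        # An unknown category is a policy gap to fix, not something to guess at.
        raise KeyError(f"no severity row for category {category!r}")
    column = SCOPES.index(scope_for(assets))
    return f"SEV-{MATRIX[category][column]}"


def incident_severity(observations):
    """Combine several observations of one incident. Assumed resolution
    rule: the most severe observation sets the incident severity."""
    levels = [int(severity(cat, assets).split("-")[1])
              for cat, assets in observations]
    return f"SEV-{min(levels)}"


if __name__ == "__main__":
    # Constructed sample: a failed login attempt on a workstation plus a
    # root-level compromise of a single high-value server.
    observed = [
        ("Attempted Unauthorized Access/Intrusion", [Asset("ws-1")]),
        ("Successful Unauthorized Access/Intrusion: Root/Admin Level",
         [Asset("dc-1", hvt=True)]),
    ]
    print(incident_severity(observed))
```

Raising on an unknown category is deliberate: slide 15 requires a procedure for each incident type, so a category with no row is a gap in the policy and should surface during a drill rather than be silently mapped to a default.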

Page 17

Step 1 – How do we determine if this is an incident?

• Severity Levels and SLA’s must be standardized across the organization.

• Agree on a dispute resolution process when SLA’s and Severity definitions collide.

• Maintain an overall communication and escalation plan with multiple paths of communication and alternates.

Involve other groups in the incident declaration process

• Initiate communications

• Provide scheduled updates

• Start documentation and ask for evidence preservation

Page 18

Step 2 – Who’s in charge and are we ready?

Roles, Responsibilities and Authority must be defined

• Roles must be supported by Policy granting authority needed to fulfill the role.

• Do we have the right people and are they trained properly to handle most Incidents?

• Enough resources to do the day job and handle the incident?

• Do they know the plan and understand what to do?

• Are the right support groups involved and identified?

• Know who to get involved

• Know who not to get involved

Page 19

Step 2 – Who’s in charge and are we ready?

Roles, Responsibilities and Authority must be defined

• Some roles require representation and expertise from legal, HR, communications, executive leadership, etc…

• Collect the information that will be needed at time of incident or provide paths to updated information

• Asset information

• Network diagrams

• Key resources

• Support services and resources

Page 20

Step 2 – Who’s in charge and are we ready?

Roles, Responsibilities and Authority must be defined

Responsible - Performs the role, delegated to perform the task by the Accountable Party

Accountable - The one ultimately answerable for the correct and thorough completion of the task

Consulted - Those whose opinions are sought, typically subject matter experts

Informed - Those who are provided status on the progress of the tasks.

Phase \ Role | SOC Manager | SOC Analysts | Forensic Analyst | Incident Manager | Business Unit Incident Response Team | Business Unit Mgmt.
WATCH | A | R | - | - | - | -
TRIAGE | A | R | C | - | - | -
MOBILIZE | A | R | - | C | I | I
ASSESS & CONTAINMENT | I | I | C | C | R | A
STABILIZE | I | I | - | C | R | A
RECOVERY | I | I | - | C | R | A
Post Mortem | A | I | C | R | C | I
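A RACI matrix is only useful if it actually answers "who's in charge" for every phase, which is easy to check mechanically during a plan review. The following added example (not code from the webinar, Co3 or HP) transcribes the matrix above and runs two kinds of checks over it: hard errors (each phase has exactly one Accountable role and at least one Responsible role) and an advisory heuristic of our own, not a rule from the slide, that flags any role which is never Responsible or Accountable in any phase.

```python
ROLES = ("SOC Manager", "SOC Analysts", "Forensic Analyst", "Incident Manager",
         "Business Unit Incident Response Team", "Business Unit Mgmt.")

# Phase -> one RACI code per role, '-' meaning no involvement (from the slide).
RACI = {
    "WATCH":                ("A", "R", "-", "-", "-", "-"),
    "TRIAGE":               ("A", "R", "C", "-", "-", "-"),
    "MOBILIZE":             ("A", "R", "-", "C", "I", "I"),
    "ASSESS & CONTAINMENT": ("I", "I", "C", "C", "R", "A"),
    "STABILIZE":            ("I", "I", "-", "C", "R", "A"),
    "RECOVERY":             ("I", "I", "-", "C", "R", "A"),
    "Post Mortem":          ("A", "I", "C", "R", "C", "I"),
}

VALID_CODES = {"R", "A", "C", "I", "-"}


def check_raci(matrix, roles=ROLES):
    """Hard errors: every phase needs exactly one Accountable role and at
    least one Responsible role, and every cell must be a valid code.
    Returns an empty list when the matrix passes."""
    errors = []
    for phase, row in matrix.items():
        if len(row) != len(roles):
            errors.append(f"{phase}: {len(row)} cells for {len(roles)} roles")
            continue
        invalid = [c for c in row if c not in VALID_CODES]
        if invalid:
            errors.append(f"{phase}: invalid codes {invalid}")
        if row.count("A") != 1:
            errors.append(f"{phase}: expected exactly one Accountable, "
                          f"found {row.count('A')}")
        if "R" not in row:
            errors.append(f"{phase}: nobody is Responsible")
    return errors


def advisories(matrix, roles=ROLES):
    """Soft findings (our heuristic, not a rule from the slide): a role that
    is never Responsible or Accountable in any phase owns no work in the
    plan, which is worth a second look during plan review."""
    notes = []
    rows = [row for row in matrix.values() if len(row) == len(roles)]
    for i, role in enumerate(roles):
        if rows and not any(row[i] in ("R", "A") for row in rows):
            notes.append(f"{role}: never Responsible or Accountable in any phase")
    return notes


def accountable_for(matrix, phase, roles=ROLES):
    """Escalation helper: the role(s) marked Accountable for a phase."""
    return [roles[i] for i, code in enumerate(matrix[phase]) if code == "A"]


if __name__ == "__main__":
    for line in check_raci(RACI) + advisories(RACI):
        print(line)
    print("RECOVERY is owned by:", accountable_for(RACI, "RECOVERY"))
```

Run against the slide's own matrix the hard checks pass, while the advisory reports that the Forensic Analyst is only ever Consulted; whether that is intended is exactly the kind of question a tabletop exercise should settle.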

Page 21

POLL

Page 22

Step 3 – Test the plan and Learn

• Drills

• Desktop exercises

• Functional Exercises

• Full scale exercises

The exercise scenarios are designed to stimulate technical, operational, communication and/or strategic responses to cyber incidents with a view to reviewing and refining current capabilities.

Page 23

Step 3 – Test the plan and Learn

• Steps in an Exercise

• Preparation

• Detection and Analysis

• Containment and Eradication

• Post-Incident Activity

• Recovery process – get back to business

[Figure: incident response lifecycle cycle with the phases Preparation, Detection and Analysis, Containment Eradication, Recovery]

Page 24

Step 3 – Test the plan and Learn

Overall goals

• Examine information sharing

• Assess decision making

• Evaluate roles and responsibilities within the organization

Multi-group participation allows us to

• Understand incident management across multiple departments and entities

• Evaluate threat information sharing among the whole community

• Understand roles and responsibilities

• Test and evaluate Incident Response coordination

Page 25

Step 4 – Let’s work on our communications

• Review and test the communication plan

• Identify Incident Manager and Incident Management Team members and their alternates.

• Identify Business and Information Technology Team Leaders and their alternates.

• Vendor Emergency contacts and processes

• Regularly update and maintain internal and external contact lists.

• Identify the person or department to handle any media requests.

Page 26

Step 4 – Let’s work on our communications

• Establish a conference bridge

• Centralized Knowledgebase/Document Repository

• Recovery plans

• Status updates

• Share documents

• Store Documents

• Template for communications so we are sending all the right information

• Identify Crisis command center/war room and an alternate location

• Help desk automated messages to prevent overwhelming staff

Page 27

Step 4 – Let’s work on our communications

Why communication plans fail to communicate

• Email is often ignored

• Voice mail is ignored

• Alerts are ignored

• Out of date

• Weekends, holidays and nights phones get turned off

• The plan is never updated

• Staff get overwhelmed by requests

Page 28

Step 5 – Let’s measure the impact

Understand what has a negative impact on the business

• Loss of data.

• Reputation.

• Legal requirements.

• What’s the cost of a severe, moderate or minimal incident?

• How long can we be down and survive?

• Who will be impacted the most?

Page 29

Step 5 – Let’s measure the impact

Priority | Asset/Business Process | Recovery Time Objective (RTO) | Maximum Tolerable Downtime (MTD) | Recovery Point Objective (RPO)
1 | Point of Sale | 15 minutes | 30 minutes | 4 hours
2 | Email | 12 hours | 48 hours | 24 hours
2 | Employee payroll | 48 hours | 96 hours | 12 hours

Point of Sale

Priority | Severe | Moderate | Minimal
Impact | Loss of revenue, overtime costs, loss of customer loyalty, data loss | Some revenue loss, overtime costs, customer annoyance | Loss of revenue
Cost per hour | Greater than 300k per hour | 100-150k per hour | <25k per hour
 | 3% | 22% | 60%
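The two tables above are the raw material for answering "how long can we be down and survive?" with numbers instead of opinions. The following added example (not code from the webinar, Co3 or HP) encodes the slide's RTO/MTD/RPO rows and the Point of Sale loss bands, then checks a recorded outage against them and estimates its cost. The outage timeline, the last-good-copy timestamp and the hourly loss figures in `sample_reports` are constructed inputs for illustration; the slide's bands leave gaps (for example between 150k and 300k per hour), and the code reports such values as unclassified rather than rounding them into a band.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Objective:
    priority: int
    rto: timedelta  # Recovery Time Objective: service restored within this
    mtd: timedelta  # Maximum Tolerable Downtime: beyond this the business is at risk
    rpo: timedelta  # Recovery Point Objective: maximum acceptable data loss, as time


# Transcribed from the slide.
OBJECTIVES = {
    "Point of Sale": Objective(1, timedelta(minutes=15), timedelta(minutes=30),
                               timedelta(hours=4)),
    "Email": Objective(2, timedelta(hours=12), timedelta(hours=48),
                       timedelta(hours=24)),
    "Employee payroll": Objective(2, timedelta(hours=48), timedelta(hours=96),
                                  timedelta(hours=12)),
}


def impact_band(hourly_loss):
    """Map an hourly loss (USD) to the slide's Point of Sale bands. Values
    that fall in a gap between bands are reported as such, not rounded."""
    if hourly_loss > 300_000:
        return "Severe"
    if 100_000 <= hourly_loss <= 150_000:
        return "Moderate"
    if hourly_loss < 25_000:
        return "Minimal"
    return "Unclassified (between the slide's bands)"


def assess_outage(process, started, restored, last_good_copy, hourly_loss):
    """Compare one outage against the process's objectives and estimate cost.
    started/restored bound the outage; last_good_copy is the timestamp of the
    most recent recoverable data; hourly_loss is the estimated USD per hour down."""
    obj = OBJECTIVES[process]
    downtime = restored - started
    data_loss = started - last_good_copy
    hours = downtime.total_seconds() / 3600
    return {
        "process": process,
        "priority": obj.priority,
        "downtime_minutes": int(downtime.total_seconds() // 60),
        "rto_met": downtime <= obj.rto,
        "mtd_met": downtime <= obj.mtd,
        "rpo_met": data_loss <= obj.rpo,
        "impact_band": impact_band(hourly_loss),
        "estimated_loss": round(hours * hourly_loss),
    }


def worst_breach(reports):
    """Across several affected processes, the highest-priority one that
    exceeded its MTD is where attention goes first (priority 1 is highest)."""
    breached = [r for r in reports if not r["mtd_met"]]
    if not breached:
        return None
    return min(breached, key=lambda r: r["priority"])["process"]


def sample_reports():
    """Constructed scenario: a 40-minute Point of Sale outage with a backup
    one hour old, and a 10-hour email outage with a 30-hour-old backup."""
    t0 = datetime(2014, 11, 18, 9, 0)
    pos = assess_outage("Point of Sale", t0, t0 + timedelta(minutes=40),
                        t0 - timedelta(hours=1), 350_000)
    mail = assess_outage("Email", t0, t0 + timedelta(hours=10),
                         t0 - timedelta(hours=30), 20_000)
    return [pos, mail]


if __name__ == "__main__":
    reports = sample_reports()
    for r in reports:
        print(r)
    print("attend to first:", worst_breach(reports))
```

In the constructed scenario the Point of Sale outage misses both its RTO and its MTD while staying within RPO, and the email outage is the reverse (restored in time, but the data loss exceeds the 24-hour RPO); a post-mortem driven by these figures has concrete items to fix rather than a general sense that "it took too long".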

Page 30

Conclusion

• Understand what’s important to the business

• Test your plan and update it based on lessons learned

• Post-Mortems are critical and must be performed for each incident and test

• Prepare for the worst

• Have a recovery plan

Page 31

Resources

• Cyber Incident Response: Are business leaders ready?
http://www.arbornetworks.com/news-and-events/press-releases/recent-press-releases/5160-economist-intelligence-unit-and-arbor-networks-research-show-83-percent-of-businesses-are-not-fully-prepared-for-an-online-security-incident

• NIST Computer Security Incident Handling Guide
http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf

• State of Security Operations – HP
https://ssl.www8.hp.com/ww/en/secure/pdf/4aa5-0501enw.pdf

Page 32

QUESTIONS

Page 33

One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE

“Co3…defines what software packages for privacy look like.”
GARTNER

“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE

Richard White MBA CISSP CHP/CHSS
Principal, Security Intelligence and operations
[email protected]

“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013