Security Incident Response - PowerPoint PPT Presentation
1
Security Incident Response
Eric W. Sinclair, CISSP, Information Security Specialist
2
Introducing... Todd Fitzgerald
3
What is Security Incident Response?
  • Security incident response is the ability to
    detect and resolve problems that threaten people,
    process, technology and facilities.
  • Resolution of an incident through an appropriate
    reaction to, and containment of, the problem
    constitutes security incident response.

4
What is a SIR Team?
  • A Security Incident Response Team (SIRT) is
    formed to better address the dynamic threats
    against company systems and to handle security
    incidents by centralizing this activity in one
    functional unit.
  • A more formalized incident response team can
    better respond to security incidents and ensure
    that the broad range of issues which arise are
    fully coordinated.

5
Requirements driving SIRT creation
6
How do I get started?
  • Research and utilize well-known resources:
    • NIST SP800-61
    • SANS Institute
    • CERT
    • Department of Homeland Security
    • NSA

7
CAUTION!!!
  • Tailor best practices to your organization!
  • Don't change your organization to meet a best
    practice!

8
Define Incident
  • An incident can be thought of as a violation or
    imminent threat of violation of computer security
    policies, acceptable use policies, or standard
    security practices.

NIST SP800-61
9
Your Definition of Incident
  • The term security incident is defined as the
    act of non-compliance with the security policy,
    procedure, or a core security requirement that
    impacts the confidentiality, integrity and
    availability of health information.

UGS SIRT Manual
10
Define SIRT terms
  • Event: an observable occurrence
  • Adverse event: an event with a negative consequence
  • Event indicators: sources of detection
  • Incident examples: the types of adverse events in
    YOUR organization

Security pros: present a draft to your members!
11
Create policies
Recommend, Approve, Publish
12
Create Policies
  • User incident reporting
    • Users must immediately report any actual or
      suspected security incidents.
    • Users will be required to assist with security
      incident resolution if necessary.
  • Incident response
    • Reported incidents must be acted upon immediately
      and appropriately. Establishes the SIRT program.
  • SIRT responsibilities
    • Establishes membership, the responsibilities of
      each member, and the team as a whole.

13
Assign SIRT Leadership
  • SIRT Manager
    • Usually the Security Officer or the Privacy Officer
  • SIRT Deputy
    • Usually a senior Security Department member

14
Assemble the Team
  • Appropriate Skills
  • Appropriate Organizational Groups
  • Understanding of Individual Roles

15
SIRT Charter
  • Mission: protect CIA (confidentiality, integrity,
    availability)
  • Philosophy
    • Immediately stop the incident?
    • Allow it to continue for evidence collection?
  • Goals
    • Immediately stop any active incident
    • Minimize the impact of security incidents to the
      company through containment of the incident
    • Respond to reported security threats
    • Collect and process data so that it can be used
      to prosecute, if necessary
    • Enable reporting to proper external partners,
      such as the FBI, and other agencies that track
      incidents, such as CERT
    • Refine the security incident response process
      through evaluation of previous responses

16
Create Reporting Procedures
Post user-friendly processes in accessible areas.
17
Handling the Incident
Incident Response Life Cycle
19
Hard Lessons Learned
  • Document Everything!
  • Present users with multiple reporting mechanisms.
  • Collect system/user logs immediately!
  • Keep SIRT Member lists and contact information
    updated.
  • Centralized SIRT Control
  • Be aware of organizational relationships (other
    SIR Teams)
  • Learn from previous incidents
  • Update procedures regularly

20
Benefits of the IR Process
  • Continued User Awareness
  • Existing Policies Updated
  • New Policies Created
  • Measurement of Awareness
  • Measurement of Compliance
  • SIR Processes Updated
  • Heightened SIRT Preparedness

22
Questions and Discussion
Thank You!