Incident Response Testing - PowerPoint PPT Presentation

About This Presentation
Title:

Incident Response Testing

Description:

As the cybersecurity landscape continues to evolve and threat actor sophistication increases, it is ever more important that you not only have incident response processes in place but that you ensure they work consistently. And, of course, you should continuously iterate and improve over time.

Transcript and Presenter's Notes

Title: Incident Response Testing


1
Testing Incident Response
  • Putting Your Incident Response
  • Processes to the Test

2
Introduction
  • Remember your class being gathered and ushered into
    the centermost room of your school.
  • Schools run tornado and fire drills so everyone
    knows what to do, and when. Plus, you don't want to
    find out your emergency plans don't work at the
    moment disaster actually strikes.
  • So why aren't we applying this logic more
    broadly in cybersecurity?

3
Are You Regularly Testing Your Incident Response
Processes?
4
Incident Response in Kindergarten
  • Security operations leaders would do well to take
    a cue from the emergency drills of their
    childhood when it comes to their incident
    response programs and processes. What makes sense
    on paper or the whiteboard often doesn't work as
    planned when put into practice.

5
Cybersecurity Incident Response
  • As the cybersecurity landscape continues to
    evolve and threat actor sophistication increases,
    it is ever more important that you not only have
    incident response processes in place but that you
    ensure they work consistently. And, of course,
    you should continuously iterate and improve over
    time.

6
IR Processes and the School of Hard Knocks
  • While many organizations go to great lengths to
    set up effective security operations incident
    response plans, very few proactively test their
    processes to ascertain how they will work when
    faced with a real threat. SANS found that only
    33% of organizations periodically review and
    update their incident response processes, while
    another 25% only review and update their
    processes after a major incident.

7
Assessment of IR Process
8
How to Test Your IR Processes
  • Paper tests are mostly theoretical and may be a
    first step for security operations teams who
    don't have well-documented incident response
    processes.
  • Tabletop exercises are just that - stakeholders
    around a table running through a security event
    scenario. This technique allows teams to review
    and practice the various actions detailed in an
    incident response process.
  • Simulated Attacks - A fully simulated attack is
    the most effective way of pressure testing your
    incident response processes as it uses real life,
    controlled attacks to see how an organization
    will respond when hit by an external threat. For
    instance, an organization can simulate the
    deployment of a known threat

9
Simulated Attacks
10
Optimizing Your IR Processes
  • Testing your incident response processes yields
    two important results - a clear understanding of
    whether your plan is likely to work and a list of
    gaps that should be addressed.
  • Your incident response playbooks should always be
    updated after they've been put to use, whether in
    a simulated scenario or as part of real security
    incident triage and remediation. And, through
    testing, you should identify opportunities to
    apply automation to your incident response
    processes to expedite remediation and keep your
    analysts focused on the highest-value tasks.

11
The Role of Playbooks
  • Everything we've discussed in this article
    assumes your organization has some level of
    documentation for your incident response
    processes.
  • Playbooks ensure that everyone in your
    organization is on the same page, will execute
    processes the same way and knows what their role
    is in the event of an incident. As with attack
    simulations, there are a variety of ways to
    approach playbook creation, including automated
    playbooks available within many security
    orchestration platforms.

12
Conclusion
  • Having the best incident response plan is only as
    good as the paper it's written on if it fails to
    provide a suitable response to a threat. Your
    incident response processes should be codified,
    documented and regularly pressure tested for
    vulnerabilities. And you must ensure that
    playbooks exist and are regularly updated to
    reflect lessons learned from the tests and actual
    incidents.