Overview of the. Computer Security Incident Response Plan. Process Resource Center

Transcription

1 Overview of the Computer Security Incident Response Plan Process Resource Center

2 Mobilized CSIRP: Visually Intuitive, Accurate, Complete, Succinct Content Available On-the-Go Process Resource Centers: Customized Web Frameworks that Place CSIRP Policies, Processes, and Resources at the Fingertips of All Stakeholders When and How They Need It Visually Illustrates the Incident Response Plan in a Fashion that Enables All Stakeholders to Quickly Get on the Same Page Includes dynamic links and navigation to: Segmented visually intuitive workflows and response protocols Clearly defined roles and responsibilities, contacts, glossaries, forms, websites, videos and other resources as needed Links to applications and required information sources Centralized, Accessible via Desktops, Laptops, Tablets, and Mobile Phones HTML Version Can Run Entirely from a Jump-Kit Laptop and Mobile Phone if Network is Unavailable

3 CSIRP Process Resource Center for the NIST SP R2 Incident Response Lifecycle Widely Referenced Incident Response Lifecycle Extensive Availability of Supportive Authoritative Referenceable Sources

4 NIST SP R2 Community CSIRP Process Resource Center Home Page

5 Customized Web-Based Computer Security Incident Response Plan (CSIRP) Visually Intuitive Navigation Centralized Access to Supporting Resources NIST SP , 83, 83r2, 84, 184, 86, SANS, CERT, US & ICS-CERT, ISAC, MITRE, Specific Vendor Best Practices and more Each phase contains relevant intuitive workflows, supporting reference material where they apply within the process, and end-to-end accountability Reference center provides additional resources like threat playbooks and links to sites that provide malware remediation assistance

6 Home Page of CSIRP Process Resource Center Expanded Intent & Key Definitions

7 CSIRP Home Page Linked Document CSIRP Web Framework Overview

8 CSIRP 1.0 Preparation Preparation is about: Establishing and training the incident response team Proactively planning specific responses for the likely attacks the organization may face Acquiring the necessary incident response tools and resources Preparing the team to effectively react within minutes of unfamiliar attacks Testing plans and preparedness Continuously improving the incident response posture with lessons learned, industry updates, and reconnaissance

9 1.1 Create Computer Security Incident Response Team Charter (CSIRT) CSIRT Charter Establishes written management commitment to the CSIRP Defines goals, scope, levels of authority, roles, and responsibilities

10 Step 1.4: Create Response Plans for Incident Types Defined in Step 1.2, the Compliance & Threat Requirements Library

11 CSIRP 2.0 Monitor, Detection, & Analysis Monitor, Detection, & Analysis: The Monitor function was added to Detection and Analysis Monitor, Detection, & Analysis is about recognizing, receiving, analyzing and classifying all cybersecurity events and determining which are actual incidents vs. security or maintenance events Prioritizing the handling of incidents Event escalation path alternatives

12 2.1 Monitor and Detection

13 2.1 Monitor and Detection

14 2.2 Analysis

15 Fingertip Access to SOPs and Best Practices When Required Logically in the Plan

16 CSIRP 3.0 Containment, Eradication, & Recovery Containment, Eradication, & Recovery is about: Isolating the attacked system(s) Quickly and effectively determining the appropriate containment method Stopping the damage to the infected host(s) Tracking down other system infections and remedying them Ensuring the attack is fully remedied Bringing functionality back to normal Monitoring to ensure there are no lingering components of the attack

17 3.1 Containment, Eradication, & Recovery

18 CSIRP 4.0 Post-Incident Activity Post-Incident Activity is about Conducting robust assessments of lessons learned Ensuring the appropriate actions are taken to prevent recurrence of the vulnerability exploit Conducting forensics to aid understanding and remedy the vulnerability, the exploit, and to support possible legal actions

19 4.0 Post-Incident Activities

20 4.0 Post-Incident Activities

21 Reference Center

22 Library Contains Integrated Full Document for Regulatory and Audit Requirements

23 CSIRP Management Contacts

24 Visual End-to-End Total Accountability SIPOC Combined with RACI Eliminate Silos

25 Designed to Adapt to Desktops, Laptops, Tablet, and Mobile Phones

26 Adapt to Any Compliance Standards

27 Process Management Contact Contact: Henry Draughon Process Delivery Systems (972) Manage the Forest and the Trees Bridging the Gap Between Operations and Strategy