It’s Monday. Your cell phone starts buzzing. The CEO wants you in his office NOW to explain why your company is trending on Twitter (and not in a good way). Your inbox is full. Every social media interface you’re connected to is screaming for attention. You get a text from a Russian telephone number that says “p0wn3d!” You log in to check on the system status, and your dashboard is lit up like Times Square on New Year’s. Sympathetic colleagues have left a giant box of coffee and large bottles of pain killers on your desk. It’s going to be a long day.
The worst time to figure out how to respond to a security incident is when you’re in the middle of one. Carole Fennelly explains why an effective incident response plan requires that policies, plans, people, technologies, and processes be in place and tested before a security incident occurs.
Security technology designed to detect, alert, and log events is not very effective if it isn’t properly configured. Intrusion detection systems are great tools but are of limited use if you don’t have critical assets in scope. Log files can provide information about the attack but are not very helpful if they haven’t been configured to collect and protect data for critical assets before the attack.
Incident response has evolved quite a bit in the last 30 years. Thirty years ago, there was little, if any, guidance on how to respond to a breach and few tools to detect and investigate intrusions. In those days, admins usually found out about a breach when their systems started behaving strangely or they got a call from another admin. The primary goal for many years was to get the systems back in operation and address the conditions that led to the breach. Costs were limited to system downtime and staff hours spent working on the incident. Breaches were considered to be technical problems involving technical people.
Technical people still have a prominent role in the incident response process, but the impact on the business has shifted from the temporary loss of technical resources to the more permanent loss of data, resulting in significant liability issues. It’s important for technical staff to work together with business staff to understand the business priorities for data gathering and analysis, so technical skills and insight can be leveraged to determine the scope of the breach and limit the organization’s exposure. What you don’t know can hurt you—especially when it comes to regulatory issues. If there is a breach and the extent of the damage or data loss is not known, the assumption must be made that everything was compromised. The consequences of this can kill a business.
Carole walks you through 30 years of real-world incident response experience, covering preparation, detection and evaluation, containment, investigation, recovery, and postmortem, to establish an incident response plan that is tailored for your company.
Carole Fennelly is a freelance information security management consultant in the greater NYC area. Carole has over 35 years of hands-on experience in the information security and technology fields and has authored several industry-standard security benchmarks based on her extensive experience in operating system platforms and security practices. As a consultant, Carole has defined security strategies and developed policies and procedures to implement strategies at numerous Fortune 500 clients in the NYC area.
©2017, O'Reilly Media, Inc. All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners.