5 Best Practices to Reduce Incident Response Time - Great Bay Software
Slide 1
A data breach is inevitable
43% of IT professionals said their organization experienced a breach last year
- Ponemon Institute report: 2014 a Year of Mega Breaches
There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese, and those who don’t know they’ve been hacked by the Chinese.
- James Comey, United States FBI Director
Slide 2
Teams don’t feel prepared
• 26% believe their current organization’s IR capabilities are ineffective
• The definition of an incident remains broad - increasing the workload for understaffed IR teams
Source: SANS Institute report, Incident Response: How to Fight Back
Slide 3
Incident Response Framework
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned
Slide 4
Today’s Agenda
1. Formal incident response plan
2. Integration of systems
3. Endpoint location data
4. Endpoint behavior monitoring
5. Team practice
Slide 5: Best Practice #1
Formal incident response plan
This best practice affects:
• Step 1 - Preparation: Having a formal process rather than a general one will enable your team to be prepared when an incident occurs.
• Step 6 - Lessons learned: The formal process makes revising and optimizing how you handle incidents in the future easier.
Slide 6: Best Practice #1
According to the statistics:
• 43% of IT professionals say a lack of formal IR plans and procedures presents obstacles
• 55% identified that a lack of a formal IR team presents obstacles
Source: SANS Institute report, Incident Response: How to Fight Back
Slide 7: Best Practice #1
Three parts to an IR plan
1) Identify who is a part of your incident response team
• This includes identifying which stakeholders need to be informed at which points.
2) Write down the steps in your process
• The act of publishing your process will help remove any assumptions that individuals may have.
3) Educate the security team and the whole organization
• The depth of information shared will be different; however, the entire organization needs to understand how to raise a red flag if they see something suspicious.
Slide 8: Best Practice #2
Integration of systems
This best practice affects step 1 - Preparation:
• Identify exactly which systems communicate with each other
• Identify which systems your team needs to check individually
Slide 9: Best Practice #2
Piecing together the puzzle
• The average company uses several different technologies from several different vendors to secure their data
• All of them wish that these systems could be integrated to provide a single source of information and workflow
Slide 10: Best Practice #2
Questions to ask each vendor
1. What information can I pull from your system into other systems?
2. What information can I bring into your system from other systems?
3. How much customization and time will it take to make the integrations I need possible - if at all?
4. Do you provide services to help with integration of systems?
Slide 11: Best Practice #3
Endpoint location data
This best practice affects:
• Step 2 - Identification: Insight into an endpoint’s location can help the team determine if this is a problem or a false positive.
• Step 3 - Containment: Location information enables the team to remove an affected device from a connected port to contain the damage.
• Step 4 - Eradication: This information can also help the response team physically locate and remediate affected devices.
Slide 12: Best Practice #3
An impossible feat?
In most organizations, manually keeping a record of where devices are located is impossible - especially with the addition of initiatives such as BYOD, in which endpoints are portable.
Slide 13: Best Practice #3
Three parts to the best practice: endpoint location data
1) Real-time data on each endpoint attached to the network
• Allows the team to find the endpoint at the time of an incident
2) A log of all historical location data
• Helps to answer the question: “What does normal look like for this endpoint?”
3) Ability to easily search for and/or access this information
• Enables the team to access the information right when they need it
Slide 14: Best Practice #4
Endpoint behavior monitoring
This best practice affects:
• Step 2 - Identification: A warehouse of context allows you to gain a deeper insight into the potential issue
• Step 3 - Containment: Insight into device interactions can allow you to see what devices may be affected
• Step 5 - Recovery: Continuous monitoring can help ensure that the problem does not persist and alert you if a device starts behaving out of the norm
Slide 15: Best Practice #4
When you can’t see it…
50% of IT professionals cite lack of visibility into system and endpoint vulnerabilities as the key impediment to effective incident response at their organization.
- SANS white paper, Incident Response: How to Fight Back
Slide 16: Best Practice #4
Three parts to the best practice: monitoring endpoint behavior
1) Information captured from several data points on each endpoint to provide a complete picture
2) Log of historical contextual information that can be easily reviewed
3) Real-time data on endpoints that can be used to trigger alerts about uncharacteristic behavior
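The "three parts" lists for best practice #3 (endpoint location data) and best practice #4 (endpoint behavior monitoring) describe the same underlying store: a real-time view of each endpoint, a historical log, and a way to ask "what does normal look like?" so that a new observation can be compared against it. The Python below is an added example written for this page to show that store end to end; it is not Great Bay Software's Beacon code. It assumes that sightings (a MAC address, the switch and port it was seen on, and the peers it talked to) are fed in from some source such as switch MAC tables or flow records, and every MAC, switch name and host name in it is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Sighting:
    """One observation of an endpoint: when, where it was attached, and whom it talked to."""
    ts: datetime
    mac: str
    switch: str
    port: str
    peers: FrozenSet[str]   # hosts/services the endpoint talked to in this interval


class EndpointTracker:
    """Real-time location view, historical log, and baseline comparison for endpoints."""

    def __init__(self, min_history: int = 3):
        self.current: Dict[str, Sighting] = {}                       # mac -> latest sighting
        self.history: Dict[str, List[Sighting]] = defaultdict(list)  # mac -> every sighting logged
        self.min_history = min_history       # sightings needed before "normal" means anything

    def record(self, s: Sighting) -> List[str]:
        """Check the sighting against the baseline, then log it and update the live view."""
        alerts = self.check(s)
        self.history[s.mac].append(s)
        self.current[s.mac] = s
        return alerts

    def locate(self, mac: str) -> Optional[Tuple[str, str]]:
        """Where is this endpoint right now? (Containment: which port to disable.)"""
        s = self.current.get(mac)
        return (s.switch, s.port) if s else None

    def on_port(self, switch: str, port: str) -> List[str]:
        """Which endpoints are currently attached to a given switch port?"""
        return sorted(m for m, s in self.current.items() if (s.switch, s.port) == (switch, port))

    def baseline(self, mac: str) -> Tuple[FrozenSet[Tuple[str, str]], FrozenSet[str]]:
        """What does normal look like? Every location and peer seen in the endpoint's history."""
        hist = self.history.get(mac, [])
        locs = frozenset((s.switch, s.port) for s in hist)
        peers = frozenset().union(*(s.peers for s in hist))
        return locs, peers

    def check(self, s: Sighting) -> List[str]:
        """Flag anything in a new sighting that the endpoint's history has never shown."""
        if len(self.history.get(s.mac, [])) < self.min_history:
            return []   # too little history to say what normal is; log silently
        locs, peers = self.baseline(s.mac)
        alerts = []
        if (s.switch, s.port) not in locs:
            alerts.append(f"{s.mac} at {s.ts:%Y-%m-%d %H:%M} on new location "
                          f"{s.switch}/{s.port}; usual: {sorted(locs)}")
        new_peers = s.peers - peers
        if new_peers:
            alerts.append(f"{s.mac} at {s.ts:%Y-%m-%d %H:%M} talked to new peers "
                          f"{sorted(new_peers)}; usual: {sorted(peers)}")
        return alerts


BADGE_MAC = "00:11:22:33:44:55"   # constructed MAC for a door badge reader


def demo() -> Tuple[EndpointTracker, List[str]]:
    """Replay constructed sightings: four normal days of a badge reader, then one odd day."""
    tracker = EndpointTracker()
    t0 = datetime(2015, 4, 20, 8, 0)
    normal = [Sighting(t0 + timedelta(days=d), BADGE_MAC, "sw-floor2", "Gi1/0/7",
                       frozenset({"badge-server"})) for d in range(4)]
    # Same MAC shows up on a data-centre switch and starts talking to a file server.
    odd = Sighting(t0 + timedelta(days=4), BADGE_MAC, "sw-dc1", "Gi1/0/40",
                   frozenset({"badge-server", "file-server"}))
    alerts: List[str] = []
    for s in normal + [odd]:
        alerts.extend(tracker.record(s))
    return tracker, alerts


if __name__ == "__main__":
    tracker, alerts = demo()
    for a in alerts:
        print("ALERT:", a)
    print("Badge reader is now at", tracker.locate(BADGE_MAC))
```

`locate` and `on_port` are the "find it right when you need it" part of best practice #3, `baseline` answers the "what does normal look like" question from the historical log, and `check` is the real-time trigger from best practice #4: the odd sighting raises one alert for the new switch port and one for the new peer, while the first few sightings are logged without alerting because there is not yet enough history to call anything uncharacteristic.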
Slide 17: Best Practice #5
Team practice
This best practice affects all steps.
✓ Perfect practice makes perfect.
Slide 18: Best Practice #5
In a high stress situation…
• It is easy to forget formal processes and make fast decisions.
• Practice can help the team remember the process – even in crisis mode.
62% of IT professionals cite lack of time to review and practice procedures as the key impediment to effective incident response at their organization.
- SANS white paper, Incident Response: How to Fight Back
Slide 19: Best Practice #5
Two parts to the best practice
1) Practice exactly as you want the process executed
• Skipping steps and bypassing parts you assume the team already knows will weaken your team’s knowledge of the complete process
2) Practice often enough that it is ingrained knowledge
BONUS: Practice can help you find flaws and enable you to optimize your process before an incident occurs.
Slide 20
Review: the incident response best practices
1. Formal incident response plan
2. Integration of systems
3. Endpoint location data
4. Endpoint behavior monitoring
5. Team practice
Slide 21
How can we help?
• What is the device?
• How is the device behaving?
• Where is the device?
Slide 22
Beacon product suite
Identify. Ensure every endpoint accessing the network is accounted for to eliminate vulnerable blind spots.
Monitor. Know how endpoints are behaving at all times to easily identify and address potential threats quickly.
Enforce. Control access to the network to allow what should be on the network on and keep what shouldn’t off.
Slide 23
Why Beacon?
Comprehensive. Our software provides you with complete visibility. It detects and profiles every endpoint touching your network, including non-computing devices.
Contextual. It provides you with historical and real-time detailed context for every endpoint on the network.
✓ What is the endpoint
✓ Where is it located
✓ Is it behaving uncharacteristically
Scalable. Our technology has been proven to scale to satisfy the largest of enterprise clients.
Simple. Beacon is a sophisticated application that is actually easy to deploy and manage.
Slide 24
CONTACT US w) www.greatbaysoftware.com e) [email protected] p) +1 763.251.1400
Slide 25
Questions?
Slide 26
BYOD Initiative? Steps to Reduce the Network Security Risk
Presented by Jon Oltsik, Senior Principal Analyst, Enterprise Strategy Group
JOIN US FOR OUR NEXT WEBINAR TUESDAY, MAY 5 AT 12 PM CENTRAL
Attend this webinar to learn:
• The business trend towards increased BYOD usage
• Steps that will help you reduce BYOD risk
• How to successfully implement each step