5 Best Practices to Reduce Incident Response Time - Great Bay Software


Transcript of 5 Best Practices to Reduce Incident Response Time - Great Bay Software

1  5 BEST PRACTICES TO REDUCE INCIDENT RESPONSE TIME

A data breach is inevitable

43% of IT professionals said their organization experienced a breach last year

- Ponemon Institute report: 2014 a Year of Mega Breaches

There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese, and those who don’t know they’ve been hacked by the Chinese.

- James Comey, United States FBI Director

2  Teams don’t feel prepared

•  26% believe their current organization’s IR capabilities are ineffective

•  The definition of an incident remains broad - increasing the workload for understaffed IR teams

Source: SANS Institute report, Incident Response: How to Fight Back

3  Incident Response Framework

1.  Preparation

2.  Identification

3.  Containment

4.  Eradication

5.  Recovery

6.  Lessons learned

4  Today’s Agenda

1.  Formal incident response plan

2.  Integration of systems

3.  Endpoint location data

4.  Endpoint behavior monitoring

5.  Team practice

5  BEST PRACTICE #1: Formal incident response plan

This best practice affects:

•  Step 1 - preparation: Having a formal process rather than a general one will enable your team to be prepared when an incident occurs.

•  Step 6 - lessons learned: The formal process makes revising and optimizing how you handle incidents in the future easier.

6  BEST PRACTICE #1: According to the statistics

•  43% of IT professionals say a lack of formal IR plans and procedures presents obstacles

•  55% identified that a lack of a formal IR team presents obstacles

Source: SANS Institute report, Incident Response: How to Fight Back

7  BEST PRACTICE #1: Three parts to an IR plan

1) Identify who is a part of your incident response team

•  This includes identifying which stakeholders need to be informed at which points.

2) Write down the steps in your process

•  The act of publishing your process will help remove any assumptions that individuals may have.

3) Educate the security team and the whole organization

•  The depth of information shared will be different; however, the entire organization needs to understand how to raise a red flag if they see something suspicious.

8  BEST PRACTICE #2: Integration of systems

This best practice affects step 1 - Preparation:

•  Identify exactly which systems communicate with each other

•  Identify which systems your team needs to check individually

9  BEST PRACTICE #2: Piecing together the puzzle

•  The average company uses several different technologies from several different vendors to secure their data

•  All of them wish that these systems could be integrated to provide a single source of information and workflow

10  BEST PRACTICE #2: Questions to ask each vendor

1.  What information can I pull from your system into other systems?

2.  What information can I bring into your system from other systems?

3.  How much customization and time will it take to make the integrations I need possible - if at all?

4.  Do you provide services to help with integration of systems?

11  BEST PRACTICE #3: Endpoint location data

This best practice affects:

•  Step 2 - Identification: Insight into an endpoint’s location can help the team determine if this is a problem or a false positive.

•  Step 3 - Containment: Location information enables the team to remove an affected device from a connected port to contain the damages.

•  Step 4 - Eradication: This information can also help the response team physically locate and remediate affected devices.

12  BEST PRACTICE #3: An impossible feat?

In most organizations, manually keeping a record of where devices are located is impossible - especially with the addition of initiatives such as BYOD, in which endpoints are portable.

13  BEST PRACTICE #3: Three parts to the best practice

Endpoint Location Data

1) Real-time data on each endpoint attached to the network

•  Allows the team to find the endpoint at the time of an incident

2) A log of all historical location data

•  Helps to answer the question: “What does normal look like for this endpoint?”

3) Ability to easily search for and/or access this information

•  Enables the team to access the information right when they need it

14  BEST PRACTICE #4: Endpoint behavior monitoring

This best practice affects:

•  Step 2 - Identification: A warehouse of context allows you to gain a deeper insight into the potential issue

•  Step 3 - Containment: Insight into device interactions can allow you to see what devices may be affected

•  Step 5 - Recovery: Continuous monitoring can help ensure that the problem does not persist and alert you if a device starts behaving out of the norm

15  BEST PRACTICE #4: When you can’t see it…

50% of IT professionals cite lack of visibility into system and endpoint vulnerabilities as the key impediment to effective incident response at their organization.

- SANS white paper, Incident Response: How to Fight Back

16  BEST PRACTICE #4: Three parts to the best practice

Monitoring endpoint behavior

1) Information captured from several data points on each endpoint to provide a complete picture

2) Log of historical contextual information that can be easily reviewed

3) Real-time data on endpoints that can be used to trigger alerts about uncharacteristic behavior
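As an added illustration of best practices #3 and #4 together (this code is not from the Great Bay deck or its Beacon product), the sketch below keeps a historical location log per endpoint, answers where an endpoint was at the time of an incident, derives “what normal looks like” from the log, and raises an alert when an endpoint’s latest sighting is a switch port outside that baseline. The observations, MAC addresses and switch names are constructed placeholders.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of endpoint location observations, in the shape a
# switch-polling or NAC tool might record: (timestamp, MAC, switch, port).
# Not real data; the MACs and switch names are placeholders.
OBSERVATIONS = [
    ("2015-04-20T08:02:00", "00:11:22:33:44:01", "sw-hq-3", "Gi1/0/7"),
    ("2015-04-21T08:05:00", "00:11:22:33:44:01", "sw-hq-3", "Gi1/0/7"),
    ("2015-04-22T08:01:00", "00:11:22:33:44:01", "sw-hq-3", "Gi1/0/7"),
    ("2015-04-20T09:10:00", "00:11:22:33:44:02", "sw-hq-1", "Gi1/0/12"),
    ("2015-04-21T09:12:00", "00:11:22:33:44:02", "sw-hq-2", "Gi1/0/3"),
    ("2015-04-23T02:40:00", "00:11:22:33:44:01", "sw-dc-1", "Gi1/0/2"),
]


def build_history(observations):
    """Historical location log: per endpoint, time-ordered (ts, switch, port)."""
    history = defaultdict(list)
    for ts, mac, switch, port in sorted(observations):
        history[mac].append((datetime.fromisoformat(ts), switch, port))
    return history


def locate_at(history, mac, when):
    """Where was the endpoint at the time of an incident? Last sighting at or before `when`."""
    cutoff = datetime.fromisoformat(when)
    sightings = [(sw, p) for ts, sw, p in history.get(mac, []) if ts <= cutoff]
    return sightings[-1] if sightings else None


def baseline(history, mac, before):
    """'What does normal look like?': count of each (switch, port) seen before `before`."""
    cutoff = datetime.fromisoformat(before)
    return Counter((sw, p) for ts, sw, p in history.get(mac, []) if ts < cutoff)


def flag_uncharacteristic(history, min_history=2):
    """Alert on endpoints whose latest sighting is a port never seen in their baseline.
    Endpoints with fewer than `min_history` prior sightings have no usable "normal"
    yet, so they are skipped rather than alerted on (avoids noise from new devices)."""
    alerts = []
    for mac, entries in history.items():
        ts, sw, p = entries[-1]
        normal = baseline(history, mac, ts.isoformat())
        if sum(normal.values()) >= min_history and (sw, p) not in normal:
            alerts.append((mac, sw, p, ts.isoformat()))
    return alerts
```

In the constructed data, the first endpoint has three weekday sightings on one access port and then appears on a data-center switch at 02:40, which is the one alert raised; the second endpoint has only one prior sighting, so it is not judged yet.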

17  BEST PRACTICE #5: Team practice

This best practice affects all steps.

✓ Perfect practice makes perfect.

18  BEST PRACTICE #5: In a high stress situation…

•  It is easy to forget formal processes and make fast decisions.

•  Practice can help the team remember the process – even in crisis mode.

62% of IT professionals cite lack of time to review and practice procedures as the key impediment to effective incident response at their organization.

- SANS white paper, Incident Response: How to Fight Back

19  BEST PRACTICE #5: Two parts to the best practice

1) Practice exactly as you want the process executed

•  Skipping steps and bypassing parts you assume the team already knows will weaken your team’s knowledge of the complete process

2) Practice often enough that it is ingrained knowledge

BONUS: Practice can help you find flaws and enable you to optimize your process before an incident occurs.

20  Review

The incident response best practices

1.  Formal incident response plan

2.  Integration of systems

3.  Endpoint location data

4.  Endpoint behavior monitoring

5.  Team practice

21  How can we help?

What is the device?

How is the device behaving?

Where is the device?

22  Beacon product suite

Identify. Ensure every endpoint accessing the network is accounted for to eliminate vulnerable blind spots.

Monitor. Know how endpoints are behaving at all times to easily identify and address potential threats quickly.

Enforce. Control access to the network to allow what should be on the network on and keep what shouldn’t off.

23  Why Beacon?

Comprehensive. Our software provides you with complete visibility. It detects and profiles every endpoint touching your network, including non-computing devices.

Contextual. It provides you with historical and real-time detailed context for every endpoint on the network.

✓  What is the endpoint

✓  Where is it located

✓  Is it behaving uncharacteristically

Scalable. Our technology has been proven to scale to satisfy the largest of enterprise clients.

Simple. Beacon is a sophisticated application that is actually easy to deploy and manage.

24  Questions?

CONTACT US  w) www.greatbaysoftware.com  e) [email protected]  p) +1 763.251.1400

25  VISIT OUR BLOG FOR MORE BEST PRACTICES WWW.GREATBAYSOFTWARE.COM/BLOG

26  JOIN US FOR OUR NEXT WEBINAR TUESDAY, MAY 5 AT 12 PM CENTRAL

BYOD Initiative? Steps to Reduce the Network Security Risk

Presented by Jon Olstik, Senior Principal Analyst, Enterprise Strategy Group

Attend this webinar to learn:

•  The business trend towards increased BYOD usage

•  Steps that will help you reduce BYOD risk

•  How to successfully implement each step