Incident Response Planning: Tips and Techniques
Peter Romness, US Public Sector Cybersecurity

What kind of storm?
- Natural disasters
- Business interruption
- Security incidents

What kind of storm?
- Hacking
- DDoS
- Ransomware

How do security incidents happen?
(Slide graphic: a ransom note reading "Your Files Are Encrypted! Time Left 8:00:00 - Pay Now")
User clicks -> Malware launches -> Ransomware delivered -> Information held hostage
Ransomware has quickly become the most profitable type of malware ever seen, on its way to becoming a $1 billion annual market.

Incident Response Planning: Tips and Techniques (agenda)
- Follow cybersecurity best practices
- Build security into the network
- Create a security-aware culture
- Detect breaches quickly
- Provide rapid response and recovery
- Summary

NIST Cybersecurity Framework: Best Practices
http://www.nist.gov/cyberframework
Framework functions: Identify, Protect, Detect, Respond, Recover
The planning and documentation for cybersecurity incident response and recovery must be in place before the cyber event occurs.

Build Security In
Use the network as a sensor ... and the enforcer: See, Detect, Respond, Remediate

Technology alone is not the answer
Security-aware culture: actionable collaboration among people, processes, and technology is a must.
- People, processes, technology
- Implement, automate, train, test

Detect Breaches Quickly
Months vs. hours: Baseline -> Monitor -> Analyze -> Act

Response and Recovery: NIST Guidance
- Respond: Computer Security Incident Handling Guide, NIST SP 800-61
- Recover: Guide for Cybersecurity Event Recovery, NIST SP 800-184
(Framework functions: Identify, Protect, Detect, Respond, Recover)

Rapid Response: NIST SP 800-61
1 Organizing an Incident Response Capability
2 Handling an Incident
3 Coordination and Information Sharing
4 Incident Handling Scenarios
5 Incident-Related Data Elements

Rapid Recovery: NIST SP 800-184
1 Planning for Cyber Event Recovery
2 Continuous Improvement
3 Recovery Metrics
4 Building the Playbook
5 Example: Data Breach Recovery Scenario

Top Three Tips
1 Plan ahead using best practices: Incident Response Plan
2 Build and continually foster a security-aware organization
3 Use the network as sensor and enforcer: drive to automate

Learn more about...
1 The Cybersecurity Threat Landscape: http://www.talosintelligence.com
2 NIST Cybersecurity Best Practices: http://csrc.nist.gov
3 Cisco Threat-Centric Security: http://www.cisco.com/go/security

Thank You
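As an added worked example (not part of the presentation or any Cisco or NIST tooling) of the Baseline -> Monitor -> Analyze -> Act loop from the "Detect Breaches Quickly" slide, applied to the ransomware scenario: the script learns each host's normal file-modification rate from constructed audit lines, then flags a minute in which one host renames a burst of files to a single new extension. The log format, host names and the "ISOLATE" response step are assumptions made for the example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

WINDOW = 10  # minutes covered by the baseline log
# Constructed file-audit lines ("<minute> <host> <action> <path>"), not real telemetry.
BASELINE_LOG = [f"{m} {h} WRITE /home/u/doc{m}_{i}.txt"
                for m in range(WINDOW) for h in ("ws01", "ws02") for i in range(1 + m % 3)]
LIVE_LOG = ([f"3 ws01 WRITE /home/u/report{i}.txt" for i in range(2)]
            + [f"3 ws02 RENAME /home/u/f{i}.docx->/home/u/f{i}.docx.locked" for i in range(25)]
            + [f"5 ws01 WRITE /home/u/build/obj{i}.o" for i in range(22)])

def parse(line):
    minute, host, action, path = line.split(" ", 3)
    return int(minute), host, action, path

def baseline(lines, window):
    """Baseline: per-host mean and std-dev of file modifications per minute,
    counting idle minutes as zero so a quiet host keeps a tight baseline."""
    counts = Counter((h, m) for m, h, a, _ in map(parse, lines) if a in ("WRITE", "RENAME"))
    stats = {}
    for host in {h for h, _ in counts}:
        per_minute = [counts[(host, m)] for m in range(window)]
        stats[host] = (mean(per_minute), pstdev(per_minute))
    return stats

def analyze(stats, lines, k=3.0, min_burst=20):
    """Monitor + Analyze: flag each (host, minute) whose modification count exceeds
    mean + k*stddev; label it a mass-rename when most renames share one new extension."""
    counts, new_ext = Counter(), defaultdict(Counter)
    for minute, host, action, path in map(parse, lines):
        if action in ("WRITE", "RENAME"):
            counts[(host, minute)] += 1
        if action == "RENAME" and "->" in path:
            new_ext[(host, minute)][path.rsplit("->", 1)[1].rsplit(".", 1)[-1]] += 1
    alerts = []
    for (host, minute), n in counts.items():
        mu, sd = stats.get(host, (0.0, 0.0))  # unknown host: any burst is anomalous
        if n < min_burst or n <= mu + k * sd:
            continue
        top = new_ext[(host, minute)].most_common(1)
        reason = f"mass-rename to .{top[0][0]}" if top and top[0][1] >= 0.8 * n else "volume"
        alerts.append((host, minute, n, reason))
    return sorted(alerts)

def act(alerts):
    """Act: turn each alert into the playbook step the plan prescribes (isolate, ticket)."""
    return [f"ISOLATE {h}; open incident: {n} modifications in minute {m} ({why})"
            for h, m, n, why in alerts]

def run_demo():
    return act(analyze(baseline(BASELINE_LOG, WINDOW), LIVE_LOG))

if __name__ == "__main__":
    print("\n".join(run_demo()))
```

The build host ws01 also trips the volume threshold, which is the kind of false positive the baseline step is meant to tune away before the playbook automates the isolation action.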