Presentation given at ISACA Belgium in November 2011 at CERT.BE on ISACA's view on CERT
Incident Management and Response
CISO Tasks
1. Develop & implement processes for detecting, identifying, analyzing and responding to information security incidents
2. Establish escalation & communication processes & lines of authority
3. Develop plans to respond to & document information security incidents
4. Establish capability to investigate information security incidents
5. Develop process to communicate with internal parties & external organizations
6. Integrate information security incident response plans with disaster recovery (DRP) & business continuity plan (BCP)
7. Organize, train, equip teams to respond to information security incidents
8. Periodically test & refine information security incident response plans
9. Manage response to information security incidents
10. Conduct reviews to identify causes of information security incidents, develop corrective actions & reassess risk
Definition
What is incident management and response?
• Incident management is the capability to effectively manage unexpected disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits
• Incident response is the operational capability of incident management that identifies, prepares for and responds to incidents to control and limit damage; provide forensic and investigative capabilities; and maintain, recover and restore normal operations as defined in service level agreements (SLAs).
Incident Management and Response Overview
• Purpose = manage impact of unexpected disruptive events to acceptable levels
• Possible disruptions may be
  – Technical
  – Physical
  – Environmental
• Any type of incident that can significantly affect organization’s ability to operate or that may cause damage must be considered by the CISO
Outcomes of Incident Management and Response
• Outcomes of good incident management & response include an organization that
  – Can deal effectively with unanticipated events
  – Has sufficient detection & monitoring capabilities
  – Has well-defined severity & declaration criteria as well as defined escalation & notification processes
  – Has response capabilities that demonstrably support business strategy
  – Proactively manages risks of incidents appropriately
  – Periodically tests its capabilities
  – Provides monitoring & metrics to gauge performance of incident management & response capabilities
Scope & Charter of Incident Management
• Scope/charter document
  – Formally establishes IMT
  – Documents its responsibility to manage & respond to security incidents
• Sections of charter should include:
  – Mission
  – Scope
  – Organizational structure
  – Information flow
  – Services provided
Responsibilities
• Incident response goals include:
  – Containing effects of incident (damage & losses do not escalate out of control)
  – Notifying appropriate people for purpose of recovery or to provide needed information
  – Recovering quickly & efficiently from security incidents
  – Minimizing impact of info security incident
  – Responding systematically & decreasing likelihood of recurrence
  – Balancing operational & security processes
  – Dealing with legal & law enforcement-related issues
Senior Management Commitment
• Senior management is critical to success of incident management & response
• Incident management & response
  – Is component of risk management
  – Needs same level of support from senior management
Desired State
• Incident management & response requires:
  – Well-developed monitoring capabilities for key controls
  – Personnel trained in assessing situation, capable of providing triage, managing effective responses
  – Managers that have made provisions to capture all relevant information & apply previously learned lessons
  – Managers who
    • Know when disaster is imminent
    • Have well-defined criteria
    • Have experience, knowledge, and authority to invoke disaster recovery processes necessary to maintain or recover operational status
Challenges in Developing an Incident Management Plan
• Challenges may be result of
  – Lack of management buy-in & organizational consensus
  – Mismatch to organizational goals & structure
  – IMT member turnover
  – Lack of communication process
  – Complex & wide plan
Policies and Standards
• Documented set of incident response policies, standards and procedures is important to:
  – Ensure incident management activities are aligned to IMT mission
  – Set correct expectations
  – Provide guidance for operational needs
  – Maintain consistency & reliability of services
Personnel
• IMT usually consists of
  – CISO (who usually leads the team)
  – Steering committee/advisory board
  – Permanent/dedicated team members
  – Virtual/temporary team members
• Composition of incident response staff will vary from team to team & will depend on a number of factors such as:
  – Mission & goals of incident response program
  – Nature & range of services offered
  – Available staff expertise
  – Constituency size & technology base
  – Anticipated incident load
  – Severity or complexity of incident reports
  – Funding
Roles and Responsibilities
Skills
Basic skills for incident response team members can be separated into 2 groups:
• Personal skills
  – Communication
  – Presentation skills
  – Ability to follow policies and procedures
  – Team skills
  – Integrity
  – Self understanding
  – Coping with stress
  – Problem solving
  – Time management
• Technical skills
  – Technical foundation skills—require basic understanding of underlying technologies used by organization
  – Incident handling skills—require understanding of techniques, decision points & supporting tools required in daily activities
Current State of Incident Response Capability
Ways to identify current state of incident response capability include:
• Survey of senior management, business managers and IT representatives
• Self-assessment
• External assessment or audit
History of Incidents
• Past incidents provide valuable information on trends, types and business impacts
  – Can be used as input for assessment of IMT’s performance
  – Used as input to assessment of types of incidents that must be considered & planned for
Risk Tolerance
• Risk tolerance = same as acceptable risk which must be determined by management
• CISO should be aware that incident management also includes BCP & DRP
• Overall response management = combination of BCP, DRP, continuity of business operations and incident response
Integrating a BIA Into Incident Response
• CISO needs to
  – Oversee development of response & recovery plans* to ensure they are properly designed & implemented
  – Ensure resources required to continue business are identified & recorded
  – Identify & validate response and recovery strategies
  – Obtain senior management approval of strategies
  – Oversee development of comprehensive response & recovery plans
* Should be based on BIA
Integrating RTO & RPO Into Incident Response
• RTO = amount of time allowed for recovery of business function or resource after disaster occurs
• Effective incident management = includes resolving incidents within acceptable interruption window (AIW)
• RPO = measurement of point prior to outage to which data are to be restored
• Describes state of recovery that should be achieved to facilitate acceptable outcomes
Elements of an Incident Response Plan
• CIAC & SANS Institute propose following incident response phases:
  – Preparation
  – Identification
  – Containment
  – Eradication
  – Recovery
  – Lessons learned
Preparation—prepares organization to develop incident response plan prior to incident. Sufficient preparation facilitates smooth execution.
Activities:
• Establishing approach to handle incidents
• Establishing policy & warning banners in information systems to deter intruders & allow information collection
• Establishing communication plan to stakeholders
• Developing criteria on when to report incident to authorities
• Developing process to activate incident management team
• Establishing secure location to execute incident response plan
• Ensuring equipment needed is available
Identification—aims to verify if incident has happened & find out more details about incident. Reports on possible incidents may come from information systems, end users or other organizations. Not all reports are valid incidents, as they may be false alarms or may not qualify as incident.
Activities:
• Assigning ownership of incident or potential incident to incident handler
• Verifying reports or events qualify as incident
• Establishing chain of custody during identification when handling potential evidence
• Determining severity of incident & escalating it as necessary
Containment—After incident has been identified & confirmed, IMT is activated & information from incident handler is shared. Team will conduct detailed assessment & contact system owner or business manager of the affected information systems/assets to coordinate further action. The action taken is to limit the exposure.
Activities:
• Activating incident management/response team to contain incident
• Notifying appropriate stakeholders affected by incident
• Obtaining agreement on actions taken that may affect availability of a service or risks of the containment process
• Getting IT representative & relevant virtual team members involved to implement containment procedures
• Obtaining & preserving evidence
• Documenting & taking backups of actions from this phase onward
• Controlling & managing communication to public by PR team
Eradication—When containment measures have been deployed, it is time to determine root cause of incident & eradicate it. Eradication can be done in a number of ways: restoring backups to achieve clean state of system, removing root cause, improving defenses & performing vulnerability analysis to find further potential damage from same root cause.
Activities:
• Determining signs & cause of incidents
• Locating most recent version of backups or alternative solutions
• Removing root cause. In event of worm or virus infection, it can be removed by deploying appropriate patches & updated antivirus software.
• Improving defenses by implementing protection techniques
• Performing vulnerability analysis to find new vulnerabilities introduced by root cause
Recovery—ensures affected systems or services are restored to condition specified in RPO. The time constraint is documented in RTO.
Activities:
• Restoring operations to normal
• Validating that actions taken on restored systems were successful
• Getting involvement of system owners to test system
• Facilitating system owners to declare normal operation
Lessons learned—At end of incident response process, report should always be developed to share what has happened, what measures were taken & results after plan was executed. Part of report should contain lessons learned that provide IMT & other stakeholders valuable learning points of what could have been done better. These lessons should be developed into plan to enhance incident management capability & documentation of incident response plan.
Activities:
• Writing incident report
• Analyzing issues encountered during incident response efforts
• Proposing improvement based on issues encountered
• Presenting report to relevant stakeholders
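Added example (Python, not part of the presentation): a minimal incident record that enforces the phase order of the CIAC/SANS model described above, logs preserved evidence with a chain-of-custody entry during identification, and checks the restore against the RTO and RPO defined on the earlier slide. The incident id, handler names, timestamps and backup times are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from hashlib import sha256

# Phases in the order the CIAC/SANS model lists them. The tracker refuses to
# skip or reverse a phase, so containment cannot start before identification.
PHASES = ["preparation", "identification", "containment",
          "eradication", "recovery", "lessons_learned"]

@dataclass
class Incident:
    incident_id: str
    outage_at: datetime
    rto: timedelta      # allowed downtime after the outage
    rpo: timedelta      # allowed data-loss window before the outage
    phase: str = "preparation"
    evidence: list = field(default_factory=list)  # chain-of-custody entries

    def advance(self, to_phase: str) -> None:
        """Move to the next phase only; raise on a skipped or reversed step."""
        if PHASES.index(to_phase) != PHASES.index(self.phase) + 1:
            raise ValueError(f"cannot move from {self.phase} to {to_phase}")
        self.phase = to_phase

    def log_evidence(self, handler: str, item: bytes, at: datetime) -> dict:
        """Record who handled which artifact and when, with a digest of the copy."""
        entry = {"handler": handler, "at": at.isoformat(),
                 "sha256": sha256(item).hexdigest()}
        self.evidence.append(entry)
        return entry

def recovery_meets_objectives(inc: Incident, last_good_backup: datetime,
                              restored_at: datetime) -> dict:
    """Check the restore point against RPO and the downtime against RTO."""
    data_loss = inc.outage_at - last_good_backup
    downtime = restored_at - inc.outage_at
    return {"rpo_met": data_loss <= inc.rpo, "rto_met": downtime <= inc.rto,
            "data_loss": data_loss, "downtime": downtime}

# Constructed timeline (not from the presentation): outage at 09:00, last good
# backup at 08:30, service restored at 12:30, with RPO of 1 h and RTO of 4 h.
def demo() -> dict:
    t0 = datetime(2011, 11, 1, 9, 0)
    inc = Incident("INC-EXAMPLE-1", t0, timedelta(hours=4), timedelta(hours=1))
    inc.advance("identification")
    inc.log_evidence("handler-a", b"constructed log excerpt", t0 + timedelta(minutes=15))
    for phase in ("containment", "eradication", "recovery"):
        inc.advance(phase)
    return recovery_meets_objectives(inc, t0 - timedelta(minutes=30),
                                     t0 + timedelta(hours=3, minutes=30))
```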
Organizing, Training and Equipping the Response Staff
• Every IMT member should get following training:
  – Induction to IMT—basic information about the team and its operations
  – Mentoring re. team’s roles, responsibilities and procedures
  – On the job training
  – Formal training
Recovery Planning and Business Recovery Processes
• DRP is traditionally defined as recovery of IT systems when disastrous events occur
• BCP is defined as recovery of critical business processes necessary to continue or resume operations.
• Each of these planning processes typically includes several main phases, including:
  – Risk & business impact assessment
  – Response & recovery strategy definition
  – Documenting response & recovery plans
  – Training that covers response & recovery procedures
  – Updating response & recovery plans
  – Testing response & recovery plans
  – Auditing response & recovery plans
Recovery Strategies
• Most appropriate strategy = one that demonstrably addresses probable events with acceptable recovery times at a reasonable cost
• Development of incident management & response plan = difficult & expensive process that may take considerable time
  – Development of several alternative strategies
  – Prudent to consider outsourcing some or all of the needed capabilities
Incident Management and Response Teams
Number of teams depends upon size of organization & magnitude of operations; examples include:
• Emergency action team
• Damage assessment team
• Emergency management team
• Relocation team
• Security team
Notification Requirements
Plan should include call tree with prioritized list of contacts:
• Representatives of equipment & software vendors
• Contacts within companies that have been designated to provide supplies & equipment or services
• Contacts at recovery facilities, including hot site representatives or predefined network communications rerouting services
• Contacts at offsite media storage facilities & contacts within company who are authorized to retrieve media from offsite facility
• Insurance company agents
• Contacts at human resources (HR) & contract personnel services
• Law enforcement contacts
Periodic Testing of the Response and Recovery Plans
Testing must include:
• Developing test objectives
• Executing test
• Evaluating test
• Developing recommendations to improve effectiveness of testing processes as well as response & recovery plans
• Implementing follow-up process to ensure recommendations are implemented
Testing for Infrastructure and Critical Business Applications
• After test objectives have been defined, CISO must:
− Ensure independent third party observer is present to monitor & evaluate the test
− Implement tracking process to ensure any recommendations resulting from testing are implemented in timely fashion
− Know about disaster recovery testing for infrastructure & critical business applications
Type of Tests
Tests that are progressively more challenging:
• Table-top walk-through of plans
• Table-top walk-through with mock disaster scenarios
• Testing infrastructure & communication components of plan
• Testing infrastructure & recovery of critical applications
• Testing infrastructure, critical applications & involvement of end users
• Full restoration & recovery tests with some personnel unfamiliar with systems
• Surprise tests
Ensuring Execution as Required
• Facilitator or director* is needed to
– Direct tasks within plans
– Oversee plan execution
– Liaise with senior management
– Make decisions as necessary
• Defining appropriate recovery strategies & alternatives is important in overall process
* The CISO often serves as facilitator
Establishing Procedures
If an incident occurs:
– Information security staff needs documented procedures so that information can be properly recorded and preserved
– CISO should develop data/evidence preservation procedures
– Information systems staff must understand basic procedures, including taking no action that could change/modify/contaminate potential or actual evidence
Initial response by system administrator should include:
• Retrieving information needed to confirm incident
• Identifying scope & size of affected environment (e.g., networks, systems, applications)
• Determining degree of loss, modification or damage (if any)
• Identifying possible path or means of attack
Requirements for Evidence
• CISO must know
  – Requirements for collecting & presenting evidence
  – Rules for evidence, admissibility of evidence, and quality and completeness of evidence
  – Consequences of any contamination of evidence following info security incident
Post-event Reviews
• Post-event reviews = critical part of incident management process
• CISO should:
  – Manage post-event reviews to learn from completed tasks & to use information to improve IMT’s response procedures
  – Consider enlisting help of third-party specialists if detailed forensic skills are needed
Contact Information
Mr. Marc Vael
CISA, CISM, CGEIT, CISSP, ITIL Service Manager, Prince2 Foundation
Vice President
ISACA Belgium Chapter
Koningsstraat 109-111
1000 Brussels
Belgium
November 2011