Effective Incident Response & Security Incident Response
Proper preparation and planning are the key to effective incident response. Without a clear-cut plan and course of action, it’s often too late to coordinate effective response efforts after a breach or attack has occurred. Taking the time to create a comprehensive incident response plan can save your company substantial time and money by enabling you to regain control over your systems and data promptly when an inevitable breach occurs.
At CyberSecOP, we provide enterprise-level managed security services covering every aspect of enterprise security, including each phase of the incident response lifecycle:
Preparation - The most important phase of incident response is preparing for the inevitable security breach. Preparation determines how well an organization's CIRT will be able to respond to an incident and should cover policy, the response plan and strategy, communication, documentation, selection of CIRT members, access control, tools, and training.
Identification - Identification is the process through which incidents are detected, ideally as early as possible so that response is rapid and costs and damage are reduced. In this step, IT staff gather events from log files, monitoring tools, error messages, intrusion detection systems, and firewalls to detect incidents and determine their scope.
Containment - Once an incident is detected, containing it is the top priority. The purpose of containment is to limit the damage already done and prevent further damage from occurring (as noted in step two, the earlier an incident is detected, the sooner it can be contained and the less damage results). It is important that all of SANS' recommended steps within the containment phase are taken, especially to "prevent the destruction of any evidence that may be needed later for prosecution." These steps are short-term containment, system back-up, and long-term containment.
Eradication - Eradication is the phase of effective incident response in which the threat is removed and affected systems are restored to their previous state, ideally with minimal data loss. The main work of this phase is verifying that the proper steps have been completed up to this point, including measures that not only remove the malicious content but also confirm that the affected systems are completely clean.
Recovery - Testing, monitoring, and validating systems as they are returned to production, in order to verify that they are not re-infected or compromised, are the main tasks of this step. This phase also includes deciding on the time and date to restore operations, testing and verifying the previously compromised systems, monitoring for abnormal behavior, and using tools to test, monitor, and validate system behavior.
Lessons Learned - Lessons learned is a critical phase of incident response because it educates the team and improves future response efforts. This step gives organizations the opportunity to update their incident response plans with information that may have been missed during the incident and to complete the documentation that will inform future incidents. Lessons-learned reports give a clear review of the entire incident and may be used in recap meetings, as training material for new CIRT members, or as benchmarks for comparison.
In addition to IT security consulting and managed security services, our offerings include best-of-breed solutions for securing cloud computing, designing and implementing effective enterprise security architecture, mitigating advanced threats, securing the Internet of Things, managing identity, and delivering security intelligence.
Our enterprise security consulting and managed security services support organizations in all vertical markets and protect their sensitive data.
Enterprise Framework Development:
OWASP Top Ten, ISO 27000, and NIST serve as the governing foundation for everything we do, and together with enterprise security tools they give your business the CyberSecOp advantage. In execution, we differ from other security organizations through strict adherence to our 9 Core Tenets.