Creating a Foundation for Proactive Incident Response


Transcript and Presenter's Notes

1
Creating a Foundation for Proactive Incident Response
2
Introduction
  • As a Boy Scout, you're trained to be prepared: always in a state of readiness in mind and body to do your duty. For many of us in cybersecurity, a sense of duty is what drew us to the industry in the first place. What happens when the mind and body are at the ready, but you don't have the right approach or tools to carry out your duty as you know you can and should?

3
Quarterly Incident Response Threat Report
4
Effective Incident Detection
  • Before your SOC can set its incident response process into motion, there needs to be an effective method to accurately identify real threats. The average SOC gets thousands of alerts per day, and weeding out false positives to focus on actual threats can be challenging. With a security orchestration platform in place, your ecosystem of security technologies can work together to deliver vital context that lets your team know where their focus is most needed.

5
Decisive Incident Detection
  • With security orchestration and automation, these crucial details are automatically gathered and presented to your security team, enabling them to assess the priority of an alert, quickly close false positives and clearly identify which security events should trigger your incident response process. This ultimately helps drive down mean time to detect (MTTD) which, when combined with a proactive incident response plan, will also lead to a faster mean time to respond (MTTR).
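The two slides above describe the detection side of orchestration in the abstract: pull context from several tools into one view of each alert, close the known false positives, rank what remains, and measure how that changes MTTD and MTTR. The script below is an added illustration of that flow and is not code from the presentation or from any vendor's platform. Every data source in it is constructed: the alert stream, the asset-criticality map standing in for a CMDB, the threat-intel set, the known-benign list, the scoring thresholds (escalate at 8 or more) and the timestamps used for the MTTD and MTTR calculations are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed alert stream, shaped like what a SIEM or EDR hands to an orchestration platform.
RAW_ALERTS = [
    {"id": "A1", "host": "fin-db-01", "src_ip": "203.0.113.7", "rule": "outbound-to-rare-ip",
     "first_seen": datetime(2024, 1, 10, 8, 0)},
    {"id": "A2", "host": "dev-laptop-17", "src_ip": "198.51.100.5", "rule": "outbound-to-rare-ip",
     "first_seen": datetime(2024, 1, 10, 8, 2)},
    {"id": "A3", "host": "scanner-01", "src_ip": "10.0.0.9", "rule": "port-scan",
     "first_seen": datetime(2024, 1, 10, 8, 3)},
]

# Constructed context sources standing in for a CMDB, a threat-intel feed and a list of
# known-benign (host, rule) pairs such as an authorised vulnerability scanner.
ASSET_CRITICALITY = {"fin-db-01": 5, "dev-laptop-17": 2, "scanner-01": 1}
THREAT_INTEL_IPS = {"203.0.113.7"}
KNOWN_BENIGN = {("scanner-01", "port-scan")}

# Constructed clock values: when triage ran, and when each real incident was closed.
TRIAGE_TIME = datetime(2024, 1, 10, 8, 5)
CLOSED_AT = {"A1": datetime(2024, 1, 10, 9, 5), "A2": datetime(2024, 1, 10, 8, 35)}


@dataclass
class TriagedAlert:
    id: str
    host: str
    priority: int
    verdict: str                            # "escalate", "investigate" or "closed-false-positive"
    reasons: list = field(default_factory=list)
    detected_at: Optional[datetime] = None  # when a verdict was reached on the alert


def enrich(alert):
    """Pull what each tool knows about the alert into one record."""
    return {
        "criticality": ASSET_CRITICALITY.get(alert["host"], 3),  # unknown asset: middle of the scale
        "threat_intel_hit": alert["src_ip"] in THREAT_INTEL_IPS,
        "known_benign": (alert["host"], alert["rule"]) in KNOWN_BENIGN,
    }


def triage(alert, now):
    """Score one alert from its enrichment and decide what the analyst should do with it."""
    ctx = enrich(alert)
    if ctx["known_benign"]:
        return TriagedAlert(alert["id"], alert["host"], 0, "closed-false-positive",
                            ["matches known-benign activity"], now)
    priority = 1 + ctx["criticality"]
    reasons = [f"asset criticality {ctx['criticality']}"]
    if ctx["threat_intel_hit"]:
        priority += 5
        reasons.append(f"source {alert['src_ip']} is on a threat-intel list")
    verdict = "escalate" if priority >= 8 else "investigate"
    return TriagedAlert(alert["id"], alert["host"], priority, verdict, reasons, now)


def triage_queue(alerts, now):
    """Triage every alert and return the queue ordered by descending priority."""
    return sorted((triage(a, now) for a in alerts), key=lambda t: t.priority, reverse=True)


def mean_duration(starts, ends):
    """Mean of ends[k] - starts[k] over keys present in both maps; None if nothing to average."""
    pairs = [(starts[k], ends[k]) for k in starts if k in ends]
    if not pairs:
        return None
    return sum((e - s for s, e in pairs), timedelta()) / len(pairs)


def mttd(alerts, triaged):
    """Mean time to detect: first seen -> verdict reached, over alerts that were not false positives."""
    real = {t.id: t.detected_at for t in triaged if t.verdict != "closed-false-positive"}
    return mean_duration({a["id"]: a["first_seen"] for a in alerts if a["id"] in real}, real)


def mttr(triaged, closed_at):
    """Mean time to respond: verdict reached -> incident closed."""
    real = {t.id: t.detected_at for t in triaged if t.verdict != "closed-false-positive"}
    return mean_duration(real, closed_at)


if __name__ == "__main__":
    queue = triage_queue(RAW_ALERTS, TRIAGE_TIME)
    for t in queue:
        print(f"{t.id} {t.host:14} p={t.priority:2} {t.verdict:22} {'; '.join(t.reasons)}")
    print("MTTD:", mttd(RAW_ALERTS, queue), " MTTR:", mttr(queue, CLOSED_AT))
```

The point of the design is that no single source decides anything: the scanner alert is closed because the known-benign list says so, the database host rises to the top because the CMDB and the intel feed agree it matters, and the laptop alert is kept but ranked below them. MTTD is measured only over alerts that turned out to be real, so closing false positives faster does not flatter the metric.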

6
Security Orchestration for Proactive IR
  • The QIRTR identifies six steps for taking a more proactive approach to incident response. Of those, security orchestration has a significant impact on the first four:
  • Have an incident response plan in place
  • Communicate and notify
  • Know your legal requirements
  • Visibility is key
  • Hunt quietly
  • Regular checkups and multi-factor authentication

7
Effective Incident Response
  • For effective incident response, your entire security team needs to know what steps to take and when. This means having a clear, documented plan that is periodically tested through simulations to assess effectiveness and continuously improve.
  • One of the key benefits offered by security orchestration platforms is the ability to codify your incident response plans into consistent, repeatable playbooks.

8
Leverage Security Orchestration
  • Because security orchestration gives your team a complete picture of an incident, it can also help your team do the necessary postmortem and reporting to satisfy legal requirements. Some security orchestration and automation platforms offer automated reporting that provides a snapshot of the security incident as well as a summary of the playbooks applied and remediation steps taken.
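Slides 7 and 8 make two claims that are easier to see in code than in prose: a playbook can be written down as data so that the same response runs the same way every time, and if every step is recorded as it runs, the incident report is a by-product rather than a separate chore. The following is an added example written for this page, not code from the presentation or from any orchestration product. The tool integrations (isolate host, block IP, notify a channel) are in-memory stand-ins, the playbook name, its step gates and the two incidents are constructed, and the fixed clock exists only so the output is reproducible.

```python
from datetime import datetime, timezone


# Constructed, in-memory stand-ins for the tools an orchestration platform would drive
# (an EDR isolate-host call, a firewall block list, a notification channel).
class ToolState:
    def __init__(self):
        self.isolated_hosts = set()
        self.blocked_ips = set()
        self.notifications = []


def isolate_host(state, incident, params):
    state.isolated_hosts.add(incident["host"])
    return f"isolated {incident['host']}"


def block_ip(state, incident, params):
    state.blocked_ips.add(incident["src_ip"])
    return f"blocked {incident['src_ip']}"


def notify(state, incident, params):
    state.notifications.append((params["channel"], incident["id"]))
    return f"notified {params['channel']}"


# Each playbook step names one of these actions; integrating a new tool means adding an entry.
ACTIONS = {"isolate_host": isolate_host, "block_ip": block_ip, "notify": notify}

# The playbook is data, not code: an ordered list of steps, each optionally gated on the
# incident's enrichment, so one playbook serves both a critical server and a lab laptop.
SUSPECTED_C2_PLAYBOOK = {
    "name": "suspected-c2-beacon",
    "steps": [
        {"action": "isolate_host", "when": {"criticality_at_least": 4}},
        {"action": "block_ip", "when": {"threat_intel_hit": True}},
        {"action": "notify", "params": {"channel": "legal"}, "when": {"criticality_at_least": 4}},
        {"action": "notify", "params": {"channel": "soc-oncall"}},
    ],
}


def step_applies(step, incident):
    """Evaluate a step's 'when' gate against the enriched incident record."""
    cond = step.get("when", {})
    if incident["criticality"] < cond.get("criticality_at_least", 0):
        return False
    if "threat_intel_hit" in cond and incident["threat_intel_hit"] != cond["threat_intel_hit"]:
        return False
    return True


def run_playbook(playbook, incident, state, clock):
    """Execute the playbook against one incident, recording every step, done or skipped."""
    record = {"incident": incident["id"], "playbook": playbook["name"], "steps": []}
    for step in playbook["steps"]:
        entry = {"action": step["action"], "at": clock().isoformat()}
        if step_applies(step, incident):
            entry["status"] = "done"
            entry["result"] = ACTIONS[step["action"]](state, incident, step.get("params", {}))
        else:
            entry["status"] = "skipped"
        record["steps"].append(entry)
    return record


def render_report(incident, record):
    """Snapshot of the incident, the playbook applied and the remediation steps taken."""
    lines = [
        f"Incident {incident['id']}: {incident['summary']}",
        f"Host {incident['host']} (criticality {incident['criticality']}), source {incident['src_ip']}",
        f"Playbook applied: {record['playbook']}",
        "Remediation steps:",
    ]
    for e in record["steps"]:
        detail = f" ({e['result']})" if "result" in e else ""
        lines.append(f"  - {e['at']} {e['action']}: {e['status']}{detail}")
    return "\n".join(lines)


# Constructed incidents, already enriched as a triage stage would leave them.
INCIDENTS = [
    {"id": "INC-1", "host": "fin-db-01", "src_ip": "203.0.113.7", "criticality": 5,
     "threat_intel_hit": True, "summary": "beacon to listed IP"},
    {"id": "INC-2", "host": "dev-laptop-17", "src_ip": "198.51.100.5", "criticality": 2,
     "threat_intel_hit": False, "summary": "beacon to rare IP"},
]


def fixed_clock():
    """Deterministic clock for reproducible step timestamps in this example."""
    return datetime(2024, 1, 10, 8, 5, tzinfo=timezone.utc)


def handle_all(incidents=INCIDENTS, clock=fixed_clock):
    """Run the playbook over every incident with a fresh tool state; return the state and records."""
    state = ToolState()
    records = [run_playbook(SUSPECTED_C2_PLAYBOOK, inc, state, clock) for inc in incidents]
    return state, records


if __name__ == "__main__":
    state, records = handle_all()
    for inc, rec in zip(INCIDENTS, records):
        print(render_report(inc, rec), end="\n\n")
```

Skipped steps are written into the record alongside the ones that ran, so the report shows not only what was done but what the playbook chose not to do and why the gate did not match; that is the part a postmortem or a legal review usually asks about first.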

9
Be Ready To Proactively Communicate and Notify
10
Conclusion
  • Utilizing all available information and having it presented to analysts in a clear, usable way ensures that the security team has all the data needed to perform deep analysis and determine the best incident response approach rapidly.
  • By channeling our inner Boy Scouts and taking a more proactive approach to incident response enabled by security orchestration, we can help our security operations teams more quickly, effectively and consistently identify and respond to threats.