At Black Hat this week, HBGary (a subsidiary of ManTech) released a commercial tool for incident response, which came about after ManTech Cyber Solutions purchased Vantos. The Seattle-based Vantos had largely sold its incident response command center to law enforcement, e-commerce, casinos and resorts.
The Vantos platform lets organizations connect data streams from all of the previously mentioned log points, as well as any other log sources and ticketing systems, and put them into a simple-looking display that can be shared with others who need the information but have next to no clue when it comes to the technical side of incident response.
Passive interviews and conversations with Black Hat attendees also gave us some insight into where they look for information on incident response. A majority of those mentioned SANS, and from that, CSO learned of a useful whitepaper on creating a SIEM and incident response toolkit using open source tools.
While the whitepaper may not be for everyone, it's certainly worth a read. Beyond that single whitepaper, SANS has an entire series on incident response, covering topics from zero-day threats and social media to indicators of compromise and cloud-based incidents.
Attendees CSO spoke to also mentioned that professional groups, such as those on LinkedIn or local community groups like NAISG (National Information Security Group), are helpful for gaining insight on incident response, from tools to learning what hasn't worked in the past.
When it comes to incident response, the bottom line basics are a good starting point. The following were collected via arranged interviews and passive conversations during Black Hat 2013.
Know your target data: This means understanding all of the types of data on the network, where each lives on the network, and prioritizing it by value. After that, map all of the ways this data can be accessed, both internally and externally. Plan protection for this data at rest and in motion, and control (as well as monitor) all access to it.
Document plans for various scenarios: Not every incident will be purely about someone hacking you. Organizations should plan for external attacks, as well as incidents stemming from lost or stolen assets, accidents, and malicious actors from within (including when an outsider compromises an insider's access).
Establish a base of operations: A base of operations is a command center of sorts. It makes things easier for the organization, and often amounts to nothing more than a conference room or the largest office in the building. It could be the back dock if necessary; what matters is that one is established.
Nominate a single point of contact: Make sure this point of contact has access to everyone working the incident, and to those who need regular updates and information. It's also wise to make sure there is fast access to PR should it be needed. Once PR is involved, they should be the only voice speaking for the company to the public regarding the incident. Let the legal team deal with regulatory and compliance issues as needed.