In a recent webcast, Josh Feinblum, Vice President of Security at Rapid7, and guest speaker Rick Holland, Principal Analyst at Forrester Research, discussed the immediate steps security professionals should be prepared to take in case of a breach. It's not okay to have zero plans in place for when this happens -- but building out a comprehensive incident response program is also an enormous undertaking. Read on for the top takeaways from 'Covering your Assets: Security Expert's Guide to the Incident Response Bare Minimum':
1) Find your Team -- The most important element in preparing for a breach is identifying the key positions, roles, and responsibilities needed during a response. Incident response is a team sport, and the only cost of building strong relationships within an IR team is time. The team should extend beyond your organization's own legal, security, corporate communications, and other personnel to include external resources you trust to provide support in a crisis. Build relationships with multiple incident response firms so you know who you can call for help. If budget permits, put a retainer in place: it guarantees response time in case of a breach and gets the master services agreement (MSA) negotiation out of the way before you need it.
2) Set Expectations -- Make sure stakeholders and employees understand that a breach won't be resolved in 45 minutes. Everyone will be anxious to learn the scope and depth of a breach, but that picture won't emerge in minutes or even days. Conduct annual drills with all parties involved to be as prepared as possible and to set expectations for how a real breach can unfold. At the same time, build flexibility into the process so you can think on your feet and respond with agility; incident response is largely a series of grey areas and balancing acts. Remember that adversaries can always come back, so applying what you learned to the future is an essential part of the process.
3) Logs or Bust -- Most breaches that bring in large-scale response teams involve attackers who have been in the environment for 5-8 months or longer. If you don't have logs covering that period, your investigation starts from scratch. Make sure you understand what's happening on your endpoints, in your applications, and across your network. It's not enough to collect the default event logs. Document the event monitoring you want, decide which log types you need, and pull the right data at the right log levels, especially from proxies, firewalls, and other perimeter devices. One of the more valuable indicators of compromise is a log source that has been reporting steadily and then goes silent: whether an attacker disabled it or a forwarder simply broke, you want to know right away. Keep an inventory of the log sources you expect and automate an alert when one stops reporting, rather than discovering the gap in a reactive audit.
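The "alert when a source goes quiet" idea is simple enough to show in working code. The following is an added example, not material from the webcast or from Rapid7: it keeps a small inventory of expected log sources with the longest gap considered normal for each (the hostnames, intervals, and syslog-style sample lines are all constructed for illustration; a real deployment would derive the intervals from a measured baseline and feed the check from the SIEM's per-source event counts). It reports sources that have never reported, sources that have gone stale, and, as a bonus the webcast does not mention, sources that are logging but are not in the inventory at all.

```python
"""Log-source liveness check: flag expected sources that have gone quiet.

Added example for the 'Logs or Bust' point. All hostnames, intervals and
log lines below are constructed; the allowed gaps are assumptions, not a
recommendation for any real environment.
"""
from datetime import datetime, timedelta

# Constructed inventory: expected source -> longest silence that is normal.
# In practice derive these from a measured baseline of each source's cadence.
EXPECTED_SOURCES = {
    "fw-edge-01": timedelta(minutes=5),
    "proxy-01": timedelta(minutes=5),
    "dc-01": timedelta(minutes=15),
    "web-app-01": timedelta(minutes=10),
    "vpn-01": timedelta(minutes=5),      # in inventory but never sends anything
}

# Constructed sample in a syslog-like shape: "<ISO timestamp> <source> <message>".
SAMPLE_LOG = """\
2024-03-01T10:00:05 fw-edge-01 ACCEPT tcp 10.0.0.5:51234 -> 93.184.216.34:443
2024-03-01T10:00:07 proxy-01 GET http://example.com/ 200
2024-03-01T10:00:10 dc-01 4624 logon user=alice
2024-03-01T10:01:00 web-app-01 request /login 200
2024-03-01T10:03:00 lab-box-77 cron job started
2024-03-01T10:04:30 fw-edge-01 DROP udp 10.0.0.9:5353 -> 224.0.0.251:5353
2024-03-01T10:05:02 proxy-01 GET http://example.org/ 302
2024-03-01T10:09:45 fw-edge-01 ACCEPT tcp 10.0.0.5:51240 -> 93.184.216.34:443
2024-03-01T10:12:00 dc-01 4634 logoff user=alice
2024-03-01T10:14:50 fw-edge-01 ACCEPT tcp 10.0.0.7:49152 -> 10.0.1.20:445
"""


def parse_last_seen(log_text):
    """Return {source: most recent timestamp} from the sample lines.

    Each line is '<ISO-8601 timestamp> <source> <message>'. Malformed lines
    are skipped rather than aborting the whole check.
    """
    last_seen = {}
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        source = parts[1]
        if source not in last_seen or ts > last_seen[source]:
            last_seen[source] = ts
    return last_seen


def silent_sources(last_seen, expected, now):
    """Return [(source, reason, silence)] for expected sources that are late.

    reason is 'never reported' when no line from the source exists at all,
    or 'stale' when the gap since its last line exceeds the allowed interval.
    """
    alerts = []
    for source, max_gap in expected.items():
        ts = last_seen.get(source)
        if ts is None:
            alerts.append((source, "never reported", None))
        elif now - ts > max_gap:
            alerts.append((source, "stale", now - ts))
    return alerts


def unexpected_sources(last_seen, expected):
    """Sources that are logging but are missing from the inventory."""
    return sorted(set(last_seen) - set(expected))


def run_check(log_text=SAMPLE_LOG, expected=EXPECTED_SOURCES, now=None):
    """Run both checks; the default clock is fixed so the example is reproducible."""
    now = now or datetime(2024, 3, 1, 10, 15, 0)
    last_seen = parse_last_seen(log_text)
    return silent_sources(last_seen, expected, now), unexpected_sources(last_seen, expected)


if __name__ == "__main__":
    stale, unknown = run_check()
    for source, reason, gap in stale:
        detail = f" ({gap} since last line)" if gap else ""
        print(f"ALERT  {source}: {reason}{detail}")
    for source in unknown:
        print(f"REVIEW {source}: logging but not in the inventory")
```

Run against the constructed sample at 10:15, the check alerts on proxy-01 (quiet for almost ten minutes against a five-minute allowance), web-app-01 (fourteen minutes against ten) and vpn-01 (never reported), while fw-edge-01 and dc-01 are within their intervals. The important design choice is that the allowed gap is per source: a firewall that logs every few seconds and a domain controller that logs a handful of events an hour cannot share one threshold without either drowning you in false alarms or missing a real outage. Schedule the check on its own clock, not from the log pipeline it is watching, otherwise a dead pipeline silences the alarm too.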
For a more in-depth view of the incident response bare minimum, view the on-demand webcast now.