In this week’s Whiteboard Wednesday, Jeremiah Dewey, Senior Director of Global Consulting at Rapid7, walks us through the critical steps of an incident response program and explains why incident response should be treated as a continuum, rather than a linear process.
Hi, I'm Jeremiah Dewey. I'm the Director of Incident Response Services here at Rapid7. I'm here to talk with you today about the development of a successful incident response program. As you can see here on the board, incident response is not, as the name may imply, a linear process from a breach to successfully kicking out the bad guys and returning to normal. It's actually a bit of a continuum. It happens throughout the life of your program, even when incidents are not detected. It starts with prevention. What technology do you have in place to prevent incidents?
Awareness campaigns that you've gone through to educate your users so that they can either prevent themselves from getting into a case of an incident happening or stop one as soon as they see it. It then moves on into the detection phase where you can detect events as they happen, triage them correctly so that you can then drive your response efforts correctly. If you scope in the right manner when you're responding to incidents and investigating them, you can have a successful remediation, which leads to a good clean up of the environment and lessons learned that can feed back into the beginning of the process and continue on that loop. What touches every phase of the incident response process is preparation.
If you're going to prepare properly for incidents, it's very important to develop a thorough and tested incident response plan. That plan will help guide you from alert triage all the way to incident categorization. Your categories should be broad enough that you're flexible and can respond to any type of incident in your environment, but you also need the granularity to go step by step within the playbooks created from those categorizations, to have a thorough enough investigation to remediate properly. We'll talk more about later steps within this process in subsequent Whiteboard Wednesdays, but for today I wanted to focus on the early stages, especially the planning. That's it for this week's Whiteboard Wednesday, and we'll talk to you next week.