什么是事故应变?
When a security team detects a threat, it’s essential organizations are ready for what comes next. That requires having a tightly coordinated incident response plan (IRP) 和 sequence of actions 和 events assigned to specific stakeholders on a dedicated IR team.
Some businesses may have their own in-house team, some may outsource their 事件响应服务, while others might take a hybrid approach where they outsource technical analysis but manage the rest of the IRP in-house. Either way, this team should have trained 和 planned for these IR events well before any trouble. 协调良好的IR工作应始终包括:
- 高级事件管理和协调
- 事件的技术分析
- 确定事件范围以确定受影响的人员或内容
- 危机沟通 to ensure information is released in a coordinated 和 beneficial manner
- Legal response to determine any implications 和 prepare any needed response or action
- Remediation 和 mitigation recommendations 和 actions to ensure a smooth recovery
谁是事件应变小组的主要成员?
The key players on an IR team are crucial 和 should tailor actions to the unique circumstances of a 违反. Security organizations should identify specific individuals or teams for the following core functions:
- 事件管理: This central role requires extensive technical knowledge 和 prior experience in management 和 IR. The person in this role acts as an overall project manager to oversee technical task completion, 以及为所有相关利益相关者收集信息.
- 企业事故调查: This is where the challenges of working at an enterprise can vary from smaller counterparts. A large 违反 at a bigger organization requires leveraging technologies 和 partnerships across teams to quickly assist in forensics across hosts (even remote ones) so that the team can find 妥协指标 以及潜在的范围,越快越好.
- 技术分析这些角色需要技术知识, 和 it's best to have analysts on the team who specialize in specific areas, 比如恶意软件分析, 取证分析, 事件日志分析, 网络分析. Any information these analysts find should be shared with the rest of the IR team.
- 事故范围:违规的程度是什么? 这是任何IR团队都需要知道的一个关键问题. The answer to this question may change over the course of the IR 和 investigation, 特别是随着技术分析的继续.
- 危机沟通:分享调查结果, 以及范围和潜在结果, 需要在内部和外部同时发生吗. An experienced crisis communications team should communicate the right details to the right audiences. 他们的职责可能包括违规通知, 监管的通知, 员工和/或受害者通知, 新闻发布会, 如果需要.
- 法律、人力资源和监管方面的问题如有违约 法规或遵从性考虑, it’s important to have someone on the team with knowledge of how to navigate disclosure requirements or work with law enforcement groups, 比如政府代表. 对于没有满足这些需求的内部专家的团队, 聘请律师的专业法律知识是值得投资的.
- 执行决策: Any 违反 can potentially affect an organization's public image 和 financial st和ing, 这就是为什么行政领导应该始终参与其中. There will be crucial decision points over the course of an IR 和 investigation, 和 the team will need executive input on how to proceed at these crucial junctures.
- 报告和补救在制作IR时,重要的是要记录所有内容. 有了这些信息, teams should be able to piece together an entire story for the 违反: what the attackers did, 他们是何时以及如何做到的, 以及他们设法达成的妥协. 这将使制定详细的应对计划成为可能 补救和缓解 从漏洞中恢复的建议, 和 hopefully help the organization defend against any future attacks that are similar in nature.
什么是事件应变计划?
IR计划描述了需要采取的步骤, 是谁干的, 当组织中发生违规或安全危机时. A robust response plan should empower teams to leap into action 和 mitigate damage as quickly as possible. 每一刻都很重要. That’s why emergency incident responders go through regular training simulations 和 process reviews, so when a situation arises they know how to act almost by muscle memory.
以防止在您的组织中发生缓慢的响应, 响应人员应该有一个精心绘制的IR计划, 定期排练各种可能的场景. Buy-in from key organizational stakeholders 和 C-level executives is also critical, so your team knows the support is in place for them to act quickly 和 efficiently.
毕竟, 发生安全事件时, it’s not just technical teams that need to act; non-technical resources – such as legal 和 communications – as well as outside parties will need to be involved, 尤其是当你和一个 安全服务提供商.
什么是受管理的事件响应服务?
Managed IR services are provided by an external vendor 和 are intended to help organizations of any maturity, 大小, 以及更好地应对和管理漏洞的技能. These managed services providers can help address strategic 和 tactical gaps by:
- 开发健壮的安全程序: If you're unsure whether your incident detection program covers all possible contingencies relevant to your organization, managed IR services can help you improve your readiness to incidents 和 违反es.
- 进行桌面练习: Put your internal IR team through their paces 和 verify their readiness with threat simulation exercises conducted by the provider.
- 进行妥协和/或违约准备评估: An external IR team can assess the current state of your organization's environment 和 security processes, 并确定任何潜在的风险或差距.
- 提供即时的违约补救:如果您怀疑自己被入侵并需要立即帮助, a managed services provider can jump into action to help stop further damage.
- 提供事件响应保留: A retainer ensures your team 和 the provider's teams are aligned to a plan 和 everyone is ready to go in case of a 违反. 许多保留服务将包括上面提到的几种服务, 和 they will often guarantee a certain service level agreement on their response times.
It may sound repetitive, but the worst time to prepare for a 违反 is after its happened. 有一个健全的IR计划 – 并确保与所有利益相关者沟通 – 为最坏的情况做准备的最好方法是什么.
死后的
After successfully responding to an incident, it's not time to rest just yet. The internal IR team should conduct a post-mortem to learn from the experience 和 fine-tune response preparedness.
什么是有效的,什么是无效的,什么可以更好或更快地工作? 经验是最好的老师, so it's important to glean as many lessons as possible from responding to an actual incident.
阅读更多关于事件响应的信息
准备战斗:让我们建立一个事件响应计划(第一部分)
准备战斗:让我们建立一个事件响应计划(第二部分)
事件响应新:最新的Rapid7博客文章