WEBVTT

00:00:00.830 --> 00:00:03.490
Let's take a look at incident response.

00:00:04.390 --> 00:00:08.250
The outcomes of a business continuity management system are that we

00:00:08.250 --> 00:00:12.170
have plans in place for incidents through incident response planning

00:00:12.560 --> 00:00:16.690
which address things like life safety, containment of the incident,

00:00:16.980 --> 00:00:22.210
documentation of the incident, and the ability to return to normal operations.

00:00:22.830 --> 00:00:28.080
Business continuity planning is based on a business impact analysis,

00:00:28.320 --> 00:00:32.009
the critical business functions, the recovery time objective,

00:00:32.020 --> 00:00:34.220
the data recovery point objective,

00:00:34.230 --> 00:00:38.240
and the requirements to enable recovery of systems.

00:00:39.040 --> 00:00:40.820
Disaster recovery planning,

00:00:40.980 --> 00:00:45.640
the relocation of IT and other services to an alternate location.

00:00:47.070 --> 00:00:52.950
When we look at an event, an event can be defined as any measurable occurrence,

00:00:53.000 --> 00:00:56.770
something happened, somebody walked in, somebody walked out.

00:00:57.200 --> 00:00:58.300
That's an event.

00:00:58.620 --> 00:01:05.160
An incident is a type of event with a potential to affect business mission.

00:01:05.340 --> 00:01:08.940
In other words, we could call it an adverse event.

00:01:09.520 --> 00:01:12.110
All incidents are types of events,

00:01:12.110 --> 00:01:15.150
but certainly not all events are types of incidents.

00:01:16.460 --> 00:01:20.020
Our goal is to build resilient systems.

00:01:20.090 --> 00:01:26.370
We see that used a lot today; business resilience means we

00:01:26.370 --> 00:01:31.820
can continue operations even during adverse circumstances.

00:01:33.520 --> 00:01:38.120
We have response plans in place to address especially

00:01:38.120 --> 00:01:39.820
things that have happened in the past.

00:01:40.170 --> 00:01:43.720
If it's happened before, there is a chance it could happen again.

00:01:44.520 --> 00:01:48.290
We also have to know what are the current trends and threats,

00:01:48.350 --> 00:01:52.770
what are the types of attacks being used today? Is today's problem,

00:01:52.770 --> 00:01:56.050
say ransomware or DDoS attacks?

00:01:56.050 --> 00:02:01.500
We should know what the current, should we say, tool of choice of hackers is.

00:02:02.290 --> 00:02:03.400
And of course,

00:02:03.410 --> 00:02:07.090
we should look at areas of change because everything

00:02:07.100 --> 00:02:09.580
worked well until we made a change.

00:02:09.970 --> 00:02:13.100
In many cases, it's when we have a change in staff,

00:02:13.100 --> 00:02:18.860
a change in procedures, a change in equipment that we get more incidents as well.

00:02:20.080 --> 00:02:25.550
Incident management is a structured process that starts with preparation.

00:02:26.040 --> 00:02:29.510
Let's be prepared in case something happens,

00:02:29.850 --> 00:02:33.000
then we can prevent it as much as possible if we

00:02:33.000 --> 00:02:34.470
know the things that can happen.

00:02:35.120 --> 00:02:38.920
But we have to be alert to the fact that things can still happen,

00:02:38.930 --> 00:02:41.690
even though we are prepared and have prevented,

00:02:42.070 --> 00:02:44.080
so we need good detection.

00:02:44.700 --> 00:02:48.100
When something happens, we need to stop it from spreading,

00:02:48.360 --> 00:02:50.510
and that, of course, is containment.

00:02:51.090 --> 00:02:54.720
Then we want to get back to normal, restoration,

00:02:54.730 --> 00:02:57.280
and apply lessons that were learned.

00:02:57.960 --> 00:03:01.990
We can see, for example, a fire is an example of an incident.

00:03:02.200 --> 00:03:07.260
We're prepared by having equipment and alarms and smoke detectors.

00:03:07.680 --> 00:03:11.070
We try to prevent fires through good practice of not

00:03:11.080 --> 00:03:14.610
overloading electrical circuits or having dangerous

00:03:14.610 --> 00:03:16.550
circumstances that could lead to fire,

00:03:17.030 --> 00:03:20.740
but we have those detectors so if there is a fire we'd know about it.

00:03:21.220 --> 00:03:24.550
The first thing we want to do if there is a fire is to contain it,

00:03:24.720 --> 00:03:27.650
stop it from spreading, close fire doors,

00:03:27.650 --> 00:03:28.510
for example.

00:03:29.060 --> 00:03:32.440
After the fire is out, we need to rebuild,

00:03:32.540 --> 00:03:35.220
restoration, and then, of course,

00:03:35.220 --> 00:03:38.720
learn how could we make sure that this doesn't happen again.

00:03:39.870 --> 00:03:42.540
The idea of preparation starts with policy.

00:03:42.930 --> 00:03:47.820
Do we have policies about how to deal with things and who

00:03:47.830 --> 00:03:50.820
has the authority if there is an incident?

00:03:51.240 --> 00:03:54.100
So it's not such that, in the case of a crisis,

00:03:54.260 --> 00:03:57.510
everybody is wondering, well, who can make the decisions?

00:03:57.520 --> 00:03:58.820
Who's in charge?

00:03:59.510 --> 00:04:03.190
We have defined team members, each with their own role,

00:04:03.200 --> 00:04:06.740
and of course, with the procedures of how we would do things.

00:04:07.600 --> 00:04:10.520
We want to make sure that everything is documented

00:04:10.710 --> 00:04:12.850
because when we have things documented,

00:04:12.850 --> 00:04:16.360
we'll be able to go back and review what went well,

00:04:16.630 --> 00:04:18.839
what could we improve on, for example.

00:04:19.290 --> 00:04:20.190
And of course,

00:04:20.190 --> 00:04:24.660
we want to have regular reporting back to management and our customers and

00:04:24.660 --> 00:04:28.440
employees of what is the current status of the incident.

00:04:29.940 --> 00:04:31.970
The idea of prevention, of course,

00:04:31.980 --> 00:04:35.530
is to have learned what are the things that could happen,

00:04:35.540 --> 00:04:40.410
so hopefully we reduce the vulnerabilities or reduce the

00:04:40.410 --> 00:04:43.300
likelihood of something happening again.

00:04:43.830 --> 00:04:45.950
The better we can be at prevention,

00:04:46.090 --> 00:04:50.770
the better we can be hopefully at avoiding having to deal with incidents at all.

00:04:52.030 --> 00:04:56.910
We know that a lot of this is learning from what the bad guys are doing.

00:04:57.480 --> 00:05:00.020
The types of attacks they're using are the things I

00:05:00.020 --> 00:05:02.730
should especially be watching for, in other words,

00:05:02.740 --> 00:05:04.710
offense drives defense.

00:05:05.450 --> 00:05:08.860
We need to monitor and know what's happening on our systems,

00:05:08.870 --> 00:05:11.630
networks, applications, and users.

00:05:11.980 --> 00:05:15.570
We see far too often that the problem is the attack had

00:05:15.570 --> 00:05:19.230
gone on for months and nobody recognized it because nobody

00:05:19.230 --> 00:05:21.080
knew what was normal activity.

00:05:21.850 --> 00:05:24.970
We should test our controls to make sure they're working,

00:05:25.260 --> 00:05:29.350
and certainly we should have awareness programs so people know what

00:05:29.350 --> 00:05:32.180
to watch for and what to do if something happens.

00:05:33.570 --> 00:05:34.920
The key points review.

00:05:35.370 --> 00:05:38.390
The secret to incident management is preparation,

00:05:38.970 --> 00:05:43.160
manage the incident and don't let the incident manage you.

00:05:43.800 --> 00:05:45.740
Prevention is better than recovery,

00:05:45.980 --> 00:05:49.820
and learn from past incidents how to be better prepared.
