Incident Response
1. How To Avoid a Corporate Meltdown: Create a Security Response Plan Now
By Mic Martin, President
www.MTCyberC.com
2. Topics of Discussion
• Background
• Policies and Directives
• Incident Response Plan Components
• Response Team Roles and Responsibilities
• Importance of Testing and Practice
• Information Sharing and Communication
• Cyber Security Information Sharing Act of 2015
3. Background
18 years of Information Security expertise: Security Awareness Training, Cross-Sector Collaboration Information Sharing Bridge, Incident Response, Encryption, Policy, and System Security Risk Assessments (C&A)
Served in executive leadership roles with the Dept of Defense (DoD), the Dept of Homeland Security (DHS) in Washington D.C., and the Federal Bureau of Investigation (FBI)
Trains the FBI on Information Security Subject Matter Areas of Expertise
Operation Iraqi Freedom U.S. Air Force Veteran
The President of MicheTechnology Cyber Consultants, LLC
Specializes in:
– Critical Infrastructure Protection Master: Cyber Threat and Hazard Identification
– Intelligence Community (IC) Classified Information Systems
– National Security Systems Risk Assessments
– Law Enforcement (LE) Sensitive Systems
– Insider Threat
5. We Are Inextricably Intertwined
• Hospitals/Medical Facilities IT and Communications
• Maritime and Power Grid IT and Communications
• Transportation IT and Communications
• Emergency Management IT and Communications
• Defense IT and Communications
The Climate Is Changing Too Fast For You To Still Be Doing What You Did A Year Ago In Your Organizations
6. A Good Reputation Is More Valuable Than Costly Perfume
• Company Reputation
• Fines for Non-Compliance
• Fees for Consumer Protection
• Loss of Business Credibility
• Higher Insurance Premiums
• Irreparable Damage or Loss
• Lawsuits
7. Incident Response Plan Components
Critical Assets – **NEED TO BE IDENTIFIED**
– Who Do They Belong To And Who Has Them?
– Where Are They Located?
– Who Has Privileged Access To Them, What Type, and What For?
What Is Considered an Incident For Your Company?
– Human-Caused: Insider Threat, Untrained Staff
– Natural-Caused: Tornadoes, Floods, Earthquakes
– Technological-Caused: Power Grid Failure, Transportation Failures
8. Incident Response Plan Components
• Require a Formal Incident Reporting System
• Determine a Category Escalation Matrix
• Incident Trigger: Employee, Self-Report, Notice
• Team Roles and Responsibilities
• Investigation
• Communication
• Testing and Practice
• Maintenance and Updates
9. Human-Caused Incidents
• Lost/Stolen Mobile Device, Laptops, Tablets
• Unauthorized Software/Hardware Installs
• Data Leaks/Spills and Breaches
• Unauthorized/Improper Use of Access
• Ransomware: Locky, CryptoWall, CryptoLocker
• Virus Intrusions
• Insider Threat Turncoats
12. Customary Response Team Members
INFO TECHNOLOGY
• CSIRT-IT
• Sanitizing Team
• Data Center
• Security Operations Center
• Server Management
• Mainframes
• Information Security/Assurance Office
• Database Administrator
• Vulnerability Assessment
• Help Desk
• Web Developers
• Classified Network
• Forensics
• Infrastructure Protection
• Program Manager
• Storage & Virtualization
• COMSEC Engineers
• Malware Analysis
• PKI Certificate Authority
• Destruction
• Penetration Testers
• Network & Sys Admin
• End Users
13. Blindspots = Vulnerability
Everyone Else
• Evidence Response Teams
• Supply and Inventory Technicians
• Vendors and Contractors
• Policy and Governance Office
• Privacy/Civil Liberties
• Physical Security
• Building Owner for Leased Facilities
• Inspector General (IG) Office
• *FTI-US Treasury
• Supervisors and Managers
• Facilities Security Officers (FSO)/Clearance Specialists
• Human Capital (HR)
• Legal Office
• Media/Public Affairs Office
• Finance
• OSHA Safety Officers
• Law Enforcement
• Emergency Management Coordinator
• Hospital
• Fire Department
• Red Cross
• Insider Threat
• Crisis Management Coordinators
• CIRT-Other
• Acquisition Office
• Cloud Service Provider
• Command Centers/Dispatch
• City, County, State, Tribal, Federal Agencies
• System Owner
• Executive Management
• Your Customers
14. Full Team Roles & Responsibilities
16. Testing and Practice Improves Response Time and Avoids a Corporate Meltdown
Gone are the days when you could simply change the date and replace names in your Security Response Plans
18. Communication
• Must Notify Everyone Identified In Your Response Plan of Their Role and Responsibilities
• Annotate Contact Information: Name, Title, Email, Physical Address, Mailing Address, Desk Phone, Cell Phone, Home Phone, After-Hours Phone, Radio Call Sign, Twitter Handle, Skype ID…
• Communicate the Plan To Your Staff
What Good Is A Security Response Plan If No One Knows About It?
23. Who’s Going to Update This?!?
24. Response Plan Components Review
• Identify Company Critical Assets
– Who has them (System Owner)
– Where they are located
– Who has privileged access to them and what type
• What Is Considered an Incident For You?
– Human-Caused: Insider Threat, Untrained Staff
– Natural-Caused: Tornadoes, Floods, Earthquakes
– Technological-Caused: Power Grid Failure, Transportation Failure
• Require a Formal Incident Reporting System
• Determine a Category Escalation Matrix
• Incident Trigger: Employee, Self-Report, Notice
• Roles and Responsibilities
• Investigation
• Communication and Information Sharing
– Cyber Security Information Sharing Act of 2015
• Testing and Practice
• Maintenance and Updates of the Response Plan
25. THANK YOU!
For Incident Response Training Information
Contact:
Mic Martin, President
Email: micmartin@mtcyberc.com
Tel: 469-340-2804
www.MTCyberC.com