Pub. 7 2017-2018 Issue 2
OVER A CENTURY: BUILDING BETTER BANKS - HELPING COLORADANS REALIZE DREAMS
September • October 2017

The Incident Response Process

The National Institute of Standards and Technology (NIST) has published a document titled "Computer Security Incident Handling Guide" (Special Publication 800-61). This guide describes a four-phase incident response life cycle. The four phases are:

• Preparation
• Detection & Analysis
• Containment, Eradication and Recovery
• Post-Incident Activity

Many financial institutions may not be able to develop full incident response capabilities that cover all four phases. However, preparation, detection and basic analysis are tasks and skills that every institution must be capable of performing.

The first phase, Preparation, is critical because it determines the success of any intrusion response. Preparation includes the development of policies and procedures. Additionally, it is important to invest in appropriate training for on-site IT staff so that they are able to detect intrusions and perform basic analysis. On-site IT staff are best qualified for this since they operate in the environment on a daily basis and can recognize abnormal activity. Third-party IT providers can also be very valuable, provided they have dedicated staff trained in intrusion response. Another key element of the Preparation phase is testing response capabilities. Testing should be conducted frequently and can include scenario and tabletop exercises. It is also important to test the actual technical response processes, including the use of any tools relied on for detection and basic analysis. Work invested in the Preparation phase makes the subsequent tasks, such as detection and analysis, much easier.

Network Visibility

The second phase, Detection & Analysis, can quickly become complex. An institution must have the capabilities and resources to determine whether there has been an intrusion. This includes full-content packet captures and NetFlow data from all ingress and egress points in the network, and appropriate system logs from all devices such as firewalls, routers, switches, virtualization hypervisors, servers, antivirus products and workstations. The goal is to aggregate and retain all of this data so that on-site IT staff have complete visibility into what is happening across all areas of the network at all times. Without that retained data, staff cannot reconstruct how an intruder entered, what was accessed, or where data left the network.

Not If - But When

The saying "It's not if, but when" applies to intrusions today. Every business needs an intrusion response capability now. Some may not know they have been intruded upon until law enforcement informs them. Smart businesses will have prepared their incident response ahead of time and will detect when Sad Panda intrudes.

Ty Purcell is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem, a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit our website at www.conetrix.com to learn how CoNetrix can improve your cybersecurity maturity.
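As an added example for the Network Visibility section above (not code from the article or from CoNetrix), the following script shows the kind of basic analysis on-site IT staff can run over aggregated NetFlow data from an egress point: it separates outbound flows from internal traffic, flags internal hosts that moved an unusually large volume of bytes to a single external address, and flags host-to-destination pairs that connect at nearly constant intervals, a pattern typical of malware beaconing to a command-and-control server. The flow record format, the internal address ranges, the threshold values and the sample records are all assumptions constructed for illustration.

```python
"""Baseline-and-flag analysis over NetFlow-style egress records.

Added example, not from the article. The CSV layout, internal ranges,
thresholds and the sample flows below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address space (RFC 1918); adjust to the institution's ranges.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample records in the form "timestamp,src,dst,dport,bytes",
# as a flow exporter might hand them to a collector. Not real traffic.
SAMPLE_FLOWS = """\
2017-09-05T09:00:00,10.1.2.3,93.184.216.34,443,5200
2017-09-05T09:05:00,10.1.2.3,93.184.216.34,443,4900
2017-09-05T09:10:00,10.1.2.3,93.184.216.34,443,5100
2017-09-05T09:15:00,10.1.2.3,93.184.216.34,443,5000
2017-09-05T09:20:00,10.1.2.3,93.184.216.34,443,5300
2017-09-05T09:01:00,10.1.2.7,203.0.113.10,443,120000
2017-09-05T09:07:00,10.1.2.7,203.0.113.10,443,80000
2017-09-05T09:30:00,10.1.2.7,203.0.113.10,443,110000
2017-09-05T09:02:00,10.1.2.9,198.51.100.5,22,650000000
2017-09-05T09:03:00,10.1.2.9,10.1.2.3,445,20000
"""


def parse_flows(text):
    """Parse CSV flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def egress_flows(flows):
    """Keep only flows leaving the network: internal source, external destination."""
    return [f for f in flows if is_internal(f["src"]) and not is_internal(f["dst"])]


def flag_bulk_egress(flows, threshold_bytes=100_000_000):
    """Sum bytes per (src, dst) pair and report pairs at or above the threshold.

    Returns a sorted list of (src, dst, total_bytes).
    """
    totals = defaultdict(int)
    for f in egress_flows(flows):
        totals[(f["src"], f["dst"])] += f["bytes"]
    return sorted((s, d, b) for (s, d), b in totals.items() if b >= threshold_bytes)


def flag_beacons(flows, min_flows=4, max_cv=0.1):
    """Report (src, dst) pairs whose inter-flow intervals are nearly constant.

    A low coefficient of variation (std dev / mean of the gaps) means the host
    is calling out on a fixed schedule. Returns (src, dst, mean_gap_seconds).
    """
    by_pair = defaultdict(list)
    for f in egress_flows(flows):
        by_pair[(f["src"], f["dst"])].append(f["ts"])
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, avg))
    return sorted(hits)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst, total in flag_bulk_egress(flows):
        print(f"bulk egress: {src} -> {dst} {total} bytes")
    for src, dst, gap in flag_beacons(flows):
        print(f"beacon: {src} -> {dst} every {gap:.0f}s")
```

Run on the constructed sample, the script reports 10.1.2.9 for a 650 MB transfer to an external host and 10.1.2.3 for connecting to the same external address every 300 seconds; the internal-to-internal SMB flow is ignored, and the host with three irregular flows trips neither check. The thresholds are deliberately simple and must be tuned against the institution's own baseline, which is exactly why the article stresses retaining the data continuously rather than only after an incident is suspected.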