---
layout: blocks/working-session
title: Incident Response Playbook
type: workshop
track: Security Playbooks
technology: SOC
related-to:
status: done
when-day: Wed
when-time: PM-1
location: Room-5
room-layout: cabaret
organizers: Francois Raynaud
participants: Naushad007, Mamta Vuppu, Mateo Martínez
outcomes: mapped
---
Responding to security incidents should not be an improvised or non-scripted activity. It is important that workflows and action-plans are created in advance, so that the team's response to an incident is consistent, focused and repeatable.
- Create an incident response playbook that can be used by the community
- Outcome: an incident response playbook
## Goals
- IR from a developer’s perspective
- Don't cover the entire IR field, only the developer's roles and responsibilities
- Reinforce how other best practices, such as threat models, support the IR process.
## Preparation
- Conduct fire drills; consider tabletop exercises
- Assign points of contact (e.g. Security Champions)
- Have a rapid deployment plan
- Have logging in place before an incident, so the questions below can be answered from evidence
## Questions that will be asked
- Is it our data?
- Is it a breach?
- What app/service provides the data?
- Where did data come from?
- Can the data be time stamped?
- What does it mean?
- Does it have value?
- Can we roll back to last known ‘good’ state?
## Response to incident
- Rapid deployment: owners have to know their roles
- Communication: keep people updated with minimal publicity
- Log what happens, and when, so people coming in as the crisis develops can be brought up to speed quickly
- Stagger the engineering team so that 24/7 coverage is possible (people need to rest, eat, etc.)
- The benefits of dealing with the situation quickly and efficiently outweigh the cost of the remedy and the cost to the business
## Post Mortem
- Did the threat model cover this?
- Bug bounty the target?
- Why did it happen?
- How did we react?
- Was best practice followed?
- If not, why not?
- Tuning web application firewalls
## Lessons learnt / next steps
- How many prerequisites were satisfied?
- Was the playbook appropriate?
- Variables will cause gaps in the playbook
- What adjustments need to be made?
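The Preparation, Questions, Response and Lessons learnt lists above are easier to act on when the playbook is data rather than a document: a team can then record which prerequisites it actually has in place, which questions still lack evidence, and a timestamped timeline for whoever joins mid-incident. The following is an added example written for this page, not the session's own material or the draft playbook; the checklist text is taken from the notes above, while the data layout, the function names and the sample events are assumptions made for the example.

```python
"""Incident response playbook as code.

Added example, not material from the session: it encodes the session's
Preparation checklist and "questions that will be asked" as data, and keeps a
UTC-timestamped incident timeline so that "how many prerequisites were
satisfied" and "log what happens, and when" become measurable. The checklist
text comes from the session notes; the data layout and function names are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Preparation items from the session notes, keyed by the evidence a team can
# record about itself before any incident happens.
PREPARATION: Dict[str, str] = {
    "fire_drill_conducted": "Conduct fire drill / tabletop exercise",
    "points_of_contact_assigned": "Assign points of contact (e.g. Security Champions)",
    "rapid_deployment_plan": "Rapid deployment plan exists and is rehearsed",
    "logging_enabled": "Logging in place for the services that hold the data",
}

# Questions responders will be asked (from the session notes). Each needs
# recorded evidence; a question without evidence is a gap in the playbook.
QUESTIONS: Dict[str, str] = {
    "is_it_our_data": "Is it our data?",
    "is_it_a_breach": "Is it a breach?",
    "source_service": "What app/service provides the data?",
    "data_origin": "Where did the data come from?",
    "timestamped": "Can the data be time stamped?",
    "rollback_possible": "Can we roll back to last known 'good' state?",
}


def prerequisites_report(state: Dict[str, bool]) -> Dict[str, object]:
    """Count satisfied preparation items and name the missing ones.

    `state` maps a PREPARATION key to whether the team has it in place;
    absent keys count as not satisfied.
    """
    missing = [text for key, text in PREPARATION.items() if not state.get(key)]
    return {
        "satisfied": len(PREPARATION) - len(missing),
        "total": len(PREPARATION),
        "missing": missing,
    }


@dataclass
class IncidentLog:
    """Append-only, UTC-normalised timeline plus the answers gathered so far."""

    entries: List[Dict[str, str]] = field(default_factory=list)
    answers: Dict[str, str] = field(default_factory=dict)

    def record(self, who: str, what: str, at: Optional[str] = None) -> Dict[str, str]:
        """Record an event. `at` is an ISO-8601 timestamp with a UTC offset;
        omit it to use the current time. Naive timestamps are rejected because
        an entry whose clock is unknown cannot be placed in the timeline."""
        if at is None:
            ts = datetime.now(timezone.utc)
        else:
            ts = datetime.fromisoformat(at)
            if ts.tzinfo is None:
                raise ValueError(f"timestamp {at!r} has no UTC offset")
        entry = {
            "at": ts.astimezone(timezone.utc).isoformat(timespec="seconds"),
            "who": who,
            "what": what,
        }
        self.entries.append(entry)
        return entry

    def answer(self, question_key: str, evidence: str) -> None:
        """Attach evidence to one of the playbook's questions."""
        if question_key not in QUESTIONS:
            raise KeyError(f"not a playbook question: {question_key}")
        self.answers[question_key] = evidence

    def open_questions(self) -> List[str]:
        """Playbook questions that still have no recorded evidence."""
        return [text for key, text in QUESTIONS.items() if key not in self.answers]

    def handover_summary(self) -> List[str]:
        """Chronological one-liners for someone joining mid-incident. Entries are
        sorted by timestamp, not by insertion order, so back-filled events land
        in the right place."""
        ordered = sorted(self.entries, key=lambda e: e["at"])
        return [f"{e['at']} {e['who']}: {e['what']}" for e in ordered]


if __name__ == "__main__":
    # Constructed sample data for the demo, not a real incident.
    print(prerequisites_report({"fire_drill_conducted": True, "logging_enabled": True}))
    log = IncidentLog()
    log.record("on-call", "Alert from WAF on orders-api", at="2017-06-14T15:05:00+02:00")
    log.record("lead", "Incident declared, owners paged", at="2017-06-14T13:02:00+00:00")
    log.answer("source_service", "orders-api, per WAF alert")
    print("\n".join(log.handover_summary()))
    print("Open questions:", log.open_questions())
```

Two design choices matter for a real incident: every timeline entry is normalised to UTC and entries without an offset are refused, because events gathered from different tools and time zones cannot otherwise be ordered; and the post-mortem questions "how many prerequisites were satisfied" and "was the playbook appropriate" are answered by the `missing` list and `open_questions()` rather than from memory.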
## Overall outcome
- We feel that a Preparation Guide could satisfy needs in this area, perhaps building on Tom Brennan’s OWASP Incident Response Project
The target audience for this Working Session is:
- Security teams
- SOC teams

## References
- Outpacing the Threat With Dynamic Playbooks
- How to build Incident Response Playbooks
- Incident Response
- How To Handle A Cyber Security Incident
- Best Practices for Developing a Cyber Security Playbook
- A weekend in Incident Response: How to Mitigate Cybersecurity Risks in HealthCare
Here are the current 'work in progress' materials for this session (please add as much information as possible before the sessions)
- Draft version of an incident response playbook