
Incident Response at Sony, (Wed, Dec 24th)

2014-12-25 03:35

For those of you who are not aware, Sony currently has a job posting for a Manager of Incident Response. Where I come from they refer to that as closing the barn door after the horse has got out, but they do need to start somewhere, and all in all it sounds like a cool job for an experienced Incident Handler. They do mention SANS certifications. Of course they put SANS certifications on the same level as CISSP and CISM, but it is a step.

My piece of advice for the new IR manager at Sony is to go back and review, and update, their incident response plans, since the Sony response to this incident was farcical at best. Matthew Schwartz at InfoRiskToday has published a post describing Sony's 7 Breach Response Mistakes. The standard incident handling methodology is Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Assuming that Sony had an IR plan and followed it, comparing this methodology to the Sony mistakes, it struck me that most of Sony's failures resulted from insufficient time spent in Preparation.

Most people think of preparation as making sure you have the proper preventive and detective controls in place to hopefully prevent a breach and, if that fails, detect it. But preparation needs to include many other aspects, including an incident management framework, a response strategy, and a communication plan.

The incident management framework defines every aspect of your incident response team, from who the participants are, to who is in charge, to how the team's communication will work. In most companies IR has become a technical IT function. While having the correct technical resources to respond to an incident is important, having the correct management structure in place to effectively manage the incident is equally important. Don't forget to include legal and communications functions in the incident response team. They will be indispensable in a public breach.

The response strategy comprises the processes and procedures that will be used in the case of an incident. One great way to develop these processes and procedures is to run table top exercises and mock incident exercises with the IR team. The output of these exercises should be moderately detailed plans to handle these incidents. Anticipating common scenarios in advance makes the actual response smoother and less stressful when an incident occurs. It is not possible to anticipate every conceivable incident, but think of the processes and procedures as building blocks that can be reused and modified in the case of a real incident.

An important part of any public incident is effective communication with the press and your external stakeholders such as customers and shareholders. A key element of this is getting your legal and communications people on the same page as your executives. The time to be figuring out what you will and won't release publicly is not in the heat of an incident. In my experience this usually leads to paralysis and ultimately looks like you have something to hide or are trying to mislead. Much the same as your incident strategy, the communication plan is best devised in advance as part of the mock incidents and table top exercises. In my opinion communicating the truth, early and often, is the best approach. The communication function was where Sony fell down the worst, both with internal and external communications.

With this in mind, it seems like a good time for all of us to review our IR plans in the light of some of the high profile breaches this year.

-- Rick Wanner - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter: namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: isc.sans.edu/diary.html?storyid=19113&rss
