Rapid Reaction - Foundations of Incident Management presented at bsideswellington 2017

by Ahmed Elashmawy

Summary: With the exception of a few organisations, it seems that the effort put into establishing an information security incident management and response capability is limited to developing a documented process. Most do the bare minimum required to tick the “has an incident response process” box, with little to no regard for how effective the process is. That’s why very few organisations actually detect information security (or cyber security if you prefer) incidents in a timely manner, and fewer still are able to handle and resolve them in an efficient and effective way to minimise the impact.
The talk will start by setting the context for incident management as a risk management activity, emphasising that it is not just a technical issue, and then get some terms and definitions out of the way. This will be followed by presenting a standard incident management process, discussing its steps, describing a recipe for building your own capability and highlighting the most commonly encountered "tar pits". At the end of the session, the floor will be open for questions and sharing experiences (without disclosing sensitive information).