
Cyber Breach Response That Actually Works


Organizational Approach to Managing Residual Risk
1st edition

By: Andrew Gorecki

28,99 €

Publisher: Wiley
Format: EPUB
Published: 09.06.2020
ISBN/EAN: 9781119679318
Language: English
Number of pages: 320

DRM-protected eBook; you need software such as Adobe Digital Editions and an Adobe ID to read it.

Description

You will be breached—the only question is whether you'll be ready

A cyber breach could cost your organization millions of dollars—in 2019, the average cost of a cyber breach for companies was $3.9M, a figure that is increasing 20-30% annually. But effective planning can lessen the impact and duration of an inevitable cyberattack. Cyber Breach Response That Actually Works provides a business-focused methodology that will allow you to address the aftermath of a cyber breach and reduce its impact on your enterprise.

This book goes beyond step-by-step instructions for technical staff, focusing on big-picture planning and strategy that makes the most business impact. Inside, you'll learn what drives cyber incident response and how to build effective incident response capabilities. Expert author Andrew Gorecki delivers a vendor-agnostic approach based on his experience with Fortune 500 organizations.

- Understand the evolving threat landscape and learn how to address tactical and strategic challenges to build a comprehensive and cohesive cyber breach response program
- Discover how incident response fits within your overall information security program, including a look at risk management
- Build a capable incident response team and create an actionable incident response plan to prepare for cyberattacks and minimize their impact to your organization
- Effectively investigate small and large-scale incidents and recover faster by leveraging proven industry practices
- Navigate legal issues impacting incident response, including laws and regulations, criminal cases and civil litigation, and types of evidence and their admissibility in court

In addition to its valuable breadth of discussion on incident response from a business strategy perspective, Cyber Breach Response That Actually Works offers information on key technology considerations to aid you in building an effective capability and accelerating investigations to ensure your organization can continue business operations during significant cyber events.
Table of Contents

Foreword xxiii
Introduction xxv

Chapter 1 Understanding the Bigger Picture 1
Evolving Threat Landscape 2
Identifying Threat Actors 2
Cyberattack Lifecycle 4
Cyberattack Preparation Framework 5
Cyberattack Execution Framework 6
Defining Cyber Breach Response 8
Events, Alerts, Observations, Incidents, and Breaches 9
Events 9
Alerts 9
Observations 10
Incidents 10
Breaches 11
What is Cyber Breach Response? 12
Identifying Drivers for Cyber Breach Response 13
Risk Management 13
Conducting Risk Management 13
Risk Assessment Process 14
Managing Residual Risk 17
Cyber Threat Intelligence 18
What is Cyber Threat Intelligence? 18
Importance of Cyber Threat Intelligence 19
Laws and Regulations 20
Compliance Considerations 20
Compliance Requirements for Cyber Breach Response 21
Changing Business Objectives 22
Incorporating Cyber Breach Response into a Cybersecurity Program 23
Strategic Planning 23
Designing a Program 24
Implementing Program Components 25
Program Operations 26
Continual Improvement 27
Strategy Development 27
Strategic Assessment 28
Gap Analysis 28
Maturity Assessment 30
Strategy Definition 32
Vision and Mission Statement 32
Goals and Objectives 33
Establishing Requirements 33
Defining a Target Operating Model 35
Developing a Business Case and Executive Alignment 35
Strategy Execution 37
Enacting an Incident Response Policy 37
Assigning an Incident Response Team 38
Creating an Incident Response Plan 38
Documenting Legal Requirements 38
Roadmap Development 39
Governance 40
Establishing Policies 40
Enterprise Security Policy 41
Issue-Specific Policies 41
Identifying Key Stakeholders 42
Executive Leadership 42
Project Steering Committee 42
Chief Information Security Officer 43
Stakeholders with Interest in Cyber Breach Response 43
Business Alignment 44
Continual Improvement 44
Necessity to Determine if the Program is Effective 45
Changing Threat Landscape 45
Changing Business Objectives 45
Summary 46
Notes 47

Chapter 2 Building a Cybersecurity Incident Response Team 51
Defining a CSIRT 51
CSIRT History 52
The Role of a CSIRT in the Enterprise 52
Defining Incident Response Competencies and Functions 55
Proactive Functions 55
Developing and Maintaining Procedures 56
Conducting Incident Response Exercises 56
Assisting with Vulnerability Identification 57
Deploying, Developing, and Tuning Tools 58
Implementing Lessons Learned 59
Reactive Functions 59
Digital Forensics and Incident Response 59
Cyber Threat Intelligence 60
Malware Analysis 60
Incident Management 61
Creating an Incident Response Team 61
Creating an Incident Response Mission Statement 62
Choosing a Team Model 62
Centralized Team Model 63
Distributed Team Model 64
Hybrid Team Model 65
An Integrated Team 66
Organizing an Incident Response Team 66
Tiered Model 66
Competency Model 68
Hiring and Training Personnel 69
Technical Skills 69
Soft Skills 71
Pros and Cons of Security Certifications 72
Conducting Effective Interviews 73
Retaining Incident Response Talent 74
Establishing Authority 75
Full Authority 75
Shared Authority 76
Indirect Authority 76
No Authority 76
Introducing an Incident Response Team to the Enterprise 77
Enacting a CSIRT 78
Defining a Coordination Model 78
Communication Flow 80
Incident Officer 80
Incident Manager 81
Assigning Roles and Responsibilities 82
Business Functions 82
Human Resources 82
Corporate Communications 83
Corporate Security 83
Finance 84
Other Business Functions 85
Legal and Compliance 85
Legal Counsel 85
Compliance Functions 86
Information Technology Functions 87
Technical Groups 87
Disaster Recovery 88
Outsourcing Partners and Vendors 89
Senior Management 89
Working with Outsourcing Partners 90
Outsourcing Considerations 91
Proven Track Record of Success 91
Offered Services and Capabilities 91
Global Support 92
Skills and Experience 92
Outsourcing Costs and Pricing Models 92
Establishing Successful Relationships with Vendors 93
Summary 94
Notes 95

Chapter 3 Technology Considerations in Cyber Breach Investigations 97
Sourcing Technology 98
Comparing Commercial vs. Open Source Tools 98
Commercial Tools 98
Open Source Software 98
Other Considerations 99
Developing In-House Software Tools 100
Procuring Hardware 101
Acquiring Forensic Data 102
Forensic Acquisition 102
Order of Volatility 103
Disk Imaging 103
System Memory Acquisition 105
Tool Considerations 106
Forensic Acquisition Use Cases 107
Live Response 108
Live Response Considerations 109
Live Response Tools 109
Live Response Use Cases 112
Incident Response Investigations in Virtualized Environments 113
Traditional Virtualization 115
Cloud Computing 115
Forensic Acquisition 115
Log Management in Cloud Computing Environments 117
Leveraging Network Data in Investigations 118
Firewall Logs and Network Flows 118
Proxy Servers and Web Gateways 120
Full-Packet Capture 120
Identifying Forensic Evidence in Enterprise Technology Services 123
Domain Name System 123
Dynamic Host Configuration Protocol 125
Web Servers 125
Databases 126
Security Tools 127
Intrusion Detection and Prevention Systems 127
Web Application Firewalls 127
Data Loss Prevention Systems 128
Antivirus Software 128
Endpoint Detection and Response 129
Honeypots and Honeynets 129
Log Management 130
What is Logging? 130
What is Log Management? 132
Log Management Lifecycle 133
Collection and Storage 134
Agent-Based vs. Agentless Collection 134
Log Management Architectures 135
Managing Logs with a SIEM 137
What is SIEM? 138
SIEM Considerations 139
Summary 140
Notes 141

Chapter 4 Crafting an Incident Response Plan 143
Incident Response Lifecycle 143
Preparing for an Incident 144
Detecting and Analyzing Incidents 145
Detection and Triage 146
Analyzing Incidents 146
Containment, Eradication, and Recovery 147
Containing a Breach 147
Eradicating a Threat Actor 148
Recovering Business Operations 149
Post-Incident Activities 149
Understanding Incident Management 150
Identifying Process Components 151
Defining a Process 151
Process Controls 153
Process Enablers 155
Process Interfaces 155
Roles and Responsibilities 158
Service Levels 159
Incident Management Workflow 160
Sources of Incident Notifications 160
Incident Classification and Documentation 162
Incident Categorization 163
Severity Assignment 163
Capturing Incident Information 167
Incident Escalations 169
Hierarchical Escalations 169
Functional Escalation 169
Creating and Managing Tasks 169
Major Incidents 170
Incident Closure 171
Crafting an Incident Response Playbook 171
Playbook Overview 171
Identifying Workflow Components 173
Detection 173
Analysis 174
Containment and Eradication 176
Recovery 176
Other Workflow Components 177
Post-Incident Evaluation 177
Vulnerability Management 177
Purpose and Objectives 178
Vulnerability Management Lifecycle 178
Integrating Vulnerability Management and Risk Management 180
Lessons Learned 180
Lessons-Learned Process Components 181
Conducting a Lessons-Learned Meeting 183
Continual Improvement 184
Continual Improvement Principles 184
The Deming Cycle 184
DIKW Hierarchy 185
The Seven-Step Improvement Process 187
Step 1: Define a Vision for Improvement 188
Step 2: Define Metrics 188
Step 3: Collect Data 189
Step 4: Process Data 190
Step 5: Analyze Information 191
Step 6: Assess Findings and Create Plan 191
Step 7: Implement the Plan 192
Summary 192
Notes 193

Chapter 5 Investigating and Remediating Cyber Breaches 195
Investigating Incidents 196
Determine Objectives 197
Acquire and Preserve Data 198
Perform Analysis 200
Contain and Eradicate 202
Conducting Analysis 202
Digital Forensics 203
Digital Forensics Disciplines 203
Timeline Analysis 205
Other Considerations in Digital Forensics 206
Cyber Threat Intelligence 207
Cyber Threat Intelligence Lifecycle 208
Identifying Attacker Activity with Cyber Threat Intelligence 209
Categorizing Indicators 212
Malware Analysis 214
Classifying Malware 214
Static Analysis 216
Dynamic Analysis 217
Malware Analysis and Cyber Threat Intelligence 217
Threat Hunting 218
Prerequisites to Threat Hunting 218
Threat Hunting Lifecycle 219
Reporting 221
Evidence Types 223
System Artifacts 223
Persistent Artifacts 223
Volatile Artifacts 225
Network Artifacts 226
Security Alerts 227
Remediating Incidents 228
Remediation Process 229
Establishing a Remediation Team 230
Remediation Lead 231
Remediation Owner 232
Remediation Planning 233
Business Considerations 233
Technology Considerations 234
Logistics 235
Assessing Readiness 235
Consequences of Alerting the Attacker 236
Developing an Execution Plan 237
Containment and Eradication 238
Containment 238
Eradication 239
Monitoring for Attacker Activity 240
Summary 241
Notes 242

Chapter 6 Legal and Regulatory Considerations in Cyber Breach Response 243
Understanding Breaches from a Legal Perspective 244
Laws, Regulations, and Standards 244
United States 245
European Union 246
Standards 246
Materiality in Financial Disclosure 247
Cyber Attribution 248
Motive, Opportunity, Means 248
Attributing a Cyber Attack 249
Engaging Law Enforcement 251
Cyber Insurance 252
Collecting Digital Evidence 252
What is Digital Evidence? 253
Digital Evidence Lifecycle 253
Information Governance 254
Identification 254
Preservation 255
Collection 255
Processing 255
Reviewing 256
Analysis 256
Production 257
Presentation 258
Admissibility of Digital Evidence 258
Federal Rules of Evidence 258
Types of Evidence 260
Direct Evidence 260
Circumstantial Evidence 260
Admission of Digital Evidence in Court 261
Evidence Rules 261
Hearsay Rule 261
Business Records Exemption Rule 262
Best Evidence 262
Working with Legal Counsel 263
Attorney-Client Privilege 263
Attorney Work-Product 264
Non-testifying Expert Privilege 264
Litigation Hold 265
Establishing a Chain of Custody 265
What is a Chain of Custody? 266
Establishing a Defensible Protocol 266
Traditional Forensic Acquisition 267
Live Response and Logical Acquisition 268
Documenting a Defensible Protocol 269
Documentation 269
Accuracy 270
Auditability and Reproducibility 270
Collection Methods 270
Data Privacy and Cyber Breach Investigations 271
What is Data Privacy? 271
Handling Personal Data During Investigations 272
Enacting a Policy to Support Investigations 272
Cyber Breach Investigations and GDPR 273
Data Processing and Cyber Breach Investigations 274
Establishing a Lawful Basis for the Processing of Personal Data 275
Territorial Transfer of Personal Data 276
Summary 277
Notes 278
Index 281
About the Author

Andrew Gorecki is a cybersecurity professional with experience across various IT and cybersecurity disciplines, including engineering, operations, and incident response. Originally from Europe, he provided consulting services across various industry sectors in the U.S., the UK, and other European countries. At the time of writing, he manages a team of incident response consultants within the X-Force IRIS competency of IBM Security, where he leads investigations into large-scale breaches for Fortune 500 organizations, delivers proactive incident response services, and provides executive-level consulting on building and optimizing incident response programs.
AN ESSENTIAL GUIDE FOR ORGANIZATIONAL LEADERS ON BUILDING AN EFFECTIVE CYBER BREACH RESPONSE PROGRAM AND MANAGING RESIDUAL RISK

Destructive ransomware attacks, disastrous data breaches, and a host of other cyber events are now headline news, negatively impacting numerous companies and millions of individuals around the world. Now more than ever, it is crucial that organizations prepare for cyberattacks and increase their cyber resilience as they expand their digital footprint and online presence. Cyber risk is no longer a hypothetical factor in the decision-making process—senior managers, Chief Security Officers, and other key leaders need to understand the organizational aspects of cyber incident response to prepare for significant cyber events, deal with the repercussions of a security breach, and minimize the impact of a cybersecurity attack.

Cyber Breach Response That Actually Works is an authoritative source of information on building and managing a cyber breach response program. Rather than focusing on overly technical, step-by-step investigation and remediation techniques, this accessible resource discusses the bigger picture of where incident response fits within an overall security program, and provides the tools necessary for designing and implementing a program from a governance perspective. Clear and concise chapters, assuming only a basic knowledge of cybersecurity and risk management concepts, provide a framework-agnostic approach for managing residual risk through cyber incident response, creating an effective and holistic strategy, and building capabilities that meet organizational needs.

Written by a security professional with years of practical incident response experience with Fortune 500 companies, this real-world guide covers incident response strategy, governance, incident management, breach investigations, laws and regulations, and more. You will be breached; it is inevitable. Cyber Breach Response That Actually Works will help you be ready when it happens.

Cyber Breach Response That Actually Works explains how to:

- Identify drivers for cyber breach response and create a sound strategy
- Build an effective Cyber Security Incident Response Team (CSIRT)
- Increase cyber resilience through planning and preparedness
- Minimize the impact of cyberattacks
- Decrease the cost of cyberattack response
- Build a technology toolkit to accelerate response activities
- Effectively investigate breaches and hunt for threats
