00:09 Panelist Introduction
03:28 Steps to building a successful IR program
05:50 RACI Chart
07:30 “If you are the person that finds the threat, you are the person in charge until you hand it off.” – Adam
08:58 “The whole thing with incident management is that it’s never going to be perfect the first time.” – Adam
10:53 “I’ve seen this work well when the application owners, system owners, business owners have their roles defined.” – Greg
12:00 “The last place you want to be is in a situation where you don’t know who owns what, who is going to start containing the problem, and whether or not we can shut things down.” – Greg
14:02 Question 1: Can you describe how you would do a gap analysis on a security operations center that does incident response?
15:50 “First we have to figure out how we define it. How do we know it’s happening? Do we have the data? Do we have the right folks in the room? That starts the questions. Start at a high level as you start to dig into this.” – Greg
20:45 Policy Templates
21:05 “A lot of policy is making lists. You want everyone to agree that the list is right and you stick with it for better or worse. You can always change them.” – Keith
24:35 Question 2: How do you measure the effectiveness of an IR program?
25:04 “You can’t measure anything unless you have some data. Having an incident management process that allows you to capture the metadata of your incident.” – Adam
28:00 Question 3: Where can you lean on technology to make some of this easier and more effective?
28:42 “When it comes to the actual operations piece of it, there are some key pieces. It’s documentation. It’s making sure that when we go through the process, that we are documenting the things that are happening, and being able to share those things.” – Greg
31:35 “Having some kind of ticket issue tracking system is critical.” – Adam