July 9, 2021 | Events & Webinars | Detection and response

Q&A on Incident Response Operations

We had so many great questions during our session “How does your incident response program stack up?” so we hosted an extended Q&A to address some great topics we were unable to answer the first time around.

00:09 Panelist Introduction

03:28 Steps to building a successful IR program

05:50 RACI Chart

07:30 “If you are the person that finds the threat, you are the person in charge until you hand it off.” – Adam

08:58 “The whole thing with incident management is that it’s never going to be perfect the first time.” – Adam

10:53 “I’ve seen this work well when the application owners, system owners, business owners have their roles defined.” – Greg

12:00 “The last place you want to be is in a situation where you don’t know who owns what, who is going to start containing the problem, and whether or not we can shut things down.” – Greg

14:02 Question 1: Can you describe how you would do a gap analysis on a security operations center that does incident response?

15:50 “First we have to figure out how we define it. How do we know it’s happening? Do we have the data? Do we have the right folks in the room? That starts the questions. Start at a high level as you start to dig into this.” – Greg

20:45 Policy Templates

21:05 “A lot of policy is making lists. You want everyone to agree that the list is right and you stick with it for better or worse. You can always change them.” – Keith

24:35 Question 2: How do you measure the effectiveness of an IR program?

25:04 “You can’t measure anything unless you have some data. Having an incident management process that allows you to capture the metadata of your incident.” – Adam

28:00 Question 3: Where can you lean on technology to make some of this easier and more effective?

28:42 “When it comes to the actual operations piece of it, there are some key pieces. It’s documentation. It’s making sure that when we go through the process, that we are documenting the things that are happening, and being able to share those things.” – Greg

31:35 “Having some kind of ticket issue tracking system is critical.” – Adam

 
Keith McCammon
Chief Security Officer & Co-Founder, Red Canary
 
Adam Mathis
VP of Information Security, Red Canary
 
Greg Bailey
Director of Incident Handling, Red Canary
 
Laura Brosnan
Information Security Specialist, Red Canary