Incident Management: Managing a Security Incident Response Program


Incident Management
Managing a Security Incident Response Program using the RSA Security Incident Management Solution
June 2011, v1.0
www.archer.com
1-888-539-EGRC

COPYRIGHT NOTICE

Copyright 2011 EMC Corporation. All rights reserved. These materials are confidential and proprietary to EMC Corporation, and no part of these materials should be reproduced, published in any form by any means, electronic or mechanical including photocopy or any information storage or retrieval system, nor should the materials be disclosed to third parties without the express written authorization of EMC Corporation.

Incident Management
Version 1.0
June 2011

RSA Archer
13200 Metcalf Ave., Suite 300
Overland Park, KS 66213
Main: (913) 851-9137
Support: (913) 239-1860
www.archer-tech.com
archersupport@rsa.com

2011 EMC Corporation. All Rights Reserved

Table of Contents

Chapter 1: Introduction
  Purpose of this Document
  Assumptions
Chapter 2: Solution Design
  Incident Management Implementation
  Key Features and Benefits
    Centralized Incident Data and Control Access
    Incidents and Ethics Violations in Real Time Tracking
    Investigation Process Management
    Response Procedures and Document Incident Resolution
    Status and Impact Monitoring
    Incident Management Activities Reporting
    Regulatory Compliance
  RSA Security Incident Management: An Integrated Solution
    The RSA enVision Platform
    RSA Archer Incident Management
    RSA Archer eGRC Platform
Chapter 3: Solution Structure
  Solution Diagram
  Incidents
  Investigations
  Response Procedures
  Incident Events
  Dashboards and Reporting
Chapter 4: Incident Management Basics
  Security Incident Management Team
    Sample Roles
    Incident/Investigation Application Roles
  Incident Management Solution Workflow
    Incident Reporting and Analysis
    Solution Process
  Process Diagrams
    Incident Application Process Flow
    Ethics Violations Process
Chapter 5: Incidents and Investigations
  Incidents
    Initial Reporting
    Assignment
    Response
    Resolution
  Investigations
    Investigation Information
    Evidence and Evidence Tracking
Chapter 6: Incident Events
  Overview
  Solution Overview
  Application Layout
  Example Record
    Incident and Event Information Sections
    Device Information Section
    Event Details, Source/Destination, and Packet Sections
Chapter 7: Incident Management Implementation Methodology
  Overview
  Phases of Work
    Phase 1: Define Working Group
      Activity 1.1: Define Working Group Structure
        Task 1.1.1: Review the Business Objectives with the Project Sponsor
        Task 1.1.2: Designate Incident Management Ownership
      Activity 1.2: Obtain Project Sponsor Sign-off
    Phase 2: Analyze the Existing Process and Content
      Activity 2.1: Review Existing Incident Process and Structure
        Task 2.1.1: Review Process Structure
        Task 2.1.2: Analyze Response Procedure Content
      Activity 2.2: Review Analysis
        Task 2.2.1: Conduct the Analysis Workshop(s)
        Task 2.2.4: Capture Results from the Workshops
        Task 2.2.5: Obtain Final Sign-Off
    Phase 3: Prepare Solution
      Activity 3.1: Adjust Application Structures
      Activity 3.2: Create Response Procedures
      Activity 3.3: Add Reporting and Dashboards
    Phase 4: Conduct Rollout and Training
      Activity 4.1: Train Incident Team
      Activity 4.2: Train End Users
Appendix A: Pre-Configured Reports
  Ethics Violations
  Incidents
  Investigations
  Response Procedures

Chapter 1: Introduction

Purpose of this Document

Security incident management has been a staple of fundamental risk and security practices for many years. However, the requirement for more advanced operational incident handling is becoming more prevalent in today's information-centric business world. The strategic value of an information security function that can detect, respond, and protect company assets effectively and efficiently is critical to that organization's success. A fundamental starting point in building advanced security operations is the capability of the organization to identify, investigate, and resolve security incidents. Before an organization can truly get in front of the risks and threats to its infrastructure, it first must manage the most pressing and immediate issues. Security incident management is the process within security operations that must be tackled first, before more sophisticated capabilities can be achieved.

RSA Archer Incident Management is one of the core technological enablers for this process. Bringing structure and form to the response process, the RSA Archer eGRC solution provides not only a method to centralize and consolidate incident management activities, but also a full case management system to manage investigations. Often, incidents are documented using a variety of techniques. Incident Management provides a standard template to capture incident details and a workflow function to manage the response team.

This guide supports the implementation of the RSA Archer Incident Management solution. It provides a framework for the establishment of a baseline response team using the standard features of the solution and further integration into security event and information management systems. Security incident management is a well-known topic and is the focus of many other documents from other sources. This document is not meant to be a complete guide to establishing a Computer Emergency Response Team (CERT), but rather a supplement and guide to the Incident Management solution.

This guide also explores the RSA Security Incident Management Solution, not to be confused with the RSA Archer Incident Management solution. The broader RSA Security Incident Management Solution includes not only the RSA Archer eGRC solutions but also the RSA enVision product for security event management. This guide focuses on only the RSA Archer Incident Management portion of that solution with regard to the Incident Events application, which is an "add-on" component to the RSA Archer solution that enables integration with the enVision platform.

Assumptions

The tasks outlined in the implementation methodology include the following assumptions:

- Further guidance on the establishment of a CERT team should be used when instituting a security response process. Guidance such as NIST 800-61 or other sources provides much information on the overall creation of a CERT capability.
- The project is part of an overall RSA Archer implementation, the final outcome of which is the deployment of the RSA Archer Incident Management solution.
- Team members are trained and experienced in the RSA Archer eGRC Platform functionality and scope.
- Due to the varied nature of business requirements, configuration and changes to the basic structure and functions within the applications are defined using RSA's typical "design/build/deploy" methodology. This methodology provides guidance for the "analyze" phase of the project and focuses more on the structure of the data than on configuration tasks for the applications.

Chapter 2: Solution Design

Incident Management Implementation

RSA Archer Incident Management centralizes and streamlines the complete case management lifecycle for cyber and physical incidents and ethics violations. Using the web-based solution, you can capture incident reports, evaluate the criticality of an incident, and assign response team members based on business impact and regulatory requirements. You also can consolidate response procedures, manage investigations end-to-end, and report on trends, losses, recovery efforts, and related incidents. Powered by the RSA Archer eGRC Platform, the RSA Archer Incident Management solution allows you to effectively manage incidents that occur anywhere you do business, from detection through analysis and resolution.

Through RSA Archer Incident Management, you can accomplish the following:

- Report incidents of any type, including theft, harassment, fraud, violence, bribery, corruption, equal opportunity violations, conflicts of interest, phishing, denial-of-service attacks, and so on.
- Integrate incident data from a call center or intrusion detection service through the RSA Archer Data Feed Manager.
- Centralize incident documentation, response procedures, and investigations across your enterprise.
- Access control incident data down to the field level to protect personal identities and the integrity of confidential information.
- Notify responders via e-mail when incidents enter their queue for investigation.
- Use the RSA Archer eGRC Platform for efficient access to incident data and response procedures no matter where personnel are located.
- Employ automated task management functionality to track response activities.
- Document legal and law enforcement involvement in the response process and track losses and recovery costs.
- Maintain an incident history and audit trail with the capability to track each version of an incident record throughout its lifecycle.
- Produce rollup reports to track incidents and identify trends, incident similarities, and relationships to better understand mitigation and prevention requirements.
- Understand the relationships of incidents to business units, information assets, facilities, vendors, risks, financial loss events, and your business continuity program through seamless integration with the full RSA Archer eGRC Suite.

Key Features and Benefits

Centralized Incident Data and Control Access

With RSA Archer Incident Management, you can consolidate incident documentation across business units and locations. This unified approach supports regulatory compliance for tracking and reporting incidents. You also can secure incident data down to the individual field level to protect confidential information. The RSA Archer eGRC Platform allows you to limit incident access to only those individuals directly involved in the investigation and resolution processes. In addition, you can grant senior management access to the level of incident data necessary for risk and financial impact analysis.

Incidents and Ethics Violations in Real Time Tracking

RSA Archer Incident Management provides an easy-to-use web interface for reporting incidents and ethics violations that occur anywhere you do business. You can use the Archer Data Feed Manager to capture incident data from external sources, such as a call center or notification service. Additionally, the Incident Management solution supports anonymous incident reporting as recommended by the Public Disclosure Act and required by the Sarbanes-Oxley Act.

Through the system's interface, you quickly can document the details of an incident, including the time of occurrence and initial report, the location of the event, its category, and its severity. If you use the RSA Archer Enterprise Management solution to track relationships and dependencies within your enterprise hierarchy and infrastructure, you also can relate the incident to the business units, facilities, and technologies it affects, giving you a holistic view of business and human impacts.

Investigation Process Management

RSA Archer Incident Management puts you in control of the complete investigation lifecycle. For each incident that requires an investigation, you can submit a formal request, noting the urgency, location, business unit, and type (e-Discovery, Investigation, or Litigation). You can assign an investigation owner, manager, and support staff and auto-notify these individuals when assignments enter their queue. To help investigators prioritize their activities, the solution allows you to rate incidents by criticality, financial impact, and regulatory significance. Additionally, the dynamic workflow prompts investigators for various levels of documentation based on the investigation status, and the solution captures evidence through manual entry and automated data collection.

Response Procedures and Document Incident Resolution

Using RSA Archer Incident Management, you can import your library of response procedures and use them in the context of multiple incidents. By linking an incident to one or more response procedures, you can track remediation efforts and approvals from a single management interface. You also can document legal and law enforcement involvement, perform loss/recovery analysis, and document incident resolution, including causes and corrective actions.

Status and Impact Monitoring

You can maintain a detailed incident history and audit trail with the capability to display multiple versions of an incident record throughout the incident lifecycle. Through seamless integration with the RSA Archer eGRC Suite, you can understand incident impact on your business units, facilities, personnel, and technology infrastructure. Additionally, you can track vendor involvement in any incident and use that information within the context of your vendor risk management program.

Incident Management Activities Reporting

Using RSA Archer's reporting capabilities, you can track incidents by type, date, person, location, financial impact, and other attributes. You also can construct graphical dashboards that provide management with real-time access to current incidents, their resolution status, and key metrics, including loss information at the end of an investigation. By relating incidents of the same type, you can identify trends and incident relationships, providing the data necessary to ensure that appropriate mitigation and remediation strategies are employed.

Regulatory Compliance

RSA Archer Incident Management supports all certification and accreditation processes required by sections 3505 and 3544 of the Federal Information Security Management Act, as well as the ability to report and manage incidents associated with government facilities and systems. RSA Archer also provides a turnkey solution for compliance with the whistleblower requirements of Sarbanes-Oxley sections 301 and 302, including all essential data entry interfaces and report generation capabilities.

RSA Security Incident Management: An Integrated Solution

The RSA Security Incident Management Solution is an integrated set of security tools that accelerate the identification, prioritization, investigation, and resolution of security incidents. The solution includes the RSA enVision product, our industry-leading Security Incident and Event Management (SIEM) platform, for collecting and analyzing log and event data to quickly identify high-priority security incidents as they occur. Once the critical events within the infrastructure are identified, RSA Archer Incident Management then enables the security function to manage the complete investigation and resolution of the incident.

A seamless integration between the two products allows security analysts to use event data from the RSA enVision platform and the information from the RSA Archer eGRC Platform to add business context to the incident for quicker prioritization. The end result is the efficient and effective investigation and remediation of the security incident.

The blend of a SIEM infrastructure and an enterprise Governance, Risk and Compliance (eGRC) platform is an unprecedented solution in the market. Unlike other eGRC vendors, the solution brings real-time event data into the key risk and compliance process of security incident management. Combining the business information within the eGRC platform with the event data in the SIEM infrastructure brings extraordinary dimension to the log and system data. Finally, the empirical data provided by the security incident management process greatly improves the overall view of the compliance and security risks in the organization.

The RSA enVision Platform

With the RSA enVision platform, your security operations team has a true SIEM solution for addressing their network security management challenges. Security and IT administrators can interrogate the full volume of stored data through an intuitive dashboard. Advanced analytical software turns unstructured raw data into valuable business information, giving administrators actionable insights to help simplify compliance, enhance security, and optimize IT and security operations.

Administrators can automatically collect log data about their network and security infrastructure, as well as file, application, and user activity, helping to simplify the event management process. Over 1400 reports and policies are included and tailored to today's specific compliance requirements and industry regulations. The RSA enVision platform stores all log data without filtration or normalization and protects it from tampering, providing a verifiably authentic source of archived data.

With real-time security event alerts, monitoring, and drill-down forensic functionality, the RSA enVision platform gives administrators a clear view and understanding of the threats and risks to the infrastructure and applications so they can take more effective actions to mitigate those risks. IT support staff can use the enVision platform to track and manage activity logs for servers, networking equipment, and storage platforms, as well as monitor network assets and the availability and status of users, hardware, and business applications. The enVision platform provides an intelligent forensic tool for troubleshooting infrastructure problems and protecting infrastructure resources, providing granular visibility into specific behaviors by end users to more efficiently and effectively manage your business-critical resources and your security and operations teams.

RSA Archer Incident Management

RSA Archer Incident Management streamlines the complete case management lifecycle for security incidents. You can document security incidents, evaluate incident criticality, and assign response team members based on business impact and regulatory requirements. You also can consolidate response procedures and manage security investigations.

With the robust reporting engine, you can report on trends, losses, recovery efforts, and related issues. Using RSA Archer Incident Management, you effectively can handle security incidents that occur anywhere you do business, from detection through analysis and resolution. You can limit access to incident data to only those individuals directly involved in investigation, resolution, and analysis. Advanced features such as automated e-mail notifications and workflow support a robust process that can meet any organization's security incident response needs.

The solution also allows management to improve risk management abilities by delivering a detailed incident history and audit trail. Dashboards and reports provide management with insight into the actual risks and threats within the operations to make informed business decisions. Historical data can illustrate how incidents impact your business units, facilities, personnel, technology infrastructure, and vendor relationships.

RSA Archer eGRC Platform

Underpinning this entire process is the RSA Archer eGRC Platform. Security incident management requires business information to correctly prioritize and manage the risk associated with each incident. Information such as the relationship of business processes and the devices impacted by the incident provides the context around the incident to make the right decisions. The Platform includes a complete Enterprise Management module to document company assets, from individual devices up to business products and services. This catalog of assets clarifies the true impact of any security incident by giving real business context to the incident analysis process.

The following graphic depicts the RSA Security Incident Management Solution in action.
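As an added illustration of the two ideas this chapter keeps returning to, enriching SIEM events with business context from an asset catalog for prioritization and restricting incident data down to the field level, the following Python script joins constructed SIEM-style events to a constructed asset catalog, scores each incident, and filters the resulting record by role. It is not RSA Archer or enVision code; the scoring weights, the role names and the field lists are assumptions chosen for the example.

```python
# Added example, not RSA code: prioritize SIEM-style events with business
# context from an asset catalog, then apply field-level access by role.
# All asset, event, scoring and role data below is constructed for illustration.

# Constructed stand-in for the eGRC Enterprise Management asset catalog:
# device -> owning business unit, business criticality (1 low .. 3 high),
# and whether the asset is in regulatory scope.
ASSETS = {
    "db-01": {"business_unit": "Payments", "criticality": 3, "regulated": True},
    "web-07": {"business_unit": "Marketing", "criticality": 1, "regulated": False},
}

# Constructed events of the kind a Data Feed Manager import might carry.
EVENTS = [
    {"event_id": "E1", "device": "db-01", "severity": 4,
     "category": "Malware", "reporter": "alice@example.com"},
    {"event_id": "E2", "device": "web-07", "severity": 5,
     "category": "Denial of Service", "reporter": "bob@example.com"},
    {"event_id": "E3", "device": "unknown-99", "severity": 2,
     "category": "Phishing", "reporter": "anonymous"},
]

# Fields each role may see; None means every field (hypothetical role set).
ROLE_FIELDS = {
    "executive": {"event_id", "category", "business_unit", "priority"},
    "investigator": None,
}


def enrich(event):
    """Attach business context; flag devices missing from the catalog."""
    incident = dict(event)  # copy so the raw feed record is left untouched
    asset = ASSETS.get(event["device"])
    if asset is None:
        # Unknown device: assume medium criticality and queue an asset review
        # rather than silently dropping the event.
        incident.update(business_unit="Unassigned", criticality=2,
                        regulated=False, needs_asset_review=True)
    else:
        incident.update(asset, needs_asset_review=False)
    return incident


def priority(incident):
    """Hypothetical score: SIEM severity weighted by business criticality,
    plus a fixed bump for assets in regulatory scope."""
    score = incident["severity"] * incident["criticality"]
    if incident["regulated"]:
        score += 3
    return score


def build_queue(events):
    """Return enriched incident records ordered highest priority first."""
    incidents = [enrich(e) for e in events]
    for inc in incidents:
        inc["priority"] = priority(inc)
    return sorted(incidents, key=lambda i: i["priority"], reverse=True)


def view_for(role, incident):
    """Field-level access: strip fields the role is not allowed to see."""
    allowed = ROLE_FIELDS[role]
    if allowed is None:
        return dict(incident)
    return {k: v for k, v in incident.items() if k in allowed}
```

Run `build_queue(EVENTS)` to see the ordering; the reporter identity survives only in the investigator view, which is the point of field-level control for anonymous reports.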

Chapter 3: Solution Structure

Solution Diagram

RSA Archer Incident Management applications and associated applications are depicted in the following diagram. The Incident Events application, as part of the RSA Security Incident Management Solution, is depicted as well. This application is not part of the out-of-the-box solution, but is available as an on-demand application and is discussed in this chapter.

The following is the RSA Archer Incident Management solution diagram.

This guide is focused on the following four applications:

- Incidents
- Investigations
- Response Procedures
- Incident Events

Incidents

The Incidents application is the main hub of the solution. The Incidents application provides the ability to report and manage incidents. An incident record enables you to track summary information, assign investigators, track legal involvement, and record information about the data, loss, recovery, and results of the incident. Reports and evidence can be logged as attachments within the incident record, and related incidents can be identified for trend analysis.

Through the Incidents application, you can do the following:

- Consolidate incident documentation across business units and locations.
- Track how incidents impact your business units, facilities, personnel, and vendor relationships.
- Limit access to incident data to only those individuals directly involved in investigation, resolution, and analysis.
- Maintain a detailed incident history and audit trail with the capability to display multiple versions of a record throughout the incident lifecycle.

The Incidents application contains several sections to document the incident. This document covers each section in more detail in Chapter 5, "Incidents and Investigations."

Investigations

With the Investigations application, you can report and manage investigations of one or more incidents or ethics violations. You also can report on investigations by business unit, status, urgency, location, and many other criteria.

Through the Investigations application, you can do the following:

- Submit requests for incident investigations, noting the urgency, location, and type (eDiscovery, Investigation, Litigation, or other).
- Assign the investigation owner, manager, and support staff and auto-notify them when assignments enter their queue.
- Record evidence and attach supporting documentation.
- Maintain a detailed investigation history and audit trail with the capability to display multiple versions of a record throughout the investigation lifecycle.

Response Procedures

The Response Procedure
