Peer to Peer Magazine

Fall 2014: Security Is Everyone's Business

The quarterly publication of the International Legal Technology Association

Issue link: http://read.uberflip.com/i/411912


AN INCIDENT RESPONSE PROGRAM

With an understanding of the types of attackers and their methodologies, we can be better prepared to respond. The key is to be prepared to respond, not to react. Many incidents could be active for days, weeks or even months. Without a properly formulated plan, you risk ruining your chance to properly understand what has occurred, identify how many systems are affected and determine who is responsible. To address an incident, you need to know how to properly escalate an event, call on the right people and have a structured incident response (IR) program.

• Planning and Preparation: The first step in setting up an IR program is to create the response plan: a documented set of policies and procedures that the organization follows when addressing an incident. The plan should detail who is involved at what stages and give detailed contact information. Such information can include C-level, general counsel, outside counsel, business unit leaders, system and network administrators, outside forensic vendors and even your cybersecurity insurance broker. The plan should also include a meeting place that has adequate power, privacy, communication lines and whiteboards. Part of your preparation should include go bags or jump kits that are ready at all times with forensic disk imagers and boot discs, disk drives for data storage (you don't want to scramble to source a two-terabyte hard drive at three a.m.), network taps, printed procedures and call trees. Make sure people are properly trained for IR procedures, and conduct regular response drills.

• Detection and Analysis: If you monitor your network and hosts regularly, you will see more and more alerts and events. However, not every event is an incident, and it is important to know your normal environmental baselines. Know where to look on your network perimeter, host perimeters, file systems and applications to aggregate data points and be able to make the proper determination that there is an incident. Once you can make the call that there is an incident, ensure there is someone to quarterback the process and act as the lead incident handler. Also, be discreet. More advanced attackers will be monitoring and will react to your awareness of their activity. Consider using out-of-band communications, and act on a need-to-know basis.
