In this video, you will learn to describe the management process of incident response, how it is implemented, and why it is important to an overall security schema.

>> In this video, we are going to talk about incident response. Incident response is a process, a management process or a managed process, that most of today's companies are dealing with. It's actually something really, really important, because it will help us understand, or it will generate information about, our incidents: about events or errors or even attacks that computer networks, or networks at all, are suffering. So this means that as soon as somebody or something happens in our network that is not normal, that is not expected by the sysadmin or by anyone in the company, it will generate an incident. So how could we take that incident, how could we take that event and try to understand what happened? How could we prevent any new incident in the future, or how could we restore the service or the data or the computer or the network as soon as possible? All of those concepts are incident management. Obviously there are a lot of things, and we're going to talk about those things now.

So basically there are some key components in the incident management process. First of all, it's important to understand what an event is. An event, obviously, could be something that is not normal, something that is not part of the normal behavior of the network or the normal behavior of the company, but that actually is an incident. We're going to talk about incidents in a couple of minutes. But right now, an event could be something that changed the normal behavior of the system; it could be something that could be programmed or not. It is something that changes what is the normal process in the company, in the network, on the computer.

Or it will be something like, for example, an access control list being updated, or a firewall policy that was pushed or was updated by someone in the company, or a login event on the server. It could be something normal, it could be something expected or not. But normally, the common criterion here is something that changed the normal behavior or changed the normal process in the company, in the system, in the computer.

Now we have the incident. The incident is the negative part of the event. So, for example, if somebody logs in to the server and updates the ACL, that's an event. That event could be generated, or could be something that is expected, because there is a ticket that says, hey, the system administrator needs to go to the server and update the ACL in order to grant access to some part of the network, or in order to grant access to a VPN user, or something like that. But what happens if somebody detects that someone goes to the server, changes the ACL, and disables or denies all access to the servers in the company from the external network? So nobody from the Internet, nobody from the external network of the company, can access the servers. That is an incident. So it's something that will negatively impact the confidentiality, the integrity and the availability of security in the organization. Normally those incidents impact the business in many different ways. So, for example, it could impact the normal service of the company, it could impact the legal part of the company, it could impact the operational part of the company, the financial part of the company, okay?

Now, to deal with the incident, we have the response team. The response team, commonly known as the CCERT, is the team that will, first of all, in some occasions, identify the breach, identify the incident, and then will proceed to resolve the incident and resolve the issue that we are having right now.

So, for example, if somebody goes to the server, disables the firewall policy on the site, and nobody from the external network can access the internal network, then our response team will try to fix that firewall policy and try to restore the access to the internal network of the company.

Now, one important part of the response team is the investigation process. They need to understand what happened, they need to collect evidence, they need to maintain the chain of custody of that process, of that event, of that incident, in order to understand why this incident happened, who performed the action, and what they need to do in the future to prevent these incidents from happening again. So that's the quick explanation of what events, incidents, response team and investigation mean in the incident management universe.