In this video, you will learn to describe the key concepts of incident response, including e-discovery, use of automated systems, business continuity planning and disaster recovery, and post-incident activities.

>> There are some key concepts that we need to understand now. So first, the e-discovery process is something really, really important. We need to have our baseline regarding the technologies, systems and assets that we are going to use in our systems, in our companies. So the e-discovery process will allow us to get the current status of all the data, all of the systems, all the information that we are dealing with in our computers, in our systems, in our network. It will also allow us to understand how we could control the data retention period and the backups of that data. Not necessarily data, but we could also understand things like, for example, if we have a system that deals with the payroll on a monthly basis, is this really important? Do we need to care about the data retention here? Do we need to care about the backup? Do we need to care about the restore of this system in case any incident happens? So that's an important process, the e-discovery process. Then we have automated systems. We have a lot of things right now in our current environments. We have SIEMs like Splunk, QRadar, ArcSight. We have user behavior analytics. We have big data analysis. We have honeypots and honeytokens, artificial intelligence. We have a lot of things. Why do we have a lot of things? Because we have a lot of assets, so we have a lot of data. If we only have one computer in our company, it will probably be easy for the response team to understand why an incident happened, how we could restore the service affected, and why this incident is happening again and again and again. But what about if we have 1,000 computers, 100 servers, 10 different routers and systems? We need to correlate. 
We need to centralize all the data generated by those systems and generate reports, generate useful data on those systems. And more importantly, generate incidents, or generate automated incident alerts, that could allow us or could alert the incident response team that something has happened, even before the user or the company was affected by that incident. We have BCP and disaster recovery. BCP means business continuity plan. And disaster recovery is something similar, but we are going to talk about the main differences. The business continuity process is a whole process, a whole plan that we need to implement in our company in order to prevent, or in order to actually guide, not just the incident response team, but guide all the organization as soon as something happens. What happens when a service is affected? That service won't be available for the external users until the next three, four hours. How will our company deal with that? How will the systems, or how will the IT department, deal with that? How will the client service department deal with all the calls that they are going to receive from different people outside the organization? And disaster recovery actually is the process that we need to implement or we need to follow in order to be able to recover all the different areas if a disaster occurs. By the term disaster, it doesn't necessarily mean that we are going to be affected by a hurricane or by a tornado or something like that. It could be something like a cyber attack that will destroy all the data in our data center. How could we go and recover everything from our data center? How could we restore everything? And the process that we need to implement, not just to recover that, but also to inform the authorities, to inform the CEO of the company, or to inform the public that we are going to have a service disruption because we have an incident that happened in our data center. And obviously, the last term that we are going to explore is the post-incident. 
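The centralize-and-correlate point above, as an added example that is not part of the original lecture: forwarded authentication events from workstations, servers and a router are parsed into one store, and a rule raises an alert when one source fails logins on several distinct hosts within a short window. The log format, host names and addresses are constructed for this illustration, not a real SIEM schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from several systems, already forwarded to one
# central store (the "centralize" step). The format is hypothetical.
CENTRAL_LOG = """\
2024-05-01T10:00:01 host=ws-0042 src=10.1.1.9 event=auth_fail user=alice
2024-05-01T10:00:05 host=srv-db01 src=10.1.1.9 event=auth_fail user=admin
2024-05-01T10:00:09 host=rtr-edge1 src=10.1.1.9 event=auth_fail user=admin
2024-05-01T10:00:12 host=ws-0042 src=10.1.1.9 event=auth_ok user=alice
2024-05-01T10:00:20 host=ws-0077 src=10.1.2.5 event=auth_fail user=bob
2024-05-01T10:30:00 host=srv-web02 src=10.1.2.5 event=auth_fail user=bob
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) src=(\S+) event=(\S+) user=(\S+)$")

def parse(log_text):
    """Turn raw forwarded lines into normalised event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        ts, host, src, event, user = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "src": src, "event": event, "user": user})
    return events

def correlate(events, min_hosts=3, window=timedelta(minutes=5)):
    """Alert when one source fails auth on >= min_hosts distinct hosts inside
    the window. Each host alone sees one failure; the pattern is only visible
    once the data from all systems is in one place."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "auth_fail":
            by_src[e["src"]].append(e)
    alerts = []
    for src, fails in by_src.items():
        for i, first in enumerate(fails):
            in_window = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            hosts = {f["host"] for f in in_window}
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "hosts": sorted(hosts),
                               "first_seen": first["ts"]})
                break  # one alert per source is enough for the responders
    return alerts

if __name__ == "__main__":
    for a in correlate(parse(CENTRAL_LOG)):
        print(f"ALERT: {a['src']} failed logins on {a['hosts']} since {a['first_seen']}")
```

The second source (10.1.2.5) fails on only two hosts half an hour apart, so it stays below the threshold and produces no alert.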
This post-incident is, well, as soon as everything goes okay, as soon as we recover everything, as soon as the service is now up and running: why did this incident happen? What is the root cause of this incident? Who did the attack, for example? Who implemented or who made the changes? Understand what the difference is between an error, what a problem is, and what the difference is with an incident. So the important part here is an error. It's something that happens on the system because somebody makes an error. So for example, if you go to the finance system and you type your bank account, and instead of your bank account you type your name and you hit Enter and the system crashes because of that, that's probably an error, because the system handled the user's input into a key, into a text box, poorly. A problem is a number of errors; normally a number of errors generates a problem. So if you detect that, and you do update the system and you implement a patch to fix that input error, but what happens if you detect that somebody or another user goes into another part of the system and, again, instead of numbers they put letters and the system crashes? Well, that could be a problem. The system could have a problem on the input validation side. And an isolated incident could be something that, well, happened once. We still don't know why it happened, but as soon as the user put letters instead of numbers, the system crashed. But if we go and try to replicate the error, we try to replicate the same behavior, nothing happens. So that could be an isolated incident. The thing is, we need to understand, we need to investigate, and we need to fully understand and analyze all the different types of errors, problems and incidents that we detect on our systems. But we need to understand what an error is, what a problem is, and what an isolated incident is. 
And the next part of the post-incident concept is, well, lessons learned, and the reports that we could generate from those errors, problems and incidents in order to understand, in order to learn, what happened. How could we prevent those events? And what happens if those events happen again? How could we restore the service as soon as possible?