Incident Detection and Response

ISC2 via Coursera

Go to Course: https://www.coursera.org/learn/sscp-4th-ed-course-7

Introduction

**Review and Recommendation of the Coursera Course: Incident Detection and Response** In today's digital landscape, the need for robust cybersecurity measures has never been more vital. The Coursera course, *Incident Detection and Response*, serves as a critical resource for professionals seeking to understand and fortify their organizations against cyber threats. This course provides valuable insights into best practices for identifying, responding to, and recovering from incidents that compromise information security. ### Course Overview *Incident Detection and Response* is the seventh course in a comprehensive series aimed at developing cybersecurity professionals. It tackles one of the most pressing challenges in the field: detecting breaches and responding effectively before substantial damages occur. The course articulates the grim reality of cybersecurity breaches, emphasizing that many organizations only recognize they have been compromised when third parties inform them of the presence of their data on the dark web. This stark illustration sets the stage for a deep dive into proactive and reactive security strategies. ### Syllabus Breakdown #### Module 1: Operate All-source Intelligence for Monitoring and Incident Detection This module introduces the concept of all-source intelligence, expanding the horizon of traditional monitoring techniques. Unlike conventional methods that only observe known signals, all-source intelligence encourages the integration of data from a diverse array of channels. The goal here is to transform information into actionable insights. Participants learn to answer critical questions about their cybersecurity posture—what has happened, what went unnoticed, and whether a response is still viable. Understanding the evolution from basic intrusion detection to sophisticated SIEM systems is crucial for any security professional. #### Module 2: Support Incident Lifecycle In this module, learners explore the lifecycle of a security incident. The effectiveness of incident management relies not just on specialized procedures but also on the integration of day-to-day business operations. The course emphasizes the significance of clearly defined roles and responsibilities within the incident response team, ensuring that organizations can minimize damage and restore operations swiftly after an incident occurs. It's a reminder of the adage that "failing to prepare is preparing to fail." #### Module 3: Understand and Support Forensic Investigations Forensics is where cybersecurity truly intersects with investigative work. This module is particularly captivating for those interested in the technical nuances of handling cybersecurity incidents. It outlines the importance of meticulous planning and procedure adherence during forensic investigations. Participants will gain insights into how to support investigations effectively, preparing them for potential complexities that arise during major incidents. #### Module 4: Chapter 7 Review The final module reflects on the evolving landscape of cybersecurity. It highlights the shift in focus from asset hardening to effective breach detection, emphasizing the importance of agile, responsive strategies when a breach occurs. This module also underscores the increasing significance of data analysis in incident detection, reinforcing the notion that modern cybersecurity professionals must be adept at interpreting large volumes of data. ### Recommendations *Incident Detection and Response* is a must-enroll course for anyone in the cybersecurity field, from novices to seasoned professionals. Its practical approach and comprehensive syllabus provide learners with actionable knowledge that can be directly applied to real-world scenarios. **Pros:** - **Comprehensive Content**: The modules cover a range of essential topics, providing a holistic view of incident detection and response. - **Expertise Development**: Learners gain skills to not only respond to incidents but also prepare their organizations to mitigate potential breaches effectively. - **Real-World Application**: The course's focus on all-source intelligence and forensic investigations keeps the learning relevant and applicable. **Cons:** - For absolute beginners, some prior knowledge of cybersecurity concepts may enhance understanding, although the course is structured to build foundations gradually. ### Conclusion Courses like *Incident Detection and Response* on Coursera are invaluable for cultivating a proactive cybersecurity mindset. As organizations continue to become targets for cyberattacks, having a solid grasp of incident detection and response is essential for anyone involved in security. I highly recommend this course to anyone wanting to elevate their understanding and expertise in cybersecurity. Enroll today and empower yourself to safeguard against the ever-evolving threat landscape.

Syllabus

Module 1: Operate All-source Intelligence for Monitoring and Incident Detection

We saw in Chapter 5 the evolution from simple host-based intrusion detection, through network-based intrusion prevention and on to integrated security information and event management (SIEM) systems. Each step along this path was attempting to bring together every possible signal, from every element of an organization’s IT and OT architectures, and then analyze and exploit those signals to see if any were indicators of a possible attack or intrusion taking place. The goal of such a set of processes, the objective of gathering, collating and assessing all of that information, is to try to answer three questions:  What just happened to us?  What happened to us a while ago, but we didn’t notice it?  Is it too late to do anything about what happened in either case?  Part of that evolution to SIEMs and the next generation of intrusion detection and response systems (and the next generation after that) is the idea of all-source intelligence as the input and the process. This idea of using every possible piece of data from even the most unlikely of channels is nothing new; business forecasting and market analysis does it, national weather services do it and, of course, military and national security organizations have been doing it for years. These professions and many others know that transforming information into actionable intelligence, the kinds of conclusions and assertions on which leaders and managers can base their decision-making, requires as broad a spectrum of analysis approaches and ideas as the spread of the sources it observes.  All-source intelligence as a cybersecurity operation takes in far more than just monitoring. Monitoring in general involves observing the things you already know about: the systems, the endpoints, the people using them and the traffic on the networks. Monitoring is often about comparing observations to clip levels or alarm thresholds. As we’ll see, all-source intelligence as a process goes beyond monitoring; but it plays a vital role in enhancing the monitoring function, which still must be performed well.  No examination of monitoring or incident detection would be complete without looking at the compliance requirements that relate to it, and we’ll use that topic to bring the many threads of this module together. 

Module 2: Support Incident Lifecycle

An information security incident is a set of one or more events, or changes in the state of an information system, asset or architecture, which needs prompt and immediate security action to assess, contain, respond and recover from.  Well-prepared organizations can, with skill and luck, limit the damages to assets and the disruption to business processes that an incident might otherwise cause. Poorly prepared organizations are more likely to make serious mistakes in characterizing and handling an incident and may cause themselves more harm in the process.  Proper handling of information security incidents depends as much upon the day-to-day business processes as it does the specifics of the incident response processes. Incident detection, assessment, escalation, communication, recovery and learning from the event are activities typically integrated into the organization’s incident response process. Clarifying who does what in an incident and under what circumstances will greatly help the organization recover its business functions. The security professional should understand their legal and organizational responsibilities for incident management and be able to evaluate the activities and overall effectiveness of the organization’s incident response practice. 

Module 3: Understand and Support Forensic Investigations

Digital forensics investigation as a process and as a field of study is a fascinating and exciting combination of challenges. Those who participate in such investigations find that their creative skills, their attention to detail, and their innate curiosity will be stretched to the limit as they attempt to embrace the human, organizational and technical aspects of an information security incident. Those who support the investigators, either before or during the investigation, are equally challenged but in very different ways. The support team has tasks they must perform as part of providing services to the investigators, to organizational leaders and managers, and to end users in the organization and they must perform these tasks with rock-solid reliability and dependability to the best of their ability. Simply put, they must follow procedures and make sure that all of the required processes are followed, step by step, in detail.  Module 2 stressed the need for solid preparation and planning before the first incident occurs, and for a flexible, responsive and agile mindset to adjust those plans when that first incident does happen and shows the plans need to be changed. Preparing for incident investigation is a major part of what the security operations team needs to accomplish.  To put that preparation into perspective, this module will look in more detail at the investigative process itself. Along the way, we’ll highlight opportunities for the forward-thinking security professional to get the organization, its users, its IT and OT staff and its managers and leaders prepared to support different types of forensic investigations when and as they become necessary.  Module 3 will introduce some of the techniques of a digital forensics investigation. You may find them useful, and called for, as you’re troubleshooting an incident involving older technology systems (such as in OT architectures), or smaller, locally hosted SOHO or SMB environments. The same basic concepts still apply in the cloud and in the world of big data but scaling to that level requires a very different approach and mindset to thinking about forensics. Let’s take a closer look. 

Module 4: Chapter 7 Review

This chapter has shown how the focus, perspective and emphasis on incident detection and response have all shifted, and shifted dramatically, over the last decade or so. Previously, security professionals focused substantial efforts on identifying, enumerating and securing assets; they focused on hardening systems and networks. These were necessary efforts, but they sometimes meant that detecting a breach or intrusion was a lower-priority effort. Many of the headline-making cyber breaches and ransom attacks of the last few years show that attackers have taken advantage of the six to eight months it takes the average enterprise to notice that they’ve had (past tense) an intruder in their systems. This must change. All-source intelligence as a means of identifying and characterizing possible intrusions is proving to be a powerful way to gain insight about your systems and about detecting intrusions (or attempts to intrude into them). Combined with analytics for security, it’s also turning around a time-tested practice of being very selective in what events generate log signals, which signals get logged (and how often) and how log files are managed, collated and analyzed. Today’s security professional needs to be a bit more of a data scientist than they were in the past and perhaps more of an intelligence data analyst as well. We also looked at digital forensics, largely from the perspective of small systems rather than cloud-hosted, large, enterprise environments. Either way, in most cases, the investigation itself and the analysis of evidence is best left to the certified, trained, expert computer systems examiners to do; but as an on-scene security professional, having some background in what digital evidence might be, how it might be analyzed and what might be learned from it can help you better prepare the organization for when it has to call in the investigators.