Japanese Manufacturing, Killer Robots, & Effective Incident Handling

Transcript

1. Japanese Manufacturing, Killer Robots, & Effective Incident Handling With Scott

   & Kevin

2. Introduction - Who We Are - What We’re About -

   What We’re Gonna Share

3. Who We Are? Kevin aka @bfist Response Lead @ Heroku

   Scott aka @sroberts SIRT Lead @ GitHub FOR578 Instructor

4. WHAT WE’RE ABOUT? MAKING INCIDENT RESPONSE MORE EFFICIENT WITH SCIENCE

   ENGINEERING

5. WHAT WE’RE GONNA SHARE? A LOW COST, COLLABORATIVE METHOD FOR

   MANAGING COMMON INCIDENT RESPONSE WORKFLOWS

6. You’ve Got 99 Problems - Moving up the Maturity Model

   - Enable multiple responders - Provide easy to comms to stakeholders - Incidents come in waves - You’re poor and have no $$$

7. Project Management <REQUIRED MODEL SLIDE>

8. JIT (Just In Time) - Management Theory from Toyota -

   Create as Needed/Not as Planned - Limits Inventory - Lots of IR Parallels

9. Introduction to Kanban - A factory floor level production management

   tool - Spatial representation of tasks through a series of phases - Adapted to multiple non- manufacturing industries

10. Introduction to Kanban

11. None
12. None

13. Useful For.. - Short Term (JIT) Tasks Around Incidents -

    Long Term Management Task for Projects & Continuous Output

14. Warning We use the same tool (Kanban) BUT… We use

    kanban very differently (And that’s cool!!!)

15. Example

16. Platforms: GitHub Projects - Notes, artifacts, and boards in one

    place - Assign cards to people - Easy API - No Built In Templating

17. GitHub Projects

18. Platforms: Trello - Kanban is their main product - Full

    featured GUI - Card based discussions - Attachable Files - Many Integrations - Mature API

19. Trello

20. Incident Stages - Preparation. } Built Here - Identification -

    Containment - Eradication - Recovery - Lessons Learned } Helps Here

21. Preparation - Build template Kanban boards for common incidents -

    Start with a column for basic information sharing - Do you have things that need to be done in every incident?

22. Other Stages - Create a column for containment, eradication, and

    recovery tasks. - Do you need to roll creds for this incident? - Do you need to revoke hardware tokens?

23. Example: Malware Incident

24. Lessons Learned - Create a column for lessons learned -

    Dumping ground for the retro

25. Meat & Potatoes (And Simplicity) - 3 Columns - In

    Progress - Done - Canceled - Assign People to Tasks - Canceled cards should have an explanation

26. Example

27. Example: Lost/Stolen Laptop

28. Workflows: System Triage - New - Live Response Requested -

    Live Response Received - Analyzed - Remediated - Returned

29. Workflows: Compromised Resources - Malicious Activity Identified - Password Reset

    - 2FA Verified - User Interviewed - Remediated

30. Workflows: Indicator Development - Backlog - Enriched - COA: Discovery

    - Detection Created - COA: Detection Deployed - Detection Deprecated

31. Workflows: Intelligence Product Development - Planned - Analyzed - Drafted

    - Edited - Released - Feedback Collected

32. Automation - Templates move you from managed to defined -

    Repeatable & Consistent - Demonstrate Process - Reduce Admin Overhead

33. Wanna Try It? github.com/sroberts/incident-template

34. Bonus Content: The Five Whys - More Toyota Stuff -

    Root Cause Analysis Methodology - Useful Retrospective Technique

35. Conclusion - Kanban helps make repeatable yet flexible processes -

    Makes communications consistent - Powerful with a little automation

36. Thanks Made with <3 By Scott (@sroberts) & Kevin (@bfist)