
Wasn't expecting that! Now what?

by Andy Gibbs


  1. Some ideas on managing incidents. Wasn't expecting that! Now what? Andy Gibbs, Enterprise Architect - Security
  2. Agenda
     • Introduction to UCAS
     • The nature of incidents: what, why, how
     • Aims of incident management
     • UCAS' strategy and approach
     • Shared experiences
  3. UCAS is unique! We are the national centralised organisation processing applications to higher education in the UK. An intermediary in an ever-changing multi-£billion market.
  4. UCAS application schemes
     • UCAS Undergraduate
     • UCAS Teacher Training
     • UCAS Conservatoires
     • UCAS Postgraduate
     • UCAS Progress
  5. Our customers. Circa 800,000 applicants each year; circa 600,000 placed. 4 million applications, in over 6,000 registered centres, to 387 universities & colleges and 1,200 schools. This includes UK & international schools, agents and advisers from over 100 countries.
  6. Our challenge
     • Protect vital stakeholder information
     • Deliver our services in a secure, reliable and operationally stable manner
  7. What is an incident anyway? (diagram: event / INCIDENT)
  8. What is an incident anyway? An event or occurrence that has an unexpected and adverse effect on normal circumstances:
     • Business assets (including digital assets)
     • Services, outputs or deliverables
     • Operational processes
     • Resource levels
     • Assurance levels (integrity, quality, reliability etc.)
     It will usually require special treatment to resolve:
     • Additional resources (time, money, people, equipment)
     • Emergency processes
     • Skill-sets
  9. Appropriate incident response (diagram: a balance between two failure modes)
     • Too little, too late: data breach, business loss, fines, reputational damage, harm
     • Too early, too great: unnecessary wasted resources, distraction from normal business, panic & alarm
  10. Why do incidents occur?
     • Organisations take risks
     • Processes can and will go wrong
     • Things break
     • People are human – we all make mistakes: carelessness, naivety, distractions, misunderstanding
     • Those with malicious, malevolent or criminal intent
     • Defences are not perfect
     INCIDENTS ARE INEVITABLE – PLAN and RESPOND ACCORDINGLY
  11. Aims of incident management
     • Prevent incidents from occurring
     • Rapidly detect and respond to incidents when they do occur
     • Contain the situation and minimise business disruption
     • Quickly identify the issue and who/what has been affected
     • Inform and update affected parties of the situation and action plan
     • Take prompt and co-ordinated remedial action to reinstate
     • Understand root cause and adapt accordingly
     • Minimise the cost and disruption of handling incidents
  12. UCAS Security Strategy (diagram: four quadrants). Incident management has a role to play in all 4 quadrants.
  13. Protect - managing your risk. Risk has three components:
     • threat
     • vulnerability
     • impact
     Eliminate any one of the above and you have no risk!
  14. Threat. Understand your threat landscape:
     • Participate in security groups: JANET UK-SECURITY forum; Cyber Security Information Sharing Partnership (CiSP) (NCSC); LinkedIn Information Security Forum
     • Media and press
     • Threat advisories and reports
  15. Vulnerability. A vulnerability is an incident waiting to happen! Identify and reduce your areas of vulnerability:
     • Technical - vulnerability advisories, vulnerability scans and pen tests
     • People - active awareness and education programmes
     • Financial - contingency planning, budgeting, reserves
  16. Reduce impact. Reducing impact should an incident occur:
     • Regular backup of data
     • Build in resilience
     • Responsive incident management process
     • Business continuity plan - test it
  17. Detect. Keep employees vigilant:
     • Raise and maintain awareness
     • Encourage and reward people for reporting
     • Make reporting issues easy
     Manual / passive detection alone is not sufficient - proactively monitor for incidents.
  18. Detect (diagram)
  19. Detect (diagram: SIEM pipeline in the Network & Security Operations Centre)
     • Event sources feeding the security logs & event repository: server management, anti-virus/malware, file integrity monitoring, firewall management, intrusion detection, network management, end user analytics, mobile device management, user access management, contextual security
     • Processing: event correlation, analysis
     • Outputs: alerts graded High / Medium / Low, dashboard / reports, real-time alerting, triage
     (Other SIEM tools are available.)
  20. ALERT (diagram: incident invocation flow)
     • Invoke triage. Incident process - to invoke or not to invoke?
     • Severity – how serious is it?
     • Containment – how do we get the situation under control?
     • Routing – most effective path to resolution? Who leads?
     • Event log – open an incident timeline and event log
     • Duty Incident Manager invokes the incident team; supported by incident run books, escalation paths and the incident communications team
     • Resolver groups and escalation: Network & Security Operations, Data Protection & Governance, Cyber Security, Emergency Change Advisory Board, Facilities & Physical Security, Business Operations, External Incident Investigation, Crisis Management Team, Emergency Services
  21. Incident response - features
     • Clear incident process: common point of incident co-ordination; agreed lines of command and control; multiple ways of communicating
     • Triage process
     • Duty Incident Manager (+ deputies)
     • Incident team + resolver groups
     • Nominated deputies for all critical roles – no SPOF
     • Run-books to support incident handling and recovery
     • Communications – internal and external stakeholders, media and press
     • Escalation processes when necessary
     • Review – root cause + long-term fix
     • Incident closure
  22. Adapt
     • Always establish root cause if possible – Why? Why? Why? Do we have an underlying problem?
     • Identify lasting / long-term solution
     • Understand risks of maintaining any 'sticking-plaster' fixes
     • Learn from the experience
     • Adapt people, processes and technology
     • Record the outcome
     • Communicate to affected stakeholders
  23. Questions?
  24. Thank you
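Slide 19 sketches the detection pipeline (event sources, a central log repository, correlation, then High/Medium/Low alerts for triage) without showing what "correlation" does to the raw events. The following is an added example, not code from the deck or from UCAS, of a minimal correlator over constructed sample events from the source types the slide names: it suppresses individual failed logins, raises a Medium alert for a burst of them, raises a High alert when two different sources report the same host within a window, and returns the alert list in triage order together with the per-severity counts a dashboard would show. Event fields, thresholds and severity mappings are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Base severity per event type (assumed), mirroring the High/Medium/Low grading on slide 19.
BASE_SEVERITY = {"malware_detected": "High", "ids_signature": "Medium",
                 "login_failed": "Low", "file_changed": "Low"}
RANK = {"High": 0, "Medium": 1, "Low": 2}  # triage order: highest severity first

def ev(ts, source, host, etype, user=None):
    """Build one normalised event (constructed sample data, not real UCAS logs)."""
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "host": host, "type": etype, "user": user}

SAMPLE_EVENTS = [ev(f"2017-03-01T08:0{i}:00", "user access management", "srv-01",
                    "login_failed", "alice") for i in range(5)] + [
    ev("2017-03-01T08:05:30", "intrusion detection", "srv-01", "ids_signature"),
    ev("2017-03-01T09:30:00", "file integrity monitoring", "srv-02", "file_changed"),
    ev("2017-03-01T10:00:00", "anti-virus/malware", "srv-03", "malware_detected"),
]

def within(times, n, window):
    """True if any n consecutive timestamps (after sorting) fall inside the window."""
    times = sorted(times)
    return any(times[i + n - 1] - times[i] <= window for i in range(len(times) - n + 1))

def correlate(events, window=timedelta(minutes=10), fail_threshold=5):
    """Correlate raw events into graded alerts; returns (alerts, dashboard counts)."""
    alerts = []
    by_user, by_host = defaultdict(list), defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
        if e["type"] == "login_failed":
            by_user[e["user"]].append(e["ts"])
    # Rule 1: a burst of failed logins for one user inside the window -> Medium.
    for user, times in by_user.items():
        if within(times, fail_threshold, window):
            alerts.append({"severity": "Medium", "rule": "failed-login burst", "key": user})
    # Rule 2: two or more different sources reporting the same host inside the window -> High.
    for host, hes in by_host.items():
        hes.sort(key=lambda e: e["ts"])
        for i, a in enumerate(hes):
            srcs = {b["source"] for b in hes[i:] if b["ts"] - a["ts"] <= window}
            if len(srcs) >= 2:
                alerts.append({"severity": "High", "rule": "multi-source activity", "key": host})
                break
    # Rule 3: every other event (raw login failures are covered by rule 1) at its base severity.
    for e in events:
        if e["type"] != "login_failed":
            alerts.append({"severity": BASE_SEVERITY.get(e["type"], "Low"),
                           "rule": "single event: " + e["type"], "key": e["host"]})
    alerts.sort(key=lambda a: RANK[a["severity"]])
    return alerts, Counter(a["severity"] for a in alerts)
```

The per-severity Counter is the "dashboard / reports" figure; the ordered alert list is what a triage step on slide 20 would pick up first.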
