Intelligent CISO Issue 53 - Page 73

and rapid business recovery while also issuing directives that maintain compliance throughout .
Since OT requirements differ significantly from IT , IRPs should separate their workflows . Core plant or manufacturing processes must be highlighted in the IRP , along with what data is collected from such systems , where it is stored and for how long . This is important because most OT systems require data collection to be performed locally due to lack of network bandwidth and a range of other regulatory and operational requirements . So , any forensic analysis of an incident in an ICS environment will lean heavily on the IRP for data collection , especially to ensure that it does not clash with the organisation ’ s emergency operations plans ( EOP ), which always override IRPs when safety concerns arise .
3 . Log everything
A formal collection management framework ( CMF ) is critical to the identification of available evidence because it reduces investigation time and highlights monitoring gaps . For modern incident response , sources should include Windows event logs , Active Directory authentication , Sysmon , PowerShell logging , firewall logging and VPN authentication data . Documentation on configuration change management is also important , as are DNS query and response logs , DHCP , NetFlow and Web proxy logs . And don ’ t forget distributed control system ( DCS ) or supervisory control and data acquisition ( SCADA ) environments , where communication protocols are often proprietary .
Focus should be placed on chokepoints and perimeter log collection , as well as east-west network traffic ; and due attention should be paid to any third-party network connections , as they greatly broaden the definition of ‘ perimeter ’.
4 . Consider budgeting for an incident-response retainer
All business stakeholders should be aware that not having an incident response service retainer has risk attached to it . While business cases against retainers may make sense at the time , their absence in a crisis can lead www . intelligentciso . com
73