We're going to be looking basically at asset inventory and identification as it relates to incident response, and I want you to be careful here and not associate this too closely with IT asset inventory and identification. Because while we're going to talk about that, and while that is a nice parallel or a nice place to plug into, you really have to make sure we look at it as a separate thing, and let's talk about why that is. Now, when we look at some common IR assets, we're going to break them down into two categories: your people, which are resources, and their time, and then tools, which could be hardware or software, and we're going to talk about why we have to look at it that way. The first thing is, what assets actually belong to incident response? In other words, are these assets truly IR assets, or are they assets that are shared with other teams? For example, I'm not seeing many incident response teams own their own SIEM. I've not seen many incident response teams own their own IDS systems, or at least have one that's completely separated from the rest of the environment. So these are some questions that need to be asked out of the gate. This makes it so you can think about these things ahead of time so that, as you're building your team and building your IR capabilities out, you remember these things. Now, the first step to doing this is trying to figure out what it is you actually have. Discovery can be done a lot of different ways. We talk about using discovery through technical means. This could be done with things like port scans, memory scans, or any other type of inventory tools for software and hardware that you may already have in the environment. Again, piggybacking on IT here. You want to use those to just get an inventory of all the things that may be used for incident response.
Then, as you get all those things documented, you can start to separate them out into what's likely to be used, what's not, and what's absolutely for sure going to be used. We can also do discovery through administrative means, which means we're going and working with accounts payable and procurement to see what's actually being paid for. I can't tell you how many times I've gone through this exercise with organizations, and once they start working with Accounts Payable and we try to reconcile what Accounts Payable is paying for with what was discovered, it just doesn't match up, and a lot of times you find that they're paying for software and hardware that hasn't been used in a long time. We've even seen one organization that was so negligent in this area that they were paying something crazy like a million and a half dollars a year in a maintenance support type contract for a piece of hardware, or for pieces of hardware, that had never even been deployed. Still in the boxes in the closet; they decided not to go with them, just left them in the closet, and were still paying that maintenance fee every year. You want to make sure you go through this discovery process with Accounts Payable and work with procurement so those things can be found and identified, and you might even find a lot of budget money there that you can utilize for something that can actually go towards a new IR objective. Then, of course, you want to do discovery through what we call work observation. We recently found that, going through scans and also comparing that to what we found with Accounts Payable and procurement, we still end up finding a lot of pieces of software. I've got listed here Wireshark and Snort, and just think of some of the really powerful open source tools that we use a lot deep in the trenches that might not be high-level, very visible tools. Think about all of those.
These tools are absolutely critical and absolutely paramount to the success of a lot of your in-the-trenches incident response technical workers, and sometimes they just get lost in the cracks; they're not documented. So you want to make sure you do some work observation as well so that you can pull these out, and you have a much better picture of what's going on. Now, as I said, you want to make sure that you consider working with IT. Because the thing is, you're doing an exercise that they've probably got quite a bit of experience with: they've done asset identification. They've done inventory because they've gone through audits and they've had to work with risk management and all these people. They've gone through business impact analysis. They've gone through risk assessments; they've gone through asset identification and asset validation as well, just valuating assets and all these different things. So they're probably going to have some good procedures, some good tools, and some good insight into how you can do that most efficiently. Now, you will probably also be sharing some resources with IT. Again, if IT already has a huge SIEM installation from one vendor or another, it would make sense that you try to piggyback on that, versus going out and commissioning your own SIEM implementation, which could be very expensive and really just a waste of money if you're not aligning it with the structure already in place. They may already have systems in place as well to allow you to do this inventory. This is why, when we looked back a few slides ago, we talked about scanning using tools that can go out, pull stuff out, and help your inventory; IT may already have some things in place that can help you do this, so you definitely want to make sure you borrow from that. Now, some of the other things that you'll have to consider and look at are things like end-users that are being compromised; they're also often, sometimes, your first indicators of attack.
When we're talking about inventorying people, you have to include in that your actual end-users and your IT people as well. We have training programs that we roll out. Well, you need to make sure that you maybe take that roll of who you train and include all of those individuals in your user assets. Now, one of the things that's also important is you need to validate the need for discovered tools. This goes back to what we said a few minutes ago, where sometimes you find that maintenance and things like that are being paid on tools, or you just have tools in the environment that are sitting there stagnant and haven't been used in years. You want to make sure you get all those ironed out, and you know what's being used versus what's not being used. Again, you never know what types of budget you might find there. You might open up budget by discovering these tools that you're paying for that aren't being used; those can be put away, and you can use that money to purchase something else. It'll also help you get a good idea when you start trying to design a training budget later. It'll give you a good idea of the things that you will probably need to be training people up on, as far as retraining people. If they have it in the environment and they're using it every day, there's a likelihood that there's probably going to need to be some training on it, or even some update training that's coming up around the corner. Or, if it's a tool that's in the environment and it's absolutely not being used, you might want to nip the training budget in the bud for that, because no one's using it. So we don't need to have training dollars going towards a tool that no one's using and that the environment hasn't used for years. You won't know these things until you go through this process of actually doing it.
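The three discovery methods just described (technical scans, Accounts Payable and procurement records, and work observation) and the "validate the need" step only pay off when the three views are reconciled against each other. The script below is an added example and is not from the video or any product the speaker mentions: every tool name, host, cost and date is constructed sample data, the "IR" versus "IT" owner tag is an assumption about how you would mark shared assets, and the 365-day staleness window is an arbitrary choice. It joins the three views by tool name and reports the cases the speaker calls out: paid-for hardware that was never deployed, open-source tools in daily use that no inventory documents, deployed tools nobody has touched in a year, and the maintenance budget that could be reclaimed.

```python
from datetime import date

# --- Constructed sample data (not from the video) -------------------------
# View 1, technical discovery: what port scans / inventory agents found
# installed, plus an assumed "owner" tag to flag assets shared with IT.
SCAN_RESULTS = [
    {"tool": "Splunk", "host": "siem01", "owner": "IT"},
    {"tool": "Snort", "host": "sensor01", "owner": "IR"},
    {"tool": "ForensicSuite", "host": "lab02", "owner": "IR"},
    {"tool": "LegacySandbox", "host": "lab01", "owner": "IR"},
]

# View 2, administrative discovery: what Accounts Payable is actually paying.
AP_RECORDS = [
    {"tool": "Splunk", "annual_cost": 250_000},
    {"tool": "ForensicSuite", "annual_cost": 40_000},
    {"tool": "NetTapAppliance", "annual_cost": 1_500_000},  # still in the boxes
    {"tool": "LegacySandbox", "annual_cost": 30_000},
]

# View 3, work observation: what analysts were seen using, and when.
# Wireshark runs on an analyst laptop the scans never inventoried.
OBSERVED_USE = [
    {"tool": "Snort", "last_used": date(2024, 5, 30)},
    {"tool": "Wireshark", "last_used": date(2024, 6, 1)},
    {"tool": "Splunk", "last_used": date(2024, 6, 1)},
    {"tool": "LegacySandbox", "last_used": date(2021, 2, 10)},
]

TODAY = date(2024, 6, 15)  # fixed so the sample is reproducible


def _index(records):
    """Key a record list by normalized tool name so the views can be joined."""
    return {r["tool"].strip().lower(): r for r in records}


def reconcile(scan, ap, observed, today, stale_after_days=365):
    """Join the three discovery views and classify every tool they mention."""
    scanned = _index(scan)
    paid = _index(ap)
    used = _index(observed)
    documented = set(scanned) | set(paid)   # anything an inventory knows about

    def is_active(tool):
        # "In use" means observed within the staleness window.
        return (tool in used
                and (today - used[tool]["last_used"]).days <= stale_after_days)

    report = {
        # Paid for but never seen installed or used: the hardware in the closet.
        "paid_not_deployed": sorted(
            t for t in paid if t not in scanned and t not in used),
        # Seen in use but absent from both inventories: the Wireshark/Snort case.
        "undocumented_in_use": sorted(t for t in used if t not in documented),
        # Actively used tools: where training dollars are actually needed.
        "active": sorted(t for t in documented | set(used) if is_active(t)),
        # Deployed but idle: candidates to cut maintenance and training for.
        "stale": sorted(t for t in scanned if not is_active(t)),
        # Deployed assets not owned by IR: resources shared with IT.
        "shared_with_it": sorted(
            t for t, r in scanned.items() if r.get("owner") != "IR"),
    }
    # Annual spend on tools that are either undeployed or stale.
    report["reclaimable_budget"] = sum(
        paid[t]["annual_cost"]
        for t in report["paid_not_deployed"] + report["stale"]
        if t in paid
    )
    return report


def run_sample():
    """Reconcile the constructed sample views as of TODAY."""
    return reconcile(SCAN_RESULTS, AP_RECORDS, OBSERVED_USE, TODAY)


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample(), indent=2))
```

In practice the three input lists would be loaded from your scanner or inventory agent export, an Accounts Payable extract, and whatever you recorded during work observation; the join key is the normalized tool name, so agree on naming with IT and procurement before trusting the output. The report is deliberately split into separate buckets because each one goes to a different conversation: "paid, not deployed" and "stale" go to whoever holds the purse strings, "undocumented in use" goes into the IR inventory, and "active" feeds the training budget.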
So this is why, even though we're talking about responding to incidents, doing incident response, you absolutely must go through this little exercise, because you can't respond properly if you don't have the right tools in place and the right techniques in place. You can't have the right tools in place if you don't do an inventory of what you've already got. It is possible that you could overkill and have the right tools plus some. But when the people that pull the purse strings come knocking at the door and they start all of these audits and things to figure out what's being used and what's not, you don't want to be on the receiving end of wasting half your budget on tools that you never touch. I hope you enjoyed this video. Look forward to the next one.