WEBVTT

0:00:03.360000 --> 0:00:06.440000
 Hello everyone and welcome.

0:00:06.440000 --> 0:00:10.540000
 In this video we are going to be a
 time of this section of the course

0:00:10.540000 --> 0:00:15.440000
 before we get into SOC automation.

0:00:15.440000 --> 0:00:22.000000
 It just came to me as I was about to
 begin that section that there is

0:00:22.000000 --> 0:00:29.040000
 a very important topic or I should
 say point of contention that I need

0:00:29.040000 --> 0:00:36.040000
 to go over and it really comes down
 to the interchangeable use of the

0:00:36.040000 --> 0:00:42.540000
 words or the terms incident handling
 and incident response.

0:00:42.540000 --> 0:00:48.160000
 Now this is so contentious, so I should
 say not really contentious but

0:00:48.160000 --> 0:00:59.620000
 it's obviously going to be a question
 or something that will end up used

0:00:59.620000 --> 0:01:03.480000
 interchangeably and you may not know that
 they are being used interchangeably

0:01:03.480000 --> 0:01:08.100000
 so you may think that incident handling
 is something that's totally different

0:01:08.100000 --> 0:01:13.860000
 from incident response and the truth behind
 it is a little bit more nuanced

0:01:13.860000 --> 0:01:22.560000
 and I'm going to prove this by referring
 you to a very excellent publication

0:01:22.560000 --> 0:01:28.300000
 by MITRE but without wasting any more
 time the objective of this video

0:01:28.300000 --> 0:01:34.780000
 is to sort of explain what each of
 these means but really to juxtapose

0:01:34.780000 --> 0:01:42.180000
 them against each other especially
 from the perspective of them being

0:01:42.180000 --> 0:01:47.240000
 sort of different or I would
 say independent processes.

0:01:47.240000 --> 0:01:53.460000
 So what I'm trying to say here is that
 in certain instances if used or

0:01:53.460000 --> 0:02:00.240000
 defined correctly incident handling refers
 to something that encompasses

0:02:00.240000 --> 0:02:04.600000
 incident response and I'm trying to
 sort of give you that information

0:02:04.600000 --> 0:02:10.420000
 so that you actually know when you're
 referring to incident handling or

0:02:10.420000 --> 0:02:13.920000
 when you're specifically referring
 to incident response and then as I

0:02:13.920000 --> 0:02:18.260000
 said I'm going to contextualize all
 of this so let's not waste any more

0:02:18.260000 --> 0:02:20.500000
 time let's get started.

0:02:20.500000 --> 0:02:24.660000
 So in the context of security operations
 incident response and incident

0:02:24.660000 --> 0:02:30.200000
 handling are two distinct but interconnected
 phases of the incident management

0:02:30.200000 --> 0:02:35.200000
 process. Understanding the difference
 between these two is crucial for

0:02:35.200000 --> 0:02:40.460000
 building an effective SOC workflow or processes
 right and it's also important

0:02:40.460000 --> 0:02:44.780000
 to understand the difference between them
 as they are often used interchangeably

0:02:44.780000 --> 0:02:51.180000
 and from certain points of view incorrectly
 they've been used interchangeably

0:02:51.180000 --> 0:02:56.900000
 incorrectly which means that some people
 or some groups may think that

0:02:56.900000 --> 0:03:01.360000
 they sort of refer to the same thing
 however you know from some quarters

0:03:01.360000 --> 0:03:06.880000
 incident handling is actually as we'll
 get into shortly a larger process

0:03:06.880000 --> 0:03:11.360000
 that includes incident response as a
 subset and that was sort of the core

0:03:11.360000 --> 0:03:16.800000
 of what I wanted to explain in the introduction
 but that begs the question

0:03:16.800000 --> 0:03:22.280000
 properly defined what is incident handling
 so incident handling refers

0:03:22.280000 --> 0:03:27.360000
 to the overall structured process of
 managing and this is the keyword

0:03:27.360000 --> 0:03:33.820000
 here preparing for security incidents it
 includes developing policies procedures

0:03:33.820000 --> 0:03:38.520000
 and guidelines to detect contain eradicate
 and recover from incidents

0:03:38.520000 --> 0:03:42.500000
 and this is where the confusion comes
 into play because as you can see

0:03:42.500000 --> 0:03:50.660000
 it sort of includes or encompasses the
 incident response lifecycle workflow

0:03:50.660000 --> 0:03:55.560000
 and the phases therein and that's what
 confuses people but don't worry

0:03:55.560000 --> 0:04:00.160000
 it'll make sense in a few seconds or
 in a minute so the primary objective

0:04:00.160000 --> 0:04:05.200000
 of incident handling is to ensure that
 an organization is ready to effectively

0:04:05.200000 --> 0:04:11.900000
 keyword is manage and mitigate incidents
 when they occur so what is the

0:04:11.900000 --> 0:04:16.760000
 scope of incident handling well as
 you can see it's extremely similar

0:04:16.760000 --> 0:04:21.460000
 to that of incident response with the
 only difference being preparation

0:04:21.460000 --> 0:04:28.340000
 right and that's sort of the key differentiating
 point or factor so it

0:04:28.340000 --> 0:04:33.720000
 encompasses preparation detection containment
 eradication recovery so

0:04:33.720000 --> 0:04:39.900000
 in the case of preparation it involves creating
 playbooks training establishing

0:04:39.900000 --> 0:04:43.180000
 communication channels in the case of detection
 you know identifying potential

0:04:43.180000 --> 0:04:46.800000
 threats and attacks in the case of
 containment limiting the damage of

0:04:46.800000 --> 0:04:50.780000
 a security incident in the case of eradication
 removing the threat from

0:04:50.780000 --> 0:04:54.980000
 the environment you're already aware of
 this in the case of recovery restoring

0:04:54.980000 --> 0:05:00.460000
 normal operations after an incident
 okay so I've already sort of given

0:05:00.460000 --> 0:05:04.220000
 you ideas to what the key distinguishing
 factor is but let's take a deeper

0:05:04.220000 --> 0:05:11.020000
 look so revisiting the definition of incident
 handling as sort of a separate

0:05:11.020000 --> 0:05:16.520000
 you know defined process that is similar
 or is closely linked to incident

0:05:16.520000 --> 0:05:22.140000
 response you know defining that again
 but then juxtaposing it against

0:05:22.140000 --> 0:05:27.180000
 incident response so incident handling
 is a broader term that refers to

0:05:27.180000 --> 0:05:31.860000
 the process of managing an incident from
 start to finish including preparation

0:05:31.860000 --> 0:05:37.360000
 and these two keywords are very important
 planning and coordination of

0:05:37.360000 --> 0:05:42.260000
 all activities related to security incidents
 now if you remember in one

0:05:42.260000 --> 0:05:48.680000
 of the earlier videos I actually utilized
 a diagram which will go through

0:05:48.680000 --> 0:05:56.600000
 in this video that mentioned a particular
 role or demarcation that had

0:05:56.600000 --> 0:06:04.200000
 to do or that had to deal with incident
 response essentially managing

0:06:04.200000 --> 0:06:10.760000
 the incident response process right
 and that is in essence what incident

0:06:10.760000 --> 0:06:16.740000
 handling is right so think of the
 role IR coordinator you know who

0:06:16.740000 --> 0:06:21.020000
 is essentially that is a role but the
 responsibility is to manage that

0:06:21.020000 --> 0:06:26.340000
 entire incident response process so
 incident handling can be seen as a

0:06:26.340000 --> 0:06:32.840000
 process that refers to that you know managing
 that entire incident response

0:06:32.840000 --> 0:06:36.820000
 process I know that sounds a little
 bit confusing and don't worry it'll

0:06:36.820000 --> 0:06:40.280000
 make sense at the end with the reference
 that I'm going to give you so

0:06:40.280000 --> 0:06:47.180000
 incident response in a company that
 you know users or defines and uses

0:06:47.180000 --> 0:06:51.900000
 incident handling correctly in terms
 of it being sort of all-encompassing

0:06:51.900000 --> 0:06:57.560000
 and inclusive of incident response which
 should be a subset of incident

0:06:57.560000 --> 0:07:03.680000
 handling in incident response is a subset
 of incident handling which means

0:07:03.680000 --> 0:07:11.520000
 it falls incident response falls under
 incident handling which in this

0:07:11.520000 --> 0:07:17.400000
 context focuses on the actions taken
 to mitigate and resolve the incident

0:07:17.400000 --> 0:07:22.320000
 after detection what that means is that
 incident handling sort of deals

0:07:22.320000 --> 0:07:27.780000
 with everything before an incident if
 that makes sense and all the stuff

0:07:27.780000 --> 0:07:32.220000
 that comes after whereas the incident
 response team and process deals

0:07:32.220000 --> 0:07:37.080000
 with you know when an incident comes
 in or when there's been an escalation

0:07:37.080000 --> 0:07:43.060000
 to an incident responder and they are
 essentially limited to you know

0:07:43.060000 --> 0:07:48.280000
 containment eradication mitigation all
 of that stuff but nothing before

0:07:48.280000 --> 0:07:53.060000
 that hopefully that makes sense so what
 are the key differences between

0:07:53.060000 --> 0:07:59.900000
 incident handling and response and have
 some aspects or key differentiation

0:07:59.900000 --> 0:08:04.720000
 criteria so we have the scope so in
 the case of incident handling it's

0:08:04.720000 --> 0:08:09.140000
 usually broad right if it is defined
 in a company where they say that

0:08:09.140000 --> 0:08:13.020000
 we have an incident handling process
 it's usually broad that includes

0:08:13.020000 --> 0:08:18.940000
 planning detection response recovery
 and of course improvement incident

0:08:18.940000 --> 0:08:24.240000
 response however is narrow and is primarily
 focused on detection response

0:08:24.240000 --> 0:08:27.800000
 containment and recovery so I hope you
 can see what the differences are

0:08:27.800000 --> 0:08:32.900000
 they're very minimal but the only reason
 why I'm differentiating it for

0:08:32.900000 --> 0:08:38.360000
 you is because again you may
 come into situations where these

0:08:38.360000 --> 0:08:43.060000
 two terms are not used to mean the same
 thing or interchangeably but actually

0:08:43.060000 --> 0:08:48.040000
 represent in the case of incident handling
 a larger process and incident

0:08:48.040000 --> 0:08:51.760000
 response is seen as a subset of that
 that's the only reason why I'm making

0:08:51.760000 --> 0:08:56.260000
 this video is to clarify it for you right
 now so that you don't get confused

0:08:56.260000 --> 0:09:00.900000
 in the future and you're able to actually
 tell okay they that person is

0:09:00.900000 --> 0:09:05.280000
 referring to incident response when
 they say incident handling and this

0:09:05.280000 --> 0:09:11.440000
 organization actually you know has treats
 incident response as a subset

0:09:11.440000 --> 0:09:17.220000
 of incident handling in any case moving
 on to the next comparison point

0:09:17.220000 --> 0:09:20.980000
 which is the emphasis what's the emphasis
 of incident handling preparation

0:09:20.980000 --> 0:09:26.860000
 coordination that's the keyword and
 overall management that's that's the

0:09:26.860000 --> 0:09:33.320000
 absolute that's the crescendo of that
 point management of incidents what's

0:09:33.320000 --> 0:09:39.500000
 the emphasis of incident response
 tactical response and remediation

0:09:39.500000 --> 0:09:44.560000
 of incidents what's the goal of incident
 handling to build a strong foundation

0:09:44.560000 --> 0:09:49.180000
 for handling incidents effectively what's
 the goal of incident response

0:09:49.180000 --> 0:09:54.580000
 rapidly responding to and mitigating
 the impact of incidents what are

0:09:54.580000 --> 0:09:58.740000
 the activities involved in incident handling
 developing policies procedures

0:09:58.740000 --> 0:10:04.060000
 training preparation and incident management
 what's the activities in incident

0:10:04.060000 --> 0:10:08.420000
 response investigation containment
 eradication recovery and forensics

0:10:08.420000 --> 0:10:13.020000
 and now you can start to see that they
 really are you know two different

0:10:13.020000 --> 0:10:18.960000
 things very closely linked in fact you
 know inextricably linked but you

0:10:18.960000 --> 0:10:21.800000
 know they're referring to two different
 things really and this is very

0:10:21.800000 --> 0:10:26.180000
 important in any case what's the duration
 of incident handling it's obviously

0:10:26.180000 --> 0:10:30.780000
 because it's focused on the process
 and management of incident is going

0:10:30.780000 --> 0:10:36.300000
 to be ongoing what's the duration of
 incident response well in this case

0:10:36.300000 --> 0:10:40.600000
 it's going to be event driven which
 means it's only initiated it only

0:10:40.600000 --> 0:10:45.040000
 comes into play when an incident occurs
 that's when incident response

0:10:45.040000 --> 0:10:49.320000
 comes into play and it's there in the
 name what's uh and then we have

0:10:49.320000 --> 0:10:55.080000
 the responsibility so who is responsible
 for incident handling well incident

0:10:55.080000 --> 0:11:00.240000
 handling is typically overseen by the
 incident management team the IMT

0:11:00.240000 --> 0:11:05.100000
 as it's known and whenever you see a
 company with an IMT that means that

0:11:05.100000 --> 0:11:12.040000
 structurally they they uh they treat
 incident response as a subset or

0:11:12.040000 --> 0:11:17.040000
 a part of a larger process called incident
 handling this is absolutely

0:11:17.040000 --> 0:11:23.020000
 important so continuing on incident
 handling is typically overseen by

0:11:23.020000 --> 0:11:27.560000
 the IMT which may include SOC managers
 incident coordinators remember

0:11:27.560000 --> 0:11:31.360000
 that role it was in that diagram we'll
 get to that in the next slide and

0:11:31.360000 --> 0:11:36.660000
 compliance or policy specialists and you
 know the responsibility for incident

0:11:36.660000 --> 0:11:40.600000
 response incident response is carried
 out by the incident response team

0:11:40.600000 --> 0:11:50.480000
 IRT or CSIRT whatever you want to call
 it or SOC analysts so now you can

0:11:50.480000 --> 0:11:54.300000
 sort of see the difference now again
 you might be thinking yourself well

0:11:54.300000 --> 0:11:58.440000
 no one uses the phrase or the term
 incident handling anymore and you're

0:11:58.440000 --> 0:12:03.460000
 right to a certain extent the popular
 consensus uh or it's very common

0:12:03.460000 --> 0:12:07.980000
 to see incident response used over incident
 handling and that's fine but

0:12:07.980000 --> 0:12:12.480000
 it's very important for you to know
 uh you know when you're dealing with

0:12:12.480000 --> 0:12:17.700000
 an organization or a SOC that actually
 treats them differently whereby

0:12:17.700000 --> 0:12:21.920000
 incident handling is sort of a larger
 process that is really to do with

0:12:21.920000 --> 0:12:30.040000
 managing uh the um you know the process
 of um essentially uh management

0:12:30.040000 --> 0:12:35.300000
 of incidents and then incident response
 falls under that so very very

0:12:35.300000 --> 0:12:38.720000
 important now this was the diagram I
 was referring to so if you remember

0:12:38.720000 --> 0:12:44.940000
 I added this role here called IR coordinator
 and it sort of encompassed

0:12:44.940000 --> 0:12:49.760000
 the uh really the SOC analysts and
 you know the incident response team

0:12:49.760000 --> 0:12:53.580000
 for all intents and purposes and this is
 what incident handling is referring

0:12:53.580000 --> 0:12:59.500000
 to it's not referring to uh incident
 response as a process um it's really

0:12:59.500000 --> 0:13:07.360000
 referring to the management of the team
 um as well as the processes involved

0:13:07.360000 --> 0:13:14.700000
 in incident response or and of that
 incident response is a subset or a

0:13:14.700000 --> 0:13:20.180000
 subcategory it's a major subset or
 a major uh subcategory but incident

0:13:20.180000 --> 0:13:24.520000
 handling refers to just management of
 that entire process of dealing with

0:13:24.520000 --> 0:13:29.260000
 incidents and the reason that is done
 as I've already explained is fairly

0:13:29.260000 --> 0:13:34.400000
 obvious at this point so to end this
 video um I'm now going to confuse

0:13:34.400000 --> 0:13:42.500000
 you even more by sort of providing proof
 of uh the there's really no consensus

0:13:42.500000 --> 0:13:49.040000
 of you know um on what term is the correct
 term to use and this is a an

0:13:49.040000 --> 0:13:56.040000
 excerpt or a quote directly from the MITRE
 um publication called 11 strategies

0:13:56.040000 --> 0:14:00.440000
 of a world class cybersecurity operations
 center this is by the MITRE

0:14:00.440000 --> 0:14:04.540000
 Corporation there's a PDF about 500 pages
 I've added a link to the slides

0:14:04.540000 --> 0:14:09.720000
 here please go through that PDF you
 don't have to read it all just go

0:14:09.720000 --> 0:14:14.120000
 through it and you can actually get
 to this particular quote but this

0:14:14.120000 --> 0:14:19.200000
 is how it reads generally the terms incident
 handling and incident response

0:14:19.200000 --> 0:14:24.640000
 are inconsistently used throughout SOC
 community so right there I've just

0:14:24.640000 --> 0:14:30.020000
 validated what I've said um and I actually
 added this reference slide

0:14:30.020000 --> 0:14:34.620000
 towards the end of me developing this
 slide deck uh you know having said

0:14:34.620000 --> 0:14:39.380000
 what I'd already said because I'm aware
 of this uh inconsistency as it

0:14:39.380000 --> 0:14:43.900000
 were in any case let's proceed on in
 some circles incident handling is

0:14:43.900000 --> 0:14:48.080000
 considered a broader term than incident
 response and that's why I made

0:14:48.080000 --> 0:14:52.800000
 this video because when you get into
 those circles or into a SOC that

0:14:52.800000 --> 0:14:58.380000
 uh considers incident handling a broader
 term then you need to understand

0:14:58.380000 --> 0:15:04.340000
 why it is considered a broader term
 and where um and how it compares to

0:15:04.340000 --> 0:15:09.100000
 incident response in any case moving on
 suggesting it encompasses tracking

0:15:09.100000 --> 0:15:14.680000
 and reporting while incident response
 is specific to responding to the

0:15:14.680000 --> 0:15:19.860000
 incident itself although many SOCs
 call the function incident response

0:15:19.860000 --> 0:15:24.260000
 and that is true incident response is
 sort of the popular term and include

0:15:24.260000 --> 0:15:30.660000
 tracking and report writing in the function
 uh you know I just so I just

0:15:30.660000 --> 0:15:34.780000
 wanted to give you this excerpt or
 quote to sort of show you that it's

0:15:34.780000 --> 0:15:41.660000
 not just me or you that is confused uh
 you know you just uh it's something

0:15:41.660000 --> 0:15:45.340000
 that is very inconsistent it's not
 been really defined it all depends

0:15:45.340000 --> 0:15:49.900000
 on a plethora of factors what country
 you're in uh you know the maturity

0:15:49.900000 --> 0:15:55.060000
 of the organization all of that stuff
 in any case the reason I made this

0:15:55.060000 --> 0:15:59.740000
 video was to provide you with the info
 needed to remove that confusion

0:15:59.740000 --> 0:16:04.060000
 when you get into circles that call
 it incident handling so you actually

0:16:04.060000 --> 0:16:08.760000
 understand why they have these two separate
 but linked things now in the

0:16:08.760000 --> 0:16:12.660000
 earlier videos when I was explaining
 the incident response life cycle

0:16:12.660000 --> 0:16:18.140000
 or workflows you can see that I included
 things like um you know tracking

0:16:18.140000 --> 0:16:22.980000
 and report writing because that's generally
 speaking how it's seen so

0:16:22.980000 --> 0:16:28.160000
 in uh at least based on what I've seen
 um a lot of companies nowadays

0:16:28.160000 --> 0:16:32.460000
 just include those you know the management
 process and the tracking report

0:16:32.460000 --> 0:16:36.680000
 writing just you know as part of the
 incident response process but you

0:16:36.680000 --> 0:16:40.740000
 may still run into companies organizations
 that again have incident handling

0:16:40.740000 --> 0:16:46.880000
 that then has incident response as sort
 of a subset um you know of incident

0:16:46.880000 --> 0:16:51.360000
 handling in any case you know I know I've
 sort of uh repeated myself multiple

0:16:51.360000 --> 0:16:55.000000
 times but this is very very important
 because you can get really confused

0:16:55.000000 --> 0:16:59.460000
 when you see an article or a paper called
 incident handling and like what's

0:16:59.460000 --> 0:17:03.820000
 that is that even incident response
 and the answer to that is yes it's

0:17:03.820000 --> 0:17:08.440000
 just you know just how things are categorized
 so hopefully that clarified

0:17:08.440000 --> 0:17:12.100000
 to answer that question for you maybe
 a bit too late in the course but

0:17:12.100000 --> 0:17:15.920000
 there we are um so with that being
 said that's going to be it for this

