...
- Overview
- How Armor Protects You
- Integration
- Armor Service Levels
- Armor Incident Response
- Armor Incident Severities
- Incident Response Process
- Armor Incident Response Process
- 1. Detection and Identification
- 2. Investigation
- 3. Containment and Mitigation
- 4. Remediation and Recovery
- Retrospective
- Collaboration Scenario
- Collaboration Channels
- Incident Response Preparedness
- 1. Public Verification of GPG Keys
- 2. Collaboration Channel Sharing
- 3. Ensure Asset Inventory is Current
- 4. Periodic Review
- Continual Improvement
- Periodic Review
- Rehearsal and Exercise of Plan
- Governance, Risk and Compliance (GRC)
- Summary
...
Upon declaration of an incident, escalation to incident response team members with scheduled availability will be initiated. Every effort must be made to ensure all team members can demonstrate proficiency in each role. The figure below depicts the IRT organizational relationship during an incident, denoting process and information flow along with the management hierarchy.
Incident Response Team (IRT) Structure
...
Armor Incident Response Process
Incident Response Process
...
As detailed in the sections above, effective response to incidents requires coordination and collaboration from all parties involved. There are a few steps that you can take to ensure that you’re prepared to satisfy the portions of incident response for which you’re responsible (as described in our Shared Responsibility Model):
1. Public Verification of GPG Keys
- Throughout the incident response process, sensitive information is often required to be exchanged between collaborative teams.
- Because of the elevated alert levels during incident response, identity verification of those participating in the response to the incident is critical.
- Using tools like Keybase, sharing your public key with Armor via the management console, or other forms of key exchange and verification are good ways of ensuring that the response phase isn’t delayed by identity verification processes, which can be significantly time consuming.
2. Collaboration Channel Sharing
- Armor collaborates with customers primarily via the ticketing platform for communication, incident response, and periodic updates. Depending on the type and severity of the incident, Armor may need to collaborate with your team and SMEs via chat, video, or voice platforms. Armor recommends real-time collaboration tools such as Slack or Microsoft Teams.
- Ensure that the appropriate members of your team have the necessary permissions to accept invitations to join collaborative channels. Frequently, other users (such as SMEs for a given set of affected devices) must be consulted to provide details about certain aspects of a system or reference architecture. Your team should have the necessary permissions to invite these additional people to the channel to participate in the response activities.
3. Ensure Asset Inventory is Current
- It is also very important that the asset inventory and classification are as current as possible.
- A current inventory aids in measuring the footprint and blast radius of a specific attack and improves the overall response time and accuracy.
4. Periodic Review
- You must regularly review your incident response process to ensure that any weaknesses or gaps in the process are addressed.
...