Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Armor takes steps to address foreseeable threats to your data and systems. Any issues that arise affecting your protected environment, applications, or data are our highest priority. Armor incident response is a key aspect of Armor’s overall security and privacy program. Armor has established an incident response capability that can be relied upon during such issues with a goal of reducing impact and restoring normal status while maintaining service quality and compliance. Once the solution is fully deployed and alerts begin to be emitted that require investigation, it is Armor’s responsibility to triage and investigate those alerts and to provide you a guided response.

Armor Defense Managed Detection and Response connects the logs and telemetry data from all sources and correlates them, giving you a complete picture from which you can identify threats.

This document provides an overview of Armor incident response plan that has been established to swiftly respond to any information security issues, eliminate threats, evaluate risks, assist in remediation efforts and for continual process improvement. Armor will follow this Incident Response Plan (IRP) and do so within the Service Level Agreement (SLA) The target audience for this document is Armor’s customer members, responsible for responding and managing incidents impacting your environment.

PROCESS OUTLINE

...

How Armor Protects You

Armor enables you to own your valuable data and configurations while leaving the management to us. Armor provides a managed, cloud-native, and DevOps-centric solution that provides detection and correlation capabilities across all aspects of your operation. Armor works with you to ensure your environment is secure and compliant using a shared responsibility model. This model allows you to focus on the aspects of the stack that you are uniquely qualified or positioned to maintain and rely on Armor to provide the reference architecture and guidance stemming from its expertise. \ \ To learn more about MDR Shared Responsibilities, see Managed Detection and Response(MDR) Shared Responsibility Model

...

Upon declaration of an incident, escalation to incident response team members with scheduled availability will be initiated. Every effort must be made to ensure all team members can demonstrate proficiency in each role. The figure below depicts the IRT organizational relationship during an incident, denoting process, and information flow along with management hierarchy.

Incident Response Team (IRT) StructureImage Modified

...

Incident Response Team (IRT) Structure

Depending on the incident, the relevant roles will be assigned according to skill requirement and availability of Triage Analysts and Incident Handlers. As the incident response team checks in, roles will be assigned according to procedure outlined in the Incident Response Team Escalation Procedure. The Information Security Management team will ensure the incident response plan and procedures are maintained and followed. For every incident there must be assigned an Incident Commander. In addition, depending on the type of incident and escalation, the senior leadership from Armor and your organization may be activated, to provide support for maintaining the staffing capacity to effectively and guidance for handling incident response scenarios, and to evangelize and support the incident response plan. Armor requests at least one member of senior leadership should be available for making hard decisions during incident response should the need arise. All aspects of the incident are documented by scribe and custody of all evidence are captured and retained as per Armor policies and procedures.

...

Armor Incident Response Process

Incident Response ProcessImage Modified

...

Incident Response Process

  1. ### Detection and Identification
  • During this phase, Armor’s systems and human analysts are monitoring for alerts and anomalies generated from the SIEM and analytics planes that have been deployed as part of the solution stack.
  • When malicious activity is detected, Armor will review the context and enrichment data to identify the attack vector and other associated indicators.
  • At this point an incident is created and assigned a priority automatically based on the rule triggered. As analysts investigate and validate, the severity may be re-assigned to the appropriate level based on impacts defined above.
  1. ### Investigation
  • The incident is assigned to one or more incident responders who will conduct this phase of incident response.
  • An incident may consist of a single critical event, or a series of correlated events that must be investigated.
  • In coordinated efforts between your incident response team and the Armor incident response team, the investigation and detection process may have an iterative approach where both teams are working collaboratively to assist, guide, provide feedback, and support each other until the threat is terminated.
  • The goal of the investigation phase is to determine the scope and potential cause of the incident.
  1. ### Containment and Mitigation
  • Upon determination of the attack vector(s) and probable cause(s) in the preceding steps, Armor will work with your teams to provide steps to you and your teams or vendors to implement containment and mitigation measures.
  • Containment measures may include isolation of a host, system, or application. Mitigation measures may include the blocking of specific traffic, IPs, or disabling of processes and functionality until remediation can take place to correct the behavior or activity.
  1. ### Remediation and Recovery
  • Remediation measures will be recommended by the SOC and implemented by the client or the client’s designated service provider.
  • Remediation measures may include repair, modification, patching, upgrading, restoration of backup, or any other requirements to bring the system or asset back into functional working parameters.
  • Recovery may include the running of playbooks or other procedures to ensure all traces of the incident are eradicated from the environment.

In instances where the remediation effort relies largely upon the customer’s team(s), Armor Security’s incident response team will be available to assist, guide, provide feedback, and support as needed. If it has been determined that a threat actor dwelled on the asset or system, and remediation has been completed, a full analysis report and timeline of the incident will be created providing the root cause and any suggestions that may help further secure the environment from such incidents moving forward.

...

As detailed in the sections above, effective response to incidents requires coordination and collaboration from all parties involved. There are a few steps that you can take to ensure that you’re prepared to satisfy the portions of incident response for which you’re responsible (as described in our Shared Responsibility Model):

  1. Public Verification of GPG Keys
  • Throughout the incident response process, sensitive information is often required to be exchanged between collaborative teams.
  • Because of the elevated alert levels during incident response, identity verification of those participating in the response to the incident is critical.
  • Using tools like Keybase, sharing your public key with Armor via the management console, or other forms of key exchange and verification are good ways of ensuring that the response phase isn’t delayed by identification verification processes that are sometimes significantly time consuming.
  1. Collaboration Channel Sharing
  • Armor collaborates with customer primarily via ticketing platform, for communication, responding to incident and for periodic updates. Depending on the type and severity of the incident, Armor may require collaborating with your team and SMEs via chat/video/voice platforms. Armor recommends real-time collaboration tools such as Slack or Microsoft Teams.
  • Ensure that the appropriate members of your team have the necessary permissions to accept invitations to join collaborative channels. Frequently other users (such as SMEs for a given set of affected devices) must be consulted to provide details about certain aspects of a system or reference architecture. Your team should have the necessary permissions to invite these additional people to the channel to participate in the response activities.
  1. Ensure Asset Inventory is Current
  • It is also very important that the asset inventory and classification is as current as possible.
  • This will aid in measuring the footprint and blast radius of a specific attack and will improve the overall response time and accuracy.
  1. Periodic Review
  • You must regularly review your incident response process to ensure that any weaknesses or gaps in the process are addressed.

Continual Improvement

At Armor, we strive to learn from every incident and implement preventative measures to avoid future incidents. The actionable insights from incident analysis enable us to enhance our tools, training and processes, overall security and privacy program, policies and procedures and response efforts.

...