...

This document provides an overview of the Armor incident response plan, which has been established to swiftly respond to any information security issue, eliminate threats, evaluate risks, assist in remediation efforts, and support continual process improvement. Armor will follow this Incident Response Plan (IRP) and do so within the Service Level Agreement (SLA). The target audience for this document is Armor’s customer members responsible for responding to and managing incidents impacting your environment.

PROCESS OUTLINE

...

Upon declaration of an incident, escalation to the incident response team members with scheduled availability will be initiated. Every effort must be made to ensure all team members can demonstrate proficiency in each role. The figure below depicts the IRT organizational relationships during an incident, showing the process and information flow along with the management hierarchy.

[Figure: Incident Response Team (IRT) Structure]

...

Armor Incident Response Process

[Figure: Incident Response Process]

...

1. Detection and Identification

  • During this phase, Armor’s systems and human analysts monitor for alerts and anomalies generated by the SIEM and analytics planes deployed as part of the solution stack.
  • When malicious activity is detected, Armor will review the context and enrichment data to identify the attack vector and other associated indicators.
  • At this point an incident is created and automatically assigned a priority based on the rule that triggered. As analysts investigate and validate, the severity may be re-assigned to the appropriate level based on the impacts defined above.

...

2. Investigation

  • The incident is assigned to one or more incident responders who will conduct this phase of incident response.
  • An incident may consist of a single critical event, or a series of correlated events that must be investigated.
  • The investigation and detection process is a coordinated effort between your incident response team and the Armor incident response team. It may be iterative, with both teams working collaboratively to assist, guide, provide feedback, and support each other until the threat is terminated.
  • The goal of the investigation phase is to determine the scope and potential cause of the incident.

...

3. Containment and Mitigation

  • Once the attack vector(s) and probable cause(s) have been determined in the preceding steps, Armor will work with your teams to provide steps for you, your teams, or your vendors to implement containment and mitigation measures.
  • Containment measures may include isolation of a host, system, or application. Mitigation measures may include blocking specific traffic or IPs, or disabling processes and functionality, until remediation can take place to correct the behavior or activity.

...

4. Remediation and Recovery

  • Remediation measures will be recommended by the SOC and implemented by the client or the client’s designated service provider.
  • Remediation measures may include repair, modification, patching, upgrading, restoration of backup, or any other requirements to bring the system or asset back into functional working parameters.
  • Recovery may include the running of playbooks or other procedures to ensure all traces of the incident are eradicated from the environment.
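The four phases above describe one workflow: alerts from the SIEM are correlated into an incident, a priority is assigned automatically from the rule that fired, analysts may re-assign the severity during investigation, and the incident then moves through containment and remediation. The following Python script is an added example that models that workflow as a small incident tracker; it is not Armor's code. The rule IDs, the rule-to-priority table, the phase names and the sample alert lines are all constructed for illustration, and the phase-ordering and "re-assess only during investigation" constraints are assumptions about how such a tracker should behave, not statements from the plan.

```python
"""Toy incident lifecycle tracker for the four-phase process described above.

Added example, not Armor's code. Rule names, priorities, sample alerts and the
phase-order rules are constructed assumptions for illustration only.
"""
import json
from dataclasses import dataclass, field

# Constructed mapping of SIEM rule IDs to the priority assigned automatically
# when that rule triggers (assumption: one fixed initial priority per rule).
RULE_PRIORITY = {
    "RULE-BRUTE-FORCE": "medium",
    "RULE-C2-BEACON": "critical",
    "RULE-PRIV-ESC": "high",
}
SEVERITY_LEVELS = ("low", "medium", "high", "critical")
PHASES = ("detection", "investigation", "containment", "remediation")

# Constructed sample alerts, one JSON object per line, as a SIEM might export.
SAMPLE_ALERTS = """\
{"id": "a1", "rule": "RULE-BRUTE-FORCE", "host": "web-01", "src_ip": "198.51.100.7"}
{"id": "a2", "rule": "RULE-BRUTE-FORCE", "host": "web-01", "src_ip": "198.51.100.7"}
{"id": "a3", "rule": "RULE-C2-BEACON", "host": "db-02", "src_ip": "203.0.113.9"}
"""


@dataclass
class Incident:
    key: str                      # rule and host that the correlated events share
    alerts: list                  # the events folded into this incident
    severity: str                 # starts as the triggering rule's priority
    phase: str = "detection"
    indicators: set = field(default_factory=set)   # e.g. source IPs seen
    history: list = field(default_factory=list)    # audit trail of every change


def parse_alerts(text):
    """Parse newline-delimited JSON alerts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate(alerts):
    """Phase 1: fold alerts sharing rule and host into one incident each.

    A single critical event or a series of correlated events both become one
    incident; the priority comes from the rule, defaulting to 'low'.
    """
    incidents = {}
    for alert in alerts:
        key = f"{alert['rule']}@{alert['host']}"
        inc = incidents.get(key)
        if inc is None:
            inc = Incident(key=key, alerts=[],
                           severity=RULE_PRIORITY.get(alert["rule"], "low"))
            inc.history.append(("created", inc.severity))
            incidents[key] = inc
        inc.alerts.append(alert)
        inc.indicators.add(alert["src_ip"])
    return incidents


def advance(inc, next_phase, note):
    """Move to the immediately following phase; skipping a phase is an error."""
    if PHASES.index(next_phase) != PHASES.index(inc.phase) + 1:
        raise ValueError(f"cannot move from {inc.phase} to {next_phase}")
    inc.phase = next_phase
    inc.history.append((next_phase, note))


def reassess(inc, severity, reason):
    """Phase 2: analyst override of the automatic priority, with a recorded reason."""
    if inc.phase != "investigation":
        raise ValueError("severity is re-assigned during investigation only")
    if severity not in SEVERITY_LEVELS:
        raise ValueError(f"unknown severity {severity}")
    inc.history.append(("severity", inc.severity, severity, reason))
    inc.severity = severity


def run_example():
    """Walk the constructed alerts through all four phases and return them."""
    incidents = correlate(parse_alerts(SAMPLE_ALERTS))
    for inc in incidents.values():
        advance(inc, "investigation", "assigned to responder")
    brute = incidents["RULE-BRUTE-FORCE@web-01"]
    # Validation showed failed logins only, so the analyst lowers the severity.
    reassess(brute, "low", "failed logins only; no successful authentication")
    beacon = incidents["RULE-C2-BEACON@db-02"]
    advance(beacon, "containment", "host isolated; beacon destination blocked")
    advance(beacon, "remediation", "rebuild from known-good image recommended")
    return incidents


if __name__ == "__main__":
    for inc in run_example().values():
        print(inc.key, inc.severity, inc.phase, sorted(inc.indicators))
        for entry in inc.history:
            print("   ", entry)
```

The `history` list is the part worth keeping in a real tracker: every automatic priority, analyst re-assessment and phase transition is recorded with its reason, which is what an after-action review and the "continual process improvement" goal of the plan depend on.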

...