Security Operations Program
Scenario: After the security team's investigation of the Petya ransomware attack, it is determined that several critical security patches were missing from the CFO's computer, which led to the infection. Furthermore, the ransomware spread across the network to other connected systems, including the servers that manage online credit card transactions and the personal records of past and present students.
Due to the nature and extent of the cyberattack, you decide to call on your computer security incident response team (CSIRT) to track down other infected systems, clean them up, and restore any lost data.
While the CSIRT responds to the threat, the chief technology officer (CTO) emails you asking for details of the tools the incident response team will be using and what other mechanisms should have been in place to detect the cyberattack.
As you are preparing a response to the CTO, the CSIRT lead comes to your office and informs you that they have evidence that someone extracted personal information of staff members and students during the ransomware attack.
You immediately contact your on-call security vendor to conduct a digital forensics investigation. As part of the communication and planning to address these issues, you decide to create some guidance.
Part 1
Using the Wk 5 Assignment Template, create a 2- to 3-page security operations program outline in which you:
Outline security operations program activities.
Select three methods to monitor events and detect suspicious activity.
Compare the relationship between security monitoring and incident response.
Part 2
Write a 1- to 2-page email response to the CFO and CTO in which you:
Select five incident response tools.
Outline event monitoring and detection, stating the purpose of each.
Explain response and recovery, and describe their importance from your current perspective.
Frame a digital forensic investigation, and explain three benefits it can provide.