8/14/2019 Halock - IR and Forensics
http://slidepdf.com/reader/full/halock-ir-and-forensics 1/2
Pricing:
Hard drive acquisition: typically $500-$1000/drive
Hard drive analysis: typically $1000-$2500/drive
Forensic analysis: $300/hr
eDiscovery: $300/hr
Expert court testimony: $450/hr
1-day first responder training: $1500/student
Halock Security Labs provides comprehensive and discreet incident response and forensic analysis. Our examiners are experienced with handling intrusions, criminal investigations and sensitive internal matters. Involving Halock early in the situation can help you decide what type of response is best for your situation.
Solution Overview
Professional Services Included:
Emergency phone consulting
Forensic strategy consulting
First responder training
Live incident response
Forensic examination
Legal testimony
eDiscovery examination
What is a First Responder?
The first responder, in the sense of incident response, is the first trained individual to assess the situation and/or preserve evidence. A trained first responder can limit damage while giving law enforcement or staff full access to data that could locate the source of the attack. First responder training helps prepare everyday administrators to identify intrusions and perform a basic response to them. Typical classes run 1 day.
Incident Response & Forensic Analysis
Live Incident Response:
Responding to sensitive incidents requires specialized skills. Halock's Certified Forensic Analysts are trained and experienced to deal with security breaches, unexplained system failures, policy violations, information leaks, fraud, electronic threats, Web site defacement, monitoring alerts and other suspicious activity that can be traced electronically. The Halock Team will know when and how to work with law enforcement, as well as understand the needs of the organization's legal counsel. Working with professional incident handlers can help protect the organization's interests and minimize liabilities.
INCIDENT RESPONSE HOTLINE
800.925.0559
847.221.0200 halock.com
1834 Walden Office Square, Suite 150 * Schaumburg, IL 60173 * 847.221.0200 * www.halock.com
Security Operations Division
Why Incident Response?
Intrusion Investigation
Electronic Theft
Information Leaks
Website Defacement
Fraud Investigation
Electronic Threats or Harassment
Corporate Policy Violation Investigation
Why Forensic Analysis?
Warranted by an incident response investigation
Independent verification of a legal opponent's forensic findings
Proof of policy violation, such as doing side work on company time or prohibited personal use of a work computer
eDiscovery and other civil or criminal legal matters
Phases of Incident Response
PHASE I: Preparation and Training
Establish baseline security levels
Assign roles and responsibilities
Train personnel
Perform day-to-day monitoring

PHASE II: Identification
Suspected incident detected and IRT (Incident Response Team) first responder notified
First responder assessment: determine type of threat(s), determine affected resources, eliminate false positives
Incident response (IR) manager notified; IR manager assessment; decide appropriate response
Notify IRT and reserve resources; brief team; develop action plan

PHASE III: Containment
Monitor and/or stop hostile activity
Isolate affected resource(s)
Ensure integrity of data
Ensure availability of critical services

PHASE IV: Eradicate
Perform incident response, with responsibilities divided by role:
Line Administrators: handling, recovery measures, further actions
Data Center Managers: handling, support investigation, recovery measures
Incident Response Team: investigate, analysis, gather information
Management: risk management, lessons learned

PHASE V: Recovery
Patch
Alert
Prosecute
HR actions
Return to normal operations

PHASE VI: Report and Follow-Up
Document incident information and brief as necessary
Document lessons learned
Improve policies, guidelines and procedures
Improve infrastructure as warranted