Comments on: The Three "R"s of Incident Response: Respond, Recover and (Public) Relations http://www.breachbytes.com/2008/02/28/the-three-rs-of-incident-response-respond-recover-and-public-relations/ Network Forensics | Network Monitoring | Incident Response Sat, 22 Nov 2008 20:25:25 +0000 http://wordpress.org/?v=2.5.1 By: Stephen Smoogen http://www.breachbytes.com/2008/02/28/the-three-rs-of-incident-response-respond-recover-and-public-relations/#comment-211 Stephen Smoogen Sat, 01 Mar 2008 00:15:10 +0000 http://www.breachbytes.com/2008/02/28/the-three-rs-of-incident-response-respond-recover-and-public-relations/#comment-211 Yes I have to say public relations is one of those organizations you really have to get involved quickly.. and they need to be trained on how to handle it in a proactive matter. Like many other organizations, PR groups have a tendancy to want to hush it up and only answer when it has been needled out. That is usually too late into the situation and makes everything look worse. I wonder if the problem isn't really an IR4 issue. The 4th item that gets missed a lot is Renewal. What was learned from the incident? How can we respond better? This is one of those things that we always say we will get to, but rarely do so. There were a lot of times where IR teams are doing the same thing over and over because no one ever took the time to say "Why are all these machines getting infected? How can we lower that number? How can we measure that we are improving?" Its usually only after too much money has been lost that the core problems might be looked at.. while if an organization had looked at it on a month-by-month role they would have lowered that loss by putting in proactive steps. Yes I have to say public relations is one of those organizations you really have to get involved quickly.. and they need to be trained on how to handle it in a proactive matter. Like many other organizations, PR groups have a tendancy to want to hush it up and only answer when it has been needled out. That is usually too late into the situation and makes everything look worse.

I wonder if the problem isn’t really an IR4 issue. The 4th item that gets missed a lot is Renewal. What was learned from the incident? How can we respond better? This is one of those things that we always say we will get to, but rarely do so. There were a lot of times where IR teams are doing the same thing over and over because no one ever took the time to say “Why are all these machines getting infected? How can we lower that number? How can we measure that we are improving?” Its usually only after too much money has been lost that the core problems might be looked at.. while if an organization had looked at it on a month-by-month role they would have lowered that loss by putting in proactive steps.

]]>