The RSA Incident Handling and Response classroom-based learning prepares a security analyst to take on incident handling responsibilities in a forward-thinking Security Operations Center (SOC).
This classroom-based learning provides a thorough overview of tasks, processes, procedures, escalation workflows and tools used by a Security Analyst/Incident Handler. Through use cases, examples, and hands-on exercises, participants investigate a variety of critical incident response scenarios. The instructional material emphasizes decision-making and prioritization with the goal of teaching the students how to make an assessment in a short amount of time using security monitoring instrumentation, contextual analysis and correlation to indicators of network exploitation. Students develop a broader understanding of the role the SOC fulfills in the larger organization, including issues associated with incident response and assessing organizational risk.
Security Analysts with 6-12 months of experience working in a Security Operations Center, Network Operation Center (NOC), Critical Incident Response Team (CIRT) or similar function.
Students should have completed the following courses (or have equivalent knowledge) prior to taking this training:
- 6-12 months as a Level I Security Analyst
Upon successful completion of this course, participants should be able to:
- Outline sustainable and repeatable tasks, processes, procedures, escalation points and workflows of the Security Analyst/Incident Handler.
- Ingest daily intelligence reports and previous shift logs.
- Recognize the legal and corporate investigative responsibilities associated with incident response.
- Participate in risk analysis for central and distributed networks, including the impact of cloud-based infrastructures as part of the SOC.
- Review, triage, investigate, and analyze escalated events and incidents from other analysts or IS groups during shift.
- Monitor security events using all SOC data sources.
- Investigate all incidents aligned to proper process, procedure and escalation points.
- Prioritize incident response relative to threat severity, business context and activity volume.
- Recommend, develop, and implement remediation procedures.
- Create an incident report with appropriate handoffs and closure.
- Coordinate, de-conflict and align event and incident communication.
- Support root cause analysis.
- Prepare communication for executives and enterprise stakeholders.
The Tools and Tasks of an Incident Handler
- List the tasks, processes, procedures and escalation points of a level two security analyst.
- Identify the tools used by the level two security analyst.
- Provide examples of the types of incidents handled by the level two security analyst.
- Ingest daily intelligence reports and previous shift logs for efficient operations handoffs, escalations and transitions.
Participating in Regulatory Compliance
- Define security compliance.
- Describe the types of compliance standards.
- Outline the steps to become compliant with a standard.
- Distinguish a security program from a compliance program.
- Outline what happens during a compliance audit.
- Identify the responsibilities of a security analyst for a security audit.
Contributing to Risk Assessment and Mitigation
- Monitor security controls to mitigate risk.
- Participate in risk analysis for central and distributed networks.
- List organizational assets protected by the SOC.
- Assess vulnerabilities of assets.
Investigating an Incident
- Investigate all escalated incidents.
- Summarize the steps to create a malware analysis environment.
- Explore the tools included in the course’s malware analysis environment.
Responding to an Incident
- Escalate incident as required.
- Prioritize incident response.
Recommending Remediation
- Recommend remediation to operations.
- Make recommendations to the appropriate department for each incident.
Addressing After-Action Items
- Create an incident report.
- Derive and incorporate threat intelligence from the incident.
- Root cause analysis.
Preparing Executive-level Communications
- Prepare a brief to senior management.
- Summarize the incident to Operations.
Industry tools used in this course include: