SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Experience SANS training through course previews.
Learn MoreLet us help.
Contact usBecome a member for instant access to our free resources.
Sign UpWe're here to help.
Contact UsSecurity incidents are inevitable. While large businesses can afford security teams to prepare and respond to incidents, this expense is typically out of reach for small/mediumsized businesses (SMB). SMBs generally can't afford to have security professionals tune and care for their environments. SMBs are more likely for a cyber intrusion to have criminal intent than large companies, and they have less resources to be prepared. Eleven (11) sets of incident response documentation, taken from real-life incidents, were reviewed to determine what configurations in the investigated environment enabled or inhibited effective incident response. Thorough research into the viability of implementing these findings in SMB environments was conducted, and a series of recommendations were derived from this dataset. These recommendations are spread across five (5) key categories: contractual, documentation, logging, operational, and training. Finally, a scenario involving the compromise of a fictitious organisation has been detailed, illustrating the difference that implementing these recommendations may have on an incident response engagement. A review of the process and output shows the immense value derived from these kinds of reviews. While the nature of the original documentation sets makes it unlikely similar datasets will ever be made public, it also shows that valuable information can be sufficiently abstracted for public consumption and benefit, with value for SMBs.