The best Security, Incident Response, Forensic Lab

(@Anonymous)
Topic starter  

I have the opportunity to recommend a good Security, Incident Response, and Forensic Lab configuration.

I am aware the three are not the same, and require different things.

The reality of business is that I will not be able to separate the three out, as I have limited human resources.

General description - 20,000 workstations (mostly Windows XP, some Vista, some Linux, some Un*x), 200 companies, 4 continents - think of loose federation.

How would you set it up, infrastructure, command center, organization, etc?

What tools would you get for each of the three areas? Any overlap, compatibility requirements, needs?

What resources would you need, want, like?

P.S. I have till Friday to come up with my wishlist. :D


   
hogfly
(@hogfly)
Reputable Member
Joined: 21 years ago
Posts: 287
 

You want this designed by Friday? I hope you're not starting just now.

Unfortunately, you won't get an answer that's even halfway worthwhile without providing a better overview of the organization(s) involved. I'll consult if you're willing to pay 😉


   
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

What a lovely position to be in!

How often are you expecting to deal with "incidents"? It may be more economical, if they are few and far between, to run a permanent base in one country and buy a lot of portable field kit… Go out, image and then bring it back to a central base in your lead country for analysis.

The cost of running a lab and employing staff in 4 continents would probably easily cover the cost of flying staff and kit out several times over…

If you can give a few more details (and employ staff in Europe, preferably England, but my wife likes Paris, at exorbitantly high rates) we may be able to help more :-P …


   
(@Anonymous)
Topic starter  

Yes, I have been working on the pieces-parts of what I would like, want, and need, of course.

As for consulting, I would be happy to take you on, but we only pay in Vatican currency. 😉

I agree that having a full-fledged IR team with appropriate forensic tools on each continent would be very costly.

Although London is tempting, we are a US based firm.

I might have the opportunity to present my proposal - not necessarily get it. Most likely, I will just barely get my continuing education in. :( Forget about tools and proper labs.

Open Source is an excellent thing, but once the finance department gets wind of it - any time something extraordinary is needed they suggest we go get an Open Source version… :cry:


   