Incident Management Evolution of Protection


2016-04-19


Presentation text content

Slide1

Incident Management Evolution of Protection

Implementing a Pro-Active Approach to Cybersecurity

Benjamin Stephan, Director of Incident Management

FishNet Security

Slide2

- Introduction
- Today’s Threat Landscape
- Incident Management Life Cycle
- Incident Management Framework
- Next Steps

Agenda

Statistics in this presentation provided by Ponemon Institute Annual Study on Cyber Crime Costs.

Slide3

…and they are highly motivated to take your data…
- State sponsored
- Crime syndicates
- Hacktivists

…for a number of reasons
- Financial Gain
- Industrial Espionage
- IP Theft
- Political motivation
- Botnet Services

Cybercrime has become a high stakes game…

Slide4

The top trends related to a breach:
- Negligence
- Lack of CISO leadership
- Lack of external consulting support
- First time offense
- Lost or stolen device

- Median annualized cost of cyber crime is $5.9 million per year, with a range of $1.5 million to $36.5 million each year.
  - Increase of 56% over 2010
- Average per capita cost was $284 per enterprise seat
  - Varies by size of the organization, with smaller firms incurring a greater per capita cost of $1,008 on average versus larger organizations

Threat Trends of 2011

*Results provided by Ponemon study.

Slide5

Corporate Security Posture Related to Breach Cost

*SES: Security Effectiveness Score; developed by PGP Corporation and Ponemon Institute. The higher the score, the more effective an organization is at achieving security initiatives.

Slide6

Corporate Security Posture Related to Breach Cost

*SES: Security Effectiveness Score; Developed by PGP Corporation and Ponemon Institute. The higher the score the more effective an organization is at achieving security initiatives.

Slide7

- Malicious traffic evading traditional perimeter security solutions
- Difficulty validating alerts and determining scope of incident
- Lack of endpoint visibility
- Lack of defined incident management and response processes
- Untested procedures and infrastructure
- Inability to respond to every alert
- Insufficient view of network traffic

What Are Your Challenges?

Slide8

- Difficult or impossible to truly understand and gauge risk
- Time to contain an event and return to a trusted state takes too long
- Overwhelmed with alerts
- Spend excessive time reducing false positives
- Incident response is time consuming, expensive and incomplete
- Potential loss of data
- No formalized operational procedures

What Is The Impact?

Slide9

How can you defend against the unknown?
How can your company protect its critical assets?

The Solution

Slide10

Solution: Incident Life Cycle, IMF, Incident Workflow

Slide11

Incident Management Lifecycle

Slide12

Operational
- Detect malicious traffic ‘on the wire’
- Identify symptoms of an attack via log analysis
- Confirm symptoms through automated and manual procedures
- Analyze 3rd party threat feeds
- Engage legal counsel
- Capture relevant malware artifacts

Tactical
- Validate findings against endpoint data
- Triage live systems based on symptomatic evidence
- Determine scope, uncover additional information
- Work with critical business units to determine risk potential
- Deploy targeted analytic solutions to further quantify attack profile
- Control the threat to extend investigation time

Incident Management Life Cycle

Slide13

Reaction
- Disconnect compromised systems or networks
- Cut C&C communication, kill active processes
- Escalate drastic containment procedures for authorization
- Defend sensitive and critical assets
- Engage 3rd party support as necessary
- Wipe all identified malware and related artifacts
- Schedule custom scans to mitigate secondary re-infection

Inoculation
- Update virus signatures where applicable
- Implement strong enterprise solutions
- Document findings and results
- Update policies and procedures to compensate for deficiencies
- Ensure management support of pro-active measures

Incident Management Life Cycle

Slide14

2011 has been inundated with Cyber Warfare attacks from across the globe. The attackers have become more and more aggressive and sophisticated. In an effort to assist companies in defending against this onslaught of attacks, FishNet Security has architected an Incident Management Framework (IMF). The IMF is a security framework based on the “best of breed” incident response controls outlined in many known security frameworks, such as ISO, ITIL, PCI, NIST, etc.

Incident Management Framework (IMF)

Slide15

By providing companies with a baseline framework dedicated to incident management, an entity can:
- Minimize product costs through strategic enterprise solutions
- Mitigate risk exposure through effective operational controls
- Improve staff efficiency through better understanding of cyber threats
- Bridge the “gap” between “legal” and “IT”
- Implement advanced malware countermeasures to defend the corporate network

Incident

Management

Framework (IMF)

Slide16

Communication
- Internal
  - When an incident occurs there must be defined escalation protocols to ensure the right individuals are communicated with and “kept in the loop”.
  - Reporting an event can be one of the most important initial actions. There are laws that must be considered as well as public relations issues.
- External
  - Companies must have established relationships with third party entities and law enforcement prior to an incident.

Collection
- Acquisition
  - Electronically stored information (ESI) must be collected in a forensically sound manner.
- Chain of Custody
  - Control over physical access to any collected information must be maintained at all times. Physical security controls must be implemented to ensure accurate accounting of physical access.
- Data Retention
  - Policies must be defined as to how long ESI will be stored. Failure to define policies can lead to potential spoliation issues.

Incident Management Framework (IMF)

Slide17

Analysis
- Technical
  - On the Host: suspicious hosts must be analyzed for malicious content, rogue file execution, compromise of sensitive data, etc.
  - On the Wire: data traversing the network must be collected and analyzed to determine migration of viruses, transmission of sensitive data, anomalous packets, etc.
- Operational
  - One of the key aspects of investigating an incident is determining unauthorized versus authorized access. The majority of incidents will include illegitimate use of an authorized account. Example: a help desk user account accessing HR file shares.
  - Logs play a key role in incident analysis. However, the quantity of information to be reviewed can be extremely large. A Security Information and Event Management (SIEM) system can help review the logs in a more efficient manner.

Incident Management Framework (IMF)
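The “help desk account accessing HR file shares” case from the Analysis slide, as an added example that is not part of the original presentation: a small Python check that runs file-share audit events against a role-to-share authorisation map and flags a valid account used outside its role, plus any account the directory does not know. The log line format, host name, account names, roles and share policy are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of file-share audit events; the line format, host, accounts
# and share names are all invented for this example.
SAMPLE_LOG = """\
2011-09-14T08:02:11Z fs01 FILE_ACCESS user=jdoe share=HELPDESK action=read
2011-09-14T08:05:43Z fs01 FILE_ACCESS user=jdoe share=HR action=read
2011-09-14T08:06:02Z fs01 FILE_ACCESS user=jdoe share=HR action=copy
2011-09-14T09:12:30Z fs01 FILE_ACCESS user=msmith share=HR action=read
2011-09-14T09:15:00Z fs01 FILE_ACCESS user=svc_backup share=HR action=read
2011-09-14T11:40:19Z fs01 FILE_ACCESS user=tmp_admin share=HR action=read
"""

# Constructed directory data: the role each account holds, and the roles
# authorised for each share. Anything not listed is treated as unauthorised.
ACCOUNT_ROLES = {"jdoe": "helpdesk", "msmith": "hr", "svc_backup": "backup"}
SHARE_POLICY = {"HR": {"hr", "backup"}, "HELPDESK": {"helpdesk", "backup"}}

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ FILE_ACCESS user=(?P<user>\S+) "
                     r"share=(?P<share>\S+) action=(?P<action>\S+)$")

def parse_line(line):
    # Return the event fields as a dict, or None for a line that does not parse.
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_unauthorized_access(log_text, account_roles=ACCOUNT_ROLES,
                             share_policy=SHARE_POLICY):
    # Flag a known account used outside its role, and any account the directory
    # does not know; authorised accesses (msmith, svc_backup) produce nothing.
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skipped here; in production, count these as a health metric
        role = account_roles.get(ev["user"])
        if role is None:
            findings.append({**ev, "reason": "unknown account"})
        elif role not in share_policy.get(ev["share"], set()):
            findings.append({**ev, "reason": f"role '{role}' not authorised for {ev['share']}"})
    return findings

def summarize(findings):
    # Roll findings up to one row per account so triage sees scope at a glance.
    rows = defaultdict(lambda: {"events": 0, "shares": set(), "actions": set()})
    for f in findings:
        rows[f["user"]]["events"] += 1
        rows[f["user"]]["shares"].add(f["share"])
        rows[f["user"]]["actions"].add(f["action"])
    return dict(rows)
```

On the sample log this flags jdoe’s two HR accesses (one of them a copy, which is what the containment plan later calls out as data leaving the network) and the unknown tmp_admin account, while the HR user and the backup service account are left alone.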

Slide18

Containment
- Prepare action plans for known “potential” threats.
- The plans must cite the situation or incident and then outline how the response team will react.
- Example:
  - Situation: a service account is compromised and is transferring sensitive information out of the network.
  - Reaction:
    - Capture sensitive data traversing the network
    - Identify the role of the service account
    - Reset the password for the account or disable it
    - Disconnect infected devices from the network
    - Quantify the data exfiltrated from the network
    - Work with legal regarding notification processes
    - Execute analysis procedures
    - Execute cleanup procedures

Incident Management Framework (IMF)

Slide19

Mitigation
- Remediation
  - Analyze the results of an investigation to determine what is required to clean up the results of the infection.
  - Use 3rd party providers to identify vulnerabilities and help mitigate the risk of secondary infection.
- Prevention
  - Conduct a “post mortem analysis” of all investigations.
  - Learn what went wrong and how it can be prevented in the future.
  - Create a robust and repeatable process for vulnerability management.
- Testing
  - Develop and execute regular “table top” exercises to test the company’s ability to respond to an incident.
  - Leverage hot, warm, and cold testing procedures.

Incident Management Framework (IMF)

Slide20

Legal Counsel
- Litigation Hold
  - Ensure plans are in place to disseminate, execute, and validate litigation holds.
- Request for Discovery
  - Preparing an “ESI Profile” will significantly help minimize the impact of fulfilling requests for discovery.
- Liability
  - Work with internal and external counsel to ensure:
    - Notification laws are met
    - Non-disclosure agreements are fulfilled
    - Service level agreements are accurately defined
- Immediate Response
  - Active: ensure there are accurate and up to date procedures in place to react to an incident.
  - Passive: engage third party entities to provide immediate incident response support where needed.
  - Classify sensitive data to ensure critical information is protected.

Incident Management Framework (IMF)

Slide21

Documentation
- Formal Plan
  - All companies must have a formal Incident Management program in place. The program will outline the entity’s strategy regarding incident response and prevention.
  - The plan must have full support of top level management.
- Procedures
  - There must be formal and documented procedures that outline how employees are to respond in an incident.
  - Procedures must be reviewed at least annually and kept up to date and in line with actual practices.
- Roles and Responsibilities
  - A formal emergency response team must be defined. The team must include both active players as well as key business stakeholders.

Incident Management Framework (IMF)

Slide22

Incident Management Life Cycle + Incident Management Framework = Incident Management Workflow

Incident Management Workflow

Slide24

Attack Scenarios

Slide25

Scenario #1

Slide26

Web Server Compromise & Pivot

[Diagram: Attacker and Website; a root kit is uploaded to the web server using SQL injection.]

Slide27

[Diagram: Root Kit on the compromised web server.]

Slide28

Reverse Proxy

[Diagram: Reverse proxy installed on the server using the root kit; Attacker; RDP traffic.]

Slide29

Scenario #2

Slide30

Online Banking Fraud

[Diagram: Attacker and Website; SQL injection exploit used to embed XSS code.]

Slide31

Online Banking Fraud

[Diagram: Consumers, Hacker Site, Victimized Site with embedded XSS, Keylogger.]

Slide32

Online Banking Fraud

[Diagram: Attacker, Consumers, Online Banking. Online banking credentials sent to hacker; hacker logs into online banking site and creates fraudulent transactions.]

Slide33

Scenario #3

Slide34

POS Keylogger

[Diagram: Back Office, Processor, Internet, POS Servers.]

Slide35

POS Keylogger

[Diagram: Internet, Back Office, POS Server. Hacker used global remote credentials to access the environment. Keylogger installed on each POS device; card swipe readers send the PAN via standard keyboard I/O. Reseller / Integrator uses global accounts to provide tech support.]

Slide36

ROI on Cyber Defense

[Figure: before/after timeline of a threat. BEFORE: 1st instance of threat → saturation → detection → containment; scope of compromise grows with time/cost and resources. AFTER: 1st instance of threat → detection → containment; early exposure of known unknown, rapid response, fewer required resources, rapid remediation, uncompromised endpoints.]

Slide37

- The time from the point of detection to containment is referred to as the “Return To Trusted State” (RTTS)
- Average RTTS in 2011 was 18 days
  - Increase of 4 days over 2010
- Average cost of $413,784 per event or $22,896 per day
  - Increase of 67% over 2010
- The threats range in difficulty to contain (average RTTS):
  - Malicious Insider = 45.5 days to contain
  - Malicious Code = 41.6 days to contain
  - Web-based attacks = 23.5 days to contain
  - DOS/DDOS = 13.1 days to contain
  - Stolen Devices = 10.7 days to contain

ROI on Cyber Defense (Statistics)

Slide38

ROI on Cyber Defense (Statistics)

Slide39

What are your next steps?

ACT NOW!
- Plan for an attack on your network.
- Implement enterprise grade products in your organization.
- Implement a strong security framework.
DEFEND YOUR NETWORK!

Defining YOUR Plan

Slide40

Questions

Slide41

Thank You

Benjamin Stephan

Director, Incident Management

FishNet Security

Benjamin.Stephan@FishNetSecurity.com
