Adapting Incident Response to Meet the Threat
Jeff Schilling, Director, Global Incident Response and Digital Forensics
Why change your approach?
Do you really know your environment?
Do you really know/understand your threat?
Where to focus your efforts to respond?
Measuring success
My Press Box View
My view as the Director of the Army’s Global Network Security Team
My view as the Director of the Dell Incident Response Practice
The Dell SecureWorks Incident Response Practice
300+ projects last year
42% of our engagements were with medium-sized businesses
58% were large enterprise customers
70% of our engagements were active Incident Response
30% were proactive engagements
20% of our projects involved Advanced Persistent Threat (Targeted Threat)
Our observations from 2012 engagements:
End users still the primary targets (51% of the time)
Servers and applications running second (39% of the time)
20% of our engagements involved insider threat activity
Do I need to change my approach?
Getting to “yes”
Do you rarely see the same activity on your networks with the same success?
Do you conduct trend analysis of your security incidents?
Have you analyzed the things you can control and the things you can’t?
For the things you can’t, have you calculated the risks or outcomes?
Have you insured or transferred that risk?
Do you make adjustments to your security controls based on trends?
Do you have a plan or playbook to address your most common Incidents?
Do you rehearse and update these plans?
Do you really know your environment?
Which picture best describes your network?
Do you have an updated/accurate network diagram? Are you a part of the change management process so you know when it changes?
Have you studied your network flow to know what ports and protocols to accept and
Do you validate with Pen Tests, Vulnerability Scans,
Do you have defined network boundaries with the Internet?
Do you leverage Active Directory to assign risk and controls to Organizational Units?
Is “white listing” embraced in your organization?
Do you have a standard, secure image/baseline for hosts and servers?
Do you centralize your event log monitoring?
Do you limit workstation to workstation communication?
Do you really know your enemy?
Categories of threat
Phishing with Dynamite
Automated control for scale
Can be defended with good signature-based controls
Buys trade craft
Can be sophisticated and
Smash and grab
Human controlled (just for you)
Custom trade craft
Highly targeted phishing
Water holing web drive
Some server compromises
Highly targeted efforts
Attempts to cover their tracks
Will compromise partners to get
is to log on, become an insider
Fly on the wall
Hardest to detect, tries to hide in
Usually has elevated privileges
In most cases, assumes not being monitored
Rarely uses tradecraft: when they do, normally crawlers
Usually has access to data that does not pertain to their job; that is what they take
May use “close access” techniques
Attempts to cover their tracks
Managers/HR usually not surprised when insider is caught
May be some overlap in APT and Insider threat detection