13 Operational and Security Incident management. IT Governance CEN 667

Transcription

1 13 Operational and Security Incident management IT Governance CEN 667 1

2 Project proposal (week 4) Goal of the projects are to find applicable measurement and metric methods to improve processes: For series of standards and For ITIL For Business Continuity and BS For Disaster Recovery For Penetration testing For Operational and Security Incident management For Risk Management Secure method for visual authentication Mobile securty access with speach recognition Other agreed with lecturer Literature review on selected topic - between 500 and 1000 words Proposal / for improvements of choosen method, approach, techniqe, - up to 2000 words List of references Document prepared in two columns as it should Be prepared for the conference paper Week report on updates 2

3 Project proposal (week 13) Candidate Topic Literature review draft Paper Proposed correction s week? Azizah Ibrahim Emina Aličković Jasmin Kevrić Mobile IPv6 handover packet loss avoidance A Novel Intrusion System Based on Support Vector Machines Algorithm improvement for the network anomaly detection using improved KDD 2009 NO NO NO NO NO NO NO NO NO Adnan Miljković Implementation of two factor authentication for web appliacation YES (463 words) NO NO Fatih Ozturk Evolutionary Computation Method Application for Network Intrusion Detection System using Real Network Data NO NO NO Tarik Kraljić NO NO NO NO Adnan Kraljić Adoption of standard ERP solutions in Health Care Sector Yes NO NO 3

4 Lectures Schedule Week Topic Introduction to IT governance Week 1 Overwiev of Information Security standards - ISO series of standards (27001, Week , 27003, 27004, 27005) Week 3 Information Technology Service management ISO and ISO Week 4 ITIL Week 5 Business Continuity and BS and BS Week 6 Disaster Recovery Week 7 COBIT Week 8 Project implementation (ISO and ISO 27003) Week 9 Midterm Week 10 Risk Managament (ISO 27005) Week 11 Application and Network Security and security testing Week 12 Specific Requirements and Controls Implementation (ISO 27002) Week 13 Operational and Security Incident management Week 14 Perforamnce Measurement and Metrics (ISO 27004) Week 15 Audit (ISO 19011) and Plan- Do-Check-Act impovement cyclus 4

5 13 Operational and Security Incident management IT Governance CEN 667 5

6 6

7 Definition Incident: Any event which is not part of the standard operation of a service and which causes, or may cause, an interruption to, or a reduction in, the quality of that service. 7

8 Elements of Incident Response (?) Shultz & Shumway Preparation Detection Containment Eradication Recovery Follow-up vanwyk & Forno Detection (Identification) Damage Assessment (Coordination) Damage Control (Mitigation) Damage Reversal (Investigation) Lessons Learned (Education) 8

9 9

10 10

11 11

12 Incident Management 12

13 Objective of Incident Management To ensure continuity of the services provided by ensuring that any irregularities in the service level agreed upon are corrected as soon as possible. 13

14 Here s How It s Really Done A Holistic Approach Preparation Incident response is an element of risk management Response Identify Contain Isolate for later analysis Recover Formal post mortem 14

15 Risk Management Elements Threats Vulnerabilities Impacts Countermeasures Process Analysis Response to analysis ongoing Incident response plan and practice Focus on business continuity Before, during and after the incident 15

16 Building Incident Management Into a Risk Management Plan Incidents pose risks and must be planned for in advance Resources needed Management procedures Reducing the risks that could permit an incident Threat management Preventative and detective controls Understand how the elements of risk affect incident management 16

17 Risk vs. Vulnerabilities Definition of risk The likelihood that a threat agent will successfully exploit a vulnerability to create an unwanted or adverse impact. (Jones) Risk consists of the agent causing the threat, the exploitable vulnerability, the impact of a successful attack and mitigating factors Vulnerabilities Weaknesses that may be exploited to cause an unwanted result 17

18 18

19 The Stages of the Incident Management Process Risk analysis Develop a triage plan for business continuity Risk and incident management plan Feed back risks that could enable an incident into the plan for proactive remediation Training, tools and relationships Everyone who could be touched by an incident is on the team Manage the incident 19

20 Defining Incident Response: The Stages of an Incident Interdiction Containment Recovery Analysis 20

21 What We Mean By: Interdiction Stopping or interrupting the incident Containment Isolating damage and preventing it from spreading Recovery Returning the business to the pre-incident state Analysis Post-incident root cause analysis (post mortem) 21

22 The Incident Occurs The team already is in place and has been trained The plan already is in place and has been rehearsed and approved Resources already are in place Threats, vulnerabilities and impacts are known A triage approach has been established in advance 22

23 Incident Handling Incident Recording Initial Support & Classification Incident Monitoring & Tracking Service Request? Investigation & Diagnosis Resolution & Recovery Service Request Procedure Incident closed 23

24 IMPACT Prioritisation High Highest Priority Medium Low Low Medium High URGENCY 24

25 Prioritisation Impact - A measure of business criticality ; often measured by the number of people or systems affected. Urgency - The speed with which the incident must be resolved Other Considerations - Size, scope and complexity of resolution (effort) - Resources available for coping in the meantime and also for correcting the fault 25

26 Escalation CIO Mgr Mgr Mgr Tech Tech Tech Tech Tech Tech Functional (competence) 26

27 Responding Identify Identify that there is an incident Contain Respond in accordance with the plan Business needs come first, but Isolate for later analysis wherever possible Use a Command and Control architecture Recover Formal post mortem 27

28 Managing Threats During the Incident First stage objective Applying threat inhibitors and removing access to interdict the application of the threat against vulnerabilities May be technical Filtering at the perimeter Identifying threat agents and removing catalysts Second stage objective Contain damage and prevent spread Water-tight bulkheads already should be in place Security policy domains 28

29 Managing Vulnerabilities During the Incident First stage objective Take primary vector vulnerable systems off line Second stage objective Isolate vulnerable systems Third stage objective Remove vulnerabilities, obtaining evidence wherever possible Fourth stage objective Analyze evidence to understand how the vulnerability responded to the threat 29

30 Managing Impacts During the Incident First stage objective Reduce through interdiction and redirection Second stage objective Limit spread Security policy domains and water-tight bulkheads Third stage objective Ensure that recovery is complete Fourth stage objective Analyze and quantify Lessons learned MUST be applied 30

31 Command and Control

32 The Incident Management Team EVERYONE is on the team! Core team manages and plans for the incident Everyone who may be touched by an incident has a role to play and must be prepared to play his or her role Plan for and implement a command and control architecture Train and rehearse key players in the use of the architecture Lesson learned from the Slammer case study: there were early warning signs for two hours prior to meltdown that would have helped avoid serious damage, but the network ops center operators missed them 32

33 Command & Control Requirements Team structure Includes non-team members such as system administrators Central command Analysis, monitoring and management tools Link analyzers Forensics IDS monitors Network management All analysis is done by central command Issues suggestions to field teams Dispatches and makes team assignments Makes decisions Field teams Perform pre-designated tasks Command s eyes, ears and hands 33

34 The Command and Control Architecture Layered response First responders Incident Command Center Field responders Centralized incident management Each layer has specific responsibilities Each layer requires specific training Each layer requires specific tools 34

35 First Responders The first individuals likely to detect the incident System administrators Network control center operators Network security team Training Signs of an incident Local policies, procedures and incident management roles Including their roles Incident management contact list Evidence management requirements and techniques Tasks As defined in the Incident Management Plan Stage 1 know what, when and how to interdict Stage 2 know security policy domains and their containment procedures Stage 3 be prepared to follow recovery instructions Stage 4 participate in post mortems 35

36 Incident Command Center Key team members who will manage the incident Center of all control and all command decisions Performs all analysis during the incident Collects all data Training All elements of incident management including local policies and procedures Tasks As defined in the Plan Stage 1 collect data from first responders, determine interdiction process, direct interdiction procedures, involve outside resources as necessary Stage 2 determine appropriate containment perimeters, direct containment procedures Stage 3 collect evidentiary materials such as logs, forensic images, etc., determine recovery triage, direct and coordinate recovery procedures, involve outside resources as necessary Stage 4 conduct incident post mortems 36

37 Field Responders All individuals who may be affected by the incident and who may be called upon to assist in its management Training Elements of incident management that impact them directly Tasks As defined in the Plan Stage 1 none Stage 2 as directed by Command Center Stage 3 As directed by Command center Stage 4 participate in post mortems as requested 37

38 Tools of Incident Management Evidence collection and management Intrusion detection systems EnCase Enterprise or ProDiscover Sniffers Log management systems Command and control Communications tools Cell phones, BlackBerries, alternative systems, etc. Evidence management interface SceneSearch Corporate version ( 38

39 Incident Control Activities Incident detection and recording Classification and initial support Investigation and diagnosis Resolution and recovery Incident closure Ownership, monitoring, tracking and communication 39

40 Key Performance Indicators (KPIs) The following are examples to measure the effectiveness and efficiency of the process: Total number of incidents Mean elapsed time to achieve incident resolution Average cost per incident Percentage of incidents handled within agreed response time 40

41 First Line support Managing Incident Control Detect and Record 2 nd Line n th Line Initial Support Resolved? no Investigate Diagnose yes Recovery Resolved? no Investigate Diagnose Recovery Resolved? Recovery Closure etc. 41

42 Questions? 42

43 Thank you 43