Cyber Information Sharing

Size: px

Start display at page:

Download "Cyber Information Sharing"

Jane Weaver
5 years ago
Views:

1 Cyber Information Sharing Renault Ross CISSP, MCSE, CHSS, VCP5 Chief Cybersecurity Business Strategist Ian Schmertzler President

2 Know Your Team Under Pressure

3 Trust Your Eyes

4 Know the Supply Chain

5 Have Secondary Comms

6 Do it Right, Make it Here

8 ENDPOINT Security settings changes Network connections Successful / failed logins Sensitive docs accessed Process behaviors FIREWALL Inbound network traffic Outbound network traffic Protocol tunneling activity Administrative activity Inbound network traffic GATEWAY metadata Source server identity Web connection history Inbound attachments Outbound attachments SERVER Administrative activity Network connections Successful / failed logins Sensitive docs accessed Compliance status

9 BETTER PROTECTION + REMEDIATION BETTER PROTECTION + REMEDIATION BETTER PROTECTION + REMEDIATION BETTER PROTECTION + REMEDIATION

10 BENCHMARKING ACROSS PEERS INDUSTRY TARGETED ATTACK CAMPAIGNS GLOBALLY INFORMED SOLUTION SETTINGS ENDLESS USE CASES

11 TODAY BUILD/ACQUIRE TOMORROW PARTNER COLLECT APP EXCHANGE SOCIAL PLATFORM UNIFIED INCIDENT MGMT. INCIDENT INVESTIGATION INTERACTIVE ANALYTICS RISK ANALYSIS

Rated FREE TRIAL Secure App News Recently Viewed Top Rated

Studio C&C Detector Nova Software Target Sweep GO Getit EX

16Sep2014 Nova Software contributes robust C&C Detection

Software enhances security prioritization and checklist

Developer Tool Package News Archive >> Q&A Database

Supercoil Software Secure Check Supercoil Software 1h

12 Information Sharing APP Exchange? Logged In Joe Admin InfoSec Admin, Company 1 APPS Top Rated FREE TRIAL Secure App News Recently Viewed Top Rated New Releases By Industry By Category Load Look Level2 Studio C&C Detector Nova Software Target Sweep GO Getit EX 17Sep2014 Load Look by Level2 Studio, advances to the next level of protection. 17Sep new compliance apps added. 16Sep2014 Nova Software contributes robust C&C Detection tool. Developer Zone FREE TRIAL 16Sep2014 Supercoil Software enhances security prioritization and checklist features. Developer Tool Package News Archive >> Q&A Database Message Board Remotecontrol Elipse Strategy Termin8er Supercoil Software Secure Check Supercoil Software 1h Check out our latest development utilizing aggregated risk analysis tolerance feedback Super Coil Software 1D Dashboard elite is not all it s cracked up to be, we ve hit snags with the custom navigation integration module. Joe

Information Sharing Social Platform? Logged In Joe Admin InfoSec Admin, Company 1 Update My Status Trending Joe Admin We are seeing a lot of instances of foo.

exe on our endpoints. Where is it coming from? Upcoming Events Interests Source: 172.16.254.1 IP Address Lisa Andrews Manufacturing CISOs 2 hours ago Type: Verified Yes.

Origin: Unknown Dave Admin Manufacturing Admin 1 hours ago Forensic results: Verified Hi Joe, we have traced the origin of foo.exe to the following IP: 172.16.254.

13 Information Sharing Social Platform? Logged In Joe Admin InfoSec Admin, Company 1 Update My Status Trending Joe Admin We are seeing a lot of instances of foo.exe on our endpoints. Where is it coming from? All POST Contacts Groups Joe Admin Software Developer Verified 3 hours ago We are seeing a lot of instances of foo.exe on our endpoints. Where is it coming from? Upcoming Events Interests Source: IP Address Lisa Andrews Manufacturing CISOs 2 hours ago Type: Verified Yes. I saw it a few weeks ago. seems to be related to the earlier attack. I ll ask Dave to send you a source IP we have associated with that executable. Origin: Unknown Dave Admin Manufacturing Admin 1 hours ago Forensic results: Verified Hi Joe, we have traced the origin of foo.exe to the following IP: Connection from SAM_WIN8/SPY.EXE to at 6:18:08 pm on 10/6/14 File TED_WIN7/BOT.EXE retrieved from at 8:20:10 am on 10/24/14 Connection from SALLY_ANDROID_1 to at 4:24:08 pm on 11/6/14 Recommended

15 CSF FUNCTIONS BUILD PROFILE Core Functions ID Identify What assets need protection? PR Protect What safeguards are available? DE Detect What techniques can identify incidents? RS Respond What techniques can contain impacts of incidents? RC Recover What techniques can restore capabilities? Copyright 2017 Symantec Corporation 9

16 UNDERSTAND YOUR MATURITY: SELF ASSESSMENT LED IDENTIFY ID.BE Organization ID.AM Asset Mgt. ID.RA Risk Assessment ID.RM Risk Strategy Mgt ID.GV Governance PROTECT PR.AT Awareness Training PR.AC Access Control PR.DS Data Security PR.IP Info Processes &, Procedures DETECT DE.AE Anomalies & Events DE.CM Continuous Monitoring DE.DP Detection Processes RESPOND RS.RP Response Planning RS.CO Response Communications RS.AN Response Analysis RS.MI Response Mitigation RS.IM Response Improvements RECOVER RC.RP Recovery Planning RC.IM Recovery Improvements RC.CO Recovery Communications Not At All Planned Partially Mostly In Place Optimized

17 The image part with relationship ID rid3 was not found in the file. This image cannot currently be displayed. WHERE AM I 6 Fxn. Cat. Sub. Current Profile Fxn. Cat. Sub. Target Profile ID.AM 1 Tier 1 ID.AM 1 Tier 4 ID.AM 2 Tier 1 ID.AM 2 Tier 4 ID ID.AM ID.AM 3 ID.AM 4 ID.AM 5 Tier 2 Unused Tier 4 Enables a prioritized action plan ID ID.AM ID.AM 3 ID.AM 4 ID.AM 5 Tier 2 Unused Tier 4 ID.AM 6 Tier 3 ID.AM 6 Tier 3

18 HOW CAN I ALIGN WITH BEST PRACTICES Core Function Category Subcategory Informative References Respond (RS) Response Planning (RS.RP): COBIT 5 BAI01.10 RS.RP 1: Response CCS CSC 18 plan is executed during ISA : or after an event ISO/IEC 27001:2013 A NIST SP Rev. 4 CP 2, CP 10, IR 4, IR 8 Copyright 2017 Symantec Corporation 10

20 ENTERPRISE TOOLKIT: A Mature Compliance and Security Model Business Strategy and Governance driving Security Operations Governance (security, privacy, compliance) Information Risk Management & Reporting GRC Dashboards Security Policies and procedures Awareness and Training GRC Standards & UA Security Team Structure, Roles & Responsibilities GRC Policy Business Strategy and Governance Secure Info Access Information Protection Infrastructure Management Information Risk Management & Reporting GRC Dashboards Information Risk Management & Reporting GRC Dashboards Information Risk Management & Reporting GRC Dashboards Digital Trust High Assurance PKI Data Loss Controls Data Classification Strategic GRC Policy LOA3 Configuration & Patch Management Sys Integrity & Lockdown HIPS EPM Identity Management Authentication Encryption Electronic Discovery Tactical DLP Inventory & Asset Management Mobility & Wireless. CASB Mobile 2FA EPM ENC On Going Compliance and Security Operations Infrastructure Protection Information Risk Management & Reporting GRC Dashboards Logging & Monitoring Malicious Code Protection Security Intelligence ATP IR Retainer MSSP Secure Network Design Network Perimeter Security EDR PEN Test

Cyber Bounty Hunter. Key capabilities of today s. Renault Ross CISSP,MCSE,VCP5,CHSS Distinguished Engineer Chief Security Business Strategist

Cyber Bounty Hunter. Key capabilities of today s. Renault Ross CISSP,MCSE,VCP5,CHSS Distinguished Engineer Chief Security Business Strategist Key capabilities of today s Cyber Bounty Hunter Renault Ross CISSP,MCSE,VCP5,CHSS Distinguished Engineer Chief Security Business Strategist Copyright 2016 Symantec Corporation 1 2 3 The Cyber Skills Gap