Cyber Security Incident Response Fighting Fire with Fire

Similar documents
Are we breached? Deloitte's Cyber Threat Hunting

Building and Testing an Effective Incident Response Plan

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

Anticipating the wider business impact of a cyber breach in the health care industry

Cyber Incident Response. Prepare for the inevitable. Respond to evolving threats. Recover rapidly. Cyber Incident Response

Managing Cyber Risk. Robert Entin Executive Vice President Chief Information Officer Vornado Realty Trust

Effective Cyber Incident Response in Insurance Companies

The Deloitte-NASCIO Cybersecurity Study Insights from

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

Standing Together for Financial Industry Resilience Quantum Dawn IV after-action report June 2018

External Supplier Control Obligations. Cyber Security

Emerging Technologies The risks they pose to your organisations

Cyber Risks in the Boardroom Conference

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

Business continuity management and cyber resiliency

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Standing Together for Financial Industry Resilience Quantum Dawn 3 After-Action Report. November 19, 2015

Cyber Threat Landscape April 2013

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

CYBER RESILIENCE & INCIDENT RESPONSE

Bradford J. Willke. 19 September 2007

SOC for cybersecurity

Cyber crisis management: Readiness, response, and recovery

The value of visibility. Cybersecurity risk management examination

Risk Advisory Academy Training Brochure

Sage Data Security Services Directory

THE CYBER SECURITY PLAYBOOKECTOR SHOULD KNOW BEFPRE, DURING & AFTER WHAT EVERY DIRECTOR SHOULD KNOW BEFORE, DURING AND AFTER AN ATTACK

How to be cyber secure A practical guide for Australia s mid-size business

How to Prepare a Response to Cyber Attack for a Multinational Company.

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

Webcast title in Verdana Regular

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Cyber Security is it a boardroom issue?

From Dabbling to Doing The Age of the Intuitive Enterprise

CCISO Blueprint v1. EC-Council

Moving from Prevention to Detection March 2017

Les joies et les peines de la transformation numérique

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

MANAGEMENT OF INFORMATION SECURITY INCIDENTS

Does someone else own your company s reputation? EY Global Information Security Survey 2018

Cybersecurity Fortification Initiative (CFI) infrastructure whitepaper

Vulnerability Management. June Risk Advisory

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

Cyber Espionage A proactive approach to cyber security

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Cyber Risk and Networked Medical Devices

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Cybersecurity The Evolving Landscape

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

EC-Council Certified Incident Handler v2. Prepare to Handle and Respond to Security Incidents EC-COUNCIL CERTIFIED INCIDENT HANDLER 1

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Cybersecurity, safety and resilience - Airline perspective

CYBER INSURANCE: MANAGING THE RISK

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

ITU CBS. Digital Security Capacity Building: Role of the University GLOBAL ICT CAPACITY BUILDING SYMPOSIUM SANTO DOMINGO 2018

Copyright 2016 EMC Corporation. All rights reserved.

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

Understanding the Changing Cybersecurity Problem

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

You ve Been Hacked Now What? Incident Response Tabletop Exercise

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Cybersecurity Threat Modeling ISACA Atlanta Chapter Geek Week Conference

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Cyber Risk Having better conversations on cyber

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

CYBER SECURITY TAILORED FOR BUSINESS SUCCESS

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

Bringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016

Cyber Risk and Third Party Risk Management. Lisa Murphy First Horizon National Corporation

Staffing Services UnderDefense your source of experienced professionals to solve security staffing challenges today

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Information Security Incident Response Plan

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Incident Response Services

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

The NextGen cyber crime battlefield. Why organizations will always lose this battle

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

Information Security Controls Policy

A new approach to Cyber Security

Information Security Incident Response Plan

Hacking and Cyber Espionage

Customer Breach Support A Deloitte managed service. Notifying, supporting and protecting your customers through a data breach

BHConsulting. Your trusted cybersecurity partner

TECHLAW AUSTRALIA. Update on cyber security and data protection. Thursday, 22 June Thursday, 22 June

INTELLIGENCE DRIVEN GRC FOR SECURITY

Internet of Things (IoT) Securing the Connected Ecosystem

CYBER FRAUD & DATA BREACHES 16 CPE s May 16-17, 2018

Safeguarding unclassified controlled technical information (UCTI)

CYBER SECURITY AIR TRANSPORT IT SUMMIT

Credit Card Data Compromise: Incident Response Plan

Continuous protection to reduce risk and maintain production availability

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Transcription:

Cyber Security Incident Response Fighting Fire with Fire Arun Perinkolam, Senior Manager Deloitte & Touche LLP Professional Techniques T21 CRISC CGEIT CISM CISA

AGENDA Companies like yours What is the threat? What is the potential impact? What do leading practices look like? Staying ahead of the curve Appendix Q&A 2

COMPANIES LIKE YOURS CRISC CGEIT CISM CISA 9/13/2013 3

Companies like yours Click on video 4

WHAT IS THE THREAT? CRISC CGEIT CISM CISA 9/13/2013 5

The advancing threat The times they are a-changin The digital revolution is driving business innovation and growth, yet also exposing us to new and emerging threats. 61% of compromised records were taken using high difficulty hacking techniques. 2010 2011 2012 = 10 attacks per day The threat landscape is changing, and businesses have had to accept that it is not possible to prevent all forms of cyber attack, especially those that are particularly sophisticated and targeted. Malicious Insiders Espionage Organised Crime! Hacktivists Opportunistic Attacks The frequency of cyber attack is steadily increasing, and it only takes a single weakness for an attack to be successful. 2010 2011 2012 = $1m Data Sources: Verizon 2012 Data Breach investigations Report, Ponemon 2012 Cost of Cyber Crime Study 6

The advancing threat The odds aren t in your favor Attackers have a limitless number of attempts to compromise your defenses, but it only takes a single weakness on your part to get in. It is an unfair game, but you can still prevent or significantly limit damage by quickly identifying and dealing with instances of compromise. Seconds Minutes Hours Days Weeks Months Years Initial attack to initial compromise 43% 29% 4% 11% 7% 7% 0% Initial compromise to data exfiltration 8% 38% 25% 14% 8% 8% 0% Initial compromise to discovery 0% 0% 0% 27% 24% 39% 9% Discovery to containment 32% 38% 0% 1% 9% 17% 4% Data Source: Verizon 2012 Data Breach investigations Report 7

WHAT IS THE POTENTIAL IMPACT? CRISC CGEIT CISM CISA 9/13/2013 8

Consequences of an attack Financial losses and share price damage Brand and reputation Regulatory environment Costs of remediation and investigation Impact to operational capabilities Loss of intellectual property Risk to employees $110 billion Estimated cost of cyber crime to U.S. economy 1 88% Of organizations surveyed are confident that they are protected against external cyber threats 2 Yet Many organizations remain overconfident about their current level of security leaving them vulnerable to attack 59% Of companies had knowingly experienced a security incident in the past 12 months 2 1 2012 Cybercrime Report, Symantec 2 2013 Deloitte TMT Global Security Study 9

WHAT DO LEADING PRACTICES LOOK LIKE? CRISC CGEIT CISM CISA 9/13/2013 10

Prepare, Be Aware, and Respond A leading practices response approach is founded on the following core principles: Be aware of their threat profile and vulnerabilities; Be prepared before an attack; and Respond effectively should an attack happen. Cyber Security 11

Effective Cyber Incident Response Manage and respond to highconsequence events which have the potential to seriously disrupt operations, damage reputation and destroy shareholder value INCIDENT RESPONSE Stage 1 Immediate INCIDENT assessment RESPONSE and Stage 1 analysis Immediate assessment and analysis CRISIS MANAGEMENT Stage 1 CRISIS Stabilisation MANAGEMENT Stage 1 Stabilisation Conduct technical and forensic analysis of incidents Assess incident and support containment / minimization of damage BUSINESS INTELLIGENCE INCIDENT RESPONSE INCIDENT Stage RESPONSE 2 Stage Detailed 2 Detailed analysis & containment analysis & containment CRISIS CRISIS MANAGEMENT MANAGEMENT Stage 2 Recover Stage 2 Recover Execute technical incident response Manage public relations Manage internal communications and reporting INCIDENT INCIDENT RESPONSE RESPONSE Stage Stage 3 Post 3 incident Post security incident assessment security assessment 12

Using Business Intelligence How would a potential global contagion impact us? How would a significant redistribution of resources impact business as usual? Can we manage the disconnect between the pervasiveness of rumour fuelled by social media and our ability to respond based on fact? Business impact Speed of response Global context Cyber Incident Response Technical implications Consistency of communications Threat awareness How can we ensure our message is consistent from an internal and external perspective? How can we move from a reactive to proactive stance to more effectively understand the cyber threat? What is the worst case scenario and what technical measures can we take to limit the impact without significantly damaging the business? 13

Leveraging Supporting Capabilities Supporting Capabilities Supporting Capabilities Cyber Security Education Cyber Threat Modeling Insider Threat Detection Penetration Testing Vulnerability Management Third Party Threat Monitoring Cyber Security Readiness Assessment Log Collection & Analysis Cyber Incident Response Malware Analysis Identity and Access Management Solution Research and Development Evidence Preservation Network Forensics Brand Monitoring Application Security Review Cyber Threat Intelligence 14

Effective Crisis Management Who should you contact, what is the escalation process and what are your liabilities? Regulators & Cyber Insurance How do you establish a single source of authorised information and intelligence picture (Common Operating Picture)? Ops Board Senior Mgmt What are your obligations and how should you fulfil them and with what frequency? Customers Legal Cyber Incident Response Corp Comms Suppliers IT Marketing Media HR Who are the suppliers impacted or implicated and how best to coordinate? What should be revealed and when? 15

STAYING AHEAD OF THE CURVE CRISC CGEIT CISM CISA 9/13/2013 16

Build an effective CIR program - Preparation A mature, leading practices based Cyber Incident response (CIR) program typically has formality with regard to IR preparation, collection and analysis, communication and post-incident investigation. Preparation Collection, analysis and preservation Communication Post-incident Activities KEY ACTIVITIES Define incident handling team organization Confirm sign off authority and thresholds for response Document security procedures and methods to exchange information Identify support teams and team facilitators at all levels Identify individuals who can be quickly deployed Implement incident reporting mechanisms 17

Build an effective CIR program - Collection, analysis and preservation A mature, leading practices-based CIR program typically has formality with regard to IR preparation, collection and analysis, communication and post-incident investigation. Preparation Collection, analysis and preservation Communication Post-incident Activities KEY ACTIVITIES Detect, capture and analyze network traffic and system data Create backups and isolate potentially compromised systems Identify, capture and analyze pertinent files within compromised local systems and other data sources Reconstruct sequence of events on compromised systems Identify additional investigative steps based on initial analysis Securely preserve and maintain data gathered Generate secure backups of data and evidence collected Preserve the chain of custody Document approach and steps taken to collect and analyze evidence Document output and key findings from evidence analysis Provide interim report on analysis of evidence and provide preliminary conclusions 18

Build an effective CIR program - Communication A mature, leading practices-based CIR program typically has formality with regard to IR preparation, collection and analysis, communication and post-incident investigation. Preparation Collection, analysis and preservation Communication Post-incident Activities KEY ACTIVITIES Inform organization on progress of incident response Inform all parties affected by the incident in a secure manner Establish media and Internet monitoring Notify upstream and downstream parties, such as Internet Service Providers, and other service providers in a secure manner Maintain stakeholder contact lists and logs Consider informing the police/regulators 19

Build an effective CIR program - Post-incident Activities A mature, leading practices-based CIR program typically has formality with regard to IR preparation, collection and analysis, communication and post-incident investigation. Preparation Collection, analysis and preservation Communication Post-incident Activities KEY ACTIVITIES Containment - Contain incident and minimize immediate damage - Apply technical and administrative solutions to mitigate risk of further exposure - Assess cause and symptoms of incident and eradicate any remaining attacker artifacts Prevention - Correct systemic weaknesses and deficiencies by revising security plans and policies - Advise on technical and administrative solutions in order to minimize risk of future cyber incidents - Monitoring to determine effectiveness of response measures Recovery and record - Prioritize recovery activities to support the return to business as usual - Issue formal report detailing the incident response process and providing recommendations for remediation - Hold lessons learned meeting with all involved parties 20

APPENDIX CRISC CGEIT CISM CISA 9/13/2013 21

About Deloitte s Security & Privacy Services At Deloitte, our security and IT risk consulting services are independently recognised as world leading. Our people At Deloitte in the U.S., and globally through the Deloitte Touche Tohmatsu Limited network of member firms, our global team can draw on the experience of; >4500 professionals in North America and over 11,000 risk management and security, privacy and resilience practitioners globally 210 computer forensics examiners, part of Deloitte Financial Advisory Services LLP 11,530 human capital consulting professionals, part of Deloitte Consulting LLP Our skills 53 Security & Forensics labs located strategically across the globe ISACA: Over 8,000 involved with ISACA; approximately 2,000 certified as CISA, CISM, & CGEIT ISC 2 : Over 1,100 CISSPs BSI: 150 trained lead system auditors IAPP: Privacy certified practitioners PMI: PMP certified practitioners 22

Q & A CRISC CGEIT CISM CISA 9/13/2013 23

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation. As used in this document, Deloitte means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. CRISC CGEIT CISM CISA 9/13/2013 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback