Building and Testing an Effective Incident Response Plan


14th Annual: Building and Testing an Effective Incident Response Plan
John Gelinne, Deloitte & Touche LLP
jgelinne@deloitte.com
www.linkedin.com/in/jgelinne

No battle plan ever survives contact with the enemy. - Helmuth von Moltke

Cyber Incident Response Plan Framework
CIR Process, CIR Team, Business Operations
The CIRP should follow a consistent set of activities for gathering information, coordinating activities, assessing results, and communicating to involved parties.

State of California (CISO)
Agency/State Entity (one per entity)

State Entity Response Team**
- Escalation manager
- Program Manager of the program or office experiencing the breach
- Information Security Officer (ISO)
- Chief Privacy Officer/Coordinator (CPO) or Senior Official for Privacy
- Public Information or Communications Officer
- Legal Counsel
- Others as directed by the California Information Security Office (CISO)

Agency/State Entity CIRT (Technical Cyber Response)
- Incident Commander(s)
- ISOC
- TAC
- Desktop Support
- IT Operations
- Networking
- Access Control
- Business Continuity
- Forensics
- Other SMEs (as needed)

** Requirements to Respond to Incidents Involving a Breach of Personal Information - SIMM 5340-C
HM Health Solutions Inc. For limited distribution 3

Key Activities: The Cyber Incident Response Process (CIRP)
Our CIRP follows a consistent set of activities for gathering information, coordinating activities, assessing results, and communicating to involved parties.

CIR Process phases and their key activities:
1. Alert & Scope: Identify incident and its severity; Gather information; Classify security incident
   (Escalation occurs here and as needed throughout the process)
2. Investigate: Assemble CSIRT; Identify potential breach; Delegate CSIRT activities; Perform forensics
3. Contain: Analyze containment requirement; Determine and implement plan
4. Eradicate/Mitigate: Plan/execute remediation (activities, resources, communications); Assess impacts; Evaluate effectiveness
5. Recover: Plan/execute recovery; Send status notice
6. Report: Compile results; Confirm findings; Make notifications; Record closure
7. Lessons Learned: Identify/review lessons learned; Implement corrective actions

Illustrative CIR Escalation and Notification Process
Cyber security threat levels and response efforts are based on potential impacts.
Steps: 1 Detect Cyber Event (example incidents) -> 2 Assign Severity Rating -> 3 Notify

CIR 1 - Severe impact
- Example incidents: Enterprise-wide virus attack; Website is attacked, delayed ability to recover; Successful unauthorized access to critical systems
- Notify: Executive Management, CIR Executive Leadership*, CIR Leadership, CSIRT, External Entities

CIR 2 - Significant or potentially severe impact
- Example incidents: Small scale virus event; Website down, immediate restoration
- Notify: CIR Executive Leadership*, CIR Leadership, CSIRT, External Entities*

CIR 3 - Minimal with potential for significant impact
- Example incidents: Isolated virus infection; Unsuccessful network probing
- Notify: CSIRT
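The two slides above (the CIRP phase sequence and the illustrative severity/notification matrix) describe a procedure that is easy to state and easy to skip steps in under pressure. The following is an added example, not code from the presentation or from Deloitte: it encodes the phase order and the CIR 1-3 notify lists exactly as transcribed from the slides, and wraps them in a constructed incident record that refuses to leave Alert & Scope without a rating and refuses to advance while any party owed a notification has not been told. The Incident class, CIRPError, the walkthrough in run_sample_incident and the sample incident title are all my constructions; the treatment of starred (conditional) parties as required-until-decided is an assumption.

```python
"""Incident record that enforces the CIRP phase order and derives the
notification list from the CIR severity rating.

Added example, not from the presentation: phase names, CIR ratings and
notify lists are transcribed from the slides; the Incident class, the
precondition checks and the sample walkthrough are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

# Phase sequence from the "Key Activities" slide.
PHASES = (
    "Alert & Scope", "Investigate", "Contain", "Eradicate/Mitigate",
    "Recover", "Report", "Lessons Learned",
)

# Illustrative escalation matrix. A trailing '*' marks parties the slide
# footnotes as conditional; assumption here: they stay on the list so a
# human records an explicit decision rather than silently skipping them.
SEVERITY = {
    1: ("Severe impact",
        ("Executive Management", "CIR Executive Leadership*",
         "CIR Leadership", "CSIRT", "External Entities")),
    2: ("Significant or potentially severe impact",
        ("CIR Executive Leadership*", "CIR Leadership", "CSIRT",
         "External Entities*")),
    3: ("Minimal with potential for significant impact",
        ("CSIRT",)),
}


class CIRPError(Exception):
    """A response step was attempted out of the order the plan prescribes."""


@dataclass
class Incident:
    title: str
    severity: Optional[int] = None       # CIR 1 (worst) .. CIR 3
    phase_index: int = 0
    notified: set = field(default_factory=set)
    log: list = field(default_factory=list)

    @property
    def phase(self) -> str:
        return PHASES[self.phase_index]

    def record(self, note: str) -> None:
        self.log.append(f"[{self.phase}] {note}")

    def pending_notifications(self) -> List[str]:
        """Parties owed a notification at the current rating but not yet told."""
        if self.severity is None:
            return []
        return [p for p in SEVERITY[self.severity][1] if p not in self.notified]

    def assign_severity(self, rating: int) -> List[str]:
        """Classify (or re-classify) the incident; returns newly owed parties.

        Re-rating to a lower number is an escalation: parties already
        notified are not re-listed, only the additional ones."""
        if rating not in SEVERITY:
            raise CIRPError(f"unknown CIR rating {rating}")
        self.severity = rating
        self.record(f"rated CIR {rating}: {SEVERITY[rating][0]}")
        return self.pending_notifications()

    def notify(self, party: str) -> None:
        self.notified.add(party)
        self.record(f"notified {party}")

    def advance(self) -> str:
        """Enter the next phase, enforcing the plan's preconditions."""
        if self.phase_index == len(PHASES) - 1:
            raise CIRPError("incident is already in Lessons Learned")
        if self.severity is None:
            raise CIRPError("classify the incident before leaving Alert & Scope")
        pending = self.pending_notifications()
        if pending:
            raise CIRPError(f"outstanding notifications: {pending}")
        self.phase_index += 1
        self.record("entered phase")
        return self.phase


def run_sample_incident() -> Incident:
    """Constructed walkthrough: an event first rated CIR 3 (looks like
    probing) that investigation reveals to be successful unauthorized
    access to a critical system, i.e. CIR 1."""
    inc = Incident("unexpected logins on finance application server")
    for party in inc.assign_severity(3):
        inc.notify(party)
    inc.advance()                              # -> Investigate
    newly_owed = inc.assign_severity(1)        # forensics finds real access
    assert "CSIRT" not in newly_owed           # already told; no duplicate notice
    for party in newly_owed:
        inc.notify(party)
    while inc.phase != "Lessons Learned":
        inc.advance()
    return inc


if __name__ == "__main__":
    print("\n".join(run_sample_incident().log))
```

The point of the escalation path in run_sample_incident is the one the matrix slide makes implicitly: when the rating changes mid-response, the notification obligation changes with it, and the record should show who was told at which phase rather than relying on memory.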

Effective Cyber Incident Response Plans must be coordinated across multiple parties.

State of California Executive Leadership: Remain informed on the cyber incident response process. Provide direction and oversight during a cyber incident.

CSIRT: Perform the technical response activities. Provide hands-on execution of the plan. Verify incident scope. Classify incident. Escalate incident specifics. Perform technical response.

Entity Legal, Privacy, & Comms: Evaluate impact to regulatory and third party obligations. Be prepared to notify CHP. Privacy breach notification process (internal and external).*

CIR Leadership: Validate scope. Evaluate containment strategies. Provide incident details and status to executive leadership. Coordinate incident response efforts with Agency and State leadership, to include CISO and CHP, through the Cal CSIR.*

Entity Business Leadership: Ensure the Incident Response Plan considers impact on critical business processes and functions. Ensure recovery efforts prioritize critical processes and applications.*

State Entity Leadership: Request incident specifics including affected systems, data and severity. Ensure recovery efforts are focused on critical processes and applications. Coordinate communication messaging to internal and external audiences.

All of the above parties interact through the Cyber Incident Response Process.

The way to avoid what is strong is to strike at what is weak. - Sun Tzu

Cyber Incident Response Case Study: Navy-Marine Corps Internet (NMCI)
Layered defense tiers, from the DoD boundary inward:
- National Global Defenses/Intelligence: National Security Agency; Defense Information Systems Agency (DoD Boundary: .mil domain)
- Navy Global Defenses (10th Fleet): Navy Cyber Task Forces, Tier I and Tier II (Navy Boundary: navy.mil domain, NMCI)
- Strike Group Point Defense: Internet access points, Fleet/Strike Group, Tier III
- Adversary (outside the boundaries)

Do not spare any reasonable expense to come at early and true information. - George Washington

With a clever strategy, each action is self-reinforcing. Each action creates more options that are mutually beneficial. - Max Mckeown

A leader is a man who can adapt principles to circumstances. - Gen. George S. Patton

If words of command are not clear and distinct, if orders are not thoroughly understood, the general is to blame. -Sun Tzu

I should endeavor to acquire as thorough a knowledge of the principles of war and to train myself in their application by playing competitive war games. - Admiral William Sims

Cyber wargaming
Cyber wargaming is an interactive technique that immerses potential cyber-incident responders in a simulated cyber scenario to help organizations evaluate their cyber incident response preparedness.

Cyber wargames drive improvements in cyber resiliency, including:
- Stronger response capabilities aligned towards mitigating the highest impact risks of a cyber incident
- Broader consensus on the appropriate strategies and activities to execute cyber incident response
- Improved understanding of the people, processes, data, and tools needed to respond to a cyber incident
- Better identification of gaps in cyber incident response people, processes, and tools
- Enhanced awareness of the downstream impacts of cyber incident response decisions and actions
- Tighter integration between parties likely to be collectively involved in the response to a cyber incident
- Improved clarity regarding ownership of authority related to certain key cyber incident response decisions
- Reduced time-to-response through the development of cyber incident response muscle memory

Wargames lead to deeper, broader lessons learned as compared to traditional cyber assessments and tabletop exercises.
Copyright 2016 Deloitte Development LLC. All rights reserved. 14

Maturity progression: Crawl, Walk, Run, Sustain

The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him. - Sun Tzu

We have met the enemy and they are ours - Oliver Hazard Perry

John Gelinne, Managing Director, Deloitte & Touche LLP
jgelinne@deloitte.com
www.linkedin.com/in/jgelinne

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.com/about for a detailed description of DTTL and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.