14th Annual
Building and Testing an Effective Incident Response Plan
John Gelinne, Deloitte & Touche LLP
jgelinne@deloitte.com
www.linkedin.com/in/jgelinne
No battle plan ever survives contact with the enemy. - Helmuth Von Moltke
Cyber Incident Response Plan Framework
(Diagram elements: CIR Process, CIR Team, Business Operations)
The CIRP should follow a consistent set of activities for gathering information, coordinating activities, assessing results, and communicating to involved parties.

State of California (CISO)
  Agency/State Entity (one of several)
    State Entity Response Team**: Escalation manager; Program Manager of the program or office experiencing the breach; Information Security Officer (ISO); Chief Privacy Officer/Coordinator (CPO) or Senior Official for Privacy; Public Information or Communications Officer; Legal Counsel; Others as directed by the California Information Security Office (CISO)
    Agency/State Entity CIRT (Technical Cyber Response): Incident Commander(s); ISOC; TAC; Desktop Support; IT Operations; Networking; Access Control; Business Continuity; Forensics; Other SMEs (as needed)

** Requirements to Respond to Incidents Involving a Breach of Personal Information - SIMM 5340-C
HM Health Solutions Inc. For limited distribution
Key Activities: The Cyber Incident Response Process (CIRP)
Our CIRP follows a consistent set of activities for gathering information, coordinating activities, assessing results, and communicating to involved parties.

CIR Process phases and key activities:
  Alert & Scope: Identify incident and its severity; Gather information; Classify security incident; Escalation
  Investigate: Assemble CSIRT; Identify potential breach; Delegate CSIRT activities; Perform forensics
  Contain: Analyze containment requirement; Determine and implement plan
  Eradicate/Mitigate: Plan/execute remediation (activities, resources, communications); Assess impacts; Evaluate effectiveness
  Recover: Plan/execute recovery; Send status notice
  Report: Compile results; Confirm findings; Make notifications; Record closure
  Lessons Learned: Identify/review lessons learned; Implement corrective actions
  Escalation (can occur at any phase)
Illustrative CIR Escalation and Notification Process
Cyber security threat levels and response efforts are based on potential impacts.
Steps: 1. Detect cyber event (example incidents) -> 2. Assign severity rating -> 3. Notify

  CIR 1 (Severe impact)
    Example incidents: enterprise-wide virus attack; website is attacked, delayed ability to recover; successful unauthorized access to critical systems
    Notify: Executive Management; CIR Executive Leadership*; CIR Leadership; CSIRT; External Entities
  CIR 2 (Significant or potentially severe impact)
    Example incidents: small-scale virus event; website down, immediate restoration
    Notify: CIR Executive Leadership*; CIR Leadership; CSIRT; External Entities*
  CIR 3 (Minimal, with potential for significant impact)
    Example incidents: isolated virus infection; unsuccessful network probing
    Notify: CSIRT
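As an added illustration (not code from the presentation), the escalation matrix above encoded as a severity-rating and notification routine, the kind of rule a SOC would put behind an alert-routing playbook. The event attributes, and the choice that combinations the slide does not show (for example a successful access to a non-critical system) fall to the more severe neighbouring tier, are assumptions made here.

```python
from dataclasses import dataclass

# Notification lists per severity tier, transcribed from the slide.
# An asterisk on the slide marks a conditionally notified party; it is kept as-is.
NOTIFY = {
    1: ("Executive Management", "CIR Executive Leadership*", "CIR Leadership",
        "CSIRT", "External Entities"),
    2: ("CIR Executive Leadership*", "CIR Leadership", "CSIRT", "External Entities*"),
    3: ("CSIRT",),
}


@dataclass(frozen=True)
class CyberEvent:
    """Minimal event record; the attribute set is an assumption for this example."""
    kind: str                       # "malware" | "web_attack" | "access" | "probe"
    scope: str = "isolated"         # malware: "isolated" | "small" | "enterprise"
    succeeded: bool = False         # access/probe: did it reach its target?
    critical_system: bool = False   # access/probe: was a critical system the target?
    recovery_delayed: bool = False  # web_attack: site not immediately restorable


def rate_severity(e: CyberEvent) -> int:
    """Map one event to CIR 1 (severe) .. CIR 3 (minimal) using the slide's examples.
    Gaps in the slide resolve toward the more severe tier (over-notify, never under)."""
    if e.kind == "malware":
        return {"enterprise": 1, "small": 2, "isolated": 3}[e.scope]
    if e.kind == "web_attack":
        return 1 if e.recovery_delayed else 2          # delayed recovery -> CIR 1
    if e.kind in ("access", "probe"):
        if not e.succeeded:
            return 3                                   # unsuccessful probing -> CIR 3
        return 1 if e.critical_system else 2           # successful non-critical: assumed CIR 2
    raise ValueError(f"unknown event kind: {e.kind!r}")


def notification_plan(e: CyberEvent) -> dict:
    """Severity label plus the parties to notify for a single event."""
    sev = rate_severity(e)
    return {"severity": f"CIR {sev}", "notify": list(NOTIFY[sev])}


def batch_severity(events) -> int:
    """Related events are handled at the most severe tier observed (lowest number)."""
    return min(rate_severity(e) for e in events)


if __name__ == "__main__":
    # Constructed sample events mirroring the slide's example incidents.
    for ev in (CyberEvent("malware", scope="enterprise"), CyberEvent("web_attack"),
               CyberEvent("probe"), CyberEvent("access", succeeded=True, critical_system=True)):
        print(ev.kind, notification_plan(ev))
```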
Effective Cyber Incident Response Plans must be coordinated across multiple parties

  State of California Executive Leadership: Remain informed on the cyber incident response process. Provide direction and oversight during a cyber incident.
  CSIRT: Perform the technical response activities. Provide hands-on execution of the plan. Verify incident scope. Classify incident. Escalate incident specifics. Perform technical response.
  Entity Legal, Privacy, & Comms: Evaluate impact to regulatory and third-party obligations. Be prepared to notify CHP. Privacy breach notification process (internal and external).*
  CIR Leadership: Validate scope. Evaluate containment strategies. Provide incident details and status to executive leadership. Coordinate incident response efforts with Agency and State leadership, to include CISO and CHP through the Cal CSIR.*
  Entity Business Leadership: Ensure the Incident Response Plan considers impact on critical business processes and functions. Ensure recovery efforts prioritize critical processes and applications.*
  State Entity Leadership: Request incident specifics including affected systems, data and severity. Ensure recovery efforts are focused on critical processes and applications. Coordinate communication messaging to internal and external audiences.
The way to avoid what is strong is to strike at what is weak. - Sun Tzu
Cyber Incident Response Case Study: Navy-Marine Corps Intranet (NMCI)
(Diagram labels, layered defenses from outermost to innermost)
  National Global Defenses/Intelligence: National Security Agency; Defense Information Systems Agency; DoD boundary (.mil domain)
  Navy Global Defenses (10th Fleet): Navy Cyber Task Forces; Navy boundary (navy.mil domain, NMCI)
  Fleet/Strike Group: Strike Group point defense; Internet access points
  Tiers I, II and III; Adversary
Do not spare any reasonable expense to come at early and true information. - George Washington
With a clever strategy, each action is self-reinforcing. Each action creates more options that are mutually beneficial. - Max Mckeown
A leader is a man who can adapt principles to circumstances. - Gen. George S. Patton
If words of command are not clear and distinct, if orders are not thoroughly understood, the general is to blame. -Sun Tzu
I should endeavor to acquire as thorough a knowledge of the principles of war and to train myself in their application by playing competitive war games. - Admiral William Sims
Cyber wargaming
Cyber wargaming is an interactive technique that immerses potential cyber-incident responders in a simulated cyber scenario to help organizations evaluate their cyber incident response preparedness.

Cyber wargames drive improvements in cyber resiliency, including:
  - Stronger response capabilities aligned towards mitigating the highest-impact risks of a cyber incident
  - Broader consensus on the appropriate strategies and activities to execute cyber incident response
  - Improved understanding of the people, processes, data, and tools needed to respond to a cyber incident
  - Better identification of gaps in cyber incident response people, processes, and tools
  - Enhanced awareness of the downstream impacts of cyber incident response decisions and actions
  - Tighter integration between parties likely to be collectively involved in the response to a cyber incident
  - Improved clarity regarding ownership of authority related to certain key cyber incident response decisions
  - Reduced time-to-response through the development of cyber incident response muscle memory

Wargames lead to deeper, broader lessons learned as compared to traditional cyber assessments and tabletop exercises.
Copyright 2016 Deloitte Development LLC. All rights reserved.
Crawl - Walk - Run - Sustain
The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him. - Sun Tzu
We have met the enemy and they are ours - Oliver Hazard Perry
John Gelinne
Managing Director, Deloitte & Touche LLP
jgelinne@deloitte.com
www.linkedin.com/in/jgelinne
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.com/about for a detailed description of DTTL and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.