The Critical Incident Response Maturity Journey
Why? Why Now? How?
Matthew Gardiner, Sr. Manager, RSA
Our World is Changing Fast: New Threats, New Vulnerabilities, New Assets
Advanced Attackers Are Advanced
Applying Yesterday's Techniques to Today's Problems?
Imagine Defending With a Purely Perimeter-Based Security System
And a Signature-Based System, Meaning You Know Exactly What Your Attackers Look Like in Advance
Organizations That Get This Are Shifting Their Security Investment Priorities

                Today's Priorities    Intelligence-Driven Security
  Prevention    80%                   33%
  Monitoring    15%                   33%
  Response       5%                   33%
SOC/CIRCs Are Moving Up on the Priority List
  - Tier 1 Analyst
  - Tier 2 Analyst
  - Analysis & Tools Support Analyst
  - Threat Intelligence Analyst
  - SOC Manager
Why Have a SOC/CIRC Now? Threats Regularly Overcome Preventive Controls
  1. Targeted: specific objective
  2. Stealthy: low and slow
  3. Interactive: human involvement

Attack timeline: Attack Begins -> System Intrusion -> Cover-Up -> Leap Frog Attacks -> Cover-Up Complete -> Discovery (Attack Identified) -> Response
  - Dwell Time: from Attack Begins to Attack Identified
  - Response Time: from Attack Identified to Response

Two goals: 1. Decrease Dwell Time  2. Speed Response Time
How to Think About Your CIRC Maturity? Cliché Alert
How to Think About Your CIRC Maturity? 3 Interdependent Factors: People, Process, Technology
How to Think About Your CIRC Maturity? Three Stages
  1. Ad Hoc Incident Response: part timers; process?; limited visibility
  2. Incident Response as an Emerging Organization: full timers; critical assets; visibility & context
  3. Incident Response as a Key Force in Security: specialized team; continuous improvement; CIRC technology platform
What Does a Mature CIRC Look Like?
  - Tier 1 Analyst
  - Tier 2 Analyst
  - Analysis & Tools Support Analyst
  - Threat Intelligence Analyst
  - SOC Manager
How to Improve Your CIRC Maturity?
People
  - Focus on creating a couple of CIRC rockstars
  - Specialize from there as you staff up
  - Use service providers judiciously to fill gaps
  - RSA provides a 5-course analyst education series
Processes
  - Create them, document them, learn from actual incidents, adjust them, repeat
  - Simulate an incident and your response; address the gaps
  - Measure your CIRC on an ongoing basis!
  - RSA Advanced Cyber Defense provides breach readiness, IR, and SOC design services
RSA's CIRC Technology Platform
  - Sources of Context: CMDB/Assets, Hosts, Data Discovery/DLP, Vulnerability, Identity, Directory Services
  - RSA Security Operations Management: Incident Mgmt., Breach Mgmt., SOC Program Mgmt., Risk Mgmt.
  - RSA Security Analytics (SIEM)
  - RSA ECAT
  - RSA Live Threat Intelligence: Threat Intelligence, Rules, Parsers, Alerts, Feeds, Apps
  - Reports and Custom Actions
This session is largely pulled from this white paper: http://www.emc.com/collateral/white-papers/h12651-wp-critical-incident-response-maturity-journey.pdf
Some Suggested Follow-On Actions
  - Attend the following sessions in the SOC track
  - Get my white paper (it is free!)
  - Use the assessment framework to benchmark your CIRC
  - Check out the following industry analysts: Gartner (Anton Chuvakin & Neil MacDonald), Forrester (Rick Holland), Securosis (Mike Rothman), ESG (Jon Oltsik)
THANK YOU