Nebraska CERT Conference

Similar documents
locuz.com SOC Services

CCISO Blueprint v1. EC-Council

Department of Management Services REQUEST FOR INFORMATION

Security Solutions. Overview. Business Needs

Cybersecurity: Incident Response Short

NCSF Foundation Certification

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Cisco Cyber Range. Paul Qiu Senior Solutions Architect June 2016

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Technology Risk Management and Information Security A Practical Workshop

Cyber Security Program

K12 Cybersecurity Roadmap

Continuous protection to reduce risk and maintain production availability

Designing and Building a Cybersecurity Program

Automating the Top 20 CIS Critical Security Controls

Information Security Management System

SECURITY & PRIVACY DOCUMENTATION

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

NCSF Foundation Certification

Information Security Risk Strategies. By

BUILDING AND MAINTAINING SOC

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

CISO as Change Agent: Getting to Yes

CIRT: Requirements and implementation

SECURE SYSTEMS, NETWORKS AND DEVICES SAFEGUARDING CRITICAL INFRASTRUCTURE OPERATIONS

Cyber Resilience. Think18. Felicity March IBM Corporation

Objectives of the Security Policy Project for the University of Cyprus

align security instill confidence

Certified Information Security Manager (CISM) Course Overview

RSA IT Security Risk Management

INTELLIGENCE DRIVEN GRC FOR SECURITY

Case Study: The Evolution of EMC s Product Security Office. Dan Reddy, CISSP, CSSLP EMC Product Security Office

IT risks and controls

Bringing Cybersecurity to the Boardroom Bret Arsenault

Information Security Architecture Gap Assessment and Prioritization

Security analysis and assessment of threats in European signalling systems?

Consolidation Committee Final Report

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Securing Your Digital Transformation

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

Cyber Security For Business

Ensuring System Protection throughout the Operational Lifecycle

SIEM: Five Requirements that Solve the Bigger Business Issues

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Brad Boroff, CISA CRISC Chief Information Security Officer Illinois Department of Revenue

Vulnerability Management Policy

Business continuity management and cyber resiliency

ISE North America Leadership Summit and Awards

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Reinvent Your 2013 Security Management Strategy

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

Cyber Risks in the Boardroom Conference

Converged security. Gerben Verstraete, CTO, HP Software Services Colin Henderson, Managing Principal, Enterprise Security Products

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

FOR FINANCIAL SERVICES ORGANIZATIONS

Rethinking Information Security Risk Management CRM002

Building a Resilient Security Posture for Effective Breach Prevention

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Cyber Criminal Methods & Prevention Techniques. By

CA Security Management

Incident Response. Is Your CSIRT Program Ready for the 21 st Century?

to Enhance Your Cyber Security Needs

Transforming Security Part 2: From the Device to the Data Center

Network Security Whitepaper. Good Security Policy Ensures Payoff from Your Security Technology Investment

External Supplier Control Obligations. Cyber Security

THE TRIPWIRE NERC SOLUTION SUITE

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Security Incident Management in Microsoft Dynamics 365

Vulnerability Assessments and Penetration Testing

Cyber Security Audit & Roadmap Business Process and

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

IBM Security Vaš digitalni imuni sistem. Dejan Vuković Security BU Leader South East Europe IBM Security

Global Security Consulting Services, compliancy and risk asessment services

Information Technology General Control Review

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

CYBER RESILIENCE & INCIDENT RESPONSE

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

CSIRT SERVICES. Service Categories

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

CoreMax Consulting s Cyber Security Roadmap

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak

RSA NetWitness Suite Respond in Minutes, Not Months

Skybox Security Vulnerability Management Survey 2012

Automated Firewall Change Management Securing change management workflow to ensure continuous compliance and reduce risk

Choosing the Right Security Assessment

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Defense in Depth Security in the Enterprise

Overview of the. Computer Security Incident Response Plan. Process Resource Center

CYBERSECURITY MATURITY ASSESSMENT

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Transcription:

Nebraska CERT Conference Security Methodology / Incident Response Patrick Hanrion Security Center of Excellence Sr. Security Consultant

Agenda Security Methodology Security Enabled Business Framework methodology Incident Response Incident Response methodology IR lifecycle Proactive Reactive Remediation Measurement Incident Remediation

Security Enabled Business

Information Security Mission Manage IT security risks to an acceptable level by systematically assessing, communicating and mitigating risks to digital assets Audit Assess Risk Functional Areas Monitor & Response Define Policy

Security Enabled Strategy & IT Governance A word on governance... Security Strategy is a subset, not a substitute, for overall IT Governance IT Governance sustains and extends enterprise strategies and objectives* Strategic Alignment Risk Management Resource Management Performance Measurement IT Governance is essential, but out of scope here This briefing focuses on identifying specific security strategies to help you manage IT risk * source: Institute for IT Governance, 2003

Why We Discuss Security Strategy Security Strategy is: A foundation for deploying tactical solutions to manage risks Define why security is important Identify solution priority and value Define solution scope & success factors Needed to align IT Security to Enterprise objectives Blueprint for a comprehensive IT security program Including Incident Response

IT Security Strategy Executing on the Mission Business Drivers Why is security important? Risk Management What are the priorities? Control Solutions How best to mitigate? How best to respond? Measure How effective are we? Business Drivers Measurement Risk Management Solutions Prevent Detect Respond

Security Enabled: Business Drivers Align with overall Business Objectives Communicates why security is important to the business: Reduce Cost Protect Assets Regulatory Requirements Enable the Business Drivers defined at executive level Defines primary inputs into Risk Management Process Identify Critical Assets & Business Functions Define Risk Tolerance i.e. Acceptable Risk Acceptable levels of business risk against cost of IT

Security Enabled: Risk Management Goal Prioritize IT security risks Select and justify expenditures Develop ROI Risk Management Process Identify threats & vulnerabilities Determine impact Estimate likelihood Enable cost/benefit analysis to select best solution to mitigate risk Risk Management Outputs Current security risks Optimal Security Solutions to mitigate risk

High Understanding Risk Levels Unacceptable Risk Risk Management Impact to business Defined Risk Tolerance Level Solution Malware Threat Malware Threat Acceptable Risk Low Probability of exploit High

Security Enabled: Solutions Solutions encompass people, process, technology to manage risk Microsoft Solutions include Microsoft Products, Services, and Training Microsoft Partner Products and Services as needed Solutions can be mapped to ISO 17799 Because 17799 provides comprehensive IT Security view Solutions can be organized into standard control buckets Prevention Detection Response

Security Solutions Framework Malware Protection Internal abuse External Intruders Regulatory Reqs. Business to Employee Business to Business Business to Consumer Application Dev. Security Policy ISO/ISE 17799:2005(E) Security Control Clauses Security Org. Asset Mngmnt. P, P, P, P, P, P, P, P, HR Security Physical Security Comm. & Operations P, P, P, P, P, P, P, P, Access Control P, P, P, P, P, P, P, P, System Dev/Mntc. P, P, P, P, P, P, P, P, Incident Mngmnt. Business Continuity Compliance LEGEND P MS PRODUCTS S MS SERVICES & SUPPORT G MS GUIDANCE & TRAINING MS PARTNER OFFERINGS AVAILABLE

Security Enabled: Measurement Measure effectiveness of specific security solutions Monitor return on security investment Scorecards for executive summaries Understand enterprise risk posture Current risk levels Drives future focus and investment Demonstrate progress toward security objectives Internal gap and trend analysis Compare against Best Practices External analysis across industry and standards

Security Strategy Deliverables Business Priorities Critical Functions Risk Tolerance Solution Effectiveness Enterprise Effectiveness Comparisons Business Drivers Measurement Risk Management Solutions Prevent Detect Respond Existing risks Solution requirements Expenditure Justification Metrics Targets Actuals

Incident Response

Why do we need Incident Response? IT Security Mission: manage risk, not eliminate risk Incidents will happen Incident response is a control strategy to deal with security events Events that were deemed acceptable Unforeseen events Control failures

Incident Categories Denial of Service an attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources Malicious Code a virus, worm, Trojan horse, or other code-based malicious entity that infects a host Unauthorized Access a person gains logical or physical access without permission to a network, system, application, data, or other resource Inappropriate Usage a person violates acceptable computing use policies Multiple Component a single incident that encompasses two or more incidents.

Incident Detection Network and host based IDS(Intrusion Detection Systems) Antivirus software File and system integrity checking software System service and application log files Network device logs Honeypots Exploit databases and alert tools Security aware system administrators Security aware users Outsource partners

Incident Lifecycle Analysis Before you can act you need to understand the attack Containment Segmentation, Removal, Monitoring Reporting Communicate to management Planning Plan how to remove the intruder Remediate the incident

Analysis Forensics Support organizations Government Intrusion Detection

Containment Segmentation Antivirus IPSec Firewalls Disconnect Rebuild infected systems

Reporting Communication to: Management Press Government

Planning Remove the intruder Understand exploit Stop attack vectors Remediate the incident Create a trusted zone

Incident Remediation

High Understanding Risk Levels Unacceptable Risk Risk Management Impact to business Defined Risk Tolerance Level Solution Malware Threat Malware Threat Acceptable Risk Low Probability of exploit High

Remediation This is where you actually fix the problem Install AV Remove exploits Rebuild systems Some times the hardest for organizations to accept

Proactive Monitor and prevent incidents Monitor IDS Log Management Systems Management Etc Prevent FW IPSEC Certificate usage Etc

MS IT approach to identified risks MS IT Primary Risks and Tactics Enterprise Focus Areas Tactical Solutions Unpatched Devices Unmanaged Devices Host Authorization Remote & Mobile Users Single-Factor Authentication Security Initiatives Host Compliance Management Network Segmentation via IPSec Secure Remote Access 2-Factor for RAS & Administrators Host Security Windows XP SP2

Success Factors Executive sponsorship Overcome denial and blame Fix the problem Internal expertise Roles and Responsibilities

Success Factors Overcome denial and blame Executive sponsorship Business Drivers Roles and Responsibilities Risk Management Internal expertise Measurement Solutions Fix the problem Prevent Detect Respond

Case Study You ve been Hacked!

Company X Scenario We have 4 subsidiaries in the company Sub 1 makes bombs for the government Sub 2 makes consumer electronics Sub 3 makes shoes Sub 4 makes fishing poles We outsource most of our sub 1 infrastructure to a third party, All other subs manage their own infrastructure Our infrastructure outsourcing company has discovered a root kit on some key servers in sub 1 The outsourcer has invited a few other consulting partners in on this incident and they have spent the past few months watching the hacker make moves on honey pots etc

Company X scenario continued They have identified that the hacker entered the infrastructure via sub 3 Security consultants are invited to help with this incident by the outsourcing partner, after 2 months pass with no resolution The outsourcing partner was frustrated because they were blamed for the incident but were not able to resolve the issues because the initial breach was not under their control. One of the 4 consulting companies has worked to take a leadership role in the engagement and proposes a 5 firewall 3 DMZ model which they say will resolve the issue

Company X situation Business Drivers Risk Management Measurement Solutions Prevent Detect Respond

High Understanding Risk Levels Unacceptable Risk Risk Management Impact to business Defined Risk Tolerance Level Solution Malware Threat Malware Threat Acceptable Risk Low Probability of exploit High

What was the resolution? Roles and Responsibilities need to be solidified Someone needs to take responsibility for the overarching security of the system and manage both sub 1 and 3. Create a short term plan to: Stop the breach Manage all of the involved teams Create a long term plan to: Rebuild systems Create a risk modeling team Create a risk management program Create an incident response program

Company Y situation Business Drivers Risk Management Measurement Solutions Prevent Detect Respond

Company Z situation Business Drivers Risk Management Measurement Solutions Prevent Detect Respond

Reference CSIRT Handbook http://www.sei.cmu.edu/publications/documents/9 COBIT http://www.isaca.org/cobit Microsoft security http://www.microsoft.com/security

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback