INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft


Automate Response

Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use within your security response team. We hope you find it valuable and ask that you share it with the rest of your organization so you can collectively be successful in managing incidents and reducing risk throughout the business.

Your playbook overview - Data Theft

Did you know?
- In 2014, incidents increased by 78% since 2013. [1]
- 1,023,108,627 records were breached in 2014. [1]
- 54% of the breaches consisted of identity theft. [1]
- $3.5 million is the average cost of a breach for a company. [2]
- Companies experience an average of 10 unauthorized access incidents per month. [2]
- Malicious insiders and criminal attacks are the top causes for breaches. [2]

Phases: Prepare, Detect, Analyze, Contain, Eradicate, Recover, Post-Incident

Incident Response: A Top Priority in Security Management Programs

In its April 2014 report (GAO-14-354), the U.S. Government Accountability Office noted that major federal agencies did not consistently demonstrate that they are effectively responding to cyber incidents (a security breach of a computerized system and its information). The GAO projected that these agencies did not completely document actions taken in response to detected incidents. While the agencies identified the scope of an incident, they frequently did not demonstrate that they had determined the impact of an incident, nor did they consistently demonstrate how they had handled other key activities, such as whether preventive actions to prevent the recurrence of an incident were taken. The GAO notes that without complete policies, plans, and procedures, along with appropriate oversight of response activities, agencies face reduced assurance that they can effectively respond to cyber incidents. [3]

Sources:
1. Gemalto - Breach Level Index
2. Ponemon 2014 Cost of a Data Breach
3. GAO-14-354, p. 2

To learn more about playbooks and incident response, visit IncidentResponse.com

What is an incident response playbook?

According to NIST Special Publication 800-61, an incident response process contains four main phases: preparation, detection and analysis, containment/eradication/recovery, and post-incident activity. Descriptions for each are included below:

Prepare
The initial phase, where organizations will perform preparatory measures to ensure that they can respond effectively to incidents if and when they are uncovered.

Detect & Analyze
The second phase, where organizations should strive to detect and validate incidents rapidly because infections can spread through an organization within a matter of minutes. Early detection can help an organization minimize the number of infected systems, which will lessen the magnitude of the recovery effort and the amount of damage the organization sustains as a result of the incident.

Contain, Eradicate & Recover
The third phase, containment, has two major components: stopping the spread of the attack and preventing further damage to systems. It is important for an organization to decide which methods of containment to employ early in the response. Organizations should have strategies and procedures in place for making containment-related decisions that reflect the level of risk acceptable to the organization.

Post-Incident Handling
Because the handling of malware incidents can be extremely expensive, it is particularly important for organizations to conduct a robust assessment of lessons learned after major malware incidents to prevent similar incidents from occurring.

Data Theft

You've selected the Data Theft playbook. On the pages that follow, you will find your incident response playbook details broken down by the NIST incident handling categories. To view your playbook online, visit https://incidentresponse.com/playbooks/data-theft

PREPARE - DATA THEFT

Determine Core Ops Team & Define Roles:
- Vulnerability Manager
- Threat Manager
- Risk Manager
- User Manager
- Physical Security
- Key Stakeholders

Review & Maintain Timeline

Interviews

Document Internal Path
Document External Path

DETECT - DATA THEFT

Define Threat Indicators (Standard / Custom Indicators):
- Emails returned as undeliverable due to size limitations
- Identification or publication of proprietary information outside the organization
- Large data dumps of databases, network shares or other computer systems
- Local disk or network shares that are near full capacity
- Notification of extortion in order to recover stolen data
- Reporting of large emails being sent by a single user
- Work performed outside of normal business hours
- Reports of removable and/or mobile devices being used to copy data

Categorize Incident

Request Packet Capture

Conduct Scans

ANALYZE - DATA THEFT

Define Risk Factors (Standard / Custom Factors):
- Stolen data is damaging to business operations or the brand of the organization
- Internal user PII or other protected information has been stolen
- External user PII or other protected information has been stolen
- PII or other protected information has been compromised
- Compliance regulations have been violated
- Public or personnel safety is affected
- Customers are affected by this incident
- Products/goods/services are affected by this attack
- Ability to control/record/measure/track any significant amounts of inventory/products/cash/revenue is lost
- There is indication of who performed the data theft
- There is internal knowledge of this incident
- There is external knowledge of this incident

Determine Patch Methods

Log Collection

Evidence Collection

Data Capture Analysis

- Identify worst-case business impact if unable to mitigate this attack
- Identify business operations that may be affected and identify any alternate courses
- Identify business implications of the Data Theft
- Identify additional technical implications of the Data Theft
- Determine risk of the stolen data being released to the public

CONTAIN - DATA THEFT

Identify the system(s) that have been affected:
- Servers
- Desktop
- Laptop
- Mobile
- VM
- LDAP Directory

- Identify user credentials compromised or at risk
- Identify method used to steal data
- Identify systems used to steal data
- Identify any source attribution collected
- Identify lateral movement of compromised users throughout the enterprise

Identify the tools used to detect the attack:
- SIEM
- IDS
- Firewall
- Scanners
- Antivirus
- Removable Device Monitors

Databases and logs consulted: Incident Database, Threat Database, Vulnerability System, Logs
Query steps: Select Database, Query Database, Generate Report, View Report, View Record Details, Select Records, Copy Record Details

ERADICATE - DATA THEFT

Triage & Confirm Incident Report

Request System Patch

Test Code

Contain Malicious Code Sample

Communications:
- Direct Phone Call
- Conference Call
- In-Person Meeting
- Intranet Meeting
- Mobile Messaging
- Internet Meeting

Eradicate Malware

Add/Change/Remove Affected System/Site/Network

- Perform data forensics
- Determine method of removing data from the organization's enterprise network
- Monitor network traffic for ongoing theft
- Create alert signatures for suspected data exfiltration
- Prepare to temporarily scan or block all outbound data more than Mb in size
- Implement device control monitoring and control systems
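As an added example (not code from the IncidentResponse.com playbook or from CyberSponse), the Python script below runs a few of the DETECT threat indicators (large emails sent by a single user, work performed outside normal business hours, removable devices used to copy data) together with the ERADICATE step of alerting on oversized outbound transfers, over a handful of constructed log records. The record field names, the size and business-hours thresholds and the sample events are all assumptions made for this example; in practice the thresholds come from your own traffic baseline, and the output feeds the "Categorize Incident" step rather than being an incident by itself.

```python
"""Data-theft indicator checks over constructed log records.

Added example, not part of the IncidentResponse.com playbook. It implements
a few of the playbook's DETECT indicators (large emails sent by a single user,
work performed outside normal business hours, removable devices used to copy
data) and the ERADICATE step of alerting on outbound transfers above a size
threshold. Field names, thresholds and sample events are assumptions made for
this example, not values taken from the playbook.
"""
from collections import defaultdict
from datetime import datetime, time

MB = 1024 * 1024

# Thresholds are assumptions; tune them against your own baseline.
LARGE_EMAIL_BYTES = 25 * MB        # one message at or above this is "large"
USER_DAILY_EMAIL_BYTES = 100 * MB  # total outbound email per user per day
OUTBOUND_FLOW_BYTES = 50 * MB      # one outbound transfer at or above this is flagged
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # Monday to Friday, local time

# Constructed sample events. "kind" selects the check applied to the record.
SAMPLE_EVENTS = [
    {"kind": "email", "ts": "2024-03-04T10:12:00", "user": "alice",
     "to": "partner@example.net", "bytes": 2 * MB},
    {"kind": "email", "ts": "2024-03-04T22:40:00", "user": "bob",
     "to": "bob.personal@example.org", "bytes": 40 * MB},
    {"kind": "email", "ts": "2024-03-04T22:55:00", "user": "bob",
     "to": "bob.personal@example.org", "bytes": 45 * MB},
    {"kind": "email", "ts": "2024-03-04T23:10:00", "user": "bob",
     "to": "bob.personal@example.org", "bytes": 30 * MB},
    {"kind": "usb", "ts": "2024-03-04T23:30:00", "user": "bob",
     "host": "WS-0042", "bytes_written": 900 * MB},
    {"kind": "flow", "ts": "2024-03-05T01:05:00", "src": "10.0.5.17",
     "dst": "203.0.113.9", "bytes_out": 700 * MB},
    {"kind": "flow", "ts": "2024-03-05T09:00:00", "src": "10.0.5.20",
     "dst": "198.51.100.4", "bytes_out": 3 * MB},
]


def after_hours(ts):
    """True if an ISO-8601 timestamp falls on a weekend or outside BUSINESS_HOURS."""
    t = datetime.fromisoformat(ts)
    start, end = BUSINESS_HOURS
    return t.weekday() >= 5 or not (start <= t.time() < end)


def find_indicators(events):
    """Return (indicator, subject, detail) tuples for every record that trips a check.

    The subject is the user for email and removable-device events and the source
    address for network flows, so alerts can later be grouped per actor.
    """
    alerts = []
    per_user_day = defaultdict(int)  # (user, YYYY-MM-DD) -> outbound email bytes
    for e in events:
        if e["kind"] == "email":
            if e["bytes"] >= LARGE_EMAIL_BYTES:
                alerts.append(("large_email", e["user"],
                               f'{e["bytes"] // MB} MB to {e["to"]}'))
            per_user_day[(e["user"], e["ts"][:10])] += e["bytes"]
            if after_hours(e["ts"]):
                alerts.append(("after_hours_activity", e["user"], f'email sent at {e["ts"]}'))
        elif e["kind"] == "usb":
            # Any write to removable media is reported; the playbook treats the
            # use itself as an indicator, not just the volume written.
            alerts.append(("removable_device_copy", e["user"],
                           f'{e["bytes_written"] // MB} MB written on {e["host"]}'))
            if after_hours(e["ts"]):
                alerts.append(("after_hours_activity", e["user"], f'device write at {e["ts"]}'))
        elif e["kind"] == "flow":
            if e["bytes_out"] >= OUTBOUND_FLOW_BYTES:
                alerts.append(("large_outbound_transfer", e["src"],
                               f'{e["bytes_out"] // MB} MB to {e["dst"]}'))
    # Per-user daily totals catch many moderately sized messages as well as one big one.
    for (user, day), total in per_user_day.items():
        if total >= USER_DAILY_EMAIL_BYTES:
            alerts.append(("email_volume_by_single_user", user, f"{total // MB} MB on {day}"))
    return alerts


def summarize(alerts):
    """Group distinct indicator names by subject; a subject tripping several is triaged first."""
    by_subject = defaultdict(set)
    for indicator, subject, _ in alerts:
        by_subject[subject].add(indicator)
    return {subject: sorted(names) for subject, names in by_subject.items()}


if __name__ == "__main__":
    found = find_indicators(SAMPLE_EVENTS)
    for indicator, subject, detail in found:
        print(f"{indicator:28} {subject:12} {detail}")
    print(summarize(found))
```

On the constructed sample, "bob" trips four distinct indicators (three large after-hours emails totalling 115 MB, then a removable-device write), while the 700 MB flow from 10.0.5.17 stands alone; the grouped summary is what a responder would carry into the Categorize Incident and Request Packet Capture steps, since a single indicator on its own (one large email, one after-hours login) is usually benign.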

RECOVER - DATA THEFT

Recover Systems:
- Reimage
- Wipe & Baseline System

IDS/IPS & Firewall Updates

Identify ways to mitigate further removal of data

Incident Remediation:
- Scan host with updated signature
- Scan file share with updated signature
- Remove vulnerabilities & update routers
- Coordinate AV updates to be pushed upon release from AV vendor

POST-INCIDENT - DATA THEFT

Incident Review:
- Electronic Personal Health Information (ePHI) compromised?
- Sensitive Government Information compromised?

Lessons Uncovered:
- Discovery Meeting
- Policy Updates Defined
- Process Updates Defined
- Configuration Updates Defined

Lessons Applied:
- Policies Implemented
- Process Changes Implemented
- Configurations Applied
- Response Workflow Updated

Proactive Response
An automated playbook helps security teams optimize for efficiency and productivity. Your security team has the ability to analyze, detect and prioritize when all pertinent data and multiple security tools are integrated into one system. With one-screen visibility you can identify anomalies, assign tasks, access reporting and communicate across multiple departments effectively for quick responses.

Quick Containment
Time and speed are crucial in assessing the environment and risk in the context of your business. Playbooks give a complete view of the necessary tasks to capture the data needed to support proper recovery and forensics. The efficiency a playbook brings to a security team allows for quick responses: finding the source of the attack, following lateral movement across the organization and taking the proper steps to mitigate damage.

Effective Remediation
Organization and automation are key benefits that result in effective remediation. Automated playbooks help to organize security processes, mitigation plans and smooth communication between multiple departments. By optimizing data collection, analysis, and communications you improve the odds for effective eradication, recovery with integrity and forensic-quality reporting.

Action Plan
Having a view into what is possible is the first step in taking action. The next step is to bring your team together to drive it toward reality. Email this guide to your peers and managers to begin sharing your playbook with them. With this playbook, you will be better prepared to handle the response. To help with the management and automation of this incident response playbook, consider working with CyberSponse and their partners. Come take a look at what they do.

Security Management Benefits
- Be prepared to handle any incident your team faces
- Control the situation, minimizing the impact to the business
- Efficiently manage your response across multiple departments
Useful Links: NIST Incident Handling Guide; SANS Incident Handler's Handbook

Risk Management Benefits
- Communicate effectively to ensure risk mitigation methods are applied
- Prioritize resources and activities where they matter most
- Report and tune based on response learning, reducing risk moving forward
Useful Links: NIST Risk Management Framework Guide; Sample Policies and Plans

For additional incident response playbook examples, visit https://www.incidentresponse.com/playbooks