Incident Command: The far side of the edge

Similar documents
A company built on security

Addressing Vulnerabilities By Integrating Your Incident Response Plans. Brian Coates Enaxis Consulting

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

locuz.com SOC Services

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

CYBER RESILIENCE & INCIDENT RESPONSE

Department of Management Services REQUEST FOR INFORMATION

American Association of Port Authorities Port Security Seminar & Expo Cyber Security Preparedness and Resiliency in the Marine Environment

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

REAL-WORLD STRATEGIES FOR MEDICAL DEVICE SECURITY

Security Incident Management in Microsoft Dynamics 365

Major Information Security Incident POLICY TITLE:

Cybersecurity Overview

Cyber Security Program

Heavy Vehicle Cyber Security Bulletin

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Cyber Security Incident Response Fighting Fire with Fire

INTEGRATION BRIEF DFLabs and Jira: Streamline Incident Management and Issue Tracking.

External Supplier Control Obligations. Cyber Security

Introduction to Business continuity Planning

Securing Dynamic Data Centers. Muhammad Wajahat Rajab, Pre-Sales Consultant Trend Micro, Pakistan &

Effective Cyber Incident Response in Insurance Companies

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

Mission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

Appendix 3 Disaster Recovery Plan

OPERATIONS CENTER. Keep your client s data safe and business going & growing with SOC continuous protection

Security Awareness Training Courses

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Threat Centric Vulnerability Management

BHConsulting. Your trusted cybersecurity partner

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

Twilio cloud communications SECURITY

MassMutual Business Continuity Disclosure Statement

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Digital Health Cyber Security Centre

Jeff Wilbur VP Marketing Iconix

Table of Contents. Sample

Railroad Infrastructure Security

Best Practices for Campus Security. January 26, 2017

It s Not If But When: How to Build Your Cyber Incident Response Plan

Incident Response Services

European Union Agency for Network and Information Security

INTELLIGENCE DRIVEN GRC FOR SECURITY

Cyber Security Congress 2017

Member of the County or municipal emergency management organization

Managed Enterprise Phishing Protection. Comprehensive protection delivered 24/7 by anti-phishing experts

Cyber Resilience - Protecting your Business 1

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Make IR Effective with Risk Evaluation and Reporting

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Cybersecurity Fundamentals Paul Jones CIO Clerk & Comptroller Palm Beach County CISSP, ITIL Expert, Security+, Project+

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

The HIPAA Omnibus Rule

Ten Ways to Prepare for Incident Response

Data Breach Preparation and Response. April 21, 2017

You ve Been Hacked Now What? Incident Response Tabletop Exercise

INCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER

TSC Business Continuity & Disaster Recovery Session

How NSFOCUS Protected the G20 Summit. Guy Rosefelt on the Strategy, Staff and Tools Needed to Ensure Cybersecurity

The Common Controls Framework BY ADOBE

Canada Life Cyber Security Statement 2018

Why you should adopt the NIST Cybersecurity Framework

Big data privacy in Australia

Section One of the Order: The Cybersecurity of Federal Networks.

CompTIA CASP (Advanced Security Practitioner)

Cybersecurity Today Avoid Becoming a News Headline

Evolution of a Phish That Got Through the Net[work]

How to Conduct a Business Impact Analysis and Risk Assessment

ABB Ability Cyber Security Services Protection against cyber threats takes ability

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Cybersecurity governance in Europe. Sokratis K. Katsikas Systems Security Laboratory Dept. of Digital Systems University of Piraeus

IBM Resilient Incident Response Platform On Cloud

SECURITY SERVICES SECURITY

INTRODUCTION: DDOS ATTACKS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

MITIGATE CYBER ATTACK RISK

CYBER CAMPUS KPMG BUSINESS SCHOOL THE CYBER SCHOOL FOR THE REAL WORLD. The Business School for the Real World

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

85% 89% 10/5/2018. Do You Have A Firewall Around Your Cloud? Conquering The Big Threats & Challenges

The Emerging Role of a CDN in Facilitating Secure Cloud Deployments

Cyber Insurance: What is your bank doing to manage risk? presented by

Manage your response. Inform your people. Make it happen. IBM Crisis Management Services Incident Communication Services

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

An Internet of Governments: How Policymakers Became Interested in Cyber. Maarten Van Horenbeeck, FIRST Klee Aiken, APNIC

SECURITY INCIDENT MANAGEMENT. Solution Primer. Jenn Black. Senior Research AnalystSolutions Research and Development Office of the CISO, Optiv

Security

Traditional Security Solutions Have Reached Their Limit

Security and Privacy Governance Program Guidelines

Cyber Risks in the Boardroom Conference

MARCH 2016 ONE BILLION COALITION FOR RESILIENCE

Transcription:

Incident Command: The far side of the edge Lisa Phillips Tom Daly Maarten Van Horenbeeck

30 POPs; 5 Continents; ~7Tb/sec Network

Inspiration

Program Goals FEMA National Incident Management Fire Department and Police Business Crisis Management Technology Peers who came before us

Incidents Fastly sees a variety of events that could classify as an incident Distributed Denial of Service attacks Critical security vulnerabilities Software bugs Upstream network outages Datacenter failures Third Party service provider events Operator Error

What you defend against It s helpful to categorize: Issues that affect reliability of the CDN Issues that affect security of customer data and traffic or the business Both require very different handling, and addressing them requires a different approach ( minimize harm ) Events happen at various levels of customer impact and business risk. While teams can deal with some events autonomously, others require more high level engagement and coordination

Identifying the issue Fastly does not have a NOC We have several team-monitored systems, in addition to some critical cross-business monitoring Ganglia / Icinga ELK Stack Graylog Third party service providers (e.g. Datadog, Catchpoint) Immediate escalation to engineers is needed Engineering teams must own their own destiny and have control over their alert stream. When they don t respond, they are empowered to improve

People It s all about having the right people at the right time engaged Engineers have human needs Private space and time is a necessity Randomization costs more than just the time spent on an interruption Minimize thrash by being specific about inclusion Teams have individual pager rotations Company maintains a company wide pager rotation (Incident Commander) Global Customer Service Focused Engineers

Incident Commander Deep systems understanding of Fastly Well versed in each team s role and its leaders Organizational Trust Focuses on: Coordinating actions across multiple responders; Alerting and updating stakeholders or during major events; designating a specific person to do so; Evaluate the high-level issue and understand its impact; Consult with team experts on necessary actions; Call off or delay other activities that may impact resolution.

Communicating status Identify audiences Customers Our Customers Customers Executives Investors and other interested parties The rest of the company Identify quickly the questions that need answering, and communicate effectively to address them Think through rude Q&A : it helps you respond to the incident better! Ensure communication channels are highly available

Continuous improvement Every incident is logged and tracked in JIRA Incident Commander or executive leader owns generating an Incident Report and if necessary, a service/security advisory Five why s! Intermediate answers help identify mitigation strategies Final answer tells us the root cause we need to address Some mitigations are no longer part of the incident. Be clear where you cut off into new projects, and who owns them

How we put it together!

Incident Response Framework Develop definitions of impact Define severity levels Define response and communication requirements Define post-incident activities

Incident Response Process

Exercises Regular incident reviews Review with all commanders past incidents, ensure documentation is upto-date, and there s an open forum to review interaction Regular training Onboarding of new Incident Commanders Walkthrough of the process Table top exercises Scenario written by an incident commander, with input from a small group of partner teams, focusing on worst cases Group walkthrough Document inefficiencies and mitigation plans

Security Incident Response Plan Employees trained to always invoke IC Anyone can invoke the Security Incident Response Plan (SIRP) by paging the security team Split responsibilities but close coordination: IC focuses on restoring business operations and reducing customer impact SIRP focuses on investigating the security incident, and ensuring security impact is directly communicated to executive levels IC typically has priority on restoring operations. When IC action has security implications SIRP guarantees appropriate escalation

Security Incident Response Plan Security Incident Response Plan convenes a group of executives: Marketing IT Business Operations Engineering Security HR Legal Process is owned by the Chief Security Officer, who reports to CEO

Security Incident Response Plan Phase I: Incident Reporting Phase II: SIRT notification Phase III: Investigation Phase IV: Notification

Case study: Breach at a supplier

Saturday morning e-mail

Vendor security breach DataDog notification received via e-mail 13:24 GMT: Escalation to the security team 13:38 GMT: IC is engaged Initial assessment and questions Partner has suffered a security incident Potential disclosure of metrics data Rotation of credentials is required Initial action items Engage appropriate teams: SRE and Observability Implement Incident Command bridge and meetings Plan for rotation of keys, as advised by vendor Identify all locations where keys are in use

Vendor security breach 13:46 GMT: SIRT is engaged Initial assessment and questions Vendor has suffered a security incident Has the vendor contained the incident? What data do we store with the vendor? How are customers affected? Initial action items Outreach to vendor to understand scope Identify data stored at vendor Investigate customer use of vendor product

Vendor security breach Addressing Fastly s internal use of the vendor 14:10 GMT: All use of API keys across Fastly is identified 14:30 GMT: Plan of action is defined to rotate keys 15:45 GMT: Production keys have been revoked 16:05 GMT: All other integrations have been disconnected. 17:05 GMT: IC is shut down as imminent risk has been addressed. Identify and mitigate customer exposure and security exposure 14:30 GMT: Scope of customer API exposure is identified. 15:05 GMT: SIRT is virtually convened.

Vendor security breach Identify and mitigate customer exposure and security exposure 15:10 GMT: Plan in place to identify and contact all affected customers, and notify them of potential API key exposure. 00:07 GMT: Customers have been warned and made aware of new product features that limit key exposure. Regular check-ins to measure compliance with the customer notification. Based on information available, deep dive into Fastly s network assets to review whether a similar attack could have affected us.

Vendor security breach Incident Command: mitigate immediate business impact

Vendor security breach Security Incident Response Plan: Identify exposure of customer information, coordinate containment, mitigation and customer notification

Vendor security breach: lessons learned Identify automated methods for core vendors to report incidents; Create partnership models that enable secure integrations; When sharing data with a supplier, you continue to own making sure the data is secure; Educate customers on how to use features securely.

Case study: Denial of Service

Sunday Morning DDoS (and Coffee)

Sunday Morning DDoS March 6, 2016: 16:50 GMT: Monitoring systems detect problems in Frankfurt POP 16:52 GMT: Monitoring systems detect problems in Amsterdam POP 16:53 GMT: Incident Command initiated 16:58 GMT: Status posted reflecting impact to EU performance 17:00 GMT to 04:50 GMT+1d: Bifurcation / isolated based mitigation across POPs March 7, 2016 Ongoing: DDoS flows move to Asia POPs 04:50 GMT: Mitigations hold; attack subsides 04:55 GMT+1d: Incident Command concluded

DDoS: Characteristics Shape shifting, with a mix of: UDP floods; notably DNS reflection TCP ACK floods TCP SYN floods Internet Wide Effects: Backbone congestion Elevated TCP Retransmission We saw a few hundred Gb/ssec, but it was quite likely more than that...

DDoS: Retrospective Incident Command: ensure ongoing CDN availability and reliability Security Incident Response Plan: Engage security community to identify flow sources; bad actors; malware; and future capabilities. Lessons learned: Pre-planned bifurcation techniques proved invaluable in time to mitigate Mitigation options were limited by IP addressing architecture DDoS can often mask other system availability events Improvements: Separation of Infrastructure and Customer IP addressing; as well a DNSbased dependencies Continued threat intelligence gathering to understand future TTP vectors Emphasis on team health for long running events; rotations and food.

Lessons Start with the basics Incident discovery Incident management runbooks Clear communication, both up and down A strong focus on post-mortem Empower your engineers to deal effectively with workload Continue to let incidents teach you Partner closely with all stakeholders

Q&A lisa@fastly.com tjd@fastly.com maarten@fastly.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback