Technology Incident Response and Impact Reduction. May 9, David Litton

Similar documents
Cybowall Solution Overview

Symantec Ransomware Protection

Ransomware A case study of the impact, recovery and remediation events

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

Service Provider View of Cyber Security. July 2017

Assessing Your Incident Response Capabilities Do You Have What it Takes?

Top Ten IT Security Risks CHRISTOPHER S. ELLINGWOOD SENIOR MANAGER, IT ASSURANCE SERVICES

Synchronized Security

You ve Been Hacked Now What? Incident Response Tabletop Exercise

Security & Phishing

Managing IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services

Ransomware A case study of the impact, recovery and remediation events

RANSOMWARE PROTECTION. A Best Practices Approach to Securing Your Enterprise

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Getting over Ransomware - Plan your Strategy for more Advanced Threats

9 Steps to Protect Against Ransomware

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

Security+ SY0-501 Study Guide Table of Contents

2017 Annual Meeting of Members and Board of Directors Meeting

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

Protect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com

Défense In-Depth Security. Samson Oduor - Internet Solutions Kenya Watson Kamanga - Seacom

Take Risks in Life, Not with Your Security

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

Next Generation Enduser Protection

Hello! we are here to share some stories

Incident Response Table Tops

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Incident Response. Is Your CSIRT Program Ready for the 21 st Century?

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

Building Resilience in a Digital Enterprise

THE ACCENTURE CYBER DEFENSE SOLUTION

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

Endpoint Protection : Last line of defense?

CloudSOC and Security.cloud for Microsoft Office 365

Training for the cyber professionals of tomorrow

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Cyber (In)Security. What Business Leaders Need To Know. Roy Luebke Innovation and Growth Consultant. Presented by:

Security Gaps from the Field

ISO27001 Preparing your business with Snare

Symantec & Blue Coat Technical Update Webinar 29. Juni 2017

Cognitive Threat Analytics Tech update

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

OPERATIONS CENTER. Keep your client s data safe and business going & growing with SOC continuous protection

BUSINESS LECTURE TWO. Dr Henry Pearson. Cyber Security and Privacy - Threats and Opportunities.

Restech. User Security AVOIDING LOSS GAINING CONFIDENCE IN THE FACE OF TODAY S THREATS

BOLSTERING DETECTION ABILITIES KENT KNUDSEN JUNE 23, 2016

Cybersecurity. Overview. Define Cyber Security Importance of Cyber Security 2017 Cyber Trends Top 10 Cyber Security Controls

Securing the SMB Cloud Generation

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Dell EMC Isolated Recovery

A Comprehensive Guide to Remote Managed IT Security for Higher Education

Cybersecurity Auditing in an Unsecure World

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Cybersecurity: Achieving Prevailing Practices. Session 229, March 8 Mark W. Dill, Partner and Principal Consultant,

How to Predict, Detect & Stop threats at the Edge and Behind the Perimeter even in encrypted traffic without decryption

Threat Centric Vulnerability Management

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

Security Architecture

QuickSpecs. Aruba IntroSpect User and Entity Behavior Analytics. Overview. Aruba IntroSpect User and Entity Behavior Analytics Product overview

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

KASPERSKY ENDPOINT SECURITY FOR BUSINESS

Managing an Active Incident Response Case. Paul Underwood, COO

South Korea Cyber-attack Heightens Changes in Threat Landscape. Richard Sheng Sr. Director, Enterprise Security, Asia Pacific

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Business continuity management and cyber resiliency

Financial Conduct Authority. Financial Crime : A Guide for Firms

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

CERTIFIED SECURE COMPUTER USER COURSE OUTLINE

The Eight Components of a Strong Cyber Security Defense System

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Intercepting WannaCry

68 Insider Threat Red Flags

Course Outline (version 2)

CYBERSECURITY RISK LOWERING CHECKLIST

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

CTI Capability Maturity Model Marco Lourenco

2016 Tri-State CF Partnership Webinar Series. Cyber Crime Trends a State of the Union April 7, 2016

U.S. State of Cybercrime

Easy Activation Effortless web-based administration that can be activated in as little as one business day - no integration or migration necessary.

SIEM Overview with OSSIM Case Study. Mohammad Husain, PhD Cal Poly Pomona

3 Ways to Prevent and Protect Your Clients from a Cyber-Attack. George Anderson Product Marketing Director Business October 31 st 2017

Why Should You Care About Control System Cybersecurity. Tim Conway ICS.SANS.ORG

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

Speed Up Incident Response with Actionable Forensic Analytics

Splunk. Plataforma de Datos. Denise Roca / Gerente de Software

Automated Threat Management - in Real Time. Vectra Networks

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

Deep instinct For MSSPs

Next Generation Endpoint Security Confused?

Unified Communications Phase 2 Presentation to IT Services Users Group

Cyber Security For Business

SCADA Security: How Do I Know If I ve Already Been Owned?

Real-world Practices for Incident Response Feb 2017 Keyaan Williams Sr. Consultant

Designing and Building a Cybersecurity Program

Securing Industrial Control Systems

Transcription:

Technology Incident Response and Impact Reduction May 9, 2018 David Litton dmlitton@vcu.edu

Incidents and Impacts Yahoo! EQUIFAX MedStar Dyn, Inc. Stolen Data Destroyed Data Lost Service / Availability Possible Stolen Data 2

Intrusion / Cyber Kill Chain Developed by Lockheed Martin, Inc. 3

Important Terms Event: any observable occurrence in a system or network Computer Security Incident: a violation of or imminent threat to computer security policies Escalation Criteria: Who to involve by when and how (Test!) Ransomware: a malicious software or cryptovirology threatening to publish or perpetually block access to data unless a ransom is paid SOC: security operations center Fully Managed SOC-as-a-Service SOC and SEIM outsourced Co-managed SOC-as-a-Service Remote SEIM monitoring Hybrid or Custom Build your own 4

Important Terms (continued) IDS: intrusion detection system (Cisco, TrendMicro, McAfee) IPS: intrusion prevention system (FireEye, Alert Logic, NSFOCUS) File Integrity Monitoring (TripWire, EventSentry, Alien Vault) DLP: data loss prevention (Symantec, TrustWave, Check Point) Virus software: definition-based detection (file hashs) (McAfee) Malware software: (MalwareBytes, Sophos, Webroot, Kapersky) Endpoint Protection: Workstation/Servers via Heuristic / Anomaly Quick note: The importance of workstation and database encryption 5

Security Incident Software SIEM (Security Information and Event Management) Security event collector and correlation tool set Custom / proprietary solution Open Source (OSSEC, SNORT, ELK, PRELUDE, OSSIM) SIM and SEM function together as SIEM SIM - Collector gathers traditional logs then parses, aggregates, and normalizes events (e.g. Syslog and Windows) SEM receives events then correlates, analyses, alerts Examples: ArcSight, Q-Radar, LogRhythm, McAfee, Splunk 6

Possible Devices Connected to SIEM Active Directory/Domain Controllers Firewall Network routers and switches Network event/flow monitoring devices Virus software console Operating systems such as Unix/Linux and Windows Database servers Web servers Many use SysLog to store and spool system events 7

Ransomware, Malware, Spyware and How They Enter Your Organization Phishing/Email containing bad URLs and EXEs Surfing infected websites Poor workstation patching including Adobe Flash Administrative accounts on workstations (allow for remote installation of nefarious software) Macros (Microsoft Office/365) Portable storage (CDs, USB drives, etc.) Direct hacks against perimeter servers then used to Worm through the network 8

Phishing / Spearphishing Phishing: Access a victim s personal information through a scam email. Spearphishing: an individually tailored and official-looking e- mails to lure victims to fake websites or open an infected file. Consider administering fake phishing campaigns by ISO/IT VCU PhishingNet: http://phishing.vcu.edu/ Student, faculty and staff training is KEY! 9

NIST Pub 800-61 Computer Security Incident Handling Guide 1. Organizing a Computer Security Incident Response Capability Events and incidents monitoring and identification, respectively Incident response, policy, plan, and procedure creation Incident response team structure 2. Handling an Incident Preparation Detection and analysis Containment, eradication, and recovery Post-incident activity 3. Coordination and Information Sharing Coordination Information sharing techniques Granular information sharing 10

Timeline for Equifax Breach Patch release March 2017 Scan for patch but failed Breach # 3 July 2017 Employee should have patched / patch failed to install Breach # 1 and #2 May 2017 Public Announcement September 2017 11

Controls to Mitigate a Future Equifax or VCU like Data Exfiltrations 1. Database Activity Monitoring to identify copying entire database 2. Better monitoring of network flow(s) 3. Increased network segmentation 4. Effective encryption of the database 5. Patching schedules/logs and patch verification 6. Hardened O/S configuration and remove default passwords 7. Security forensics firm (potentially on retainer) 8. Cyber insurance company involved early 9. Better customer communication (reduce Reputational Risk) 12

Timeline for MedStar Ransomware Breach 2016 Virus Infection Monday, March 27 First MedStar Statement on Computer Downtime Wednesday, March 29 Read med records Other systems still dark Tuesday, March 28 90% system functionality restored Friday, March 31 13

Controls to Mitigate a Future MedStar-like or Other Ransomware Attacks 1. Endpoint protection 2. Updated operating systems 3. Restricting old network communications protocols (SMB v1) 4. Training on phishing 5. Workstation backups or folder redirection (file share policy) 6. External drive restrictions (thumb drives, CDs) 7. Patching schedules/logs and patch verification 8. No world-writable file shares 9. Previous discussion with Board on paying / not paying 14

Intrusion / Cyber Kill Chain Developed by Lockheed Martin, Inc. 15

IR Monitoring and Detection Software Gap Analysis 16

Questions and Comments 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback