Cyber Information Sharing
Renault Ross, CISSP, MCSE, CHSS, VCP5, Chief Cybersecurity Business Strategist
Ian Schmertzler, President
Know Your Team Under Pressure
Trust Your Eyes
Know the Supply Chain
Have Secondary Comms
Do it Right, Make it Here
What to share, by telemetry source:
Endpoint: security settings changes; network connections; successful/failed logins; sensitive docs accessed; process behaviors
Firewall: inbound network traffic; outbound network traffic; protocol tunneling activity; administrative activity
Gateway: email metadata; source email server identity; web connection history; inbound attachments; outbound attachments
Server: administrative activity; network connections; successful/failed logins; sensitive docs accessed; compliance status
Each source feeds the same outcome: better protection + remediation.
What sharing enables:
Benchmarking across peers
Industry-targeted attack campaigns
Globally informed solution settings
Endless use cases
Roadmap: today build/acquire, tomorrow partner.
Collect: App Exchange; Social Platform
Capabilities: Unified Incident Mgmt.; Incident Investigation; Interactive Analytics; Risk Analysis
Information Sharing: App Exchange? (mock-up)
Screen: InfoSec Admin Joe Admin (Company 1) logged in; apps browsable by Top Rated, New Releases, Industry and Category; a Developer Zone with a developer tool package, Q&A database and message board.
Listed apps: Load Look (Level2 Studio), C&C Detector (Nova Software), Target Sweep, GO Getit EX, Remotecontrol, Elipse, Strategy, Termin8er, Secure Check (Supercoil Software).
Secure App News: 17 Sep 2014, Load Look by Level2 Studio advances to the next level of protection. 17 Sep 2014, 10 new compliance apps added. 16 Sep 2014, Nova Software contributes robust C&C detection tool. 16 Sep 2014, Supercoil Software enhances security prioritization and checklist features.
Message board: Supercoil Software (1h): "Check out our latest development utilizing aggregated risk analysis tolerance feedback." Super Coil Software (1D): "Dashboard Elite is not all it's cracked up to be, we've hit snags with the custom navigation integration module."
Information Sharing: Social Platform? (mock-up)
Trending post, Joe Admin (Software Developer, verified, 3 hours ago): "We are seeing a lot of instances of foo.exe on our endpoints. Where is it coming from?"
Lisa Andrews (Manufacturing CISOs, 2 hours ago): "Yes. I saw it a few weeks ago. Seems to be related to the earlier attack. I'll ask Dave to send you a source IP we have associated with that executable."
Dave Admin (Manufacturing Admin, 1 hour ago): "Hi Joe, we have traced the origin of foo.exe to the following IP: 172.16.254.1"
Forensic results (verified) attached to Dave's reply:
Connection from SAM_WIN8/SPY.EXE to 172.16.254.1 at 6:18:08 pm on 10/6/14
File TED_WIN7/BOT.EXE retrieved from 172.16.254.1 at 8:20:10 am on 10/24/14
Connection from SALLY_ANDROID_1 to 172.16.254.1 at 4:24:08 pm on 11/6/14
Indicator card: Source 172.16.254.1 (IP address); Type: verified; Origin: unknown.
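The thread above shares one IP and three executable names. As an added example (not code from the slides or from Symantec), here is how the receiving team would sweep its own endpoint telemetry for those indicators. The indicator list and the telemetry lines are constructed, in the format the forensic results use, and the RFC 1918 check is the caveat a practitioner would add: 172.16.254.1 is a private address, so when another organisation shares it, it identifies a host on their network, not on yours, and an IP-only match is weak evidence.

```python
"""Sweep endpoint telemetry for an indicator shared by a peer.

Added example, not code from the slides or from Symantec. The line format
mirrors the forensic results in the mock-up thread; the indicator list and
the telemetry lines below are constructed for this example.
"""
import ipaddress
import re
from datetime import datetime

# Constructed: the IP Dave posted, plus the executables seen talking to it.
SHARED_IOCS = {
    "ips": {"172.16.254.1"},
    "files": {"foo.exe", "spy.exe", "bot.exe"},
}

# Constructed telemetry in the slide's format, plus lines that must not match.
SAMPLE_LOG = """\
Connection from SAM_WIN8/SPY.EXE to 172.16.254.1 at 6:18:08 pm on 10/6/14
File TED_WIN7/BOT.EXE retrieved from 172.16.254.1 at 8:20:10 am on 10/24/14
Connection from SALLY_ANDROID_1 to 172.16.254.1 at 4:24:08 pm on 11/6/14
Connection from BOB_WIN10/CHROME.EXE to 93.184.216.34 at 9:00:00 am on 11/6/14
File BOB_WIN10/FOO.EXE retrieved from 203.0.113.7 at 9:05:00 am on 11/6/14
not a telemetry line
"""

LINE_RE = re.compile(
    r"^(?:Connection from|File) (?P<host>[A-Za-z0-9_]+)(?:/(?P<proc>\S+))? "
    r"(?:to|retrieved from) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"at (?P<time>\d{1,2}:\d{2}:\d{2} [AaPp][Mm]) on (?P<date>\d{1,2}/\d{1,2}/\d{2})$"
)

# RFC 1918 ranges. A peer's private address only identifies a host on *their*
# network; on yours it is at best a pivot towards a hostname or file match.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Parse one telemetry line; return None for lines not in the expected format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %I:%M:%S %p")
    return {"host": m["host"], "proc": (m["proc"] or "").lower(), "ip": m["ip"], "when": when}


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def sweep(log_text, iocs):
    """Return matching records, oldest first, each with the reasons it matched
    and a 'weak' flag for matches that rest only on a private IP."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["ip"] in iocs["ips"]:
            reasons.append("ip:" + rec["ip"])
        if rec["proc"] in iocs["files"]:
            reasons.append("file:" + rec["proc"])
        if not reasons:
            continue
        rec["reasons"] = reasons
        # An IP-only match on an RFC 1918 address is weak evidence when the
        # indicator came from another organisation's network.
        rec["weak"] = reasons == ["ip:" + rec["ip"]] and is_rfc1918(rec["ip"])
        hits.append(rec)
    hits.sort(key=lambda r: r["when"])
    return hits


def hosts_to_triage(hits):
    """Distinct hosts with at least one non-weak match, in first-seen order."""
    seen = []
    for h in hits:
        if not h["weak"] and h["host"] not in seen:
            seen.append(h["host"])
    return seen


if __name__ == "__main__":
    results = sweep(SAMPLE_LOG, SHARED_IOCS)
    for h in results:
        flag = " (weak: private IP only)" if h["weak"] else ""
        print(f"{h['when']:%Y-%m-%d %H:%M} {h['host']:<16} {', '.join(h['reasons'])}{flag}")
    print("triage:", hosts_to_triage(results))
```

Run as a script it lists the three hosts with strong matches and marks the SALLY_ANDROID_1 line as weak, since that device only matched on the shared private IP. In practice the hostnames and executables travel between organisations; the private IP does not, so ask the sharing peer for a hash or an external address before acting on it.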
STARTING POINT: NIST CSF ADOPTION
Copyright 2017 Symantec Corporation
CSF FUNCTIONS: BUILD PROFILE
Core Functions:
ID Identify: What assets need protection?
PR Protect: What safeguards are available?
DE Detect: What techniques can identify incidents?
RS Respond: What techniques can contain impacts of incidents?
RC Recover: What techniques can restore capabilities?
UNDERSTAND YOUR MATURITY: SELF-ASSESSMENT LED
Identify: ID.AM Asset Management; ID.BE Business Environment; ID.GV Governance; ID.RA Risk Assessment; ID.RM Risk Management Strategy
Protect: PR.AC Access Control; PR.AT Awareness and Training; PR.DS Data Security; PR.IP Information Protection Processes & Procedures
Detect: DE.AE Anomalies & Events; DE.CM Continuous Monitoring; DE.DP Detection Processes
Respond: RS.RP Response Planning; RS.CO Response Communications; RS.AN Response Analysis; RS.MI Response Mitigation; RS.IM Response Improvements
Recover: RC.RP Recovery Planning; RC.IM Recovery Improvements; RC.CO Recovery Communications
Each category is rated on a five-point scale: Not At All / Planned / Partially / Mostly In Place / Optimized
WHERE AM I
Current Profile vs. Target Profile, Function ID (Identify), Category ID.AM (Asset Management):
Subcategory   Current   Target
ID.AM-1       Tier 1    Tier 4
ID.AM-2       Tier 1    Tier 4
ID.AM-3       Tier 2    Tier 2
ID.AM-4       Unused    Unused
ID.AM-5       Tier 4    Tier 4
ID.AM-6       Tier 3    Tier 3
Comparing the two profiles enables a prioritized action plan.
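To turn the current/target comparison into the prioritized action plan the slide mentions, the following is an added example (not Symantec or NIST code). It scores each subcategory by its tier gap and orders the result; the ID.AM rows are taken from the slide as constructed input, and the ordering rule and the handling of unassessed or regressed subcategories are this example's assumptions.

```python
"""Gap analysis between a CSF Current Profile and Target Profile.

Added example, not code from the slides, Symantec or NIST. Tier values
follow the slide (Tier 1-4, or "Unused" where a subcategory is not scored).
The ID.AM rows below are constructed from the slide; the ordering rule and
the handling of unassessed subcategories are this example's assumptions.
"""
from collections import defaultdict

TIER_MIN, TIER_MAX = 1, 4
UNUSED = "Unused"

# Constructed from the slide's ID.AM rows.
CURRENT_PROFILE = {"ID.AM-1": 1, "ID.AM-2": 1, "ID.AM-3": 2,
                   "ID.AM-4": UNUSED, "ID.AM-5": 4, "ID.AM-6": 3}
TARGET_PROFILE = {"ID.AM-1": 4, "ID.AM-2": 4, "ID.AM-3": 2,
                  "ID.AM-4": UNUSED, "ID.AM-5": 4, "ID.AM-6": 3}


def _tier(sub, value):
    """Validate one profile entry: an int in 1..4, or None for Unused."""
    if value == UNUSED:
        return None
    if isinstance(value, bool) or not isinstance(value, int) or not TIER_MIN <= value <= TIER_MAX:
        raise ValueError(f"{sub}: expected Tier {TIER_MIN}-{TIER_MAX} or {UNUSED!r}, got {value!r}")
    return value


def gap_analysis(current, target):
    """Return (actions, issues).

    actions: subcategories whose target tier exceeds the current tier, largest
             gap first (ties broken by subcategory id), i.e. the action plan.
    issues:  inconsistencies a reviewer should resolve before planning.
    """
    actions, issues = [], []
    for sub in sorted(set(current) | set(target)):
        cur = _tier(sub, current.get(sub, UNUSED))
        tgt = _tier(sub, target.get(sub, UNUSED))
        if tgt is None:
            if cur is not None:
                issues.append(f"{sub}: assessed at Tier {cur} but Unused in target; confirm it is out of scope")
            continue
        if cur is None:
            # Assumption: a subcategory in the target that was never assessed
            # is planned from the lowest tier rather than skipped.
            issues.append(f"{sub}: in target (Tier {tgt}) but not assessed; planned from Tier {TIER_MIN}")
            cur = TIER_MIN
        if cur > tgt:
            issues.append(f"{sub}: current Tier {cur} already exceeds target Tier {tgt}; revisit the target")
            continue
        if tgt > cur:
            func, cat = sub.split(".")[0], sub.split("-")[0]
            actions.append({"subcategory": sub, "function": func, "category": cat,
                            "current": cur, "target": tgt, "gap": tgt - cur})
    actions.sort(key=lambda a: (-a["gap"], a["subcategory"]))
    return actions, issues


def rollup(actions, level="category"):
    """Outstanding tier steps summed per category (or per function)."""
    totals = defaultdict(int)
    for a in actions:
        totals[a[level]] += a["gap"]
    return dict(totals)


if __name__ == "__main__":
    plan, problems = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    for i, a in enumerate(plan, 1):
        print(f"{i}. {a['subcategory']}: Tier {a['current']} -> Tier {a['target']} (gap {a['gap']})")
    for p in problems:
        print("issue:", p)
    print("per category:", rollup(plan))
```

On the slide's rows only ID.AM-1 and ID.AM-2 carry a gap (three tiers each), so they head the plan; ID.AM-4 stays out of scope because it is Unused in both profiles. The issues list is where a real assessment usually surprises you: a subcategory the target asks for that nobody scored, or one already above its target, both of which mean the target profile needs another look before money is committed.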
HOW CAN I ALIGN WITH BEST PRACTICES
Core Function: Respond (RS)
Category: Response Planning (RS.RP)
Subcategory RS.RP-1: Response plan is executed during or after an event
Informative References: COBIT 5 BAI01.10; CCS CSC 18; ISA 62443-2-1:2009 4.3.4.5.1; ISO/IEC 27001:2013 A.16.1.5; NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8
ENTERPRISE TOOLKIT: A Mature Compliance and Security Model
Layers: Business Strategy and Governance (strategic) driving Security Operations (tactical, on-going compliance and security operations). Information Risk Management & Reporting through GRC Dashboards spans every layer.
Business Strategy and Governance: Governance (security, privacy, compliance); Security Policies and Procedures (GRC Policy); Awareness and Training (GRC Standards & UA); Security Team Structure, Roles & Responsibilities
Secure Info Access: Identity Management; Authentication (LOA3, Mobile 2FA); Digital Trust / High Assurance PKI
Information Protection: Data Classification; Data Loss Controls (DLP); Encryption (ENC); Electronic Discovery; CASB
Infrastructure Management: Configuration & Patch Management; Sys Integrity & Lockdown (HIPS); Inventory & Asset Management; Mobility & Wireless (EPM)
Infrastructure Protection: Logging & Monitoring; Malicious Code Protection; Security Intelligence (ATP, EDR); IR Retainer; MSSP; Secure Network Design; Network Perimeter Security; PEN Test