How security intelligence can be used for incident management. Volker Rath, Techn. Lead Consulting Services

Similar documents
Symantec Security Monitoring Services

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak

Symantec Endpoint Protection Integration Component User's Guide. Version 7.0

Be Secure! Computer Security Incident Response Team (CSIRT) Guide. Plan Establish Connect. Maliha Alam Mehreen Shahid

locuz.com SOC Services

Nebraska CERT Conference

CERT Development EFFECTIVE RESPONSE

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

Qualys Indication of Compromise

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

BUILDING AND MAINTAINING SOC

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:

@sec the information security provider

ARC VIEW. Critical Industries Need Continuous ICS Security Monitoring. Keywords. Summary. By Sid Snitkin

Cisco Incident Control System

CNIT 50: Network Security Monitoring. 9 NSM Operations

Position Title: IT Security Specialist

Lindström Tomas Cyber security from ABB System 800xA PA-SE-XA

White Paper April McAfee Protection-in-Depth. The Risk Management Lifecycle Protecting Critical Business Assets.

CA Security Management

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Reinvent Your 2013 Security Management Strategy

Detecting Lateral Movement in APTs ~Analysis Approach on Windows Event Logs~ June 17, 2016 Shingo ABE ICS security Response Group JPCERT/CC

Securing Dynamic Data Centers. Muhammad Wajahat Rajab, Pre-Sales Consultant Trend Micro, Pakistan &

Kevin Mandia MANDIANT. Carnegie Mellon University Incident Response Master of Information System Management

Think Like an Attacker

RSA Security Analytics

Configuring Antivirus Devices

Designing and Building a Cybersecurity Program

RFP/RFI Questions for Managed Security Services. Sample MSSP RFP Template

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Cisco Security Monitoring, Analysis and Response System 4.2

Symantec Client Security. Integrated protection for network and remote clients.

CyberSecurity Situational Awareness Monitoring & Reporting Platform Pharos. Cyber Security Showcase Wednesday, 29 February 2012 Brussels, Belgium

ICS Dissolvable Agent for SafeGuard

Security and Compliance Powered by the Cloud. Ben Friedman / Strategic Accounts Director /

How Cisco IT Upgraded Intrusion Prevention Software to Improve Endpoint Security

Un SOC avanzato per una efficace risposta al cybercrime

Security Threats & Trends Arvind Sahay, Enterprise Manager India, McAfee

epldt Web Builder Security March 2017

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Think Like an Attacker

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

The Convergence of Management and Security. Stephen Brown, Sr. Product Manager December 2008

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

One Hospital s Cybersecurity Journey

Integrated, Intelligence driven Cyber Threat Hunting

Cyber Security Solutions Mitigating risk and enhancing plant reliability

Trust Services Principles and Criteria

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Cyber Security Audit & Roadmap Business Process and

IBM services and technology solutions for supporting GDPR program

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

Cyber Security For Business

Click to edit Master title style. DIY vs. Managed SIEM

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

Dynamic Risk Management for Cyber Defence

PROTECTION FOR WORKSTATIONS, SERVERS, AND TERMINAL DEVICES ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Carbon Black PCI Compliance Mapping Checklist

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

CA Host-Based Intrusion Prevention System r8

Vulnerability Management Policy

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

UP L13: Leveraging the full protection of SEP 12.1.x

A Risk Management Platform

Security Architecture

Not your Father s SIEM

Incident Response Agility: Leverage the Past and Present into the Future

Security Information & Event Management (SIEM)

Real-time Cyber Situational Awareness for Satellite Ground Networks. March 2015 Presenter: Ted Vera

Altitude Software. Data Protection Heading 2018

Industrial Security Getting Started

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ

Free Download BitDefender Client Security 1 Year 50 PCs softwares download ]

ITSM SERVICES. Delivering Technology Solutions With Passion

Quick Heal AntiVirus for Server. Optimized Antivirus Scanning. Low on Resources. Strong on Technology.

ForeScout Extended Module for Carbon Black

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

DEVELOP YOUR TAILORED CYBERSECURITY ROADMAP

MITIGATE CYBER ATTACK RISK

Combating Today s Cyber Threats Inside Look at McAfee s Security

Cisco Secure Ops Solution

Symantec Ransomware Protection


Global Response Centre (GRC) & CIRT Lite. Regional Cyber security Forum 2009, Hyderabad, India 23 rd to 25 th September 2009

Incident Response Services

External Supplier Control Obligations. Cyber Security

THE CRITICAL COMMUNICATIONS COMPANY CYBER SECURITY AS A SERVICE

ABB Ability Cyber Security Services Protection against cyber threats takes ability

ForeScout Extended Module for Symantec Endpoint Protection

Transcription:

How security intelligence can be used for incident management Volker Rath, Techn. Lead Consulting Services

Safety and protection matters Lots of news about threats and diseases. Which immunizations? Spreading new viruses. Public avail. information of Being paranoid is no the solution! unknown quality (web, rumors) Unable to prioritize infos Information is there and available but I'm not able to filter, prioritize them to define the right actions!

How to deal with (IT) risks I need to know the risks Identify the risk factors (Likelihood, potential damage, potential targets etc.) Define risk estimation Define countermeasures Define action plan

Symantec Threat and Vulnerability Service Model Information Management Process Management

How to get risk related information? Security Intelligence Services provide information on risks: Threats Vulnerabilities Suspect internet behavior Current attacks and Virus outbreaks Semiannual Internet Security Threat Report What is DeepSight Threat Management System?

Why Security Intelligence helps Incident Management Provides background information for incident management and forensics (how an attack, virus etc. works) Helps to find a proper individual risk rating to threats and incidents to prioritize actions (we do not have unlimited resources) Reactive to proactive approach in security area to minimize risk ( incidents)

Threat & Vulnerability Mgmnt. vs. Incident Management TVM Proactive, tries to fix problems before they become an incident IM Reactive, manages mitigation of threats and incidents Both deal with Technology Assets People Process

Treat and Vulnerability Management today Surf the web to get information Subscribe Intelligence Services (e.g. Symantec DeepSight ) Analysis of unstructured information (mainly mail notifications) Correlate information new postings + all following updates find relations (vulnerabilities used in malicious codes) Vulnerabilities and Malicious codes used in attacks Define countermeasures what to do? (e.g. patch) where (technical)? (e.g. affected HW/SW) where (geographical)? who? (e.g. local admins) Tracking activities (what has been done till when) Reporting

Challenges in the TVM area Information is available (mail, web), but not manageable, because information is unstructured (e.g. email text) to many data sources no complex queries possible on information sources individual ratings, comments etc. can not be added rating mathematics cannot be changed no individual reports available (e.g. get all vulnerabilities, that use port 80 get all patches for product X and version Y) information cannot be used automatically in other security solutions ( Integration into Policy Compliance, SW-Rollout, Messaging etc. )

Challenges in management? People who are responsible for availability are also responsible for security. That does not work! (Risk management is not an admin's job! Example: SQL Slammer) Information coming via email does not give customers Knowledge-Base features on vulnerabilities and threats. (New postings + x updates = information that is needed) Information is flooding people that are under time pressure Information is not provided on a need-to-know basis (Useless information is annoying people who will start to ignore it)

TVM Process Information Provide Information TVMS System Decision T&V Officer Notify on need-to-know basis Technology Owner / Service Provider Action Individual tools Verify & Supervise Manager / CSO

What a basic TVM System has to cover Getting Information Classify, Priorize Make Decision wait for more info, decision pending Initiate Action Add comments and notes Inform, Notify, Alert Inform on need-to-know basis Generating Reports Feedback, Report

Symantec s approach for a TVM System 101101101 Information Provider SOAP Access LAMP/WAMP *) Server Notification Ticket / Service Desk System Mail, SMS, Pager System Software Inventory Hardware Inventory LDAP T&V Infobase and portal Technical, process related and management reports Internal process infos and notes *) Linux/Windows, Apache, MySQL, PHP

Get an impression Data mining in data mines: Important things are hidden in the data forest.

Get an impression Same name, different technology, different risks, different mitigation.

Information on need-to-know basis Individual risk ratings by CERT User individual technology filters Tailored security advisories

Get an impression Need of well coordinated actions in a connected world.

New threat scenario

Vision Antivirus Get details about virus Verify virus appearance Get report about virus appearance, that fulfill very specific filter settings (e.g. only keylogger) Software Inventory Report about vulnerable software versions in the IT environment Notification on new incoming vulnerabilities based on affected and installed software Inform and steer TVMS Verify and report Firewall New Vulnerability: Check all rules for relevant protocols and ports New rule: Check against known vulnerabilities Policy Compliance Check for relevant files, configurations, Registry keys etc. Risk assessment on live data Intrusion Detection, Log Analysis, etc.

How Incident Management profits from this Good TVM minimized risk less incidents In case of an incident, useful information is available immediately: technical background information fine-tuning of security policies and compliance tools who is potentially affected? who are the people that need to involved in the mitigation? who is protected and who isn't? what is the situation outside of our organization? etc. Combined managent systems data (Policy Compliance, TVM, IM, Risk Management, SD, AV, FW etc.) allows to generate high level risk reports to the management Key Performance Indicators, Key Risk Indicators

Success factors What are the key success factors to build successful processes? Some tips

Realize risk in a connected world

Built processes and solutions that are mature. Processes needs to be understandable, accepted and proven.

Realize that security is a speed game. Proactive and reactive processes are worthless if they are too slow!

Build effective processes that people understand

Build the right teams - find the right partners.

Thank you very much

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback