RELEVANT IMPACT: Building a Successful Threat Management Program. NTX ISSA 3 rd Semi-Annual Cyber Security Conference

Similar documents
RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

BUILDING AND MAINTAINING SOC

One Hospital s Cybersecurity Journey

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

A Survival Guide to Continuity of Operations. David B. Little Senior Principal Product Specialist

Click to edit Master title style. DIY vs. Managed SIEM

NEXT GENERATION SECURITY OPERATIONS CENTER

CYBER THREAT INTEL: A STATE OF MIND. Internal Audit, Risk, Business & Technology Consulting

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Cyber Security in the time of Austerity. Shannon Simpson, CCO CNS Group

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Protecting organisations from the ever evolving Cyber Threat

locuz.com SOC Services

INTELLIGENCE DRIVEN GRC FOR SECURITY

State of Security Operations

Cyber Resilience - Protecting your Business 1

Cloud and Cyber Security Expo 2019

CompTIA Exam CAS-002 CompTIA Advanced Security Practitioner (CASP) Version: 6.0 [ Total Questions: 532 ]

50+ Incident Response Preparedness Checklist Items.

SIEMLESS THREAT DETECTION FOR AWS

SIEM: Five Requirements that Solve the Bigger Business Issues

FROM SIEM TO SOC: CROSSING THE CYBERSECURITY CHASM

A Practical Guide to Efficient Security Response

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

How to Conduct a Business Impact Analysis and Risk Assessment

4/13/2018. Certified Analyst Program Infosheet

SIEM (Security Information Event Management)

ForeScout Extended Module for Splunk

SOLUTION BRIEF Virtual CISO

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Device Discovery for Vulnerability Assessment: Automating the Handoff

Managed Security Services - Automated Analysis, Threat Analyst Monitoring and Notification

Security Architecture

Readiness, Response & Resilence:

NetWitness Overview. Copyright 2011 EMC Corporation. All rights reserved.

IT Service Management: Southeast Area Practice Gary West Solution director Business Service Optimization

Security Monitoring. Managed Vulnerability Services. Managed Endpoint Protection. Platform. Platform Managed Endpoint Detection and Response

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:

RiskSense Attack Surface Validation for IoT Systems

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

Unlocking the Power of the Cloud

CYBERSECURITY MATURITY ASSESSMENT

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Securing Your Cloud Introduction Presentation

THREAT INTEL AND CONTENT CURATION: ORGANIZING THE PATH TO SUCCESSFUL DETECTION

Title: Planning AWS Platform Security Assessment?

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

THE THREE WAYS OF SECURITY. Jeff Williams Co-founder and CTO Contrast Security

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation

The Resilient Incident Response Platform

EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT. An Insight Cyber White Paper. Copyright Insight Cyber All rights reserved.

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Reinvent Your 2013 Security Management Strategy

Security Operations 2018: What is Working? What is Not.

The State of Security

RSA NetWitness Suite Respond in Minutes, Not Months

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

All the Cool Kids Are Red Teaming Should You Be Drinking the Kool-aid Too?

Defining cybersecurity.

Designing and Building a Cybersecurity Program

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

External Supplier Control Obligations. Cyber Security

How to Write an MSSP RFP. White Paper

How NSFOCUS Protected the G20 Summit. Guy Rosefelt on the Strategy, Staff and Tools Needed to Ensure Cybersecurity

Avanade s Approach to Client Data Protection

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

SECURITY AUTOMATION BEST PRACTICES. A Guide on Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES - 1

RSA Security Analytics

An Operational Cyber Security Perspective on Emerging Challenges. Michael Misumi CIO Johns Hopkins University Applied Physics Lab (JHU/APL)

ACM Retreat - Today s Topics:

Automating the Top 20 CIS Critical Security Controls

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

Support and Management for AWS

SECURITY INCIDENT MANAGEMENT. Solution Primer. Jenn Black. Senior Research AnalystSolutions Research and Development Office of the CISO, Optiv

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

align security instill confidence

Un SOC avanzato per una efficace risposta al cybercrime

BREAKING BARRIERS TO COLLABORATE WITH THE C-SUITE

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Security Issues that deserve a logo

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

Building a Resilient Security Posture for Effective Breach Prevention

Security Automation Best Practices

IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

Getting Security Operations Right with TTP0

Defensible Security DefSec 101

Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat

Nebraska CERT Conference

How AlienVault ICS SIEM Supports Compliance with CFATS

Centralised service 6-7: Ensuring the resilience of centralised services cyber-security and sharing cyber intelligence

University of Pittsburgh Security Assessment Questionnaire (v1.7)

RSA ADVANCED SOC SERVICES

Examining the Evolution of CERT Operations. Managed Incident Program Prevention & Response. The Methodology of INTEL

CYBER RESILIENCE & INCIDENT RESPONSE

Transcription:

RELEVANT IMPACT: Building a Successful Threat Management Program NTX ISSA 3 rd Semi-Annual Cyber Security Conference 10-2-15

Threat Management Definition Current State of Threat Management in Most Organizations Threat Management Goals Traits of a Successful Threat Monitoring Program Gathering Requirements 2

THREAT MANAGEMENT: The ability to detect, analyze, remediate and report on threats to the business using human, or technological intelligence. 3

CURRENT STATE OF THREAT MANAGEMENT IN MOST ORGANIZATIONS 4

We have nothing to protect. We have controls - they should work 5

THE FOOL S PARADISE MODEL No threat management toolsets, or services Logging Alerting Processes Reporting Constantly overwriting Too many to handle - so ignored Non existent, mostly focused on availability Only when needed, not targeted, too hard to understand Accountability Typically execs trust their management is getting things done Management trust IT Sec (or Ops), who usually have no time 6

Most of the time, the team is dependent on a single brain-trust 7

THE DUCT TAPE MODEL Service is built off different borrowed parts Logging Alerting Processes Reporting Done using the cheapest methods, and likely unreliable Alerts are handled hastily, and investigation is typically mishandled Little/no processes Takes hours and hours to do - and still looks misassembled Accountability Management assume IT staff is handy and is on top of it 8

You don t get fired for buying ACME Simply implementing technology doesn t give you a threat management service. 9

THE SET IT AND FORGET MODEL Tool vendor driven threat management, lots of capital spending not much operational Logging Alerting Processes Done automatically on expensive hardware Was supposed to work out the box, but requires extensive configuration Internal team unaware of details Yet to be created around tool Reporting Accountability A lot of reports, but none that fit the business requirements Spent a lot money on tools, so the vendor is on the hook (not really) 10

Services that lack context of the environment, don t integrate with processes do not offer value. 11

THE PASSING THE BUCK MODEL Managed Security Service without proper integration Logging Alerting Processes Reporting Managed by Managed Security Service Provider (MSSP) Sent by MSSP to operations, and typically ignored by operations Delegated, internal processes not developed Provided by MSSP, but typically no real context added Accountability Service Level Agreement (SLA), so MSSP vendor is on the hook (not really) 12

THREAT MANAGEMENT GOALS 13

THREAT MANAGEMENT GOALS Identify malicious content (stationary and mobile) Identify malicious behavior 14

THREAT MANAGEMENT GOALS Ensure that the content detection occurs for all architectural layers Platform: Unix Syslog, System Event Data Application: Web App logs, Database Logs Network: Flow, IDS/IPS 15

THREAT MANAGEMENT GOALS Ensure appropriate controls are in place between different security domains, or zones within the environment. 16

THREAT MANAGEMENT GOALS Triage the alert for priority and context 17

THREAT MANAGEMENT GOALS Ensure that activities indicative of an attack are escalated, assigned to the appropriate resource within the environment, and tracked 18

THREAT MANAGEMENT GOALS Provide a proper handoff to incident handling and response team(s) Tracking is very important, especially if the incident is beyond the knowledge of the operations team 19

TRAITS OF A SUCCESSFUL THREAT MONITORING PROGRAM 20

SUCCESSFUL THREAT MANAGEMENT 1. Asset/data classification Asset classification not only gives the ability to create context during threat management, but also to have the ability to group these assets and providing reporting at a higher level. 21

SUCCESSFUL THREAT MANAGEMENT 2. Threat and risk assessment - Know the threats that can affect you - Knowing where your vulnerabilities are - Knowing where your controls are failing you 22

SUCCESSFUL THREAT MANAGEMENT 3. Network zoning Network zoning is the logical and sometimes physical segregation of parts of the network based on their security value. Zones may be broken out in different trust levels. Having proper zoning indicates that there s a good understanding of the network security requirements Threat monitoring can scale starting with the secure zones first. 23

SUCCESSFUL THREAT MANAGEMENT 4. Incident response capabilities Organizations that know how to handle typical IT events, have a higher likelihood of being able to handle security events. IT Incident Management Methodology Preparation Detection Diagnosis Repair Recovery Resolution 24

SUCCESSFUL THREAT MANAGEMENT 4. Incident response capabilities Security Incident Management Process Preparation Detection Containment Analysis Eradication Recovery Follow-up Security incidents require more effort over a shorter amount of time to achieve containment. 25

SUCCESSFUL THREAT MANAGEMENT 4. Incident response capabilities Security Incident Management Process Preparation Detection Containment Analysis Eradication Recovery Follow-up IT Incident Management Methodology Preparation Detection Diagnosis Repair Recovery Resolution 26

GATHERING REQUIREMENTS 27

GATHERING REQUIREMENTS Identify the goals Define requirements: Service Reporting Technical (toolset) 28

GATHERING REQUIREMENTS: SERVICE WHO Architect Management Security Operational WHAT Identify if the existing controls will provide the visibility to detect threats Define whether the organization be able to handle the service outputs Will operational teams be leveraged Define Service Levels/Service Flow 29

GATHERING REQUIREMENTS: SERVICE WHO Information security staff Operational staff WHAT Is Ad hoc reporting a requirement? What data is necessary for: Internal Departmental Reports Executive Reporting Compliance/Audit Reporting Can the reports be generated with existing set of data sources 30

GATHERING REQUIREMENTS: SERVICE WHO Information security staff Operational staff WHAT Data Source Compatibility (FW, IPS, AV, custom) Remote data collection Encryption requirements Threat identification Correlation Service Integration Alerting Integrated Alerting Integrated Ticketing 31

SECURITY EVENT TICKET Source: Network Zone: Ticket Identifier: Short Description: Initial Diagnosis: Traffic Flow Details: Traffic Correlations: Time Stamps: User: Department: Impacted device type specification: What security attributes could be impacted: Asset Classification Rating: Containment Recommendations: Typical data that should be in a security event ticket 32

ALIGN AND INTEGRATE AS PART OF DETECTION AND ANALYSIS Integrate detection in help desk processes Start to integrate information security tasks into day-today processes Engage security analysts to aid in security incidents Begin cross-training all analysts in handling security incidents 33

CONCLUSION A well designed threat management service is not built only on technology. But rather built on understanding what your organizations business and security requirements are, prior to deploying a threat management service. 34

THANK YOU Questions? Contact Information: Patrick M. Hayes Managing Director 817-876-5288 patrick.hayes@abovesecurity.com www.abovesecurity.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback