Incident Response Lessons From the Front Lines. Session 276, March 8, 2018. Nolan Garrett, CISO, Children's Hospital Los Angeles


Transcription:

Slide 1: Incident Response Lessons From the Front Lines
Session 276, March 8, 2018
Nolan Garrett, CISO, Children's Hospital Los Angeles

Slide 2: Conflict of Interest
Nolan Garrett has no real or apparent conflicts of interest to report.

Slide 3: Agenda
- What is an Incident Response Plan?
- Incident Response and Compliance, Security Frameworks
- Policy, Plans and Process
- Real World Examples and Lessons Learned

Slide 4: Learning Objectives
- Recognize the importance of incident response planning in relation to maintaining a state of security
- Employ standard processes for developing, maintaining and testing an incident response plan
- Demonstrate an understanding of incident response concepts and technical requirements

Slide 5: Why Plan for Incident Response?
- It's not a matter of if an incident will occur
- Per-record costs for healthcare data breaches have surpassed $400 per record, compared to worldwide averages of $158
- Costs are on average 37% higher if detection took longer than 100 days
- Costs are additionally 68.7% higher if containment of an identified incident took more than 30 days
- Average cost per breach across all industries surveyed reached $4M
* Source: Ponemon Institute 2016 Cost of Data Breach Study

Slide 6: Describing Security Events
- Incident: an event that has the potential to violate security policies or controls
- Compromise: unauthorized access to system(s) or infrastructure was achieved
- Breach: unauthorized access to non-public data was achieved

Slide 7: What is an Incident Response Plan?
- Primary purpose: provide an organized, approved structure for responding to and documenting incidents in a forensically sound manner
- Defines the team structure and process that the organization will follow when an incident occurs
- Outlines executive support and oversight of the process, as well as key stakeholders
- Aims to reduce the costs of incidents and the associated response through a well-organized strategy for managing the event

Slide 8: Incident Response and HIPAA
45 CFR 164.304 defines "security incident" as "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system." 164.308(a)(6)(i) requires a covered entity to "implement policies and procedures to address security incidents." The associated implementation specification for response and reporting at 164.308(a)(6)(ii) requires a covered entity to "identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes."

Slide 9: IR and HIPAA - Distilled
Identify, Respond, Mitigate, Document, Report

Slide 10: Plan Components (the incident response lifecycle)
Preparation; Detection and Analysis; Containment; Eradication; Recovery; Lessons Learned

Slide 11: Preparation - Team
Select a Team Model:
- Central
- Distributed
- Coordinating
Select a Staffing Model:
- Employees
- Partially Outsourced
- Fully Outsourced

Slide 12: Considerations Regarding Models
- Resource Availability
- Staff and Outsourcer Expertise
- Impact on Morale
- Costs

Slide 13: Team Skills
- The team's IR Leader should be experienced in incident response, possessing both strong technical skills and technical and executive communication skills
- Additional skills required for successful teams: forensic analysts, memory analysts, malware analysts, threat intelligence experts, technical documentation specialists

Slide 14: Teams - Other Resources
- Executive Leadership
- Information Security / Assurance
- Information Technology
- Legal and Compliance
- Human Resources
- Media / Public Relations / Marketing
- Physical Security and Facilities
- External Vendors, Consultants

Slide 15: Preparation - Tools
- Team contact information
- Incident reporting mechanisms
- Secure communications software
- War room
- Secure storage facility
- Digital forensics software and hardware
- Dedicated analysis hardware
See NIST SP 800-61 R2, section 3.1.1

Slide 16: Preparation - Processes
- Risk assessment
- Network and host hardening
- End-user awareness training
Goal: reduce the number of events to protect the IR team from becoming overwhelmed

Slide 17: Detection and Analysis
- Detection is arguably the most difficult single component of incident response, taking an average of 191 days*
- Once an incident has been reported (or otherwise identified), the plan is activated and analysis begins
- Mature Incident Response Plans include an evaluation of the incident's severity or priority
- The resulting incident severity drives further decisions about additional team members to engage and to whom to communicate within the organization
- This should be agreed upon prior to an event occurring
* Source: Ponemon Institute 2016 Cost of Data Breach Study
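As an added illustration of the point on slide 17 (severity agreed in advance, driving who gets engaged), the following Python is not from the presentation. It models severity on the three impact categories that NIST SP 800-61 Rev. 2 describes for prioritization (functional impact, information impact, recoverability); the numeric weights, the priority bands, the rule that any confirmed PHI exposure is forced to the top priority, and the notification roster are constructed for this example. The stakeholder group names are taken from slide 14.

```python
"""Incident severity triage and pre-agreed escalation roster (added example).

Assumptions: category names follow NIST SP 800-61 Rev. 2 section 3.2.6; the
weights, bands, PHI rule and roster are constructed, not the presenter's.
"""
from dataclasses import dataclass

FUNCTIONAL_IMPACT = {"none": 0, "low": 1, "medium": 2, "high": 3}
INFORMATION_IMPACT = {"none": 0, "privacy": 3, "proprietary": 2, "integrity": 2}
RECOVERABILITY = {"regular": 0, "supplemented": 1, "extended": 2, "not_recoverable": 3}

# Stakeholder groups from the deck's "Teams - Other Resources" slide. Which
# groups are notified at each priority is the part the plan must agree on
# before an incident; this mapping is an assumed example of such agreement.
ESCALATION = {
    "P4": ["Information Security / Assurance"],
    "P3": ["Information Security / Assurance", "Information Technology"],
    "P2": ["Information Security / Assurance", "Information Technology",
           "Legal and Compliance"],
    "P1": ["Executive Leadership", "Information Security / Assurance",
           "Information Technology", "Legal and Compliance", "Human Resources",
           "Media / Public Relations / Marketing", "External Vendors, Consultants"],
}


@dataclass(frozen=True)
class Triage:
    score: int
    priority: str
    notify: tuple


def score_incident(functional: str, information: str, recoverability: str) -> int:
    """Sum the three category weights; an unknown label is an error, not 'low'."""
    try:
        return (FUNCTIONAL_IMPACT[functional] + INFORMATION_IMPACT[information]
                + RECOVERABILITY[recoverability])
    except KeyError as exc:
        raise ValueError(f"unknown impact label: {exc}") from None


def triage(functional: str, information: str, recoverability: str,
           phi_involved: bool = False) -> Triage:
    """Map a score to a priority band and the pre-agreed notification list.

    Confirmed PHI exposure is forced to P1 regardless of score so that Legal
    and Compliance can assess HIPAA reporting duties (assumed rule).
    """
    score = score_incident(functional, information, recoverability)
    if phi_involved or score >= 7:
        priority = "P1"
    elif score >= 5:
        priority = "P2"
    elif score >= 3:
        priority = "P3"
    else:
        priority = "P4"
    return Triage(score, priority, tuple(ESCALATION[priority]))


if __name__ == "__main__":
    # Constructed sample: one encrypted server holding proprietary data,
    # recoverable with extra staff.
    print(triage("medium", "proprietary", "supplemented"))
    # Constructed sample: lost laptop whose encryption cannot be confirmed,
    # holding patient records.
    print(triage("low", "privacy", "regular", phi_involved=True))
```

The value of writing the matrix down is that the on-call technician no longer has to decide in the moment whether Legal or the executives need to hear about an alert; the plan already made that decision.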

Slide 18: Containment
Goals:
- Block further access or damage to systems
- Collect evidence for use in both the response and potential legal proceedings
- Gather details on the attack vector and actions taken to allow effective eradication
Strategies may vary greatly depending upon the incident type

Slide 19: Containment
Pre-define playbooks for common or major incident types such as:
- Ransomware
- Malware outbreak
- Social engineering
- Insider threat
Refer to your risk assessment!

Slide 20: Eradication
- Not all incident types require eradication, but many do
- Short- or medium-term steps are applied to eliminate all signs and symptoms of the incident
- Usually a series of high-value quick fixes or protections that temporarily increase the security of the organization while a long-term recovery plan can be formulated

Slide 21: Recovery
- Goal: return to normal operations
- Recovery may take weeks or months, sometimes even longer
- Actions required to recover the affected resources are implemented
- Resources that require changes to prevent incident recurrence are reconfigured, updated, tested and redeployed

Slide 22: Lessons Learned
- Often the most frequently skipped portion of the Incident Response lifecycle
- Acts as your input to a revised IR plan, risk assessment and other organizational policies and procedures
- Looks to document answers to the following questions:
  - What exactly happened, and when?
  - How well did our team perform?
  - Was our plan adequate?
  - What improvements could be made to increase the speed of execution?
  - What other corrective actions could be applied to prevent future events?

Slide 23: Lessons Learned (continued)
- What indicators can we watch to detect future potential events?
- Were any additional tools, staff, or external resources identified that may assist with future protection or response activities?

Slide 24: Test!
- Set up regular incident response plan testing
- Quarterly is a good test frequency
- Real incidents count as a test
- Use external resources to generate real-world scenarios and challenge the assumptions of your plan
- Include the outcome of your testing in IT/Information Security KPIs and reports

Slide 25: Real World Scenarios
A. Lost Laptop
B. Ransomware Outbreak
C. External Website Compromise

Slide 26: Scenario A: Lost Laptop (Ad hoc Incident Response)
- Reported on Thursday afternoon to IT helpdesk
- Technician determines that standard practice is to encrypt laptops
- Ticket closed, replacement laptop ordered
- 4 months later, contacted by OCR
- Internal investigation begins
- User remembers that the device may have been encrypted
- Cloud management tools no longer show the device asset history, as they are only kept for 90 days
- Organization unable to positively attest that the device was encrypted at time of loss

Slide 27: Scenario A: Lost Laptop (Planned Incident Response)
- Reported on Thursday afternoon to IT helpdesk, escalated immediately to IR team
- Asset management checklists were blank under the "Device Encryption" section
- IR team utilizes the Incident Response Playbook and immediately accesses reporting tools to validate that the laptop is reporting as encrypted
- Device validated as encrypted at time of loss, remote wipe command sent to device
- Incident closed, but reported to Compliance for awareness
- Lessons Learned analysis determines that further technician training is required regarding completion of all checklist actions
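The difference between slides 26 and 27 comes down to one fact: the management console's status history only exists for a limited window (90 days in the deck), so evidence available on the afternoon of the loss is gone by the time OCR calls four months later. The following Python is an added example, not from the presentation, that models that retention window and the two timelines; the record layout, the 30 days of constructed status reports, the device id LT-0412 and the snapshot step that copies the console's answer into the incident record are all assumptions.

```python
"""Can the organization still attest that a lost laptop was encrypted? (added example)

Models Scenario A: a console that purges per-device status older than its
retention window, queried either the same afternoon (planned response) or
four months later (ad hoc response). All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class StatusReport:
    device_id: str
    reported_at: datetime
    encrypted: bool


@dataclass
class ManagementConsole:
    """Asset console that silently drops reports older than retention_days."""
    retention_days: int
    reports: list

    def history(self, device_id: str, now: datetime) -> list:
        cutoff = now - timedelta(days=self.retention_days)
        return [r for r in self.reports
                if r.device_id == device_id and r.reported_at >= cutoff]


def last_report_before(history, loss_time):
    """Most recent status report at or before the time of loss, or None."""
    before = [r for r in history if r.reported_at <= loss_time]
    return max(before, key=lambda r: r.reported_at) if before else None


def attest_encryption(console, device_id, loss_time, query_time):
    """Return (verdict, report); verdict is 'encrypted', 'not_encrypted' or 'unknown'.

    'unknown' is the Scenario A failure: no surviving evidence either way.
    """
    report = last_report_before(console.history(device_id, query_time), loss_time)
    if report is None:
        return "unknown", None
    return ("encrypted" if report.encrypted else "not_encrypted"), report


def snapshot_evidence(console, device_id, loss_time, query_time):
    """Planned response: record the console's answer in the incident file at intake,
    so the attestation no longer depends on the console's retention window."""
    verdict, report = attest_encryption(console, device_id, loss_time, query_time)
    return {"device_id": device_id,
            "loss_time": loss_time.isoformat(),
            "captured_at": query_time.isoformat(),
            "verdict": verdict,
            "evidence": None if report is None else report.reported_at.isoformat()}


# Constructed sample: laptop LT-0412 checked in daily (encrypted) for the 30 days
# before it was lost on a Thursday afternoon; the console keeps 90 days.
LOSS = datetime(2017, 10, 5, 15, 30)  # constructed date
CONSOLE = ManagementConsole(
    retention_days=90,
    reports=[StatusReport("LT-0412", LOSS - timedelta(days=d, hours=3), True)
             for d in range(30)],
)


def adhoc_outcome():
    """Ad hoc: nobody looks until OCR makes contact about four months later."""
    return attest_encryption(CONSOLE, "LT-0412", LOSS, LOSS + timedelta(days=120))[0]


def planned_outcome():
    """Planned: the IR team checks the console within hours and files the result."""
    return snapshot_evidence(CONSOLE, "LT-0412", LOSS, LOSS + timedelta(hours=2))


if __name__ == "__main__":
    print("ad hoc  :", adhoc_outcome())
    print("planned :", planned_outcome())
```

The same data is present in both timelines; only the query time differs. Immediate escalation is what turns a transient console record into durable incident evidence, which is why the deck's planned response has the helpdesk hand the report to the IR team the same afternoon.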

Slide 28: Scenario B: Ransomware Outbreak (Ad hoc Incident Response)
- Ransomware is identified on a critical server in the environment via an anti-malware alert
- Technician responds to the alert and immediately removes the malware
- This action triggers previously unidentified infections across 132 servers to immediately encrypt all data on all compromised devices, including the EMR
- Attackers demand $10,000 per encrypted device
- Organization is effectively disabled for 9 days while each system is restored from backup

Slide 29: Scenario B: Ransomware Outbreak (Planned Incident Response)
- Ransomware is identified on a critical server in the environment via an anti-malware alert
- Technician responds to the alert, following the IR playbook, and advises the IR team
- IR team determines that this particular malware is a Command and Control malware
- As the team does not employ a full-time malware analyst, retained consultants are engaged to evaluate the malware and identify the extent of the infection
- The internal IT, IR Team and Consultants execute a strategy to progressively remove the malware without triggering encryption

Slide 30: Scenario C: Website Compromise (Ad hoc Incident Response)
- Your organization is notified by a patient that their web browser has warned them to avoid your website, as it is malicious
- An IT staff member reviews the site and determines that this scenario has occurred before, and asks their external marketing firm to restore the site from backup
- The marketing firm does as requested, unaware of the security incident
- The website continues to be infected and follows a cycle of infection and restoration
- Your organization's site is removed from Google search listings

Slide 31: Scenario C: Website Compromise (Planned Incident Response)
- Your organization is notified by a patient that their web browser has warned them to avoid your website, as it is malicious
- An IT staff member reviews the site and determines that the IR team should be contacted
- The IR team identifies the cause of the infection, and requests a restoration of the website followed by the appropriate security updates to resolve the issue
- The IR team utilizes the root cause and lessons learned analysis to enable the Information Security team's security scanners to proactively identify this kind of compromise on all current and future organization websites
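Slide 31 ends with the security scanners being taught to catch this kind of compromise on every organization website. The Python below is an added example of what such a check can look like; it is not the presenter's or any vendor's scanner. It records a baseline of each page's script inventory (allowed external script hosts plus SHA-256 hashes of inline scripts) and flags any page whose inventory drifts from it, which is exactly what happens when a site is restored from backup and then re-infected. The sample HTML, the allowed host list and the injected snippet are constructed.

```python
"""Baseline drift check for script content on organization websites (added example).

Not from the presentation. Parses a page's <script> elements, compares the
external script hosts against an allowlist and the inline scripts against a
set of known-good hashes, and returns findings. Page samples are constructed.
"""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external script URLs and SHA-256 hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline_hashes = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data (CDATA mode).
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip().encode()
            self.inline_hashes.append(hashlib.sha256(body).hexdigest())
            self._in_inline = False


def inventory(html: str):
    """Return (external_script_srcs, inline_script_hashes) for one page."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline_hashes


def script_host(src: str) -> str:
    """Host part of an absolute or protocol-relative URL; '' for same-origin paths."""
    if "//" not in src:
        return ""
    return src.split("//", 1)[1].split("/", 1)[0].lower()


def check_page(html: str, allowed_hosts, baseline_inline_hashes):
    """Return a list of findings; an empty list means the page matches its baseline."""
    findings = []
    external, inline = inventory(html)
    for src in external:
        host = script_host(src)
        if host and host not in allowed_hosts:
            findings.append(f"unexpected external script host: {host}")
    for digest in inline:
        if digest not in baseline_inline_hashes:
            findings.append(f"inline script not in baseline: sha256:{digest[:12]}")
    return findings


# Constructed known-good page captured when the site was last verified clean.
KNOWN_GOOD = """<html><head>
<script src="/static/app.js"></script>
<script>window.analyticsId = "constructed";</script>
</head><body><h1>Patient Portal</h1></body></html>"""

ALLOWED_HOSTS = {"www.example-hospital.test"}  # constructed allowlist
BASELINE = set(inventory(KNOWN_GOOD)[1])

# Constructed re-infected copy: same page plus one foreign script and one new
# inline script, the drift a restore-from-backup without root cause leaves behind.
RESTORED_AGAIN = KNOWN_GOOD.replace(
    "</body>",
    '<script src="https://cdn.constructed-example.test/loader.js"></script>'
    '<script>var injected = "constructed";</script></body>')


def scan_baseline():
    return check_page(KNOWN_GOOD, ALLOWED_HOSTS, BASELINE)


def scan_restored():
    return check_page(RESTORED_AGAIN, ALLOWED_HOSTS, BASELINE)


if __name__ == "__main__":
    print("clean page :", scan_baseline())
    print("re-infected:", scan_restored())
```

Run on a schedule against every organization site, this turns the patient's browser warning on slide 30 into an internal alert that fires before the site is flagged externally; the baseline must be refreshed whenever the marketing firm ships a legitimate change, which is itself a reason to route site changes through a known process.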

Slide 32: Summary
- Incidents will occur; how you prepare and respond will determine the cost and survivability of your organization
- The primary purpose of an Incident Response Plan is to provide an organized, approved structure for responding to and documenting incidents in a forensically sound manner
- The most effective method of ensuring your plan is up to date is to perform regular tabletop and real-world testing
- Most incidents are not reported to law enforcement, and while many breaches are, in most cases law enforcement does not actively review evidence collected unless the breach is financially sizeable
- Predefining your team and use of internal and external resources is critical to executing a timely, effective response

Slide 33: Recommended Reading
- NIST Special Publication 800-61 R2: http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
- NIST Cybersecurity Framework (CSF): https://www.nist.gov/cybersecurity-framework

Slide 34: Questions
Email: Nolan.Garrett@intrinium.com
LinkedIn: https://www.linkedin.com/in/nolangarrett/
Twitter: @Nolan_Garrett
Please complete the online session evaluation!