You Have Been Breached! How to Prepare a Response to a Cyber Attack for a Multinational Company
Chayan Chakravarti, MBA, CISM, PMP
Patrick Enyart, CISA, CISM, CRISC
Presenters
  Chayan Chakravarti, Manager, IT Vendor Risk Management, McKesson
    - Extensive experience in managing IT operations and risk management
    - Responsible for IT vendor risk assessments and ongoing risk monitoring
    - Managed global IT operations for offshore IT vendors
  Patrick Enyart, Senior Director, Security Operations and Engineering
    - Years of experience leading operations, risk management, and vulnerability management teams in the healthcare and financial sectors
    - Responsible for IT security and for communicating system- and business-level security metrics to senior management
Agenda
  - Impacts to the Enterprise
  - Big Data Considerations
  - Potential Breach Scenarios
  - Existing Controls
  - Proactive Cloud & Big Data Controls
  - Reactive Cloud & Big Data Controls
  - Implications for a Global Company
  - Being Prepared
  - Planning for Breach Response
  - Breach Containment
  - Planning for Breach Aftermath
  - Lessons Learned
  - Other Considerations
Impacts to the Enterprise
  - Brand reputation
  - Customer retention
  - Intellectual property
  - Competitive advantage
  - Loss of (sensitive) data
  - Regulatory penalties
  - Legal and financial implications
  - Employee attraction and retention
Big Data Considerations
  Implications
    - Data for sale
    - Data integrity
    - Data authorizations
    - Data privacy
  Tools
    - Hadoop
    - Cloudera
    - Key management
    - Identity management
    - Cloud Access Security Brokers (CASB)
Potential Breach Scenarios
  - Lost systems containing Personally Identifiable Information (PII)
  - Delivery of sensitive data to an unintended party
  - Multi-tenancy issues
  - Posting of inappropriate data, disclosing it to unintended parties
  - Compromised systems
  - Loss or theft of physical property containing sensitive data
  - Lost back-up data
  - A breach of a business partner or vendor with access to your data
  - Improper disposal or destruction of data storage items (documents, drives)
Existing Controls
  Process based
    - Vendor management
    - User authentication
    - User authorization
    - User profiling
    - Data classification/tagging
  Device based
    - DLP: data in use / data at rest
    - SIEM: log consolidation, log correlation
    - Identity Management (IdM)
  Infrastructure based
    - DLP: data in motion
    - Network connections: IPS, firewall
Proactive Cloud & Big Data Controls
  Business view
    - Security awareness training
    - Vulnerability management: patching OS and applications
    - Configuration management: system hardening
    - Identity Management (IdM)
    - Indicators of Attack: discovery and remediation
  Developers/development
    - Secure programming training
    - Code analysis as part of the SDLC
  Customers view
    - IdM
    - Security awareness
    - Portal management
Reactive Cloud & Big Data Controls
  Incident management
    - Response
    - Communications
    - Operational responses
    - Forensic analysis
  Detective controls
    - DLP
    - Endpoint security
    - Indicators of Compromise: discovery and remediation
  Threat analysis
    - Threat actor fingerprinting
    - Zero-day publications
Implications for a Global Company
  - Cloud technologies
  - Changing global footprint
  - Acquisitions
  - Divestitures
  - IT outsourcing
  - Data privacy and compliance
  - Social and economic differences
  - Productivity measures
Being Prepared
  - Identify the crown jewels
  - Identify internal key players
  - Identify external key players
    - Customers
    - Regulatory resources
    - Legal resources
    - Vendors/partners
  - Put a plan in place
    - Data/application owner checklist
    - Collaborate with Compliance, Privacy and Legal teams
    - Vendor management
  - Get Board and leadership support
  - Update and test the plan periodically
    - Table-top exercises
    - Incident/breach communication
  - Cyber insurance
Planning for Breach Response
  - Breach classification
  - Crisis response team
  - Appropriate communication
  - Law enforcement agencies
Breach Containment
  - Keep the business running
  - Identify where the attack is coming from
  - Identify impact by system
  - Isolate the affected network segment / data population
  - Contain the breach and the data loss
  - Quantify the breach
    - Identify the types of data lost
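The Reactive Controls slide names SIEM log correlation and Indicators of Compromise discovery, and the containment steps above ask the responder to find the attack source, identify impact by system and identify the types of data at risk. The script below is an added illustration of those steps and is not part of the presentation; the log format, the IoC address list, the asset-to-classification inventory and the thresholds are all constructed for the example. It correlates a brute-force-then-success login pattern and logins from known-bad addresses, marks the hosts those sources authenticated to as impacted, looks up the data classifications of those hosts, and sums bulk outbound transfers from them.

```python
"""Correlate constructed auth and transfer events to scope a breach.

Added example, not from the original presentation. Log format, IoC list,
asset inventory and thresholds are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines:
# <iso-timestamp> <host> <event> user=<u> src=<ip> bytes=<n>
SAMPLE_LOGS = """\
2024-03-01T02:00:01Z app-01 auth_fail user=jsmith src=203.0.113.7 bytes=0
2024-03-01T02:00:04Z app-01 auth_fail user=jsmith src=203.0.113.7 bytes=0
2024-03-01T02:00:09Z app-01 auth_fail user=jsmith src=203.0.113.7 bytes=0
2024-03-01T02:00:15Z app-01 auth_ok user=jsmith src=203.0.113.7 bytes=0
2024-03-01T02:07:40Z app-01 outbound user=jsmith src=203.0.113.7 bytes=734003200
2024-03-01T02:09:12Z db-02 auth_ok user=svc_etl src=198.51.100.23 bytes=0
2024-03-01T02:10:30Z db-02 outbound user=svc_etl src=198.51.100.23 bytes=52428800
2024-03-01T08:15:00Z web-03 auth_ok user=alee src=192.0.2.44 bytes=0
2024-03-01T08:16:00Z web-03 outbound user=alee src=192.0.2.44 bytes=2048
"""

# Constructed indicators of compromise (stand-in for a threat-intel feed).
IOC_IPS = {"198.51.100.23"}

# Constructed asset inventory: host -> data classification tags.
ASSET_TAGS = {
    "app-01": {"PII"},
    "db-02": {"PII", "PHI"},
    "web-03": {"Public"},
}

FAIL_THRESHOLD = 3                  # failed logins before a success is suspicious
FAIL_WINDOW = timedelta(minutes=5)  # window in which those failures must occur
EXFIL_BYTES = 100 * 1024 * 1024     # outbound volume treated as a bulk transfer


def parse_logs(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "event": event,
            "user": fields["user"],
            "src": fields["src"],
            "bytes": int(fields["bytes"]),
        })
    return events


def correlate(events, ioc_ips=IOC_IPS, asset_tags=ASSET_TAGS):
    """Return attack sources, impacted hosts, data types at risk and bytes moved.

    Rule 1: FAIL_THRESHOLD or more auth_fail events from one source within
            FAIL_WINDOW followed by auth_ok from that source marks it an attacker.
    Rule 2: any auth_ok from an IoC address marks the source an attacker.
    A host is impacted when an attacker source logs in to it; bulk outbound
    transfers by attacker sources from impacted hosts are summed.
    """
    recent_fails = defaultdict(list)  # src -> timestamps of failures in window
    sources, impacted, moved = set(), set(), 0
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, host = ev["src"], ev["host"]
        in_window = [t for t in recent_fails[src] if ev["ts"] - t <= FAIL_WINDOW]
        if ev["event"] == "auth_fail":
            recent_fails[src] = in_window + [ev["ts"]]
        elif ev["event"] == "auth_ok":
            if len(in_window) >= FAIL_THRESHOLD or src in ioc_ips:
                sources.add(src)
                impacted.add(host)
            recent_fails[src] = []
        elif ev["event"] == "outbound":
            if src in sources and host in impacted and ev["bytes"] >= EXFIL_BYTES:
                moved += ev["bytes"]
    data_types = set()
    for host in impacted:
        data_types |= asset_tags.get(host, {"unclassified"})
    return {
        "sources": sorted(sources),
        "impacted_hosts": sorted(impacted),
        "data_types": sorted(data_types),
        "bytes_moved": moved,
    }


if __name__ == "__main__":
    for key, value in correlate(parse_logs(SAMPLE_LOGS)).items():
        print(f"{key}: {value}")
```

On the constructed input the script flags both the brute-forced login to app-01 and the IoC-address login to db-02, so the containment scope is those two hosts, the data types at risk are PII and PHI from the inventory, and only the large transfer from app-01 counts toward the loss estimate; the small transfer from db-02 and the unrelated web-03 activity are left out. In a real environment the inventory lookup is what turns "impact by system" into "types of data lost", which is why the data classification/tagging control on the Existing Controls slide matters before an incident, not during it.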
Planning for Breach Aftermath
  - Litigation
  - Corporate image
    - Brand management and change of focus
    - Rebuild integrity
    - What the positive message is going to be
  - Financial impact
  - Processes and systems in scope
    - Redesign
    - Redeploy
    - Evaluate and review global processes and systems
  - Communications and post-event management
    - Individual level
    - Employees
    - Customers
    - General public
Lessons Learned
  - Updating controls
  - Improved processes
  - Tighten contracts
  - Update the breach response plan
    - Incident management
    - Communications
Other Considerations
  - Investor communications
    - Shareholders
    - Wall Street
  - Long-term assessment
  - Residual activities
  - Changing threat landscape
Thank you