Kymberlee Price's Black Hat 2016 talk in a live webcast. This presentation will address some best practices and templates to help security teams build or scale their incident response practices.
[Webinar] Building a Product Security Incident Response Team: Learnings from the Hivemind
1. BUILDING A PRODUCT
SECURITY INCIDENT
RESPONSE TEAM: LEARNINGS
FROM THE HIVEMIND
KYMBERLEE PRICE
SENIOR DIRECTOR OF RESEARCHER OPERATIONS
2. WHOAMI?
• Senior Director of a Red Team
• PSIRT Case Manager
• Data Analyst
• Internet Crime Investigator
• Security Evangelist
• Behavioral Psychologist
• Lawful Good
@kym_possible
4. BUT WHAT ABOUT ISO STANDARDS!?
• In April 2016 ISO 29147 on Vulnerability Disclosure techniques was made free to the public.
• This is awesome
• The related standard on vulnerability handling processes, ISO 30111, costs approx $60 USD.
7. COMMON SIRT STRUCTURES
• Technology
  • Cloud/Service or Installed Software?
• Resources
  • $$$
User Action Required: Tech Program Manager, Security Engineer, Comms (optional)
User Action Not Required: Tech Program Manager (optional), Security Engineer
12. INCIDENT RESPONSE PROCESS
Identify Issue (1) → Assess Impact (2) → Dev & Test Fix (3) → Release w/ CVE (4) → Post Release (5)
So you’re a software vendor… But wait! The vulnerability was in a third party library!
13. INCIDENT RESPONSE PROCESS
Identify Issue (1) → Assess Impact (2) → Dev & Test Fix (3) → Release w/ CVE (4) → Post Release (5)
Identify Issue (1) → Assess Impact (2) → Dev & Test Fix (3) → Release fix (+advisory?) (4) → Post Release (5)
So you’re a software vendor… But wait! The vulnerability was in a third party library!
14. INTERNAL POLICY
• Define your Vulnerability Prioritization model
  • CVSS or something else?
• What are your acceptable business risks?
• What are your remediation SLAs? Escalation paths?
• When do you release a public advisory?
• When is emergency response indicated?
16. PUBLIC DOCUMENTATION
• Vulnerability Disclosure Policy
  • Critical for expectation setting
  • Tells researchers how to report a vulnerability to you
• Security Advisory Knowledge Base
  • Where do customers go to quickly learn about security updates?
• Researcher Acknowledgements
  • Recognize positive behavior and build community
17. TOOLKIT
• How do you want to receive external vulnerability reports?
  • Unstructured: encrypted email
  • Structured: secure web form
• How do you want to capture investigation details?
  • Case management db (doesn’t have to be complicated, can be specific fields captured in Jira)
18. TOOLKIT
• Do you use third party code?
  • Source code scanning tool to track what you use, where
  • Vulnerability Intelligence sources
• HIGHLY RECOMMENDED: OSS SECURITY MATURITY: TIME TO PUT ON YOUR BIG BOY PANTS!
Jake Kouns & Christine Gadsby, Jasmine Ballroom, 2:30 pm
19. DATA MANAGEMENT FOR SIRTS
• What Developers need to know to fix the vulnerability
• What Leadership needs to know about business risk
• What Customers need to know about product security
• DOCUMENT at time of investigation even if you don’t use the data until much later
22. PITFALLS
• Failure to thoroughly document vulnerability details during investigation, leading to re-investigation just prior to fix release to remember what the issue was
• Failure to prioritize effectively
  • Adopt a prioritization model that considers both technical and business impact
  • Define your acceptable business risks
• Failure to define clear stakeholders and roles in Incident Response Process
• Failure to communicate effectively with product development
• Failure to communicate effectively with external researchers
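As an added illustration (not code from the talk), a minimal prioritization model of the kind slides 14 and 22 ask you to define: it combines CVSS severity with business impact and maps the result to a remediation SLA, an escalation path, the emergency-response trigger and the advisory decision. The level thresholds, SLA values, escalation names and report fields are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class VulnReport:
    case_id: str
    cvss_base: float              # technical severity: CVSS base score, 0.0-10.0
    exploit_public: bool          # public exploit or in-the-wild exploitation known
    customer_data_exposed: bool   # business impact: customer data reachable
    user_action_required: bool    # installed software (customers must update) vs cloud fix
    third_party_component: Optional[str] = None  # library name when the bug is upstream

# Assumed policy values (not from the talk): SLA in days to fix release and escalation path.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}
ESCALATION = {"P1": "emergency response team", "P2": "PSIRT lead",
              "P3": "case manager", "P4": "product backlog"}

def technical_level(cvss_base: float) -> int:
    """Map a CVSS base score to a 1-4 level using the CVSS v3 severity ranges."""
    if cvss_base >= 9.0:
        return 4
    if cvss_base >= 7.0:
        return 3
    if cvss_base >= 4.0:
        return 2
    return 1

def prioritize(report: VulnReport) -> dict:
    """Combine technical severity with business impact into priority, SLA and escalation."""
    level = technical_level(report.cvss_base)
    # Business-impact modifiers raise the level; CVSS alone would miss them.
    if report.exploit_public:
        level += 1
    if report.customer_data_exposed:
        level += 1
    level = min(level, 4)
    priority = f"P{5 - level}"
    return {
        "priority": priority,
        "sla_days": SLA_DAYS[priority],
        "escalate_to": ESCALATION[priority],
        # Emergency response: top priority with a known public exploit.
        "emergency": priority == "P1" and report.exploit_public,
        # Customers who must apply an update need an advisory; so do high priorities.
        "public_advisory": report.user_action_required or priority in ("P1", "P2"),
        # Low severity with no business modifiers may be an accepted business risk,
        # but only if that decision is explicit and documented at investigation time.
        "accepted_risk_candidate": level == 1,
        "upstream_fix_needed": report.third_party_component is not None,
    }
```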