SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Operations
Dave Shackleford, Voodoo Security and SANS
Joe Schreiber, AlienVault
© 2014 The SANS™ Institute - www.sans.org
Introduction
• The range and sophistication of today’s attacks are growing rapidly
• More and more organizations are dedicating resources to detection and response tools and processes
  – Less effort and money is spent on purely “preventive” measures
• We’ll explore a number of different types of incidents, as well as indicators and monitoring/response process considerations
Use What for What?
• Right Tool -> Right Job
• Right Job -> Right Skills
• Right Skills -> Right Response
• Right Response -> [right] Incident
How do I know which response?
Make Plans.
• Be prepared for an incident
  – Create several plans based on incident type
  – Have a contact methodology
  – Escalation Paths
• So you have a plan?
  – What’s your backup?
  – Be Flexible
• Time is against you
• Outside Help
  – Pre-arrange services or consultants
What if I’m missing something?
• Use the Internet
  – IOCs
  – Threat Reputation
  – Malware Analyzers
  – Virus Scanners
• Community Efforts
  – Open source tools
  – Message Boards
Attack Types and Responses
• Sensitive Data
• Malware
• Insider
• Web Application
Sensitive Data Exposure/Exfiltration
• Data loss and exposure are among the top concerns and incident types facing organizations today
• In the 2014 Verizon DBIR, 1367 data loss incidents were investigated
• Most security teams have been focused on data loss in some way since 2005-6.
Indicators of sensitive data exposure
• A number of leading indicators can lead to detection of exposure or exfiltration
• Human-based:
  – Fraud alerts or identity theft
  – Notification from 3rd parties
  – Extortion attempts
• Data indicators:
  – DLP alerts
  – Proxy logs
  – Firewall/IDS/IPS events
Operations for Data Exposure Incidents
• Specific operational steps to be considered for IR with data exposure:
  – First, unless directed by law enforcement, stop the leak! (if it is known how and where)
  – Determine who and what is affected, then coordinate with HR/legal/PR
  – Leverage DLP or other monitoring tools to pattern match data types stored and in transit
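The last step above, pattern matching data types across data at rest and data in transit, is the part a responder can script quickly. The following is an added example, not code from the deck, SANS or AlienVault: it applies the same two patterns (payment card numbers validated with the Luhn checksum, and US SSN-shaped strings) to a constructed file excerpt and constructed proxy log lines, and masks every hit so the finding itself does not re-expose the data. All file paths, addresses and numbers are made up for the example.

```python
import re

# Constructed sample inputs (not real data): one file excerpt representing data at rest
# and two proxy log lines representing data in transit.
SAMPLE_RECORDS = [
    ("stored:/srv/share/export.csv",
     "id,name,card\n1,Alice,4111 1111 1111 1111\n2,Bob,4111111111111112\n"),
    ("transit:proxy",
     '10.0.0.5 POST http://paste.example/upload body="ssn=123-45-6789"'),
    ("transit:proxy",
     "10.0.0.7 GET http://intranet.example/wiki/Order-1234-5678"),
]

PATTERNS = {
    # 13-19 digits, optionally separated by single spaces or dashes; checksum-validated below
    "payment_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    # US SSN shape AAA-GG-SSSS, excluding the area numbers 000, 666 and 900-999
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
}


def luhn_ok(digits):
    """Luhn (mod 10) checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four digits so findings can be logged without re-exposing the data."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text):
    """Return (type, masked_match) pairs for every validated pattern hit in one text blob."""
    hits = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            raw = m.group(0)
            if name == "payment_card" and not luhn_ok(re.sub(r"\D", "", raw)):
                continue  # right shape but bad checksum: an order number, not a card
            hits.append((name, mask(raw)))
    return hits


def scan_records(records):
    """Apply the same patterns to stored and in-transit records; one finding per hit."""
    findings = []
    for source, text in records:
        for kind, masked in find_sensitive(text):
            findings.append({"source": source, "type": kind, "match": masked})
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['source']:30} {f['type']:13} {f['match']}")
```

The checksum step matters more than the regex: without it, every 16-digit order or ticket number becomes a DLP alert, and the response team stops reading them. Commercial DLP tools do the same validation; the point of the example is that the at-rest and in-transit scans should share one pattern set so the two views of the leak agree.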
Advanced Malware Incidents
• Not all malware incidents are advanced
  – Standard antivirus and host-based tools still catch many variants
• Some malware is much more stealthy and sophisticated, however
  – Malware sandboxes, behavioral monitoring, and forensics techniques and tools may be needed
Indicators of Advanced Malware
• Advanced malware may be detected with a number of indicators:
  – Unusual processes or services on hosts
  – Known malicious registry keys and entries
  – File names or attributes
  – Network traffic signatures and patterns (ports, protocols, etc.)
  – Sandbox detonation events
Operations for Advanced Malware Incidents
• Response processes for advanced malware incidents should include:
  – Quarantine capabilities (host and network)
  – Volatile forensic data capture
  – Rapid development of IOC “fingerprints” to propagate to additional systems
  – Data leak response steps
  – Reverse engineering
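The indicator types on the previous slide (processes, registry entries, file attributes, network destinations) and the “rapid IOC fingerprint” step above fit together: the fingerprint is the set of artifacts on the first compromised host that a known-good build does not have, and propagating it means checking every other host’s artifacts against that set. The following is an added example, not code from the deck, SANS or AlienVault, and it assumes the artifacts have already been collected by an EDR or HIDS agent; it only shows the diff-and-match logic. Host names, paths, the Run-key value and the domain are made up, and the hash is a labelled placeholder rather than a real indicator.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Artifact:
    kind: str   # "process", "file_hash", "registry" or "dns"
    value: str  # normalised: Windows paths, registry keys and host names are case-insensitive


def art(kind, value):
    return Artifact(kind, value.lower())


@dataclass
class HostSnapshot:
    name: str
    artifacts: set = field(default_factory=set)


# Constructed data: a known-good image and the first host found infected.
GOLDEN_IMAGE = HostSnapshot("golden-image", {
    art("process", r"C:\Windows\System32\svchost.exe"),
    art("process", r"C:\Windows\explorer.exe"),
    art("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"),
    art("dns", "updates.example.com"),
})

PATIENT_ZERO = HostSnapshot("ws-0017", GOLDEN_IMAGE.artifacts | {
    art("process", r"C:\Users\Public\svchost32.exe"),
    art("file_hash", "sha256:PLACEHOLDER-HASH-OF-SVCHOST32"),   # placeholder, not a real hash
    art("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    art("dns", "c2.example.invalid"),
})

# Constructed snapshots of two other hosts to sweep with the fingerprint.
OTHER_HOSTS = [
    HostSnapshot("ws-0042", GOLDEN_IMAGE.artifacts | {
        art("process", r"c:\users\public\SVCHOST32.EXE"),   # same binary, different case
        art("dns", "c2.example.invalid"),
    }),
    HostSnapshot("ws-0099", set(GOLDEN_IMAGE.artifacts)),
]


def build_fingerprint(infected, baseline):
    """Fingerprint = every artifact present on the infected host and absent from the baseline."""
    return infected.artifacts - baseline.artifacts


def scan_host(host, fingerprint):
    """Artifacts on one host that match the fingerprint, sorted for stable reporting."""
    return sorted((a.kind, a.value) for a in host.artifacts & fingerprint)


def sweep(hosts, fingerprint):
    """Propagate the fingerprint across hosts; return only hosts with at least one hit."""
    results = {}
    for host in hosts:
        hits = scan_host(host, fingerprint)
        if hits:
            results[host.name] = hits
    return results


if __name__ == "__main__":
    fp = build_fingerprint(PATIENT_ZERO, GOLDEN_IMAGE)
    for name, hits in sweep(OTHER_HOSTS, fp).items():
        print(name, hits)
```

A fingerprint built by diffing against a baseline will also pick up benign drift (user-installed software, updated agents), so an analyst prunes it before the sweep; the value of the diff is that it produces a candidate list in minutes, while reverse engineering, the last bullet on the slide, produces the precise one later.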
Insider Incidents
• Insider incidents can be some of the most challenging to detect and respond to
• Insider threats can lead to other types of incidents (data loss, destruction/availability, etc.)
• Always coordinate with HR and legal teams for insider threat response
• Many insider attacks are not that advanced…just hard to detect
Indicators of Insider Incidents
• Insider indicators may be more challenging to detect:
  – Disgruntled behavior
  – Unusual pattern of file/data access
  – Changes in working hours or behavior
  – Disregard for policies and procedures
  – Account logon failures and unusual patterns
  – Traffic from personal/work systems
  – Unusual system command use or attempts at privilege escalation
Operations for Insider Incidents
• Response processes for insider incidents should include:
  – Inclusion of law enforcement (maybe) and HR/legal (definitely)
  – Rapid root cause analysis
    • Was it accidental? A system hijack? Or deliberate?
  – Account monitoring
  – Privilege revocation (maybe)
  – Equipment seizure when possible
  – Forensic analysis
  – Risk analysis
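Three of the insider indicators on the previous slide (account logon failures, changes in working hours, unusual patterns of data access) and the “account monitoring” step above are all things a monitoring team can compute from the authentication log once it has a per-user baseline. The following is an added example, not code from the deck, SANS or AlienVault: it parses a constructed authentication log, compares each user against constructed baselines (working hours and the hosts they normally use), and raises three kinds of alert. The log format, users, hosts and addresses are made up; a real deployment would read Windows security events or syslog through the SIEM instead.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)

# Constructed authentication log (made-up users, hosts and addresses), not a real capture.
SAMPLE_LOG = """\
2014-06-03T09:02:11 host=fs01 user=jdoe result=OK src=10.1.5.22
2014-06-03T13:45:09 host=fs01 user=jdoe result=OK src=10.1.5.22
2014-06-03T23:41:03 host=fs01 user=jdoe result=OK src=10.1.5.22
2014-06-03T23:42:50 host=hr-db user=jdoe result=FAIL src=10.1.5.22
2014-06-03T23:43:02 host=hr-db user=jdoe result=FAIL src=10.1.5.22
2014-06-03T23:43:15 host=hr-db user=jdoe result=FAIL src=10.1.5.22
2014-06-03T23:43:29 host=hr-db user=jdoe result=FAIL src=10.1.5.22
2014-06-03T23:45:00 host=hr-db user=jdoe result=OK src=10.1.5.22
2014-06-03T08:55:40 host=fs01 user=asmith result=OK src=10.1.7.9
2014-06-03T10:12:00 host=fs01 user=asmith result=FAIL src=10.1.7.9
2014-06-03T10:12:30 host=fs01 user=asmith result=OK src=10.1.7.9
"""

# Constructed per-user baselines an analyst would derive from prior weeks of logs:
# normal working hours (start hour inclusive, end hour exclusive) and hosts normally used.
WORK_HOURS = {"jdoe": (8, 18), "asmith": (8, 18)}
KNOWN_HOSTS = {"jdoe": {"fs01"}, "asmith": {"fs01"}}
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(minutes=5)


def parse(log):
    """Parse and time-order the events; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def failure_bursts(events):
    """One alert per user whose failures reach FAIL_THRESHOLD inside a FAIL_WINDOW span."""
    alerts = []
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]].append(e["ts"])
    for user, times in fails.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > FAIL_WINDOW:  # slide the window forward
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                alerts.append(("failure_burst", user, times[start].isoformat()))
                break
    return alerts


def off_hours_logons(events):
    """Successful logons outside the user's baseline working hours."""
    alerts = []
    for e in events:
        start, end = WORK_HOURS.get(e["user"], (0, 24))
        if e["result"] == "OK" and not start <= e["ts"].hour < end:
            alerts.append(("off_hours_logon", e["user"], e["host"], e["ts"].isoformat()))
    return alerts


def new_host_access(events):
    """Successful logons to hosts the user has not been seen on before (unusual data access)."""
    alerts = []
    for e in events:
        if e["result"] == "OK" and e["host"] not in KNOWN_HOSTS.get(e["user"], set()):
            alerts.append(("new_host_access", e["user"], e["host"], e["ts"].isoformat()))
    return alerts


def analyze(log):
    events = parse(log)
    return failure_bursts(events) + off_hours_logons(events) + new_host_access(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

None of the three alerts is conclusive on its own (a single off-hours logon is usually a deadline), which is why the slide pairs account monitoring with root cause analysis and HR/legal coordination: the same user tripping all three within a few minutes is what moves the case from noise to an insider investigation, and the baselines the example assumes are what make the correlation possible.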
Web Application Incidents
• Web app attacks are more common than ever
• These attacks can lead to defacement and reputation impact, as well as data exposure
• Application security often lags network and infrastructure controls
• Many open source components, or products like CMS platforms, are notoriously vulnerable
Indicators of Web Application Incidents
• Web application attacks and breaches may exhibit the following indicators:
  – Unusual behavior or crashes in applications
  – Web and app server logs of repeated access attempts
  – Web and app server logs of SQL syntax and/or scripting characters
  – IDS/IPS events for known app attacks
  – High local resource utilization on Web and app servers
  – Web app firewall events for behavioral or signature-based attacks
Operations for Web Application Incidents
• Response processes for Web App incidents may include:
  – Coordination with server operations/admin teams and possibly development teams
  – Web app firewall or application filtering commands/rules
  – Load balancer and proxy redirection and traffic control
  – Correlation between presentation and persistent tier traffic and account data
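Two of the log-based indicators on the previous slide, SQL syntax or scripting characters in requests and repeated access attempts, can be pulled out of an ordinary access log before any WAF is involved, and the per-source summary that falls out is what the response team hands to whoever writes the filtering rules in the step above. The following is an added example, not code from the deck, SANS or AlienVault: it parses constructed combined-format access log lines, URL-decodes each request target before matching (encoded requests are the normal case), flags the two request-level indicators, and counts denied requests per source and path. Addresses come from documentation ranges and the requests are made up.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache/nginx "combined" format: client, identity, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Request-level indicators, applied after URL decoding.
INDICATORS = {
    "sql_syntax": re.compile(r"(\bunion\b\s+\bselect\b|'\s*(or|and)\b|--\s*$|;\s*drop\b)", re.I),
    "script_chars": re.compile(r"(<\s*script\b|javascript:|\bonerror\s*=|\bonload\s*=)", re.I),
}

# Constructed access log lines; the last five model repeated denied logins from one source.
SAMPLE_LINES = [
    '192.0.2.10 - - [03/Jun/2014:10:01:02 +0000] "GET /products?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Jun/2014:10:01:09 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Jun/2014:10:01:15 +0000] "GET /products?id=42%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Jun/2014:10:02:00 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "curl/7.35"',
    '10.0.0.8 - - [03/Jun/2014:10:04:00 +0000] "GET /about HTTP/1.1" 200 1500 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.5 - - [03/Jun/2014:10:03:{s:02d} +0000] "POST /admin/login HTTP/1.1" 401 128 "-" "python-requests/2.2"'
    for s in range(0, 50, 10)
]


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, attempt_threshold=5):
    """Return (src, indicator, detail) findings for request-level and repetition indicators."""
    findings = []
    denied = Counter()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        decoded = unquote_plus(e["target"])  # match on what the application actually saw
        for kind, pattern in INDICATORS.items():
            if pattern.search(decoded):
                findings.append((e["src"], kind, decoded))
        if e["status"] in ("401", "403"):
            denied[(e["src"], decoded.split("?", 1)[0])] += 1
    for (src, path), n in denied.items():
        if n >= attempt_threshold:
            findings.append((src, "repeated_access_attempts", f"{n} denied requests to {path}"))
    return findings


def by_source(findings):
    """Per-source indicator counts: the summary handed to the WAF/proxy rule owners."""
    summary = {}
    for src, kind, _ in findings:
        summary.setdefault(src, Counter())[kind] += 1
    return summary


if __name__ == "__main__":
    for src, counts in by_source(analyze(SAMPLE_LINES)).items():
        print(src, dict(counts))
```

The 500 response on the second request from 192.0.2.10 is the “unusual behavior or crashes” indicator from the same slide showing up in the same log, and it is worth correlating with the application and database logs (the presentation-to-persistent-tier correlation the slide closes with) before deciding whether the filtering rule needs to block the source, the parameter, or both.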
Conclusion
• There are a lot of ways to detect and respond to incidents today
• Many types of incidents have common tools and processes
  – Most have their own specific differences, however
• Security monitoring and response teams can always enhance their capabilities with new events, correlation, and IOCs from inside and outside their networks
A Unified Approach: AlienVault USM™ (Powered by AV Labs Threat Intelligence)
ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated / Unauthenticated Active Scanning
BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
THREAT DETECTION
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
SECURITY INTELLIGENCE
• SIEM Event Correlation
• Incident Response
Collaborative Threat Intelligence: AlienVault Open Threat Exchange™ (OTX)
Coordinated Analysis, Actionable Guidance
• 200-350,000 IPs validated daily
• 8,000 collection points
• 140 countries
Join OTX: www.alienvault.com/open-threat-exchange
Questions?
Q@SANS.ORG
Thank You!
Three Ways to Test Drive AlienVault USM
• Download a Free 30-Day Trial: http://www.alienvault.com/free-trial
• Try our Interactive Demo: http://www.alienvault.com/live-demo-site
• Join us for a LIVE Demo! http://www.alienvault.com/marketing/alienvault-usm-live-demo

Contenu connexe

Tendances

Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
Marco Morana
 
Cyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsCyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feeds
Iain Dickson
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation final
Rizwan S
 

Tendances (20)

SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
Cyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsCyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feeds
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
Incident response
Incident responseIncident response
Incident response
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation final
 
10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program
 
IBM Security QRadar
 IBM Security QRadar IBM Security QRadar
IBM Security QRadar
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
Introduction to Tenable
Introduction to TenableIntroduction to Tenable
Introduction to Tenable
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
What is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsWhat is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the Basics
 
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORKZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
 
Security operation center
Security operation centerSecurity operation center
Security operation center
 
Cyber Security Needs and Challenges
Cyber Security Needs and ChallengesCyber Security Needs and Challenges
Cyber Security Needs and Challenges
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
 

En vedette

Incident Response Triage
Incident Response TriageIncident Response Triage
Incident Response Triage
Albert Hui
 
Keeping Client Data Safe (Final)
Keeping Client Data Safe (Final)Keeping Client Data Safe (Final)
Keeping Client Data Safe (Final)
AdvogadaZuretti
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Resilient Systems
 

En vedette (20)

Incident Response Swimlanes
Incident Response SwimlanesIncident Response Swimlanes
Incident Response Swimlanes
 
Incident Response Triage
Incident Response TriageIncident Response Triage
Incident Response Triage
 
The Six Stages of Incident Response
The Six Stages of Incident Response The Six Stages of Incident Response
The Six Stages of Incident Response
 
Cyber incident response or how to avoid long hours of testimony
Cyber incident response or how to avoid long hours of testimony Cyber incident response or how to avoid long hours of testimony
Cyber incident response or how to avoid long hours of testimony
 
Irm 6-website-defacement
Irm 6-website-defacementIrm 6-website-defacement
Irm 6-website-defacement
 
Mandatory data breach notification for Australia
Mandatory data breach notification for AustraliaMandatory data breach notification for Australia
Mandatory data breach notification for Australia
 
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...
 
Keeping Client Data Safe (Final)
Keeping Client Data Safe (Final)Keeping Client Data Safe (Final)
Keeping Client Data Safe (Final)
 
The Incident Response Playbook for Android and iOS
The Incident Response Playbook for Android and iOSThe Incident Response Playbook for Android and iOS
The Incident Response Playbook for Android and iOS
 
SEC440: Incident Response Plan
SEC440: Incident Response PlanSEC440: Incident Response Plan
SEC440: Incident Response Plan
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 
Monitoramento com ELK - Elasticsearch - Logstash - Kibana
Monitoramento com ELK - Elasticsearch - Logstash - KibanaMonitoramento com ELK - Elasticsearch - Logstash - Kibana
Monitoramento com ELK - Elasticsearch - Logstash - Kibana
 
Data breach presentation
Data breach presentationData breach presentation
Data breach presentation
 
Neptune : Re-thinking Incident Response Automation
Neptune : Re-thinking Incident Response Automation Neptune : Re-thinking Incident Response Automation
Neptune : Re-thinking Incident Response Automation
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)
 
Incident Response: How To Prepare
Incident Response: How To PrepareIncident Response: How To Prepare
Incident Response: How To Prepare
 
M-Trends® 2013: Attack the Security Gap
M-Trends® 2013: Attack the Security GapM-Trends® 2013: Attack the Security Gap
M-Trends® 2013: Attack the Security Gap
 
Modern Data Architectures for Business Insights at Scale
Modern Data Architectures for Business Insights at ScaleModern Data Architectures for Business Insights at Scale
Modern Data Architectures for Business Insights at Scale
 
Cisco OpenSOC
Cisco OpenSOCCisco OpenSOC
Cisco OpenSOC
 

Similaire à SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Operations

Insider threats webinar 01.28.15
Insider threats webinar 01.28.15Insider threats webinar 01.28.15
Insider threats webinar 01.28.15
Lancope, Inc.
 

Similaire à SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Operations (20)

SIEM-plifying security monitoring: A different approach to security visibility
SIEM-plifying security monitoring: A different approach to security visibilitySIEM-plifying security monitoring: A different approach to security visibility
SIEM-plifying security monitoring: A different approach to security visibility
 
The Evolution of IDS: Why Context is Key
The Evolution of IDS: Why Context is KeyThe Evolution of IDS: Why Context is Key
The Evolution of IDS: Why Context is Key
 
Best Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat IntelligenceBest Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat Intelligence
 
Save Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly BreachesSave Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly Breaches
 
Insider threats webinar 01.28.15
Insider threats webinar 01.28.15Insider threats webinar 01.28.15
Insider threats webinar 01.28.15
 
Cybersecurity Fundamentals by Shaw E. Tuma
Cybersecurity Fundamentals by Shaw E. TumaCybersecurity Fundamentals by Shaw E. Tuma
Cybersecurity Fundamentals by Shaw E. Tuma
 
The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)
The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)
The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)
 
Cybersecurity Fundamentals for Legal Professionals (and every other business)
Cybersecurity Fundamentals for Legal Professionals (and every other business)Cybersecurity Fundamentals for Legal Professionals (and every other business)
Cybersecurity Fundamentals for Legal Professionals (and every other business)
 
Security and Automation: Can they work together? Can we survive if they don't?
Security and Automation: Can they work together?  Can we survive if they don't?Security and Automation: Can they work together?  Can we survive if they don't?
Security and Automation: Can they work together? Can we survive if they don't?
 
Virtual Gov Day - Security Breakout - Deloitte
Virtual Gov Day - Security Breakout - DeloitteVirtual Gov Day - Security Breakout - Deloitte
Virtual Gov Day - Security Breakout - Deloitte
 
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
 
Cybersecurity: How to Protect Your Firm from a Cyber Attack
Cybersecurity: How to Protect Your Firm from a Cyber AttackCybersecurity: How to Protect Your Firm from a Cyber Attack
Cybersecurity: How to Protect Your Firm from a Cyber Attack
 
002.itsecurity bcp v1
002.itsecurity bcp v1002.itsecurity bcp v1
002.itsecurity bcp v1
 
Why Your Organization Must Have a Cyber Risk Management Program and How to De...
Why Your Organization Must Have a Cyber Risk Management Program and How to De...Why Your Organization Must Have a Cyber Risk Management Program and How to De...
Why Your Organization Must Have a Cyber Risk Management Program and How to De...
 
Cybersecurity Fundamentals for Legal Professionals
Cybersecurity Fundamentals for Legal ProfessionalsCybersecurity Fundamentals for Legal Professionals
Cybersecurity Fundamentals for Legal Professionals
 
Enterprise under attack dealing with security threats and compliance
Enterprise under attack dealing with security threats and complianceEnterprise under attack dealing with security threats and compliance
Enterprise under attack dealing with security threats and compliance
 
The Legal Case for Cybersecurity
The Legal Case for CybersecurityThe Legal Case for Cybersecurity
The Legal Case for Cybersecurity
 
Cyber Risk in e-Discovery: What You Need to Know
Cyber Risk in e-Discovery: What You Need to KnowCyber Risk in e-Discovery: What You Need to Know
Cyber Risk in e-Discovery: What You Need to Know
 
The Legal Case for Cybersecurity - SecureWorld Denver 2017 (Lunch Keynote)
The Legal Case for Cybersecurity - SecureWorld Denver 2017 (Lunch Keynote)The Legal Case for Cybersecurity - SecureWorld Denver 2017 (Lunch Keynote)
The Legal Case for Cybersecurity - SecureWorld Denver 2017 (Lunch Keynote)
 
Securing Web Applications
Securing Web ApplicationsSecuring Web Applications
Securing Web Applications
 

Plus de AlienVault

Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
AlienVault
 
AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & Response
AlienVault
 

Plus de AlienVault (20)

Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
 
Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVault
 
Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USM
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection Recommendations
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworks
 
Open Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideOpen Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's Guide
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usm
 
Security operations center 5 security controls
 Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usm
 
The State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICThe State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHIC
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides final
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USM
 
Improve Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesImprove Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation Directives
 
How Malware Works
How Malware WorksHow Malware Works
How Malware Works
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 
AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & Response
 

Dernier

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Dernier (20)

Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 

SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Operations

  • 1. An Incident Response Playbook: From Monitoring to Operations Dave Shackleford, Voodoo Security and SANS Joe Schreiber, AlienVault © 2014 The SANS™ Institute - www.sans.org
  • 2. Introduction • The range and sophistication of today’s attacks are growing rapidly • More and more organizations are dedicating resources to detection and response tools and processes – Less effort and money is spent on purely “preventive” measures • We’ll explore a number of different types of incidents, as well as indicators and monitoring/response process considerations © 2014 The SANS™ Institute - www.sans.org 2
  • 3. Use What for What? • Right Tool -> Right Job • Right Job -> Right Skills • Right Skills -> Right Response • Right Response -> [right] Incident © 2014 The SANS™ Institute - www.sans.org 3
  • 4. How do I know which response? © 2014 The SANS™ Institute - www.sans.org 4
  • 5. Make Plans. • Be prepared for an incident – Create several plans based on incident type – Have a contact methodology – Escalation Paths • So you have a plan? – What’s your backup? – Be Flexible • Time is against you • Outside Help – Pre-arrange services or consultants © 2014 The SANS™ Institute - www.sans.org 5
6. What if I’m missing something?
• Use the Internet
– IOCs
– Threat Reputation
– Malware Analyzers
– Virus Scanners
• Community Efforts
– Open source tools
– Message Boards
7. Attack Types and Responses
• Sensitive Data
• Malware
• Insider
• Web Application
8. Sensitive Data Exposure/Exfiltration
• Data loss and exposure is one of the top concerns and incident types facing organizations today
• In the 2014 Verizon DBIR, 1367 data loss incidents were investigated
• Most security teams have been focused on data loss in some way since 2005-6.
9. Indicators of sensitive data exposure
• A number of leading indicators can lead to detection of exposure or exfiltration
• Human-based:
– Fraud alerts or identity theft
– Notification from 3rd parties
– Extortion attempts
• Data indicators:
– DLP alerts
– Proxy logs
– Firewall/IDS/IPS events
10. Operations for Data Exposure Incidents
• Specific operational steps to be considered for IR with data exposure:
– First, unless directed by law enforcement, stop the leak! (if known how/where)
– Determine who and what is affected, then coordinate with HR/legal/PR
– Leverage DLP or other monitoring tools to pattern match data types stored and in transit
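As an added example for the "pattern match data types stored and in transit" step (this is not code from the SANS/AlienVault deck), a small DLP-style matcher that flags payment card numbers, validated with the Luhn checksum to cut false positives, and SSN-formatted values in captured content, masking what it reports. The sample message body is constructed, and the card number in it is a widely published test number rather than a real account.

```python
import re
from typing import Dict, List, Union

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in AAA-GG-SSSS form, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters most non-card digit runs (order ids, timestamps) out."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so a finding can be logged or ticketed safely."""
    return "*" * (len(value) - 4) + value[-4:]


def find_sensitive(text: str) -> List[Dict[str, Union[str, int]]]:
    """Findings as {'type', 'masked', 'offset'} for one blob of stored or in-transit text."""
    findings: List[Dict[str, Union[str, int]]] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append({"type": "PAN", "masked": mask(digits), "offset": m.start()})
    for m in SSN_RE.finditer(text):
        findings.append({"type": "SSN", "masked": mask(m.group(0)), "offset": m.start()})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample: an outbound message body captured by a proxy or DLP sensor.
# 4111 1111 1111 1111 is a widely published test card number, not a real account.
SAMPLE_BODY = (
    "Customer export attached. Card 4111 1111 1111 1111 exp 09/26, "
    "SSN 219-09-9999, order ref 1234567890123 (not a card)."
)

if __name__ == "__main__":
    for finding in find_sensitive(SAMPLE_BODY):
        print(finding)
```

The 13-digit order reference matches the card pattern but fails Luhn, which is exactly the kind of noise a pure regex DLP rule would page on.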
11. Advanced Malware Incidents
• Not all malware incidents are advanced
– Standard antivirus and host-based tools still catch many variants
• Some malware is much more stealthy and sophisticated, however
– Malware sandboxes, behavioral monitoring, and forensics techniques and tools may be needed
12. Indicators of Advanced Malware
• Advanced malware may be detected with a number of indicators:
– Unusual processes or services on hosts
– Known malicious registry keys and entries
– File names or attributes
– Network traffic signatures and patterns (ports, protocols, etc.)
– Sandbox detonation events
13. Operations for Advanced Malware Incidents
• Response processes for advanced malware incidents should include:
– Quarantine capabilities (host and network)
– Volatile forensic data capture
– Rapid development of IOC “fingerprints” to propagate to additional systems
– Data leak response steps
– Reverse engineering
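An added example (not from the deck, and not AlienVault product code) of the "rapid development of IOC fingerprints" step, using the indicator categories from slide 12: artifacts triaged on the first confirmed host become a case-folded fingerprint that is then swept across other hosts' snapshots. Host names, process name, registry value name and addresses are constructed (TEST-NET ranges), and the hash is the SHA-256 of a placeholder string, not of any real sample.

```python
import hashlib
from typing import Dict, List, Set

Snapshot = Dict[str, List[str]]          # category -> values observed on one host
CATEGORIES = ("file_hashes", "processes", "registry_keys", "net_destinations")

def fingerprint_from_triage(triage: Snapshot) -> Dict[str, Set[str]]:
    """Normalise what the first confirmed host showed into a case-folded indicator set per category."""
    return {cat: {v.lower() for v in triage.get(cat, [])} for cat in CATEGORIES}

def sweep_host(snapshot: Snapshot, ioc: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Matched indicators per category for one host; an empty dict means no hit."""
    hits = {}
    for cat in CATEGORIES:
        seen = {v.lower() for v in snapshot.get(cat, [])}
        matched = sorted(seen & ioc.get(cat, set()))
        if matched:
            hits[cat] = matched
    return hits

def sweep_fleet(fleet: Dict[str, Snapshot], ioc: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Hosts with at least one hit, i.e. candidates for quarantine and deeper forensics."""
    results = {}
    for host, snap in fleet.items():
        hits = sweep_host(snap, ioc)
        if hits:
            results[host] = hits
    return results

# Constructed placeholder hash: SHA-256 of a label string, not of any real malware.
PLACEHOLDER_HASH = hashlib.sha256(b"constructed-sample-dropper").hexdigest()

# Constructed triage output from the first confirmed host (invented names, TEST-NET address).
TRIAGE_HOST_A: Snapshot = {
    "file_hashes": [PLACEHOLDER_HASH],
    "processes": ["svchost32.exe"],
    "registry_keys": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updchk"],
    "net_destinations": ["198.51.100.23:443"],
}
# Constructed snapshots of two other workstations to sweep with the fingerprint.
FLEET: Dict[str, Snapshot] = {
    "ws-b": {
        "file_hashes": [hashlib.sha256(b"unrelated-file").hexdigest()],
        "processes": ["explorer.exe", "SVCHOST32.EXE"],
        "registry_keys": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"],
        "net_destinations": ["198.51.100.23:443"],
    },
    "ws-c": {"processes": ["explorer.exe"], "net_destinations": ["203.0.113.5:443"]},
}
```

Note that ws-b matches on process name and destination even though its file hash differs, which is why a fingerprint should carry several indicator types rather than hashes alone.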
14. Insider Incidents
• Insider incidents can be some of the most challenging to detect and respond to
• Insider threats can lead to other types of incidents (data loss, destruction/availability, etc.)
• Always coordinate with HR and legal teams for insider threat response
• Many insider attacks are not that advanced…just hard to detect
15. Indicators of Insider Incidents
• Insider indicators may be more challenging to detect:
– Disgruntled behavior
– Unusual pattern of file/data access
– Changes in working hours or behavior
– Disregard for policies and procedures
– Account logon failures and unusual patterns
– Traffic from personal/work systems
– Unusual system command use or attempts at privilege escalation
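As an added example (not from the deck) for the two logon-related indicators above, two checks run over constructed authentication events: successful logons outside an account's baseline working hours, and bursts of logon failures against one host. The user names, host names, timestamps and per-account baselines are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed syslog-style auth events: "<ISO time> <user> <LOGON|FAIL> <host>".
SAMPLE_EVENTS = """\
2014-03-03T09:02:11 jsmith LOGON fs01
2014-03-03T23:41:02 jsmith LOGON fs01
2014-03-03T23:42:10 jsmith FAIL db02
2014-03-03T23:42:15 jsmith FAIL db02
2014-03-03T23:42:19 jsmith FAIL db02
2014-03-03T23:42:24 jsmith FAIL db02
2014-03-03T23:42:30 jsmith FAIL db02
2014-03-04T08:55:07 mlee LOGON fs01
"""
# Constructed baselines: local hours [start, end) in which each account normally logs on.
BASELINE_HOURS = {"jsmith": (8, 18), "mlee": (8, 18)}

def parse_events(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Each event becomes (time, user, action, host)."""
    events = []
    for line in text.splitlines():
        ts, user, action, host = line.split()
        events.append((datetime.fromisoformat(ts), user, action, host))
    return events

def after_hours_logons(events, baseline=BASELINE_HOURS) -> List[Tuple[str, str, str]]:
    """Successful logons outside the account's baseline window ('changes in working hours')."""
    alerts = []
    for ts, user, action, host in events:
        start, end = baseline.get(user, (0, 24))   # no baseline for an account: never alert
        if action == "LOGON" and not start <= ts.hour < end:
            alerts.append((user, host, ts.isoformat()))
    return alerts

def failure_bursts(events, threshold=5, window=timedelta(minutes=1)) -> List[Tuple[str, str, str]]:
    """(user, host, first failure) where >= threshold FAIL events on one host fall in one window."""
    by_key: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, user, action, host in events:
        if action == "FAIL":
            by_key[(user, host)].append(ts)
    alerts = []
    for (user, host), times in by_key.items():
        times.sort()
        for i in range(len(times) - threshold + 1):   # sliding window over sorted times
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append((user, host, times[i].isoformat()))
                break
    return alerts
```

Both alerts here fire for the same account within a minute, which is the kind of correlation a SIEM rule would use to raise the case to HR and legal rather than to the help desk.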
16. Operations for Insider Incidents
• Response processes for insider incidents should include:
– Inclusion of law enforcement (maybe) and HR/legal (definitely)
– Rapid root cause analysis
• Was it accidental? A system hijack? Or deliberate?
– Account monitoring
– Privilege revocation (maybe)
– Equipment seizure when possible
– Forensic analysis
– Risk analysis
17. Web Application Incidents
• Web app attacks are more common than ever
• These attacks can lead to defacement and reputation impact, as well as data exposure
• Application security often lags network and infrastructure controls
• Many open source components, or products like CMS platforms, are notoriously vulnerable
18. Indicators of Web Application Incidents
• Web application attacks and breaches may exhibit the following indicators:
– Unusual behavior or crashes in applications
– Web and app server logs of repeated access attempts
– Web and app server logs of SQL syntax and/or scripting characters
– IDS/IPS events for known app attacks
– High local resource utilization on Web and app servers
– Web app firewall events for behavioral or signature-based attacks
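An added example (not from the deck) for the two log-based indicators above: a parser for combined-format web server logs that URL-decodes the request path, flags SQL syntax or scripting characters with rough signatures, and counts repeated authentication failures per client and path. The log lines are constructed and use documentation IP ranges; the signatures only show the shape of the check, not a production ruleset.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed combined-format access log lines (documentation IP ranges, no real hosts).
SAMPLE_LOG = """\
198.51.100.7 - - [03/Mar/2014:10:01:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2014:10:01:03 +0000] "GET /products?id=7 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2014:10:02:10 +0000] "GET /products?id=7%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "curl/7.35"
203.0.113.9 - - [03/Mar/2014:10:02:11 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 310 "-" "curl/7.35"
203.0.113.9 - - [03/Mar/2014:10:02:12 +0000] "POST /admin/login HTTP/1.1" 401 0 "-" "curl/7.35"
203.0.113.9 - - [03/Mar/2014:10:02:13 +0000] "POST /admin/login HTTP/1.1" 401 0 "-" "curl/7.35"
203.0.113.9 - - [03/Mar/2014:10:02:14 +0000] "POST /admin/login HTTP/1.1" 401 0 "-" "curl/7.35"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Rough signatures for the "SQL syntax" and "scripting characters" indicators (a WAF/IDS ruleset is far more complete).
SQL_RE = re.compile(r"(?i)['\"]\s*(or|and)\s*['\"0-9]|union\s+select|--\s|;\s*drop\b")
SCRIPT_RE = re.compile(r"(?i)<\s*script\b|javascript:|onerror\s*=|onload\s*=")

def parse_log(text: str) -> List[Dict[str, object]]:
    """Parsed rows with the request path URL-decoded, so encoded payloads are inspected too."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["path"] = unquote(row["path"])
            row["status"] = int(row["status"])
            rows.append(row)
    return rows

def injection_hits(rows) -> List[Tuple[str, str, str]]:
    """(ip, kind, decoded path) for requests carrying SQL or scripting characters."""
    hits = []
    for r in rows:
        kind = "sql" if SQL_RE.search(r["path"]) else "script" if SCRIPT_RE.search(r["path"]) else None
        if kind:
            hits.append((r["ip"], kind, r["path"]))
    return hits

def repeated_attempts(rows, threshold: int = 3) -> List[Tuple[str, str, int]]:
    """Clients with >= threshold 401/403 responses for one path ('repeated access attempts')."""
    counts = Counter((r["ip"], r["path"]) for r in rows if r["status"] in (401, 403))
    return [(ip, path, n) for (ip, path), n in counts.items() if n >= threshold]
```

The 500 response on the decoded SQL line is the "unusual behavior or crashes" indicator showing up in the same log, which is worth correlating with the signature hit before paging the development team.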
19. Operations for Web Application Incidents
• Response processes for Web App incidents may include:
– Coordination with server operations/admin teams and possibly development teams
– Web app firewall or application filtering commands/rules
– Load balancer and proxy redirection and traffic control
– Correlation between presentation and persistent tier traffic and account data
20. Conclusion
• There are a lot of ways to detect and respond to incidents today
• Many types of incidents have common tools and processes
– Most have their own specific differences, however
• Security monitoring and response teams can always enhance their capabilities with new events, correlation, and IOCs from inside and outside their networks
21. AlienVault USM™: A Unified Approach (Powered by AV Labs Threat Intelligence)
ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated / Unauthenticated Active Scanning
BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
THREAT DETECTION
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
SECURITY INTELLIGENCE
• SIEM Event Correlation
• Incident Response
22. Collaborative Threat Intelligence: AlienVault Open Threat Exchange™ (OTX)
• Coordinated Analysis, Actionable Guidance
• 200-350,000 IPs validated daily
• 8,000 collection points
• 140 countries
Join OTX: www.alienvault.com/open-threat-exchange
23. Questions? Q@SANS.ORG
Thank You!
Three Ways to Test Drive AlienVault USM
• Download a Free 30-Day Trial: http://www.alienvault.com/free-trial
• Try our Interactive Demo: http://www.alienvault.com/live-demo-site
• Join us for a LIVE Demo! http://www.alienvault.com/marketing/alienvault-usm-live-demo