Enterprise Incident Response
VŠE, Prague
Petr Špiřík, 18. 4. 2017
PwC
Agenda
90 minutes together ahead
Topics
Security incident in the enterprise context
Frameworks and methodology
Lifecycle of the security incident
Future challenges & evolution
Rules of the game
Mutual respect
There are no stupid questions – ask!
Petr Špiřík (PwC EMEA CSIRT Lead)
12+ years of professional experience
Network security & SOC background
Former PwC CEE CISO
Major interests
• Incident response
• Cyber threat intelligence
• Active defense
• Education of cyber security
Key Terms
Leveling the field
Process capabilities
Procedures, protocols & methodology
Communication & escalation paths
Decision making
Technical capabilities
Architecture (AV, FW, IPS)
Detection (SIEM, IDS)
Response & Triage tools
Alert vs Incident vs Breach
Suspicion vs Assurance vs Damage
False positives & negatives
Risk appetite & sensitivity
Operations vs Security incident
Means, motive & opportunity
Different objectives
Intentional vs accidental
Security Incident
What is this, anyway?
Operations incident
Network is down (power outage)
Computer freezes (misconfiguration)
Data is lost (corrupt backups)
Objectives
Become operational ASAP
Return back to normal
ITIL based
Security incident
Network is DDoSed
Environment is compromised
Data is exfiltrated
Objectives
Stop the bleeding
Understand the threat (Potential impact)
Competing interests (Business, CSIRT, Threat Intelligence)
Enterprise Aspect
Difference between SMB & Enterprise
Scalability & Complexity
30 minutes per machine is great …
… if you don’t have 10 000 machines
Manpower is the limiting factor
Automation is the way to go
Standards are necessary
Documentation is vital
Processes & governance enable enterprise incident management
Speed of the enterprise
It is a business decision to turn off the server…
… but who is the business owner?
Complexity is not only technical
Global vs. local
Cost of action vs. cost of inaction
Interaction with Risk management
Enterprise has the agility of an iceberg and the consensus of a group of cats
Cost of Security
How secure you want to be?
Enterprise wants to …
Make profit!
Do business
Be agile
Not be blocked by security
Enterprise wants to be as secure as possible for as little cost as possible
Learn to answer the tough question in an educated way
Security wants to …
Spend resources
Limit access & operations
Have formal procedures & standards
Have control
Security in the enterprise is always a cost, never a profit
Learn to make a business case & accept the business decisions
Standards & Frameworks
Making our lives easier
NIST (800-61)
US-centric
800-X family
Detailed, ready to use
No formal certification
ISO (27001:2013)
EU-centric
High level
Process oriented
Certifiable by independent body
Adoption
Do not reinvent the wheel
Cost-benefit analysis
Multiple standards implementation
Scope is critical
Customization
Understand your own enterprise
Pick wisely
Involve business
Make sure you understand the framework
Information Security Incident Lifecycle (NIST 800-61)
Figure: the NIST 800-61 lifecycle, Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity, which the following slides walk through in order
Preparation
Technical
Enterprise
Architecture (segmentation, access control)
Hardening (scans, patches, configuration)
Logging & reporting
Visibility & control
Segregation of duties
Ticketing & knowledge management system
Take control over your environment first, before you try to fight the incidents
Security team
Logging & monitoring capabilities
Tools for incident response
Forensic/Malware lab (nice to have)
Secured area
Control over key chokepoints
Skilled team
Time invested in the preparation phase will save you during the incident
Preparation
Process
Enterprise
Contact with other functions (IT, business, Risk management, PR & Communication)
Change management
Incident management in wider sense
Crisis management
Awareness & education
Leadership buy-in
Not only you, but your whole enterprise needs to act accordingly
Security team
Reporting an incident – identify inputs & tracking tools interaction
Communication plan
Ownership & governance
Policies & procedures
Templates
Incident response plans
Time invested in the preparation phase will save you during the incident
Detection
Technical
Logging
Continuous activity
Ingestion of logs from identified sources
Storage only (compliance)
Necessary first step
No output!
Reporting
Regular & automated
Defined KPIs & metrics
Strong for spotting trends and anomalies
Good for predicting future issues
Easy quick win – good cost:benefit ratio
Output is a static report, consumed by the security team or leadership
Monitoring / Alerting
Real time
Defined use cases to monitor (as opposed to “everything”)
Threshold based, complex rules, function of time
Sensitivity is the critical factor (false positives)
Output is dynamic: alerting via console, SMS, emails to analysts
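The three layers above differ in what they output, and the alerting layer is where the threshold, time-window and sensitivity decisions live. The following is an added example, not code from the deck or from PwC: a minimal threshold rule over a sliding time window, run on constructed authentication log lines, with two sensitivity profiles. The "heightened" profile is the kind of temporary, more sensitive alerting the Recovery slide later recommends. The log format, source addresses, user names and threshold values are all assumptions chosen for illustration.

```python
"""Threshold-based alerting over a sliding time window, with a sensitivity
profile. Added example, not from the original deck; the log format, source
addresses and thresholds are assumptions chosen for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events: timestamp, result, source IP, user.
SAMPLE_LOG = """\
2017-04-18T09:00:01 FAIL 203.0.113.7 alice
2017-04-18T09:00:03 FAIL 203.0.113.7 alice
2017-04-18T09:00:05 FAIL 203.0.113.7 bob
2017-04-18T09:00:06 FAIL 203.0.113.7 carol
2017-04-18T09:00:08 FAIL 203.0.113.7 dave
2017-04-18T09:00:09 OK   203.0.113.7 dave
2017-04-18T09:10:00 FAIL 198.51.100.2 erin
2017-04-18T09:14:00 FAIL 198.51.100.2 erin
2017-04-18T09:19:00 FAIL 198.51.100.2 erin
2017-04-18T09:19:30 OK   198.51.100.2 erin
"""

# Sensitivity profiles (assumed values). "normal" is day-to-day tuning;
# "heightened" is the temporary, more sensitive alerting used during recovery:
# a lower threshold over a longer window catches low-and-slow activity at the
# cost of more false positives (a user fumbling a password three times in
# ten minutes now fires too).
PROFILES = {
    "normal":     {"threshold": 5, "window": timedelta(minutes=1)},
    "heightened": {"threshold": 3, "window": timedelta(minutes=10)},
}


def parse(line):
    ts, result, src, user = line.split()
    return datetime.fromisoformat(ts), result, src, user


def detect_bruteforce(log_text, profile="normal"):
    """Alert when a source reaches `threshold` failed logons inside `window`
    and then logs on successfully. Requiring the final success is the
    'failures then success' use case: it separates a likely account
    compromise from a scanner that never gets in. One alert per source per
    burst; the failure history is cleared once an alert fires."""
    cfg = PROFILES[profile]
    recent = defaultdict(deque)          # source IP -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ts, result, src, user = parse(line)
        window = recent[src]
        while window and ts - window[0] > cfg["window"]:
            window.popleft()             # expire failures older than the window
        if result == "FAIL":
            window.append(ts)
        elif result == "OK" and len(window) >= cfg["threshold"]:
            alerts.append({"src": src, "user": user,
                           "failures": len(window), "at": ts.isoformat()})
            window.clear()
    return alerts


if __name__ == "__main__":
    for profile in PROFILES:
        print(profile, detect_bruteforce(SAMPLE_LOG, profile))
```

With the "normal" profile only the fast burst from 203.0.113.7 fires. With the "heightened" profile the slow sequence from 198.51.100.2 fires as well, which is either the patient attacker you want to see while recovering or a user mistyping a password; that trade-off is the sensitivity decision the slide calls critical, and the same two parameters are what you tighten temporarily and then relax again once the incident is closed.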
Detection
Process
Enterprise
End users
“My computer behaves in a strange way.”
Human resources
“We fired this guy and we suspect he might try to damage the company.”
Administrators
“This is not how my domain controller is supposed to respond.”
3rd parties (clients, law enforcement, public)
Security team
Eyes on the glass
“How many analysts do I assign to security monitoring?”
Threat hunting
“I always assume compromise. And in such case – what evidence would give the attacker away?”
Investigation result
“This computer was not only infected by commodity malware! There is more!”
Analysis
Triage
Is it a security incident?
Analyst driven, never 100% certain
If it is an incident, is it also a breach?
Who initiates the incident response?
What to do in uncertainty?
This is a yes-or-no question
What can be automated should be automated, as an absolute priority.
Is it major?
Major or crisis management needed
Human well-being, company existence at risk
Wider, cross-functional IR team needed
Different rules, protocols – but also prepared
Potential links to Business Continuity
Major incidents are more sensitive to process management than to technical response.
Analysis
Preparation for response
Information gathering
Even negative information has value
Systems checked and artifacts gathered
Focus on actionable evidence
Narrowing the scope is critical – the final judgement does not need to happen now
This leads into incident response. Time is definitely a factor. The whole enterprise is waiting to crush you.
Audit trail
Timestamps and non-repudiation
Documentation for legal consequences
Knowledge management
Project/team management in case of scale explosion
If you are moving too fast to document your actions – you are moving too fast.
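Timestamps and non-repudiation are easy to promise and hard to keep when the analyst's notes live on the same network that is under attack. The following is an added example, not code from the deck or from PwC, of one way to make an incident audit trail tamper-evident: each entry is timestamped, carries the MAC of the previous entry (a hash chain, so deleting or reordering records breaks the links) and is authenticated with an HMAC under a key the investigated environment does not hold. The key, the entry contents, the ticket and host names, and the field layout are assumptions for illustration.

```python
"""Tamper-evident incident audit trail: timestamped entries, hash-chained and
HMAC-authenticated. Added example, not from the original deck; the key, the
entries and the field layout are assumptions for illustration."""
import hashlib
import hmac
import json
from datetime import datetime, timezone


class AuditTrail:
    GENESIS = "0" * 64   # link value carried by the first entry

    def __init__(self, key):
        self._key = key   # assumption: the real key lives in a vault/HSM, not on the host
        self.entries = []

    def _mac(self, body):
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, analyst, action, ts=None):
        """Record one action. `ts` is injectable so the demo is reproducible."""
        ts = ts or datetime.now(timezone.utc)
        body = {
            "seq": len(self.entries),
            "ts": ts.isoformat(),
            "analyst": analyst,
            "action": action,
            "prev": self.entries[-1]["mac"] if self.entries else self.GENESIS,
        }
        entry = dict(body, mac=self._mac(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Re-derive every link and MAC.
        Returns (True, -1) if intact, else (False, index of the first bad entry)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["seq"] != i or body["prev"] != prev:
                return False, i          # entry deleted, reordered or inserted
            if not hmac.compare_digest(self._mac(body), entry["mac"]):
                return False, i          # entry contents altered
            prev = entry["mac"]
        return True, -1


def build_demo_trail(key=b"constructed-demo-key"):
    """Constructed trail of a short containment sequence (ticket and host names are made up)."""
    t0 = datetime(2017, 4, 18, 9, 0, tzinfo=timezone.utc)
    trail = AuditTrail(key)
    trail.append("analyst.a", "Alert SIEM-4471 escalated to incident IR-2017-018", t0)
    trail.append("analyst.a", "Host WS-042 isolated at the switch port", t0.replace(minute=12))
    trail.append("analyst.b", "Memory image of WS-042 acquired, hash on evidence form E-3", t0.replace(minute=40))
    return trail


def tamper_demo():
    """Show that a rewritten action and a deleted record are both caught."""
    edited = build_demo_trail()
    edited.entries[1]["action"] = "Host WS-042 left online"   # rewrite history
    deleted = build_demo_trail()
    del deleted.entries[1]                                     # drop a record
    return build_demo_trail().verify(), edited.verify(), deleted.verify()


if __name__ == "__main__":
    print(tamper_demo())   # intact, edited, deleted
```

The chain alone only proves internal consistency; it is the key held elsewhere (and, in practice, periodic export of the latest MAC to a system the attacker cannot reach) that stops someone with host access from simply rebuilding the whole chain. That is the same reason the slide puts the audit trail next to legal consequences rather than next to note-taking.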
Containment
Stop the bleeding!
Stopping the attack
Primary objective is to stop further damage
Isolation & service reduction
Time is the critical factor
Involve business stakeholders
Follow the procedures
During the containment phase, the primary imperative is to stop the attack from getting worse …
Intelligence gathering
Preserve the chain of custody
Watch & learn
Look for additional compromise
Know your enemy
Take notes
… however, you also want to learn as much as you can without alerting the attacker or giving him what he wants
Containment
Deeper dive
Disconnect the network!
Not always the best idea, not always applicable
Is it an insider incident? An APT? An external breach? A malware outbreak? A phishing campaign?
Prepared scenarios to the rescue
Isolate the incident in its domain (physical, network, human resources)
Factor in the time & scale
Focus on breach escalation prevention
Initial containment varies from shutting down the system to doing nothing
Major incidents
Communication plan
Governance of the IR team
Regular updates & reassessments
Project plan to remediate
Don’t expect this will be over soon
Scale and complexity are your enemies
In a major incident scenario, you are most likely already in damage control mode
Eradication
Remove all artifacts
Clean the compromised assets
Remove all entry points
Restore clean data from backups
Patch the vulnerabilities
Close the attacker’s way in
This is the latest stage at which the attacker learns you are after him. In military terms, you are “operating in a contested environment”.
Project management
To know what to do is not that important; to carry out the plan is
Multiple team coordination
Shared responsibilities
Timelines & change windows
In an enterprise environment, the project manager can make or break the outcome. Cooperation & execution are key.
Recovery
Back to production
Business wants to get back operational ASAP
The incident needs to be declared over
All compromised assets are clean
Partial recovery for large scale incidents
It is a business decision to get back online. Make sure this decision is informed!
Continuous monitoring
Attackers do not give up easily
Be prepared for counter-attacks
Set up temporary more sensitive alerting
Go back to analysis if needed
The attacker spent resources to get in. They will try to reclaim what they once had.
Did you really eradicate every artifact?
Post-Incident Activity
Immediate & short term
Harden the environment
Cooperate with IT
Follow the change management
Use the knowledge you gained
Plug all the holes
Every incident is an opportunity to improve
Improve your detection systems!
It is no shame to fall victim to an attack. It IS a shame to fall victim to the same attack repeatedly.
Metrics & KPIs
How do you measure success?
Is the number of incidents a good metric?
What is not measured does not exist
Metrics & KPIs are double edged sword
Useful vs. useless metrics
Long term, well established KPI monitoring will improve your security posture
Good metrics can motivate the team and give you access to the resources needed. Bad ones will put you into an uphill battle.
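The slide asks whether the number of incidents is a good metric; the answer a practitioner wants is a concrete alternative. The following is an added example, not code from the deck or from PwC: it takes a small constructed incident register and derives, per quarter, the metrics that actually describe response capability (median time to detect and time to contain) alongside the raw count, plus a "repeat vector" count that operationalises the previous slide's point about falling to the same attack twice. The register rows, vector labels and the choice of median over mean are assumptions for illustration.

```python
"""Incident KPIs from a constructed register: raw count versus time to detect,
time to contain and repeated attack vectors. Added example, not from the
original deck; records, vector names and field layout are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed register, one row per closed incident:
# id, initial vector, first malicious activity, detection, containment (ISO timestamps).
INCIDENTS = [
    ("IR-01", "phishing",    "2017-01-03T08:00", "2017-01-10T09:00", "2017-01-10T17:00"),
    ("IR-02", "web-exploit", "2017-02-14T22:00", "2017-02-20T10:00", "2017-02-21T12:00"),
    ("IR-03", "phishing",    "2017-03-06T09:00", "2017-03-11T09:00", "2017-03-11T13:00"),
    ("IR-04", "phishing",    "2017-04-04T08:30", "2017-04-04T10:30", "2017-04-04T12:30"),
    ("IR-05", "usb-malware", "2017-05-02T13:00", "2017-05-02T14:00", "2017-05-02T18:00"),
    ("IR-06", "phishing",    "2017-05-16T07:45", "2017-05-16T09:45", "2017-05-16T11:45"),
    ("IR-07", "web-exploit", "2017-06-01T01:00", "2017-06-01T09:00", "2017-06-02T09:00"),
    ("IR-08", "credential",  "2017-06-20T11:00", "2017-06-20T12:00", "2017-06-20T15:00"),
]


def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def _quarter(ts):
    d = datetime.fromisoformat(ts)
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def kpis(incidents):
    """Per-quarter count, median time-to-detect and time-to-contain (hours),
    plus how many incidents reused a vector already seen in the register.
    Median rather than mean so one month-long intrusion does not hide an
    otherwise improving trend."""
    by_quarter = defaultdict(list)
    for _id, vector, first, detected, contained in incidents:
        by_quarter[_quarter(detected)].append(
            (_hours(first, detected), _hours(detected, contained)))
    per_quarter = {
        q: {"count": len(rows),
            "median_ttd_h": median([r[0] for r in rows]),
            "median_ttc_h": median([r[1] for r in rows])}
        for q, rows in sorted(by_quarter.items())
    }
    vectors = Counter(row[1] for row in incidents)
    return {
        "total": len(incidents),
        "by_quarter": per_quarter,
        "repeat_vector_incidents": sum(n - 1 for n in vectors.values()),
        "top_vector": vectors.most_common(1)[0][0],
    }


if __name__ == "__main__":
    for key, value in kpis(INCIDENTS).items():
        print(key, value)
```

On this constructed data the incident count rises from 3 in Q1 to 5 in Q2 while median time to detect falls from 132 hours to 2 hours: read as a count, security got worse; read as detection time, the new monitoring started working. The repeat-vector figure (four incidents reusing a vector already seen) is the metric that points at the post-incident hardening the slide asks for.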
Post-Incident Activity
Knowledge management
Lessons learned
Debriefing after an incident
All parties involved
Review procedures & templates
Plan for changes for the future
Blame is lame
The objective of post-incident activity is to improve for the future, not to find a scapegoat.
Active defense
Profile the attackers
Profile your organization
Assume compromise
Hunt for the adversaries
Set up traps for the future
Every incident is a lesson – the result is your threat intelligence
Enterprise Maturity
Don’t try to run if you can’t walk
COBIT maturity levels
Level 1 – Initial
Level 2 – Repeatable
Level 3 – Defined
Level 4 – Managed
Level 5 – Optimized
Be honest with yourself. Work up through the stack, one step at a time. Do not go for shortcuts. It does not work.
Expectation management
New buzzword every year
Applicability to your organization
Effect of diminishing returns
Build on solid foundation
Going step by step is cost effective
Do not set up an incident response team if you don’t know your own infrastructure. Do not buy threat intelligence if you cannot consume it.
Future Challenges
I got it! What’s next?
Hunting
Assume compromise
Set up your hunter team
Let them loose
A special mindset is required.
Clear boundaries need to be set!
Threat intelligence
Know your enemy
Share the information
Profile your organization
Automate & automate
It is not the threat intel, but how you apply it.
Build your own threat intelligence!
Active defense
Sinkholing & tarpitting
Active reconfiguration
Profile the attackers
Dynamic environment
Focus on your own environment.
Be sure to stay on the legal side!
Summary
Thank you!
Questions & answers
Ask your questions now…
… or reach out to me after
Thank you all!
Contacts
petr.spirik@gmail.com
petr.spirik@cz.pwc.com
NIST Security (look for 800-61)
csrc.nist.gov
This presentation
https://www.slideshare.net/zapp0/enterprise-incident-response-2017

REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
 
Plant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptxPlant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptx
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds  in the ClassroomFostering Friendships - Enhancing Social Bonds  in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 

Enterprise incident response 2017

5. Enterprise Aspect
Difference between SMB & Enterprise
Scalability & Complexity
30 minutes per machine is great …
… if you don’t have 10 000 machines
Manpower is the limiting factor
Automation is the way to go
Standards are necessary
Documentation is vital
Processes & governance enable enterprise incident management
Speed of the enterprise
It is a business decision to turn off the server…
… but who is the business owner?
Complexity is not only technical
Global vs. local
Cost of action vs. cost of inaction
Interaction with Risk management
The enterprise has the agility of an iceberg and the consensus of a group of cats
6. Cost of Security
How secure do you want to be?
Enterprise wants to …
Make profit!
Do business
Be agile
Not be blocked by security
The enterprise wants to be as secure as possible for as little cost as possible
Learn to answer the tough question in an educated way
Security wants to …
Spend resources
Limit access & operations
Have formal procedures & standards
Have control
Security in the enterprise is always a cost, never profit
Learn to make a business case & accept the business decisions
7. Standards & Frameworks
Making our lives easier
NIST SP 800-61 (Computer Security Incident Handling Guide)
US-centric
Part of the SP 800 family
Detailed, ready to use
No formal certification
ISO/IEC 27001:2013
EU-centric
High level
Process oriented
Certifiable by an independent body
Adoption
Do not reinvent the wheel
Cost-benefit analysis
Multiple standards implementation
Scope is critical
Customization
Understand your own enterprise
Pick wisely
Involve business
Make sure you understand the framework
8. Information Security Incident Lifecycle
NIST SP 800-61
Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident Activity, with lessons learned feeding back into Preparation
9. Preparation: Technical
Enterprise
Architecture (segmentation, access control)
Hardening (scans, patches, configuration)
Logging & reporting
Visibility & control
Segregation of duties
Ticketing & knowledge management system
Take control over your environment first, before you try to fight incidents
Security team
Logging & monitoring capabilities
Tools for incident response
Forensic/Malware lab (nice to have)
Secured area
Control over key chokepoints
Skilled team
Time invested in the preparation phase will save you during the incident
10. Preparation: Process
Enterprise
Contact with other functions (IT, business, Risk management, PR & Communication)
Change management
Incident management in the wider sense
Crisis management
Awareness & education
Leadership buy-in
Not only you, but your whole enterprise needs to act accordingly
Security team
Reporting an incident: identify inputs & tracking tool interaction
Communication plan
Ownership & governance
Policies & procedures
Templates
Incident response plans
Time invested in the preparation phase will save you during the incident
11. Detection: Technical
Logging
Continuous activity
Ingestion of logs from identified sources
Storage only (compliance)
Necessary first step
No output!
Reporting
Regular & automated
Defined KPIs & metrics
Strong for spotting trends and anomalies
Good for predicting future issues
Easy quick win: good cost:benefit ratio
Output is a static report, consumed by the security team or leadership
Monitoring / Alerting
Real time
Defined use cases to monitor (as opposed to “everything”)
Threshold-based, complex rules, functions of time
Sensitivity is the critical factor (false positives)
Output is dynamic alerting via console, SMS or e-mail to analysts
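What a single threshold-based, time-windowed use case looks like in practice, and why the slide calls sensitivity the critical factor. This is an added example written for this page, not code from the presentation or from PwC; the syslog-like line format and the sample lines are constructed for illustration. The same rule is run twice over the same input: at the default sensitivity it pages only on the password-spraying source, while the more sensitive setting also pages on a user who mistyped her password three times and then logged in.

```python
"""Threshold-based, time-windowed alerting over authentication events.

Added example (not from the original slides): one monitoring use case,
"N failed logons from one source within W seconds", implemented as a sliding
window so that threshold and window can be tuned and the false-positive cost
of a more sensitive setting can be seen on the same input.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
import re

# Constructed sample log lines (syslog-like format assumed for illustration):
# <ISO timestamp> sshd: <Accepted|Failed> password for <user> from <src>
SAMPLE_LOG = """\
2017-04-18T09:00:01Z sshd: Failed password for alice from 10.1.1.20
2017-04-18T09:00:40Z sshd: Failed password for alice from 10.1.1.20
2017-04-18T09:01:30Z sshd: Failed password for alice from 10.1.1.20
2017-04-18T09:01:55Z sshd: Accepted password for alice from 10.1.1.20
2017-04-18T09:05:00Z sshd: Failed password for root from 203.0.113.7
2017-04-18T09:05:02Z sshd: Failed password for root from 203.0.113.7
2017-04-18T09:05:04Z sshd: Failed password for admin from 203.0.113.7
2017-04-18T09:05:06Z sshd: Failed password for admin from 203.0.113.7
2017-04-18T09:05:08Z sshd: Failed password for oracle from 203.0.113.7
2017-04-18T09:05:10Z sshd: Failed password for oracle from 203.0.113.7
2017-04-18T09:30:00Z sshd: Accepted password for bob from 10.1.1.21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_auth_log(text):
    """Turn raw lines into (timestamp, outcome, user, src) tuples; skip noise."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines outside this use case are not ingested by the rule
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["outcome"], m["user"], m["src"]))
    return sorted(events, key=lambda e: e[0])


def failed_logon_alerts(events, threshold=5, window_seconds=60):
    """Alert once per source when >= threshold failures fall inside a sliding window.

    Returns (src, first_ts, last_ts, count) per alert. After an alert fires the
    window for that source is cleared, so one burst yields one alert rather than
    one alert per additional failure.
    """
    windows = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for ts, outcome, _user, src in events:
        if outcome != "Failed":
            continue
        q = windows[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            alerts.append((src, q[0], q[-1], len(q)))
            q.clear()
    return alerts


def alert_sources(text, threshold=5, window_seconds=60):
    """Sources that would page an analyst at the given sensitivity."""
    return [a[0] for a in failed_logon_alerts(parse_auth_log(text), threshold, window_seconds)]


if __name__ == "__main__":
    print("default (5 in 60 s):", alert_sources(SAMPLE_LOG))
    print("sensitive (3 in 120 s):", alert_sources(SAMPLE_LOG, 3, 120))
```

The second run shows the trade-off the slide points at: lowering the threshold and widening the window catches slower attacks but turns a user typo into a page, and every such page costs analyst time on the "eyes on the glass" side.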
12. Detection: Process
Enterprise
End users: “My computer behaves in a strange way.”
Human resources: “We fired this guy and we suspect he might try to damage the company.”
Administrators: “This is not how my domain controller is supposed to respond.”
3rd parties (clients, law enforcement, public)
Security team
Eyes on the glass: “How many analysts do I assign to security monitoring?”
Threat hunting: “I always assume compromise. And in such a case, what evidence would give the attacker away?”
Investigation result: “This computer was not only infected by commodity malware! There is more!”
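One concrete answer to the hunting question on this slide ("what evidence would give the attacker away?"): an implant that calls home on a timer produces outbound connections with unusually regular spacing, while people produce bursts and long gaps. The block below is an added example written for this page, not code from the presentation; the connection records stand in for a proxy or NetFlow export and are constructed, as are the host and destination addresses.

```python
"""Hunting for periodic outbound connections ("beaconing") in connection logs.

Added example (not from the original slides): one hypothesis-driven hunt.
Hypothesis: a compromised host that calls back to its C2 does so on a timer,
so the intervals between its connections to one destination are unusually
regular, while human-driven traffic is bursty. Input is a constructed list of
(timestamp, src, dst) records standing in for proxy or NetFlow export.
"""
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_connections():
    """Constructed sample: one beacon, one human browsing session, one rare pair."""
    rows = []
    # Implant on 10.1.1.50 calling 198.51.100.9 roughly every 300 s (small jitter).
    jitter = [0, 3, -2, 4, -1, 2, -3, 1, 0, 2]
    t = 1_000_000
    for j in jitter:
        t += 300 + j
        rows.append((t, "10.1.1.50", "198.51.100.9"))
    # Person on 10.1.1.20 browsing an intranet host: bursts, then long gaps.
    gaps = [2, 1, 45, 3, 2, 600, 4, 1, 1200, 2]
    t = 1_000_000
    for g in gaps:
        t += g
        rows.append((t, "10.1.1.20", "10.1.1.80"))
    # Too few connections to judge regularity at all.
    rows += [(1_000_100, "10.1.1.21", "192.0.2.5"), (1_000_400, "10.1.1.21", "192.0.2.5")]
    return sorted(rows)


def interval_profile(connections):
    """Per (src, dst): the inter-connection intervals in seconds, in time order."""
    by_pair = defaultdict(list)
    for ts, src, dst in connections:
        by_pair[(src, dst)].append(ts)
    profiles = {}
    for pair, times in by_pair.items():
        times.sort()
        profiles[pair] = [b - a for a, b in zip(times, times[1:])]
    return profiles


def find_beacons(connections, min_connections=8, max_cv=0.2):
    """Return (src, dst, mean_interval, cv) for pairs with regular timing.

    cv = stdev/mean of the intervals (coefficient of variation): a timer with a
    little jitter gives a small cv, a human gives a large one. min_connections
    keeps one-off pairs from being judged on two or three samples.
    """
    hits = []
    for (src, dst), intervals in interval_profile(connections).items():
        if len(intervals) + 1 < min_connections:
            continue
        m = mean(intervals)
        if m <= 0:
            continue
        cv = pstdev(intervals) / m
        if cv <= max_cv:
            hits.append((src, dst, round(m, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(build_sample_connections()):
        print("possible beacon:", hit)
```

The threshold on the coefficient of variation and the minimum connection count are the hunter's knobs: real implants add jitter precisely to defeat this, so a hit is a lead for the analyst to confirm (destination reputation, process on the host, payload sizes), not an alert in itself.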
13. Analysis: Triage
Is it a security incident?
Analyst driven, never 100% certain
If it is an incident, is it also a breach?
Who initiates the incident response?
What to do in uncertainty?
This is a Yes or No question
What can be automated should be automated, as an absolute priority
Is it major?
Major or crisis management needed
Human well-being or company existence at risk
Wider, cross-functional IR team needed
Different rules and protocols, but also prepared
Potential links to Business Continuity
Major incidents are more sensitive to process management than to technical response
14. Analysis: Preparation for response
Information gathering
Even negative information has value
Systems checked and artifacts gathered
Focus on actionable evidence
Narrowing the scope is critical: the final judgement does not need to happen now
This is going to incident response. Time is definitely a factor. The whole enterprise is waiting to crush you.
Audit trail
Timestamps and non-repudiation
Documentation for legal consequences
Knowledge management
Project/team management in case of scale explosion
If you are moving too fast to document your actions, you are moving too fast.
15. Containment: Stop the bleeding!
Stopping the attack
Primary objective is to stop further damage
Isolation & service reduction
Time is the critical factor
Involve business stakeholders
Follow the procedures
During the containment phase, the primary imperative is to stop the attack from getting worse …
Intelligence gathering
Preserve the chain of custody
Watch & learn
Look for additional compromise
Know your enemy
Take notes
… however, you also want to learn as much as you can without alerting the attacker or giving him what he wants
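The audit trail of slide 14 (timestamps, non-repudiation, documentation for legal consequences) and the chain of custody on this slide are the same mechanism seen from two sides: a record of who did what, when, to which artifact, that can later be shown not to have been rewritten. The block below is an added example written for this page, not code from the presentation or a PwC tool; the incident, host name, analyst names and the "disk image" bytes are constructed. It hash-chains every entry so that editing or dropping an earlier entry breaks verification of everything after it. Note that a hash chain alone proves integrity, not who wrote an entry; binding entries to a person means signing each entry hash with that analyst's key, which this example leaves out.

```python
"""Tamper-evident audit trail for incident response actions and evidence.

Added example (not from the original slides): every action an analyst takes
(isolating a host, imaging a disk, handing an image to legal) is appended as a
timestamped entry whose hash covers the previous entry's hash. Evidence entries
also carry the SHA-256 of the artifact, so the custody of one artifact can be
read straight out of the trail. Everything here is constructed.
"""
import hashlib
import json
from datetime import datetime, timezone


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self):
        self.entries = []

    def append(self, actor, action, detail, ts=None, artifact=None):
        """Append one entry; `ts` may be supplied for reproducibility, else now (UTC)."""
        entry = {
            "seq": len(self.entries),
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "detail": detail,
            "artifact_sha256": _sha256_hex(artifact) if artifact is not None else None,
            "prev_hash": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _entry_hash(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        # Canonical JSON so the same fields always hash the same way.
        return _sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

    def verify(self):
        """Return (ok, first_bad_seq). Recomputes every hash and checks every link."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._entry_hash(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def custody_of(self, artifact_sha256):
        """Who handled a given artifact, in order: the chain-of-custody view."""
        return [(e["ts"], e["actor"], e["action"]) for e in self.entries
                if e["artifact_sha256"] == artifact_sha256]


def demo_trail():
    """Constructed incident: isolate a host, image it, hand the image to legal."""
    t0 = datetime(2017, 4, 18, 10, 0, tzinfo=timezone.utc)
    image = b"constructed disk image bytes"  # stand-in for the real artifact
    trail = AuditTrail()
    trail.append("analyst1", "isolate", "host WS-0421 moved to quarantine VLAN", ts=t0)
    trail.append("analyst1", "acquire", "disk image of WS-0421", ts=t0.replace(minute=30), artifact=image)
    trail.append("analyst2", "transfer", "image handed to legal counsel", ts=t0.replace(hour=12), artifact=image)
    return trail, _sha256_hex(image)


if __name__ == "__main__":
    trail, digest = demo_trail()
    print("chain ok:", trail.verify())
    print("custody:", trail.custody_of(digest))
    trail.entries[0]["detail"] = "host WS-0421 left on the network"  # backdated edit
    print("after tampering:", trail.verify())
```

In an enterprise the trail would live in the ticketing or knowledge management system mentioned under Preparation, with the chain head periodically copied somewhere the IR team cannot alter (a write-once store, or a signed e-mail to legal), which is what makes the "it was edited afterwards" argument hard to raise later.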
16. Containment: Deeper dive
Disconnect the network!
Not always the best idea, not always applicable
Is the incident an insider? APT? External breach? Malware outbreak? Phishing campaign?
Prepared scenarios to the rescue
Isolate the incident in its domain (physical, network, human resources)
Factor in time & scale
Focus on breach escalation prevention
The initial containment varies from shutting down a system to doing nothing
Major incidents
Communication plan
Governance of the IR team
Regular updates & reassessments
Project plan to remediate
Don’t expect this will be over soon
Scale and complexity are your enemies
In a major incident scenario, you are most likely already in damage control mode
17. Eradication
Remove all artifacts
Clean the compromised assets
Remove all entry points
Restore clean data from backups
Patch the vulnerabilities
Close the attacker’s way in
This is the latest stage at which the attacker learns you are after him. In military terms, you are “operating in a contested environment”.
Project management
To know what to do is not that important
To carry out the plan is
Multiple team coordination
Shared responsibilities
Timelines & change windows
In an enterprise environment, the project manager can make or break the outcome. Cooperation & execution is key.
18. Recovery
Back to production
Business wants to get back operational ASAP
The incident needs to be declared over
All compromised assets are clean
Partial recovery for large scale incidents
It is a business decision to get back online. Make sure this decision is informed!
Continuous monitoring
Attackers do not give up easily
Be prepared for counter-attacks
Set up temporary, more sensitive alerting
Go back to analysis if needed
The attacker spent resources to get in. They will try to reclaim what they once had. Did you really eradicate every artifact?
19. Post-Incident Activity: Immediate & short term
Harden the environment
Cooperate with IT
Follow the change management
Use the knowledge you gained
Plug all the holes
Every incident is an opportunity to improve
Improve your detection systems!
It is no shame to fall victim to an attack. It IS a shame to fall victim to the same attack repeatedly.
Metrics & KPIs
How do you measure success?
Is the number of incidents a good metric?
What is not measured does not exist
Metrics & KPIs are a double-edged sword
Useful vs. useless metrics
Long term, well established KPI monitoring will improve your security posture
Good metrics can motivate the team and give you access to the resources needed. Bad ones will put you into an uphill battle.
20. Post-Incident Activity: Knowledge management
Lessons learned
Debriefing after an incident
All parties involved
Review procedures & templates
Plan changes for the future
Blame is lame
The objective of post-incident activity is to improve for the future, not to find a scapegoat.
Active defense
Profile the attackers
Profile your organization
Assume compromise
Hunt for the adversaries
Set up traps for the future
Every incident is a lesson; the result is your threat intelligence
21. Enterprise Maturity
Don’t try to run if you can’t walk
COBIT maturity levels
Level 1 – Initial
Level 2 – Repeatable
Level 3 – Defined
Level 4 – Managed
Level 5 – Optimized
Be honest with yourself. Work up through the stack, one step at a time. Do not go for shortcuts. It does not work.
Expectation management
New buzzword every year
Applicability to your organization
Effect of diminishing returns
Build on a solid foundation
Going step by step is cost effective
Do not set up an incident response team if you don’t know your own infrastructure. Do not buy threat intelligence if you cannot consume it.
22. Future Challenges
I got it! What’s next?
Hunting
Assume compromise
Set up your hunter team
Let them loose
A special mindset is required. Clear boundaries need to be set!
Threat intelligence
Know your enemy
Share the information
Profile your organization
Automate & automate
It is not the threat intel, but how you apply it. Build your own threat intelligence!
Active defense
Sinkholing & tarpitting
Active reconfiguration
Profile the attackers
Dynamic environment
Focus on your own environment. Be sure to stay on the legal side!
23. Summary
Thank you!
Questions & answers
Ask your questions now…
… or reach out to me after
Thank you all!
Contacts
petr.spirik@gmail.com
petr.spirik@cz.pwc.com
NIST Security (look for SP 800-61)
csrc.nist.gov
This presentation
https://www.slideshare.net/zapp0/enterprise-incident-response-2017