you've been breached: how to mitigate the incident

Post on 06-Aug-2015


You’ve Been Breached: How to Mitigate the Incident

WEBINAR


Slide 3

Agenda

I. Introductions

II. Who Are We

III. The Incident Response Lifecycle

IV. Objectives of Mitigation

V. Effective Paths to Mitigation

VI. Reactive Mitigation Strategies

VII. Proactive Mitigation Strategies

VIII. Close

Slide 4

Introductions

• Ted Julian, Chief Marketing Officer, Co3 Systems

• Stephen Brennan, Global Technical Consulting Lead, CSC

Slide 5

About Co3 – Incident Response Management

PREPARE – Improve Organizational Readiness

• Appoint team members

• Fine-tune response SOPs

• Escalate from existing systems

• Run simulations (firedrills / table tops)

ASSESS – Identify and Evaluate Incidents

• Assign appropriate team members

• Evaluate precursors and indicators

• Correlate threat intelligence

• Track incidents, maintain logbook

• Prioritize activities based on criticality

• Generate assessment summaries

MANAGE – Contain, Eradicate, and Recover

• Generate real-time IR plan

• Coordinate team response

• Choose appropriate containment strategy

• Isolate and remediate cause

• Instruct evidence gathering and handling

• Log evidence

MITIGATE – Document Results & Improve Performance

• Generate reports for management, auditors, and authorities

• Conduct post-mortem

• Update SOPs

• Track evidence

• Evaluate historical performance

• Educate the organization

Slide 6

Who is CSC?

• 5+ Integrated Global Security Operations Centers

• 15+ Global Alliance Partners Providing Security Expertise

• 35+ Years Providing Cybersecurity Services

• 2000+ Global Cybersecurity Professionals

Trusted. Integrated. Efficient.

Slide 7

Who is CSC?

Recognized Industry Leader:

• Commitment to Growth

• Recent Acquisitions

• Alliance Partnerships

• IDC named CSC a “Leader” in the inaugural IDC MarketScape: Worldwide Managed Security Services 2014 Vendor Assessment.

• The IDC analysis and buyer perception study results placed CSC as the leading provider in the “strategies” axis, and as one of the firms with the greatest capability in delivering global managed security services (MSS).

Slide 8

The Incident Response Lifecycle

POLL QUESTION #1

Does your org have a formal process for mitigating incidents?

Slide 10

Objectives of Mitigation

• Generate reports for management, auditors, and authorities

• Conduct post-mortem

• Update SOPs

• Track evidence

• Evaluate historical performance

• Educate the organization

Slide 11

Effective Paths to Mitigation

Source: NIST Preliminary Cybersecurity Framework

POLL QUESTION #2

Has your org defined a path of mitigation for handling each of the three types of events/incidents?

Slide 13

Reactive Mitigation Strategies

• Repair systems

• Eliminate attack vectors

• Mitigate exploitable vulnerabilities

• Validation of the repair process

• Test systems to ensure compliance with policy and risk mitigation

• Perform additional repairs to resolve all current vulnerabilities

Slide 14

Proactive Mitigation Strategies

• Determine the attack vector and scope of incident

• Know the enemy—identify their tools and tactics

• Collaboratively design a containment strategy and document it

• Create a task list based on containment plan

• Delegate and monitor tasks until containment is achieved

• Restrict Administrative Privileges

• Application Whitelisting

• Patch and Deploy Current Applications and Operating Systems

• Strengthen workstation defences

• Enforce strong user authentication

• Protect your email service

• Defend the web gateway and harden web applications

• Monitor your system infrastructure

• Monitor your network

• Educate users about social engineering

POLL QUESTION #3

Is your firm practicing both reactive and proactive means of mitigating incidents?

Slide 16

Mitigation Example – Pass The Hash

• High privilege domain accounts are used to log on to workstations and servers.

• Applications or services run with high privilege accounts.

• Scheduled tasks run with high privilege accounts.

• Ordinary user accounts (Local or Domain) are granted membership to the local Administrators group on their workstations.

• Highly privileged user accounts can be used to directly browse the Internet from workstations, domain controllers, or servers.

• The same password is configured for the built-in local Administrator account on most or all workstations and servers.

Source: Trustworthy Computing

Slide 17

Mitigation Example – Pass The Hash (cont.)

• Restrict and protect high privileged domain accounts

• Restrict and protect local accounts with administrative privileges

• Remove standard users from the local Administrators group.

• Configure outbound proxies to deny Internet access to privileged accounts.

• Ensure administrative accounts do not have email accounts or mailboxes associated with them.

Source: Trustworthy Computing
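To make the slide-16 risk conditions checkable on a single host, here is an added PowerShell audit script; it is not from the webinar or from Co3/CSC. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module, run with local admin rights, and the $ApprovedAdmins / $PrivilegedAccounts lists and CONTOSO names are hypothetical values you would replace with your own.

```powershell
# Added audit example (not from the webinar). Assumes Windows PowerShell 5.1+
# with Microsoft.PowerShell.LocalAccounts, run as a local administrator.
# $ApprovedAdmins and $PrivilegedAccounts are hypothetical lists; CONTOSO names are constructed.

$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (give it a unique, LAPS-managed password)
    'CONTOSO\Workstation-Admins'          # the one domain group allowed local admin rights
)
$PrivilegedAccounts = @('CONTOSO\Domain Admins', 'CONTOSO\svc-backup')   # high-privilege identities

function Test-PassTheHashExposure {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Check, $Subject, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Subject = $Subject; Detail = $Detail })
    }

    # Slide 16, bullet 4: ordinary users granted membership in the local Administrators group
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $ApprovedAdmins -notcontains $_.Name } |
        ForEach-Object { Add-Finding 'UnexpectedLocalAdmin' $_.Name $_.ObjectClass }

    # Slide 16, bullet 2: services running under high-privilege accounts
    Get-CimInstance Win32_Service |
        Where-Object { $PrivilegedAccounts -contains $_.StartName } |
        ForEach-Object { Add-Finding 'PrivilegedServiceAccount' $_.Name $_.StartName }

    # Slide 16, bullet 3: scheduled tasks running under high-privilege accounts
    Get-ScheduledTask |
        Where-Object { $PrivilegedAccounts -contains $_.Principal.UserId } |
        ForEach-Object { Add-Finding 'PrivilegedScheduledTask' $_.TaskName $_.Principal.UserId }

    # Slide 16, bullet 1: high-privilege accounts with a logon session on this host
    # (Win32_LoggedOnUser.Antecedent resolves to a Win32_Account with Domain and Name)
    Get-CimInstance Win32_LoggedOnUser |
        ForEach-Object { "$($_.Antecedent.Domain)\$($_.Antecedent.Name)" } |
        Sort-Object -Unique |
        Where-Object { $PrivilegedAccounts -contains $_ } |
        ForEach-Object { Add-Finding 'PrivilegedLogonSession' $_ 'logon session present' }

    return $findings
}

# Service and task principals may be stored as DOMAIN\user or user@domain;
# normalise your lists to the format your hosts actually use before comparing.
Test-PassTheHashExposure | Format-Table -AutoSize
```

Each finding maps to a slide-17 mitigation: UnexpectedLocalAdmin to removing standard users from local Administrators, and the other three to restricting where high-privilege accounts are used.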

Questions?

Slide 19

Upcoming Co3 Events

• IT-Defense 2015 Leipzig, Germany, Feb 4-6, 2015

Our CTO Bruce Schneier will be delivering a keynote on the "Future of Incident Response" on Thursday, February 5th at 2pm.

• IAPP Global Privacy Summit, Washington D.C., March 4-6, 2015

• RSA Conference 2015, San Francisco, April 20-24, 2015

One Alewife Center, Suite 450

Cambridge, MA 02140

PHONE 617.206.3900

WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”

PC MAGAZINE, EDITOR’S CHOICE

“One of the hottest products at RSA…”

NETWORK WORLD – FEBRUARY 2013

“Co3…defines what software packages for privacy look like.”

GARTNER

“Platform is comprehensive, user friendly, and very well designed.”

PONEMON INSTITUTE

Stephen Brennan, Global Technical Consulting Lead, CSC

For a free consultation, please visit: info.co3sys.com/free-consultation

Slide 21


“One of the most important startups in security…”

– Business Insider


“...an invaluable weapon when responding to security incidents.”

– Government Computer News

“Co3 has done better than a home-run...it has knocked one out of the park.”

– SC Magazine

Most Innovative Product
