incident response: don't mess it up, here's how to get it right
DESCRIPTION
According to Gartner, "75% of CISOs who experience publicly disclosed security breaches and lack documented, tested response plans will be fired." According to Forrester, "You can't afford ineffective incident response." Despite these stakes, the incident response capability at most organizations is immature. Based on an anonymized breach scenario, this webinar will define a framework for the broader incident response (IR) process. By highlighting IR components that were handled well, and a few that weren't, attendees will gain practical experience to help them better prepare for the inevitable. Our featured speakers for this webinar will be:
• Jim Goddard, Managing Principal, Security Intelligence and Operations Consulting, HP Enterprise Security
• Ted Julian, Chief Marketing Officer, Co3 Systems. Serial security and compliance entrepreneur.
TRANSCRIPT
Incident Response
Don’t mess it up – here’s how to
get it right
Page 2
Agenda
• Introductions
• Today’s reality
• The Integrated Incident Response Process
• Q&A
Page 3
Introductions: Today’s Speakers
• Jim Goddard, Managing Principal, HP Security Intelligence & Operations Consulting
  • Jim oversees HP’s security intelligence & operations consulting practice, where he helps clients build security analytics and incident response capabilities.
• Ted Julian, Chief Marketing Officer, Co3 Systems
  • Ted is a serial entrepreneur who has launched four companies during his ~20 years in the security / compliance industry.
Page 4
Co3’s Incident Response Management Platform
(Platform diagram; side labels: SSAE 16 Type II certified hosting facility; dashboards & reporting)
• Automated Escalation: accelerate response by easily creating incidents from the systems you already have (Email, Web Form, Trouble Ticketing, Entry Wizard, SIEM)
• Instant Creation and Streamlined Collaboration: IR plans created instantly based on regulations, best practices, and standard operating procedure. Collaborate on plan execution across multiple functions (Marketing, Legal & Compliance, IT, HR)
• Accelerated Mitigation: speed results by easily outputting results to your management platforms (SIEM, Trouble Ticketing, GRC)
• Intelligent Correlation: determine related incidents automatically to identify broader, concerted attacks
• Integrated Intelligence: gain valuable threat intelligence instantly from multiple intelligence feeds
• IR Plan inputs: Organizational SOPs, Global Privacy Breach Regulations, Contractual Requirements, Community Best Practices, Industry Standard Frameworks
Page 5
HP Security Intelligence & Operations Consulting
Experience:
• Founded 2008
• 30+ Fortune 500 & Fed SOC Builds
• 80+ SOC Assessments
Solution Approach:
• People, Process, & Technology
Accelerated Success:
• Mature Project Methodology
• Best Practices
• Extensive Intellectual Capital
Expertise:
• 50+ Years of SOC Experience in
SIOC Leadership team alone
Page 6
What is so important about these numbers?
94
71
416
Page 7
The time to discover a breach is excessively long.
416 days is the average time to detect a breach
Source: Ponemon Institute
Page 8
Most breaches are discovered through third parties.
94% of breaches are reported by a 3rd party
Source: Ponemon Institute
Page 9
Breach response is becoming more complex.
71% more time is needed to resolve a
breach as compared to 2010.
Source: Ponemon Institute
Page 10
Integrated detection, analysis and incident response
is essential to improve effectiveness.
"75% of chief information security
officers (CISOs) who experience
publicly disclosed security breaches and
lack documented, tested response plans
will be fired."
Gartner, 2013
Source: “Security Information and Event Management Architecture and
Operational Processes,” January 2013, Gartner
Page 11
The new reality is not if but when …
POLL
Page 13
The incident management process is iterative and self-learning.
• Preparation
• Detection
• Analysis
• Containment
• Eradication
• Post-Action
POLL
Page 15
Incident management involves people, process and technology.
(Diagram: a numbered escalation flow, steps 1–7, across three layers)
• Technology: Firewall, Network, ID/PS, Web server, Proxy, ESM server
• People: Level 1 and Level 2 Engineers, Incident Handler, Network & System Owners, Business, Intel / Threat
• Process: the escalation path through these roles, ending with "Case closed"
Page 16
Incident management also requires full recognition of the kill chain.
Source: Lockheed Martin
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. C2
7. Actions on Objective
Page 17
Detection is powered by a SIEM technology such as HP ArcSight. (Phase: Detection)
• Inputs to the SIEM: Firewalls / VPN, IDS/IPS, Server / Desktop, Network Devices, Antivirus, Apps, Assets, Network Model, Intel
• Security Operations Center: React, Respond, Eradicate
Page 18
Hypothesis-driven analysis synthesizes technology with human interpretation. (Phase: Analysis)
• What are the possibilities?
• What evidence supports each?
• What is the likelihood of each?
• What are our conclusions?
Page 19
Containment requires visibility to the threat and relevant controls. (Phase: Containment)
Dimensions: Surfaces, Location, Vectors, Contacts
• What are the avenues of approach?
• What components are at risk?
• Where are the at-risk surfaces?
• How do we initiate countermeasures?
Page 20
Eliminating the threat brings together the security ecosystem. (Phase: Eradication)
Parties involved in threat eradication: Software vendors, Service providers, Legal, Security Operations
Page 21
Regular reviews drive situational awareness and improve the process. (Phase: Post-Action Review)
• What happened?
• Was the analysis correct?
• What milestones are needed?
• Can it happen again?
• How do we change?
Page 22
All along the way organizations need a controlled and documented workflow.
• Detection: ArcSight shows a connection to a blacklisted host.
• Analysis: Logger evidence points to an advanced threat.
• Containment: Main vector shown in ArcSight is Oracle.
• Eradication: Database service provider engaged.
• After action review: Lessons learned and milestones set to monitor the threat.
Page 23
Co3’s Incident Response Management Platform (slide repeated from Page 4)
Page 24
Automatic Escalation
Page 25
Manual Escalation
Instantiate new Co3 Incident from multiple related alerts
• Automatically imports alert details as artifacts
• Automatically evaluates against current threat intelligence
• Automatically generates initial IR plan
• Automatically notifies appropriate IR team
Escalate alerts to existing Co3 Incident
• Imports alert details as artifacts
• Automatically evaluates against current threat intelligence
• Notifies existing IR team of relevant threat data
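The escalation steps listed above (group related alerts, import them as artifacts, check their indicators against threat intelligence, generate an initial plan over the deck's phases, notify a team, or fold new alerts into an incident that already tracks the same indicator) can be shown as a small piece of triage logic. The following is an added example written for this page; it is not Co3's or HP's code, and it does not use any real product API. The alerts, the threat-intelligence entries, the team names and the hosts (TEST-NET documentation addresses) are all constructed.

```python
"""Escalate SIEM/IDS/proxy alerts into incident records (added example, not vendor code)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed threat-intelligence feed: indicator -> note. The address is from a
# documentation range (TEST-NET-3), so it does not refer to any real host.
THREAT_INTEL = {
    "203.0.113.45": "blacklisted host (constructed intel entry)",
}

# Constructed alerts as they might arrive from a SIEM, an IDS, a proxy or an e-mail report.
SAMPLE_ALERTS = [
    {"id": "A-1", "source": "SIEM", "src": "10.0.5.17", "dst": "203.0.113.45", "rule": "outbound connection to blacklisted host"},
    {"id": "A-2", "source": "IDS", "src": "10.0.5.17", "dst": "203.0.113.45", "rule": "periodic TLS beacon"},
    {"id": "A-3", "source": "Proxy", "src": "10.0.7.2", "dst": "198.51.100.9", "rule": "large outbound upload"},
    {"id": "A-4", "source": "SIEM", "src": "10.0.7.2", "dst": "198.51.100.9", "rule": "Oracle listener anomaly"},
    {"id": "A-5", "source": "Email", "src": "10.0.9.3", "dst": "192.0.2.77", "rule": "user-reported phishing link"},
]

# Phases from the deck; team names are assumed for the example.
PHASES = ["Detection", "Analysis", "Containment", "Eradication", "Post-action review"]
TEAMS = {"high": ["IR lead", "SOC L2", "Legal & Compliance"], "medium": ["SOC L2"], "low": ["SOC L1"]}


@dataclass
class Incident:
    id: str
    artifacts: list = field(default_factory=list)    # alert details imported verbatim
    indicators: dict = field(default_factory=dict)   # indicator -> intel note, or None if no match
    severity: str = "low"
    plan: list = field(default_factory=list)         # (phase, first task) pairs
    notify: list = field(default_factory=list)


def correlate(alerts):
    """Group alerts that share the same (source host, destination host) pair as related."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[(alert["src"], alert["dst"])].append(alert)
    return groups


def evaluate_intel(indicators, intel):
    """Look every indicator up in the feed; a None value records that it was checked and missed."""
    return {i: intel.get(i) for i in indicators}


def severity_for(intel_hits, alert_count):
    if intel_hits:
        return "high"
    return "medium" if alert_count > 1 else "low"


def initial_plan(severity, intel_hits):
    """Skeleton plan over the phases, with a concrete first task where the evidence justifies one."""
    plan = [(phase, "assign owner and record start time") for phase in PHASES]
    if intel_hits:
        plan[1] = ("Analysis", "confirm intel matches: " + ", ".join(sorted(intel_hits)))
        plan[2] = ("Containment", "block matched hosts at firewall and proxy")
    if severity == "high":
        plan[3] = ("Eradication", "engage system owner and service provider")
    return plan


def escalate(alerts, intel, existing=()):
    """Create incidents from related alerts, or fold alerts into an existing incident that
    already tracks the same destination indicator. Returns (created, escalated)."""
    created, escalated = [], []
    for (src, dst), group in correlate(alerts).items():
        artifacts = [{"alert_id": a["id"], "source": a["source"], "rule": a["rule"]} for a in group]
        intel_result = evaluate_intel([src, dst], intel)
        match = next((inc for inc in existing if dst in inc.indicators), None)
        if match is not None:
            # Escalate into the existing incident: add artifacts, refresh intel, notify its team.
            match.artifacts.extend(artifacts)
            match.indicators.update(intel_result)
            if all(e is not match for e in escalated):
                escalated.append(match)
            continue
        hits = {k: v for k, v in intel_result.items() if v}
        severity = severity_for(hits, len(group))
        created.append(Incident(
            id=f"INC-{len(existing) + len(created) + 1:04d}",
            artifacts=artifacts, indicators=intel_result, severity=severity,
            plan=initial_plan(severity, hits), notify=list(TEAMS[severity])))
    return created, escalated


if __name__ == "__main__":
    new, _ = escalate(SAMPLE_ALERTS, THREAT_INTEL)
    for inc in new:
        print(inc.id, inc.severity, [a["alert_id"] for a in inc.artifacts], "->", inc.notify)
```

Grouping on the (source, destination) pair is the simplest correlation key; a SIEM would normally add time windows and asset context. The important property for the "existing incident" path is that indicators are stored even when the feed misses them, so a later feed update can be re-evaluated against the incident's full history.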
Page 26
Remember these numbers?
• 416 days to detect a breach → Hours, not days
• 94% of breaches reported by a 3rd party → Internal, not external
• 71% more time is needed to resolve a breach as compared to 2010 → Reduce response time by 90%
POLL
QUESTIONS
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a
nightmare scenario as painless as possible,
making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“Co3…defines what software packages for
privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and
very well designed.”
PONEMON INSTITUTE
Jim Goddard
Managing Principal
HP Security Intelligence & Operations Consulting
303.818.0583
“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013