MassTLC Opening Slides and Simulation Session


Upload: masstlc

Post on 07-Jan-2017


Page 1: MassTLC Opening Slides and Simulation Session

MassTLC Security Conference
COMPREHENSIVE SECURITY – A 360° VIEW OF YOUR SECURITY PROGRAM

Tweet it out @MassTLC #MTLCsecurity


The MA Tech Ecosystem


Thank You to Our Platinum Sponsor


Thank You to Our Gold Sponsors


Thank You to Our Silver Sponsors


Thanks to Our Global Sponsors


Save the Date!

September 14: MassTLC Leadership Awards Gala

October 6: Software Development Conference: Data, Development, & Drive

November 18: Transform


Today’s Agenda

Welcome
Keynote: Dave Mahon, VP & Chief Security Officer, CenturyLink
Simulated Breach
Breakout Sessions #1
– Harnessing the 3rd Party Ecosystem
– Building Your Incident Response Plan
Breakout Sessions #2
– User Entity Behavior Analytics
– Security Operations Analytics and Reporting
– Application Security
Networking and Career Fair


Keynote Address

Dave Mahon
CenturyLink


Data Breach Simulation Panel
MASSTLC AUGUST 2016


Agenda

Introductions
Simulation
– More details are learned
Lessons learned


Simulation

We will discuss important topics such as legal disclosure, cyber insurance, incident response plans, communication and working with law enforcement.

This simulation is fictitious and ……


Our Victim - WindResources

WindResources is the leading global manufacturer of wind turbines.
Everyone wants this technology, and some are willing to get it any way possible.
WindResources products are network devices.
WindResources customers include the government, states and consumers.


How the incident unfolded - WIP

A Sales Director, John Doe, has called the WindResources helpdesk to report that his machine is acting sluggishly and that this might be due to a malware infection. He has received an email regarding Nuclear Radiation and has tried unsuccessfully to open the Excel attachment.

Triage is performed on John’s computer, and suspicious files in a TEMP folder as well as suspicious running processes are observed.

The WindResources SOC Forensics team is engaged to analyze the computer and concludes that it has been compromised. They examine web access (proxy) logs for this computer


Process

Steady State
• Where you want to be

Validation
• Validation – Is the event real?
• What do I do?

It is Real
• What is the impact?
• Who needs to be involved?
• What are the next steps?


Day 2 thru 5

While the Forensics team was doing their analysis, the CERT Incident Coordinator examined email logs. The Incident Coordinator identifies other users from the list who are affected as well. The coordinator now engages the Forensics team to examine other computers.

The forensic analysis of the other computers shows that they are infected by the same malware as was found on the first computer.

The web access logs obtained earlier also seem to indicate that something may have been uploaded from a machine.

One of the files recovered from a computer appears to contain customer login credentials, so the coordinator obtains logs from the system.

This showed many customer accounts logging in from Russia. The incident coordinator then escalated to the SOC manager as a critical incident.


Day 5+

One of the company's security providers contacted the Cybersecurity team to report that data has been recovered from a Russian hacker web site.

A customer who performed a Google search on his own name has found his personal details in a hacker forum.


Lessons Learned

Have an incident response plan
When to engage Legal
Be prepared to communicate
Engage in Threat-Sharing
Select Points of Contact
When to engage Law Enforcement
Develop swift messaging
Practice!