New Technologies in Cyber Detection and Mitigation & How to Achieve an Effective and Practical Incident Response Plan

Shahryar Shaghaghi, Managing Director, BDO Consulting, United States




Agenda

I. MEET THE PRESENTERS

II. THE CYBER LANDSCAPE & RECENT TRENDS

III. LEVERAGING NEW TECHNOLOGIES

IV. COMPONENTS OF AN EFFECTIVE INCIDENT RESPONSE PLAN

V. Q&A


MEET THE PRESENTERS


Meet the presenter

• Shahryar Shaghaghi

• National Leader

• BDO Technology Advisory Services


THE CYBER LANDSCAPE & RECENT TRENDS


The changing landscape

Attackers are becoming more sophisticated and the frequency of breaches is increasing

Breaches are not just happening to large organizations

Breaches are happening across all industries, for various incentives beyond just financial gain

Regulatory oversight related to cyber is shifting from larger organizations to mid-size and small organizations

Regulators expect proactive and tested plans as part of an organization’s preparedness

There is a growing need for organizations to equip themselves not just with prevention tools, but with detection capabilities and incident response plans as well


BDO Consulting Technology Advisory – Cybersecurity Services: Strategy | Services | Solutions

There are many different components to an effective cybersecurity program. Core components around data, applications and infrastructure are supported by critical internal and external processes and controls. Industry-specific compliance must be managed. All these parts require a strong governance model, since the underlying components bring to bear resources from different functions including the business, technology, risk management, information security, operations, etc.

Cybersecurity key components (framework diagram):

• Objectives: Confidentiality, Integrity, Availability

• Governance & Strategy

• Functions: Identify; Protect; Detect; Respond (event / incident management, disaster recovery, business continuity); Recover (investigation, insurance preparation, improvements, communication)

• Core areas: Data Protection & Privacy; Application Security; Infrastructure Security; Identity and Access Management

• Internal and external process / controls: Compliance; Third Party Risk Management; Vendor Management; Policies; Metrics / Reporting; Training / Awareness; Intelligence; Asset Inventories


World’s biggest breaches

Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Industries impacted: Academic, Banking, Energy, Financial, Gaming, Government, Healthcare, Media, Military, Retail, Technology, Telecom, Transport

Methods of leak: Accidentally published, Configuration error, Hacked, Inside job, Lost / stolen computer, Lost / stolen media, Poor security


Cyber attacks: increasingly likely

“Not if, but when.” “If the CIA can get hacked, so can you.”

Organizations still need a COMPREHENSIVE approach to cyber threats.

PROTECTING YOUR ORGANIZATION’S LAYERS OF DEFENSE IS CRITICAL

• Layers of defense

• Early detection needs to be enhanced

• Incident response plans need to be effective and tested


Threat vectors

THREAT VECTOR | DESCRIPTION | EXAMPLE

Unknown | Cause of attack is unidentified. | This option is acceptable if the cause (vector) is unknown upon initial report. The threat vector may be updated in a follow-up report.

Attrition | An attack that employs brute force methods to compromise, degrade, or destroy systems, networks, or services. | Denial of Service intended to impair or deny access to an application; a brute force attack against an authentication mechanism, such as passwords or digital signatures.

Web | An attack executed from a website or web-based application. | Cross-site scripting attack used to steal credentials, or a redirect to a site that exploits a browser vulnerability and installs malware.

Email | An attack executed via an email message or attachment. | Exploit code disguised as an attached document, or a link to a malicious website in the body of an email message.

External/Removable Media | An attack executed from removable media or a peripheral device. | Malicious code spreading onto a system from an infected USB flash drive.

Impersonation/Spoofing | An attack involving replacement of legitimate content/services with a malicious substitute. | Spoofing, man in the middle attacks, rogue wireless access points, and SQL injection attacks all involve impersonation.

Improper Usage | Any incident resulting from violation of an organization's acceptable usage policies by an authorized user, excluding the above categories. | User installs file-sharing software, leading to the loss of sensitive data; or a user performs illegal activities on a system.

Loss or Theft of Equipment | The loss or theft of a computing device or media used by the organization. | A misplaced laptop or mobile device.


Meet the hackers

THREAT TYPE | WHO AND WHAT

Advanced Persistent Threat (APT) | Organized and state-funded groups methodically infiltrating the enterprise; present for months / years

Industrial Control System Attack | Targeted attack that can disrupt activities of large-scale industrial control systems (e.g. Stuxnet)

Organized Crime | Organized crime rings targeting corporations’ data for financial gain (e.g. Target)

Hacktivism | Highly visible attacks to advance “movements,” political / policy view (e.g. Anonymous)

Insiders | Employee or contractor using access to release or exfiltrate information for personal, competitive or financial gain (e.g. Wikileaks)


BDO 2015 board survey

“….reveals that there is much work to be done in terms of implementation of cybersecurity mitigation strategies, as only one-third of board members indicate they have both identified and developed solutions to protect their critical digital assets.”

Shahryar Shaghaghi, National Practice Leader, Technology Advisory Services

https://www.bdo.com/insights

The BDO 2015 Board Survey


LEVERAGING NEW TECHNOLOGIES


COMMON ASSESSMENT TOOLS

Industry-specific cyber risk assessment tools

• e.g. the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool

Risk assessment tools that align with industry standards such as COSO and NIST

Risk assessment tools that focus on specific areas within an organization, such as penetration testing and user training

For organizations that do not have specific cyber-related issues they are focusing on, it is recommended that they apply a comprehensive cybersecurity risk assessment (not just of technology).


New technologies

Most security practices have focused on protecting assets

There is a shift in defense strategy to assume that systems have already been breached

• Mathematics (concepts of probability) and machine learning techniques

• Artificial intelligence

• Data and threat visualization tools

• Real-time total network immersion technology

• User, device, and network correlation to identify anomalies (abnormal activity compared with normal behavior, unusual connections between points of sale, significant volumes of data being moved between machines)

There are new techniques that focus on detecting threats from within (at the earliest stages of the attack lifecycle)

• These technologies analyze all internal network information in real time and calculate probabilities based on the evidence they receive

These new technologies work independently of traditional security controls and can detect emerging threats that have never previously been identified
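The probability-based correlation described above, as an added example that is not from the deck or any vendor product: it baselines each host's outbound volume and peer set from constructed flow records, then scores a new window and flags volumes that are improbable under the baseline and connections between hosts that have never talked before. All host names, flows and the probability threshold are constructed.

```python
"""Probability-based anomaly scoring over constructed network flow records."""
import math
from collections import defaultdict

# Constructed baseline: (src, dst, bytes_out) flows from a "normal" week.
BASELINE = [
    ("pos-01", "db-01", 120_000), ("pos-01", "db-01", 118_000),
    ("pos-01", "db-01", 121_000), ("pos-01", "db-01", 119_500),
    ("pos-01", "db-01", 122_000),
    ("pos-02", "db-01", 110_000), ("pos-02", "db-01", 112_000),
    ("pos-02", "db-01", 109_000), ("pos-02", "db-01", 111_500),
    ("pos-02", "db-01", 110_800),
]
# Constructed observation window to score against that baseline.
OBSERVED = [
    ("pos-01", "db-01", 120_500),    # ordinary volume to a known peer
    ("pos-02", "pos-01", 95_000),    # point-of-sale to point-of-sale, never seen before
    ("pos-02", "db-01", 2_400_000),  # roughly 20x the usual volume
]

def build_baseline(flows):
    """Per-host mean and stddev of bytes per flow, plus the set of peers seen."""
    vols, peers = defaultdict(list), defaultdict(set)
    for src, dst, nbytes in flows:
        vols[src].append(nbytes)
        peers[src].add(dst)
    stats = {}
    for host, xs in vols.items():
        mean = sum(xs) / len(xs)
        var = sum((x - mean) ** 2 for x in xs) / max(len(xs) - 1, 1)
        stats[host] = (mean, math.sqrt(var) or 1.0)  # guard against a zero stddev
    return stats, peers

def gaussian_tail(z):
    """Upper-tail probability P(Z >= z) of a standard normal, via erfc."""
    return 0.5 * math.erfc(z / math.sqrt(2))

def score_flows(flows, stats, peers, p_threshold=1e-3):
    """Return alerts (src, dst, reason, p) for flows improbable under the baseline."""
    alerts = []
    for src, dst, nbytes in flows:
        if src not in stats:
            alerts.append((src, dst, "unknown host", 0.0))
            continue
        mean, sd = stats[src]
        p = gaussian_tail((nbytes - mean) / sd)  # how surprising is this volume?
        if dst not in peers[src]:
            alerts.append((src, dst, "new peer", p))
        elif p < p_threshold:
            alerts.append((src, dst, "volume", p))
    return alerts

def detect():
    """Score the constructed window and return its alerts."""
    stats, peers = build_baseline(BASELINE)
    return score_flows(OBSERVED, stats, peers)

if __name__ == "__main__":
    for src, dst, reason, p in detect():
        print(f"{src} -> {dst}: {reason} (p={p:.3g})")
```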


A case study

MASTERCARD INC.

New machine learning technology, the Safety Net system, helped MasterCard Inc. control and limit the damage caused by three separate cyber attacks targeting their automated bank tellers.

The transaction-monitoring system employs data visualization tools

The system analyzes over 1 billion transactions daily, using algorithms to assess customer behavior in real time

Artificial intelligence, often used by financial services firms to better understand customers, is increasingly being used for data security


The top ten list: the things I wish I would have done before this breach event happened

1. Inserted myself into the reporting and threat intelligence collection process

2. Developed, implemented, socialized and exercised the event response plan

• What constitutes an “event” and who makes that call?

• Distinguish between a network security breach and unauthorized access to personal information

3. Established relationships with outside counsel and a forensic/incident response/technology firm

• Preservation of attorney-client privilege

• Negotiate a master service agreement

• An event should result in two types of report


The top ten list (continued)

4. Managed vendors regarding contract language for security standards, privacy policy, and event notice/coordination requirements

5. Identified and introduced myself to representatives from trade/industry groups, regulators and law enforcement agencies for ongoing dialogue, information sharing and event coordination

6. Scripted internal and external communications and had them pre-approved to the extent possible


The top ten list (continued)

7. Established criteria for formal notification to customers, regulators, executive management/board and shareholders

8. Designated who leads the investigation, response, remediation, notification and “after” phases and who maintains the “record”

9. Prepared for what happens after the event regarding insurance claims, litigation and remediation

10. Briefed business unit executives, senior management and board of directors about what could happen and how we would address it.


COMPONENTS OF AN EFFECTIVE INCIDENT RESPONSE PLAN


Six things every company should have (large or small)

1. Information security policy/program

2. Privacy policy

3. Incident/breach response process

4. Employee training and awareness

5. Vendor management program

6. Business continuity plan


Cybersecurity assessment

ASSESSMENT CONSISTS OF TWO PARTS:

1. Inherent Risk Profile

2. Cybersecurity Maturity

Upon completion of both parts, management and board members can evaluate whether the organization’s inherent risk and preparedness are aligned.

• DISCOVER, ANALYZE, ASSESS

Determine the risk profile to conduct a valid cybersecurity assessment

Leverage the Cybersecurity Assessment Tool to determine an organization’s preparedness

Establish metrics and monitor ongoing performance

Incorporate other industry standards (NIST) to ensure comprehensiveness of the approach


Sample incident response plan

EXAMPLE: DR Incident Response Plan (IRP) — Applications ABC, DEF, GHI (Failover to Site B)

Timeline (hours:minutes from the start of the event), reconstructed from the slide’s chart:

00:00 – 01:30 DR notification, escalation, and disaster declaration process

01:30 – 02:00 Establish IT command center

02:00 – 02:30 Configure Site B storage

02:00 – 06:00 Restore Citrix infrastructure

Additional damage assessment (to assess which systems require full failover)

02:30 – 03:00 Restore vCenter

03:00 – 03:30 Restore application ABC BUs

03:00 – 03:45 Application GHI: rebuild VM after vCenter restored

03:30 – 04:00 Set up direct access for ABC VM

03:30 – 04:00 Restore application DEF BUs

03:45 – 07:45 Application GHI: restore SQL Server DB BUs

04:00 – 04:30 Set up direct access for DEF VM

06:00 – 07:00 Set up and validate Citrix access for ABC and DEF

08:00 – 09:00 Application GHI: set up App Server and Web Server

08:00 – 10:00 Application GHI: set up DB Server

10:00 – 11:00 Set up and validate Citrix access for GHI

Tier 2 (timing not stated on the slide): initiate procuring hardware for Tier 2 systems; Tier 2 recovery
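One way to make a timeline like this checkable before it is exercised, as an added example that is not part of the deck: the failover steps encoded as tasks with start/end offsets and dependencies, validated so that no step starts before the steps it relies on have finished, with the overall recovery time and any idle slack reported. The dependency edges are assumptions drawn from the slide's ordering (the slide states only that the GHI VM rebuild follows the vCenter restore); task names are constructed.

```python
"""Validate a DR runbook timeline as data: dependency order, RTO and slack."""
from dataclasses import dataclass

def hm(text):
    """'03:45' -> minutes since the disaster declaration began."""
    h, m = text.split(":")
    return int(h) * 60 + int(m)

@dataclass(frozen=True)
class Task:
    name: str
    start: int       # minutes from 00:00
    end: int
    deps: tuple = () # names of tasks that must finish before this one starts

# Times are the slide's; dependency edges are assumptions, not stated on the slide.
PLAN = [
    Task("declare",        hm("00:00"), hm("01:30")),
    Task("command_center", hm("01:30"), hm("02:00"), ("declare",)),
    Task("siteb_storage",  hm("02:00"), hm("02:30"), ("command_center",)),
    Task("citrix_infra",   hm("02:00"), hm("06:00"), ("command_center",)),
    Task("vcenter",        hm("02:30"), hm("03:00"), ("siteb_storage",)),
    Task("abc_restore",    hm("03:00"), hm("03:30"), ("vcenter",)),
    Task("ghi_vm_rebuild", hm("03:00"), hm("03:45"), ("vcenter",)),
    Task("abc_access",     hm("03:30"), hm("04:00"), ("abc_restore",)),
    Task("def_restore",    hm("03:30"), hm("04:00"), ("vcenter",)),
    Task("ghi_sql_restore", hm("03:45"), hm("07:45"), ("ghi_vm_rebuild",)),
    Task("def_access",     hm("04:00"), hm("04:30"), ("def_restore",)),
    Task("citrix_abc_def", hm("06:00"), hm("07:00"),
         ("citrix_infra", "abc_access", "def_access")),
    Task("ghi_db_server",  hm("08:00"), hm("10:00"), ("ghi_sql_restore",)),
    Task("ghi_app_web",    hm("08:00"), hm("09:00"), ("ghi_vm_rebuild",)),
    Task("citrix_ghi",     hm("10:00"), hm("11:00"),
         ("citrix_infra", "ghi_db_server", "ghi_app_web")),
]

def validate(plan):
    """Return (task, dependency) pairs where a task starts before its dependency ends."""
    by_name = {t.name: t for t in plan}
    return [(t.name, d) for t in plan for d in t.deps if t.start < by_name[d].end]

def rto_minutes(plan):
    """Recovery time objective implied by the plan: the latest task end."""
    return max(t.end for t in plan)

def idle_gaps(plan):
    """Minutes each task waits after all its dependencies are done (reclaimable slack)."""
    by_name = {t.name: t for t in plan}
    gaps = {}
    for t in plan:
        if t.deps:
            ready = max(by_name[d].end for d in t.deps)
            if t.start > ready:
                gaps[t.name] = t.start - ready
    return gaps

if __name__ == "__main__":
    print("ordering problems:", validate(PLAN))
    print("RTO (minutes):", rto_minutes(PLAN))
    print("idle slack:", idle_gaps(PLAN))
```

A plan with an ordering error shows up in validate() as the offending pair, which is cheaper to find on paper than during a live failover test.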


Approach to cyber investigations

INCIDENT RESPONSE AND REMEDIATION

IDENTIFICATION

• Location of the incident

• How was it discovered?

• Other areas compromised?

• Scope of the impact

• Have sources been identified?

• Business impact

CONTAINMENT

• Short-term containment (is the problem isolated / are systems isolated?)

• System backup (evidence collection, imaging)

• Long-term containment (system off-line)

ERADICATION

• Re-image and update patches, harden system(s)

• Removal of malware and artifacts from system(s)

RECOVERY

• When can system(s) come back online?

• Have systems been prepared to thwart future attacks?

• What testing and monitoring solutions are going to be used in future?

LESSONS LEARNED

• How can we prevent this in the future?

• Incident report: Who? What? Why? How? Where? When?

• Implement preventative measures


An Exceptional Range of Cybersecurity Services

The services below represent the end-to-end service offering based on a thorough understanding of market demand, leveraging of existing standards (FFIEC, COSO, COBIT, NIST, GLB, FINRA, etc.), and our own expertise in Cybersecurity best practices.

Cyber Risk Management Strategy & Program Design: Design and implement a comprehensive program aligned with an existing enterprise risk management framework. Includes strategy, organizational structure, governance, policies and procedures, training, and both internal and external communications.

Cyber Risk Assessment & Security Testing: Assess risks and identify vulnerabilities to digital assets and critical infrastructure to evaluate their potential impact and damage, prioritizing risks against the costs of protection. Includes assessments, security testing, remediation, and deep experience in credit card risk mitigation.

Security Architecture & Transformation: Design and implement a Cybersecurity architecture and framework tailored to business needs and the enterprise ecosystem. Encompasses access controls, entitlement, data protection, data privacy, and monitoring.

Incident Response Planning & Management: Develop and test comprehensive incident response plans to minimize the impact of a breach. Considers company processes, as well as roles and responsibilities of individuals throughout the organization. Provide response management services for communication, notifications and coordination to manage an incident towards recovery.

Business Continuity Planning & Disaster Recovery: Develop and test company-wide business continuity and disaster recovery plans for critical systems, applications, infrastructure, facilities, people, and business processes.

Digital Forensics & Cyber Investigations: Rapid response to breach incidents, including identification of root cause and implementation of remediation measures for affected areas, as well as expert testimony when needed.

Cyber Insurance Claim Preparation & Coverage Adequacy Evaluation: Identify and quantify incurred event response costs for inclusion and submission in an insured entity’s insurance claim. Pre-loss services include measuring estimated response costs related to data breach scenarios to assist in evaluating cyber insurance coverage.

Our strategic advantage starts with having a dedicated practice that spans the full lifecycle of Cybersecurity. This is supported by other factors such as practice leaders with deep industry and Cybersecurity experience, extensive experience in Financial Services and Healthcare, which are the top two impacted industries, and extensive experience in forensics, investigations, and monitoring services.


RECAP & FINAL THOUGHTS


Q&A


THANK YOU!