TRANSCRIPT
New Technologies in Cyber Detection and Mitigation &
How to Achieve an Effective and Practical Incident Response Plan
Shahryar Shaghaghi, Managing Director
BDO Consulting, United States
Agenda
I. MEET THE PRESENTERS
II. THE CYBER LANDSCAPE & RECENT TRENDS
III. LEVERAGING NEW TECHNOLOGIES
IV. COMPONENTS OF AN EFFECTIVE INCIDENT RESPONSE PLAN
V. Q&A
MEET THE PRESENTERS
Meet the presenter
• Shahryar Shaghaghi
• National Leader, BDO Technology Advisory Services
THE CYBER LANDSCAPE & RECENT TRENDS
The changing landscape
Attackers are becoming more sophisticated and the frequency of breaches is increasing
Breaches are not just happening to large organizations
Breaches are happening across all industries, for various incentives beyond just financial
Regulatory oversight related to cyber is shifting from larger organizations to mid-size and small organizations
Regulators are expecting proactive and tested plans as part of an organization’s preparedness
There is a growing need for organizations to equip themselves with not just prevention tools, but detection and incident response plans as well
BDO Consulting Technology Advisory – Cybersecurity Services: Strategy | Services | Solutions
There are many different components to produce an effective Cybersecurity program. Core components around Data, Applications and Infrastructure are supported by critical internal and external processes and controls. Industry-specific compliance must be managed. All these parts require a strong governance model, since the underlying components bring to bear resources from different functions including the business, technology, risk management, information security, operations, etc.
[Diagram: Cybersecurity Key Components. Goals: Confidentiality, Integrity, Availability. Functions: Identify, Protect, Detect, Respond (Event / Incident Management, Disaster Recovery, Business Continuity), Recover (Investigation, Insurance Preparation, Improvements, Communication). Core components: Governance & Strategy, Data Protection & Privacy, Application Security, Infrastructure Security, Identity and Access Mgmt, Compliance, Third Party Risk Management, Vendor Management. Supporting processes: External Process / Controls, Internal Process / Controls, Policies, Metrics / Reporting, Training / Awareness, Intelligence, Asset Inventories.]
World’s biggest breaches
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Industries impacted:
Academic
Banking
Energy
Financial
Gaming
Government
Healthcare
Media
Military
Retail
Technology
Telecom
Transport
Methods of leak:
Accidentally published
Configuration error
Hacked
Inside job
Lost / stolen computer
Lost / stolen media
Poor security
LESSONS LEARNED? Cyber risks
Rate of breaches increasing since 2005
Cross-industry impact: healthcare, retail, insurance, technology, financial services
Multiple types of breaches/threats
Cyber attacks: increasingly likely
“Not if, but when.” “If the CIA can get hacked, so can you.”
Organizations still need a COMPREHENSIVE approach to cyber threats.
PROTECTING YOUR ORGANIZATION’S LAYERS OF DEFENSE IS CRITICAL
LAYERS OF DEFENSE
EARLY DETECTION NEEDS TO BE ENHANCED
INCIDENT RESPONSE PLANS NEED TO BE EFFECTIVE AND TESTED
Threat vectors
THREAT VECTOR | DESCRIPTION | EXAMPLE
Unknown | Cause of attack is unidentified. | This option is acceptable if cause (vector) is unknown upon initial report. The threat vector may be updated in a follow-up report.
Attrition | An attack that employs brute force methods to compromise, degrade, or destroy systems, networks, or services. | Denial of Service intended to impair or deny access to an application; a brute force attack against an authentication mechanism, such as passwords or digital signatures.
Web | An attack executed from a website or web-based application. | Cross-site scripting attack used to steal credentials, or a redirect to a site that exploits a browser vulnerability and installs malware.
Email | An attack executed via an email message or attachment. | Exploit code disguised as an attached document, or a link to a malicious website in the body of an email message.
External/Removable Media | An attack executed from removable media or a peripheral device. | Malicious code spreading onto a system from an infected USB flash drive.
Impersonation/Spoofing | An attack involving replacement of legitimate content/services with a malicious substitute. | Spoofing, man-in-the-middle attacks, rogue wireless access points, and SQL injection attacks all involve impersonation.
Improper Usage | Any incident resulting from violation of an organization's acceptable usage policies by an authorized user, excluding the above categories. | User installs file-sharing software, leading to the loss of sensitive data; or a user performs illegal activities on a system.
Loss or Theft of Equipment | The loss or theft of a computing device or media used by the organization. | A misplaced laptop or mobile device.
Meet the hackers
THREAT TYPE | WHO AND WHAT
Advanced Persistent Threat (APT) | Organized and state-funded groups methodically infiltrating the enterprise; present for months / years
Industrial Control System Attack | Targeted attack that can disrupt activities of large-scale industrial control systems (e.g. Stuxnet)
Organized Crime | Organized crime rings targeting corporations’ data for financial gain (e.g. Target)
Hacktivism | Highly visible attacks to advance “movements,” political / policy view (e.g. Anonymous)
Insiders | Employee or contractor using access to release or exfiltrate information for personal, competitive or financial gain (e.g. Wikileaks)
BDO 2015 board survey
“….reveals that there is much work to be done in terms of implementation of cybersecurity mitigation strategies, as only one-third of board members indicate they have both identified and developed solutions to protect their critical digital assets.”
Shahryar Shaghaghi, National Practice Leader, Technology Advisory Services
Source: The BDO 2015 Board Survey, https://www.bdo.com/insights
LEVERAGING NEW TECHNOLOGIES
COMMON ASSESSMENT TOOLS
Industry specific cyber risk assessment tools
• e.g. Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool
Risk assessment tools that align with industry standards such as COSO and NIST
Risk assessment tools that focus on specific areas within an organization, such as penetration testing and user training
For those organizations that do not have specific cyber-related issues that they are focusing on, it is recommended that they apply a comprehensive cybersecurity risk assessment (not just technology).
New technologies
Most security practices have focused on protecting assets
There is a shift in defense strategy to assume that systems have already been breached
• Mathematics (concepts of probability) and machine learning techniques
• Artificial intelligence
• Data and threat visualization tools
• Real-time total network immersion technology
• User, device, and network correlation to identify anomalies (abnormal activity around normal behavior, unusual connections between point of sales, significant volumes of data being moved between machines)
There are new techniques that focus on detecting threats from within (at the earliest stages of the attack lifecycle)
• These technologies analyze all internal network information in real time and calculate probabilities based on the evidence they receive
These new technologies do not depend on traditional security controls and can detect emerging threats that have never previously been identified
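As an added illustration (not code from the presentation or from any vendor it mentions), a minimal baseline-and-deviation detector in Python of the kind the slide describes: it learns each host's usual peers and byte volume from constructed flow records, then flags never-seen connections (such as one point of sale talking to another) and volume outliers (significant data moved between machines). Host names, byte counts and the z-score threshold are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline flows: (source host, destination host, bytes sent).
# In a real deployment these would come from NetFlow/IPFIX or a network tap.
BASELINE_FLOWS = [
    ("pos-01", "payment-gw", 2100), ("pos-01", "payment-gw", 2400),
    ("pos-01", "payment-gw", 1900), ("pos-01", "payment-gw", 2300),
    ("pos-02", "payment-gw", 2000), ("pos-02", "payment-gw", 2600),
    ("pos-02", "payment-gw", 2200), ("pos-02", "payment-gw", 2100),
    ("db-01", "app-01", 48000), ("db-01", "app-01", 52000),
    ("db-01", "app-01", 50000), ("db-01", "app-01", 47000),
]

# Constructed flows from a later window, containing two anomalies.
OBSERVED_FLOWS = [
    ("pos-01", "payment-gw", 2250),   # normal
    ("pos-01", "pos-02", 1500),       # POS talking to another POS: new peer
    ("db-01", "app-01", 49000),       # normal
    ("db-01", "pos-02", 900000),      # new peer AND volume far above baseline
]

def build_baseline(flows):
    """Learn each host's usual peers and its byte-volume mean / std deviation."""
    peers = defaultdict(set)
    volumes = defaultdict(list)
    for src, dst, nbytes in flows:
        peers[src].add(dst)
        volumes[src].append(nbytes)
    stats = {src: (mean(v), pstdev(v)) for src, v in volumes.items()}
    return {"peers": peers, "stats": stats}

def score_flow(baseline, flow, z_threshold=3.0):
    """Return the reasons (possibly none) a flow deviates from the baseline."""
    src, dst, nbytes = flow
    reasons = []
    if dst not in baseline["peers"].get(src, set()):
        reasons.append("new_peer")          # connection never seen in baseline
    if src in baseline["stats"]:
        mu, sigma = baseline["stats"][src]
        # a flat baseline (sigma == 0) would divide by zero; treat any change as extreme
        z = (nbytes - mu) / sigma if sigma > 0 else (float("inf") if nbytes != mu else 0.0)
        if z > z_threshold:
            reasons.append("volume")        # far more data than this host usually sends
    else:
        reasons.append("unknown_host")      # host with no history at all
    return reasons

def detect(baseline, flows):
    """Flagged flows with their reasons; this is what feeds the incident report."""
    return [(f, score_flow(baseline, f)) for f in flows if score_flow(baseline, f)]
```

A production system would use rolling windows and many more features, but the structure (learn normal, score evidence, surface deviations) is the same.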
A case study
MASTERCARD INC.
New machine learning technology, the Safety Net system, helped MasterCard Inc. control and limit the damage caused by three separate cyber attacks targeting their automated bank tellers.
Transaction-monitoring system employs data visualization tools
System analyzes over 1 billion transactions daily using algorithms to assess customer behavior in real time
Artificial intelligence, often used by financial services firms to better understand customers, is increasingly being used for data security
The top ten list: The Things I Wish I Would Have Done Before This Breach Event Happened
1. Inserted myself into the reporting and threat intelligence collection process
2. Developed, implemented, socialized and exercised the event response plan
• What constitutes an “event” and who makes that call?
• Distinguish between a network security breach and unauthorized access to personal information
3. Established relationships with outside counsel and a forensic/incident response/technology firm
• Preservation of attorney-client privilege
• Negotiate a master service agreement
• An event should result in two types of report
4. Managed vendors regarding contract language for security standards, privacy policy, and event notice/coordination requirements
5. Identified and introduced myself to representatives from trade/industry groups, regulators and law enforcement agencies for ongoing dialogue, information sharing and event coordination
6. Scripted internal and external communications and had them pre-approved to the extent possible
7. Established criteria for formal notification to customers, regulators, executive management/board and shareholders
8. Designated who leads the investigation, response, remediation, notification and “after” phases and who maintains the “record”
9. Prepared for what happens after the event regarding insurance claims, litigation and remediation
10. Briefed business unit executives, senior management and board of directors about what could happen and how we would address it.
COMPONENTS OF AN EFFECTIVE INCIDENT RESPONSE PLAN
Six things every company should have (large or small)
1. Information security policy/program
2. Privacy policy
3. Incident/breach response process
4. Employee training and awareness
5. Vendor management program
6. Business continuity plan
Cybersecurity assessment
ASSESSMENT CONSISTS OF TWO PARTS:
1. Inherent Risk Profile
2. Cybersecurity Maturity
Upon completion of both parts, management and board members can evaluate whether the organization’s inherent risk and preparedness are aligned.
• DISCOVER, ANALYZE, ASSESS
Determine risk profile to conduct a valid cybersecurity assessment
Leverage Cybersecurity Assessment Tool to determine an organization’s preparedness
Establish metrics and monitor ongoing performance
Incorporate other industry standards (NIST) to ensure comprehensiveness of the approach
Sample incident response plan
Example: DR Incident Response Plan (IRP) – Applications ABC, DEF, GHI (Failover to Site B)
[Timeline diagram, 00:00 to 12:00, reconstructed as a task list with the time windows shown on the slide:]
00:00 – 01:30 DR Notification, Escalation, and Disaster Declaration Process
01:30 – 02:00 Establish IT command center
02:00 – 02:30 Configure Site B Storage; additional damage assessment (to assess which systems require full failover)
02:00 – 06:00 Restore Citrix infrastructure
02:30 – 03:00 Restore vCenter
03:00 – 03:30 Restore application ABC BUs
03:00 – 03:45 Application GHI: rebuild VM after vCenter restored
03:30 – 04:00 Set up direct access for ABC VM; restore application DEF BUs
03:45 – 07:45 Application GHI: restore SQL Server DB BUs
04:00 – 04:30 Set up direct access for DEF VM
06:00 – 07:00 Setup and validate Citrix access for ABC and DEF
08:00 – 09:00 Application GHI: set up App Server and Web Server
08:00 – 10:00 Application GHI: set up DB Server
10:00 – 11:00 Setup and validate Citrix access for GHI
In parallel (Tier 2): initiate procuring hardware for Tier 2 systems, then Tier 2 recovery
Approach to cyber investigations
INCIDENT RESPONSE AND REMEDIATION
IDENTIFICATION
• Location of the incident
• How was it discovered?
• Other areas compromised?
• Scope of the impact
• Have sources been identified?
• Business impact
CONTAINMENT
• Short-term containment (is problem isolated / are systems isolated?)
• System backup (evidence collection, imaging)
• Long-term containment (system off-line)
ERADICATION
• Re-image and update patches, harden system(s)
• Removal of malware and artifacts from system(s)
RECOVERY
• When can system(s) come back online?
• Have systems been prepared to thwart future attacks?
• What testing, monitoring solutions are going to be used for future?
LESSONS LEARNED
• How can we prevent this in the future?
• Incident Report: Who? What? Why? How? Where? When?
• Implement Preventative Measures
An Exceptional Range of Cybersecurity Services
The services below represent the end-to-end service offering based on a thorough understanding of market demand, leveraging of existing standards (FFIEC, COSO, COBIT, NIST, GLB, FINRA, etc.), and our own expertise in Cybersecurity best practices.
Cyber Risk Management Strategy & Program Design
Design and implement a comprehensive program aligned with an existing enterprise risk management framework. Includes strategy, organizational structure, governance, policies and procedures, training, and both internal and external communications.
Cyber Risk Assessment & Security Testing
Assess risks and identify vulnerabilities to digital assets and critical infrastructure to evaluate their potential impact and damage, prioritizing risks against the costs of protection. Includes assessments, security testing, remediation, and deep experience in credit card risk mitigation.
Security Architecture & Transformation
Design and implement a Cybersecurity architecture and framework tailored to business needs and the enterprise ecosystem. Encompasses access controls, entitlement, data protection, data privacy, and monitoring.
Incident Response Planning & Management
Develop and test comprehensive incident response plans to minimize the impact of a breach. Considers company processes, as well as roles and responsibilities of individuals throughout the organization. Provide response management services for communication, notifications and coordination to manage an incident towards recovery.
Business Continuity Planning & Disaster Recovery
Develop and test company-wide business continuity and disaster recovery plans for critical systems, applications, infrastructure, facilities, people, and business processes.
Digital Forensics & Cyber Investigations
Rapid response to breach incidents, including identification of root cause and implementation of remediation measures for affected areas, as well as expert testimony when needed.
Cyber Insurance Claim Preparation & Coverage Adequacy Evaluation
Identify and quantify incurred event response costs for inclusion and submission in an insured entity’s insurance claim. Pre-loss services include measuring estimated response costs related to data breach scenarios to assist in evaluating cyber insurance coverage.
Our strategic advantage starts with having a dedicated practice that spans the full lifecycle of Cybersecurity. This is supported by other factors such as practice leaders with deep industry and Cybersecurity experience, extensive experience in Financial Services and Healthcare, which are the top two impacted industries, and extensive experience in forensics, investigations, and monitoring services.
RECAP & FINAL THOUGHTS
Q&A
THANK YOU!