when a data breach happens, what's your plan?
TRANSCRIPT
Slide 1 (ENTERPRISE SECURITY | ENTERPRISE SHAREPOINT)
When a Data Breach Happens, What’s Your Plan?
Edge Pereira, ES2 Solutions, [email protected], @superedge
Stuart Mills, ES2, [email protected], 2015
Slide 2
Our Plan for Today
• Making Sense of Threats
• Cloud Breaching Incident Plan
• What to do After the Incident?
• Recommendations
• Q & A
Slide 3
Making Sense of Threats
Outsider / End User / Insider
Prevent Breach
Customer Controls
Secure Design; Secure Code; Protections against attacks
Assume Breach; Contain Attackers; Detect Attackers; Remediate Attacks
Built controls; DLP, Encryption, etc.; Auditing
Slide 4
• Internet cafes in vacation spots
• Every time you connect to the internet
• Wonderful Internet Services
• Ideological Movements
• Organized Crime
• Nation States
Slide 5
Hacking in the Good Old Days
Slide 6
Data Breaches
[Timeline graphic of data breaches, 2005 to 2015]
Source: Liam Cleary, BRK2142, Microsoft Ignite
Slide 7
Numerous, Active, and Evolving Threats…
Slide 8
…Very Active Threats
Social media giants Facebook, LinkedIn, among others, get hacked… repeatedly.
Slide 9
“The personal details of world leaders – including David Cameron, Barack Obama and Vladimir Putin – have been accidentally revealed in an embarrassing privacy breach.”
It has been discovered that an employee at the Australian immigration department mistakenly sent personal information of all world leaders attending the G20 Summit to organisers of the Asian Cup football tournament.
And the heads of government were kept in the dark about the employee’s blunder.
The passport numbers and visa details of United States president, Barack Obama, the Russian president, Vladimir Putin, the German chancellor, Angela Merkel, the Chinese president, Xi Jinping, the Indian prime minister, Narendra Modi, the Japanese prime minister, Shinzo Abe, the Indonesian president, Joko Widodo, and the British prime minister, David Cameron, were all exposed.
Source: http://www.independent.co.uk/news/world/personal-details-of-obama-putin-cameron-and-merkel-sent-to-wrong-email-address-by-g20-summit-organiser-10142539.html
Leaks and Training
Slide 10
Source: http://www.canberratimes.com.au/national/public-service/federal-privacy-authorities-called-in-over-centrelink-breach-20140818-105hjw
Leaks and Training
Slide 11
The Evolution of Attacks
[Chart axes: Targeting; Sophistication; Volume and impact]
2003–2004: Script kiddies (BLASTER, SLAMMER). Motive: mischief
Slide 12
The Evolution of Attacks
[Chart axes: Targeting; Sophistication]
2003–2004: Script kiddies (BLASTER, SLAMMER). Motive: mischief
2005–PRESENT: Organized crime (RANSOMWARE, CLICK-FRAUD, IDENTITY THEFT). Motive: profit
Slide 13
The Evolution of Attacks
[Chart axes: Targeting; Sophistication]
2003–2004: Script kiddies (BLASTER, SLAMMER). Motive: mischief
2005–PRESENT: Organized crime (RANSOMWARE, CLICK-FRAUD, IDENTITY THEFT). Motive: profit
2012–BEYOND: Nation states, activists, terror groups (BRAZEN, COMPLEX, PERSISTENT). Motives: IP theft, damage, disruption
Slide 14
Defining Risk
[Diagram: Vulnerability, Threat, Consequence → Risk]
The U.S. Department of Homeland Security (DHS) defines risk as a vulnerability coupled with a threat that creates a consequence.
Slide 15
Writing a Cloud Breach Incident Plan
• What is the problem you are solving?
• No executive sponsor? No worries
• Advisory committee
• Know your audience
Slide 16
Sample Plan
• Foreword
• Objective
• Scope
• Assumptions
• Ownership
• Execution command topologies
• Plan structure
Slide 17
Plan Structure
• Preparation
• Detection & analysis
• Declaration & mobilization
• Technical actions
• Supporting actions
• Incident containment
• Post incident
• Plan Maintenance
Slide 18
Incident Preparation
• Crystal ball exercise
• What kind of information could you share with a 3rd party or law enforcement?
• If you lose PCI or PII data, how would you notify them? Who in the community can help you?
• For credit monitoring, what would be the services, costs involved, and to whom?
• Compile these into one or more documents. Label it crisis response.
Slide 19
Incident Detection and Analysis
• Sources of information
• Define what is an “incident”, an “alert”, a “suspicious event”
• Define severities
• Peer-review with IT, InfoSec and Legal
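The slide asks the plan to define what counts as a “suspicious event”, an “alert” and an “incident”, and to define severities. The following Python script is an added example, not part of the deck or of ES2's material, showing one way to make those definitions executable so that detection and declaration are repeatable and can be peer-reviewed as code. The log line format, the catalogue of suspicious event kinds with their base severities, the five-failures-in-five-minutes threshold, the corroboration rule and the sample log lines are all constructed assumptions for the example.

```python
"""Event triage for an incident plan: suspicious event -> alert -> incident.

Added example, not from the slide deck. Everything here is a constructed
assumption: the log line format, the catalogue of suspicious event kinds and
their base severities, the thresholds, and the corroboration rule that turns
alerts into a declared incident.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample log. Assumed line format: "epoch_seconds|source|kind|user|detail"
SAMPLE_LOG = """\
1000|idp|auth_failure|alice|bad password
1010|idp|auth_failure|alice|bad password
1020|idp|auth_failure|alice|bad password
1030|idp|auth_failure|alice|bad password
1040|idp|auth_failure|alice|bad password
1100|idp|auth_success|alice|login ok
1200|sharepoint|mass_download|alice|412 files in 30s
5000|sharepoint|external_share|bob|shared report.xlsx outside tenant
9000|idp|auth_failure|carol|bad password
"""

# Assumed catalogue: any event of these kinds is a "suspicious event" and
# carries a base severity (1 low, 2 medium, 3 high, 4 critical).
SUSPICIOUS_KINDS = {
    "auth_failure": 1,
    "external_share": 2,
    "dlp_block": 2,
    "new_admin_role": 3,
    "mass_download": 3,
}
SEVERITY_NAMES = {1: "low", 2: "medium", 3: "high", 4: "critical"}


@dataclass
class Event:
    ts: int
    source: str
    kind: str
    user: str
    detail: str


@dataclass
class TriageResult:
    suspicious: list = field(default_factory=list)  # every matched event
    alerts: list = field(default_factory=list)      # events that need a human look
    incidents: list = field(default_factory=list)   # declared: mobilise the team


def parse_line(line: str) -> Event:
    ts, source, kind, user, detail = line.rstrip("\n").split("|", 4)
    return Event(int(ts), source, kind, user, detail)


def triage(log_text: str, window: int = 300, fail_threshold: int = 5) -> TriageResult:
    """Classify events in timestamp order under these assumed rules:
    - suspicious event: any event whose kind is in SUSPICIOUS_KINDS
    - alert: one suspicious event of severity >= 2, or fail_threshold
      auth failures for one user inside `window` seconds
    - incident: two alerts of different kinds for the same user inside
      `window` seconds; severity is one above the highest alert, capped at 4
    """
    result = TriageResult()
    failures = defaultdict(deque)       # user -> timestamps of recent failures
    alerts_by_user = defaultdict(list)  # user -> alerts raised so far

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        base = SUSPICIOUS_KINDS.get(ev.kind)
        if base is None:
            continue  # informational under this plan, not tracked further
        result.suspicious.append(ev)

        alert = None
        if ev.kind == "auth_failure":
            recent_fails = failures[ev.user]
            recent_fails.append(ev.ts)
            while recent_fails and ev.ts - recent_fails[0] > window:
                recent_fails.popleft()
            if len(recent_fails) >= fail_threshold:
                alert = {"ts": ev.ts, "user": ev.user,
                         "kind": "repeated_auth_failure", "severity": 2}
                recent_fails.clear()  # one burst raises one alert
        elif base >= 2:
            alert = {"ts": ev.ts, "user": ev.user, "kind": ev.kind, "severity": base}
        if alert is None:
            continue
        result.alerts.append(alert)

        # Corroboration: a different kind of alert for the same user, recently.
        corroborating = [a for a in alerts_by_user[ev.user]
                         if ev.ts - a["ts"] <= window and a["kind"] != alert["kind"]]
        alerts_by_user[ev.user].append(alert)
        if corroborating:
            sev = min(4, max(a["severity"] for a in corroborating + [alert]) + 1)
            result.incidents.append({
                "declared_at": ev.ts,
                "user": ev.user,
                "severity": SEVERITY_NAMES[sev],
                "evidence": [a["kind"] for a in corroborating] + [alert["kind"]],
            })
    return result


def summarize(result: TriageResult) -> dict:
    return {"suspicious": len(result.suspicious),
            "alerts": len(result.alerts),
            "incidents": len(result.incidents)}


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(summarize(r))
    for inc in r.incidents:
        print("INCIDENT", inc)
```

On the constructed sample, alice's burst of failed logins becomes one medium alert, her mass download minutes later is a high alert on its own, and because the two alerts corroborate each other within the window the script declares a critical incident for that user; bob's external share stays a single alert and carol's lone failed login stays a suspicious event. The useful property for a plan is that each tier has a written, testable rule, so the peer review with IT, InfoSec and Legal can argue about thresholds rather than about what the words mean.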
Slide 20
Incident Response
• “Who does what when”
• Tiger team and decision-making structure
• Battle rhythm. Everyone needs to know what to do and not wait.
• Time spent making decisions should not be longer than the time spent executing them
• Declaration of end of incident
Slide 21
Incident Response - Tiger Team
Team Leader
• Oversees all team work
• Keeps the team focused on damage containment
Lead Investigator
• Collects & analyzes evidence
• Root cause
• Manages the business continuity plan
Comms Lead
• Messaging for all audiences, inside and outside the company
Documentation and Timeline Leader
• Investigations, discovery and recovery
• Documents timeline events
HR/Legal Leader
• Criminal charges developments
Slide 22
Plan Post-Incident
• Lessons learned
• Recommendation #1: test the plan once a year
Slide 23
Recommendations: How to Mitigate the Risk and Consequences of a Data Breach
• Expand the use of Encryption
• Workforce training and awareness programs
• Strengthening of perimeter controls
• Implement identity and access management solutions (privileged access first)
• Strong endpoint security solutions
• Implement data loss prevention solutions
• Get a security certification or independent audit
Slide 24
Q & A
Slide 25
Recap
• Making Sense of Threats
• Cloud Breaching Incident Plan
• What to do After the Incident?
• Recommendations
• Q & A
Slide 26
Learn More
• Office 365 Trust Portal
• ES2 website www.es2.com.au
• Computer Incident Response, NK McCarthy
• BRK2159 Office 365 today and beyond, TechEd NA
• www.superedge.net
Useful Material and Links
Slide 27
Hour of Code - https://code.org/learn
Slide 28
Thank You
Perth Head Office: “The Factory”, 69 King Street, Perth, WA 6000
Perth Business Centre: Level 27, 44 St Georges Terrace, Perth, WA 6000
Brisbane Business Centre: Level 18, 123 Eagle Street, Brisbane, QLD 4000
Sydney Business Centre: Level 12, 95 Pitt Street, Sydney, NSW 2000
Paris Business Centre: 4 rue Neuve de la Chardonnière, 75018 Paris, FRANCE
www.es2.com.au
Slide 30
Additional Slides
Slide 31
Common Myths About the Cloud
Myths
• On-premises is more secure
• Data is used for mining (i.e. advertising)
• It’s not compliant with industry regulations
• Control of data in the cloud is lost
Office 365
• Built to provide a level of security that exceeds what most customers achieve, on infrastructure and scale
• The first to comply with ISO/IEC 27018, which prohibits use of PII for ads and marketing
• Compliant with HIPAA, FISMA, MPAA etc. (industries and governments)
• Designed for complete customer data control
• You own the data, MS manages it for you
Slide 32
Government Access to Cloud Data
Microsoft will not…
• Provide any government with direct or unfettered access to customer data
• Assist any government’s efforts to break cloud encryption
• Provide any government with encryption keys
• Engineer back doors into the cloud products (MS will take steps to ensure governments can independently verify this)
• If governments are engaging in broader surveillance of communications, MS is not involved and it is taking steps to enhance the security of customers’ data
Microsoft will…
• Disclose enterprise customer data only under a valid legal order and only for the data required
• Publish a law enforcement request report every six months
http://www.microsoft.com/about/corporatecitizenship/en-us/transparencyhub/
[Chart: law enforcement requests, Australia. Segments labelled Disclosed content; Only subscriber/transactional data; No data found; Rejected. Values shown: 71.36%, 20.8%, 7.84% (the extraction does not preserve which value belongs to which segment)]
Slide 33
Security Innovation
• Continuous investigation
• Advanced tactics
• “Penetration games”
• World-class security experts
Slide 34
Encryption at Rest and In-Transit
• Data Loss Prevention
• Search
• Insights
• Content analysis
Slide 35
Controls Implemented After a Data Breach
[Bar chart, three series (2013, 2014, 2015), vertical axis 0 to 60. Categories: Use of encryption; Additional manual procedures and controls; Training and awareness programs; Strengthening perimeter controls; Identity and access management solutions; Other system control practices; Endpoint security solutions; Security intelligence solutions; Data loss prevention solutions; Security certification or audit. The per-category values are not recoverable from the extraction.]