Today's Breach Reality, The IR Imperative, And What You Can Do About It

Despite changing threats and the near certainty of compromise, most
IT security programs are much the same as they were a decade ago. How
have attacker motivations and tactics changed, and why? What does
this mean for IT security departments, and how must they adapt?

This webinar will detail the security challenges organizations face
today, the implications of changes in attacker tactics and
motivations, and what firms can do to better align their security
program with today's reality.

Our featured speakers for this webinar will be:

- Ted Julian, Chief Marketing Officer, Co3 Systems

- Colby Clark, Director of Incident Management, Fishnet Security

Today's Breach Reality, The IR Imperative, And What You Can Do About It Presentation Transcript

  • 1. “Co3 makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” – PC Magazine, Editor’s Choice
    “Co3…defines what software packages for privacy look like.” – Gartner
    “Platform is comprehensive, user friendly, and very well designed.” – Ponemon Institute
    “One of the most important startups in security…” – Business Insider
    “One of the hottest products at RSA…” – Network World
    “...an invaluable weapon when responding to security incidents.” – Government Computer News
    “Co3 has done better than a home-run... it has knocked one out of the park.” – SC Magazine
    “Most Innovative Security Startup.” – RSA Conference
    We’ll get started in just a minute.
  • 2. Today's Breach Reality, The IR Imperative, And What You Can Do About It
  • 3. Agenda
    • Introductions
    • Problems We Face
    • The Targets
    • The Victims
    • The Motivations
    • Breach and Response Metrics
    • Key Concepts for Combating Modern Threats
    • The Incident Response Lifecycle
  • 4. Introductions: Today’s Speakers
    • Ted Julian, Chief Marketing Officer, Co3 Systems
    • Colby Clark, Director of Incident Management, FishNet Security
  • 5. About Co3
    Prepare – Improve Organizational Readiness
    • Appoint team members
    • Fine tune response SOPs
    • Link in legacy applications
    • Run simulations (fire drills, table tops)
    Assess – Identify and Evaluate Incidents
    • Assign appropriate team members
    • Evaluate precursors and indicators
    • Track incidents, maintain logbook
    • Automatically prioritize activities based on criticality
    • Log evidence
    • Generate assessment
    Manage – Contain, Eradicate and Recover
    • Generate real-time IR plan
    • Coordinate team response
    • Choose appropriate containment strategy
    • Isolate and remediate cause
    • Instruct evidence gathering and handling
    Mitigate – Document Results & Improve Performance
    • Generate reports for management, auditors, and authorities
    • Conduct post-mortem
    • Update SOPs
    • Track evidence
    • Evaluate historical performance
    • Educate the organization
  • 6. About FishNet
    • 700+ employees dedicated to helping enterprise customers secure every aspect of their IT environment. 96% Customer Satisfaction / Best-in-Class NPS Benchmark
    VITAL STATS
    • Established 1996
    • 29 Offices
    • 9 Training Centers
    • 700+ Certifications
    2013 HIGHLIGHTS
    • $600M Revenue
    • 3,200 Customers
    • 1,500 Service Engagements
  • 7. About FishNet
    • Our experts take the time to understand your business, so they can develop, implement and support solutions tailored to your environment.
    SECURITY SOLUTIONS – COMBINED CAPABILITIES DRIVE VALUE
    PROFESSIONAL SERVICES
    • 31 Strategic Services (StS) Advisors
    • 300+ Consultants
    • 2 Security Operations Centers
    • Frontline Support
    • Network & Security Training
    • 250+ Certifications
    • Information Security Program Model (ISPM)
    TECHNOLOGY PRODUCTS
    • 55 Sales Engineers (SE) & Enterprise Architects (EA)
    • 100+ Vendor Partnerships
    • Direct Access to Vendor R&D Teams & Advisory Panels
    • Cloud-Based Testing Lab
    • 450+ Certifications
    • ADVISER Solutions Lifecycle
  • 8. Problems We Face
    • Waves of malware attacks per industry, with malware optimized for each wave and software type
    • Thousands of machines quickly infected in large environments
    • Large numbers of ingress/egress points and unmanaged devices
    • Polymorphism of malware per machine instead of per organization, circumventing most host and network based detection methods
    • Multi-vector malware in layers creating distraction and chaos while allowing unauthorized access, performing massive data exfiltration, and leading to extortion and data loss:
      – W32.Changeup → Zeus → Cryptolocker → Data Loss
      – Compromise of computer + phone for financial attacks
    • Ransomware encrypting drives and shares
    • Long term presence within organizations
    • Reconnaissance for worse activity later
  • 9. Problems We Face
    • Compromise of corporate environments to gain access to CDEs
    • Sophisticated malware and botnets now in point of sale environments
      – Memory resident
      – Utilizes jump boxes
      – Moves around
    • Delayed detection of cardholder data compromise
      – Obfuscation of collection
      – Waiting until cards are about to expire before use
    • Security devices not properly configured, tuned, and/or monitored
    • Circumventing network detections through SSL and DGA
    • Too much reliance on antiquated security solutions
    • Attack vectors often not notable (low hanging fruit)
    • Incident response programs and training not adequate
  • 10. 10 Problems We Face Bottom line - Security threats have evolved…
  • 11. Problems We Face – Nobody is immune to compliance. But it’s more than just checking a box.
    • Everyone needs to be compliant with a policy, regulation or legal requirement: PCI Compliance, HIPAA, GLBA, FTC, NERC, FERC…
    • Are you secure or just compliant?
    • You can be completely compliant and totally insecure.
    • Promote compliance through security. It does not come in a can or clip board.
  • 12. Problems We Face – The uncomfortable truth: Everyone is 0wn3d.
    – How exposed are you to cyber criminals?
    • You have been breached whether you know it or not.
    • Malware patiently waits in nearly every environment allowing clandestine command and control, data harvesting, and arbitrary code execution
    • Hackers are like water in a bucket. If there is a hole, they will find it.
    • Focus on solving the security problem holistically.
  • 13. POLL
  • 14. Who are the Targets and Why?
    • Everyone is a target
      – Government
      – Large Corporations
      – Small Companies
      – Private Individuals
    • Every target is of interest
      – Defacement for bragging rights
      – PII, IP, and identity theft
      – Credential stealing
      – Confidential data leakage
      – Customer information
      – Supply chain attacks
      – Adding to their botnet
      – Use your network and devices as jump points
  • 15. Victims – Recent Top News Clips – What Happened? All were sued (content based on public knowledge):
    • Zappos – Class action suit
    • LinkedIn – $5M class action suit
    • South Carolina – $12M settlement
    • Global Payments – Class action suit
    • Nationwide – Class action suit
    • Wyndham – FTC Consent Order (really bad)
    • Yahoo – Class action suit
    • Target – Class action suit; DOJ
    • Horizon Blue Cross – Class action suit
    • Adobe – Class action suit
    • Most recent large breaches – DOJ
  • 16. 16 Motivations
  • 17. 17 Motivations
  • 18. Motivations
    • Ransomware becoming increasingly common
    • Now in corporate environments and affecting hard drives and shares
    • Highly lucrative; attacks win either way
    • Disaster recovery strategy is back-up or pay-up
  • 19. 19 Motivations
  • 20. Breach and Response Metrics & Facts
    Financial Metrics (from Ponemon 2013 Cost of Data Breach Study):
    • Average total cost of a breach: $5.4 Million
    • Average per record cost for data breach: $192 (actual costs vary per organization type)
    • Average per record cost reductions
      – Having a strong security posture: $34
      – Having an incident response plan in place: $42
      – Appointing a CISO: $23
      – Hiring consultants to respond to a breach: $13
    Important Facts:
    • Attackers infiltrate and maintain persistence for about 1 year on average before detection
    • Antivirus is around 3-5% effective at detecting new threats
    • Fran Rosch, Senior Vice President of Mobility at Symantec, testified before Congress that signature-based detection methodology is ineffective
    • Pentagon claimed that Chinese 2011 military spending equaled $180 billion with sustained investment in cyberwarfare
    • Hacking has resulted in the largest transfer of wealth in human history
      – As of July 2013, Chinese hackers have cost the US about $2 Trillion
      – How about others? Russia? Middle East?
  • 21. 21 What Does a Trillion Dollars Look Like?
  • 22. Key Concepts for Combating Modern Threats – Endpoint Technology
    Corporate environments:
    • Behavioral analysis and retrospection
    • Continuous monitoring
    • Least prevalence detection
    • Not limited to the security perimeter
    • Application restrictions to known good behavior
    • Scanning for IOCs
    • Enterprise forensics
    Cardholder data environments:
    • Application whitelisting
    • Application restrictions to known good behavior
    • Change detection
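Least prevalence detection and IOC scanning from the slide above, as an added illustration that is not part of the deck: the per-machine polymorphism described in slide 8 defeats signatures, but it also makes every sample unique, so an inventory of which file hashes run on how many hosts surfaces the outliers. The inventory, hash labels and IOC list below are constructed placeholders, not real values.

```python
from collections import defaultdict

# Constructed inventory of executables seen per host: (host, file_hash, path).
# Hashes are placeholder labels, not real values.
INVENTORY = [
    ("ws-001", "hash-svchost", r"C:\Windows\System32\svchost.exe"),
    ("ws-002", "hash-svchost", r"C:\Windows\System32\svchost.exe"),
    ("ws-003", "hash-svchost", r"C:\Windows\System32\svchost.exe"),
    ("ws-004", "hash-svchost", r"C:\Windows\System32\svchost.exe"),
    ("ws-001", "hash-outlook", r"C:\Program Files\Outlook\outlook.exe"),
    ("ws-002", "hash-outlook", r"C:\Program Files\Outlook\outlook.exe"),
    ("ws-003", "hash-outlook", r"C:\Program Files\Outlook\outlook.exe"),
    # Per-machine polymorphism: same dropped path, a different hash on every host
    ("ws-002", "hash-x1", r"C:\Users\Public\update.exe"),
    ("ws-004", "hash-x2", r"C:\Users\Public\update.exe"),
    ("ws-003", "hash-ioc1", r"C:\Windows\Temp\svchost.exe"),
]

# Constructed IOC list (placeholder hash) for the "Scanning for IOCs" bullet.
KNOWN_BAD_HASHES = {"hash-ioc1"}

def prevalence(inventory):
    """Map each file hash to the set of hosts it was observed on."""
    seen = defaultdict(set)
    for host, file_hash, _path in inventory:
        seen[file_hash].add(host)
    return seen

def least_prevalent(inventory, max_hosts=1):
    """Hashes seen on at most max_hosts hosts, rarest first.
    Polymorphism defeats signatures but makes every sample unique,
    so rarity itself becomes the detection signal."""
    seen = prevalence(inventory)
    paths = defaultdict(set)
    for _host, file_hash, path in inventory:
        paths[file_hash].add(path)
    rare = [(h, sorted(hosts), sorted(paths[h]))
            for h, hosts in seen.items() if len(hosts) <= max_hosts]
    return sorted(rare, key=lambda r: (len(r[1]), r[0]))

def ioc_hits(inventory, bad_hashes):
    """(host, hash) pairs whose hash matches the IOC list."""
    return sorted({(host, h) for host, h, _ in inventory if h in bad_hashes})

if __name__ == "__main__":
    for h, hosts, paths in least_prevalent(INVENTORY):
        print(f"rare: {h} on {hosts} at {paths}")
    print("ioc hits:", ioc_hits(INVENTORY, KNOWN_BAD_HASHES))
```

Rarity alone produces false positives (a lone engineer's custom tool is also rare), so the output is a triage queue for the "Enterprise forensics" bullet, not a verdict.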
  • 23. Key Concepts for Combating Modern Threats – Network Monitoring & Restrictions
    • Network traffic retrospection
    • SSL decryption
    • Network malware analysis
    • DGA
    • Tunneling
    • Network traffic IOCs and anomalies
    • 2 factor authentication for remote access
    • Restrict egress from cardholder data environment to processing only
  • 24. Key Concepts for Combating Modern Threats
    • Data Security
      – Cloud, Endpoint, Repository…
      – DLP + DRM
        • Lock down documents so it does not matter if they are stolen
        • Utilize the cloud without concern
        • Reduced fear of IP theft
    • Program Development
      – Incident response gap analysis
      – Policy and procedure development
      – Incident handling playbook development
    • Training & Testing
      – Provide hands-on training for all technology, playbook scenarios, and threats
      – Provide tabletop testing for realistic scenarios involving stakeholders
      – Practice communications and methodology
    • Incident Response Retainer
      – Subject matter experts on call
      – Augment internal capabilities
      – Contracts agreed upon ahead of time
      – Rapid response – 24 hour service level agreement
  • 25. POLL
  • 26. The Incident Response Lifecycle
    Prepare – Improve Organizational Readiness
    • Appoint team members
    • Fine tune response SOPs
    • Link in legacy applications
    • Run simulations (fire drills, table tops)
    Assess – Identify and Evaluate Incidents
    • Assign appropriate team members
    • Evaluate precursors and indicators
    • Track incidents, maintain logbook
    • Automatically prioritize activities based on criticality
    • Log evidence
    • Generate assessment
    Manage – Contain, Eradicate and Recover
    • Generate real-time IR plan
    • Coordinate team response
    • Choose appropriate containment strategy
    • Isolate and remediate cause
    • Instruct evidence gathering and handling
    Mitigate – Document Results & Improve Performance
    • Generate reports for management, auditors, and authorities
    • Conduct post-mortem
    • Update SOPs
    • Track evidence
    • Evaluate historical performance
    • Educate the organization
  • 27. Prepare
    • Incident response teams often include:
      – IT, Legal (internal and/or external), Compliance, Audit, Privacy, Marketing, HR, Senior Executive
      – Pre-define roles and responsibilities
        • RACI (Responsible, Accountable, Consulted, Informed)
    • SOPs can include:
      – Processes to be followed by incident type
      – Standardized interpretation of legal / regulatory requirements
      – 3rd party contractual requirements
    • Simulations
      – Can range from drills to full-scale exercises
      – Communications is key
        • Roles, contact info, internal and external
      – Gauge organization preparedness, catalyze improvement
  • 28. Assess
    • Prioritize efforts
      – Based on value of asset, potential for customer impact, risk of fines, and other risks
    • Leverage threat intelligence
    • Incident declaration matrix
      – Based on category and severity level
      – Can set SLAs for each
  • 29. Manage
    • Iterate on your plan
    • Communicate status
      – Different mechanisms for different constituents
    • Ensure everything is tracked
  • 30. Mitigate
    • Conduct a post-mortem
      – Validate investment or lobby for more
      – Identify areas for improvement
        • Did we hit our SLAs?
      – Update playbooks
    • Track incident source – pinpoint risk to drive improvement, and/or trigger bill-back
    • Update preventative and detective controls
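The incident declaration matrix with per-cell SLAs from slide 28, carried through to the "Did we hit our SLAs?" post-mortem question on slide 30, as an added example that is not from the deck or either speaker's company. The categories, severities, priorities, SLA durations and sample incidents are constructed assumptions; an undefined matrix cell is treated as a gap that must be fixed in the playbook rather than silently defaulted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed declaration matrix: (category, severity) -> (priority, response SLA).
# Categories, severities and SLA durations are illustrative assumptions.
MATRIX = {
    ("malware", "medium"): ("P3", timedelta(hours=24)),
    ("malware", "critical"): ("P1", timedelta(hours=1)),
    ("cardholder_data", "high"): ("P1", timedelta(hours=1)),
    ("cardholder_data", "critical"): ("P1", timedelta(minutes=30)),
}

@dataclass
class Incident:
    ident: str
    category: str
    severity: str
    detected_at: datetime
    responded_at: Optional[datetime] = None  # None while the incident is still open

def declare(category, severity):
    """Return (priority, SLA); an undefined cell means the matrix needs updating."""
    try:
        return MATRIX[(category, severity)]
    except KeyError:
        raise ValueError(f"no declaration rule for {category}/{severity}") from None

def prioritize(incidents):
    """Order the queue by declared priority (P1 first), then by oldest detection."""
    return sorted(incidents, key=lambda i: (declare(i.category, i.severity)[0], i.detected_at))

def sla_met(incident):
    """True/False once a response is logged; None while the incident is still open."""
    if incident.responded_at is None:
        return None
    return incident.responded_at - incident.detected_at <= declare(incident.category, incident.severity)[1]

def sla_summary(incidents):
    """Post-mortem metric for 'did we hit our SLAs?': counts of met, missed and open."""
    closed = [r for r in map(sla_met, incidents) if r is not None]
    return {"met": sum(closed), "missed": len(closed) - sum(closed), "open": len(incidents) - len(closed)}

# Constructed sample queue; timestamps are arbitrary.
T0 = datetime(2014, 7, 1, 9, 0)
INCIDENTS = [
    Incident("INC-1", "malware", "medium", T0, T0 + timedelta(hours=30)),  # 24h SLA missed
    Incident("INC-2", "cardholder_data", "high", T0 + timedelta(hours=1), T0 + timedelta(hours=1, minutes=45)),  # met
    Incident("INC-3", "malware", "critical", T0 + timedelta(hours=2)),  # still open
]
```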
  • 31. QUESTIONS
  • 32. 32 Next Up • BlackHat 2014 – August 5-7, Las Vegas
  • 33. One Alewife Center, Suite 450, Cambridge, MA 02140 – PHONE 617.206.3900 – WWW.CO3SYS.COM
    “Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” – PC MAGAZINE, EDITOR’S CHOICE
    “Co3…defines what software packages for privacy look like.” – GARTNER
    “Platform is comprehensive, user friendly, and very well designed.” – PONEMON INSTITUTE
    “One of the hottest products at RSA…” – NETWORK WORLD, FEBRUARY 2013
    Colby Clark, Director of Incident Management, FishNet Security – Colby.clark@fishnetsecurity.com – 208.553.3266