Incident Response: Don't Mess It Up, Here's How To Get It Right

According to Gartner "75% of CISOs who experience publicly disclosed security breaches and lack documented, tested response plans will be fired." According to Forrester, "You can't afford ineffective incident response." Despite these stakes, the incident response capability at most organizations is immature.

Based on an anonymized breach scenario, this webinar will define a framework for the broader incident response (IR) process. By highlighting IR components that were handled well, and a few that weren't, attendees will gain practical experience to help them better prepare for the inevitable.

Our featured speakers for this webinar will be:

- Jim Goddard, Managing Principal, Security Intelligence and Operations Consulting, HP Enterprise Security
- Ted Julian, Chief Marketing Officer, Co3 Systems. Serial security and compliance entrepreneur.

    Presentation Transcript

    • Incident Response Don’t mess it up – here’s how to get it right
    • Agenda
      - Introductions
      - Today's reality
      - The Integrated Incident Response Process
      - Q&A
    • Introductions: Today's Speakers
      - Jim Goddard, Managing Principal, HP Security Intelligence & Operations Consulting. Jim oversees HP's security intelligence & operations consulting practice, where he helps clients build security analytics and incident response capabilities.
      - Ted Julian, Chief Marketing Officer, Co3 Systems. Ted is a serial entrepreneur who has launched four companies during his ~20 years in the security / compliance industry.
    • Co3's Incident Response Management Platform (diagram)
      - Inputs: Web Form, Trouble Ticketing, IR Plan Entry Wizard, SIEM, Email
      - Knowledge bases: Industry Standard Frameworks, Organizational SOPs, Global Privacy Breach Regulations, Community Best Practices, Contractual Requirements
      - Automated Escalation: accelerate response by easily creating incidents from the systems you already have
      - Instant Creation and Streamlined Collaboration: IR plans created instantly based on regulations, best practices, and standard operating procedure; collaborate on plan execution across multiple functions (IT, Legal & Compliance, Marketing, HR)
      - Intelligent Correlation: determine related incidents automatically to identify broader, concerted attacks
      - Integrated Intelligence: gain valuable threat intelligence instantly from multiple intelligence feeds
      - Accelerated Mitigation: speed results by easily outputting results to your management platforms (Trouble Ticketing, SIEM, GRC, Dashboards & Reporting)
      - SSAE 16 Type II certified hosting facility
    • HP Security Intelligence & Operations Consulting
      - Experience: founded 2008; 30+ Fortune 500 & Fed SOC builds; 80+ SOC assessments
      - Solution approach: people, process, & technology
      - Accelerated success: mature project methodology; best practices; extensive intellectual capital
      - Expertise: 50+ years of SOC experience in the SIOC leadership team alone
    • What is so important about these numbers? 416, 94, 71
    • The time to discover a breach is excessively long: 416 days is the average time to detect a breach. Source: Ponemon Institute
    • Most breaches are discovered through third parties: 94% of breaches are reported by a 3rd party. Source: Ponemon Institute
    • Breach response is becoming more complex: 71% more time is needed to resolve a breach as compared to 2010. Source: Ponemon Institute
    • Integrated detection, analysis and incident response is essential to improve effectiveness. "75% of chief information security officers (CISOs) who experience publicly disclosed security breaches and lack documented, tested response plans will be fired." Gartner, 2013. Source: "Security Information and Event Management Architecture and Operational Processes," January 2013, Gartner
    • The new reality is not if but when …
    • POLL
    • The incident management process is iterative and self-learning: a cycle of Preparation, Detection, Analysis, Containment, Eradication and Post-Action
    • POLL
    • Incident management involves people, process and technology.
      - Technology (event sources): Firewall, ID/PS, Web server, Network, Proxy, ESM server
      - People: Level 1, Level 2, Incident Handler, Engineer, Intel / Threat, Network & System Owners, Business
      - Process: an escalation path numbered 1 to 7 in the diagram, ending in "Case closed"
    • Incident management also requires full recognition of the kill chain: 1 Reconnaissance, 2 Weaponization, 3 Delivery, 4 Exploitation, 5 Installation, 6 C2, 7 Actions on Objective. Source: Lockheed Martin
    • Detection is powered by a SIEM technology such as HP ArcSight.
      - Event sources: Firewalls / VPN, IDS/IPS, Server / Desktop, Network Devices, Antivirus, Apps
      - Context: Assets, Network Model, Intel
      - Security Operations Center: Detection, React, Respond, Eradicate
    • Hypothesis-driven analysis synthesizes technology with human interpretation. Analysis asks: What are the possibilities? What evidence supports each? What is the likelihood of each? What are our conclusions?
    • Containment requires visibility to the threat and relevant controls. Containment asks: What are the avenues of approach? What components are at risk? Where are the at-risk surfaces? How do we initiate countermeasures? Dimensions shown: Vectors, Surfaces, Location, Contacts
    • Eliminating the threat brings together the security ecosystem. Eradication involves Software vendors, Service providers, Legal and Security Operations.
    • Regular reviews drive situational awareness and improve the process. Post-Action Review asks: What happened? Was the analysis correct? How do we change? Can it happen again? What milestones are needed?
    • All along the way organizations need a controlled and documented workflow. From the scenario:
      - Detection: ArcSight shows a connection to a blacklisted host.
      - Analysis: Logger evidence points to an advanced threat.
      - Containment: Main vector shown in ArcSight is Oracle.
      - Eradication: Database service provider engaged.
      - After action review: Lessons learned and milestones set to monitor the threat.
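As an added illustration (not part of the webinar, and not Co3's or HP's product code), here is a small Python sketch of that controlled, documented workflow: the detection step from the scenario run over constructed log lines against a constructed blocklist, and an incident record that logs each phase with a timestamp and refuses to skip or reorder phases. All host names, addresses and notes are constructed.

```python
"""Added illustration (not from the webinar): a documented IR workflow record plus
the 'connection to a blacklisted host' detection step, run on constructed data."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Phases in the order the deck walks through them (Preparation precedes Detection).
PHASES = ["Detection", "Analysis", "Containment", "Eradication", "Post-Action"]

# Constructed blocklist and proxy/firewall log lines (stand-ins for SIEM data, not real IoCs).
BLOCKLIST = {"bad.example.net", "203.0.113.7"}
LOG_LINES = [
    "2013-02-01T10:00:01Z proxy src=10.0.0.5 dst=www.example.org status=200",
    "2013-02-01T10:00:03Z proxy src=10.0.0.9 dst=bad.example.net status=200",
    "2013-02-01T10:00:09Z fw src=10.0.0.9 dst=203.0.113.7 action=allow",
]

def detect_blocklisted(lines, blocklist):
    """Return (timestamp, src, dst) for every connection whose destination is blocklisted."""
    hits = []
    for line in lines:
        parts = line.split()
        fields = dict(kv.split("=", 1) for kv in parts[2:])  # key=value pairs after ts and source
        if fields.get("dst") in blocklist:
            hits.append((parts[0], fields["src"], fields["dst"]))
    return hits

@dataclass
class Incident:
    """Controlled workflow: every phase is recorded with a UTC timestamp and a note, in order."""
    title: str
    log: list = field(default_factory=list)

    def record(self, phase, note):
        if self.closed():
            raise ValueError("incident already closed")
        expected = PHASES[len(self.log)]
        if phase != expected:  # refuse to skip, repeat or reorder phases
            raise ValueError(f"expected {expected}, got {phase}")
        self.log.append((datetime.now(timezone.utc).isoformat(), phase, note))

    def closed(self):
        return len(self.log) == len(PHASES)

def run_scenario():
    """Walk the deck's scenario through the record; returns the closed incident."""
    hits = detect_blocklisted(LOG_LINES, BLOCKLIST)
    inc = Incident("Connection to blocklisted host")
    inc.record("Detection", f"{len(hits)} connection(s) to blocklisted hosts: {hits}")
    inc.record("Analysis", "Logger evidence points to an advanced threat")
    inc.record("Containment", "Main vector is the database server; isolate it")
    inc.record("Eradication", "Database service provider engaged")
    inc.record("Post-Action", "Lessons learned; milestones set to monitor the threat")
    return inc
```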
    • Co3's Incident Response Management Platform (repeat of the platform overview slide above)
    • Automatic Escalation
    • Manual Escalation
      - Instantiate a new Co3 Incident from multiple related alerts: automatically imports alert details as artifacts; automatically evaluates against current threat intelligence; automatically generates an initial IR plan; automatically notifies the appropriate IR team
      - Escalate alerts to an existing Co3 Incident: imports alert details as artifacts; automatically evaluates against current threat intelligence; notifies the existing IR team of relevant threat data
    • Remember these numbers?
      - 416 days to detect a breach: hours, not days
      - 94% of breaches reported by a 3rd party: internal, not external
      - 71% more time needed to resolve a breach as compared to 2010: reduce response time by 90%
    • POLL
    • QUESTIONS
    • Closing slide
      - "Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors' Choice." PC Magazine, Editors' Choice
      - "One of the hottest products at RSA…" Network World, February 2013
      - "Co3…defines what software packages for privacy look like." Gartner
      - "Platform is comprehensive, user friendly, and very well designed." Ponemon Institute
      - Co3 Systems, One Alewife Center, Suite 450, Cambridge, MA 02140; phone 617.206.3900; WWW.CO3SYS.COM
      - Jim Goddard, Managing Principal, HP Security Intelligence & Operations Consulting, jgoddard@hp.com, 303.818.0583