Needs of a Modern Incident Response Program

Slide 1: Needs of a Modern Incident Response Program
Tom Cross, Director of Security Research, Lancope
Brandon Tansey, Security Researcher, Lancope
© 2014 Lancope, Inc. All rights reserved.

Slide 2: What advantages do attackers have? Asymmetry
"The defender has to cover every vulnerability but the attacker only has to find one."

Slide 3: Attackers Can Often Evade Defenses

Slide 4: Perimeter Security
• Much of the practice of computer security has to do with making sure the doors are locked.
  – When we have incidents we spend more money on prevention.
  – We tend to assume that if the bad guys are in, it's game over.
• We're focusing our energy where attackers have the most strength.

Slide 5: What advantages do defenders have? Home Court Advantage
• Defenders create the network environment that attackers are trying to compromise
• Defenders know what is on the network and have visibility into the network
• Attackers have to discover the environment through reconnaissance
• Defenders can exploit the attacker's lack of knowledge of the environment in order to detect attackers and waste their time

Slide 6: A Four Dimensional View of Attacker Behavior
• A sophisticated attack on a network involves a series of steps
• Traditional thinking views any system compromise as a successful breach
• Any successful action taken to stop an infection prior to data exfiltration can be considered a win
• This is the Kill Chain concept introduced by Mike Cloppert at Lockheed
• Controls should be put in place at each stage of the chain
Stages labelled on the slide: Recon, Exploitation, Initial Infection, Internal Pivot, Data Preparation & Exfiltration, Command and Control

Slide 7: Toward Continuous Incident Response
Factors driving the change:
• The persistent nature of the threat
• Other organizations aren't necessarily experiencing the same attacks
• The desire to collect threat intelligence that can be used to detect future incidents
• A sophisticated attack on a network involves a series of steps
Cycle labelled on the slide: Detect, Analyze, Respond, Distill Intel

Slide 8: Ponemon Research Report: 2014 Cyber Security Incident Response
Sample                        Freq    Pct
Sampling frame                20,446  100%
Total returns                 793     3.9%
Rejected & screened surveys   119     0.6%
Final sample                  674     3.3%
A scientific sampling frame of 20,446 experienced IT and IT security practitioners located in all regions of the United States and United Kingdom were selected as participants to this survey.

Slide 9: How can your organization most effectively mitigate future security breaches?
Better incident response capabilities: 68%
Threat Intelligence or IP reputation services: 62%
Improved vulnerability audits and assessments: 44%
Improved patch management process: 36%
Higher quality professional staffing: 29%

Slide 10: Incident Response Budgets
Percentage of security budget spent on Incident Response:
Less than 10%: 50%
10% to 20%: 31%
21% to 30%: 11%
31% to 40%: 5%
41% to 50%: 2%
More than 50%: 1%
How did this percentage change over the past 24 months?
Increased: 34%
Decreased: 18%
Stayed the same: 45%
Cannot determine: 3%

Slides 11 to 13: image-only slides (no text)

Slide 14: What type of tools are most effective in helping to detect breaches?
NetFlow / Pcap: 80%
SIEM: 76%
IDS / IPS: 67%
Threat Feeds: 65%

Slides 15 and 16: image-only slides (no text)

Slide 17: Network / Services / Hosts

Slide 18: image-only slide (no text)

Slide 19: NetFlow and Packet Capture

Slide 20:
• NetFlow
  – Lots of breadth, less depth
  – Lower disk space requirements
• Full Packet Capture
  – Deep but not broad
  – Expensive
  – High disk space requirements
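The home-court advantage of slide 5 (defenders know what is on the network, attackers must discover it) and the Recon / Internal Pivot stages of slide 6 can be turned into a detection over exactly the breadth this slide credits NetFlow with. The following is an added example, not code from the deck or from Lancope; the service inventory, the flow record format and the thresholds are assumptions made for illustration:

```python
"""Use the defender's knowledge of the network to spot environment discovery.
Constructed example, not Lancope code: a hypothetical service inventory plus
NetFlow-style records, which give breadth (every conversation) without payload."""
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst dport packets")  # 1-2 packets: no real exchange

# Assumed inventory: the (host, port) services the defender knows exist.
KNOWN_SERVICES = {("10.0.1.10", 443), ("10.0.1.10", 80),
                  ("10.0.1.20", 445), ("10.0.1.30", 22)}

def parse_flows(text):
    """Parse constructed 'src,dst,dport,packets' records (one flow per line)."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, pkts = line.split(",")
        flows.append(Flow(src, dst, int(dport), int(pkts)))
    return flows

def recon_score(flows, known=KNOWN_SERVICES):
    """Per source: (targets not in the inventory, targets that never answered,
    distinct hosts contacted). A legitimate client only uses services that
    exist; a host probing services that do not exist is mapping the network."""
    unknown, dead, hosts = defaultdict(set), defaultdict(set), defaultdict(set)
    for f in flows:
        hosts[f.src].add(f.dst)
        if (f.dst, f.dport) not in known:
            unknown[f.src].add((f.dst, f.dport))
            if f.packets <= 2:
                dead[f.src].add((f.dst, f.dport))
    return {s: (len(unknown[s]), len(dead[s]), len(hosts[s])) for s in hosts}

def flag_recon(flows, min_unknown=5, min_hosts=3):
    """Sources that touched >= min_unknown non-inventory targets on >= min_hosts hosts."""
    return sorted(src for src, (u, _, h) in recon_score(flows).items()
                  if u >= min_unknown and h >= min_hosts)

# Constructed sample: 10.0.5.11 is a normal client, 10.0.5.99 sweeps hosts and ports.
SAMPLE_FLOWS = """
10.0.5.11,10.0.1.10,443,40
10.0.5.11,10.0.1.20,445,120
10.0.5.11,10.0.1.30,22,85
10.0.5.99,10.0.1.10,443,3
10.0.5.99,10.0.1.11,445,1
10.0.5.99,10.0.1.12,445,1
10.0.5.99,10.0.1.13,445,1
10.0.5.99,10.0.1.10,3389,1
10.0.5.99,10.0.1.20,3389,1
10.0.5.99,10.0.1.30,3389,1
10.0.5.99,10.0.1.40,22,1
"""

if __name__ == "__main__":
    print(flag_recon(parse_flows(SAMPLE_FLOWS)))  # ['10.0.5.99']
```

The inventory is the part only the defender has; without it, the same flows are just traffic, which is the point the slides make about reconnaissance.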
Slide 21: image-only slide (no text)

Slide 22: Service Logs

Slide 23: Services (as targets)

Slide 24: Services (as supplementary information)

Slide 25: Host Logs

Slide 26: From where do you send information to your SIEM?
Network Security Devices: 61%
All Client PCs: 52%
All Application Servers: 48%
All Identity Management Infrastructure: 36%
All Network Infrastructure: 31%
We Don't: 34%

Slide 27: Regardless of the information source...
• Are you just logging information or are you also collecting it?
• Are you saving only 'special' log lines, or everything?
• Do you have a standard retention period in policy?
  – Does the budget control the period, or the period the budget?
• If you have end-user managed hosts, are they subject to the same logging policies?

Slide 28: Backups - the stakes have been raised!

Slide 29: image-only slide (no text)

Slide 30: Do your organization's incident investigations result in threat indicators which are used to defend the organization from future attacks?
Yes: 43%
No: 54%
Unsure: 3%

Slide 31: Roles in a Modern Incident Response Team
Security Analyst
Network Forensics Analyst
Hard Drive Forensic Analyst
Malware Analyst
Threat Intelligence Analyst
Security [Operations] Engineer
Operations Engineer
Software Engineer

Slide 32: Staffing
Number of team members in CSIRT:
None: 12%
One: 16%
2 to 5: 44%
6 to 10: 23%
More than 10: 5%
Number of team members fully dedicated to CSIRT:
None: 45%
One: 28%
2 to 5: 14%
6 to 10: 11%
More than 10: 2%

Slide 33: How frequently do you assess the readiness of your Incident Response team?
On an ongoing basis: 21%
On a quarterly basis: 14%
On a semi-annual basis: 6%
On an annual basis: 12%
Not on a regular schedule: 29%
Readiness is not assessed: 18%

Slide 34: Use of Indicators
• Firewall
• Web Gateway
• Mail Gateway
• IPS / IDS
• SIEM
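Slide 30's question (do investigations produce indicators that are then used to defend the organization?) and this slide's list of controls are the "Distill Intel" step of slide 7 made concrete. The following is an added example, not code from the deck or from Lancope; the indicator-to-control mapping, the regular expressions, and the sample notes and log lines are all constructed for illustration:

```python
"""Distill indicators from investigation notes, then see which of the
slide's controls can act on them. Constructed example, not Lancope code."""
import re

# Assumed mapping for this example: which control on the slide can act on
# which indicator type.
CONTROL_FOR = {"ip": ("Firewall", "IPS / IDS"), "domain": ("Web Gateway",),
               "sender": ("Mail Gateway",), "sha256": ("SIEM",)}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info)\b")
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}")

def distill(case_notes, own_domains=frozenset()):
    """Turn free-text investigation notes into typed indicators. Sender
    addresses are cut out before domain extraction so the mail domain is not
    double-counted, and anything on the organization's own domains is dropped."""
    text = case_notes.lower()
    ind = {("sha256", h) for h in SHA256_RE.findall(text)}
    ind |= {("sender", e) for e in EMAIL_RE.findall(text)
            if e.split("@")[1] not in own_domains}
    text = EMAIL_RE.sub(" ", text)
    ind |= {("ip", ip) for ip in IP_RE.findall(text)}
    ind |= {("domain", d) for d in DOMAIN_RE.findall(text) if d not in own_domains}
    return ind

def apply_indicators(indicators, log_lines):
    """Match indicators against 'Control: message' log lines, counting a hit
    only where that control is one that can act on the indicator type."""
    hits = set()
    for line in log_lines:
        control, _, body = line.partition(": ")
        body = body.lower()
        for kind, value in indicators:
            if control in CONTROL_FOR[kind] and value in body:
                hits.add((control, kind, value))
    return sorted(hits)

# Constructed investigation notes and log lines (placeholder values).
CASE_NOTES = """ws-17 beaconed to 203.0.113.45 (cdn-update.example-bad.info) every 5 minutes.
Dropper sha256 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef.
Lure mail came from Billing@notreal-invoices.net to hr@corp.example.com."""
LOG_LINES = [
    "Firewall: DENY 10.0.5.17 -> 203.0.113.45:443",
    "Web Gateway: GET http://cdn-update.example-bad.info/u.bin from 10.0.5.22",
    "Mail Gateway: FROM billing@notreal-invoices.net TO it@corp.example.com",
    "SIEM: endpoint alert hash 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef host ws-31",
    "Firewall: ALLOW 10.0.5.30 -> 198.51.100.7:443",
]

if __name__ == "__main__":
    for hit in apply_indicators(distill(CASE_NOTES, {"corp.example.com"}), LOG_LINES):
        print(hit)
```

The own-domain filter matters in practice: the victim mailbox in the notes is not an indicator, and pushing it to the mail gateway would block the organization's own users.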
Slide 35: Are you sharing threat intelligence?
Information is neither received nor shared: 45%
Information is received from sharing partners but not shared with them: 26%
Information is shared with law enforcement or other government agencies: 23%
Information is shared with various CERTs: 15%
Information is shared with industry peers: 12%

Slide 36: image-only slide (no text)

Slide 37: Do you have a PR and Analyst Relations plan in place in the event of a breach?
Yes: 23%
No: 75%
Unsure: 2%

Slide 38: What functions or departments are involved in the incident response process?
IT Management: 79%
Executive Management: 14%
Board of Directors: 10%
Risk management: 36%
Legal: 45%
Compliance: 47%
HR: 43%

Slide 39: Frequency of cyber threat briefings to various functions
IT management: 91%
Compliance / Audit: 64%
Legal: 51%
HR: 50%
Risk management: 49%
Broadly within the organization: 24%
Executive management: 20%
Board of directors: 12%

Slide 40: Should your CSIRT make decisions or recommendations?

Slide 41: Things to get in writing
• Who can approve what actions?
  – Does the type of incident affect the answer?
  – If an appropriate person cannot be reached, can the incident responder act on their own after a given amount of time?

Slide 42: Things to get in writing
• What are end-users' responsibilities in the incident response process?
  – Are they required to turn over machines to the CSIRT?
  – In the event of a compromise resulting in a wipe, do users get access to their files? Which ones?
  – What happens when a user needs something that the CSIRT has blocked?
  – Who handles exceptions?

Slide 43: Things to get in writing
• Can your CSIRT participate in information and indicator sharing groups?
• Can your CSIRT run malware live on the internet?
  – What are safe handling requirements?
• Can your CSIRT interact with malicious hosts for the purpose of intelligence gathering?
  – From the corporate LAN? An unattributed network?

Slide 44: image-only slide (no text)

Slide 45: Resources
§ Ponemon Research Report: 2014 Cyber Security Incident Response, http://www.lancope.com/ponemon-incident-response
§ The Forum of Incident Response & Security Teams, www.first.org
§ CERT Division of the Software Engineering Institute (SEI), www.cert.org/incident-management/

Slide 46: Q/A