Needs of a Modern Incident Response Program
Presentation Transcript

  • Slide 1: Needs of a Modern Incident Response Program. Tom Cross, Director of Security Research, Lancope; Brandon Tansey, Security Researcher, Lancope. © 2014 Lancope, Inc. All rights reserved.
  • Slide 2: What advantages do attackers have? Asymmetry: “The defender has to cover every vulnerability but the attacker only has to find one.”
  • Slide 3: Attackers Can Often Evade Defenses
  • Slide 4: Perimeter Security
    • Much of the practice of computer security has to do with making sure the doors are locked.
      – When we have incidents we spend more money on prevention.
      – We tend to assume that if the bad guys are in, it's game over.
    • We're focusing our energy where attackers have the most strength.
  • Slide 5: What advantages do defenders have? Home Court Advantage
    • Defenders create the network environment that attackers are trying to compromise.
    • Defenders know what is on the network and have visibility into the network.
    • Attackers have to discover the environment through reconnaissance.
    • Defenders can exploit the attacker's lack of knowledge of the environment in order to detect attackers and waste their time.
  • Slide 6: A Four Dimensional View of Attacker Behavior
    • A sophisticated attack on a network involves a series of steps.
    • Traditional thinking views any system compromise as a successful breach.
    • Any successful action taken to stop an infection prior to data exfiltration can be considered a win.
    • This is the Kill Chain concept introduced by Mike Cloppert at Lockheed.
    • Controls should be put in place at each stage of the chain.
    Kill chain stages shown in the diagram: Recon, Exploitation, Initial Infection, Internal Pivot, Data Preparation & Exfiltration, Command and Control.
  • Slide 7: Toward Continuous Incident Response
    Factors driving the change:
    • The persistent nature of the threat
    • Other organizations aren't necessarily experiencing the same attacks
    • The desire to collect threat intelligence that can be used to detect future incidents
    • A sophisticated attack on a network involves a series of steps
    Cycle shown in the diagram: Detect, Analyze, Respond, Distill Intel.
  • Slide 8: Ponemon Research Report: 2014 Cyber Security Incident Response
    Sample response:
      Sampling frame                20,446   100%
      Total returns                    793   3.9%
      Rejected & screened surveys      119   0.6%
      Final sample                     674   3.3%
    A scientific sampling frame of 20,446 experienced IT and IT security practitioners located in all regions of the United States and United Kingdom was selected as participants in this survey.
  • Slide 9: How can your organization most effectively mitigate future security breaches?
    • Better incident response capabilities: 68%
    • Threat intelligence or IP reputation services: 62%
    • Improved vulnerability audits and assessments: 44%
    • Improved patch management process: 36%
    • Higher quality professional staffing: 29%
  • Slide 10: Incident Response Budgets
    Percentage of security budget spent on incident response: Less than 10%: 50%; 10% to 20%: 31%; 21% to 30%: 11%; 31% to 40%: 5%; 41% to 50%: 2%; More than 50%: 1%.
    How did this percentage change over the past 24 months? Increased: 34%; Decreased: 18%; Stayed the same: 45%; Cannot determine: 3%.
  • Slide 14: What type of tools are most effective in helping to detect breaches?
    • NetFlow / Pcap: 80%
    • SIEM: 76%
    • IDS / IPS: 67%
    • Threat Feeds: 65%
  • Slide 17: Information sources shown in the diagram: Network, Services, Hosts.
  • Slide 19: NetFlow vs. Packet Capture
  • Slide 20:
    • NetFlow
      – Lots of breadth, less depth
      – Lower disk space requirements
    • Full Packet Capture
      – Deep but not broad
      – Expensive
      – High disk space requirements
  • Slide 22: Service Logs
  • Slide 23: Services (as targets)
  • Slide 24: Services (as supplementary information)
  • Slide 25: Host Logs
  • Slide 26: From where do you send information to your SIEM?
    • Network security devices: 61%
    • All client PCs: 52%
    • All application servers: 48%
    • All identity management infrastructure: 36%
    • All network infrastructure: 31%
    • We don't: 34%
  • Slide 27: Regardless of the information source…
    • Are you just logging information or are you also collecting it?
    • Are you saving only ‘special’ log lines, or everything?
    • Do you have a standard retention period in policy?
      – Does the budget control the period, or the period the budget?
    • If you have end-user managed hosts, are they subject to the same logging policies?
  • Slide 28: Backups - the stakes have been raised!
  • Slide 30: Do your organization's incident investigations result in threat indicators which are used to defend the organization from future attacks? Yes: 43%; No: 54%; Unsure: 3%.
  • Slide 31: Roles in a Modern Incident Response Team
    • Security Analyst
    • Network Forensics Analyst
    • Hard Drive Forensic Analyst
    • Malware Analyst
    • Threat Intelligence Analyst
    • Security [Operations] Engineer
    • Operations Engineer
    • Software Engineer
  • Slide 32: Staffing
    Number of team members in CSIRT: None: 12%; One: 16%; 2 to 5: 44%; 6 to 10: 23%; More than 10: 5%.
    Number of team members fully dedicated to CSIRT: None: 45%; One: 28%; 2 to 5: 14%; 6 to 10: 11%; More than 10: 2%.
  • Slide 33: How frequently do you assess the readiness of your Incident Response team?
    • On an ongoing basis: 21%
    • On a quarterly basis: 14%
    • On a semi-annual basis: 6%
    • On an annual basis: 12%
    • Not on a regular schedule: 29%
    • Readiness is not assessed: 18%
  • Slide 34: Use of Indicators
    • Firewall
    • Web Gateway
    • Mail Gateway
    • IPS / IDS
    • SIEM
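As an added illustration (not code from the slides or from Lancope), here is one way the kill chain stages from slide 6 and the indicators distilled from investigations (slides 30 and 34) can be applied to NetFlow-style records: each internal host is reported with the furthest stage its observed traffic evidences, so a responder sees whether a stop before exfiltration is still possible. The indicator addresses, thresholds and flow records are constructed, and placing Command and Control before Internal Pivot in the stage order is my assumption.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Kill chain stages from the slide; placing Command and Control before the
# pivot is this example's ordering assumption.
STAGES = ["Recon", "Exploitation", "Initial Infection", "Command and Control",
          "Internal Pivot", "Data Preparation & Exfiltration"]
INTERNAL = ip_network("10.0.0.0/8")

# Constructed indicators (documentation-range addresses) tagged with the
# stage an investigation found them to evidence.
INDICATORS = {
    "198.51.100.7": "Initial Infection",    # hypothetical payload download host
    "203.0.113.10": "Command and Control",  # hypothetical beacon destination
}
PIVOT_FANOUT = 8          # distinct internal peers before a source counts as pivoting
EXFIL_BYTES = 10_000_000  # bytes sent to an indicator host treated as exfiltration


def stage_flows(flows):
    """Map each internal source to the furthest stage its flows evidence.
    A flow is a dict with src, dst and bytes (bytes sent by src)."""
    reached = defaultdict(set)
    internal_peers = defaultdict(set)
    for f in flows:
        if ip_address(f["src"]) not in INTERNAL:
            continue  # host-centric view: only flows originated inside
        if ip_address(f["dst"]) in INTERNAL:
            internal_peers[f["src"]].add(f["dst"])  # candidate lateral movement
            continue
        stage = INDICATORS.get(f["dst"])
        if stage:
            reached[f["src"]].add(stage)
            if f["bytes"] >= EXFIL_BYTES:  # large upload to a known-bad host
                reached[f["src"]].add("Data Preparation & Exfiltration")
    for src, peers in internal_peers.items():
        if len(peers) >= PIVOT_FANOUT:
            reached[src].add("Internal Pivot")
    return {host: max(st, key=STAGES.index) for host, st in reached.items()}


# Constructed sample flows: 10.0.0.5 walks the whole chain, 10.0.0.9 only
# beacons, 10.0.0.12 talks to an address that is not an indicator.
FLOWS = (
    [{"src": "10.0.0.5", "dst": "198.51.100.7", "bytes": 512_000}]
    + [{"src": "10.0.0.5", "dst": "203.0.113.10", "bytes": 900}] * 3
    + [{"src": "10.0.0.5", "dst": f"10.0.0.{n}", "bytes": 300} for n in range(20, 40)]
    + [{"src": "10.0.0.5", "dst": "203.0.113.10", "bytes": 48_000_000}]
    + [{"src": "10.0.0.9", "dst": "203.0.113.10", "bytes": 700}]
    + [{"src": "10.0.0.12", "dst": "192.0.2.33", "bytes": 40_000}]
)
```

The two thresholds are where the home-court advantage from slide 5 shows up: they encode the defender's knowledge of what is normal on this network, which the attacker has to guess.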
  • Slide 35: Are you sharing threat intelligence?
    • Information is neither received nor shared: 45%
    • Information is received from sharing partners but not shared with them: 26%
    • Information is shared with law enforcement or other government agencies: 23%
    • Information is shared with various CERTs: 15%
    • Information is shared with industry peers: 12%
  • Slide 37: Do you have a PR and Analyst Relations plan in place in the event of a breach? Yes: 23%; No: 75%; Unsure: 2%.
  • Slide 38: What functions or departments are involved in the incident response process?
    • IT Management: 79%
    • Executive Management: 14%
    • Board of Directors: 10%
    • Risk management: 36%
    • Legal: 45%
    • Compliance: 47%
    • HR: 43%
  • Slide 39: Frequency of cyber threat briefings to various functions
    • IT management: 91%
    • Compliance / Audit: 64%
    • Legal: 51%
    • HR: 50%
    • Risk management: 49%
    • Broadly within the organization: 24%
    • Executive management: 20%
    • Board of directors: 12%
  • Slide 40: Should your CSIRT make decisions or recommendations?
  • Slide 41: Things to get in writing
    • Who can approve what actions?
      – Does the type of incident affect the answer?
      – If an appropriate person cannot be reached, can the incident responder act on their own after a given amount of time?
  • Slide 42: Things to get in writing
    • What are end-users' responsibilities in the incident response process?
      – Are they required to turn over machines to the CSIRT?
      – In the event of a compromise resulting in a wipe, do users get access to their files? Which ones?
      – What happens when a user needs something that the CSIRT has blocked?
      – Who handles exceptions?
  • Slide 43: Things to get in writing
    • Can your CSIRT participate in information and indicator sharing groups?
    • Can your CSIRT run malware live on the internet?
      – What are safe handling requirements?
    • Can your CSIRT interact with malicious hosts for the purpose of intelligence gathering?
      – From the corporate LAN? An unattributed network?
  • Slide 45: Resources
    • Ponemon Research Report: 2014 Cyber Security Incident Response, http://www.lancope.com/ponemon-incident-response
    • The Forum of Incident Response & Security Teams, www.first.org
    • CERT Division of the Software Engineering Institute (SEI), www.cert.org/incident-management/
  • Slide 46: Q/A