Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident Response

  • 1. Structured Incident Types to Streamline Incident Response – Predrag Zivic, Mike Lecky
  • 2. Agenda
    – Introduction
    – Incident Type Definition
    – Function Based Alerting
    – Asset Classification
    – Streamlined Ticket and Severity
    – Steps to Function Based Alerting
    – Streamline Incident Response
    – Benefits
    – Conclusion
  • 3. Introduction – Typical Integrated Security Monitoring System (diagram). Components shown: HIDS, IDS, Platforms, AV, Proxy/Firewall, FIM, SIEM, SCM, VA, Dashboard; the tools are laid out along a Proactive / Reactive axis.
  • 4. Introduction – The Problem
    – Number of security tools
    – Large number of rules for alerting
    – Uncertainty about incident severity level
    – Inconsistent alerting thresholds
    – Spotty coverage
    – Complexity of tool integration
  • 5. Introduction – The Problem Scenario (diagram): alert "Success After X Failed Logins from IP" on Windows Platform, Server XNXYY; Alert Severity ??; Send Ticket to Windows Support; Incident Ticket – Identified Security Incident.
    – First responders confused
    – Ticket sent to Windows group – after a few days sent to Security Operations
    – Security operations confused about where this came from and what the severity is anyway
  • 6. Incident Type Definition – Criteria for defining incident types to achieve streamlined incident response
    – Following industry guidelines – NIST, Carnegie Mellon, SANS
    – Understandable
    – Reportable
    – Comprehensive set – but not too many!
    – Easily applied to security tools
    – Manageable
  • 7. Incident Type Definition (table columns: Incident | Definition / Examples | Security or Privacy Breach | Notes)
    – Unauthorized Access
      Definition / Examples: CORPORATE personnel gain logical or physical access without permission to network, system, application, data, facilities or other resource, e.g. hacking CORPORATE managed systems or third party managed systems; lost Blackberry or laptop. External agent gains logical or physical access without permission to network, system, application, data, facilities or other resource, e.g. hacker, intruder.
      Security or Privacy Breach: Compromise – Theft/Removal, Destruction, Modification, Copying, Use
      Notes: All unauthorized access incidents should be handled using prescribed CORPORATE incident response operational processes. In such an event, internal processes for investigation and possible disciplinary or criminal charges may apply.
    – Unauthorized Disclosure
      Definition / Examples: CORPORATE employee (IT or non-IT personnel) discloses sensitive data to unauthorized persons – may be in any form of correspondence, including oral. CORPORATE client (IT or business personnel) discloses confidential data to unauthorized CORPORATE employees. CORPORATE client (IT or business personnel) discloses confidential data to third parties. Granting read, write or delete privileges to individuals whose duties do not require such privileges.
      Security or Privacy Breach: Compromise – Theft/Removal, Destruction, Modification, Copying, Use; Disclosure of financial, finance reports, credit card related and personal information
      Notes: In the case of unauthorized disclosure by a CORPORATE employee, internal processes for investigation and possible disciplinary action may apply. There might be insufficient restrictions on access privileges for financial, finance reports, credit card related and personal information.
    – Unauthorized Collection
      Definition / Examples: CORPORATE application uses data matching or another process to collect financial, finance reports, credit card related and personal information without the consent or knowledge of the information owner. CORPORATE non-IT personnel: collection or use of financial or personal information for purposes other than verification. External agent collecting the information from logical or physical CORPORATE infrastructure.
      Security or Privacy Breach: Collecting financial, finance reports, credit card related and personal information without identifying the purpose
      Notes: Potential problem normally identified in the SRA process or audit. Process controls should be corrected once the incident is identified.
    – Unauthorized Disposal
      Definition / Examples: Information such as financial or required finance reporting information not retained in accordance with CORPORATE standard requirements.
      Security or Privacy Breach: Unavailability of financial or required restricted and confidential information; Unavailability of personal information
      Notes: Policy and process for retention and disposal schedules is required.
    – Unauthorized Use
      Definition / Examples: CORPORATE application or a user uses data mining or another process for purposes other than those defined. Unauthorized correlation of information. CORPORATE non-IT personnel: use of financial or personal information for purposes other than those defined.
      Security or Privacy Breach: Use of financial, finance reports, credit card related, personal information and any other confidential or restricted information
      Notes: Policy should be defined for each application; the function should be enumerated.
  • 8. Incident Type Definition (table columns: Incident | Examples | Security or Privacy Breach | Notes)
    – Infrastructure Attack
      Examples: An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources, e.g. distributed denial of service attack or active WLAN attack.
      Security or Privacy Breach: Unavailability
      Notes: Unavailability of financial, finance reports, credit card related and personal information must be reported and notification must take place in accordance with CORPORATE standard requirements. SLAs should identify reporting requirements.
    – Malicious Code and Malware
      Examples: A code-based malicious entity (virus, worm, trojan horse, malformed applet, rootkit, time-bombs etc.) that infects or destroys a host.
      Security or Privacy Breach: Compromise – Theft/Removal, Destruction, Modification, Copying, Use; Unavailability
      Notes: See above – corruption or compromise of financial, credit card and personal information requires detection and reporting.
    – Infrastructure Vulnerabilities (found during the vulnerability management process)
      Examples: Any found critical vulnerabilities that expose critical financial and personal information.
      Security or Privacy Breach: May cause unavailability, or loss of financial or personal information that is deemed confidential or restricted
      Notes: Possible unavailability of financial, finance reports, credit card related and personal information must be dealt with promptly.
    – Compliance Specific
      Examples: CEO&CFO key controls and PCI key controls that could not be classified as one of the incident type categories specified in this matrix.
      Security or Privacy Breach: CORPORATE exposed to a non-compliant environment and may incur penalties
      Notes: Impact to financial bottom line and possible executive prosecution.
    – System Health Specific
      Examples: Specific to each operational tool with its own health incidents. Security tools can have specific issues that may impact security monitoring.
      Security or Privacy Breach: Security monitoring unavailable
      Notes: Impact to the security group's ability to detect incidents and increased risk to the organization. Business is not impacted, but monitoring must be restored as soon as possible.
  • 9. Function Based Alerting (table columns: Incident Type | Alert Scenario | Events)
    – Unauthorized Access – "x failed logins by a user in y mins": Windows, AIX, HP-UX, DB, ACS, Security Tools, NIC, Checkpoint FW, Mainframe and Wireless Switch failed login attempts
    – Unauthorized Access – "Success after X failed logins by IP": Windows, AIX, HP-UX, DB, RADIUS, Security Tools, NIC, Checkpoint FW, Mainframe and Wireless Switch failed login attempts
    – Unauthorized Access – "Successful login as the built-in administrator account has been detected": Windows, AIX, HP-UX, DB, RADIUS, Security Tools, Checkpoint FW, Mainframe and Wireless Switch logins
  • 10. Asset Classification (table columns: Asset Group | Integrity | Confidentiality | Importance (Availability) | Vulnerability)
    – CKA & PCI: 10 | 10 | 10 | 1
    – CKA: 8 | 8 | 8 | 1
    – PCI: 8 | 8 | 8 | 1
    – Production: 6 | 6 | 6 | 1
    – QA: 3 | 3 | 3 | 1
    – Development: 3 | 3 | 3 | 1
    LEGEND: Low 1-3, Medium 4-6, High 7-8, Very High 9-10. Align incident response urgency to the business for resolution.
  • 11. Streamline Incident Ticket & Severity (diagram): Server XNXX, Windows Platform; Unauthorized Access – Success After X Failed Logins per IP; Classified – 10 CIA V1; Severity Level 2; Incident Ticket – Identified Security Incident. The Efficient Scenario of Function Based Alerting:
    – First responders know what type of ticket it is
    – Ticket sent to Security Operations with the proper severity level
    – Security operations understand the server classification and take appropriate action
  • 12. Streamline Incident Ticket & Severity (diagram): Server XNXX, Windows Platform and Server UNYY, UNIX Platform; both Unauthorized Access – Success After X Failed Logins per IP; both Classified – 10 CIA V1; Severity Level 1; Incident Tickets – Identified Multiple Security Incidents. The Real Life Benefit of Function Based Alerting:
    – First responders saw two severity 2 alerts and one severity 1 alert from the SEIM – automatic escalation
    – Alert escalated to Security Operations with the proper severity level
    – Security operations take the incident seriously and engage the severity 1 level response team
  • 13. Steps to Function Based Alerting
    – Align incident types and function based alerting across all security tools. Start first with the SEIM, then add IDS and HIDS. Align vulnerability tools: VA, Secure Configuration Management, File Integrity Management.
    – By aligning threat and exposure, achieve quantitative operational risk metrics
    – Align Risk & Governance with security operational risk using the same threat and vulnerability function based alerting
  • 14. Streamline Incident Response – A standardized approach for incident investigation, containment and resolution is achieved by: Function Based Alerting; detailed, standardized information supporting 1st and n-level responders; enabling efficient and effective security operations:
    – Consistent severity assignment
    – Consistent investigation
    – Consistent resolution
  • 15. Benefits
    – Aligned security incident types to actions by incident responders
    – Structured incident types approach enables a completeness check on the alert set
    – Efficient and streamlined security incident detection and response
    – Minimizes gaps in detection capability across security tools
    – Standardized baseline approach for statistical incident analysis
    – Structured approach to threat modelling
    – Facilitates identification of new and enhanced security controls
  • 16. Conclusion
    – Statistical analysis of incidents
    – Straightforward threat modeling
    – Consistent operational security reporting
    – Foundation for enhanced preventative controls and detective controls
    (diagram: PROACTIVE – Improve Posture; REACTIVE – Incident Response; Balance Investment Against Risk Appetite)
  • 17. Questions? Predrag Zivic, Mike Lecky