Preparing for a Security Breach



How to keep your head (and your job) when the worst-case scenario happens.

Due to the increasing frequency of security breaches, defining an action plan is critical for every security practitioner. Getting breached doesn’t determine whether or not you’ve got a good security program in place – but how you respond to one does.

Join security expert Conrad Constantine of AlienVault for an in-depth discussion on things you and your team should do today to prepare for information security breaches. You’ll get practical, lessons-learned advice on:

- The inevitability of security breaches
- Preparing to survive security breaches
- Threat identification and containment
- Handling the aftermath so it’s not worse than the breach itself

Published in: Technology

Preparing for a Security Breach

  1. Preparing for a Security Breach
     - A guide to surviving the Infosec worst case scenario.
     - Conrad Constantine, Community Manager, @AlienVault
     - Sandy Hawke, VP, Product Marketing, @AlienVault
  2. Introductions: Meet today’s presenters
     - Sandy Hawke, CISSP – “I used to be an infosec guy” – VP, Product Marketing, AlienVault, @sandybeachSF
     - Conrad Constantine – “I’m just some infosec guy” – Community Manager, Head Geek, AlienVault, @cpconstantine
  3. “Everyone has a plan until they get punched in the face.” – Mike Tyson
  4. (image only)
  5. Death, Taxes, and now Breaches
     - NO longer a question of if…
     - …but when.
     - *sigh*
  6. Why the Black Hats Always Win*
     - *With credit to Val Smith for the title
     - Defenders have to always be right, attackers only have to be right once.
  7. Tales from the Trenches…
     - Worked in Infosec since the mid-90’s
     - Been a sysadmin, a pen-tester and an incident responder.
     - I’ve worked on breaches ranging from mom and pop mail servers to the 2011 RSA Breach.
     - I’ve never worked for one of those companies you pay to come in and handle your breach for you.
     - It’s always been personal.
  8. What You Don’t Know Will Hurt You
     - “The Diversionary Attack you are ignoring, is actually the Main Assault” – Murphy’s Laws of Combat
  9. Separate the foxes from the dogs: Monitor & Automate
     - What’s / who’s online?
     - What’s normal vs. abnormal?
     - Are our controls working?
     - What are the latest threats?
     - Can I detect and defend against them?
  10. The Best Attacker Is a Lazy Attacker
     - Not all of the attacks need to be “advanced” / APTs to be successful.
     - In fact, most aren’t.
  11. Rule #1 – Don’t Panic!
     - “I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me. And when it has gone past I will turn the inner eye to see its path. Where the fear has gone there will be nothing. Only I will remain.” – Litany Against Fear, Frank Herbert, “DUNE”
     - Image source: Hitchhiker’s Guide to the Galaxy
  12. Keeping it Under Control
     - Remain calm. Your intruders…
     - Possess no psychic powers
     - Are not space aliens with access to technology far beyond ours.
     - Probably didn’t need vast amounts of insider information
     - They were successful in breaking in, so now you have to discover HOW
     - Image source: The X-Files
  13. An Ounce of Preparation…
     - Discover when, where and how the event happened – what was taken, when, where
     - Communicate this to your Executive Team.
     - Your ability to deliver this information is entirely dependent upon what you have available to monitor today.
     - “86% of victims had evidence of the breach in their log files” – Verizon Data Breach Report, 2010
  14. Extend Your “Team”: Collaboration is Key
     - A breach will introduce you to a LOT of new people around the company (HR, Legal, Exec, etc.)
     - Connect and collaborate with them now, before hair is on fire.
     - Goals: Arrive at a common language, agree on priorities, communication channels, and chain of command
  15. Containing The Fire
     - Leave No Stone Unturned.
     - There are no absolutes.
     - Burn out their access.
     - Be prepared to prove the unprovable (as in, they’re now GONE)
     - Logs are your friend. Make sure you can search them.
  16. Kicking the Barbarians out of the Castle
     - A good attacker will “blend in”
     - Privileged access is their friend.
     - Pivot, expand, pivot, expand.
     - Capture network baselines
     - Identify suspicious stuff
     - Netflow analysis
     - Service availability monitoring
  17. Establishing a timeline (image only)
  18. Importance of Logs: “Hiding In Plain Hind-sight”
     - “The Diversionary Attack you are Ignoring, is actually the Main Assault” – Murphy’s Laws of Combat Operations
  19. Importance of Shared Threat Intelligence
     - Remember the lazy attacker?
     - He’s using (and reusing) the same exploits against others (and you).
     - Sharing (and receiving) collaborative threat intelligence makes us all more secure.
  20. Need to Prioritize? Get Threat Intelligence!
     - Network and host-based IDS signatures – detects the latest threats in your environment
     - Asset discovery signatures – identifies the latest OS’es, applications, and device types
     - Vulnerability assessment signatures – dual database coverage to find the latest vulnerabilities on all your systems
     - Correlation rules – translates raw events into actionable remediation tasks
     - Reporting modules – provides new ways of viewing data about your environment
     - Dynamic incident response templates – delivers customized guidance on how to respond to each alert
     - Newly supported data source plug-ins – expands your monitoring footprint
  21. The Technical Checklist
     - Automated asset discovery and inventory – what’s on my network and what software is running on it?
     - Behavioral monitoring / netflow analysis – what’s “normal” activity for my servers and my network?
     - Network, host-based IDS – what threats are active in my network now?
     - Log management / log search – “long, deep and wide”
     - Dynamic threat intelligence – threats are constantly changing, so should my defenses
  22. The Process Checklist
     - Set expectations ahead of time:
     - Document for non-techs – explain what is involved in a security investigation (will save you time later!)
     - Agree on who will be doing what, when (NOW, not LATER)
     - Checklists for standard investigative procedures – user activity audits, system configuration changes, cross references to change control, etc.
     - Templates, tools, for recording long chains of evidence
  23. Practice Makes Perfect
     - The only thing that prepares you for a fight is… getting into a fight.
     - Practice defense during pen-tests.
     - Structured walk-throughs, Red Team exercises… all good.
  24. Never walk into a fight armed with only “a plan”…
  25. Summary
     - During a breach… it’s all about process and personalities.
     - What can you do now?
     - Implement essential monitoring and detection technologies.
     - Build strong relationships – they will be tested during crisis time!
     - Develop established communication channels, and document them.
     - Run through your checklists and practice sessions
  26. Next Steps / Q&A
     - Request an AlienVault USM demo
     - a free trial of AlienVault USM:
     - Not quite ready for all that? Test drive our open source project – OSSIM
     - more info to get started? Try our knowledgebase here: alienvault.bloomfire.com
     - These resources are also in the Attachments section
     - Join the conversation! @alienvault #AlienIntel
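The “what’s normal vs. abnormal” check that the “Kicking the Barbarians out of the Castle” and “Technical Checklist” slides call for (capture network baselines, netflow analysis), as an added example that is not code from the presentation or from AlienVault: it profiles each host’s outbound flows from a constructed baseline window, then flags flows in a later window that are far above the host’s usual volume, go to a port the host never used, or come from a host with no baseline at all. All hosts, ports and byte counts are constructed sample data.

```python
# Added example (not from the presentation): per-host netflow baseline with
# anomaly checks. Records are constructed tuples of
# (timestamp, src_ip, dst_ip, dst_port, bytes_out); hosts and ports are fictional.
from collections import defaultdict
from statistics import median

BASELINE = [  # constructed "normal week": a web server (.5) and a workstation (.9)
    ("2013-01-07T10:00", "10.0.0.5", "10.0.0.20", 443, 1200),
    ("2013-01-07T10:05", "10.0.0.5", "10.0.0.20", 443, 900),
    ("2013-01-07T10:10", "10.0.0.5", "10.0.0.21", 443, 1500),
    ("2013-01-08T10:00", "10.0.0.5", "10.0.0.20", 443, 1100),
    ("2013-01-07T10:02", "10.0.0.9", "10.0.0.5", 80, 3000),
    ("2013-01-08T10:03", "10.0.0.9", "10.0.0.5", 80, 2800),
]
CHECK = [  # constructed later window to judge against the baseline
    ("2013-01-14T02:00", "10.0.0.5", "203.0.113.7", 4444, 250000),
    ("2013-01-14T10:03", "10.0.0.9", "10.0.0.5", 80, 2900),
    ("2013-01-14T10:04", "10.0.0.77", "10.0.0.5", 80, 400),
]

def build_baseline(records):
    """Per source host: median bytes per flow, MAD spread, destination ports seen."""
    per_host = defaultdict(lambda: {"bytes": [], "ports": set()})
    for _ts, src, _dst, port, nbytes in records:
        per_host[src]["bytes"].append(nbytes)
        per_host[src]["ports"].add(port)
    profile = {}
    for src, d in per_host.items():
        med = median(d["bytes"])
        mad = median(abs(b - med) for b in d["bytes"]) or 1.0  # avoid zero spread
        profile[src] = {"median": med, "mad": mad, "ports": d["ports"]}
    return profile

def find_anomalies(profile, records, k=10):
    """Flag flows far above the host's volume baseline (median + k*MAD), flows
    to a port the host never used, and flows from hosts with no baseline."""
    findings = []
    for ts, src, dst, port, nbytes in records:
        p = profile.get(src)
        if p is None:  # "what's / who's online?" - a host we never profiled
            findings.append((ts, src, dst, port, "no baseline for host"))
            continue
        reasons = []
        if nbytes > p["median"] + k * p["mad"]:
            reasons.append("volume %d far above median %d" % (nbytes, p["median"]))
        if port not in p["ports"]:
            reasons.append("new destination port %d" % port)
        if reasons:
            findings.append((ts, src, dst, port, "; ".join(reasons)))
    return findings
```

Run `find_anomalies(build_baseline(BASELINE), CHECK)` to get the flagged flows; in a real deployment the baseline window would be days of exported flow records rather than a handful of tuples, and the threshold k is a tuning knob per network.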