Zero Day Response: Strategies for the Security Innovation in Corporate Defense by Dr. Anton Chuvakin

Published in: Technology

Speaker notes
  • What are the top 3 elements that an effective policy or strategy must have to reduce the breach-to-detection gap?
    Notes:
    • Cut the “proactive crap” = most orgs have 0 chance to be proactive [neither can the vendors]; accept that you are reactive.
    • Accept that you will be hacked.
    • Think “carpet pulling” – what information/IT-related event will feel like you had the carpet pulled from under you. Result: outcome-focused thinking (not vulnerability-focused thinking), then to threats, then to vulnerabilities, then plan what to do.
    • Such thinking will allow you to reduce losses.
  • What are the top 3 elements that an effective policy or strategy must have to reduce the breach-to-detection gap?
    Notes:
    • Detection, prevention – pah. Response will happen! Thus preparing for it is KEY, despite all the temptations of “prevention-focused security”.
    • Hopefully this thinking will help you avoid the curse of “it won’t happen to us” [it probably already did!].
    • PREPARE = both process and technology – deploying, learning and using technology.
    • Don’t harp on “checklist security” = checklists are mandatory under stress, when thinking often leads people astray; prepare checklists.
    • To summarize: disaster prep is not the most fun thing to do, but – guess what? – it needs to happen since this is the only way to reduce the damage; prevention won’t save you.
    • NEW: cloud IH/IR preparation?
  • How do you best ensure that policies are actually being followed?
    Notes:
    • Awareness + education ONLY go so far.
    • NHTSA seatbelt study 2000-2006: awareness + enforcement is the only combo that works (stat research).
    • Policies which are not enforced are NOT followed; even security folks won’t follow their own policies (!!!)
    • Enforce = block, monitor + respond/act.
    • PREPARE + policy enforcement = have an action to take when a violation/issue is detected.
    • Policy shame example: post web access to intranet, internal public.
  • What are some of the key tools you need to improve and speed up response to breaches and optimize investigations?
    Notes – about each tool: Why CARE? What it IS? What it DOES? Why it is MANDATORY?
  • What are the top 5 specific steps organizations can take to ensure adequate accountability and repeatability of incident response?
    Notes – about each practice: Why CARE? What it IS? Why it is TOP?
    • Log! Logs are the IT vehicle for accountability: record before anything else – easy + useful during IH.
    • Build plans and checklists: when panic hits, prepared actions work; others just FAIL: create and test in advance.
    • Train people: tools and checklists don’t work alone: “buy the box to catch the fox” is tempting in IT; security is not about boxes (police box?).
    • Build your knowledge base: what worked/failed in incident response: knowledge base is a fancy name, really a logbook or notes from IH to build organization knowledge.
    • Focus on “reactive faster/better”, forget “proactive” for now: what can help you deal with an incident faster? Learn about it sooner? Reduce damage better?
  • Consulting Services focused on security product strategy, SIEM / log management as well as PCI DSS and other regulatory compliance (details [PDF])

    Technology Vendor Services
    This section of the services is intended for security vendors and security services providers. The focus is on security and compliance strategy for product planning, development and marketing as well as on content development.

    Product management and strategy
    • Review security product compliance strategy, PCI DSS strategy and optimize them for the market
    • Perform market assessment and analysis, competitive analysis, product strategy (build/buy/partner); prepare Market Requirements Documents (MRDs)
    • Help develop and refine security product marketing and positioning messages, focused on compliance and new threats
    • Augment internal Product Management staff for strategic security and compliance projects, use case analysis, product definition, Product Requirement Documents (PRD) development
    • Work with product management team to help define and prioritize product features based on market feedback and compliance requirements.

    Research and content development
    • Lead content development for whitepapers, "thought leadership" documents, research papers and other messaging documents, related to security and regulatory compliance (example whitepaper, recent book on PCI DSS)
    • Review security and compliance marketing materials, site contents and other public- or partner-facing materials
    • Create correlation rules, reports as well as policies and procedures and other operational content to make SIEM and log management products more useful to your customers
    • Map regulatory compliance controls such as PCI DSS (key focus!), HIPAA, NERC, FISMA, NIST, ISO, ITIL to security product features and document the use of the product in support of the mandates
    • Develop compliance content such as reports, correlation rules, queries and other relevant compliance content for security products.

    Events and webinars
    • Prepare and conduct thought leadership webinars, seminars and other events on PCI DSS, log management, SIEM and other security topics (example webinar).

    Training
    • Prepare and conduct customized training on log management, log review processes, logging "best practices," PCI DSS for customers and partners (example training class).
    • Develop advanced training on effective operation and tuning of SIEM and log management tools to complement basic training.

    End-user Organization / Enterprise Services
    This section of the services menu applies to end-user organizations. The main theme is related to planning and implementing logging, log management and SIEM / SIM / SEM for security and compliance.

    Log management and Security Information and Event Management (SIEM) product selection - how to pick the right SIEM and logging product?
    • Develop log management or SIEM product selection criteria (related writing)
    • Identify key use cases aligning log management and SIEM tools with business, compliance and security requirements
    • Prepare RFP documents for SIEM, SEM, SIM or log management
    • Assist with analyzing RFP responses from SIEM and log management vendors
    • Evaluate and test log management and SIEM products together with the internal IT security team
    • Advise on final product selection

    Logging and log management policy - how to develop the right logging policy? What to log?
    • Develop logging policies and processes for servers and applications, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
    • Interpret regulations and create specific and actionable logging system settings, processes and log review procedures (example: what to log for PCI DSS?)
    • Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
    • Customize industry "best practices" related to logging and log review to fit your environment, help link these practices to business services and regulations (example)
    • Help integrate logging tools and processes into IT and business operations

    SIEM and log management product operation optimization - how to get more value out of the tools available?
    • Clarify security, compliance and operational requirements
    • Tune and customize SIEM and log management tools based on requirements

    Content development
    • Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
    • Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations

    Training - how to get your engineers to use the tools best?
    • Provide customized training on the tools and practices of log management for compliance, IT operations, or security needs (example training conducted)
    • Develop training on effective operation and tuning of SIEM and log management tools to complement basic vendor training.

    Incident response artifact analysis
    • Analyze logs and other evidence collected during security incident response
  • Transcript

    • 1. Zero Day Response: Strategies for the Newest Innovation in Corporate Defense
      Dr. Anton Chuvakin
      SecurityWarrior LLC
      April 21, 2010
    • 2. Key Question #1
      How can senior management lead to a focused and effective security program?
    • 3. Leadership
      • Be aware of information security, specifically:
        • Threats to your organization: cybercrime, insiders, etc.
        • Impact: data loss, public disclosure, brand damage
        • Vulnerabilities: many of your systems are vulnerable now!
        • Regulations: disclosure laws => fixed incident cost!
      • Security is not “some IT stuff”, it is about information that “runs” your business
      • The security team is NOT the one ultimately responsible for your organization's survival – you are!
    • Key Question #2
      What are the top 3 elements that an effective policy or strategy must have to reduce the breach-to-detection gap?
    • 10. Reducing the Breach-to-Detection Gap
      • 90% of effective incident response happens before the breach: PREPARE!
      • Log, monitor, build baselines, learn what is normal so you can respond when anomalies happen
      • Deploying tools (log management, integrity monitoring, network monitoring, etc.) BEFORE the incident is the best “incident response” technique
      • Tools don’t run themselves! Train the IR team in using the tools and in not panicking. Checklists help.
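The “log, monitor, build baselines, learn what is normal” bullet is the part of this slide that turns into engineering. The following added example is not from the deck or from its author: it learns a baseline from constructed sshd-style log lines (the host, user names, addresses and the MIN_SPIKE floor are all invented for the example), then reports two kinds of deviation on a later day: an hourly failed-login count above mean + 3 standard deviations of the baseline hours, and a successful login from a (user, source address) pair never seen succeeding during the baseline period. In practice a log management system would hold the events; here they are inline so the script runs offline.

```python
"""Build a baseline of normal authentication activity, then flag deviations.

Added example, not from the slides. The sshd-style lines below are
constructed; hosts, users and addresses are invented.
"""
import re
import statistics
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hh>\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+)"
)

# Lowest failed-login count per hour worth alerting on, so that a very quiet
# baseline does not produce a near-zero statistical threshold (assumed value).
MIN_SPIKE = 5

# Constructed "quiet days" used to learn what normal looks like.
BASELINE_LOG = [
    "Apr 19 09:02:11 bastion sshd[1201]: Accepted password for alice from 10.0.1.20 port 51022 ssh2",
    "Apr 19 09:05:00 bastion sshd[1201]: Connection closed by 10.0.1.20 port 51022",
    "Apr 19 09:40:03 bastion sshd[1210]: Failed password for alice from 10.0.1.20 port 51030 ssh2",
    "Apr 19 14:12:45 bastion sshd[1322]: Accepted password for bob from 10.0.1.31 port 40211 ssh2",
    "Apr 20 08:55:09 bastion sshd[2001]: Failed password for bob from 10.0.1.31 port 40300 ssh2",
    "Apr 20 08:56:01 bastion sshd[2002]: Accepted password for bob from 10.0.1.31 port 40301 ssh2",
    "Apr 20 17:30:22 bastion sshd[2200]: Accepted password for alice from 10.0.1.20 port 51900 ssh2",
]

# Constructed lines for the day under review: a burst of failures against a
# non-existent account, then a real user logging in from that same address.
INCIDENT_LOG = [
    f"Apr 21 03:{10 + i:02d}:{(i * 7) % 60:02d} bastion sshd[{3100 + i}]: "
    f"Failed password for invalid user admin from 198.51.100.7 port {60001 + i} ssh2"
    for i in range(12)
] + [
    "Apr 21 03:25:40 bastion sshd[3130]: Accepted password for alice from 198.51.100.7 port 60040 ssh2",
    "Apr 21 09:01:00 bastion sshd[3300]: Accepted password for alice from 10.0.1.20 port 52010 ssh2",
]


def parse(lines):
    """Turn raw lines into event dicts with an hour bucket; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["hour"] = f"{e['mon']} {int(e['day']):02d} {e['hh']}"
            events.append(e)
    return events


def build_baseline(events):
    """Record which (user, source) pairs normally succeed and how many
    failures an hour normally carries."""
    known_pairs = {(e["user"], e["src"]) for e in events if e["result"] == "Accepted"}
    hours = {e["hour"] for e in events}
    failed = Counter(e["hour"] for e in events if e["result"] == "Failed")
    counts = [failed.get(h, 0) for h in sorted(hours)] or [0]
    mean = statistics.mean(counts)
    stdev = statistics.pstdev(counts)
    return {
        "known_pairs": known_pairs,
        "mean": mean,
        "stdev": stdev,
        "threshold": max(mean + 3 * stdev, MIN_SPIKE),
    }


def detect(events, baseline):
    """Compare new events against the baseline; return findings for an analyst."""
    findings = []
    failed = Counter(e["hour"] for e in events if e["result"] == "Failed")
    for hour, count in sorted(failed.items()):
        if count > baseline["threshold"]:
            findings.append({"type": "failure-spike", "hour": hour,
                             "count": count, "threshold": baseline["threshold"]})
    for e in events:
        if e["result"] == "Accepted" and (e["user"], e["src"]) not in baseline["known_pairs"]:
            findings.append({"type": "unseen-pair", "user": e["user"],
                             "src": e["src"], "hour": e["hour"]})
    return findings


def run():
    """Learn from the baseline days, then review the incident day."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(parse(INCIDENT_LOG), baseline)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The two findings are exactly the "carpet pulling" moment the notes describe: the spike says something is being tried, and the unseen pair says a real account then succeeded from the same place. Neither check needs the attacker's tooling to be known in advance; both only need the baseline to exist before the day in question, which is the slide's point.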
    • Key Question #3
      How do you best ensure that policies are actually being followed?
    • 14. Ensuring Policies are Followed
      • Same answer: Log, monitor, build baselines
      • Awareness and visibility BEFORE control
      • “Trust but verify” … but really… don’t trust the users!
      • Deploy tools (log management, integrity monitoring, network monitoring, etc.)
      • Learn how to use them well; make them part of daily practice
      • Have a plan of action when policy violations are detected: no enforcement action -> no following!
      • Education alone won’t do it!
    • Key Question #4
      What are some of the key tools you need to improve and speed up response to breaches and optimize investigations?
    • 21. Improving & Speeding up Response to Breaches, Optimizing Investigations
      Key tools:
      • Log management: create an audit trail for ALL IT and user activities; goldmine for forensics and incident response
      • SIEM: automated security monitoring, correlation, incident notification
      • Integrity checking: build the baseline for OS, application and data files
      • Network monitoring: record suspicious traffic as additional evidence
      • Forensic tools: use while investigating an incident
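For the “integrity checking: build the baseline” tool, here is an added example (not from the deck or its author) of the minimum such a tool does: hash every regular file under a root, keep that as the baseline, and later classify files as added, removed or modified. The demo builds its own temporary tree with constructed file names and contents, so it runs offline; in use the baseline is taken on a known-good system and kept off the host, so that whoever alters the files cannot also rewrite the reference.

```python
"""File integrity baseline and check.

Added example, not from the slides: hash every regular file under a root
with SHA-256, keep that as the baseline, and classify a later snapshot's
differences. The demo builds a temporary tree with constructed names and
contents so it runs offline.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large files do not sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Map each regular file's path, relative to root, to its SHA-256.

    Symlinks are skipped: hashing their target would silently record
    content that lives outside the tree being baselined.
    """
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def compare(baseline, current):
    """Classify every difference between two snapshots; all-empty means no change."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    """Create or overwrite a file below root (demo helper)."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Baseline a constructed tree, change it, and report the differences."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/sshd_config", b"PermitRootLogin no\n")
        _write(root, "bin/ls", b"\x7fELF constructed placeholder\n")

        # Baseline taken on the known-good tree; round-tripped through JSON
        # exactly as a stored baseline file would be.
        baseline = json.loads(json.dumps(snapshot(root), sort_keys=True))

        # Changes an integrity check should surface: a second UID-0 account
        # appended, a binary removed, a file dropped in a new location.
        _write(root, "etc/passwd",
               b"root:x:0:0:root:/root:/bin/sh\nsvc:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "bin", "ls"))
        _write(root, "tmp/.cache", b"unexpected\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report is only as trustworthy as the baseline: take it before the system goes into service, store it where the monitored host cannot write, and re-baseline deliberately after patching, otherwise every legitimate update drowns the check in noise.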
    • Key Question #5
      What are the top 5 specific steps organizations can take to ensure adequate accountability and repeatability of incident response?
    • 26. Slide #5
      Key practices:
      Log! Logs are the IT vehicle for accountability.
      Build plans and checklists: when panic hits, prepared actions work; others just FAIL
      Train people: tools and checklists don’t work alone
      Build your knowledge base: what worked/failed in incident response
      Focus on “reactive faster/better”, forget “proactive” for now
    • 27. Questions?
      Dr. Anton Chuvakin
      Security Warrior Consulting
      Email: anton@chuvakin.org
      Site: http://www.chuvakin.org
      Blog: http://www.securitywarrior.org
      Twitter: @anton_chuvakin
      Consulting: http://www.securitywarriorconsulting.com
    • 28. More on Anton
      Now: independent consultant
      Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
      Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
      Standard developer: CEE, CVSS, OVAL, etc
      Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
      Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
    • 29. Security Warrior Consulting Services
      Logging and log management strategy, procedures and practices
      Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
      Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
      Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
      Help integrate logging tools and processes into IT and business operations
      SIEM and log management content development
      Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
      Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
      More at www.SecurityWarriorConsulting.com
    • 30. More on Anton
      Consultant: http://www.securitywarriorconsulting.com
      Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
      Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
      Standard developer: CEE, CVSS, OVAL, etc
      Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
      Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
    • 32. Want a PCI DSS Book?
      “PCI Compliance” by Anton Chuvakin and Branden Williams
      Useful reference for merchants, vendors – and everybody else
      Released December 2009!
      www.pcicompliancebook.info