Most organizations have made significant investments in security controls to enable prevention and detection. But when incidents occur, is your firm able to quickly mitigate them? The best security teams are, and as a result their organizations can learn from each incident and improve their performance next time.
This webinar will review critical components of proper incident mitigation including:
- Conducting post mortem and updating SOPs
- Evaluating historical response performance
- Generating reports for management, auditors, and authorities
Our featured speakers for this webinar will be:
- Stephen Brennan, Global Technical Consulting Lead - Managing Partner, CSC
- Ted Julian, Chief Marketing Officer, Co3 Systems
3. Slide 3
Agenda
I. Introductions
II. Who Are We
III. The Incident Response Lifecycle
IV. Objectives of Mitigation
V. Effective Paths to Mitigation
VI. Reactive Mitigation Strategies
VII. Proactive Mitigation Strategies
VIII. Close
4. Slide 4
Introductions
• Ted Julian, Chief Marketing Officer, Co3 Systems
• Stephen Brennan, Global Technical Consulting Lead, CSC
5. Slide 5
About Co3 – Incident Response Management
MITIGATE
Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
ASSESS
Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries
PREPARE
Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (firedrills / table tops)
MANAGE
Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence
6. Slide 6
Who is CSC?
• 5+ Integrated Global Security Operations Centers
• 15+ Global Alliance Partners Providing Security Expertise
• 35+ Years Providing Cybersecurity Services
• 2000+ Global Cybersecurity Professionals
TRUSTED
INTEGRATED
EFFICIENT
7. Slide 7
Who is CSC?
Recognized Industry Leader:
• Commitment to Growth
• Recent Acquisitions
• Alliance Partnerships
• IDC named CSC a “Leader” in the inaugural IDC MarketScape: Worldwide Managed Security Services 2014 Vendor Assessment.
• The IDC analysis and buyer perception study results placed CSC as the leading provider in the “strategies” axis, and as one of the firms with the greatest capability in delivering global managed security services (MSS).
13. Slide 13
Reactive Mitigation Strategies
• Repair systems
• Eliminate attack vectors
• Mitigate exploitable vulnerabilities
• Validation of the repair process
• Test systems to ensure compliance with policy and risk mitigation
• Perform additional repairs to resolve all current vulnerabilities
14. Slide 14
Proactive Mitigation Strategies
• Determine the attack vector and scope of incident
• Know the enemy—identify their tools and tactics
• Collaboratively design a containment strategy and document it
• Create a task list based on containment plan
• Delegate and monitor tasks until containment is achieved
• Restrict Administrative Privileges
• Application Whitelisting
• Patch and Deploy Current Applications and Operating Systems
• Strengthen workstation defences
• Enforce strong user authentication
• Protect your email service
• Defend the web gateway and harden web applications
• Monitor your system infrastructure
• Monitor your network
• Educate users about social engineering
16. Slide 16
Mitigation Example – Pass The Hash
• High privilege domain accounts are used to log on to workstations and servers.
• Applications or services run with high privilege accounts.
• Scheduled tasks run with high privilege accounts.
• Ordinary user accounts (Local or Domain) are granted membership to the local Administrators group on their workstations.
• Highly privileged user accounts can be used to directly browse the Internet from workstations, domain controllers, or servers.
• The same password is configured for the built-in local Administrator account on most or all workstations and servers.
Source: Trustworthy Computing
17. Slide 17
Mitigation Example – Pass The Hash (cont.)
• Restrict and protect high privileged domain accounts
• Restrict and protect local accounts with administrative privileges
• Remove standard users from the local Administrators group.
• Configure outbound proxies to deny Internet access to privileged accounts.
• Ensure administrative accounts do not have email accounts or mailboxes associated with them.
Source: Trustworthy Computing
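The risk conditions on slides 16 and 17 can be checked on each host before and after the mitigations are applied. The following read-only audit script is an added example, not code from the webinar, CSC or Co3. It assumes an elevated Windows PowerShell 5.1 or later session on Windows 10 / Server 2016 or later (for Get-LocalGroupMember and Get-ScheduledTask); the privileged-logon check uses the RSAT ActiveDirectory module when present, and $PrivilegedGroups is a placeholder list to replace with the tier-0 groups used in your domain.

```powershell
# Added example, not from the webinar: read-only audit for the pass-the-hash risk
# conditions on slide 16. Assumes an elevated Windows PowerShell 5.1+ session on
# Windows 10 / Server 2016 or later; check 4 uses the RSAT ActiveDirectory module if present.
# $PrivilegedGroups is an assumption: replace with the tier-0 groups used in your domain.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Computer = $env:COMPUTERNAME; Check = $Check; Detail = $Detail })
}

# 1. Ordinary accounts that hold local Administrators membership (slide 16, bullet 4).
Get-LocalGroupMember -Group 'Administrators' | Where-Object ObjectClass -eq 'User' | ForEach-Object {
    if ($_.Name.Split('\')[-1] -ne 'Administrator') {
        Add-Finding 'LocalAdminMember' "$($_.Name) is a member of local Administrators"
    }
}

# 2. Services running as a named (domain or local) account instead of a built-in identity (bullet 2).
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
    ForEach-Object { Add-Finding 'ServiceNamedAccount' "Service $($_.Name) runs as $($_.StartName)" }

# 3. Scheduled tasks whose principal is a named user rather than a built-in identity (bullet 3).
$BuiltIn = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'S-1-5-18', 'S-1-5-19', 'S-1-5-20')
Get-ScheduledTask | Where-Object { $_.Principal.UserId -and $_.Principal.UserId -notin $BuiltIn } |
    ForEach-Object { Add-Finding 'TaskNamedAccount' "Task $($_.TaskName) runs as $($_.Principal.UserId)" }

# 4. Interactive (2) and RDP (10) logons in the last 7 days by members of the privileged groups;
#    such logons leave reusable credential material on this host (bullet 1). Without the AD
#    module every interactive logon by a non-machine account is listed for manual review.
$Privileged = @()
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $Privileged = @($PrivilegedGroups |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
        Select-Object -ExpandProperty SamAccountName -Unique)
}
$Filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    $user = $data['TargetUserName']
    if ($data['LogonType'] -in @('2', '10') -and $user -notmatch '\$$' -and
        $data['TargetDomainName'] -notin @('Window Manager', 'Font Driver Host') -and
        ($Privileged.Count -eq 0 -or $user -in $Privileged)) {
        Add-Finding 'PrivilegedInteractiveLogon' "$($data['TargetDomainName'])\$user type $($data['LogonType']) at $($_.TimeCreated)"
    }
}

$Findings | Sort-Object Check | Format-Table -AutoSize
```

Each finding maps back to one slide 16 condition, so the same output serves as the validation step of slide 13 once the slide 17 mitigations have been rolled out.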
19. Slide 19
Upcoming Co3 Events
• IT-Defense 2015, Leipzig, Germany, Feb 4-6, 2015. Our CTO Bruce Schneier will be delivering a keynote on the "Future of Incident Response" on Thursday, February 5th at 2pm.
• IAPP Global Privacy Summit, Washington D.C., March 4-6, 2015
• RSA Conference 2015, San Francisco, April 20-24, 2015
20. Slide 20
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013
“Co3…defines what software packages for privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE
Stephen Brennan
Global Technical Consulting Lead
CSC
For a free consultation, please visit:
info.co3sys.com/free-consultation
21. Slide 21
“Co3 makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
– PC Magazine, Editor’s Choice
“Platform is comprehensive, user friendly, and very well designed.”
– Ponemon Institute
“One of the most important startups in security…”
– Business Insider
“One of the hottest products at RSA…”
– Network World
“...an invaluable weapon when responding to security incidents.”
– Government Computer News
“Co3 has done better than a home-run... it has knocked one out of the park.”
– SC Magazine
Most Innovative Product
Editor's Notes
Stephen Brennan:
Over 15 years of security experience work… on all facets of Cybersecurity including: hardware, software, managed services, policy, privacy, threat mitigation, compliance, and governance.
Experience working with all industries…my approach to evaluating real world security as a business driver for organisations has led to the development of proprietary risk assessment methodologies that allow security officers and senior executives to assign a quantifiable value to security risks and initiatives supported by specific business goals and objectives. By focusing on the key business assets, I have helped hundreds of organisations achieve an in-depth evidence based understanding of how to apply protection to areas where it is needed most.
In-depth knowledge of compliance intent and requirements… of such programs as HIPAA, ISA99, PCI-DSS and ISO27000 allowing organisations to achieve both compliance AND effective security.
Adapted from the standard Emergency Response Process of: Prepare, Respond, Recover, Mitigate
Red arrow pointing to CSC
IDC named CSC a “Leader” in the inaugural IDC MarketScape: Worldwide Managed Security Services 2014 Vendor Assessment.
The IDC analysis and buyer perception study results placed CSC as the leading provider in the “strategies” axis, and as one of the firms with the greatest capability in delivering global managed security services (MSS).
Why This is Important For Our Clients
IDC MarketScape provides a clear framework in which the product and service offerings, capabilities and strategies, and current and future market success factors of IT and telecommunications vendors can be meaningfully compared.
It also compares the depth and breadth of services offered by suppliers in a given market, and their use of information and communications technology to address their customers' needs.
The research methodology utilizes a rigorous scoring methodology based on both qualitative and quantitative criteria.
The framework also provides technology buyers with a 360-degree assessment of the strengths and weaknesses of current and prospective vendors.
According to IDC Marketscape, CSC’s biggest strengths include a commitment to growth in the commercial sector, recent acquisitions related to big data and cloud delivery, and alliance partnerships with HP and Trend Micro.
Incidents can occur in countless ways, so it is infeasible to develop step-by-step instructions for handling every incident. Organizations should be generally prepared to handle any incident but should focus on being prepared to handle incidents that use common attack vectors. Different types of incidents merit different response strategies. The attack vectors listed below are not intended to provide definitive classification for incidents; rather, they simply list common methods of attack, which can be used as a basis for defining more specific handling procedures.
An event is an observable change to the normal behavior of a system, environment, process, workflow or person (components). There are three basic types of events:
Normal—a normal event does not affect critical components or require change controls prior to the implementation of a resolution. Normal events do not require the participation of senior personnel or management notification of the event.
Escalation – an escalated event affects critical production systems or requires an implementation of a resolution that must follow a change control process. Escalated events require the participation of senior personnel and stakeholder notification of the event.
Emergency – an emergency is an event which: may impact the health or safety of human beings; breaches primary controls of critical systems; materially affects component performance; because of impact to component systems, prevents activities which protect or may affect the health or safety of individuals; or is deemed an emergency as a matter of policy or by declaration by the available incident coordinator.
Loss or Theft of Equipment: The loss or theft of a computing device or media used by the organization, such as a laptop, smartphone, or authentication token.
Other: An attack that does not fit into any of the other categories.
This section focuses on recommended practices for handling any type of incident. It is outside the scope of this publication to give specific advice based on the attack vectors; such guidelines would be provided in separate publications addressing other incident handling topics, such as NIST SP 800-83 on malware incident prevention and handling.
In short, the methodology consists of the following steps:
Determine the attack vector and scope of incident
Know the enemy—identify their tools and tactics
Collaboratively design a containment strategy and document it
Create a task list based on containment plan
Delegate and monitor tasks until containment is achieved