A Practical Plan to Reduce the Impact and Increase Resilience There are a lot of things you can’t do or can’t do easily. You can’t stop a breach and you certainly can’t meet the deadline of ‘yesterday’ to get it fixed. Security is shifting from protection to impact reduction and corporate resilience. However, this shift is leading to collateral risk issues that once were able to be ignored: * Incident Response * Data Classification * Granular Auditing and Investigation * Legal Ramifications Topics Covered: * Security’s Strategic Change * Resilience – Indicator Tracking and Response * ASAP – Reducing the Impact * Reverse Engineering Your Plan While you can’t fix everything, you can get ahead of the problems!

1. YOU CAN’T STOP
A BREACH.
NOW WHAT?!?

2. “Begin with the end in mind.”
~Stephen Covey
“You couldn't know what you didn't know,
but now you know.” ~Yogi Berra

3. PRESENTERS
Nate Latessa
Heureka Chief Operating Officer
nate.latessa@heurekasoftware.com
Stephen Marchewitz
VP Client Solutions
Stephen.marchewitz@heurekasoftware.com

4. HEUREKA OVERVIEW
Heureka
Meaning: “I’ve found it!”
Heureka was formed to allow
clients to search and respond
quickly to discovery, security,
compliance and free-form
investigation needs.

5. WHY?
There is a need for quick information regarding:
Breach
Lawsuit
HR Issues
BSA Licensing
Inquiry
Process Change
Lack of Planning
Excessive failed
logins undetected
Unpatched Endpoints
Forced to classify data
Unknown what's in the
cloud
Unknown IOC's
Intellectual Property
Loss
Failed Audit
Proof of compliance

6. HOW?
• Endpoint Intelligence
• Viewed via the search and
correlation platform
• Numerous workflows
– eDiscovery
– Data Classification
– Incident and Indicator Response
– Audit and Compliance
– Free Form Investigation

7. YOU CAN’T STOP A BREACH
Overview
• Security’s Strategic Change
• Resilience
• Reducing the Impact
• Reverse Engineering Your Plan of Action

8. “Enterprises have long over-spent on prevention and under-spent
on detection and response.” --Gartner
Verizon breach report shows:
– 80% RATED AS SIMPLE ATTACKS
– ⅔s WERE ACTIVE FOR MONTHS
BEFORE BEING DISCOVERED.

9. PHASES OF A BREACH
•Controls
•Hardening
•Enforcement
BEFORE
• Detect
• Block
• Defend
DURING
• Scope
• Contain
• Remediate
AFTER

10. SPENDING BEFORE KNOWN BREACH
•$$$$$$$$$$BEFORE
•$$$$DURING
•$AFTER

11. SPENDING SHIFT POST-BREACH
•$$$$$$$$BEFORE
•$$$$$DURING
•$$$$AFTER
A 20% increase in spending after a breach,
disproportionally in forensic and investigative tools.
--Ponemon

12. WHILE WE CAN’T STOP A
BREACH…
Can we realistically contain it?

13. RESILIENT
Patterned After Nature
You have to be

14. WHAT WILL IT TAKE?
• Increasing the speed and accuracy of
security response actions during an attack
• Effective and adaptive plans and processes
to identify and remediate security breaches
after they have occurred
- SANS report 2014

15. THE MOVE FROM PREVENTION
Respond
Detect
Prevent

16. IMPACT REDUCING EFFORTS
• Data Classification
• Granular Audits
• Solid Proactive Processes
• Anomaly Detection
• Policies and Procedures
• Incident Identification and Remediation
• Patching Process

17. NEED FOR PLANNING
• Incident Response Plan
• Data Classification Plan
• Audit Plan
• Risk Management Plan
• Business Impact Analysis
• Business Continuity Plan
• Patch Plan
– And Everything Must be a Process!

18. YET PLANS TAKE TIME AND RESOURCES
• Again, after a breach, spending only goes up 20%.
Corporations (on average) have
• No patience ( yet lack speed)
• Not enough resources (yet incomplete planning)
Starting with a conceptual plan doesn’t work (easily) in
practice

19. REVERSE ENGINEERING
It’s too difficult to forward engineer in
today’s environment.
Data Data

20. THE FIVE KEYS TO REVERSE
ENGINEERING
1. Determine the most basic level what happened (or
could), what you have, and where it is—(i.e. malware,
data, files, systems, network traffic, etc).
2. Define the problem
3. Identify as many steps as possible that are required to
resolve the issue.
4. Define the tools and resources needed to get the job
done.
5. Create the policies and procedures based on those
steps and resources.

21. BENEFITS OF REVERSE ENGINEERING
• Starting with a blank canvas is too difficult
• Systematically identifies areas to improve
• Provides a baseline for making changes
and testing them
• Helps assess performance and provides a
basis for making improvements.

22. IDEAL INCIDENT RESPONSE
Goals
• Risks and Impacts
• Classify
Plan
• Policies
• Procedures
Discover
• Scope
• Validate
Contain
• Prioritize
• Group
Eradicate
• Correlate
• Cleanse
Recover
• Resolve Collateral Issues
• Improve

23. REVERSE ENGINEERED IR
Discover
• Scope
• Validate
Contain
• Prioritize
• Group
Eradicate
• Correlate
• Cleanse
Recover
• Resolve Collateral Issues
• Improve
Goals
• Risks and Impacts
• Classify
Plan
• Policies
• Procedures

24. DISCOVERY IS KEY
What do we have? Where is it? Who owns it?
What’s happening now? Where should we start?
This is critical for many issues
• Incident Response
• Compliance
• Data Classification
• Intellectual Property Loss
• Lawsuits
• Etc.

25. SUMMARY
• You’re breached
• Ensure you ‘know what you know.’
• The ideal doesn’t work in practice
• Begin with the end in mind –Resilience is key
• Have your tools and processes reflect this
fact
• Start from where you are to reduce impact
and collateral risk issues

26. THANK YOU!

27. HEUREKA – I’VE FOUND IT!
www.heurekasoftware.com