A Practical Plan to Reduce the Impact and Increase Resilience
There are a lot of things you can’t do or can’t do easily. You can’t stop a breach and you certainly can’t meet the deadline of ‘yesterday’ to get it fixed.
Security is shifting from protection to impact reduction and corporate resilience. However, this shift is surfacing collateral risk issues that could once be ignored:
* Incident Response
* Data Classification
* Granular Auditing and Investigation
* Legal Ramifications
Topics Covered:
* Security’s Strategic Change
* Resilience – Indicator Tracking and Response
* ASAP – Reducing the Impact
* Reverse Engineering Your Plan
While you can’t fix everything, you can get ahead of the problems!
4. HEUREKA OVERVIEW
Heureka
Meaning: “I’ve found it!”
Heureka was formed to allow clients to search and respond quickly to discovery, security, compliance and free-form investigation needs.
5. WHY?
There is a need for quick information regarding:
• Breach
• Lawsuit
• HR Issues
• BSA Licensing
• Inquiry
• Process Change
• Lack of Planning
• Excessive failed logins undetected
• Unpatched Endpoints
• Forced to classify data
• Unknown what's in the cloud
• Unknown IOCs
• Intellectual Property Loss
• Failed Audit
• Proof of compliance
6. HOW?
• Endpoint Intelligence
• Viewed via the search and correlation platform
• Numerous workflows
– eDiscovery
– Data Classification
– Incident and Indicator Response
– Audit and Compliance
– Free Form Investigation
7. YOU CAN’T STOP A BREACH
Overview
• Security’s Strategic Change
• Resilience
• Reducing the Impact
• Reverse Engineering Your Plan of Action
8. “Enterprises have long over-spent on prevention and under-spent on detection and response.” --Gartner
Verizon breach report shows:
– 80% RATED AS SIMPLE ATTACKS
– TWO-THIRDS WERE ACTIVE FOR MONTHS BEFORE BEING DISCOVERED.
9. PHASES OF A BREACH
BEFORE
• Controls
• Hardening
• Enforcement
DURING
• Detect
• Block
• Defend
AFTER
• Scope
• Contain
• Remediate
14. WHAT WILL IT TAKE?
• Increasing the speed and accuracy of security response actions during an attack
• Effective and adaptive plans and processes to identify and remediate security breaches after they have occurred
- SANS report 2014
16. IMPACT REDUCING EFFORTS
• Data Classification
• Granular Audits
• Solid Proactive Processes
• Anomaly Detection
• Policies and Procedures
• Incident Identification and Remediation
• Patching Process
17. NEED FOR PLANNING
• Incident Response Plan
• Data Classification Plan
• Audit Plan
• Risk Management Plan
• Business Impact Analysis
• Business Continuity Plan
• Patch Plan
– And Everything Must be a Process!
18. YET PLANS TAKE TIME AND RESOURCES
• Again, after a breach, spending only goes up 20%.
Corporations (on average) have:
• No patience (yet lack speed)
• Not enough resources (yet incomplete planning)
Starting with a conceptual plan doesn’t work (easily) in practice.
20. THE FIVE KEYS TO REVERSE ENGINEERING
1. Determine, at the most basic level, what happened (or could happen), what you have, and where it is (i.e. malware, data, files, systems, network traffic, etc.).
2. Define the problem.
3. Identify as many steps as possible that are required to resolve the issue.
4. Define the tools and resources needed to get the job done.
5. Create the policies and procedures based on those steps and resources.
21. BENEFITS OF REVERSE ENGINEERING
• Starting with a blank canvas is too difficult
• Systematically identifies areas to improve
• Provides a baseline for making changes and testing them
• Helps assess performance and provides a basis for making improvements
23. REVERSE ENGINEERED IR
Discover
• Scope
• Validate
Contain
• Prioritize
• Group
Eradicate
• Correlate
• Cleanse
Recover
• Resolve Collateral Issues
• Improve
Goals
• Risks and Impacts
• Classify
Plan
• Policies
• Procedures
24. DISCOVERY IS KEY
What do we have? Where is it? Who owns it?
What’s happening now? Where should we start?
This is critical for many issues
• Incident Response
• Compliance
• Data Classification
• Intellectual Property Loss
• Lawsuits
• Etc.
25. SUMMARY
• You’re breached
• Ensure you ‘know what you know.’
• The ideal doesn’t work in practice
• Begin with the end in mind –Resilience is key
• Have your tools and processes reflect this fact
• Start from where you are to reduce impact and collateral risk issues