We are living in an Internet of Things era. Everyday more and more products are being connected to the Internet and it affects our lives significantly. Therefore, the importance of IT security is increasing every minute. There are many TOP Global IT companies that makes news with the security incident very often and consequences of mishandling incidents has been huge. Handling the incident for the Global level IT companies are very difficult because they make many different types of products and services in many different locations with very fast paced development schedule. Especially, responding to the security incident of consumer grade hardware products such as smartphone and IoT devices are more difficult due to the complexity of patching process. This talk will provide an explicit methodology of building and managing a good PSIRT (Product Security Incident Response Team) for Top Global IT Companies that makes the consumer grade hardware products.

1. 1
How would you
handle and
prevent the fire
from IoT forests?
Copyright © by SecZone All rights reserved.
Mobile & IoT
Security Summit 2016

2. Who Am I ?
Issac Kim
 Network Security Engineer
 Application Security Engineer
 PSIRT Lead
 Runs SDLC
 Penetration Tester
 Security Researcher
 Bug Bounty Hunter
@cassimai
https://www.linkedin.com/in/iamissac
2

3. AGENDA
 What is PSIRT?
 ISSUE in PSIRT
 People + Relationship + Process
 References
Focus on Global IT companies that makes the consumer
grade IoT hardware and smartphone product
3

4. 4
Don’t worry, It is being handled…

5. PSIRT(a.k.a. Fire Station)
 Product Security Incident Response Team
 a.k.a the Fire Station
 Story of the nightmare before Christmas
 Multiple Critical Security Vulnerabilities
 Many calls, reports and meetings were made
 Incident was handled less than a week
 You do NOT need Firefighters or PSIRT until the incident
happens but it will always happen.
 Consequences of a mistake are huge
 Losing company reputation/brand power - SNS
 Can be sued
 Very tough work(24x7x365)
 Respects are not guaranteed as fire fighters
5

6. PSIRT in Global IT Companies
6
Lack of Security
Engineering
• Competition
drives SDLC
• 3rd party code
• Too Many
Product Lines
Patching Difficulties
• Short Product
Lifecycle
• Dist. Hardware
• Complex
Process
Response
• Rapid
• Accurate
• Reliable
 Security Incidents will always happen
 So, how do we solve this?
 Main Issues of Managing PSIRT in Global IT Companies

7. People + Relationship + Process
 To Be Successful, PSIRT needs to be
 Accurate  People
 Reliable  Relationship
 Rapid  Process
 Collaboration is needed as Gears
 to increase speed
 to increase force
 to change directions
7
Process
Relationship
People

8. 8
IR needs people, because successful IR
requires thinking.
Bruce Schneier
People

9. Firefighter == PSIRT ?
1. Become an Emergency Medical Technician
2. Volunteer your time
3. Take fire technology classes
4. Maintain a clean background and lifestyle
5. Stop by fire stations
6. Get some life experience
7. Learn as much as you can about the fire service
and hands-on experience
* http://www.firerescue1.com/Firefighter-
Training/articles/755562-Becoming-a-firefighter-10-must-do-
things/
Becoming a Firefighter: 7 must-do things * Becoming a Core PSIRT Member: 7 must-do things
1. Become an Emergency Medical Technician
 Help you to survive in the hostile environment.
2. Volunteer your time
 Help you to build good relationships.
3. Take fire technology classes
4. Maintain a clean background and lifestyle
5. Stop by fire stations (Attend security conferences)
6. Get some life experience (Participate Bug Bounty, CTF)
7. Learn as much as you can about the fire Incident
Handling service and hands-on experience
PSIRT Lead PSIRT AnalystPSIRT Sec. Engineer
Core PSIRT Members

10. People and Roles
10
PSIRT Lead
PSIRT Analyst
PSIRT Sec. Engineer
PSIRT Executive
Quality Assurance
Communication
Legal
Program Manager
Business Partner
Vendor
Ext. Sec. Researcher
Customer Support
People
In charge of PSIRT team. Makes the final decision.
Leading PSIRT. Point of contact for most of activity. Writes the advisory.
Triage and identify the incident. Point of contact for the ext. security researcher.
Investigate the security incident. Look for variant. Research new technique.
Point of contact for the customers. Delivers the advisory & guideline if necessary.
Partners who provide software and hardware of the product.
Partners who resells the product (Carriers)
Our best friend. Provide security vulnerabilities to PSIRT team.
Reviewing the advisory and the public released documents for the legal purpose.
Reviewing the advisory and the public released documents.
Tests the fixed version of software.
Manager who is the owner of affected product. In charge of fixing the issue.
Roles

11. 11
With guanxi, nothing matters; without
guanxi, everything matters
Relationship

12. Relationship : PSIRT Team
12
PSIRT Lead
PSIRT Analyst
PSIRT Sec. Engineer
PSIRT Executive
People
 Provide Monthly, Quarterly and Yearly Incident Report shows KPI and Metrics
→ Executives can make good/rapid decision in an emergency situation
→ Team will receive continuous support
 Provide continuous support and respect
→ Helps them to overcome difficult situation
 Provide training and education to update their skills
→ Helps them to process the incident more efficiently and accurately
 Send them to the security conferences (FIRST, Blackhat, Owasp)
→ Helps them to build the relationship with the security professionals
 Provide up-to-date tools and infrastructure
→ Helps to reduces incident response time and errors
Building Relationship

13. Relationship : Internal Team
13
People
 Host quarterly, annual security meeting and invite them to provide information
about the common security mistakes, trend and new process
→ Helps them to produce more secure product ,and more cooperative and
effective during an incident response process
 Host monthly meeting to discuss the advisory and public release information.
 Host semi-annual security meeting and invite them to provide information
about the common security trend and new process
→ Helps them to understand the security issue better and will be more
cooperative and efficient during an incident response process
Building Relationship
Quality Assurance
Communication
Legal
Program Manager
 Host semi-annual security meeting and invite them to provide information
about the common security trend related to the legal issue and new process
→ Helps them to understand security issue better and will be more cooperative
and efficient during an incident response process
Customer Support

14. Relationship : Ext. Sec. Researcher
People
 Sponsor security conferences and CTF (Mobile Pwn2own)
 Host a product security website
 Host a public bug bounty program
• Internal or Crowdsourcing: Bug Crowd, HackerOne and Synack
 Host an annual company level security conference and invite them
→ They will be attracted into the responsible disclosure
Building Relationship
Ext. Sec. Researcher
Joshua Drake
 Stagefright: RCE in Android Multimedia Framework Library
 One of the most dangerous security vulnerability in Android history
 Impacting over 1 billion android device
 What if he did not follow the responsible disclosure and disclosed it publicly
→ For a fame
→ Sells it to zero-day buyer (Android RCE pays out $200,000)
Stagefright

15. Relationship : External Groups
15
People
 Host monthly meeting to discuss the security advisory about critical issues
 Host an annual company level security conference and invite them
→ Helps them to become more cooperative and effective during an incident
response process
Building Relationship
Business Partner
Vendor
 Host quarterly meeting to discuss the critical security issues
 Host an annual company level security conference and invite them
→ Helps them to provide more secure code
→ Helps them to become more cooperative and effective during an incident
response process

16. 16
W. Edwards Deming
Process

17. Process
Remember the nightmare before the Christmas story?
Can you do all of them without the reliable process?
© Walt Disney. All rights reserved.
17

18. Update
Roles and Process
INPUT TRIAGE HANDLING
Email
Web
Bug B.
Tracking
System
Identification
Investigation
Countermeasure
POST INCIDENT
Test Fix
Confirm Fix
Risk
Identification
Update
Intermediate
Report
Final Report
Write Advisory
Review Advisory
Release Advisory
Update
Instructions
PSIRT Lead
PSIRT Analyst
PSIRT Sec. Engineer
PSIRT Executive
Quality Assurance
Communication
Legal
Program Manager
Business Partner
Vendor
Ext. Sec. Researcher Press Release
Customer Support
ActionOwner/Sender Receiver
Flows
People Process

19. Process : Tracking System
 Always start with the Tracking System
 Use uniformed vulnerability term (CWE)
 Assign unique identification ID along with CVE
 All internal participant must use the system
 Integrate the policy within the system
 Risk Based Process
 Access Control
 SLA
 KPI (Key Performance Indicator) support
 Types of Tools
 Building the IR system from the scratch
 Integrate Bug Tracking Software (JIRA)
 Vulnerability Management Plaform (Archer)
 Common IT Management Software (ServiceNow)
 Incident Response Tools (Resilent System, RITR, IR-Flow)
19

20. Process: Tips and Mistakes
 Update the reporter with the status until it is resolved.
 Sample policy
• Critical: Every week
• High: Every 2 weeks
• Medium and below: Every months
 When receiving the artifact (Reports and POC), make sure
to open them in a sandboxed environment.
 The artifact is the attachment file that is usually encrypted
so it has high chance of passing the email filters.
 PSIRT members are great target for adversaries
 Thoroughly investigate the report
 Reinvestigation costs lots of resources and leads to a big
failure
 Look for any variant issue
20

21. References
 Building a product security incident response team
presentation by Kymberlee Price, Bugcrowd
 https://pages.bugcrowd.com/best-practices-for-security-incident-response-teams
 FIRST(Forum of Incident Response and Security Team
 CSIRT
 https://www.first.org
 ISO 29147
 Security vulnerabilities disclosure
 https://www.iso.org/obp/ui/#iso:std:45170:en
 ISO 30111
 Vulnerabilities handling process
 http://www.iso.org/iso/catalogue_detail.htm?csnumber=53231
21

22. Thank You!