We are living in an Internet of Things era. Every day more and more products are connected to the Internet, and this affects our lives significantly. Therefore, the importance of IT security is increasing every minute. Many top global IT companies make the news with security incidents, and the consequences of mishandling those incidents have been huge. Handling incidents at global IT companies is very difficult because they make many different types of products and services, in many different locations, on very fast-paced development schedules. Responding to security incidents in consumer-grade hardware products such as smartphones and IoT devices is especially difficult because of the complexity of the patching process.
This talk provides an explicit methodology for building and managing a good PSIRT (Product Security Incident Response Team) at top global IT companies that make consumer-grade hardware products.
2. Who Am I?
Issac Kim
Network Security Engineer
Application Security Engineer
PSIRT Lead
Runs SDLC
Penetration Tester
Security Researcher
Bug Bounty Hunter
@cassimai
https://www.linkedin.com/in/iamissac
3. AGENDA
What is PSIRT?
ISSUE in PSIRT
People + Relationship + Process
References
Focus on global IT companies that make consumer-grade IoT hardware and smartphone products
5. PSIRT (a.k.a. Fire Station)
Product Security Incident Response Team
a.k.a. the Fire Station
Story of the nightmare before Christmas
Multiple critical security vulnerabilities
Many calls, reports and meetings were made
The incident was handled in less than a week
You do NOT need firefighters or a PSIRT until the incident happens, but it will always happen.
Consequences of a mistake are huge
Losing company reputation/brand power (SNS)
Can be sued
Very tough work (24x7x365)
Respect is not guaranteed, unlike for firefighters
6. PSIRT in Global IT Companies
Main Issues of Managing PSIRT in Global IT Companies
Lack of Security Engineering
• Competition drives SDLC
• 3rd party code
• Too many product lines
Patching Difficulties
• Short product lifecycle
• Dist. hardware
• Complex process
Response
• Rapid
• Accurate
• Reliable
Security incidents will always happen
So, how do we solve this?
7. People + Relationship + Process
To be successful, PSIRT needs
Accurate People
Reliable Relationship
Rapid Process
Collaboration is needed, like gears (People, Relationship, Process):
to increase speed
to increase force
to change directions
8. People
"IR needs people, because successful IR requires thinking."
Bruce Schneier
9. Firefighter == PSIRT?
Becoming a Firefighter: 7 must-do things *
1. Become an Emergency Medical Technician
2. Volunteer your time
3. Take fire technology classes
4. Maintain a clean background and lifestyle
5. Stop by fire stations
6. Get some life experience
7. Learn as much as you can about the fire service and get hands-on experience
* http://www.firerescue1.com/Firefighter-Training/articles/755562-Becoming-a-firefighter-10-must-do-things/
Becoming a Core PSIRT Member: 7 must-do things
1. Become an Emergency Medical Technician: helps you survive in the hostile environment.
2. Volunteer your time: helps you build good relationships.
3. Take fire technology classes
4. Maintain a clean background and lifestyle
5. Stop by fire stations (attend security conferences)
6. Get some life experience (participate in bug bounties, CTFs)
7. Learn as much as you can about the incident handling service and get hands-on experience
Core PSIRT Members: PSIRT Lead, PSIRT Analyst, PSIRT Sec. Engineer
10. People and Roles
PSIRT Executive: In charge of the PSIRT team. Makes the final decision.
PSIRT Lead: Leads PSIRT. Point of contact for most activity. Writes the advisory.
PSIRT Analyst: Triages and identifies the incident. Point of contact for the external security researcher.
PSIRT Sec. Engineer: Investigates the security incident. Looks for variants. Researches new techniques.
Customer Support: Point of contact for the customers. Delivers the advisory and guideline if necessary.
Vendor: Partners who provide software and hardware for the product.
Business Partner: Partners who resell the product (carriers).
Ext. Sec. Researcher: Our best friend. Provides security vulnerabilities to the PSIRT team.
Legal: Reviews the advisory and publicly released documents for legal purposes.
Communication: Reviews the advisory and publicly released documents.
Quality Assurance: Tests the fixed version of the software.
Program Manager: Manager who owns the affected product. In charge of fixing the issue.
12. Relationship: PSIRT Team
Building Relationship (PSIRT Lead, PSIRT Analyst, PSIRT Sec. Engineer, PSIRT Executive)
Provide monthly, quarterly and yearly incident reports showing KPIs and metrics
→ Executives can make good, rapid decisions in an emergency
→ The team will receive continuous support
Provide continuous support and respect
→ Helps them overcome difficult situations
Provide training and education to update their skills
→ Helps them process the incident more efficiently and accurately
Send them to security conferences (FIRST, Black Hat, OWASP)
→ Helps them build relationships with security professionals
Provide up-to-date tools and infrastructure
→ Helps reduce incident response time and errors
13. Relationship: Internal Team
Building Relationship (Quality Assurance, Communication, Legal, Program Manager, Customer Support)
Host quarterly and annual security meetings and invite them, providing information about common security mistakes, trends and new processes
→ Helps them produce a more secure product and be more cooperative and effective during the incident response process
Host a monthly meeting to discuss the advisory and public release information
Host a semi-annual security meeting and invite them, providing information about common security trends and new processes
→ Helps them understand security issues better and be more cooperative and efficient during the incident response process
Host a semi-annual security meeting and invite them, providing information about common security trends related to legal issues and new processes
→ Helps them understand security issues better and be more cooperative and efficient during the incident response process
14. Relationship: Ext. Sec. Researcher
Building Relationship (Ext. Sec. Researcher)
Sponsor security conferences and CTFs (Mobile Pwn2Own)
Host a product security website
Host a public bug bounty program
• Internal or crowdsourced: Bugcrowd, HackerOne and Synack
Host an annual company-level security conference and invite them
→ They will be attracted to responsible disclosure
Stagefright
Joshua Drake
Stagefright: RCE in the Android multimedia framework library
One of the most dangerous security vulnerabilities in Android history
Impacting over 1 billion Android devices
What if he had not followed responsible disclosure and had disclosed it publicly?
→ For fame
→ Sold it to a zero-day buyer (Android RCE pays out $200,000)
15. Relationship: External Groups
Building Relationship (Business Partner, Vendor)
Business Partner
Host a monthly meeting to discuss the security advisory for critical issues
Host an annual company-level security conference and invite them
→ Helps them become more cooperative and effective during the incident response process
Vendor
Host a quarterly meeting to discuss critical security issues
Host an annual company-level security conference and invite them
→ Helps them provide more secure code
→ Helps them become more cooperative and effective during the incident response process
18. Roles and Process
Phases: INPUT → TRIAGE → HANDLING → POST INCIDENT
Input channels: Email, Web, Bug Bounty, Tracking System
Steps, in order: Identification, Investigation, Countermeasure, Test Fix, Confirm Fix, Risk Identification, Update, Intermediate Report, Final Report, Write Advisory, Review Advisory, Release Advisory, Update Instructions, Press Release
Participants: PSIRT Lead, PSIRT Analyst, PSIRT Sec. Engineer, PSIRT Executive, Quality Assurance, Communication, Legal, Program Manager, Business Partner, Vendor, Ext. Sec. Researcher, Customer Support
Flows: each action has an owner/sender and a receiver (People → Process)
19. Process: Tracking System
Always start with the tracking system
Use uniform vulnerability terminology (CWE)
Assign a unique internal identifier alongside the CVE ID
All internal participants must use the system
Integrate the policy within the system
Risk-based process
Access control
SLA
KPI (Key Performance Indicator) support
Types of tools
Build the IR system from scratch
Integrate bug tracking software (JIRA)
Vulnerability management platform (Archer)
Common IT management software (ServiceNow)
Incident response tools (Resilient Systems, RTIR, IR-Flow)
20. Process: Tips and Mistakes
Update the reporter with the status until the issue is resolved.
Sample policy
• Critical: every week
• High: every 2 weeks
• Medium and below: every month
When receiving artifacts (reports and PoCs), make sure to open them in a sandboxed environment.
The artifact is usually an encrypted attachment, so it has a high chance of passing the email filters.
PSIRT members are prime targets for adversaries
Thoroughly investigate the report
Reinvestigation costs a lot of resources and leads to big failures
Look for any variant issues
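The tracking-system slide and the reporter-update policy above describe a system rather than show one. The following toy tracker is an added example (not code from the talk or from any product named on the slides): it issues a unique internal ID next to the CVE ID, rejects reports that do not use CWE terminology, moves a case forward through the phases of the process, treats the sample update cadence as an SLA that can be checked, and produces one closure-time KPI for the periodic report. The PSIRT-<year>-<seq> ID format, the day counts behind the cadence, the placeholder CVE ID and all sample cases are assumptions made for this example.

```python
"""Toy PSIRT tracking system, added here as an example (not code from the talk).
Shows: a unique internal ID next to the CVE ID, CWE terminology validated at intake,
forward-only movement through the process phases, the reporter-update cadence
(Critical: weekly, High: every 2 weeks, Medium and below: monthly) enforced as an SLA,
and a closure-time KPI. The PSIRT-<year>-<seq> ID format, the day counts behind the
cadence and every sample case are assumptions made for this example."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
CWE_RE = re.compile(r"^CWE-\d+$")
# Phase order from the roles-and-process slide; a case only moves forward.
PHASES = ("input", "triage", "handling", "post_incident", "closed")
# Sample policy cadence in days (assumption: "every month" is treated as 30 days).
UPDATE_SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 30}

def validate_case_fields(severity, cwe, cve):
    """Return the intake problems found; an empty list means the case is acceptable."""
    problems = []
    if severity.lower() not in UPDATE_SLA_DAYS:
        problems.append(f"unknown severity {severity!r}")
    if not CWE_RE.match(cwe):
        problems.append(f"use CWE terminology, got {cwe!r}")
    if cve is not None and not CVE_RE.match(cve):
        problems.append(f"malformed CVE id {cve!r}")
    return problems

@dataclass
class Case:
    internal_id: str
    severity: str
    cwe: str
    opened: date
    cve: Optional[str] = None
    phase: str = "input"
    last_reporter_update: Optional[date] = None
    closed_on: Optional[date] = None

    def advance(self, to_phase, on):
        """Move the case forward (skipping phases is allowed), never backwards."""
        if PHASES.index(to_phase) <= PHASES.index(self.phase):
            raise ValueError(f"{self.internal_id}: {self.phase} -> {to_phase} not allowed")
        self.phase = to_phase
        if to_phase == "closed":
            self.closed_on = on

class Tracker:
    """Issues unique IDs and enforces uniform terminology before a case enters the system."""

    def __init__(self):
        self.cases = {}
        self._seq = {}  # per-year sequence counter for the internal ID

    def open_case(self, severity, cwe, opened, cve=None):
        problems = validate_case_fields(severity, cwe, cve)
        if problems:
            raise ValueError("; ".join(problems))
        seq = self._seq.get(opened.year, 0) + 1
        self._seq[opened.year] = seq
        case = Case(f"PSIRT-{opened.year}-{seq:04d}", severity.lower(), cwe, opened, cve)
        case.last_reporter_update = opened  # the intake acknowledgement is the first update
        self.cases[case.internal_id] = case
        return case

    def overdue_reporter_updates(self, today):
        """IDs of open cases whose reporter has not heard from PSIRT within the SLA."""
        return [c.internal_id for c in self.cases.values() if c.phase != "closed"
                and today - c.last_reporter_update > timedelta(days=UPDATE_SLA_DAYS[c.severity])]

    def mean_days_to_close(self, severity):
        """KPI for the monthly/quarterly report: mean days from receipt to closure."""
        days = [(c.closed_on - c.opened).days for c in self.cases.values()
                if c.severity == severity and c.closed_on is not None]
        return sum(days) / len(days) if days else None

def sample_report(today=date(2016, 3, 20)):
    """Run constructed sample cases (not real incidents) and return the report figures."""
    t = Tracker()
    a = t.open_case("critical", "CWE-787", date(2016, 3, 1), "CVE-0000-0001")  # placeholder CVE id
    a.advance("triage", date(2016, 3, 2))
    a.last_reporter_update = date(2016, 3, 2)
    a.advance("closed", date(2016, 3, 6))
    b = t.open_case("high", "CWE-79", date(2016, 3, 1))
    b.advance("handling", date(2016, 3, 8))
    b.last_reporter_update = date(2016, 3, 8)
    t.open_case("medium", "CWE-200", date(2016, 2, 1))  # never updated after intake
    return {
        "ids": sorted(t.cases),
        "overdue": t.overdue_reporter_updates(today),
        "mean_days_to_close_critical": t.mean_days_to_close("critical"),
        "rejected": validate_case_fields("high", "buffer overflow", "2016-1234"),
    }

if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Running the module lists the three constructed case IDs, flags the medium-severity case as overdue (its reporter has heard nothing for 48 days against a 30-day cadence, while the high-severity case is 12 days into a 14-day window), reports a mean of 5 days to close critical cases, and shows the two intake problems a report with free-text terminology and a malformed CVE ID would raise. A real deployment would keep the same checks at the boundary of whatever tool (JIRA, ServiceNow, RTIR) holds the cases, so that every internal participant is forced onto the same vocabulary and the SLA and KPI figures come straight out of the system.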
21. References
Building a Product Security Incident Response Team, presentation by Kymberlee Price, Bugcrowd
https://pages.bugcrowd.com/best-practices-for-security-incident-response-teams
FIRST (Forum of Incident Response and Security Teams), CSIRT
https://www.first.org
ISO 29147: Security vulnerability disclosure
https://www.iso.org/obp/ui/#iso:std:45170:en
ISO 30111: Vulnerability handling processes
http://www.iso.org/iso/catalogue_detail.htm?csnumber=53231