When a Data Breach Happens, What's Your Plan?

Ashley Madison, Sony, Kaspersky Labs, LastPass, Centrelink, the G20 event in Brisbane… What do they all have in common? They were victims of data breaches. And as you probably know by now, some were handled better than others. In this session we will talk about strategies, from mitigation to handling, used when (not “if”) a data breach happens, and what controls you have if you are using Office 365.

  1. ENTERPRISE SECURITY ENTERPRISE SHAREPOINT. When a Data Breach Happens, What’s Your Plan? Edge Pereira, ES2 Solutions Architect, edge@es2.com.au, Twitter: @superedge. Stuart Mills, ES2 Director, stuart@es2.com.au. 2015
  2. Our Plan for Today • Making Sense of Threats • Cloud Breaching Incident Plan • What to do After the Incident? • Recommendations • Q & A
  3. Making Sense of Threats. Diagram labels: Outsider; End User; Insider; Secure Design; Secure Code; Protections against attacks; Assume Breach; Contain Attackers; Detect Attackers; Remediate Attacks; Built controls: DLP, Encryption, etc.; Auditing
  4. Internet cafes in vacation spots; Every time you connect to the internet; Wonderful Internet Services; Ideological Movements; Organized Crime; Nation States
  5. Hacking in the Good Old Days
  6. Data Breaches. Source: Liam Cleary, BRK2142, Microsoft Ignite
  7. Numerous, Active, and Evolving Threats…
  8. …Very Active Threats. Social media giants Facebook, LinkedIn, among others, get hacked… repeatedly.
  9. Leaks and Training. “The personal details of world leaders – including David Cameron, Barack Obama and Vladimir Putin – have been accidentally revealed in an embarrassing privacy breach.” It has been discovered that an employee at the Australian immigration department mistakenly sent personal information of all world leaders attending the G20 Summit to organisers of the Asian Cup football tournament. And the heads of government were kept in the dark about the employee’s blunder. The passport numbers and visa details of United States president, Barack Obama, the Russian president, Vladimir Putin, the German chancellor, Angela Merkel, the Chinese president, Xi Jinping, the Indian prime minister, Narendra Modi, the Japanese prime minister, Shinzo Abe, the Indonesian president, Joko Widodo, and the British prime minister, David Cameron, were all exposed. Source: http://www.independent.co.uk/news/world/personal-details-of-obama-putin-cameron-and-merkel-sent-to-wrong-email-address-by-g20-summit-organiser-10142539.html
  10. Leaks and Training. Source: http://www.canberratimes.com.au/national/public-service/federal-privacy-authorities-called-in-over-centrelink-breach-20140818-105hjw
  11. The Evolution of Attacks (chart axes: Targeting, Sophistication, Volume and impact). 2003–2004: Script kiddies. BLASTER, SLAMMER. Motive: mischief
  12. The Evolution of Attacks (chart axes: Sophistication, Targeting). 2005–PRESENT: Organized crime. RANSOMWARE, CLICK-FRAUD, IDENTITY THEFT. Motive: profit
  13. The Evolution of Attacks (chart axes: Sophistication, Targeting). Organized crime. RANSOMWARE, CLICK-FRAUD, IDENTITY THEFT. Motive: profit. 2012–BEYOND: Nation states, activists, terror groups. BRAZEN, COMPLEX, PERSISTENT. Motives: IP theft, damage, disruption
  14. Defining Risk. Diagram labels: Vulnerability; Threat; Consequence; Risk. The U.S. Department of Homeland Security (DHS) defines risk as a vulnerability coupled with a threat that creates a consequence
  15. Writing a Cloud Breach Incident Plan • What is the problem you are solving? • No executive sponsor? No worries • Advisory committee • Know your audience
  16. Sample Plan • Foreword • Objective • Scope • Assumptions • Ownership • Execution command topologies • Plan structure
  17. Plan Structure • Preparation • Detection & analysis • Declaration & mobilization • Technical actions • Supporting actions • Incident containment • Post incident • Plan Maintenance
  18. Incident Preparation • Crystal ball exercise • What kind of information could you share with 3rd party or law enforcement? • If you lose PCI or PII data, how would you notify them? Who in the community can help you? • For credit monitoring, what would be the services, costs involved, and to whom? • Compile these into one or more documents. Label it crisis response.
  19. Incident Detection and Analysis • Sources of information • Define what is an “incident”, “alert”, “suspicious events” • Define severities • Peer-review with IT, InfoSec and Legal
  20. Incident Response • “Who does what when” • Tiger team and decision making structure • Battle rhythm. Everyone needs to know what to do and not wait. • Time to make decisions not longer than executing • Declaration of end of incident
  21. Incident Response - Tiger Team. Team Leader: • Oversees all team work • Keeps team focused on damage containment. Lead Investigator: • Collects & analyzes evidence • Root cause • Manages the business continuity plan. Comms Lead: • Messaging for all audiences • Inside and outside the company. Documentation and Timeline Leader: • Investigations • Discovery and recovery • Documents timeline events. HR/Legal Leader: • Criminal charges developments
  22. Plan Post-Incident • Lessons learned • Recommendation #1: test the plan once a year
  23. Recommendations: How to Mitigate the Risk and Consequences of a Data Breach • Expand the use of Encryption • Workforce training and awareness programs • Strengthening of perimeter controls • Implement identity and access management solutions (privileged access first) • Strong endpoint security solutions • Implement data loss prevention solutions • Get a security certification or independent audit
  24. Q & A
  25. Recap • Making Sense of Threats • Cloud Breaching Incident Plan • What to do After the Incident? • Recommendations • Q & A
  26. Learn More: Useful Material and Links • Office 365 Trust Portal • ES2 website www.es2.com.au • Computer Incident Response, NK McCarthy • BRK2159 Office 365 today and beyond, TechEd NA • www.superedge.net
  27. Hour of Code - https://code.org/learn
  28. Thank You
  29. Perth Head Office: “The Factory”, 69 King Street, Perth, WA 6000. Perth Business Centre: Level 27, 44 St Georges Terrace, Perth, WA 6000. Brisbane Business Centre: Level 18, 123 Eagle Street, Brisbane, QLD, 4000. Sydney Business Centre: Level 12, 95 Pitt Street, Sydney NSW, 2000. Paris Business Centre: 4 rue Neuve de la Chardonnière, 75018, Paris, FRANCE. www.es2.com.au
  30. Additional Slides
  31. Common Myths About the Cloud. Myths: • On-premises is more secure • Data is used for mining (i.e., advertising) • It’s not compliant with industry regulations • Control of data in the cloud is lost. Office 365: • Built to provide a level of security that exceeds most customers on infrastructure and scale • The first to comply with ISO/IEC 27018. Prohibits use of PII for ads and marketing • Compliant with HIPAA, FISMA, MPAA etc. (industries and governments) • Designed for complete customer data control. • You own the data, MS manages it for you.
  32. Government Access to Cloud Data. Microsoft will not… • Provide any government with direct or unfettered access to customer data • Assist any government’s efforts to break cloud encryption • Provide any government with encryption keys • Engineer back doors into the cloud products (MS will take steps to ensure governments can independently verify this) • If governments are engaging in broader surveillance of communications, MS is not involved and it is taking steps to enhance the security of customer’s data. Microsoft will… • Disclose enterprise customer data only by a valid legal order and only for the data required • Publish a law enforcement request report every six months. Source: http://www.microsoft.com/about/corporatecitizenship/en-us/transparencyhub/ [Chart: Australia; categories: Disclosed content, Only subscriber/transactional data, No data found, Rejected; values shown: 20.8%, 7.84%, 71.36%]
  33. Security Innovation • Continuous investigation • Advanced tactics • “Penetration games” • World-class security experts
  34. Encryption at Rest and In-Transit • Data Loss Prevention • Search • Insights • Content analysis
  35. Controls Implemented After a Data Breach. [Bar chart comparing 2013, 2014 and 2015; categories: Use of encryption; Additional manual procedures and controls; Training and awareness programs; Strengthening perimeter controls; Identity and access management solutions; Other system control practices; Endpoint security solutions; Security intelligence solutions; Data loss prevention solutions; Security certification or audit]