WEBINAR
Slide 3 
Agenda 
• Introductions 
• Who Are We 
• Latest & Greatest Features 
– Threat Intelligence 
– SIEM Integrations 
– Easy Customization 
– Preview: Custom Action Framework 
• Questions
Slide 4 
Introductions 
• Ted Julian, Chief Marketing Officer, Co3 Systems 
• Tim Armstrong, Incident Response Specialist, Co3 Systems
Slide 5 
About Co3 – Incident Response Management 
MITIGATE: Document Results & Improve Performance 
• Generate reports for management, auditors, and authorities 
• Conduct post-mortem 
• Update SOPs 
• Track evidence 
• Evaluate historical performance 
• Educate the organization 
ASSESS: Identify and Evaluate Incidents 
• Assign appropriate team members 
• Evaluate precursors and indicators 
• Correlate threat intelligence 
• Track incidents, maintain logbook 
• Prioritize activities based on criticality 
• Generate assessment summaries 
PREPARE: Improve Organizational Readiness 
• Appoint team members 
• Fine-tune response SOPs 
• Escalate from existing systems 
• Run simulations (fire drills / table tops) 
MANAGE: Contain, Eradicate, and Recover 
• Generate real-time IR plan 
• Coordinate team response 
• Choose appropriate containment strategy 
• Isolate and remediate cause 
• Instruct evidence gathering and handling 
• Log evidence
Slide 6 
Co3 IRMS (architecture diagram; labels recovered from the slide) 
Inputs: automated escalation, web form, trouble ticketing, entry wizard, SIEM, email 
Incident response plan: instant creation & streamlined collaboration (HR, IT, Legal/Compliance, Marketing) 
Plan synthesis: contractual requirements, community best practices, industry standard frameworks, organizational SOPs, global privacy breach regulations 
Plan enrichment: process, malware sample, IP, DNS name, name, address 
Dashboards and reporting: auditor dashboard, team utilization, incident timeline / status, CSO dashboard, incidents by type over time 
Accelerated mitigation: Custom Action Framework
Slide 8 
Integrated Threat Intelligence 
New Threat Intelligence Feeds: 
• VirusTotal 
• WHOIS 
• GeoIP 
Slide 9 
Integrated Threat Intelligence 
VirusTotal 
• Provides results from 55 anti-virus engines 
• Uses a VirusTotal API key to retrieve results 
• Can even upload files 
Slide 10 
Integrated Threat Intelligence 
GeoIP 
• Resolves an IP address to latitude and longitude 
• Plots it on a Google map 
Slide 11 
Integrated Threat Intelligence 
WHOIS Lookups 
• Detailed insights into all kinds of servers 
POLL
Slide 14 
SIEM Integration 
• Manual and Automatic Incident Escalation 
• Threat Artifact submission 
• Bidirectional communication 
• Supports HP ArcSight, IBM Security QRadar, and many others
Slide 16 
Easy Customization 
• Simple interface 
• Drag and drop, button-based interaction 
• Numerous areas of the UI 
• No programming / coding required
Slide 17 
Custom Fields 
• Any number of fields 
• Supports drop-downs, text, multi-selects, and more 
• Can be used for alerting, sorting, reporting
Slide 18 
Custom Workflows 
• Create a library of response plans quickly 
• SOP for any number of response teams 
• Operationalize static plans 
• Report on their success, SLAs, etc.
Slide 19 
Conditional sections 
• Collect only the relevant details for each incident type 
• Ask the right questions 
• Make fields required on open, required on close, or optional 
• Create templates
POLL
SNEAK PREVIEW
Slide 22 
Connecting people, process, and technology for times of crisis 
Custom Action Framework: gather information and execute response plan tasks. 
(Repeats the Co3 IRMS architecture diagram from slide 6, with the Custom Action Framework highlighted under Accelerated Mitigation.)
Slide 23 
CAF Use Cases 
Pull all employee details (name, dept, role, etc.) 
• Trigger: adding a username artifact 
• Action: query the directory for details, store the results in the artifact description 
Kick off automatic Splunk / SIEM searches 
• Trigger: new host/IP IOCs 
• Action: Splunk/SIEM API search request 
Automatic malware sandboxing 
• Trigger: adding a new malware artifact / PE file artifact 
• Action: sends the malware to an internal sandbox, returns a URL to the results 
Have we ever seen this hash before on our systems? 
• Trigger: adding a new hash artifact 
• Action: queries our internal application whitelisting logs, returns the list of machines that have also executed this file or seen this hash
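As an added illustration, not Co3's CAF code, here are two of the use cases above ("pull all employee details" and "have we ever seen this hash before") written as trigger/action functions wired to a minimal artifact dispatcher. The registration decorator, the key=value whitelisting log format, the directory records and every host name and hash value are constructed for this example.

```python
# Hypothetical trigger/action dispatcher in the spirit of the CAF use cases.
# Not Co3's API: decorator, log format and all sample data are constructed here.
from collections import defaultdict
from typing import Callable

# Constructed application-whitelisting log lines (key=value, no spaces in paths).
WHITELIST_LOG = """\
host=ws-101 event=executed sha256=aa11 path=C:\\tmp\\invoice.exe
host=ws-102 event=blocked  sha256=bb22 path=C:\\tmp\\setup.exe
host=ws-103 event=executed sha256=aa11 path=C:\\Users\\j\\dl\\invoice.exe
host=srv-07 event=seen     sha256=aa11 path=D:\\share\\invoice.exe
"""

# Constructed directory records, a stand-in for an LDAP/AD query.
DIRECTORY = {"jsmith": {"name": "J. Smith", "dept": "Finance", "role": "Analyst"}}

# artifact kind -> actions to run when an artifact of that kind is added
ACTIONS: dict[str, list[Callable[[str], object]]] = defaultdict(list)

def on_artifact(kind: str):
    """Register a function as the action for the trigger 'artifact of kind added'."""
    def register(fn):
        ACTIONS[kind].append(fn)
        return fn
    return register

def parse_log(text: str) -> list[dict[str, str]]:
    """Parse key=value whitelisting log lines into one dict per line."""
    return [dict(f.split("=", 1) for f in line.split())
            for line in text.splitlines() if line.strip()]

@on_artifact("hash")
def hash_history(value: str, log: str = WHITELIST_LOG) -> dict[str, str]:
    """'Have we seen this hash before?': host -> event for every host that
    executed, blocked or merely saw the file (hash compared case-insensitively)."""
    return {r["host"]: r["event"] for r in parse_log(log)
            if r["sha256"] == value.lower()}

@on_artifact("username")
def employee_details(value: str) -> dict[str, str]:
    """'Pull all employee details': directory lookup stored on the artifact."""
    return DIRECTORY.get(value, {"error": "user not found in directory"})

def add_artifact(kind: str, value: str) -> dict[str, object]:
    """Simulate adding an artifact: run every action registered for its kind and
    return the results keyed by action name (the 'artifact description')."""
    return {fn.__name__: fn(value) for fn in ACTIONS.get(kind, [])}

if __name__ == "__main__":
    print(add_artifact("hash", "AA11"))       # hosts that ran or saw the file
    print(add_artifact("username", "jsmith"))
```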
Slide 25 
Upcoming Co3 Events 
• How The Grinch Stole Black Friday: Co3's 2014 Annual Review & Predictions, December 18, 2014, 1 pm EST
Slide 26 
One Alewife Center, Suite 450, Cambridge, MA 02140 
PHONE 617.206.3900 
WWW.CO3SYS.COM 
“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” – PC MAGAZINE, EDITOR’S CHOICE 
“One of the hottest products at RSA…” – NETWORK WORLD, FEBRUARY 2013 
“Co3…defines what software packages for privacy look like.” – GARTNER 
“Platform is comprehensive, user friendly, and very well designed.” – PONEMON INSTITUTE
Slide 27 
“Co3 makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” – PC Magazine, Editor’s Choice 
Most Innovative Product 
“One of the most important startups in security…” – Business Insider 
“Platform is comprehensive, user friendly, and very well designed.” – Ponemon Institute 
“One of the hottest products at RSA…” – Network World 
“...an invaluable weapon when responding to security incidents.” – Government Computer News 
“Co3 has done better than a home-run... it has knocked one out of the park.” – SC Magazine

By Popular Demand: Co3's Latest and Greatest Features

Editor's Notes

  • #6 Adapted from the standard Emergency Response Process of: Prepare, Respond, Recover, Mitigate
  • #7 “Let’s take a look at how each of the components work…”
  • #13 Poll options: Very / Somewhat / Don’t know / Not so much
  • #21 Poll options: Crucial to our success / Important, but not a top requirement / Not critical today, but it will be later / Not important
  • #23 “Let’s take a look at how each of the components work…”