The document discusses Cisco's incident response services and the importance of preparing for security incidents. It notes that while prevention is important, detection and quick response are also critical given that breaches will happen. It outlines Cisco's offerings for incident response including retainers, exercises, assessments, and proactive threat hunting. Threat hunting is described as a proactive search for intruders led by hypotheses rather than alerts. The document advocates using threat intelligence from multiple sources and evolving security programs and capabilities over different maturity levels.

1. Kaiyang Cai
Cisco Security Services BD Lead for APJC
15th March 2018
Strengthen Your Readiness and Response to Attacks
Cisco Incident Response Services

2. © 2017 Cisco and/or its affiliates. All rights reserved.
Digitization is disrupting every business model
Retail Automotive Music Television/Media
Hotel Print advertising Connected cars Connected aviation

3. © 2017 Cisco and/or its affiliates. All rights reserved.
Security is Fundamental to Digitization
2 in 5
Executives say privacy
and security restrict their
IoT investment
39%
“My organization halted a
mission-critical initiative
due to cybersecurity
concerns.”
71%
“Cybersecurity risks
and threats hinder
innovation in my organization.”
Innovations are moving forward,
but probably at 70%-80% of what they otherwise could if there were
better tools to deal with the dark cloud of cybersecurity threats.
Airline Industry CFO
“
”

4. © 2017 Cisco and/or its affiliates. All rights reserved.
What are the Odds?
Dating a Millionaire
1 out of 220
Experiencing a Data
Breach
1 out of 4
Getting Struck by
Lightning
1 out of 960,000

5. © 2017 Cisco and/or its affiliates. All rights reserved.
Slower Response = Greater Risk
66%
of breaches took
months or even
years to discover
60%
of breaches have
data exfiltrated in
first 24 hours
60,000
Number of alerts
hackers set off at
Global Retailer
184
Median number
of days advanced
attackers present
before detection
27
33%
Of organizations
discover
breaches through
their own
monitoring

6. © 2017 Cisco and/or its affiliates. All rights reserved.
You will get breached
Prevention is not a silver bullet
Detection is an absolute must
Speed to discovery and containment are critical
Intel isn’t just for spies anymore
Upfront Reality

7. © 2017 Cisco and/or its affiliates. All rights reserved.
Enhance
security
status with
regulators
Provides
protection
when its
needed most
Drives cross
architectural
and
organizational
integration
Quickly react
and respond
to security
incidents
Why Incident Response?
Every customer
should have
an Incident
Response
Plan
Open The Door

8. © 2017 Cisco and/or its affiliates. All rights reserved.
I need a plan for
when a data breach
occurs
IR Tabletop
Exercises
I want to know I
have a team
standing by
Incident Response
Retainers
In need help now
Emergency Incident
Response
I need to know what
is in my network
Proactive Threat
Hunting
I need to know if I
can respond
appropriately
IR Readiness
Assessments
Included in the IR Retainers
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Incident Response Services

9. © 2017 Cisco and/or its affiliates. All rights reserved.
Threat Hunting

10. © 2017 Cisco and/or its affiliates. All rights reserved.

11. © 2017 Cisco and/or its affiliates. All rights reserved.

12. © 2017 Cisco and/or its affiliates. All rights reserved.
Threat Detection
vs
Threat Hunting

13. © 2017 Cisco and/or its affiliates. All rights reserved.
Proactive vs reactive
Hunters go out and look for
intruders before alerts are
generated

14. © 2017 Cisco and/or its affiliates. All rights reserved.
Unlike an alert-driven investigation,
threat hunting is a proactive activity that
begins with a hypothesis to verify
(hypothesis-driven investigation).

15. © 2017 Cisco and/or its affiliates. All rights reserved.
Actionable Threat
Intelligence

16. © 2017 Cisco and/or its affiliates. All rights reserved.
• The idea is extending security awareness beyond the internal
network by consuming intelligence from other sources Internet-wide
related to possible threats to your organization.
• For example, you might come to know about a threat that has
impacted multiple organizations, and so you can proactively prepare
rather than react once the threat is seen against your network.
• Critical in delivering retrospective network visibility, where the latest
threat intelligence is applied to network history
Threat Intelligence

17. © 2017 Cisco and/or its affiliates. All rights reserved.
IR Evolution & Maturity
Maturity
Level
Ad-hoc Maturing Strategic
As Needed
Dedicated
Part-Time Full-Time SOC/IR+ Fusion
CMM Equivalent Initial Repeatable Defined Managed Optimized
Existing IR
Capabilities
People
• 0-1 • 1-3
• Specialization
• 2-5
• Formal roles
• ~10
• Shifts (possible
24x7)
• 15+
• Intel, SOC, and IR
Teams
Process
• Chaotic and relying
on individual
heroics; reactive
• General purpose
run-book
• Tribal knowledge
• Situational run
books; some
consistency
• Email-based
processes
• Requirements and
Workflows
documented as
standard business
process
• Some improvement
over time
• Process is
measured via
metrics
• Minimal Threat
Sharing
• Shift turnover
• SLAs
• Processes are
constantly improved
and optimized
• Broad Threat
sharing
• Hunt teams
Technology
• AV
• Firewalls
• IDS/IPS
• SIEM
• Sandboxing
• Continuous
Monitoring
• Endpoint Forensics
• Tactical Intelligence
• Malware Analysis
• Additional
Intelligence
• IT Operations
Integration
• Intel+IR Drives
Security Program
• Strategic
Intelligence
• Coordination with
Physical
Security/Intelligenc
e

18. © 2017 Cisco and/or its affiliates. All rights reserved.
• Prevention Will Fail. Invest in Intel & IR; it can be measured, evolved,
and simplified.
• Intel is more than a nice to have- it is a requirement
• Think beyond IT; Partnerships are critical to success. Educate and
form alliances in the business and externally (e.g. local Law
Enforcement office, competitors, colleges)
• Communicate findings back into other functions; Defense is a team
sport
• Reward your teams!
Final Thoughts