The document discusses the importance of incident response planning in the context of modern cybersecurity threats, highlighting key challenges organizations face, including malware evolution and compliance issues. It outlines effective strategies for improving organizational readiness, managing incidents, and mitigating risks by using comprehensive security solutions and training. The information is supported by industry insights and expert opinions, demonstrating the necessity for robust incident response plans in today's digital landscape.

1. 1
“Co3 makes the process of planning for a
nightmare scenario as painless as possible,
making it an Editors’ Choice.”
– PC Magazine, Editor’s Choice
“Co3…defines what software
packages for privacy look like.”
– Gartner
“Platform is comprehensive,
user friendly, and very well
designed.”
– Ponemon Institute
“One of the most important
startups in security…”
– Business Insider
“One of the hottest products at RSA…”
– Network World
“...an invaluable weapon when
responding to security incidents.”
– Government Computer News
“Co3 has done better than a home-run...
it has knocked one out of the park.”
– SC Magazine
“Most Innovative Security
Startup.”
– RSA Conference
We’ll get started
in just a minute.

2. Today's Breach Reality, The IR
Imperative, And What You Can
Do About It

3. 3
Agenda
Introductions
Problems We Face
The Targets
The Victims
The Motivations
Breach and Response Metrics
Key Concepts for Combating Modern Threats
The Incident Response Lifecycle

4. 4
Introductions: Today’s Speakers
• Ted Julian, Chief Marketing Officer, Co3 Systems
• Colby Clark, Director of Incident Management, FishNet
Security

5. 5
About Co3
Prepare
Improve Organizational
Readiness
• Appoint team members
• Fine tune response
SOPs
• Link in legacy
applications
• Run simulations (fire
drills, table tops)
Mitigate
Document Results
& Improve Performance
• Generate reports for
management, auditors,
and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
Assess
Identify and Evaluate Incidents
• Assign appropriate team
members
• Evaluate precursors and
indicators
• Track incidents, maintain logbook
• Automatically prioritize activities
based on criticality
• Log evidence
• Generate assessment
Manage
Contain, Eradicate and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment
strategy
• Isolate and remediate cause
• Instruct evidence gathering and
handling

6. 6
About FishNet
• 700+ employees dedicated to helping enterprise
customers secure every aspect of their IT environment.
96% Customer Satisfaction / Best-in-Class NPS Benchmark
• Established 1996
• 29 Offices
• 9 Training Centers
• 700+ Certifications
VITAL STATS
2013 HIGHLIGHTS
• $600M Revenue
• 3,200 Customers
• 1,500 Service Engagements

7. 7
About FishNet
• Our experts take the time to understand your business, so
they can develop, implement and support solutions
tailored to your environment.
SECURITY
SOLUTIONS
COMBINED
CAPABILITIES
DRIVE VALUE
PROFESSIONAL SERVICES
• 31 Strategic Services (StS)
Advisors
• 300+ Consultants
• 2 Security Operations Centers
• Frontline Support
• Network & Security Training
• 250+ Certifications
• Information Security Program
Model (ISPM)
TECHNOLOGY PRODUCTS
• 55 Sales Engineers (SE) &
Enterprise Architects (EA)
• 100+ Vendor Partnerships
• Direct Access to Vendor R&D
Teams & Advisory Panels
• Cloud-Based Testing Lab
• 450+ Certifications
• ADVISER Solutions Lifecycle

8. 8
Problems We Face
• Waves of malware attacks per industry with malware optimized for each wave
and software types
• Thousands of machines quickly infected in large environments
• Large numbers of ingress/egress points and unmanaged devices
• Polymorphism of malware per machine instead of per organization
circumventing most host and network based detection methods
• Multi-vector malware in layers creating distraction and chaos while allowing
unauthorized access, performing massive data exfiltration, and leading to
extortion and data loss:
-W32.Changeup Zeus Cryptolocker Data Loss
-Compromise of computer + phone for financial attacks
• Ransomware encrypting drives and shares
• Long term presence within organizations
• Reconnaissance for worse activity later

9. 9
Problems We Face
• Compromise of corporate environments to gain access to CDEs
• Sophisticated malware and botnets now in point of sale environments
• Memory resident
• Utilizes jump boxes
• Moves around
• Delayed detection of cardholder data compromise
• Obfuscation of collection
• Waiting until cards are about to expire before use
• Security devices not properly configured, tuned, and/or monitored
• Circumventing network detections through SSL and DGA
• Too much reliance on antiquated security solutions
• Attack vectors often not notable (low hanging fruit)
• Incident response programs and training not adequate

10. 10
Problems We Face
Bottom line - Security threats have evolved…

11. 11
Problems We Face
– Nobody is immune to compliance. But it’s more than just
checking a box.
• Everyone needs to be compliant
with a policy, regulation or legal
requirement: PCI Compliance,
HIPAA, GLBA, FTC, NERC,
FERC…
• Are you secure or just compliant?
• You can be completely compliant
and totally insecure.
• Promote compliance through
security. It does not come in a can
or clip board.

12. 12
Problems We Face
– The uncomfortable truth  Everyone is 0wn3d.
– How exposed are you to cyber criminals?
• You have been breached
whether you know it or not.
• Malware patiently waits in
nearly every environment
allowing clandestine command
and control, data harvesting,
and arbitrary code execution
• Hackers are like water in a
bucket. If there is a hole, they
will find it.
• Focus on solving the security
problem holistically.

13. POLL

14. 14
Who are the Targets and Why?
• Everyone is a target
– Government
– Large Corporations
– Small Companies
– Private Individuals
• Every target is of interest
– Defacement for bragging rights
– PII, IP, and identity theft
– Credential stealing
– Confidential data leakage
– Customer information
– Supply chain attacks
– Adding to their botnet
– Use your network and devices as jump points

15. 15
Victims
Recent Top News Clips – What Happened?
All were sued (Content Based on Public Knowledge):
• Zappos – Class action suit
• LinkedIn – $5M class action suit
• South Carolina - $12M settlement
• Global Payments – Class action suit
• Nationwide – Class action suit
• Wyndham – FTC Consent Order (really bad)
• Yahoo – Class action suit
• Target – Class action suit; DOJ
• Horizon Blue Cross – Class action suit
• Adobe – Class action suit
• Most recent large breaches – DOJ

16. 16
Motivations

17. 17
Motivations

18. 18
Motivations
• Ransomware becoming increasingly common
• Now in corporate environments and affecting hard drives and shares
• Highly lucrative; attacks win either way
• Disaster recovery strategy is back-up or pay-up

19. 19
Motivations

20. 20
Breach and Response Metrics & Facts
Financial Metrics (from Ponemon 2013 Cost of Data Breach Study):
• Average total cost of a breach: $5.4 Million
• Average per record cost for data breach: $192 (actual costs vary per organization type)
• Average per record cost reductions
– Having a strong security posture: $34
– Having an incident response plan in place: $42
– Appointing a CISO: $23
– Hiring consultants to respond to a breach: $13
Important Facts:
• Attackers infiltrate and maintain persistence for about 1 year on average before detection
• Antivirus is around 3-5% effective at detecting new threats
• Fran Rosch, Senior Vice President of Mobility at Symantec, testifies before congress that
signature-based detection methodology is ineffective
• Pentagon claimed that Chinese 2011 military spending equaled $180 billion with
sustained investment in cyberwarfare
• Hacking has resulted in the largest transfer of wealth in human history
– As of July 2013, Chinese hackers have cost the US about $2 Trillion
– How about others? – Russia? Middle East?

21. 21
What Does a Trillion Dollars Look Like?

22. 22
Key Concepts for Combatting Modern Threats
Endpoint Technology
• Corporate environments
• Behavioral analysis and retrospection
• Continuous monitoring
• Least prevalence detection
• Not limited to the security perimeter
• Application restrictions to know good behavior
• Scanning for IOCs
• Enterprise forensics
• Cardholder data environments
• Application whitelisting
• Application restrictions to know good behavior
• Change detection

23. 23
Key Concepts for Combatting Modern Threats
Network Monitoring & Restrictions
• Network traffic retrospection
• SSL decryption
• Network malware analysis
• DGA
• Tunneling
• Network traffic IOCs and anomalies
• 2 factor authentication for remote access
• Restrict egress from cardholder data environment to
processing only

24. 24
Key Concepts for Combatting Modern Threats
• Data Security – Cloud, Endpoint, Repository…
– DLP + DRM
• Lock down documents so it does not matter if they are stolen
• Utilize the cloud with out concern
• Reduced fear of IP theft
• Program Development
– Incident response gap analysis
– Policy and procedure development
– Incident handling playbook development
• Training & Testing
– Provide hands-on training for all technology, playbook scenarios, and threats
– Provide tabletop testing for realistic scenarios involving stakeholders
– Practice communications and methodology
• Incident Response Retainer
– Subject matter experts on call
– Augment internal capabilities
– Contracts agreed upon ahead of time
– Rapid response – 24 hour service level agreement

25. POLL

26. 26
The Incident Response Lifecycle
Prepare
Improve Organizational
Readiness
• Appoint team members
• Fine tune response
SOPs
• Link in legacy
applications
• Run simulations (fire
drills, table tops)
Mitigate
Document Results
& Improve Performance
• Generate reports for
management, auditors,
and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
Assess
Identify and Evaluate Incidents
• Assign appropriate team
members
• Evaluate precursors and
indicators
• Track incidents, maintain logbook
• Automatically prioritize activities
based on criticality
• Log evidence
• Generate assessment
Manage
Contain, Eradicate and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment
strategy
• Isolate and remediate cause
• Instruct evidence gathering and
handling

27. 27
Prepare
• Incident response teams often include:
– IT, Legal (internal and/or external),
Compliance, Audit, Privacy, Marketing, HR,
Senior Executive
– Pre-define roles and responsibilities
• RACI (Responsible, Accountable,
Consulted, Informed)
• SOPs can include:
– Processes to be followed by incident type
– Standardized interpretation of legal /
regulatory requirements
– 3rd party contractual requirements
• Simulations
– Can range from drills to full-scale exercises
– Communications is key
• Roles, contact info, internal and external
– Gauge organization preparedness, catalyze
improvement
Prepare
Improve Organizational
Readiness
• Appoint team members
• Fine tune response
SOPs
• Link in legacy
applications
• Run simulations (fire
drills, table tops)

28. 28
Assess
• Prioritize efforts
– Based on value of asset, potential
for customer impact, risk of fines,
and other risks
• Leverage threat intelligence
• Incident declaration matrix
– Based on category and severity
level
– Can set SLAs for each
Assess
Identify and Evaluate
Incidents
• Assign appropriate team
members
• Evaluate precursors and
indicators
• Track incidents, maintain
logbook
• Automatically prioritize
activities based on
criticality
• Log evidence
• Generate assessment

29. 29
Manage
• Iterate on your plan
• Communicate status
– Different mechanisms for different
constituents
• Ensure everything is tracked
Manage
Contain, Eradicate and
Recover
• Generate real-time IR
plan
• Coordinate team
response
• Choose appropriate
containment strategy
• Isolate and remediate
cause
• Instruct evidence
gathering and handling

30. 30
Mitigate
• Conduct a post-mortem
– Validate investment or lobby for
more
– Identify areas for improvement
• Did we hit our SLAs?
– Update playbooks
• Track incident source
– pinpoint risk to drive improvement,
and/or trigger bill-back
• Update preventative and
detective controls
Mitigate
Document Results
& Improve Performance
• Generate reports for
management, auditors,
and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical
performance
• Educate the organization

31. QUESTIONS

32. 32
Next Up
• BlackHat 2014
– August 5-7, Las Vegas

33. One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a
nightmare scenario as painless as possible,
making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“Co3…defines what software packages for
privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and
very well designed.”
PONEMON INSTITUTE
“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013
Colby Clark
Director of Incident Management
FishNet Security
Colby.clark@fishnetsecurity.com
208.553.3266