Cyber security lecture for university students, following and expanding on a previously delivered presentation on Enterprise Security Incident Management. More in-depth, with a focus on the security incident lifecycle.
10 Steps to Building an Effective Vulnerability Management Program (BeyondTrust)
You can tune in for the full webinar recording here: https://www.beyondtrust.com/resources/webinar/10-steps-to-building-an-effective-vulnerability-management-program/
In this presentation from the webinar by cyber security expert Derek A. Smith, hear a step-by-step overview of how to build an effective vulnerability management program. Whether your network consists of just a few connected computers or thousands of servers distributed around the world, this presentation discusses ten actionable steps you can apply, whether to bolster your existing vulnerability management program or to build one from scratch.
Planning and Deploying an Effective Vulnerability Management Program (Sasha Nunke)
This presentation covers the essential components of a successful Vulnerability Management program that allows you to proactively identify risk and protect your network and critical business assets.
Key take-aways:
* Integrating the 3 critical factors - people, processes & technology
* Saving time and money via automated tools
* Anticipating and overcoming common Vulnerability Management roadblocks
* Meeting security regulations and compliance requirements with Vulnerability Management
Vulnerability Management: What You Need to Know to Prioritize Risk (AlienVault)
Abstract:
While vulnerability assessments are an essential part of understanding your risk profile, it's simply not realistic to expect to eliminate all vulnerabilities from your environment. So, when your scan produces a long list of vulnerabilities, how do you prioritize which ones to remediate first? By data criticality? CVSS score? Asset value? Patch availability? Without understanding the context of the vulnerable systems on your network, you may waste time checking things off the list without really improving security.
Join AlienVault for this session to learn:
* The pros & cons of different types of vulnerability scans - passive, active, authenticated, unauthenticated
* Vulnerability scores and how to interpret them
* Best practices for prioritizing vulnerability remediation
* How threat intelligence can help you pinpoint the vulnerabilities that matter most
Enterprise Vulnerability Management: Back to Basics (Damon Small)
Vulnerability Management is the lifecycle of identifying and remediating vulnerabilities in an organization's enterprise. A number of companies are starting to do this well, but in some cases, focus on advanced and emerging threats has had the unintended consequence of leaving Vulnerability Management unattended. Defense is actually hard work and people aren't doing it as well as they should! Considered in the context of asymmetric warfare, Blue Teaming is more difficult than Red Teaming. Coupled with the fact that most vulnerabilities do not actually suffer from advanced attacks and 0-days, Vulnerability Management must be the cornerstone of any Information Assurance Program.
The speakers, Kevin Dunn and Damon Small, will describe the key elements of a mature Vulnerability Management Program (VMP) and the pitfalls encountered by many organizations as they try to implement it. Dunn and Small will include detailed examples of why purchasing the scanner should be one of the last decisions made in this process, and what the attendee must do to ensure the successful defense of company assets and data. This session will cover:
- Vulnerability Management: What is it good for?
- What is it not good for?
- How do I make a real difference?
Is Your Vulnerability Management Program Irrelevant? (Skybox Security)
In this webcast, Scott Crawford from Enterprise Management Associates and Michelle Johnson Cobb of Skybox Security will discuss how to:
Link vulnerability discovery, risk-based prioritization, and remediation activities to effectively mitigate risks before exploitation.
Build a remediation strategy that addresses ‘unpatchable’ systems
Minimize change management headaches by anticipating unintended impacts due to system and application interdependencies.
Use metrics and key performance indicators (KPI’s) like remediation latency to track effectiveness of the vulnerability management program.
Is Your Vulnerability Management Program Keeping Pace With Risks? (Skybox Security)
To effectively reduce the risks of cyber attacks, comply with continuous monitoring requirements, and provide visibility to executives, organizations need to manage their vulnerabilities and associated risks continuously. This is required in order to match or exceed the daily rate of attacks.
Why bother to assess your risks every 90 days when new threats are unleashed every day?
See how you can:
• Transform vulnerability discovery from a ‘round robin’ schedule to continuous monitoring for vulnerabilities
• Prioritize vulnerabilities based on exploitability and potential business impact
• Focus remediation efforts and track progress to show a measurable reduction of risk
• Make vulnerability management an essential part of daily change management processes
These slides will include case studies, survey data, and best practices – ideal for IT security practitioners who are considering, or already implementing, next-generation vulnerability management to effectively and measurably mitigate risk.
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha... (Brian Andrzejewski)
Security Operation Centers (SOCs) are the front line for incident detection, response, and escalation for organizations. Few security teams evaluate whether their SOC's tools, techniques and procedures (TTPs) deliver the expected SOC response, and even fewer do so on live networks with their CISO's approval.
This HOWTO talk for security teams will cover a crawl/walk/run approach to building and executing live-fire incidents that target your SOC's TTP abilities to detect, respond, and escalate. Techniques, lessons learned, and war stories will be discussed, including how to select your exercises, determine expected outcomes, measure results, coordinate CISO sign-off, and report lessons learned to improve your SOC's TTP response.
BSidesCharm 2018 video at:
https://www.youtube.com/watch?v=tXwHr4sycew
Enterprise Class Vulnerability Management Like A Boss (rbrockway)
A fluid and effective Vulnerability Management Framework, a core pillar in most Enterprise Security Architectures (ESA), remains a continual challenge to most organizations. Ask any of the major breach targets of the past several years. This talk takes the recent OWASP Application Security Verification Standard (ASVS) 2014 framework and applies it to Enterprise Vulnerability Management in an attempt to make a clearly complicated yet necessary part of your organization's ESA much more manageable, effective and efficient with feasible recommendations based on your business' needs.
Preparing for future attacks. Solution Brief: Implementing the right securit... (Symantec)
Recent malware incidents have shown how costly and damaging cyber attacks can be.
The Stuxnet worm is believed to have significantly affected Iranian nuclear processing, and was widely considered to be the first operational cyber weapon [1]. Shamoon was able to compromise and incapacitate 30,000 workstations within an oil producing organisation [2]. Another targeted malware attack against a public corporation resulted in the company declaring a $66 million loss relating to the attack [3]. Such attacks may not necessarily be successful, but when attackers do find their way inside an organisation's systems, a swift, well-prepared response can quickly minimise damage and restore systems before significant harm can be caused.
In order to prepare such a response, organisations must understand how attacks can progress, develop a counteractive strategy, decide who will carry out which actions and then practise and refine the plan.
SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera... (AlienVault)
As cyber attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. Event monitoring and correlation technologies and security operations are often tied to incident handling responsibilities, but the number of attack variations is staggering, and many organizations are struggling to develop incident detection and response processes that work for different situations.
In this webcast, we'll outline the most common types of events and indicators of compromise (IOCs) that naturally feed intelligent correlation rules, and walk through a number of different incident types based on these. We'll also outline the differences in response strategies that make the most sense depending on what types of incidents may be occurring. By building a smarter incident response playbook, you'll be better equipped to detect and respond more effectively in a number of scenarios.
This is a presentation discussing recommendations for a secure connection between a remote data center and a primary data center; taking into account user connectivity and end-user security awareness training.
SOC presentation - Building a Security Operations Center (Michael Nickle)
Presentation I used to give on the topic of using a SIM/SIEM to unify the information stream flowing into the SOC. This piece of collateral was used to help close the largest SIEM deal (Product and services) that my employer achieved with this product line.
A Buyer's Guide to Investing in Endpoint Detection and Response for Enterprise... (Kaspersky)
A key business goal of any organization is to maintain the constant availability of data and systems that can be trusted for decision-making purposes. The evolving threat landscape has resulted in increasing focus, right to board level, on cybersecurity. IT operational and security teams should demonstrate a comprehensive, cohesive approach in their response to security incidents and data breaches.
Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013 SIEM based … (Andris Soroka)
World's #1 SIEM technology in GRC (Governance, Risk, Compliance). QRadar Risk Manager provides organizations with a pre-exploit solution that allows network security professionals to assess what risks exist during and after an attack, while also answering many "What if?" questions ahead of time, which can greatly improve operational efficiency and reduce network security risks.
knowthyself: Internal IT Security in SA (SensePost)
Presentation by Charl van der Walt and Roelof Temmingh at IIR in 2000.
The presentation begins with a discussion on global risks, threats, internal risk and security assessments. Steps to building a strong security culture within an organization are discussed. The presentation ends with a brief overview of intrusion detection systems and their use in internal security.
This slide deck highlights the continued growth and evolution of Core Security Technologies and helps introduce an entirely new product for enterprise security testing andmeasurement - CORE INSIGHT Enterprise.
What CIOs Need To Tell Their Boards About Cyber Security (Karyl Scott)
Companies are under increasing risks of breaches, theft of intellectual property and erosion of customer trust. CIOs and CISOs need to be able to explain to executive management what's being done to shore up their company's security strategy and defenses.
This document explains the need for information security for all organizations and also the standards to be followed for doing the same. It also gives vendor selection criteria for selecting a consultancy firm for information security. It gives guidelines as to how to stop ethical hacking of your web application, be it any critical data from getting hacked, scripts being run, without the knowledge of the owner.
2. PwC
Agenda
90 minutes together ahead
Topics
Security incident in the enterprise context
Frameworks and methodology
Lifecycle of the security incident
Future challenges & evolution
Rules of the game
Mutual respect
There are no stupid questions – ask!
Petr Špiřík (PwC EMEA CSIRT Lead)
12+ years of professional experience
Network security & SOC background
Former PwC CEE CISO
Major interests
• Incident response
• Cyber threat intelligence
• Active defense
• Cyber security education
3. PwC
Key Terms
Leveling the field
Process capabilities
Procedures, protocols & methodology
Communication & escalation paths
Decision making
Technical capabilities
Architecture (AV, FW, IPS)
Detection (SIEM, IDS)
Response & Triage tools
Alert vs Incident vs Breach
Suspicion vs Assurance vs Damage
False positives & negatives
Risk appetite & sensitivity
Operations vs Security incident
Means, motive & opportunity
Different objectives
Intentional vs accidental
4. PwC
Security Incident
What is this, anyway?
Operations incident
Network is down (power outage)
Computer freezes (misconfiguration)
Data is lost (corrupt backups)
Objectives
Become operational ASAP
Return back to normal
ITIL based
Security incident
Network is DDoSed
Environment is compromised
Data is exfiltrated
Objectives
Stop the bleeding
Understand the threat (Potential impact)
Competing interests (Business, CSIRT, Threat Intelligence)
5. PwC
Enterprise Aspect
Difference between SMB & Enterprise
Scalability & Complexity
30 minutes per machine is great …
… if you don’t have 10 000 machines
Manpower is the limiting factor
Automation is the way to go
Standards are necessary
Documentation is vital
Processes & governance enable enterprise incident management
Speed of the enterprise
It is a business decision to turn off the server…
… but who is the business owner?
Complexity is not only technical
Global vs. local
Cost of action vs. cost of inaction
Interaction with Risk management
Enterprise has the agility of an iceberg and the consensus of a group of cats
6. PwC
Cost of Security
How secure do you want to be?
Enterprise wants to …
Make profit!
Do business
Be agile
Not be blocked by security
Enterprise wants to be as secure as possible for as little cost as possible
Learn to answer the tough question in an educated way
Security wants to …
Spend resources
Limit access & operations
Have formal procedures & standards
Have control
Security in enterprise is always a cost, never profit
Learn to make a business case & accept the business decisions
7. PwC
Standards & Frameworks
Making our lives easier
NIST (800-61)
US-centric
800-X family
Detailed, ready to use
No formal certification
ISO (27001:2013)
EU-centric
High level
Process oriented
Certifiable by independent body
Adoption
Do not invent the wheel
Cost-benefit analysis
Multiple standards implementation
Scope is critical
Customization
Understand your own enterprise
Pick wisely
Involve business
Make sure you understand the framework
9. PwC
Preparation
Technical
Enterprise
Architecture (segmentation, access control)
Hardening (scans, patches, configuration)
Logging & reporting
Visibility & control
Segregation of duties
Ticketing & knowledge management system
Take control over your environment first, before you try to fight the incidents
Security team
Logging & monitoring capabilities
Tools for incident response
Forensic/Malware lab (nice to have)
Secured area
Control over key chokepoints
Skilled team
Time invested in the preparation phase will save you during the incident
10. PwC
Preparation
Process
Enterprise
Contact with other functions (IT, business, Risk management, PR & Communication)
Change management
Incident management in wider sense
Crisis management
Awareness & education
Leadership buy-in
Not only you, but your whole enterprise needs to act accordingly
Security team
Reporting an incident – identify inputs & tracking tools interaction
Communication plan
Ownership & governance
Policies & procedures
Templates
Incident response plans
Time invested in the preparation phase will save you during the incident
11. PwC
Detection
Technical
Logging
Continuous activity
Ingestion of logs from identified sources
Storage only (compliance)
Necessary first step
No output!
Reporting
Regular & automated
Defined KPIs & metrics
Strong for spotting trends and anomalies
Good for predicting future issues
Easy quick win – good cost:benefit ratio
Output is a static report, consumed by the security team or leadership
Monitoring / Alerting
Real time
Defined use cases to monitor (as opposed to “everything”)
Threshold based, complex rules, function of time
Sensitivity is a critical factor (False positives)
Output is dynamic alerting via console, SMS, emails to analysts
12. PwC
Detection
Process
Enterprise
End users
“My computer behaves in a strange way.”
Human resources
“We fired this guy and we suspect he might try to damage the company.”
Administrators
“This is not how my domain controller is supposed to respond.”
3rd parties (Clients, law enforcement, public)
Security team
Eyes on the glass
“How many analysts do I assign to security monitoring?”
Threat hunting
“I always assume compromise. And in such a case – what evidence would give the attacker away?”
Investigation result
“This computer was not only infected by commodity malware! There is more!”
13. PwC
Analysis
Triage
Is it a security incident?
Analyst driven, never 100% certain
If it is an incident, is it also a breach?
Who initiates the incident response?
What to do in uncertainty?
This is a Yes or No question
What can be automated should be automated, as an absolute priority.
Is it major?
Major or crisis management needed
Human well-being, company existence at risk
Wider, cross-functional IR team needed
Different rules, protocols – but also prepared
Potential links to Business Continuity
Major incidents are more sensitive to process management than to technical response.
14. PwC
Analysis
Preparation for response
Information gathering
Even negative information has value
Systems checked and artifacts gathered
Focus on actionable evidence
Narrowing scope is critical – the final judgement does not need to happen now
This is going into incident response. Time is definitely a factor. The whole enterprise is waiting to crush you.
Audit trail
Timestamps and non-repudiation
Documentation for legal consequences
Knowledge management
Project/team management in case of scale explosion
If you are moving too fast to document your actions – you are moving too fast.
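The audit trail requirement above (timestamps, non-repudiation, documentation that survives legal scrutiny), as an added example that is not part of the PwC deck: a hash-chained action log in Python, where editing, reordering or deleting an entry breaks verification from that point on. The key handling, field names and sample actions are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = b"\x00" * 32  # constructed starting digest for the chain


class AuditTrail:
    """Append-only record of IR actions. Each entry carries a timestamp and an
    HMAC over (previous entry's MAC + this entry's fields).
    A shared-key MAC gives tamper evidence; non-repudiation toward a third
    party would additionally need per-analyst digital signatures over the
    same chain (assumed out of scope here)."""

    def __init__(self, key: bytes):
        self._key = key  # assumed to be held by the IR lead, not by every analyst
        self.records = []
        self._last = GENESIS

    def _mac(self, prev: bytes, payload: bytes) -> str:
        return hmac.new(self._key, prev + payload, hashlib.sha256).hexdigest()

    @staticmethod
    def _payload(entry: dict) -> bytes:
        # Canonical serialisation of everything except the MAC itself.
        body = {k: v for k, v in entry.items() if k != "mac"}
        return json.dumps(body, sort_keys=True).encode()

    def record(self, analyst: str, action: str, target: str, ts: str = None) -> dict:
        """Append one action; `ts` defaults to the current UTC time (ISO 8601)."""
        entry = {
            "seq": len(self.records),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "analyst": analyst,
            "action": action,
            "target": target,
        }
        entry["mac"] = self._mac(self._last, self._payload(entry))
        self._last = bytes.fromhex(entry["mac"])
        self.records.append(entry)
        return entry

    def verify(self):
        """Recompute the whole chain. Returns (True, None) or (False, seq)
        where seq is the first entry that no longer checks out."""
        prev = GENESIS
        for i, entry in enumerate(self.records):
            if entry.get("seq") != i:
                return False, i  # an entry was removed or reordered
            expected = self._mac(prev, self._payload(entry))
            if not hmac.compare_digest(expected, entry.get("mac", "")):
                return False, i  # contents changed after the fact
            prev = bytes.fromhex(entry["mac"])
        return True, None


def demo_trail() -> AuditTrail:
    """Constructed sample: three containment actions with fixed timestamps."""
    trail = AuditTrail(key=b"constructed-demo-key")
    trail.record("analyst1", "isolate_host", "host1", "2024-05-01T09:05:00+00:00")
    trail.record("analyst1", "disable_account", "root@host1", "2024-05-01T09:07:00+00:00")
    trail.record("analyst2", "block_source", "203.0.113.5", "2024-05-01T09:09:00+00:00")
    return trail


if __name__ == "__main__":
    t = demo_trail()
    print("intact:", t.verify())
    t.records[1]["action"] = "reimage_host"  # after-the-fact edit
    print("edited:", t.verify())
```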
15. PwC
Containment
Stop the bleeding!
Stopping the attack
Primary objective is to stop further damage
Isolation & service reduction
Time is the critical factor
Involve business stakeholders
Follow the procedures
During containment phase, the primary imperative is to stop the attack from getting worse …
Intelligence gathering
Preserve the chain of custody
Watch & learn
Look for additional compromise
Know your enemy
Take notes
… however, you also want to learn as much as you can without alerting the attacker or giving him what he wants
16. PwC
Containment
Deeper dive
Disconnect the network!
Not always the best idea, not always applicable
Is the incident an insider? An APT? An external breach? A malware outbreak? A phishing campaign?
Prepared scenarios to the rescue
Isolate the incident in its domain (physical, network, human resources)
Factor in the time & scale
Focus on breach escalation prevention
Initial containment varies from shutting down the system to doing nothing
Major incidents
Communication plan
Governance of the IR team
Regular updates & reassessments
Project plan to remediate
Don’t expect this will be over soon
Scale and complexity are your enemies
In a major incident scenario, you are most likely already in damage control mode
17. PwC
Eradication
Remove all artifacts
Clean the compromised assets
Remove all entry points
Restore clean data from backups
Patch the vulnerabilities
Close the attacker’s way in
This is the latest stage at which the attacker learns you are after him. In military terms, you are “operating in a contested environment”.
Project management
To know what to do is not that important
To carry out the plan is
Multiple team coordination
Shared responsibilities
Timelines & change windows
In an enterprise environment, the project manager can make or break the outcome. Cooperation & execution are key.
18. PwC
Recovery
Back to production
Business wants to get back operational ASAP
Incident needs to be declared over
All compromised assets are clean
Partial recovery for large scale incidents
It is a business decision to get back online. Make sure this decision is informed!
Continuous monitoring
Attackers do not give up easily
Be prepared for counter-attacks
Set up temporary, more sensitive alerting
Go back to analysis if needed
The attacker spent resources to get in. They will try to reclaim what they once had.
Did you really eradicate every artifact?
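An added example for the “temporary, more sensitive alerting” point above (not code from the lecture): a failed-login rule that applies a stricter threshold to hosts on a post-recovery watchlist, with the stricter rule expiring automatically so the baseline returns after the watch period. The log format, thresholds, host names and watch duration are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Added example, not from the lecture: heightened alerting for assets that
# just came back from an incident. Hosts on the watchlist get a lower
# failed-login threshold for a limited time; afterwards the baseline applies.
BASELINE_THRESHOLD = 10      # failed logins per host per hour (assumption)
WATCHLIST_THRESHOLD = 3      # stricter rule for recently recovered hosts (assumption)
WATCH_DURATION = timedelta(days=14)
WINDOW = timedelta(hours=1)

def threshold_for(host, watchlist, now):
    """Watchlist entries expire; fall back to the baseline afterwards."""
    recovered_at = watchlist.get(host)
    if recovered_at is not None and now - recovered_at < WATCH_DURATION:
        return WATCHLIST_THRESHOLD
    return BASELINE_THRESHOLD

def parse(line):
    # Constructed log format: "<ISO8601 timestamp> <host> <user> <ok|fail>"
    ts, host, user, result = line.split()
    return datetime.fromisoformat(ts), host, user, result

def evaluate(lines, watchlist, now):
    """Return {host: failure_count} for hosts that cross their own threshold."""
    failures = defaultdict(int)
    for line in lines:
        ts, host, _user, result = parse(line)
        if result == "fail" and timedelta(0) <= now - ts <= WINDOW:
            failures[host] += 1
    return {h: n for h, n in failures.items()
            if n >= threshold_for(h, watchlist, now)}

# Constructed sample: WS-042 was rebuilt yesterday (still on watch), OLD-01
# was recovered a month ago (watch expired), SRV-01 was never compromised.
NOW = datetime(2017, 6, 1, 12, 0, tzinfo=timezone.utc)
WATCHLIST = {"WS-042": NOW - timedelta(days=1), "OLD-01": NOW - timedelta(days=30)}
SAMPLE = [
    "2017-06-01T11:40:00+00:00 WS-042 svc_backup fail",
    "2017-06-01T11:41:00+00:00 WS-042 svc_backup fail",
    "2017-06-01T11:42:00+00:00 WS-042 svc_backup fail",
    "2017-06-01T11:45:00+00:00 SRV-01 jdoe fail",
    "2017-06-01T11:46:00+00:00 SRV-01 jdoe fail",
    "2017-06-01T11:47:00+00:00 SRV-01 jdoe fail",
    "2017-06-01T11:50:00+00:00 OLD-01 admin fail",
    "2017-06-01T11:51:00+00:00 OLD-01 admin fail",
    "2017-06-01T11:52:00+00:00 OLD-01 admin fail",
]

if __name__ == "__main__":
    print(evaluate(SAMPLE, WATCHLIST, NOW))   # {'WS-042': 3}
```

Only the freshly recovered host fires at three failures; the same activity on a normal host or on a host whose watch period has lapsed stays below the baseline.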
19. PwC
Post-Incident Activity
Immediate & short term
Harden the environment
Cooperate with IT
Follow the change management
Use the knowledge you gained
Plug all the holes
Every incident is an opportunity to improve
Improve your detection systems!
It is no shame to fall victim to an attack. It IS a shame to fall victim to the same attack repeatedly.
Metrics & KPIs
How do you measure success?
Is the number of incidents a good metric?
What is not measured does not exist
Metrics & KPIs are a double-edged sword
Useful vs. useless metrics
Long term, well established KPI monitoring will improve your security posture
Good metrics can motivate the team and give you access to the resources needed. Bad ones will put you into an uphill battle.
20. PwC
Post-Incident Activity
Knowledge management
Lessons learned
Debriefing after an incident
All parties involved
Review procedures & templates
Plan for changes for the future
Blame is lame
The objective of post-incident activity is to improve for the future, not to find a scapegoat.
Active defense
Profile the attackers
Profile your organization
Assume compromise
Hunt for the adversaries
Set up traps for the future
Every incident is a lesson – the result is your threat intelligence
21. PwC
Enterprise Maturity
Don’t try to run if you can’t walk
COBIT maturity levels
Level 1 – Initial
Level 2 – Repeatable
Level 3 – Defined
Level 4 – Managed
Level 5 – Optimized
Be honest with yourself. Work up through the stack, one step at a time. Do not go for shortcuts. It does not work.
Expectation management
New buzzword every year
Applicability to your organization
Effect of diminishing returns
Build on a solid foundation
Going step by step is cost effective
Do not set up an incident response team if you don’t know your own infrastructure. Do not buy threat intelligence if you cannot consume it.
22. PwC
Future Challenges
I got it! What’s next?
Hunting
Assume compromise
Set up your hunter team
Let them loose
A special mindset is required.
Clear boundaries need to be set!
Threat intelligence
Know your enemy
Share the information
Profile your organization
Automate & automate
It is not the threat intel, but how you apply it.
Build your own threat intelligence!
Active defense
Sinkholing & tarpitting
Active reconfiguration
Profile the attackers
Dynamic environment
Focus on your own environment.
Be sure to stay on the legal side!
23. PwC
Summary
Thank you!
Questions & answers
Ask your questions now…
… or reach out to me after
Thank you all!
Contacts
petr.spirik@gmail.com
petr.spirik@cz.pwc.com
NIST Security (look for 800-61)
csrc.nist.gov
This presentation
https://www.slideshare.net/zapp0/enterprise-incident-response-2017