Is your organization ready to respond to an incident? More specifically, do you have the people, process, and technology in place that is required to cope with today's threats?
This webinar will provide practical steps on how to assess your organization's risks, threats, and current capabilities through a methodical and proven approach. From there, it will detail the people, process, and technology considerations when standing up or revitalizing an incident response (IR) program.
Specifically, it will cover the four pillars of a modern IR function:
- Identify what must be protected
- Scope potential breach impact to the organization
- Define IR management capabilities
- Determine likely threats and their potential impact
Our featured speakers for this webinar will be:
- Ted Julian, Chief Marketing Officer, Co3 Systems
- Richard White, Solutions Principal, HP
1. How To Build An Incident Response Function
2. Introductions: Today’s Speakers
• Ted Julian, Chief Marketing Officer, Co3 Systems
• Richard White, MBA CISSP CHP/CHSS, Solutions Principal, HP Security Intelligence and Operational Consulting
3. Agenda
• The Four Pillars of an Incident Response function:
– Pillar 1: Identifying Critical Assets and Risks
– Pillar 2: Scope the potential impact to the organization
– Pillar 3: Understand your capabilities
– Pillar 4: Know your threats and prepare
• Questions
4. About Co3’s Incident Response Management System
PREPARE – Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (fire drills / table tops)
ASSESS – Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries
MANAGE – Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence
MITIGATE – Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
5. Security Intelligence & Operations Consulting
ESP Services
Founded: 2007
Experience:
• 30+ SOC Builds
• 90+ SOC Assessments
• 30+ SIOC Consultants worldwide
Solution Approach:
• People, Process, & Technology
Accelerated Success:
• Mature Project Methodology
• Best Practices
• Extensive Intellectual Capital
Purpose:
Ensure our customers are successful with ESP products by providing the right People, building the right Processes and delivering effective Technology.
6. HP’s industry-leading scale
• 10 out of 10 top telecoms
• 9 out of 10 major banks
• 9 out of 10 top software companies
• All major branches, US Department of Defense
• 5000+ HP security professionals
• 2.3 billion monthly security events
• 47m HP secured user accounts
• 8 Global Security Operations Centers
• 900+ HP managed security customers
8. Pillar 1: Identifying Critical Assets and Risks
Create an Asset and Threat Inventory
• Asset Inventory – what are you trying to protect (people, processes, physical, data)
• Threat Inventory – what are the threats (Cyber, Weather, Infrastructure, etc.)

Asset | Description | Owner | Category | BU | Date | Vendor | Qty | Value | Model No. | Serial No.
Marketing database | Marketing database, customer list | Bob Ratchet | Data | ME Dept. | 4/17/14 | Oracle | 1 | $25,000 | |
Web Server | Linux server, Apache web server | Debbie Thompson | Hardware/Software/Data | Operations | 9/3/14 | Multiple | 4 | $1,200,000 | |

Name | Host Name | IP Address | MAC Address | Static Addressing | Category URI
WMServer1 | WMServer1 | 10.100.4.128 | 00:AE:FE:01:08 | 10.100.4.128 | /All Asset Categories/Prod
WMServer2 | WMServer2 | 10.100.4.130 | 01:AF:CB:02:09 | 10.100.4.130 | /All Asset Categories/Prod
WMServer3 | WMServer3 | 10.100.4.127 | 00:AE:FE:01:08 | 10.100.4.127 | /All Asset Categories/Prod
WMServer4 | WMServer4 | 10.100.4.125 | 01:AF:CB:02:11 | 10.100.4.125 | /All Asset Categories/Prod
WMServer10 | WMServer10 | 10.100.4.121 | 00:AE:FE:01:00 | 10.100.4.121 | /All Asset Categories/Prod
DBServer3 | DBServer3 | 10.101.4.99 | 01:AF:CB:02:21 | 10.101.4.99 | /All Asset Categories/Prod
9. Pillar 1: Identifying Critical Assets and Risks
• Identify the assets at a high level and work down
– What is critical?
– What is its value if lost?
• Replacement cost, additional staffing, resource expenses, manual processing costs.
• Lost revenue.
– What are the dependencies and interdependencies?
• Impact to people?
• How will processes be affected in other areas?
10. Pillar 1: Identifying Critical Assets and Risks
• Get the business partners involved in the data collection process
– What is mission critical?
– Where is critical or sensitive information stored or processed?
– What locations are mission critical or high value?
– Assess the impact on the organization’s critical functions, operations, and customers.
• Collect the information: questionnaires, interviews, workshops
11. Pillar 1: Identifying Critical Assets and Risks
Threats
• Fire
• Flood
• Cyber Attacks
• Insider Fraud
• Failed Backup
• HVAC Failure
• Hurricane
• Terrorism
• Data Theft
• PII Disclosure
• Power Failure
• Phishing Attack
• Loss of Key Staff
• Virus Outbreak
• Pandemic
• Lawsuits
12. Risk Distribution
Threat | No.
Fire | R01
Flood | R02
Cyber Attacks | R03
Insider Fraud | R04
Failed Backup | R05
Virus Outbreak | R06
HVAC Failure | R07
Data Theft | R08
PII Disclosure | R09
Power Failure | R10
Phishing Attack | R11
Loss of Key Staff | R12
[Figure: risk distribution matrix – threats R01–R12 plotted on a 3×3 likelihood/impact grid whose cells carry the values 01, 05, 10, 25, 50 and 100 and the ratings Low, Medium-Low, High-Low, Low-Medium, Medium, High-Medium, Low-High, Medium-High and High]
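The matrix above is a product of a three-point likelihood score and a three-point impact score. The Python below is an added illustration, not part of the original deck: it scores the R01–R12 register on that scale, prints the slide's cell label, and also lists every high-impact threat regardless of likelihood. The likelihood and impact assigned to each threat are constructed for the example; the slide does not state them.

```python
# Scores from the slide's risk matrix: likelihood and impact are each rated
# 1, 5 or 10 and the cell value is their product (01, 05, 10, 25, 50, 100).
SCALE = {"low": 1, "medium": 5, "high": 10}

# Cell labels as printed on the slide, keyed by (impact, likelihood).
LABELS = {
    ("low", "low"): "Low",           ("medium", "low"): "Medium-Low",
    ("high", "low"): "High-Low",     ("low", "medium"): "Low-Medium",
    ("medium", "medium"): "Medium",  ("high", "medium"): "High-Medium",
    ("low", "high"): "Low-High",     ("medium", "high"): "Medium-High",
    ("high", "high"): "High",
}

def score(impact, likelihood):
    """Return (numeric score, matrix cell label) for one threat."""
    return SCALE[impact] * SCALE[likelihood], LABELS[(impact, likelihood)]

# Threat register R01-R12 from the slide. The impact and likelihood values
# are constructed for illustration; the slide does not list them.
REGISTER = {
    "R01": ("Fire", "high", "low"),
    "R02": ("Flood", "medium", "low"),
    "R03": ("Cyber Attacks", "high", "high"),
    "R04": ("Insider Fraud", "high", "medium"),
    "R05": ("Failed Backup", "medium", "medium"),
    "R06": ("Virus Outbreak", "medium", "high"),
    "R07": ("HVAC Failure", "low", "medium"),
    "R08": ("Data Theft", "high", "medium"),
    "R09": ("PII Disclosure", "high", "medium"),
    "R10": ("Power Failure", "medium", "medium"),
    "R11": ("Phishing Attack", "medium", "high"),
    "R12": ("Loss of Key Staff", "low", "low"),
}

def rank_register(register):
    """Rows of (id, name, score, label), highest score first; ties keep register order."""
    rows = [(rid, name, *score(impact, lik))
            for rid, (name, impact, lik) in register.items()]
    return sorted(rows, key=lambda r: -r[2])

def high_impact(register):
    """Ids rated high impact whatever their likelihood: these still need a
    response procedure even when the matrix places them in an unlikely cell."""
    return [rid for rid, (_, impact, _) in register.items() if impact == "high"]

if __name__ == "__main__":
    for rid, name, s, label in rank_register(REGISTER):
        print(f"{rid} {name:<18} {s:>3}  {label}")
```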
15. Pillar 2: Scope the Potential Impact to the Organization
Priority | Asset/Business Process | Recovery Time Objective (RTO) | Maximum Tolerable Downtime (MTD) | Recovery Point Objective (RPO)
1 | Point of Sale | 15 minutes | 30 minutes | 4 hours
2 | Email | 12 hours | 48 hours | 24 hours
2 | Employee payroll | 48 hours | 96 hours | 12 hours

Point of Sale
Priority | Severe | Moderate | Minimal
 | Loss of revenue, overtime costs, loss of customer loyalty, data loss | Some revenue loss, overtime costs, customer annoyance | Loss of revenue
Loss of revenue | Greater than 300k per hour | 100-150k per hour | <25k per hour
 | 3% | 22% | 60%
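A business impact table like the one above is only useful if it is internally consistent: a process cannot have an RTO longer than its MTD, and a priority-1 process should not tolerate more downtime than a priority-2 one. The Python below is an added example, not code from the deck or from Co3 or HP: it encodes the slide's three rows, checks those two constraints, derives a restore order, and maps an hourly loss onto the slide's Severe / Moderate / Minimal bands. The hourly loss figures attached to each row are constructed; the slide gives bands, not per-process numbers.

```python
from dataclasses import dataclass

MINUTE, HOUR = 1, 60  # all durations are kept in minutes

@dataclass(frozen=True)
class BusinessProcess:
    priority: int
    name: str
    rto: int            # Recovery Time Objective, minutes
    mtd: int            # Maximum Tolerable Downtime, minutes
    rpo: int            # Recovery Point Objective, minutes of acceptable data loss
    loss_per_hour: int  # estimated revenue loss per hour of outage, dollars

# Rows from the slide's table; the hourly loss figures are constructed for
# illustration and are not stated on the slide.
BIA = [
    BusinessProcess(1, "Point of Sale", 15 * MINUTE, 30 * MINUTE, 4 * HOUR, 350_000),
    BusinessProcess(2, "Email", 12 * HOUR, 48 * HOUR, 24 * HOUR, 20_000),
    BusinessProcess(2, "Employee payroll", 48 * HOUR, 96 * HOUR, 12 * HOUR, 120_000),
]

def severity(loss_per_hour):
    """Map an hourly loss to the slide's Severe / Moderate / Minimal bands.
    The slide's bands leave gaps (25k-100k and 150k-300k); a value in a gap is
    reported as unclassified rather than silently rounded into a band."""
    if loss_per_hour > 300_000:
        return "Severe"
    if 100_000 <= loss_per_hour <= 150_000:
        return "Moderate"
    if loss_per_hour < 25_000:
        return "Minimal"
    return "Unclassified"

def validate(rows):
    """Return findings about the table; an empty list means it is consistent."""
    findings = []
    for p in rows:
        if p.rto > p.mtd:  # recovery must complete before the business can no longer survive
            findings.append(f"{p.name}: RTO {p.rto} min exceeds MTD {p.mtd} min")
    ordered = sorted(rows, key=lambda p: p.priority)
    for a, b in zip(ordered, ordered[1:]):
        if a.priority < b.priority and a.mtd > b.mtd:  # priority and tolerance disagree
            findings.append(f"{a.name} is priority {a.priority} but tolerates more downtime than {b.name}")
    return findings

def recovery_order(rows):
    """Names in restore order: by priority, then by the shortest MTD."""
    return [p.name for p in sorted(rows, key=lambda p: (p.priority, p.mtd))]
```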
16. Pillar 2: Scope the Potential Impact to the Organization
Understand what has a negative impact on the business
• Loss of data.
• Reputation.
• Legal requirements.
• What’s the cost of a severe, moderate or minimal incident?
• How long can we be down and survive?
• Who will be impacted the most?
18. Pillar 3: Understand Your Capabilities
An IR function consists of People, Processes and Technology.
The team must consist of individuals with the appropriate skills and experience for incident response. The effectiveness of the team depends on the technical skills and critical thinking abilities of its members.
Create an incident response policy. The incident response policy is the foundation of the incident response function. As an important first step, it defines what is considered an incident, establishes the organizational structure for incident response, defines roles and responsibilities and defines the reporting requirements.
Identify the security technology defenses, logging and detection tools, forensics tools, system monitoring and communication platforms.
19. Pillar 3: Understand Your Capabilities
Team Roles
• Executive Sponsor – Incident Response Owner, accountable for the IR function. Typically an officer of the company or the CISO.
• Incident Commander – Leads the team: activates the team, trains the team, and maintains communication with stakeholders.
• Subject Matter Experts – Individuals with expertise, system access, training and experience in responding to incidents.
20. Pillar 3: Understand Your Capabilities
Who is on the team?
• Ensure that all members and their management understand their roles and responsibilities.
• Education and training are critical.
• Have a well-defined mission statement.
• Identify other groups within and outside the organization that may need to participate in incident handling.
• Identify third parties that may be needed for expertise that is not normally available.
21. Pillar 3: Understand Your Capabilities
Processes
• Incident response policy.
• Incident response plan based on the incident response policy
• Develop incident response procedures based on all threats not just based
on likelihood.
• Communication plan – the company directory is not adequate
• Disaster recovery planning
22. Pillar 3: Understand Your Capabilities
Technological capabilities
• Work with the SMEs
• IDS/IPS
• SIEM
• AV/Malware
• FIPS/FIDS
• Monitoring tools
• OS/Application logs
• Network tools/logs
• Network Flows
• Vulnerability scanners
• Forensic tools
• Encryption tools
• Database
• Research tools
25. Pillar 4: Know Your Threats and Prepare
When asked why he robbed banks, Willie Sutton said “Because that is where all the money is…”
26. Pillar 4: Know Your Threats and Prepare
• What would an attacker gain by attacking you?
– Monetary
– Political
– Prestige
– Data
– Control of infrastructure
– Etc.
• What kind of attacker would attack you?
– Insider threat/Disgruntled employee
– State sponsored
– Hacktivist
– Hacker
• Malicious vs. non-malicious threats
27. Pillar 4: Know Your Threats and Prepare
• Drills
• Desktop exercises
• Functional exercises
• Full-scale exercises
[Figure: incident response lifecycle – Preparation, Detection and Analysis, Containment, Eradication, Recovery]
The exercise scenarios are designed to simulate technical, operational, communication and/or strategic responses to incidents with a view to reviewing and refining current capabilities.
28. Pillar 4: Know Your Threats and Prepare
• Overall goals
– Examine information sharing
– Assess decision making
– Evaluate roles and responsibilities within the organization
• Multi-group participation allows us to
– Understand incident management across multiple departments and
entities
– Evaluate threat information sharing among the whole community
– Understand roles and responsibilities
– Test and evaluate Incident Response coordination
29. Resources
• Cyber Incident Response: Are business leaders ready?
http://www.arbornetworks.com/news-and-events/press-releases/recent-press-releases/5160-economist-intelligence-unit-and-arbor-networks-research-show-83-percent-of-businesses-are-not-fully-prepared-for-an-online-security-incident
• NIST Computer Security Incident Handling Guide
http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
• State of Security Operations – HP
https://ssl.www8.hp.com/ww/en/secure/pdf/4aa5-0501enw.pdf
• 5 stages of defense: Understanding the kill chain
http://h30458.www3.hp.com/us/us/discover-performance/security-leaders/2013/jul/5-stages-of-defense--understanding-the-kill-chain_1307229.html
31. Upcoming Co3 Events
• “Encryption: Who, What, When, Where, and Why It's Not a Panacea”
– Webinar with Morrison Foerster: October 2, 2014, 1-2 pm
– https://www4.gotomeeting.com/register/525395863
• Cyber IP Expo, London, UK: October 8-9, 2014
32. One Alewife Center, Suite 450, Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” – PC MAGAZINE, EDITORS’ CHOICE
“One of the hottest products at RSA…” – NETWORK WORLD, FEBRUARY 2013
“Co3…defines what software packages for privacy look like.” – GARTNER
“Platform is comprehensive, user friendly, and very well designed.” – PONEMON INSTITUTE
Richard White, MBA CISSP CHP/CHSS
Principal, Security Intelligence and Operations
Richard.paul.white@hp.com
Editor's Notes
Adapted from the standard Emergency Response Process of: Prepare, Respond, Recover, Mitigate
HP Security footprint
8 Global security operations centers
500 security professionals
Car Example
Business process flows examples to find the critical processes
Email example: IT vs. business
Valuation examples
5 dollar Horse and Plow example
It’s OK that they are subjective
Not all threats are malicious – network engineer says ooopps
People want to associate a value to justify the expenses
Start with your history to see what incidents have happened in the past
Well defined mission statement example
A good Incident Response Plan defines:
Roles and responsibilities
Description, goals and objectives
Process for determining/declaring an incident
Definition of different incident types and severity criteria
Process flows from beginning to recovery
Communication plans internally and externally
Chain of command for each Incident Type
Accidental – ooops example
Expect the unexpected
Update plans often