Incident Response: How to Prepare
June 11, 2014
AGENDA
• Intro
• Process Fundamentals
• Technical Fundamentals
• Staying Evergreen
• Leadership Challenges
Introductions
• Ted Julian, CMO – Co3 Systems
• Sean Mason, Global Incident Response Leader – CSC
Sean A. Mason (@SeanAMason): career timeline slide (’96–’14). Roles: agile web developer; security analyst; senior IT auditor; software development manager; supply chain developer; IR leader; info sec team lead; Director, IR; Executive IR Leader. Certifications: PMP, CISA, CISSP, CISM, ISSMP, CSSLP. Education: BS MIS, McKendree University; USAF technical school; MBA, Webster University; NMDC & AIMC (GE Crotonville); CCFP.
END-TO-END IR: BEFORE, DURING, AND AFTER
Prepare: Improve Organizational Readiness
• Appoint team members
• Fine tune response SOPs
• Link in legacy applications
• Run simulations (fire drills, table tops)
Assess: Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Track incidents, maintain logbook
• Automatically prioritize activities based on criticality
• Log evidence
• Generate assessment
Manage: Contain, Eradicate and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
Mitigate: Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
Recent incidents highlight exposure to top brands
Leadership Challenges
LEADERSHIP
• Credibility
• Trust
• Rapport
• Consistency
Process Fundamentals
IR EVOLUTION
END-TO-END IR: BEFORE, DURING, AND AFTER
Detect
• SIEM
• AV/HIPS
• Proxy
• ATD
• DLP
• Etc…
Contain & Collect
• Contain Host(s)
• Reset Password(s)
• Acquire Evidence
Analyze
• Movement
• Methods
• Accounts
• Actors
• Timelines
Remediate
• Rebuild Host(s)
• Reset Password(s)
• Countermeasures
• Lessons Learned
Intel
DOCUMENTATION — “A plan doesn’t need to be a single document anymore.”
• Wiki or other platform
• Flexibility
• Track changes
• “Open” access
PEOPLE
• Who is needed for wing-to-wing IR? (think outside security)
• Who is on-call and when? (consider holidays)
• Pre-built DLs (distribution lists) for e-mails and info
• Think through the basics: phones, chat rooms, conference lines, and remote access
Name Role Phone #
Ray Incident Coordinator 555-2368
Danny Incident Coordinator 555-0840
Kate Network Team 606-0842
Jenny AD Team 867-5309
Alicia CISO 489-4608
Mike Incident Response 330-281-8004
Emily CIO 212-664-7665
Philip Legal Counsel 818-775-3993
Ramona Public Relations 212-664-7665
Business Leaders?
Law Enforcement?
• Clear expectations for returning phone calls
RACI
• Who does what? (think outside security)
• Set expectations
• Helps define process
INCIDENT SEVERITIES — “Not all incidents are created equal.”
• Define an incident severity model: one common lexicon
Impact-ranked model:
Rating | Impact | Description
Breach 1 | 1 | Intruder has exfiltrated sensitive data or is suspected of exfiltrating sensitive data based on volume, etc.
Breach 2 | 2 | Intruder has exfiltrated nonsensitive data or data that will facilitate access to sensitive data
Breach 3 | 3 | Intruder has established command and control channel from asset with ready access to sensitive data
Cat 1 | 4 | Intruder has compromised asset with ready access to sensitive data
Cat 2 | 5 | Intruder has compromised asset with access to sensitive data but requires privilege escalation
Cat 3 | 6 | Intruder is attempting to exploit asset with access to sensitive data
Cat 6 | 7 | Intruder is conducting reconnaissance against asset with access to sensitive data
Vuln 1 | 8 | Intruder must apply little effort to compromise asset and exfiltrate sensitive data
Vuln 2 | 9 | Intruder must apply moderate effort to compromise asset and exfiltrate sensitive data
Vuln 3 | 10 | Intruder must apply substantial effort to compromise asset and exfiltrate sensitive data
Simplified model:
Rating | Description | Response/Containment
Severity 0 | Intruder has exfiltrated sensitive data or is currently inside network. DDOS that has impacted availability. Malware outbreak. | 1 hour
Severity 1 | Indicators show that an intruder is attempting to gain a foothold or has attained an initial foothold on the network. DDOS that has the potential to impact availability. Malware causing disruption. | 4 hours
Severity 2 | Compromised machine (General Malware) | 72 hours
• Simplified & flexible
• Focus more on capability
INTERNAL COMMUNICATION — “Incidents are not an opportunity to compartmentalize information.”
• Communicate broadly, engage others
• Communication template, rhythm and formats
• Mobile technology and speed of information
Incident Severity | Comm Rhythm | Audience
Grave (KC7) | Within 1hr: conf. call; 2x daily: conf. call; COB daily: e-mail | COO, CSO, CIO, General Counsel, Director of PR, CISO, Director of IR, Chief Security Architect
Significant (KC6) | Within 1hr: e-mail; COB daily: e-mail | CISO, Director of IR, Chief Security Architect
Benign (KC1-5) | As needed or upon escalation | Director of IR, Security Manager
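As an added example (not code from the webinar deck, Co3 or CSC), the simplified severity model and the Kill-Chain-keyed communication tiers above can be encoded so that an incident coordinator gets the containment deadline, the first-notification deadline and the audience computed from the incident record instead of remembered under pressure. The response targets (1 h / 4 h / 72 h), the KC7/KC6/KC1-5 tiers and the audiences are the slide's; `Incident`, `triage`, `parse_ts`, the SLA status labels and the sample incidents are assumptions made for the illustration.

```python
"""Triage helper encoding the deck's simplified severity model and comm tiers.
Illustrative code, not from the webinar deck or from Co3/CSC.  Response targets,
tier names and audiences come from the slides; everything else is assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Simplified severity model (from the slide): rating -> response/containment target.
RESPONSE_TARGET = {
    0: timedelta(hours=1),   # exfil confirmed / intruder inside / DDoS hitting availability / outbreak
    1: timedelta(hours=4),   # foothold attempted or attained / DDoS threatening availability
    2: timedelta(hours=72),  # single compromised machine, general malware
}


@dataclass(frozen=True)
class CommTier:
    name: str
    first_contact: Optional[timedelta]  # deadline for the first touch; None = "as needed"
    first_channel: str
    audience: Tuple[str, ...]


# Communication tiers keyed off the Kill Chain phase (slide's comm-rhythm table).
GRAVE = CommTier("Grave", timedelta(hours=1), "Conf. Call",
                 ("COO", "CSO", "CIO", "General Counsel", "Director of PR",
                  "CISO", "Director of IR", "Chief Security Architect"))
SIGNIFICANT = CommTier("Significant", timedelta(hours=1), "E-mail",
                       ("CISO", "Director of IR", "Chief Security Architect"))
BENIGN = CommTier("Benign", None, "As needed / upon escalation",
                  ("Director of IR", "Security Manager"))


def comm_tier_for_phase(kc_phase: int) -> CommTier:
    """KC7 -> Grave, KC6 -> Significant, KC1-5 -> Benign, as on the slide."""
    if not 1 <= kc_phase <= 7:
        raise ValueError(f"kill chain phase must be 1..7, got {kc_phase}")
    if kc_phase == 7:
        return GRAVE
    if kc_phase == 6:
        return SIGNIFICANT
    return BENIGN


def parse_ts(s: str) -> datetime:
    """Timestamps in the status template are written as 'YYYY-MM-DD HH:MM' (assumed)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


@dataclass
class Incident:
    ident: str
    severity: int           # 0, 1 or 2 per the simplified model
    kc_phase: int           # current Kill Chain phase, 1..7
    detected_at: datetime
    contained_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        if self.severity not in RESPONSE_TARGET:
            raise ValueError(f"unknown severity {self.severity}")
        comm_tier_for_phase(self.kc_phase)  # validates the phase early


def containment_deadline(inc: Incident) -> datetime:
    return inc.detected_at + RESPONSE_TARGET[inc.severity]


def sla_status(inc: Incident, now: datetime) -> str:
    """'met' if contained by the target, 'missed' if the target passed without
    containment (or containment came late), otherwise 'open'."""
    deadline = containment_deadline(inc)
    if inc.contained_at is not None:
        return "met" if inc.contained_at <= deadline else "missed"
    return "missed" if now > deadline else "open"


def first_notification_deadline(inc: Incident) -> Optional[datetime]:
    tier = comm_tier_for_phase(inc.kc_phase)
    return None if tier.first_contact is None else inc.detected_at + tier.first_contact


def triage(inc: Incident, now: datetime) -> dict:
    """One record a coordinator can drop into the status-update template."""
    tier = comm_tier_for_phase(inc.kc_phase)
    return {
        "incident": inc.ident,
        "severity": inc.severity,
        "comm_tier": tier.name,
        "first_channel": tier.first_channel,
        "notify": list(tier.audience),
        "first_contact_by": first_notification_deadline(inc),
        "contain_by": containment_deadline(inc),
        "sla": sla_status(inc, now),
    }


if __name__ == "__main__":
    # Constructed sample: C2 beacon (KC6) seen at 10:00, rated Severity 1, not yet contained.
    sample = Incident("INC-0001", severity=1, kc_phase=6, detected_at=parse_ts("2014-06-11 10:00"))
    for key, value in triage(sample, parse_ts("2014-06-11 12:30")).items():
        print(f"{key}: {value}")
```

The two tables stay separate in code on purpose: the deck gives no mapping between the Severity 0/1/2 ratings and the Kill Chain phases, so the record carries both and a coordinator sets each explicitly.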
COMMUNICATIONS — “‘I don’t know’ is a valid answer, but qualify it with actions.”
Kill Chain Phase: If your org uses the KC, this gives a quick look at where the current incident stands.
Business(es) & Location(s) Impacted: If your org has different locations or business units, this helps narrow the impact.
Summary: Executive-level summary, no longer than a paragraph, on the current status.
Impact: Current actual business impact (exfil? servers down?).
Next Update: 06-11-2014 1600 EST
Incident Status: More details on what is currently happening during the incident.
Intelligence & Attribution Summary: If your org has an intelligence group, its details go here.
Host Status: Deeper details on affected accounts or hosts.
Action Items:
Note: Updated information is shaded in green and completed actions are struck through.
Action | Status | Owner | Est. Comp
Assemble Response Team | Complete | J. Smith | 11 Jun 1200 EST
Review Network Architecture Diagrams | Complete | S. Johnson | 11 Jun 1600 EST
Review Configuration Settings | In Progress | S. Johnson | 13 Jun 1200 EST
Establish secure FTP site | In Progress | S. Johnson | 13 Jun 1600 EST
Collect forensic evidence | Pending | R. White | TBD
EXTERNAL COMMUNICATIONS
• “Think Twitter” & the speed of information
• Have approved templates ready to go
• External, internal, and business partners
• Test and ensure you can actually identify all parties
• Establish “easy-to-sign” NDAs for use in the event of cross-business (x-biz) incidents
Poll: How long ago was your Incident Response plan and related information updated?
Technical Fundamentals
CONTAINMENT — “Containment is arguably the most critical decision in IR”
• Who can access the compromised devices?
• When do you contain?
• Who makes the containment call?
• What method(s) will you use?
• How will you track down the devices?
HOST & NETWORK FORENSIC ANALYSIS
• Where are the logs? Do you aggregate logs?
• Does the team have access to the compromised logs & devices?
• Preserve forensic evidence
• Who is properly trained to do the forensics? Do they have tools?
Tool shown: Volatility (memory forensics framework)
Poll: Do your Incident Responders have immediate access to logs and devices?
Staying Evergreen
RECURRING TESTING – “You shouldn’t be inventing process during a crisis.”
• Paper Test – Ensure all documentation, templates, etc. are properly updated.
• Table Top Exercise – Verbally walk through a number of different IR scenarios.
• Simulated Incident – A more invasive test that leverages a Red Team to simulate an attack (or utilizes existing malware samples). Allows a more comprehensive test of the IRT, including forensic work.
• Blind Test – Similar to simulation testing, but leadership coordinates the attack unbeknownst to the IRT.
ENVIRONMENTAL CHANGES
• Architecture
• People
• Attacks/TTPs
• Infrastructure
• Regulations (HIPAA, PCI-DSS, DFARS)
POST INCIDENT REVIEW
• DURING the incident: carve out cycles
• Carve out a process ahead of time
• Dissect every step of the attack
• Learn from others/external incidents
OUTSIDE OF IR…
• Leverage the team for other hot issues such as:
  • Heartbleed
  • Insider cases
  • Counterfeit gear
  • Software piracy
  • Acquisition evaluations
  • Etc…
Poll: Does your organization test your entire Incident Response plan on an ongoing basis?
FINAL THOUGHTS!
• Ensure everything is auditable
• Build in a contingency budget
• Education ahead of time
• Establish a relationship with your local FBI office
• Think beyond IT: form allies in the business
• Don’t forget metrics
• Reward your Incident Responders after the battle
Co3 Systems
One Alewife Center, Suite 450, Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“We’re doing IR in one-tenth of the time.” – DIRECTOR OF SECURITY & RISK, USA FUNDS
“It’s the best purchase we ever made.” – CSO, F500 HEALTHCARE PROVIDER
“One of the hottest products at RSA…” – NETWORK WORLD
“Co3 has done better than a home-run... it has knocked one out of the park.” – SC MAGAZINE
Sean Mason, Executive Incident Response Leader
smason33@csc.com
702-498-6615
@SeanAMason
www.csc.com/cybersecurity/IR

 
The Patriot Act and Cloud Security - Busting the European FUD
The Patriot Act and Cloud Security - Busting the European FUDThe Patriot Act and Cloud Security - Busting the European FUD
The Patriot Act and Cloud Security - Busting the European FUDResilient Systems
 
Incident Response: Security's Special Teams
Incident Response: Security's Special TeamsIncident Response: Security's Special Teams
Incident Response: Security's Special TeamsResilient Systems
 
SEC Cybersecurity Disclosure Guidelines
SEC Cybersecurity Disclosure GuidelinesSEC Cybersecurity Disclosure Guidelines
SEC Cybersecurity Disclosure GuidelinesResilient Systems
 
Looking Forward - Regulators and Data Incidents
Looking Forward - Regulators and Data IncidentsLooking Forward - Regulators and Data Incidents
Looking Forward - Regulators and Data IncidentsResilient Systems
 

More from Resilient Systems (20)

Are We Breached How to Effectively Assess and Manage Incidents
Are We Breached How to Effectively Assess and Manage Incidents Are We Breached How to Effectively Assess and Manage Incidents
Are We Breached How to Effectively Assess and Manage Incidents
 
Ready or Not, Here They Come Preparing For Phase 2 HIPAA Compliance Audits
Ready or Not, Here They Come Preparing For Phase 2 HIPAA Compliance Audits Ready or Not, Here They Come Preparing For Phase 2 HIPAA Compliance Audits
Ready or Not, Here They Come Preparing For Phase 2 HIPAA Compliance Audits
 
Encryption: Who, What, When, Where, and Why It's Not a Panacea
Encryption: Who, What, When, Where, and Why It's Not a PanaceaEncryption: Who, What, When, Where, and Why It's Not a Panacea
Encryption: Who, What, When, Where, and Why It's Not a Panacea
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About It
 
EU Cyber Attacks And The Incident Response Imperative
EU Cyber Attacks And The Incident Response ImperativeEU Cyber Attacks And The Incident Response Imperative
EU Cyber Attacks And The Incident Response Imperative
 
The Target Breach - Follow The Money EU
The Target Breach - Follow The Money EUThe Target Breach - Follow The Money EU
The Target Breach - Follow The Money EU
 
5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response Plan5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response Plan
 
How To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceHow To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat Intelligence
 
New CISO - The First 90 Days
New CISO - The First 90 DaysNew CISO - The First 90 Days
New CISO - The First 90 Days
 
How To Stop Target-Like Breaches In Their Tracks
How To Stop Target-Like Breaches In Their TracksHow To Stop Target-Like Breaches In Their Tracks
How To Stop Target-Like Breaches In Their Tracks
 
The Target Breach – Follow The Money
The Target Breach – Follow The MoneyThe Target Breach – Follow The Money
The Target Breach – Follow The Money
 
A Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 PredictionsA Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 Predictions
 
Treat a Breach Like a Customer, Not a Compliance Issue
Treat a Breach Like a Customer, Not a Compliance IssueTreat a Breach Like a Customer, Not a Compliance Issue
Treat a Breach Like a Customer, Not a Compliance Issue
 
You're Breached: Information Risk Analysis for Today's Threat Landscape
You're Breached: Information Risk Analysis for Today's Threat LandscapeYou're Breached: Information Risk Analysis for Today's Threat Landscape
You're Breached: Information Risk Analysis for Today's Threat Landscape
 
How To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceHow To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat Intelligence
 
Deeper Security, Broader Privacy - how firms use the latest Co3 features to a...
Deeper Security, Broader Privacy - how firms use the latest Co3 features to a...Deeper Security, Broader Privacy - how firms use the latest Co3 features to a...
Deeper Security, Broader Privacy - how firms use the latest Co3 features to a...
 
The Patriot Act and Cloud Security - Busting the European FUD
The Patriot Act and Cloud Security - Busting the European FUDThe Patriot Act and Cloud Security - Busting the European FUD
The Patriot Act and Cloud Security - Busting the European FUD
 
Incident Response: Security's Special Teams
Incident Response: Security's Special TeamsIncident Response: Security's Special Teams
Incident Response: Security's Special Teams
 
SEC Cybersecurity Disclosure Guidelines
SEC Cybersecurity Disclosure GuidelinesSEC Cybersecurity Disclosure Guidelines
SEC Cybersecurity Disclosure Guidelines
 
Looking Forward - Regulators and Data Incidents
Looking Forward - Regulators and Data IncidentsLooking Forward - Regulators and Data Incidents
Looking Forward - Regulators and Data Incidents
 

Recently uploaded

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 

Recently uploaded (20)

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 

Incident Response: How To Prepare

  • 1. Incident Response: How to Prepare (June 11, 2014)
  • 3. Introductions
    • Ted Julian, CMO – Co3 Systems
    • Sean Mason, Global Incident Response Leader – CSC
  • 4. Sean A. Mason (@SeanAMason) career timeline slide
    • Roles: Supply Chain Developer, Agile Web Developer, Sec Analyst, Sr. IT Auditor, SW Dev Manager, Info Sec Team Lead, IR Leader, Director IR, Exec IR Leader
    • Timeline: ’96-’00, ’01-’03, ’04-’06, ‘07, ’08-’10, ‘11, ’12-13, ’14-
    • Certifications: PMP, CISA, CISSP, CISM, ISSMP, CSSLP, CCFP
    • Education: BS MIS (McKendree University), Technical School (USAF), MBA (Webster University), NMDC & AIMC (GE Crotonville)
  • 5. END-TO-END IR: BEFORE, DURING, AND AFTER
    • Prepare – Improve Organizational Readiness: Appoint team members; Fine tune response SOPs; Link in legacy applications; Run simulations (fire drills, table tops)
    • Assess – Identify and Evaluate Incidents: Assign appropriate team members; Evaluate precursors and indicators; Track incidents, maintain logbook; Automatically prioritize activities based on criticality; Log evidence; Generate assessment
    • Manage – Contain, Eradicate and Recover: Generate real-time IR plan; Coordinate team response; Choose appropriate containment strategy; Isolate and remediate cause; Instruct evidence gathering and handling
    • Mitigate – Document Results & Improve Performance: Generate reports for management, auditors, and authorities; Conduct post-mortem; Update SOPs; Track evidence; Evaluate historical performance; Educate the organization
  • 11. END-TO-END IR: BEFORE, DURING, AND AFTER (cycle: Detect → Contain & Collect → Analyze → Remediate, with Intel)
    • Detect: SIEM; AV/HIPS; Proxy; ATD; DLP; Etc…
    • Contain & Collect: Contain Host(s); Reset Password(s); Acquire Evidence
    • Analyze: Movement; Methods; Accounts; Actors; Timelines
    • Remediate: Rebuild Host(s); Reset Password(s); Countermeasures; Lessons Learned
    • Intel
  • 12. DOCUMENTATION — “A plan doesn’t need to be a single document anymore.”
    • Wiki or other Platform
    • Flexibility
    • Track Changes
    • “Open” Access
  • 13. PEOPLE
    • Who is needed for wing-to-wing IR? (think outside security)
    • Who is on-call and when? (consider Holidays)
    • Pre-built DL’s for e-mails and info
    • Think through basics: Phones, chat rooms, conference lines, and remote access
    • Clear expectations for returning phone calls
    • Contact roster (Name – Role – Phone #):
      Ray – Incident Coordinator – 555-2368
      Danny – Incident Coordinator – 555-0840
      Kate – Network Team – 606-0842
      Jenny – AD Team – 867-5309
      Alicia – CISO – 489-4608
      Mike – Incident Response – 330-281-8004
      Emily – CIO – 212-664-7665
      Philip – Legal Counsel – 818-775-3993
      Ramona – Public Relations – 212-664-7665
      Business Leaders? Law Enforcement?
  • 14. RACI
    • Who does what? (think outside security)
    • Set expectations
    • Helps define process
  • 15. INCIDENT SEVERITIES — “Not all incidents are created equal.”
    • Define an incident severity model – one common lexicon
    • Detailed model (Rating – Impact – Description):
      Breach 1 – 1 – Intruder has exfiltrated sensitive data or is suspected of exfiltrating sensitive data based on volume, etc.
      Breach 2 – 2 – Intruder has exfiltrated nonsensitive data or data that will facilitate access to sensitive data
      Breach 3 – 3 – Intruder has established command and control channel from asset with ready access to sensitive data
      Cat 1 – 4 – Intruder has compromised asset with ready access to sensitive data
      Cat 2 – 5 – Intruder has compromised asset with access to sensitive data but requires privilege escalation
      Cat 3 – 6 – Intruder is attempting to exploit asset with access to sensitive data
      Cat 6 – 7 – Intruder is conducting reconnaissance against asset with access to sensitive data
      Vuln 1 – 8 – Intruder must apply little effort to compromise asset and exfiltrate sensitive data
      Vuln 2 – 9 – Intruder must apply moderate effort to compromise asset and exfiltrate sensitive data
      Vuln 3 – 10 – Intruder must apply substantial effort to compromise asset and exfiltrate sensitive data
    • Simplified model (Rating – Description – Response/Containment):
      Severity 0 – Intruder has exfiltrated sensitive data or is currently inside network. DDOS that has impacted availability. Malware outbreak. – 1 hour
      Severity 1 – Indicators show that an intruder is attempting to gain a foothold or has attained an initial foothold on the network. DDOS that has the potential to impact availability. Malware causing disruption. – 4 hours
      Severity 2 – Compromised machine (General Malware) – 72 hours
    • Simplified & Flexible
    • Focus more on capability
  • 16. INTERNAL COMMUNICATION — “Incidents are not an opportunity to compartmentalize information.”
    • Comm rhythm by incident severity (Incident Severity – Comm Rhythm – Audience):
      Grave (KC7) – Within 1hr: Conf. Call; 2x Daily: Conf. Call; COB Daily: E-mail – COO, CSO, CIO, General Counsel, Director of PR, CISO, Director of IR, Chief Security Architect
      Significant (KC6) – Within 1hr: E-mail; COB Daily: E-mail – CISO, Director of IR, Chief Security Architect
      Benign (KC1-5) – As needed or upon escalation – Director of IR, Security Manager
    • Communicate broadly, engage others
    • Communication template, rhythm and formats
    • Mobile technology and speed of information
  • 17. COMMUNICATIONS — “‘I don’t know’ is a valid answer, but qualify it with actions.” (status update template)
    • Kill Chain Phase: If your org uses the KC, allows for a quick look at where the current incident is at.
    • Business(es) & Location(s) Impacted: If your org has different locations or business units, helps to narrow impact.
    • Summary: Executive level summary, no longer than a paragraph, on the current status.
    • Impact: Current actual business impact – exfil? Servers down?
    • Next Update: 06-11-2014 1600 EST
    • Incident Status: More details on what is currently happening during the incident.
    • Intelligence & Attribution Summary: If your org has an intelligence group, details would go here.
    • Host Status: Deeper details on affected accounts or hosts.
    • Action Items (Note: Updated information is shaded in Green and completed actions are struck through.) Action – Status – Owner – Est. Comp:
      Assemble Response Team – Complete – J. Smith – 11 Jun 1200 EST
      Review Network Architecture Diagrams – Complete – S. Johnson – 11 Jun 1600 EST
      Review Configuration Settings – In Progress – S. Johnson – 13 Jun 1200 EST
      Establish secure FTP site – In Progress – S. Johnson – 13 Jun 1600 EST
      Collect forensic evidence – Pending – R. White – TBD
  • 18. EXTERNAL COMMUNICATIONS
    • “Think Twitter” & the speed of information
    • Have approved templates ready to go
    • External, Internal, and Business Partners
    • Test and ensure you can actually identify all parties
    • Establish “easy-to-sign” NDA’s for use in the event of x-biz incidents
  • 19. Poll: How long ago was your Incident Response plan and related information updated?
  • 21. CONTAINMENT — “Containment is arguably the most critical decision in IR”
    • Who can access the compromised devices?
    • When do you contain?
    • Who makes the containment call?
    • What method(s) will you use?
    • How will you track down the devices?
  • 22. HOST & NETWORK FORENSIC ANALYSIS (Volatility)
    • Where are the logs? Do you aggregate logs?
    • Does the team have access to the compromised logs & devices?
    • Preserve forensic evidence
    • Who is properly trained to do the forensics? Do they have tools?
  • 23. Poll: Do your Incident Responders have immediate access to logs and devices?
  • 25. RECURRING TESTING – “You shouldn’t be inventing process during a crisis.”
    • Paper Test – Ensure all documentation, templates, etc… are properly updated.
    • Table Top Exercise – Verbally walking through a number of different IR scenarios.
    • Simulated Incident – A more invasive test that leverages a Red Team to simulate an attack (or utilize existing malware samples). Allows for a more comprehensive test of the IRT, to include forensic work.
    • Blind Test – Similar to Simulation testing, but leadership coordinates the attack unbeknownst to the IRT.
  • 26. ENVIRONMENTAL CHANGES
    • Architecture
    • People
    • Attacks/TTPs
    • Infrastructure
    • Regulations (HIPAA, PCI-DSS, DFARS)
  • 27. POST INCIDENT REVIEW
    • DURING the incident – carve out cycles
    • Carve out a process ahead of time
    • Dissect every step of the attack
    • Learn from others/external incidents
  • 28. OUTSIDE OF IR…
    • Leverage the team for other hot issues such as: Heartbleed; Insider cases; Counterfeit gear; Software piracy; Acquisition evaluations; Etc…
  • 29. Poll: Does your organization test your entire Incident Response plan on an ongoing basis?
  • 30. FINAL THOUGHTS!
    • Ensure everything is auditable
    • Build-in a Contingency Budget
    • Education ahead of time
    • Establish a relationship with your local FBI office
    • Think beyond IT – form allies in the business
    • Don’t forget metrics
    • Reward your Incident Responders after the battle
  • 31. One Alewife Center, Suite 450, Cambridge, MA 02140 – PHONE 617.206.3900 – WWW.CO3SYS.COM
    • “We’re doing IR in one-tenth of the time.” – DIRECTOR OF SECURITY & RISK, USA FUNDS
    • “It’s the best purchase we ever made.” – CSO, F500 HEALTHCARE PROVIDER
    • “One of the hottest products at RSA…” – NETWORK WORLD
    • “Co3 has done better than a home-run...it has knocked one out of the park.” – SC MAGAZINE
    • Sean Mason, Executive Incident Response Leader – smason33@csc.com – 702-498-6615 – @SeanAMason – www.csc.com/cybersecurity/IR
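The simplified severity model on the "Incident Severities" slide and the comm rhythm on the "Internal Communication" slide are the two pieces of the plan an IR team has to apply under time pressure, so they are worth encoding rather than leaving in a slide. The following Python is an added example, not code from the deck, from Co3 Systems or from CSC: it turns the three-level model into a triage function, derives the containment deadline and an overdue check from the Response/Containment column, and generates the communication schedule the status template's "Next Update" field needs. The mapping of Severity 0/1/2 onto the Grave/Significant/Benign tiers, the clock times chosen for "2x Daily" (09:00 and 15:00) and "COB Daily" (17:00), and the dataclass field names are all assumptions made for this example.

```python
"""Incident severity triage and comm-rhythm scheduler (added example, not the deck's code).

Encodes the simplified Severity 0/1/2 model and the Grave/Significant/Benign
communication tiers from the slides. Tier mapping and clock times are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Severity:
    level: int
    tier: str                      # comm tier (assumed mapping to the severity level)
    containment_sla: timedelta     # "Response/Containment" column of the slide
    audience: Tuple[str, ...]      # "Audience" column of the comm rhythm slide


SEVERITY_0 = Severity(0, "Grave", timedelta(hours=1),
                      ("COO", "CSO", "CIO", "General Counsel", "Director of PR",
                       "CISO", "Director of IR", "Chief Security Architect"))
SEVERITY_1 = Severity(1, "Significant", timedelta(hours=4),
                      ("CISO", "Director of IR", "Chief Security Architect"))
SEVERITY_2 = Severity(2, "Benign", timedelta(hours=72),
                      ("Director of IR", "Security Manager"))


@dataclass(frozen=True)
class Observations:
    """What the responders currently know; each flag is one phrase from the slide's table."""
    sensitive_data_exfiltrated: bool = False
    intruder_inside_network: bool = False
    ddos_impacting_availability: bool = False
    malware_outbreak: bool = False
    foothold_attempted_or_initial: bool = False
    ddos_could_impact_availability: bool = False
    malware_causing_disruption: bool = False
    compromised_machine_general_malware: bool = False


def triage(obs: Observations) -> Severity:
    """Highest matching severity wins; anything unmatched is escalated to a human."""
    if (obs.sensitive_data_exfiltrated or obs.intruder_inside_network
            or obs.ddos_impacting_availability or obs.malware_outbreak):
        return SEVERITY_0
    if (obs.foothold_attempted_or_initial or obs.ddos_could_impact_availability
            or obs.malware_causing_disruption):
        return SEVERITY_1
    if obs.compromised_machine_general_malware:
        return SEVERITY_2
    raise ValueError("observations match no severity definition; escalate for a human decision")


def containment_deadline(detected_at: datetime, sev: Severity) -> datetime:
    return detected_at + sev.containment_sla


def containment_overdue(detected_at: datetime, sev: Severity, now: datetime) -> bool:
    return now > containment_deadline(detected_at, sev)


# Assumed clock times: the slide only says "2x Daily" and "COB Daily".
TWICE_DAILY_CALLS = (time(9, 0), time(15, 0))
COB = time(17, 0)


def comm_schedule(sev: Severity, detected_at: datetime, days: int = 1) -> List[Tuple[datetime, str, str]]:
    """Return sorted (when, channel, label) touchpoints for the tier's comm rhythm."""
    events: List[Tuple[datetime, str, str]] = []
    if sev.tier == "Grave":
        events.append((detected_at + timedelta(hours=1), "conf call", "initial notification"))
        daily = [(t, "conf call", "status call") for t in TWICE_DAILY_CALLS] + [(COB, "e-mail", "COB summary")]
    elif sev.tier == "Significant":
        events.append((detected_at + timedelta(hours=1), "e-mail", "initial notification"))
        daily = [(COB, "e-mail", "COB summary")]
    else:
        return events  # Benign: "as needed or upon escalation", nothing pre-scheduled
    for day in range(days):
        base = (detected_at + timedelta(days=day)).date()
        for t, channel, label in daily:
            when = datetime.combine(base, t)
            if when > detected_at:  # skip rhythm slots that already passed before detection
                events.append((when, channel, label))
    return sorted(events)


def next_update(sev: Severity, detected_at: datetime, now: datetime) -> Optional[Tuple[datetime, str]]:
    """Value for the status template's 'Next Update' field: first touchpoint after now."""
    for when, channel, _ in comm_schedule(sev, detected_at, days=3):
        if when > now:
            return when, channel
    return None


if __name__ == "__main__":
    # Constructed scenario: an intruder confirmed inside the network at 10:30 on 11 Jun 2014.
    detected = datetime(2014, 6, 11, 10, 30)
    sev = triage(Observations(intruder_inside_network=True))
    print(f"Severity {sev.level} ({sev.tier}); contain by {containment_deadline(detected, sev)}")
    for when, channel, label in comm_schedule(sev, detected):
        print(f"  {when:%d %b %H%M} {channel:9} {label} -> {', '.join(sev.audience)}")
    print("Next update:", next_update(sev, detected, datetime(2014, 6, 11, 12, 0)))
```

The triage function deliberately raises on observations that match nothing, because the slide's point is one common lexicon: an incident that does not fit the model should force a human rating rather than silently default to the lowest level. Extending the schedule past `days=1` only matters for Grave and Significant incidents, which are the ones with a recurring rhythm.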