AlienVault, profile picture
Uploaded byAlienVault
777 views

Preparing for a Security Breach

The document serves as a guide for organizations preparing for a security breach, emphasizing the inevitability of such incidents and the importance of readiness. Key recommendations include implementing monitoring technologies, fostering collaboration across departments, and maintaining effective communication channels. Ultimately, it stresses the significance of process and practice in managing a breach efficiently.

Embed presentation

Preparing for a Security Breach A guide to surviving the Infosec worst case scenario. Conrad Constantine Community Manager @AlienVault Sandy Hawke VP, Product Marketing @AlienVault
Introductions Meet today’s presenters Sandy Hawke, CISSP “I used to be an infosec guy” VP, Product Marketing AlienVault @sandybeachSF Conrad Constantine “I’m just some infosec guy” Community Manager, Head Geek AlienVault @cpconstantine 2
“Everyone has a plan until they get punched in the face.” --Mike Tyson Image source: http://www.onpath.com/blog-0/bid/74760/Everybody-has-a-plan-until-they-get-punched-in-the-face 3
Image source: http://richardultra.blogspot.com/2012/07/preparation.html 4
Death, Taxes, and now Breaches NO longer a question of if… …but when. *sigh* Image source: http://datalossdb.org/ 5
Why the Black Hats Always Win* *With credit to Val Smith for the title Defenders have to always be right, attackers only have to be right once. Image source: http://dizzyet.wordpress.com/category/the-dark-knight/ 6
Tales from the Trenches… Worked in Infosec since the mid-90’s Been a sysadmin, a pen-tester and an incident responder. I’ve worked on breaches ranging from mom and pop mail servers to the 2011 RSA Breach. I’ve never worked for one of those companies you pay to come in and handle your breach for you. It’s always been personal. 7
What You Don’t Know Will Hurt You “The Diversionary Attack you are ignoring, is actually the Main Assault” – Murphy’s Laws of Combat Image source: http://casablancapa.blogspot.com/2010/07/hiding-in-plain-sight.html 8
Separate the foxes from the dogs Monitor & Automate What’s / who’s online? What’s normal vs. abnormal? Are our controls working? What are the latest threats? Can I detect and defend against them? Image source: http://casablancapa.blogspot.com/2010/07/hiding-in-plain-sight.html 9
The Best Attacker, Is a Lazy Attacker Image source: http://www.heromachine.com/2009/07/04/random-panel-next-week-on-lazy-criminal-minds/ Not all of the attacks need to be “advanced” / APTs to be successful. In fact, most aren’t. 10
Rule #1 – Don’t Panic! I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me. And when it has gone past I will turn the inner eye to see its path. Where the fear has gone there will be nothing. Only I will remain” Litany Against Fear – Frank Herbert – “DUNE” Image source: Hitchhiker’s Guide to the Galaxy 11
Keeping it Under Control Remain calm. Your intruders… Possess no psychic powers Are not space aliens with access to technology far beyond ours. Probably didn’t need vast amounts of insider information They were successful in breaking in so now you have to discover HOW Image source: The X-Files 12
An Ounce of Preparation… Discover when, where and how the event happened – what was taken, when, where Communicate this to your Executive Team. Your ability to deliver this information is entirely dependent upon what you have available to monitor today. “86% of victims had evidence of the breach in their log files” Verizon Data Breach Report - 2010 13
Extend Your “Team”: Collaboration is Key A breach will introduce you to a LOT of new people around the company (HR, Legal, Exec, etc.) Connect and collaborate with them now, before hair is on fire. Goals: Arrive at a common language, agree on priorities, communication channels, and chain of command Image source: http://www.idiomsbykids.com/ 14
Containing The Fire Leave No Stone Unturned. There are no absolutes. Burn out their access. Be prepared to prove the unprovable (as in, they’re now GONE) Logs are your friend. Make sure you can search them. 15
Kicking the Barbarians out of the Castle A good attacker will “blend in” Privileged access is their friend. Pivot, expand, pivot, expand. Capture network baselines Identify suspicious stuff Netflow analysis Service availability monitoring 16
Establishing a timeline Image source: http://www.n2growth.com/blog/the-facts-maam-just-the-facts/ 17
Importance of Logs: “Hiding In Plain Hind- sight” “The Diversionary Attack you are Ignoring, is actually the Main Assault” – Murphy’s Laws of Combat Operations 18
Importance of Shared Threat Intelligence Remember the lazy attacker? He’s using (and reusing) the same exploits against others (and you). Sharing (and receiving) collaborative threat intelligence makes us all more secure. 19
Need to Prioritize? Get Threat Intelligence! Network and host-based IDS signatures – detects the latest threats in your environment Asset discovery signatures – identifies the latest OS’es, applications, and device types Vulnerability assessment signatures – dual database coverage to find the latest vulnerabilities on all your systems Correlation rules – translates raw events into actionable remediation tasks Reporting modules – provides new ways of viewing data about your environment Dynamic incident response templates – delivers customized guidance on how to respond to each alert Newly supported data source plug-ins – expands your monitoring footprint 20
The Technical Checklist  Automated asset discovery and inventory – what’s on my network and what software is running on it?  Behavioral monitoring / netflow analysis – what’s “normal” activity for my servers and my network?  Network, host-based IDS – what threats are active in my network now?  Log management / log search – “long, deep and wide”  Dynamic threat intelligence – threats are constantly changing, so should my defenses 21
The Process Checklist  Set expectations ahead of time:  Document for non-techs – explain what is involved in a security investigation (will save you time later!)  Agree on who will be doing what, when (NOW, not LATER)  Checklists for standard investigative procedures - user activity audits, system configuration changes, cross references to change control, etc.  Templates, tools, for recording long chains of evidence 22
Practice Makes Perfect The only that prepares you for a fight is… getting into a fight. Practice defense during pen-tests. Structured walk-throughs, Red Team exercises… all good. Image source: http://blog.lib.umn.edu/graz0029/ponderingpsychology/2012/04/practice-makes-perfector-does-it.html 23
Never walk into a fight armed with only “a plan”… Image source: http://www.15rounds.com/garcia-stops-remillard-in-ten-032611/ 24
Summary During a breach… it’s all about process and personalities. What can you do now? Implement essential monitoring and detection technologies. Build strong relationships – they will be tested during crisis time! Develop established communication channels, and document them. Run through your checklists and practice sessions 25
Next Steps / Q&A Request an AlienVault USM demo at: www.alienvault.com/schedule-demo.html Request a free trial of AlienVault USM: http://www.alienvault.com/free-trial Not quite ready for all that? Test drive our open source project - OSSIM here: communities.alienvault.com/ Need more info to get started? Try our knowledge base here: alienvault.bloomfire.com These resources are also in the Attachments section Join the conversation! @alienvault #AlienIntel 26

More Related Content

PDF
Defender economics
byaddelindh
 
PDF
Cyber Security Extortion: Defending Against Digital Shakedowns
byCrowdStrike
 
PDF
CrowdCast Monthly: Operationalizing Intelligence
byCrowdStrike
 
PDF
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
byCrowdStrike
 
PDF
Bear Hunting: History and Attribution of Russian Intelligence Operations
byCrowdStrike
 
PPTX
Crowd-Sourced Threat Intelligence
byAlienVault
 
PDF
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
byCrowdStrike
 
PPTX
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
byClare Nelson, CISSP, CIPP-E
 
Defender economics
byaddelindh
 
Cyber Security Extortion: Defending Against Digital Shakedowns
byCrowdStrike
 
CrowdCast Monthly: Operationalizing Intelligence
byCrowdStrike
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
byCrowdStrike
 
Bear Hunting: History and Attribution of Russian Intelligence Operations
byCrowdStrike
 
Crowd-Sourced Threat Intelligence
byAlienVault
 
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
byCrowdStrike
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
byClare Nelson, CISSP, CIPP-E
 

What's hot

PDF
CrowdCasts Monthly: You Have an Adversary Problem
byCrowdStrike
 
PDF
Three Considerations To Amplify Your Detection and Response Program
byMorphick
 
PDF
CrowdCasts Monthly: Going Beyond the Indicator
byCrowdStrike
 
PDF
Advanced Threats and Lateral Movement Detection
byGreg Foss
 
PPTX
Beyond the Hype: Understanding Cloud Security by Bryan D. Payne
byNebula
 
ODP
BSides Cincy: Active Defense - Helping threat actors hack themselves!
byThreatReel Podcast
 
PDF
DerbyCon 5 - Tactical Diversion-Driven Defense
byGreg Foss
 
PDF
Honeypots for Active Defense
byGreg Foss
 
PPTX
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
byEC-Council
 
PDF
CSF18 - Guarding Against the Unknown - Rafael Narezzi
byNCCOMMS
 
PDF
Blue team reboot - HackFest
byHaydn Johnson
 
PPTX
Lateral Movement by Default
byInnoTech
 
PPTX
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
byEC-Council
 
PPTX
Jerod Brennen - What You Need to Know About OSINT
bycentralohioissa
 
PDF
Advanced Persistent Threats Cutting Through The Hype
bySymantec
 
PDF
Deception Driven Defense - Infragard 2016
byGreg Foss
 
DOC
Honeypot seminar report
byInder NeGi
 
PDF
How to Replace Your Legacy Antivirus Solution with CrowdStrike
byAdam Barrera
 
PDF
Threat Hunting with Cyber Kill Chain
bySuwitcha Musijaral CISSP,CISA,GWAPT,SNORTCP
 
PDF
Offensive malware usage and defense
byChristiaan Beek
 
CrowdCasts Monthly: You Have an Adversary Problem
byCrowdStrike
 
Three Considerations To Amplify Your Detection and Response Program
byMorphick
 
CrowdCasts Monthly: Going Beyond the Indicator
byCrowdStrike
 
Advanced Threats and Lateral Movement Detection
byGreg Foss
 
Beyond the Hype: Understanding Cloud Security by Bryan D. Payne
byNebula
 
BSides Cincy: Active Defense - Helping threat actors hack themselves!
byThreatReel Podcast
 
DerbyCon 5 - Tactical Diversion-Driven Defense
byGreg Foss
 
Honeypots for Active Defense
byGreg Foss
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
byEC-Council
 
CSF18 - Guarding Against the Unknown - Rafael Narezzi
byNCCOMMS
 
Blue team reboot - HackFest
byHaydn Johnson
 
Lateral Movement by Default
byInnoTech
 
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
byEC-Council
 
Jerod Brennen - What You Need to Know About OSINT
bycentralohioissa
 
Advanced Persistent Threats Cutting Through The Hype
bySymantec
 
Deception Driven Defense - Infragard 2016
byGreg Foss
 
Honeypot seminar report
byInder NeGi
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
byAdam Barrera
 
Threat Hunting with Cyber Kill Chain
bySuwitcha Musijaral CISSP,CISA,GWAPT,SNORTCP
 
Offensive malware usage and defense
byChristiaan Beek
 

Viewers also liked

PDF
How to safe your company from having a security breach
byBaltimax
 
PPT
Current Emerging Threats
bydnomura
 
PDF
Security Breach Laws
byGuardEra Access Solutions, Inc.
 
PPTX
When a Data Breach Happens, What's Your Plan?
byEdge Pereira
 
PDF
5 Critical Steps to Handling a Security Breach
bySeculert
 
PPTX
Vlvj corp ppt
byYanivTaieb
 
PPTX
security in it (data and cyber security)
byRohana K Amarakoon
 
PPTX
Data Security Breach: The Sony & Staples Story
byInternational Institute for Learning
 
PPTX
Data Security Breach – knowing the risks and protecting your business
byEversheds Sutherland
 
PPTX
Sony Playstation Hack Presentation
byCreditCardFinder
 
PPTX
A Brave New World of Cyber Security and Data Breach
byJim Brashear
 
How to safe your company from having a security breach
byBaltimax
 
Current Emerging Threats
bydnomura
 
Security Breach Laws
byGuardEra Access Solutions, Inc.
 
When a Data Breach Happens, What's Your Plan?
byEdge Pereira
 
5 Critical Steps to Handling a Security Breach
bySeculert
 
Vlvj corp ppt
byYanivTaieb
 
security in it (data and cyber security)
byRohana K Amarakoon
 
Data Security Breach: The Sony & Staples Story
byInternational Institute for Learning
 
Data Security Breach – knowing the risks and protecting your business
byEversheds Sutherland
 
Sony Playstation Hack Presentation
byCreditCardFinder
 
A Brave New World of Cyber Security and Data Breach
byJim Brashear
 

Similar to Preparing for a Security Breach

PPTX
Janitor vs cleaner
byJohn Stauffacher
 
PDF
YBB-NW-distribution
byMike Saunders
 
PPTX
You Will Be Breached
byMike Saunders
 
PPTX
Cyber Security for Financial Planners
byMichael O'Phelan
 
PPTX
Offence oriented Defence
bySensePost
 
PPTX
Securing Systems - Still Crazy After All These Years
byAdrian Sanabria
 
PDF
Security crashcourse openwest_2019
bySean Jackson
 
PDF
Event Presentation: Cyber Security for Industrial Control Systems
byInfonaligy
 
PPTX
Be More Secure than your Competition: MePush Cyber Security for Small Business
byArt Ocain
 
PDF
The New Normal - Rackspace Solve 2015
byMajor Hayden
 
PDF
Building an effective Information Security Roadmap
byElliott Franklin
 
PDF
cybersecurity_alert_feb_12_2015
byPaul Ferrillo
 
PDF
BEA Presentation
byGlenn E. Davis
 
PDF
You will be breached
byMike Saunders
 
PDF
Today's Cyber Challenges: Methodology to Secure Your Business
byJoAnna Cheshire
 
PPTX
Flipping the script
byChris Nickerson
 
PPTX
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
bySteve Werby
 
PDF
Complete network security protection for sme's within limited resources
byIJNSA Journal
 
PDF
Microsoft power point closing presentation-greenberg
byISSA LA
 
PPTX
FUEL_USERS_GROUP
byWill Pearce
 
Janitor vs cleaner
byJohn Stauffacher
 
YBB-NW-distribution
byMike Saunders
 
You Will Be Breached
byMike Saunders
 
Cyber Security for Financial Planners
byMichael O'Phelan
 
Offence oriented Defence
bySensePost
 
Securing Systems - Still Crazy After All These Years
byAdrian Sanabria
 
Security crashcourse openwest_2019
bySean Jackson
 
Event Presentation: Cyber Security for Industrial Control Systems
byInfonaligy
 
Be More Secure than your Competition: MePush Cyber Security for Small Business
byArt Ocain
 
The New Normal - Rackspace Solve 2015
byMajor Hayden
 
Building an effective Information Security Roadmap
byElliott Franklin
 
cybersecurity_alert_feb_12_2015
byPaul Ferrillo
 
BEA Presentation
byGlenn E. Davis
 
You will be breached
byMike Saunders
 
Today's Cyber Challenges: Methodology to Secure Your Business
byJoAnna Cheshire
 
Flipping the script
byChris Nickerson
 
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
bySteve Werby
 
Complete network security protection for sme's within limited resources
byIJNSA Journal
 
Microsoft power point closing presentation-greenberg
byISSA LA
 
FUEL_USERS_GROUP
byWill Pearce
 

More from AlienVault

PPTX
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
byAlienVault
 
PDF
Malware Invaders - Is Your OS at Risk?
byAlienVault
 
PPTX
How to Solve Your Top IT Security Reporting Challenges with AlienVault
byAlienVault
 
PPTX
Simplify PCI DSS Compliance with AlienVault USM
byAlienVault
 
PDF
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
byAlienVault
 
PDF
Insider Threat Detection Recommendations
byAlienVault
 
PPTX
Alienvault threat alerts in spiceworks
byAlienVault
 
PDF
Open Source IDS Tools: A Beginner's Guide
byAlienVault
 
PPTX
Malware detection how to spot infections early with alien vault usm
byAlienVault
 
PDF
Security operations center 5 security controls
byAlienVault
 
PDF
PCI DSS Implementation: A Five Step Guide
byAlienVault
 
PPTX
Improve threat detection with hids and alien vault usm
byAlienVault
 
PDF
The State of Incident Response - INFOGRAPHIC
byAlienVault
 
PPTX
Incident response live demo slides final
byAlienVault
 
PPTX
Improve Situational Awareness for Federal Government with AlienVault USM
byAlienVault
 
PPTX
Improve Security Visibility with AlienVault USM Correlation Directives
byAlienVault
 
PPTX
How Malware Works
byAlienVault
 
PPTX
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
byAlienVault
 
PPTX
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
byAlienVault
 
PPTX
AWS Security Best Practices for Effective Threat Detection & Response
byAlienVault
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
byAlienVault
 
Malware Invaders - Is Your OS at Risk?
byAlienVault
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
byAlienVault
 
Simplify PCI DSS Compliance with AlienVault USM
byAlienVault
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
byAlienVault
 
Insider Threat Detection Recommendations
byAlienVault
 
Alienvault threat alerts in spiceworks
byAlienVault
 
Open Source IDS Tools: A Beginner's Guide
byAlienVault
 
Malware detection how to spot infections early with alien vault usm
byAlienVault
 
Security operations center 5 security controls
byAlienVault
 
PCI DSS Implementation: A Five Step Guide
byAlienVault
 
Improve threat detection with hids and alien vault usm
byAlienVault
 
The State of Incident Response - INFOGRAPHIC
byAlienVault
 
Incident response live demo slides final
byAlienVault
 
Improve Situational Awareness for Federal Government with AlienVault USM
byAlienVault
 
Improve Security Visibility with AlienVault USM Correlation Directives
byAlienVault
 
How Malware Works
byAlienVault
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
byAlienVault
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
byAlienVault
 
AWS Security Best Practices for Effective Threat Detection & Response
byAlienVault
 

Recently uploaded

PPTX
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
PDF
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
PDF
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
PDF
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
PDF
Fortinet Certified Fundamentals in Cybersecurity
byVICTOR MAESTRE RAMIREZ
 
PDF
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
PDF
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
PDF
A Simple Guide to Real Estate Tokenization on XRP Ledger.pdf
byemmajoh2025
 
PDF
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
 
PDF
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 
PDF
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PDF
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
PDF
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
PDF
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
PDF
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
PDF
Certified AI-Empowered SAFe 6 Scrum Master.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PDF
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
Fortinet Certified Fundamentals in Cybersecurity
byVICTOR MAESTRE RAMIREZ
 
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
A Simple Guide to Real Estate Tokenization on XRP Ledger.pdf
byemmajoh2025
 
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
 
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
How PayPal Account Verification Works – Complete Guide for Online Businesses
byjhdhj3989
 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
Certified AI-Empowered SAFe 6 Scrum Master.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 

Preparing for a Security Breach

  • 1.
    Preparing for aSecurity Breach A guide to surviving the Infosec worst case scenario. Conrad Constantine Community Manager @AlienVault Sandy Hawke VP, Product Marketing @AlienVault
  • 2.
    Introductions Meet today’s presenters SandyHawke, CISSP “I used to be an infosec guy” VP, Product Marketing AlienVault @sandybeachSF Conrad Constantine “I’m just some infosec guy” Community Manager, Head Geek AlienVault @cpconstantine 2
  • 3.
    “Everyone has aplan until they get punched in the face.” --Mike Tyson Image source: http://www.onpath.com/blog-0/bid/74760/Everybody-has-a-plan-until-they-get-punched-in-the-face 3
  • 4.
  • 5.
    Death, Taxes, andnow Breaches NO longer a question of if… …but when. *sigh* Image source: http://datalossdb.org/ 5
  • 6.
    Why the BlackHats Always Win* *With credit to Val Smith for the title Defenders have to always be right, attackers only have to be right once. Image source: http://dizzyet.wordpress.com/category/the-dark-knight/ 6
  • 7.
    Tales from theTrenches… Worked in Infosec since the mid-90’s Been a sysadmin, a pen-tester and an incident responder. I’ve worked on breaches ranging from mom and pop mail servers to the 2011 RSA Breach. I’ve never worked for one of those companies you pay to come in and handle your breach for you. It’s always been personal. 7
  • 8.
    What You Don’tKnow Will Hurt You “The Diversionary Attack you are ignoring, is actually the Main Assault” – Murphy’s Laws of Combat Image source: http://casablancapa.blogspot.com/2010/07/hiding-in-plain-sight.html 8
  • 9.
    Separate the foxesfrom the dogs Monitor & Automate What’s / who’s online? What’s normal vs. abnormal? Are our controls working? What are the latest threats? Can I detect and defend against them? Image source: http://casablancapa.blogspot.com/2010/07/hiding-in-plain-sight.html 9
  • 10.
    The Best Attacker,Is a Lazy Attacker Image source: http://www.heromachine.com/2009/07/04/random-panel-next-week-on-lazy-criminal-minds/ Not all of the attacks need to be “advanced” / APTs to be successful. In fact, most aren’t. 10
  • 11.
    Rule #1 –Don’t Panic! I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me. And when it has gone past I will turn the inner eye to see its path. Where the fear has gone there will be nothing. Only I will remain” Litany Against Fear – Frank Herbert – “DUNE” Image source: Hitchhiker’s Guide to the Galaxy 11
  • 12.
    Keeping it UnderControl Remain calm. Your intruders… Possess no psychic powers Are not space aliens with access to technology far beyond ours. Probably didn’t need vast amounts of insider information They were successful in breaking in so now you have to discover HOW Image source: The X-Files 12
  • 13.
    An Ounce ofPreparation… Discover when, where and how the event happened – what was taken, when, where Communicate this to your Executive Team. Your ability to deliver this information is entirely dependent upon what you have available to monitor today. “86% of victims had evidence of the breach in their log files” Verizon Data Breach Report - 2010 13
  • 14.
    Extend Your “Team”:Collaboration is Key A breach will introduce you to a LOT of new people around the company (HR, Legal, Exec, etc.) Connect and collaborate with them now, before hair is on fire. Goals: Arrive at a common language, agree on priorities, communication channels, and chain of command Image source: http://www.idiomsbykids.com/ 14
  • 15.
    Containing The Fire LeaveNo Stone Unturned. There are no absolutes. Burn out their access. Be prepared to prove the unprovable (as in, they’re now GONE) Logs are your friend. Make sure you can search them. 15
  • 16.
    Kicking the Barbariansout of the Castle A good attacker will “blend in” Privileged access is their friend. Pivot, expand, pivot, expand. Capture network baselines Identify suspicious stuff Netflow analysis Service availability monitoring 16
  • 17.
    Establishing a timeline Imagesource: http://www.n2growth.com/blog/the-facts-maam-just-the-facts/ 17
  • 18.
    Importance of Logs:“Hiding In Plain Hind- sight” “The Diversionary Attack you are Ignoring, is actually the Main Assault” – Murphy’s Laws of Combat Operations 18
  • 19.
    Importance of SharedThreat Intelligence Remember the lazy attacker? He’s using (and reusing) the same exploits against others (and you). Sharing (and receiving) collaborative threat intelligence makes us all more secure. 19
  • 20.
    Need to Prioritize? GetThreat Intelligence! Network and host-based IDS signatures – detects the latest threats in your environment Asset discovery signatures – identifies the latest OS’es, applications, and device types Vulnerability assessment signatures – dual database coverage to find the latest vulnerabilities on all your systems Correlation rules – translates raw events into actionable remediation tasks Reporting modules – provides new ways of viewing data about your environment Dynamic incident response templates – delivers customized guidance on how to respond to each alert Newly supported data source plug-ins – expands your monitoring footprint 20
  • 21.
    The Technical Checklist Automated asset discovery and inventory – what’s on my network and what software is running on it?  Behavioral monitoring / netflow analysis – what’s “normal” activity for my servers and my network?  Network, host-based IDS – what threats are active in my network now?  Log management / log search – “long, deep and wide”  Dynamic threat intelligence – threats are constantly changing, so should my defenses 21
  • 22.
    The Process Checklist Set expectations ahead of time:  Document for non-techs – explain what is involved in a security investigation (will save you time later!)  Agree on who will be doing what, when (NOW, not LATER)  Checklists for standard investigative procedures - user activity audits, system configuration changes, cross references to change control, etc.  Templates, tools, for recording long chains of evidence 22
  • 23.
    Practice Makes Perfect Theonly that prepares you for a fight is… getting into a fight. Practice defense during pen-tests. Structured walk-throughs, Red Team exercises… all good. Image source: http://blog.lib.umn.edu/graz0029/ponderingpsychology/2012/04/practice-makes-perfector-does-it.html 23
  • 24.
    Never walk intoa fight armed with only “a plan”… Image source: http://www.15rounds.com/garcia-stops-remillard-in-ten-032611/ 24
  • 25.
    Summary During a breach…it’s all about process and personalities. What can you do now? Implement essential monitoring and detection technologies. Build strong relationships – they will be tested during crisis time! Develop established communication channels, and document them. Run through your checklists and practice sessions 25
  • 26.
    Next Steps /Q&A Request an AlienVault USM demo at: www.alienvault.com/schedule-demo.html Request a free trial of AlienVault USM: http://www.alienvault.com/free-trial Not quite ready for all that? Test drive our open source project - OSSIM here: communities.alienvault.com/ Need more info to get started? Try our knowledge base here: alienvault.bloomfire.com These resources are also in the Attachments section Join the conversation! @alienvault #AlienIntel 26