© 2015 Lancope, Inc. All rights reserved.
The Seven Deadly Sins
of Incident Response
Brandon Tansey
Security Researcher
Javvad Malik
Senior Analyst, Enterprise Security Practice
The origin of [incident response] sin…
1. Not understanding your environment due to a lack of visibility
[Diagram: an example environment made up of Developer PCs, Other PCs, Domain Controllers, DNS Servers, Mail Servers, Code Repositories, FTP Servers, Web Servers and Internet Hosts, shown at three levels of visibility: Network, Services, Hosts]
Regardless of the type of information…
• Are you just logging information or are you also collecting it?
• Are you saving only ‘special’ log lines, or everything?
• Do you have a standard retention period in policy?
• Does the budget control the period, or the period the budget?
• If you have end-user managed hosts, are they subject to the same logging policies?
2. Not having the right staff
Number of team members in CSIRT (Source: Lancope / Ponemon Institute)
  None           12%
  One            16%
  2 to 5         44%
  6 to 10        23%
  More than 10    5%

Number of team members fully dedicated to CSIRT (Source: Lancope / Ponemon Institute)
  None           45%
  One            28%
  2 to 5         14%
  6 to 10        11%
  More than 10    2%

Or any staff…
[Diagram: Collection → Analysis → Action / Realizing Value]
Not having the right staff
• Technical skills
• Knowledge transfer
• Appropriate to type of company
What functions or departments are involved in the incident response process? (Source: Lancope / Ponemon Institute)
  IT Management          79%
  Executive Management   14%
  Board of Directors     10%
  Risk management        36%
  Legal                  45%
  Compliance             47%
  HR                     43%
3. Lack of budget (a.k.a. not being able to speak the language of the business)
Lack of budget
• Communicating technical issues in technical terms to the business
• Not helping to sell more ‘widgets’
• Ineffective allocation of budget
Source: 451 Research
[Figure omitted. Source: 451 Research]
How much of your security budget goes towards an incident response program? (Source: Lancope / Ponemon Institute)
  Less than 10%   50%
  10% to 20%      31%
  21% to 30%      11%
  31% to 40%       5%
  41% to 50%       2%
  More than 50%    1%
Does your organization have meaningful operational metrics to measure the overall effectiveness of incident response activities? (Source: Lancope / Ponemon Institute)
  Yes      46%
  No       50%
  Unsure    4%

Does your organization have meaningful operational metrics to measure the speed at which incidents are being detected and contained? (Source: Lancope / Ponemon Institute)
  Yes      42%
  No       55%
  Unsure    3%
Frequency of cyber threat briefings to various functions within the organization (“very frequently” and “frequently” responses combined; Source: Lancope / Ponemon Institute)
  IT Management             91%
  Compliance / Audit        64%
  Legal                     51%
  HR                        50%
  Risk Management           49%
  Broadly throughout org.   24%
  Executive Management      20%
  Board of Directors        12%
4. Becoming a headless chicken when IT hits the fan (a.k.a. not having a plan)
Becoming a headless chicken when IT hits the fan
• Undefined roles and reporting lines
• Knee-jerk reactions and decisions
• Lack of change management
Vince Lombardi, sort of:
“When you get into [an incident investigation], act like you've been there before.”
Things to ask ahead of time (and get in writing)
• Who can approve what actions?
  • Does the type of incident affect the answer?
  • If an appropriate person cannot be reached, can the incident responder act on their own after a given amount of time?
Things to ask ahead of time (and get in writing)
• What are end-users’ responsibilities in the incident response process?
  • Are they required to turn over machines to the CSIRT?
  • In the event of a compromise resulting in a wipe, do users get access to their files? Which ones?
  • What happens when a user needs something that the CSIRT has blocked?
  • Who handles exceptions?
Things to ask ahead of time (and get in writing)
• What are your external (legal, compliance, contractual) obligations?
  • At what point has there been a “breach”?
  • Is this the point when other teams (legal, etc.) are notified?
  • If any, what are your external notification requirements?
Things to ask ahead of time (and get in writing)
• Can your CSIRT participate in information and indicator sharing groups?
• Can your CSIRT run malware live on the internet?
  • What are safe handling requirements?
• Can your CSIRT interact with malicious hosts for the purpose of intelligence gathering?
  • From the corporate LAN? An unattributed network?
5. Using generic response processes that aren’t specific to your organization
Using generic response processes that aren’t specific to your organization
• ‘Monkeys in a cage’ mentality
• Not tailoring processes to your company
• Lack of risk assessment and measurement
Note: All of the ‘questions’ in the last section were just that, questions.
You need to know (or figure out) what is best for your own organization, and that’s not just a technical decision.
Should your CSIRT make decisions or recommendations?
6. Improper threat modelling (a.k.a. missing the big picture)
Improper threat modelling
• Missing the big picture
• Emotion-based decision making
• Defending against all possible threats all the time
The safest network is one with nothing connected. Go ahead and make that your policy.*
* Don’t do this.
7. Not considering your environment and capabilities when tuning devices
Not considering your environment and capabilities when tuning devices
• Unable to separate the news from the noise
• Setting defaults and forgetting
• Monitoring quality of alerts vs. counting stats
• Shelfware
Things to think about when tuning: dealing with quantity and sensitivity
• Tuning is an iterative process
• What type of setup are you working to?
  • A bat-signal to summon the part-time CSIRT employee?
  • A set of ‘suspicious’ things for analysts to investigate?
• Using detection tools to supplement your knowledge
  • Context
    • Someone on the Internet port scans hosts in your DMZ? Meh.
    • A host on your LAN begins scanning internal ranges? Hrm…
• Familiarize yourself with the rules/events/alarms you turn on
  • The best rule/event/alarm is one that you wrote yourself
  • Know how it works, when it doesn’t, what it means, and what to do…
  • Learn which events are your ‘money’ events, figure out why the others aren’t in that bucket
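An added example, not from the slides, of the ‘context’ point above: the same raw behaviour (one source touching many host/port targets) is rated differently depending on where the source and its targets sit, and an allowlisted authorized scanner shows where the rule deliberately does not apply. The address ranges, the allowlisted host, the thresholds and the flow records are all constructed.

```python
"""Context-aware triage of scan-like behaviour over constructed flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed address plan for the example organization (not from the slides).
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
DMZ_RANGES = [ip_network("203.0.113.0/24")]          # RFC 5737 documentation range
# Hosts expected to probe many targets (e.g. an authorized vulnerability scanner).
# Knowing when the rule does not apply is part of owning the rule.
KNOWN_SCANNERS = {"10.0.0.99"}
# Tuning knob: how many distinct (host, port) targets make a source 'scan-like'.
MIN_DISTINCT_TARGETS = 5
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def zone(addr):
    """Classify an address as 'internal', 'dmz' or 'internet'."""
    ip = ip_address(addr)
    if any(ip in net for net in DMZ_RANGES):
        return "dmz"
    if any(ip in net for net in INTERNAL_RANGES):
        return "internal"
    return "internet"


def find_scanners(flows, min_targets=MIN_DISTINCT_TARGETS):
    """Map each non-allowlisted source to its distinct (dst, dport) targets,
    keeping only sources that touched at least min_targets of them.

    Limitation worth knowing before relying on it: there is no time window,
    so a slow scan spread over days and a busy legitimate client look alike.
    """
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if src not in KNOWN_SCANNERS:
            targets[src].add((dst, dport))
    return {src: t for src, t in targets.items() if len(t) >= min_targets}


def triage(src, targets):
    """Rate a scan-like source by where it and its targets sit."""
    src_zone = zone(src)
    dst_zones = {zone(dst) for dst, _ in targets}
    if src_zone in ("internal", "dmz") and "internal" in dst_zones:
        return "high"        # a LAN (or DMZ) host scanning internal ranges: investigate
    if src_zone == "internet" and dst_zones <= {"dmz"}:
        return "low"         # Internet host scanning the DMZ: background noise
    return "medium"          # anything else, e.g. an internal host sweeping the Internet


def run_triage(flows):
    """Return (priority, source, target_count) rows, highest priority first."""
    scanners = find_scanners(flows)
    rows = [(triage(src, t), src, len(t)) for src, t in scanners.items()]
    return sorted(rows, key=lambda r: (PRIORITY_ORDER[r[0]], r[1]))


# Constructed flow records as (src, dst, dport) tuples.
SAMPLE_FLOWS = (
    # Internet host sweeping common ports on one DMZ web server.
    [("198.51.100.7", "203.0.113.10", p) for p in (21, 22, 25, 80, 443, 8080)]
    # Internal workstation probing SMB on eleven neighbours.
    + [("10.1.2.3", "10.1.2.%d" % h, 445) for h in range(10, 21)]
    # Authorized scanner doing its job: allowlisted, so never reported.
    + [("10.0.0.99", "10.1.2.%d" % h, 22) for h in range(10, 30)]
    # Ordinary traffic: a workstation talking to DNS and mail.
    + [("10.5.5.5", "10.0.0.53", 53), ("10.5.5.5", "10.0.0.25", 25)]
)

if __name__ == "__main__":
    for priority, src, count in run_triage(SAMPLE_FLOWS):
        print("%-6s %-15s %d distinct targets" % (priority, src, count))
```

The internal SMB sweep comes out as the ‘money’ event while the external sweep of the DMZ is reported but ranked last; the zone map and thresholds are the parts you would tune to your own environment.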
Recap!
1. Not understanding your environment due to a lack of visibility
2. Not having the right staff
3. Lack of budget
4. Becoming a headless chicken when IT hits the fan
5. Using generic response processes that aren’t specific to your organization
6. Improper threat modelling
7. Not considering your environment and capabilities when tuning devices
8. Not taking advantage of the fruits of an incident investigation
What type of tools are most effective in helping to detect breaches? (Source: Lancope / Ponemon Institute)
  NetFlow / Pcap   80%
  SIEM             76%
  IDS / IPS        67%
  Threat Feeds     65%
Do your organization's incident investigations result in threat indicators which are used to defend the organization from future attacks? (Source: Lancope / Ponemon Institute)
  Yes      43%
  No       54%
  Unsure    3%
Recap!
1. Not understanding your environment due to a lack of visibility
2. Not having the right staff
3. Lack of budget
4. Becoming a headless chicken when IT hits the fan
5. Using generic response processes that aren’t specific to your organization
6. Improper threat modelling
7. Not considering your environment and capabilities when tuning devices
8. Not taking advantage of the fruits of an incident investigation
Thank you!
@Lancope
https://www.facebook.com/Lancope
http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about
https://plus.google.com/u/0/103996520487697388791/posts
http://feeds.feedblitz.com/netflowninjas

Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
 
WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...
WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...
WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...
 
Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report
Webinar: Insights from CYREN's 2015-Q3 Cyber Threat ReportWebinar: Insights from CYREN's 2015-Q3 Cyber Threat Report
Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report
 
April 2015 Webinar: Cyber Hunting with Sqrrl
April 2015 Webinar: Cyber Hunting with SqrrlApril 2015 Webinar: Cyber Hunting with Sqrrl
April 2015 Webinar: Cyber Hunting with Sqrrl
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
 
WeSecure Data Security Congres: 5 must haves to safe cloud enablement
WeSecure Data Security Congres: 5 must haves to safe cloud enablementWeSecure Data Security Congres: 5 must haves to safe cloud enablement
WeSecure Data Security Congres: 5 must haves to safe cloud enablement
 
Penetration testing as an internal audit activity
Penetration testing as an internal audit activityPenetration testing as an internal audit activity
Penetration testing as an internal audit activity
 
Protecting endpoints from targeted attacks
Protecting endpoints from targeted attacksProtecting endpoints from targeted attacks
Protecting endpoints from targeted attacks
 
Can containers be secured in paas?
Can containers be secured in paas?Can containers be secured in paas?
Can containers be secured in paas?
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon Lietz
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
 
Find & fix the flaws in your code
Find & fix the flaws in your codeFind & fix the flaws in your code
Find & fix the flaws in your code
 
Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016
 
2015 1029 webinar_meet_the_tech_savvy_cfo
2015 1029 webinar_meet_the_tech_savvy_cfo2015 1029 webinar_meet_the_tech_savvy_cfo
2015 1029 webinar_meet_the_tech_savvy_cfo
 
Lyra Infosystems Services and Consulting Portfolio 2020
Lyra Infosystems Services and Consulting Portfolio 2020Lyra Infosystems Services and Consulting Portfolio 2020
Lyra Infosystems Services and Consulting Portfolio 2020
 
LSI Spring Agent Open House 2014
LSI Spring Agent Open House 2014LSI Spring Agent Open House 2014
LSI Spring Agent Open House 2014
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
CPX 2016 Moti Sagey Security Vendor Landscape
CPX 2016 Moti Sagey Security Vendor LandscapeCPX 2016 Moti Sagey Security Vendor Landscape
CPX 2016 Moti Sagey Security Vendor Landscape
 

More from Lancope, Inc.

Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective Security
Lancope, Inc.
 
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesSave Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Lancope, Inc.
 
Save Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly BreachesSave Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly Breaches
Lancope, Inc.
 
Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security
Lancope, Inc.
 
Insider threats webinar 01.28.15
Insider threats webinar 01.28.15Insider threats webinar 01.28.15
Insider threats webinar 01.28.15
Lancope, Inc.
 
Protecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data BreachesProtecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data Breaches
Lancope, Inc.
 
The Library of Sparta
The Library of SpartaThe Library of Sparta
The Library of Sparta
Lancope, Inc.
 
Looking for the weird webinar 09.24.14
Looking for the weird   webinar 09.24.14Looking for the weird   webinar 09.24.14
Looking for the weird webinar 09.24.14
Lancope, Inc.
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
Lancope, Inc.
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
Lancope, Inc.
 
Reverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation TovarReverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation Tovar
Lancope, Inc.
 
Data center webinar_v2_1
Data center webinar_v2_1Data center webinar_v2_1
Data center webinar_v2_1
Lancope, Inc.
 
Insider threat v3
Insider threat v3Insider threat v3
Insider threat v3
Lancope, Inc.
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5
Lancope, Inc.
 
The Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemThe Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch System
Lancope, Inc.
 
Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better Together
Lancope, Inc.
 
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
Lancope, Inc.
 

More from Lancope, Inc. (17)

Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective Security
 
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesSave Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
 
Save Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly BreachesSave Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly Breaches
 
Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security
 
Insider threats webinar 01.28.15
Insider threats webinar 01.28.15Insider threats webinar 01.28.15
Insider threats webinar 01.28.15
 
Protecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data BreachesProtecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data Breaches
 
The Library of Sparta
The Library of SpartaThe Library of Sparta
The Library of Sparta
 
Looking for the weird webinar 09.24.14
Looking for the weird   webinar 09.24.14Looking for the weird   webinar 09.24.14
Looking for the weird webinar 09.24.14
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
Reverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation TovarReverse Engineering Malware: A look inside Operation Tovar
Reverse Engineering Malware: A look inside Operation Tovar
 
Data center webinar_v2_1
Data center webinar_v2_1Data center webinar_v2_1
Data center webinar_v2_1
 
Insider threat v3
Insider threat v3Insider threat v3
Insider threat v3
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5
 
The Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch SystemThe Critical Security Controls and the StealthWatch System
The Critical Security Controls and the StealthWatch System
 
Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better Together
 
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
Ponemon Report: Cyber Security Incident Response: Are we as prepared as we th...
 

Recently uploaded

Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Precisely
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
BibashShahi
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 

Recently uploaded (20)

Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 

The Seven Deadly Sins of Incident Response

• 12. 2. Not having the right staff
• 13. Or any staff… Number of team members in CSIRT: None 12%, One 16%, 2 to 5 44%, 6 to 10 23%, More than 10 5%. Number of team members fully dedicated to CSIRT: None 45%, One 28%, 2 to 5 14%, 6 to 10 11%, More than 10 2%. (Source: Lancope / Ponemon Institute)
• 14. Collection, Analysis, Action / Realizing Value
• 15. Not having the right staff
  • Technical skills
  • Knowledge transfer
  • Appropriate to type of company
• 16. What functions or departments are involved in the incident response process? IT Management 79%, Executive Management 14%, Board of Directors 10%, Risk management 36%, Legal 45%, Compliance 47%, HR 43%. (Source: Lancope / Ponemon Institute)
• 17. 3. Lack of budget (a.k.a. Not being able to speak the language of the business)
• 18. Lack of budget
  • Communicating technical issues in technical terms to the business
  • Not helping to sell more ‘widgets’
  • Ineffective allocation of budget
  (Source: 451 Research)
• 19. (chart; Source: 451 Research)
• 20. How much of your security budget goes towards an incident response program? Less than 10%: 50%; 10% to 20%: 31%; 21% to 30%: 11%; 31% to 40%: 5%; 41% to 50%: 2%; More than 50%: 1%. (Source: Lancope / Ponemon Institute)
• 21. Does your organization have meaningful operational metrics to measure the overall effectiveness of incident response activities? Yes 46%, No 50%, Unsure 4%. Does your organization have meaningful operational metrics to measure the speed at which incidents are being detected and contained? Yes 42%, No 55%, Unsure 3%. (Source: Lancope / Ponemon Institute)
• 22. Frequency of cyber threat briefings to various functions within the organization (Very frequently and frequently responses combined): IT Management 91%, Compliance / Audit 64%, Legal 51%, HR 50%, Risk Management 49%, Broadly throughout org. 24%, Executive Management 20%, Board of Directors 12%. (Source: Lancope / Ponemon Institute)
• 23. 4. Becoming a headless chicken when IT hits the fan (a.k.a. not having a plan)
• 24. Becoming a headless chicken when IT hits the fan
  • Undefined roles and reporting lines
  • Knee-jerk reactions and decisions
  • Lack of change management
• 25. Vince Lombardi, sort of: “When you get into [an incident investigation], act like you've been there before.”
• 26. Things to ask ahead of time
  • Who can approve what actions?
  • Does the type of incident affect the answer?
  • If an appropriate person cannot be reached, can the incident responder act on their own after a given amount of time?
  (and get in writing)
• 27. Things to ask ahead of time
  • What are end-users’ responsibilities in the incident response process?
  • Are they required to turn over machines to the CSIRT?
  • In the event of a compromise resulting in a wipe, do users get access to their files? Which ones?
  • What happens when a user needs something that the CSIRT has blocked?
  • Who handles exceptions?
  (and get in writing)
• 28. Things to ask ahead of time
  • What are your external (legal, compliance, contractual) obligations?
  • At what point has there been a “breach”?
  • Is this the point when other teams (legal, etc.) are notified?
  • If any, what are your external notification requirements?
  (and get in writing)
• 29. Things to ask ahead of time
  • Can your CSIRT participate in information and indicator sharing groups?
  • Can your CSIRT run malware live on the internet?
  • What are safe handling requirements?
  • Can your CSIRT interact with malicious hosts for the purpose of intelligence gathering?
  • From the corporate LAN? An unattributed network?
  (and get in writing)
• 30. 5. Using generic response processes that aren’t specific to your organization
• 31. Using generic response processes that aren’t specific to your organization
  • ‘Monkeys in a cage’ mentality
  • Not tailoring processes to your company
  • Lack of risk assessment and measurement
• 32. Note: All of the ‘questions’ in the last section were just that, questions.
• 33. You need to know (or figure out) what is best for your own organization, and that’s not just a technical decision.
• 34. Should your CSIRT make decisions or recommendations?
• 35. 6. Improper threat modelling (a.k.a. missing the big picture)
• 36. Improper threat modelling
  • Missing the big picture
  • Emotion-based decision making
  • Defending against all possible threats all the time
• 38. The safest network is one with nothing connected. Go ahead and make that your policy.* (* Don’t do this.)
  • 39. © 2015 Lancope, Inc. All rights reserved.© 2015 Lancope, Inc. All rights reserved. 7. Not considering your environment and capabilities when tuning devices 39
  • 40. © 2015 Lancope, Inc. All rights reserved. Not considering your environment and capabilities when tuning devices • Unable to separate the news from the noise • Settings defaults and forgetting • Monitoring quality of alerts vs. counting stats • Shelfware 40
  • 41. © 2015 Lancope, Inc. All rights reserved. 41
  • 42. © 2015 Lancope, Inc. All rights reserved. Things to ask think about when tuning • Tuning is an iterative process Dealing with quantity and sensitivity 42
  • 43. © 2015 Lancope, Inc. All rights reserved. Things to ask think about when tuning • Tuning is an iterative process • What type of setup are you working to? • A bat-signal to summon the part-time CSIRT employee? • A set of ‘suspicious’ things for analysts to investigate? Dealing with quantity and sensitivity 43
  • 44. © 2015 Lancope, Inc. All rights reserved. Things to ask think about when tuning • Tuning is an iterative process • What type of setup are you working to? • A bat-signal to summon the part-time CSIRT employee? • A set of ‘suspicious’ things for analysts to investigate? • Using detection tools to supplement your knowledge • Context • Someone on the Internet port scans hosts in your DMZ? Meh. • A host on your LAN begins scanning internal ranges? Hrm… Dealing with quantity and sensitivity 44
• 45. Things to think about when tuning: dealing with quantity and sensitivity
  • Tuning is an iterative process
  • What type of setup are you working to?
    • A bat-signal to summon the part-time CSIRT employee?
    • A set of ‘suspicious’ things for analysts to investigate?
  • Using detection tools to supplement your knowledge
    • Context
      • Someone on the Internet port scans hosts in your DMZ? Meh.
      • A host on your LAN begins scanning internal ranges? Hrm…
  • Familiarize yourself with the rules/events/alarms you turn on
    • The best rule/event/alarm is one that you wrote yourself
    • Know how it works, when it doesn’t, what it means, and what to do…
    • Learn which events are your ‘money’ events, and figure out why the others aren’t in that bucket
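The "context" point above (an Internet host sweeping the DMZ is noise; a LAN host sweeping internal ranges is news) is the kind of rule the slides say you should write yourself. The following is an added example, not code from the Lancope deck: a generic port-scan heuristic over NetFlow-style records, followed by a triage step that applies zone context before deciding how loud the alarm should be. The address plan (10/8 and 192.168/16 as internal, 203.0.113.0/24 as the DMZ) and the flow records are constructed for the example; in practice they come from your own inventory and collector.

```python
import ipaddress
from collections import defaultdict

# Constructed address plan for the example; real tuning starts from your own
# inventory of which hosts live where (compare sin 1: visibility).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
DMZ_NET = ipaddress.ip_network("203.0.113.0/24")   # RFC 5737 documentation range


def zone(ip: str) -> str:
    """Map an address to the zone it belongs to: 'internal', 'dmz' or 'internet'."""
    addr = ipaddress.ip_address(ip)
    if addr in DMZ_NET:
        return "dmz"
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "internet"


def scanners(flows, min_targets=8):
    """Context-free scan heuristic, the kind a vendor default ships with:
    any source that touched at least min_targets distinct (dst, dport) pairs.
    flows is an iterable of (src, dst, dport). Returns {src: set of (dst, dport)}."""
    touched = defaultdict(set)
    for src, dst, dport in flows:
        touched[src].add((dst, dport))
    return {src: t for src, t in touched.items() if len(t) >= min_targets}


def triage(flows, min_targets=8):
    """Apply zone context to the raw scan hits. Returns {src: severity}.
    'high'   = LAN host sweeping internal ranges: investigate now
    'info'   = Internet host probing only the DMZ: log it, don't page anyone
    'medium' = everything else, e.g. a DMZ host probing inward"""
    verdicts = {}
    for src, targets in scanners(flows, min_targets).items():
        src_zone = zone(src)
        dst_zones = {zone(dst) for dst, _ in targets}
        if src_zone == "internal" and "internal" in dst_zones:
            verdicts[src] = "high"
        elif src_zone == "internet" and dst_zones == {"dmz"}:
            verdicts[src] = "info"
        else:
            verdicts[src] = "medium"
    return verdicts


# Constructed sample flows (src, dst, dport):
#  - an Internet host sweeps 12 ports on one DMZ web server
#  - a workstation sweeps SMB on 12 internal hosts
#  - a DMZ host probes SSH on 10 internal hosts
#  - a workstation makes 20 normal DNS queries (one dst/port pair, not a scan)
SAMPLE_FLOWS = (
    [("198.51.100.7", "203.0.113.10", p)
     for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080, 8443)]
    + [("10.1.5.23", f"10.1.6.{i}", 445) for i in range(1, 13)]
    + [("203.0.113.10", f"10.1.7.{i}", 22) for i in range(1, 11)]
    + [("10.1.5.40", "10.1.0.5", 53)] * 20
)

if __name__ == "__main__":
    for src, sev in sorted(triage(SAMPLE_FLOWS).items(), key=lambda kv: kv[1]):
        print(f"{sev:6} {src}")
```

The split between `scanners()` and `triage()` is the point: the first function is what you get out of the box and fires on all three sweeps equally, the second is the part that encodes your environment. Raising `min_targets` or adding zones is the iterative tuning the slide describes, and because the logic is yours you know exactly when it will not fire (a slow scan under the threshold, a host whose zone is mis-inventoried).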
• 47. 8. Not taking advantage of the fruits of an incident investigation
• 48. Chart: What type of tools are most effective in helping to detect breaches? (Source: Lancope / Ponemon Institute)
  • NetFlow / Pcap: 80%
  • SIEM: 76%
  • IDS / IPS: 67%
  • Threat Feeds: 65%
• 49. Chart: Do your organization's incident investigations result in threat indicators which are used to defend the organization from future attacks? (Source: Lancope / Ponemon Institute)
  • Yes: 43%
  • No: 54%
  • Unsure: 3%
• 50. Recap!
  1. Not understanding your environment due to a lack of visibility
  2. Not having the right staff
  3. Lack of budget
  4. Becoming a headless chicken when IT hits the fan
  5. Using generic response processes that aren’t specific to your organization
  6. Improper threat modelling
  7. Not considering your environment and capabilities when tuning devices
  8. Not taking advantage of the fruits of an incident investigation
• 51. Thank you!
  • @Lancope
  • https://www.facebook.com/Lancope
  • http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about
  • https://plus.google.com/u/0/103996520487697388791/posts
  • http://feeds.feedblitz.com/netflowninjas