When a Data Breach Happens, What's Your Plan?

of 11ENTERPRISE SECURITY ENTERPRISE SHAREPOINTSlide 1
When a Data Breach
Happens,
What’s Your Plan ?
Edge Pereira
ES2 Solutions Architect
edge@es2.com.au
Twitter: @superedge
Stuart Mills
ES2 Director
stuart@es2.com.au
2015

Our Plan for Today
• Making Sense of Threats
• Cloud Breaching Incident Plan
• What to do After the Incident?
• Recommendations
• Q & A

Making Sense of Threats
Outsider
End User
Insider
Secure Design
Secure Code
Protections against attacks
Assume Breach
Contain Attackers
Detect Attackers
Remediate Attacks
Built controls
DLP, Encryption, etc.
Auditing

Internet cafes in
vacation spots
Every time you connect to the internet
Wonderful Internet
Services
Ideological
Movements
Organized
Crime
Nation
States

Hacking in the Good Old Days

Data Breaches
Source: Liam Clearly BRK2142 Microsoft Ignite

Numerous, Active, and Evolving Threats…

…Very Active Threats
Social media giants Facebook, LinkedIn, among others, get hacked… repeatedly.

“The personal details of world leaders – including David Cameron, Barack Obama and Vladimir Putin –
have been accidentally revealed in an embarrassing privacy breach.”
It has been discovered that an employee at the Australian immigration department mistakenly sent personal information of
all world leaders attending the G20 Summit to organisers of the Asian Cup football tournament.
And the heads of government were kept in the dark about the employee’s blunder.
The passport numbers and visa details of United States president, Barack Obama, the Russian president, Vladimir Putin,
the German chancellor, Angela Merkel, the Chinese president, Xi Jinping, the Indian prime minister, Narendra Modi, the
Japanese prime minister, Shinzo Abe, the Indonesian president, Joko Widodo, and the British prime minister, David
Cameron, were all exposed.
Source: http://www.independent.co.uk/news/world/personal-details-of-obama-putin-cameron-and-merkel-sent-to-wrong-email-address-by-g20-summit-organiser-10142539.html
Leaks and Training

Source: http://www.canberratimes.com.au/national/public-service/federal-privacy-authorities-called-in-over-centrelink-breach-20140818-105hjw
Leaks and Training

The Evolution of Attacks
Targeting
Sophistication
Volume and impact
Script kiddies
BLASTER, SLAMMER
Motive: mischief
2003–2004

2005–PRESENT
Organized crime
RANSOMWARE,
CLICK-FRAUD,
IDENTITY THEFT
Motive: profit
Sophistication
Targeting

Organized crime
RANSOMWARE,
CLICK-FRAUD,
IDENTITY THEFT
Motive: profit
2012–BEYOND
Nation states,
activists,
terror groups
BRAZEN,
COMPLEX,
PERSISTENT
Motives:
IP theft,
damage,
disruption
Sophistication
Targeting

Defining Risk
Vulnerability Threat Consequence
Risk
The U .S. Department of Homeland Security (DHS) defines risk as
a vulnerability coupled with a threat that creates a consequence

Writing a Cloud Breach Incident Plan
• What is the problem you are solving?
• No executive sponsor? No worries
• Advisory committee
• Know your audience

Sample Plan
• Foreword
• Objective
• Scope
• Assumptions
• Ownership
• Execution command topologies
• Plan structure

Plan Structure
17
Preparation
Detection
& analysis
Declaration
&
mobilization
Technical
actions
Supporting
actions
Incident
containment
Post
incident
Plan
Maintenance

Incident Preparation
• Crystal ball exercise
• What kind of information could you share with 3rd party or law
enforcement?
• If you loose PCI or PII data, how would you notify them? Who in the
community can help you?
• For credit monitoring, what would be the services, costs involved, and
to whom?
• Compile these into one or more documents. Label it crisis response.

Incident Detection and Analysis
• Sources of information
• Define what is an “incident”, “alert”, “suspicious events”
• Define severities
• Peer-review with IT, InfoSec and Legal

Incident Response
• “Who does what when”
• Tiger team and decision making structure
• Battle rhythm. Everyone needs to know what to do and not wait.
• Time to make decisions not longer than executing
• Declaration of end of incident

Incident Response - Tiger Team
Team Leader
•Oversee all team
work
•Keep team focused
on damage
containment
Lead
Investigator
•Collect & Analyzes
evidence
•Root cause
•Manages the
business continuity
plan
Comms Lead
•Messaging for all
audiences
•Inside and outside
the company
Documentation
and Timeline
Leader
•Investigations
•Discovery and
recovery
•Documents
timeline events
HR/Legal
Leader
•Criminal charges
developments

Plan Post-Incident
• Lessons learned
• Recommendation #1: test the plan once an year

Recommendations
• Expand the use of Encryption
• Workforce training and awareness programs
• Strengthening of perimeter controls
• Implement identity and access management solutions (privileged access first)
• Strong endpoint security solutions
• Implement data loss prevention solutions
• Get a security certification or independent audit
How to Mitigate the Risk and Consequences of a Data
Breach

Q & A

Recap
• Making Sense of Threats
• Cloud Breaching Incident Plan
• What to do After the Incident?
• Recommendations
• Q & A

Learn More
• Office 365 Trust Portal
• ES2 website www.es2.com.au
• Computer Incident Response, NK McCarthy
• BRK2159 Office 365 today and beyond, TechEd NA
• www.superedge.net
Useful Material and Links

Hour of Code - https://code.org/learn

Thank You

Perth Head Office
“The Factory” 69 King Street
Perth, WA 6000
Perth Business Centre
Level 27, 44 St Georges Terrace
Perth, WA 6000
Brisbane Business Centre
Level 18, 123 Eagle Street,
Brisbane, QLD, 4000
Sydney Business Centre
Level 12, 95 Pitt Street,
Sydney NSW, 2000
Paris Business Centre
4 rue Neuve de la Chardonnière, 75018,
Paris, FRANCE
www.es2.com.au

Additional Slides

Common Myths About the Cloud
Myths
• On-premises is more secure
• Data is used for mining (i.e.. Advertising)
• It’s not compliant with industry regulations
• Control of data in the cloud is lost
Office 365
• Built to provide a level of security that exceeds most
customers on infrastructure and scale
• The first to comply with ISO/IEC 27018. Prohibits use of
PII for ads and marketing
• Compliant with HIPAA, FISMA, MPAA etc (industries and
governments)
• Designed for complete customer data control.
• You own the data, MS manages it for you.

Government Access to Cloud Data
Microsoft will not…
• Provide any government with direct or unfettered
access to customer data
• Assist any government’s efforts to break cloud
encryption
• Provide any government with encryption keys
• Engineer back doors into the cloud products (MS will
take steps to ensure governments can independently verify this)
• If governments are engaging in broader
surveillance of communications, MS is not involved
and it is taking steps to enhance the security of
customer’s data
Microsoft will…
http://www.microsoft.com/about/corporatecitizenship/en-us/transparencyhub/
• Disclose enterprise customer data only by a
valid legal order and only for the data required
• Publish a law enforcement request report every
six months
20.8%
7.84%
71.36%
Disclosed content
Only subscriber/transactional data
No data found
Rejected
Australia

Security Innovation
• Continuous investigation
• Advanced tactics
• “Penetration games”
• World-class security experts

Encryption at Rest and In-Transit
• Data Loss Prevention
• Search
• Insights
• Content analysis

Controls Implemented After a Data Breach
35
48
46
40
35
27 26 25
23
21
18
48
41
43
26
22 23
30
19 18
21
52
35
42
23
19 20
32
34
14 15
0
10
20
30
40
50
60
Use of encryption Additional manual
procedures and
controls
Training and
awareness programs
Strenghtening
perimeter controls
Identity and access
management solutions
Other system control
practices
Endpoint security
solutions
Security intelligence
solutions
Data loss prevention
solutions
Security certification or
audit
2013 2014 2015

When a Data Breach Happens, What's Your Plan?

More Related Content

What's hot

Viewers also liked

Similar to When a Data Breach Happens, What's Your Plan?

More from Edge Pereira

Recently uploaded

When a Data Breach Happens, What's Your Plan?