How To Build An Incident Response Function
Aug 07, 2015
Introductions: Today’s Speakers
• Ted Julian, Chief Marketing Officer, Co3 Systems
• Richard White, MBA CISSP CHP/CHSS, Solutions Principal, HP Security Intelligence and Operational Consulting
Agenda
• The Four Pillars of an Incident Response function:
– Pillar 1: Identifying Critical Assets and Risks
– Pillar 2: Scope the potential impact to the organization
– Pillar 3: Understand your capabilities
– Pillar 4: Know your threats and prepare
• Questions
About Co3’s Incident Response Management System
PREPARE – Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (fire drills / table tops)
ASSESS – Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries
MANAGE – Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence
MITIGATE – Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
Security Intelligence & Operations Consulting
ESP Services
Founded: 2007
Experience:
• 30+ SOC Builds
• 90+ SOC Assessments
• 30+ SIOC Consultants worldwide
Solution Approach:
• People, Process, & Technology
Accelerated Success:
• Mature Project Methodology
• Best Practices
• Extensive Intellectual Capital
Purpose:
Ensure our customers are successful with ESP products by providing the right People, building the right Processes and delivering effective Technology.
HP’s industry-leading scale
• Monthly security events: 2.3 billion
• HP secured user accounts: 47m
• HP security professionals: 5000+
• HP managed security customers: 900+
• Global Security Operations Centers: 8 global SOCs, plus a planned regional SOC
• 10 out of 10 top telecoms
• 9 out of 10 major banks
• 9 out of 10 top software companies
• All major branches of the US Department of Defense
Pillar 1: Identifying Critical Assets and Risks
Create an Asset and Threat Inventory
• Asset Inventory – what are you trying to protect (people, processes, physical, data)
• Threat Inventory – what are the threats (Cyber, Weather, Infrastructure, etc.)
Example asset inventory (business view):
Asset | Description | Owner | Category | BU | Date | Vendor | Qty | Value | Model No. | Serial No.
Marketing database | Marketing database, customer list | Bob Ratchet | Data | ME Dept. | 4/17/14 | Oracle | 1 | $25,000 | |
Web Server | Linux server, Apache web server | Debbie Thompson | Hardware/Software/Data | Operations | 9/3/14 | Multiple | 4 | $1,200,000 | |

Example asset inventory (network view):
Name | Host Name | IP Address | MAC Address | Static Addressing | Category URI
WMServer1 | WMServer1 | 10.100.4.128 | 00:AE:FE:01:08 | 10.100.4.128 | /All Asset Categories/Prod
WMServer2 | WMServer2 | 10.100.4.130 | 01:AF:CB:02:09 | 10.100.4.130 | /All Asset Categories/Prod
WMServer3 | WMServer3 | 10.100.4.127 | 00:AE:FE:01:08 | 10.100.4.127 | /All Asset Categories/Prod
WMServer4 | WMServer4 | 10.100.4.125 | 01:AF:CB:02:11 | 10.100.4.125 | /All Asset Categories/Prod
WMServer10 | WMServer10 | 10.100.4.121 | 00:AE:FE:01:00 | 10.100.4.121 | /All Asset Categories/Prod
DBServer3 | DBServer3 | 10.101.4.99 | 01:AF:CB:02:21 | 10.101.4.99 | /All Asset Categories/Prod
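An inventory is only useful to responders if it is accurate, so a practical first step is to run hygiene checks over the export before relying on it during an incident. The following is an added example, not code from the deck or from Co3/HP: it parses a CSV in the shape of the network-view table above and flags the defects a responder would trip over (unparseable IPs, malformed or duplicated MAC addresses, duplicated IPs, a static address that disagrees with the recorded IP, and assets filed outside the taxonomy root). The sample rows are constructed for illustration: the IP addresses are the slide's, the MAC addresses are extended to six octets, and one duplicate MAC, one malformed MAC and one static-address mismatch are planted so the checks have something to find.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the slide's network-asset table (not the
# deck's own data). Defects are planted deliberately: WMServer1/WMServer3
# share a MAC, WMServer4 has a five-octet MAC, DBServer3's static address
# does not match its recorded IP.
SAMPLE_INVENTORY_CSV = """\
Name,Host Name,IP Address,MAC Address,Static Addressing,Category URI
WMServer1,WMServer1,10.100.4.128,00:AE:FE:01:08:10,10.100.4.128,/All Asset Categories/Prod
WMServer2,WMServer2,10.100.4.130,01:AF:CB:02:09:11,10.100.4.130,/All Asset Categories/Prod
WMServer3,WMServer3,10.100.4.127,00:AE:FE:01:08:10,10.100.4.127,/All Asset Categories/Prod
WMServer4,WMServer4,10.100.4.125,01:AF:CB:02:11,10.100.4.125,/All Asset Categories/Prod
WMServer10,WMServer10,10.100.4.121,00:AE:FE:01:00:12,10.100.4.121,/All Asset Categories/Prod
DBServer3,DBServer3,10.101.4.99,01:AF:CB:02:21:13,10.101.4.98,/All Asset Categories/Prod
"""

# Six colon-separated hex octets; anything else is treated as malformed.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# Taxonomy root used on the slide; every Category URI should sit under it.
CATEGORY_ROOT = "/All Asset Categories/"


def load_inventory(csv_text):
    """Parse an inventory export (CSV text) into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def check_inventory(rows):
    """Return a list of (asset name, problem) findings for an inventory."""
    findings = []
    # Count MACs and IPs up front so duplicates can be reported per asset.
    mac_count = Counter(r["MAC Address"].upper() for r in rows)
    ip_count = Counter(r["IP Address"] for r in rows)
    for r in rows:
        name = r["Name"]
        try:
            ipaddress.ip_address(r["IP Address"])
        except ValueError:
            findings.append((name, "invalid IP address"))
        mac = r["MAC Address"].upper()
        if not MAC_RE.match(mac):
            findings.append((name, "malformed MAC address"))
        elif mac_count[mac] > 1:
            findings.append((name, "duplicate MAC address"))
        if ip_count[r["IP Address"]] > 1:
            findings.append((name, "duplicate IP address"))
        static = r["Static Addressing"]
        if static and static != r["IP Address"]:
            findings.append((name, "static address differs from recorded IP"))
        if not r["Category URI"].startswith(CATEGORY_ROOT):
            findings.append((name, "category URI outside the asset taxonomy"))
    return findings


if __name__ == "__main__":
    for name, problem in check_inventory(load_inventory(SAMPLE_INVENTORY_CSV)):
        print(f"{name}: {problem}")
```

Run as a script it lists four findings for the constructed sample (two duplicate-MAC entries, one malformed MAC, one static-address mismatch). The same checks apply unchanged to a real export, and an empty findings list is the condition to require before the inventory is handed to the IR team.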
Pillar 1: Identifying Critical Assets and Risks
• Identify the assets at a high level and work down
– What is critical?
– What is its value if lost?
• Replacement cost, additional staffing, resource expenses, manual processing costs.
• Lost revenue.
– What are the dependencies and interdependencies?
• Impact to people?
• How will processes be affected in other areas?
Pillar 1: Identifying Critical Assets and Risks
• Get the business partners involved in the data collection process
– What is mission critical?
– Where is critical or sensitive information stored or processed?
– What locations are mission critical or high value?
– Assess the impact on the organization's critical functions, operations, and customers.
• Collect the information: questionnaires, interviews, workshops
Pillar 1: Identifying Critical Assets and Risks
Threat inventory (examples)
• Fire
• Flood
• Cyber Attacks
• Insider Fraud
• Failed Backup
• HVAC Failure
• Hurricane
• Terrorism
• Data Theft
• PII Disclosure
• Power Failure
• Phishing Attack
• Loss of Key Staff
• Virus Outbreak
• Pandemic
• Lawsuits
Risk Distribution
Threat | No.
Fire | R01
Flood | R02
Cyber Attacks | R03
Insider Fraud | R04
Failed Backup | R05
Virus Outbreak | R06
HVAC Failure | R07
Data Theft | R08
PII Disclosure | R09
Power Failure | R10
Phishing Attack | R11
Loss of Key Staff | R12
[Risk distribution chart: a 3x3 likelihood/impact matrix (Low, Medium, High on each axis) with threats R01–R12 plotted in their cells; the plotted positions are not recoverable from the text.]
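The chart places each numbered threat in a likelihood-by-impact cell so the team can see at a glance which risks deserve response procedures and exercises first. The following is an added example, not code from the deck: it takes the slide's R01–R12 register, scores each threat as ordinal likelihood times ordinal impact, bands the score into Low/Medium/High, ranks the register, and renders the 3x3 matrix as text. The likelihood and impact ratings assigned to each threat, and the band thresholds, are illustrative assumptions for this example and are not ratings from the deck.

```python
# Threat register as numbered on the slide.
THREATS = {
    "R01": "Fire", "R02": "Flood", "R03": "Cyber Attacks",
    "R04": "Insider Fraud", "R05": "Failed Backup", "R06": "Virus Outbreak",
    "R07": "HVAC Failure", "R08": "Data Theft", "R09": "PII Disclosure",
    "R10": "Power Failure", "R11": "Phishing Attack", "R12": "Loss of Key Staff",
}

# Ordinal weights for the matrix axes; the axis labels are the slide's.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}
COLUMNS = ["Low", "Medium", "High"]          # likelihood, left to right
ROWS = ["High", "Medium", "Low"]             # impact, top to bottom

# (likelihood, impact) per threat. These ratings are a constructed
# assumption for illustration, not the deck's own assessment.
RATINGS = {
    "R01": ("Low", "High"),    "R02": ("Low", "Medium"),
    "R03": ("High", "High"),   "R04": ("Medium", "High"),
    "R05": ("Medium", "Medium"), "R06": ("High", "Medium"),
    "R07": ("Medium", "Medium"), "R08": ("Medium", "High"),
    "R09": ("Medium", "High"), "R10": ("Medium", "Low"),
    "R11": ("High", "Medium"), "R12": ("Low", "Medium"),
}


def risk_score(likelihood, impact):
    """Ordinal likelihood x impact, giving 1..9 for a 3x3 matrix."""
    return LEVELS[likelihood] * LEVELS[impact]


def risk_band(score):
    """Map a 1..9 score to three bands (thresholds are an assumption)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def rank_risks(ratings):
    """Return (id, threat, likelihood, impact, score, band), highest first."""
    rows = []
    for rid, (likelihood, impact) in ratings.items():
        score = risk_score(likelihood, impact)
        rows.append((rid, THREATS[rid], likelihood, impact, score, risk_band(score)))
    # Ties keep register order so the output is stable between runs.
    rows.sort(key=lambda r: (-r[4], r[0]))
    return rows


def risk_matrix(ratings):
    """Group threat ids by their (likelihood, impact) cell."""
    grid = {}
    for rid, cell in ratings.items():
        grid.setdefault(cell, []).append(rid)
    return grid


def render_matrix(ratings):
    """Text version of the slide's chart: impact rows, likelihood columns."""
    grid = risk_matrix(ratings)
    header = "Impact / Likelihood | " + " | ".join(f"{c:<16}" for c in COLUMNS)
    lines = [header]
    for impact in ROWS:
        cells = [", ".join(grid.get((lik, impact), [])) or "-" for lik in COLUMNS]
        lines.append(f"{impact:<19} | " + " | ".join(f"{c:<16}" for c in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    for rid, name, lik, imp, score, band in rank_risks(RATINGS):
        print(f"{rid} {name:<18} L={lik:<6} I={imp:<6} score={score} band={band}")
    print()
    print(render_matrix(RATINGS))
```

The ranking is what feeds Pillar 3: every threat in the register gets a response procedure regardless of band, but the High band determines which procedures are drilled first. Replacing RATINGS with the values agreed in the business-partner workshops reproduces the organization's own chart.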
Pillar 2: Scope the Potential Impact to the Organization
Priority | Asset/Business Process | Recovery Time Objective (RTO) | Maximum Tolerable Downtime (MTD) | Recovery Point Objective (RPO)
1 | Point of Sale | 15 minutes | 30 minutes | 4 hours
2 | Email | 12 hours | 48 hours | 24 hours
2 | Employee payroll | 48 hours | 96 hours | 12 hours

Point of Sale – impact by incident severity
Priority | Severe | Moderate | Minimal
Impact | Loss of revenue, overtime costs, loss of customer loyalty, data loss | Some revenue loss, overtime costs, customer annoyance | Loss of revenue
Cost | Greater than 300k per hour | 100-150k per hour | <25k per hour
(row unlabelled on slide) | 3% | 22% | 60%
Pillar 2: Scope the Potential Impact to the Organization
Understand what has a negative impact on the business
• Loss of data.
• Reputation.
• Legal requirements.
• What's the cost of a severe, moderate or minimal incident?
• How long can we be down and survive?
• Who will be impacted the most?
Pillar 3: Understand your Capabilities
An IR function consists of People, Processes and Technology.
People: the team must consist of individuals with the appropriate skills and experience for incident response. The effectiveness of the team depends on the technical skills and critical thinking abilities of its members.
Processes: create an incident response policy. The incident response policy is the foundation of the incident response function. As an important first step it defines what is considered an incident, establishes the organizational structure for incident response, defines roles and responsibilities and defines the reporting requirements.
Technology: identify the security technology defenses, logging and detection tools, forensics tools, system monitoring and communication platforms.
Pillar 3: Understand Your Capabilities
Team Roles
• Executive Sponsor – Incident Response Owner, accountable for the IR function. Typically an officer of the company or the CISO.
• Incident Commander – Leads the team: activates the team, trains the team, and maintains communication with stakeholders.
• Subject Matter Experts – Individuals with the expertise, system access, training and experience to respond to incidents.
Pillar 3: Understand Your Capabilities
Who is on the team
• Ensure that all members and their management understand their roles and responsibilities.
• Education and training are critical.
• Have a well-defined mission statement.
• Identify other groups within and outside the organization that may need to participate in incident handling.
• Identify third parties that may be needed for expertise that is not normally available in-house.
Pillar 3: Understand Your Capabilities
Processes
• Incident response policy.
• Incident response plan based on the incident response policy.
• Incident response procedures developed for all identified threats, not just the most likely ones.
• Communication plan – the company directory is not adequate.
• Disaster recovery planning.
Pillar 3: Understand Your Capabilities
Technological capabilities
• Work with the SMEs
• IDS/IPS
• SIEM
• AV/Malware
• FIPS/FIDS
• Monitoring tools
• OS/Application logs
• Network tools/logs
• Network Flows
• Vulnerability scanners
• Forensic tools
• Encryption tools
• Database
• Research tools
Pillar 4: Know Your Threats and Prepare
When asked why he robbed banks, Willie Sutton said “Because that is where all the money is…”
Pillar 4: Know Your Threats and Prepare
• What would an attacker gain by attacking you?
– Monetary
– Political
– Prestige
– Data
– Control of infrastructure
– Etc.
• What kind of attacker would attack you?
– Insider threat / disgruntled employee
– State sponsored
– Hacktivist
– Hacker
• Malicious vs. non-malicious threats
Pillar 4: Know Your Threats and Prepare
• Drills
• Desktop exercises
• Functional Exercises
• Full scale exercises
The exercise scenarios are designed to simulate technical, operational, communication and/or strategic responses to incidents with a view to reviewing and refining current capabilities.
[Figure: incident response lifecycle – Preparation; Detection and Analysis; Containment and Eradication; Recovery]
Pillar 4: Know Your Threats and Prepare
• Overall goals
– Examine information sharing
– Assess decision making
– Evaluate roles and responsibilities within the organization
• Multi-group participation allows us to
– Understand incident management across multiple departments and entities
– Evaluate threat information sharing among the whole community
– Understand roles and responsibilities
– Test and evaluate Incident Response coordination
Resources
• Cyber Incident Response: Are business leaders ready?
http://www.arbornetworks.com/news-and-events/press-releases/recent-press-releases/5160-economist-intelligence-unit-and-arbor-networks-research-show-83-percent-of-businesses-are-not-fully-prepared-for-an-online-security-incident
• NIST Computer Security Incident Handling Guide
http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
• State of Security Operations – HP
https://ssl.www8.hp.com/ww/en/secure/pdf/4aa5-0501enw.pdf
• 5 stages of defense: Understanding the kill chain
http://h30458.www3.hp.com/us/us/discover-performance/security-leaders/2013/jul/5-stages-of-defense--understanding-the-kill-chain_1307229.html
Upcoming Co3 Events
• “Encryption: Who, What, When, Where, and Why It's Not a Panacea”
– Webinar with Morrison Foerster: October 2, 2014, 1-2 pm
– https://www4.gotomeeting.com/register/525395863
• Cyber IP Expo, London, UK: October 8-9, 2014
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013
“Co3…defines what software packages for privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE
Richard White, MBA CISSP CHP/CHSS
Principal, Security Intelligence and Operations Consulting
[email protected]