How To Build An Incident Response Function

Nov 02, 2014


Technology

Co3 Systems

Is your organization ready to respond to an incident? More specifically, do you have the people, process, and technology in place that is required to cope with today's threats?

This webinar will provide practical steps on how to assess your organization's risks, threats, and current capabilities through a methodical and proven approach. From there, it will detail the people, process, and technology considerations when standing up or revitalizing an incident response (IR) program.


Specifically, it will cover the four pillars of a modern IR function:
- Identify what must be protected
- Scope potential breach impact to the organization
- Define IR management capabilities
- Determine likely threats and their potential impact

Our featured speakers for this webinar will be:
- Ted Julian, Chief Marketing Officer, Co3 Systems
- Richard White, Solutions Principal, HP
Transcript
Page 1: How To Build An Incident Response Function

How To Build An Incident Response Function

Page 2: How To Build An Incident Response Function

Introductions: Today’s Speakers

• Ted Julian, Chief Marketing Officer, Co3 Systems
• Richard White, MBA CISP CHP/CHSS, Solutions Principal, HP Security Intelligence and Operational Consulting

Page 3: How To Build An Incident Response Function

Agenda

• The Four Pillars of an Incident Response function:
  – Pillar 1: Identifying critical assets and risks
  – Pillar 2: Scope the potential impact to the organization
  – Pillar 3: Understand your capabilities
  – Pillar 4: Know your threats and prepare
• Questions

Page 4: How To Build An Incident Response Function

About Co3’s Incident Response Management System

MITIGATE – Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization

ASSESS – Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries

PREPARE – Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (fire drills / table tops)

MANAGE – Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence

Page 5: How To Build An Incident Response Function

Security Intelligence & Operations Consulting (ESP Services)

Founded: 2007

Experience:
• 30+ SOC builds
• 90+ SOC assessments
• 30+ SIOC consultants worldwide

Solution Approach:
• People, Process, & Technology

Accelerated Success:
• Mature project methodology
• Best practices
• Extensive intellectual capital

Purpose: Ensure our customers are successful with ESP products by providing the right People, building the right Processes and delivering effective Technology.

Page 6: How To Build An Incident Response Function

HP’s industry-leading scale

• Monthly security events: 2.3 billion
• HP secured user accounts: 47m
• HP security professionals: 5000+
• Top telecoms: 10 out of 10
• Major banks: 9 out of 10
• Top software companies: 9 out of 10
• US Department of Defense: all major branches
• HP managed security customers: 900+
• Global Security Operations Centers: 8 global SOCs, plus planned regional SOC

Page 7: How To Build An Incident Response Function

PILLAR 1: IDENTIFYING CRITICAL ASSETS AND RISKS

Page 8: How To Build An Incident Response Function

Pillar 1: Identifying Critical Assets and Risks

Create an Asset and Threat Inventory
• Asset Inventory – what are you trying to protect (people, processes, physical, data)
• Threat Inventory – what are the threats (Cyber, Weather, Infrastructure, etc.)

Example asset inventory, as shown on the slide (the Model No. and Serial No. columns are blank):

Asset              | Description                       | Owner           | Category               | BU         | Date    | Vendor   | Qty | Value
Marketing database | Marketing database, customer list | Bob Ratchet     | Data                   | ME Dept.   | 4/17/14 | Oracle   | 1   | $25,000
Web Server         | Linux server, Apache web server   | Debbie Thompson | Hardware/Software/Data | Operations | 9/3/14  | Multiple | 4   | $1,200,000

Example host inventory, as shown on the slide:

Name       | Host Name  | IP Address   | MAC Address    | Static Addressing | Category URI
WMServer1  | WMServer1  | 10.100.4.128 | 00:AE:FE:01:08 | 10.100.4.128      | /All Asset Categories/Prod
WMServer2  | WMServer2  | 10.100.4.130 | 01:AF:CB:02:09 | 10.100.4.130      | /All Asset Categories/Prod
WMServer3  | WMServer3  | 10.100.4.127 | 00:AE:FE:01:08 | 10.100.4.127      | /All Asset Categories/Prod
WMServer4  | WMServer4  | 10.100.4.125 | 01:AF:CB:02:11 | 10.100.4.125      | /All Asset Categories/Prod
WMServer10 | WMServer10 | 10.100.4.121 | 00:AE:FE:01:00 | 10.100.4.121      | /All Asset Categories/Prod
DBServer3  | DBServer3  | 10.101.4.99  | 01:AF:CB:02:21 | 10.101.4.99       | /All Asset Categories/Prod

Page 9: How To Build An Incident Response Function

Pillar 1: Identifying Critical Assets and Risks

• Identify the assets at a high level and work down
  – What is critical?
  – What is its value if lost?
    • Replacement cost, additional staffing, resource expenses, manual processing costs.
    • Lost revenue.
  – What are the dependencies and interdependencies?
    • Impact to people?
    • How will processes be affected in other areas?

Page 10: How To Build An Incident Response Function

Pillar 1: Identifying Critical Assets and Risks

• Get the business partners involved in the data collection process
  – What is mission critical?
  – Where is critical or sensitive information stored or processed?
  – What locations are mission critical or high value?
  – Assess the impact on the organization's critical functions, operations, and customers.
• Collect the information: questionnaires, interviews, workshops

Page 11: How To Build An Incident Response Function

Pillar 1: Identifying Critical Assets and Risks

Threats:
• Fire
• Flood
• Cyber Attacks
• Insider Fraud
• Failed Backup
• HVAC Failure
• Hurricane
• Terrorism
• Data Theft
• PII Disclosure
• Power Failure
• Phishing Attack
• Loss of Key Staff
• Virus Outbreak
• Pandemic
• Lawsuits

Page 12: How To Build An Incident Response Function

Risk Distribution

Threat            | No.
Fire              | R01
Flood             | R02
Cyber Attacks     | R03
Insider Fraud     | R04
Failed Backup     | R05
Virus Outbreak    | R06
HVAC Failure      | R07
Data Theft        | R08
PII Disclosure    | R09
Power Failure     | R10
Phishing Attack   | R11
Loss of Key Staff | R12

[Risk distribution chart: threats R01 to R12 plotted on a 3x3 grid of Low/Medium/High bands (Low-Low through High-High); the numeric axis values did not survive extraction.]

Page 13: How To Build An Incident Response Function

POLL: Do you have an accurate asset inventory categorized by risk?

Page 14: How To Build An Incident Response Function

PILLAR 2: SCOPE THE POTENTIAL IMPACT TO THE ORGANIZATION

Page 15: How To Build An Incident Response Function

Pillar 2: Scope the Potential Impact to the Organization

Priority | Asset/Business Process | Recovery Time Objective (RTO) | Maximum Tolerable Downtime (MTD) | Recovery Point Objective (RPO)
1        | Point of Sale          | 15 minutes                    | 30 minutes                       | 4 hours
2        | Email                  | 12 hours                      | 48 hours                         | 24 hours
2        | Employee payroll       | 48 hours                      | 96 hours                         | 12 hours

Impact scale for Point of Sale (the bottom row is unlabelled on the slide):

Priority | Severe                                                               | Moderate                                              | Minimal
Impact   | Loss of revenue, overtime costs, loss of customer loyalty, data loss | Some revenue loss, overtime costs, customer annoyance | Loss of revenue
Cost     | Greater than 300k per hour                                           | 100-150k per hour                                     | <25k per hour
         | 3%                                                                   | 22%                                                   | 60%
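As an added example (not part of the slide deck), a short Python check over the Pillar 2 table above: it parses the RTO/MTD/RPO durations as printed, flags any asset whose recovery time objective exceeds its maximum tolerable downtime (a consistency rule from standard BIA practice, assumed here rather than stated on the slide), and orders assets for restoration by priority and then tightest MTD.

```python
import re
from dataclasses import dataclass

# Constructed from the Pillar 2 slide: (priority, asset, RTO, MTD, RPO) as printed.
SLIDE_ROWS = [
    ("1", "Point of Sale", "15 minutes", "30 minutes", "4 hours"),
    ("2", "Email", "12 hours", "48 hours", "24 hours"),
    ("2", "Employee payroll", "48 hours", "96 hours", "12 hours"),
]
_UNIT_MINUTES = {"minute": 1, "hour": 60, "day": 1440}

def to_minutes(text):
    """Parse a duration such as '15 minutes' or '4 hours' into whole minutes."""
    m = re.fullmatch(r"\s*(\d+)\s*(minute|hour|day)s?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(m.group(1)) * _UNIT_MINUTES[m.group(2).lower()]

@dataclass
class BiaRow:
    priority: int
    asset: str
    rto_min: int  # Recovery Time Objective, in minutes
    mtd_min: int  # Maximum Tolerable Downtime, in minutes
    rpo_min: int  # Recovery Point Objective, in minutes

def load_rows(rows):
    """Turn the slide's text cells into typed rows."""
    return [BiaRow(int(p), a, to_minutes(rto), to_minutes(mtd), to_minutes(rpo))
            for p, a, rto, mtd, rpo in rows]

def check_row(row):
    """Return findings for one row; an empty list means it is consistent.
    Assumed rule (standard BIA practice, not stated on the slide): RTO must not
    exceed MTD, or the recovery target already breaches tolerable downtime."""
    findings = []
    if row.rto_min > row.mtd_min:
        findings.append(f"{row.asset}: RTO {row.rto_min} min exceeds MTD {row.mtd_min} min")
    return findings

def recovery_order(rows):
    """Restoration order: slide priority first, then the tightest MTD."""
    return [r.asset for r in sorted(rows, key=lambda r: (r.priority, r.mtd_min))]

if __name__ == "__main__":
    rows = load_rows(SLIDE_ROWS)
    for r in rows:
        print(r, check_row(r))
    print(recovery_order(rows))
```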

Page 16: How To Build An Incident Response Function

Pillar 2: Scope the Potential Impact to the Organization

Understand what has a negative impact on the business
• Loss of data.
• Reputation.
• Legal requirements.
• What’s the cost of a severe, moderate or minimal incident?
• How long can we be down and survive?
• Who will be impacted the most?

Page 17: How To Build An Incident Response Function

PILLAR 3: UNDERSTAND YOUR CAPABILITIES

Page 18: How To Build An Incident Response Function

Pillar 3: Understand your Capabilities

An IR function consists of People, Processes and Technology.

People: The team must consist of individuals with the appropriate skills and experience for incident response. The effectiveness of the team depends on the technical skills and critical thinking abilities of its members.

Processes: Create an incident response policy. The incident response policy is the foundation of the incident response function. As an important first step, it defines what is considered an incident, establishes the organizational structure for incident response, defines roles and responsibilities, and defines the reporting requirements.

Technology: Identify the security technology defenses, logging and detection tools, forensics tools, system monitoring and communication platforms.

Page 19: How To Build An Incident Response Function

Pillar 3: Understand Your Capabilities

Team Roles

• Executive Sponsor – Incident Response Owner, accountable for the IR function. Typically an officer of the company or the CISO.
• Incident Commander – Leads the team: activates the team, trains the team, and maintains communication with stakeholders.
• Subject Matter Experts – Individuals with expertise, system access, training and experience in responding to incidents.

Page 20: How To Build An Incident Response Function

Pillar 3: Understand Your Capabilities

Who is on the team

• Ensure that all members and their management understand their roles and responsibilities.
• Education and training are critical.
• Have a well-defined mission statement.
• Identify other groups within and outside the organization that may need to participate in incident handling.
• Identify third parties that may be needed for expertise that is not normally available.

Page 21: How To Build An Incident Response Function

Pillar 3: Understand Your Capabilities

Processes

• Incident response policy.
• Incident response plan based on the incident response policy.
• Develop incident response procedures based on all threats, not just on likelihood.
• Communication plan – the company directory is not adequate.
• Disaster recovery planning.

Page 22: How To Build An Incident Response Function

Pillar 3: Understand Your Capabilities

Technological capabilities
• Work with the SMEs
• IDS/IPS
• SIEM
• AV/Malware
• FIPS/FIDS
• Monitoring tools
• OS/Application logs
• Network tools/logs
• Network flows
• Vulnerability scanners
• Forensic tools
• Encryption tools
• Database
• Research tools

Page 23: How To Build An Incident Response Function

POLL: Have you identified team members, roles, and capabilities?

Page 24: How To Build An Incident Response Function

PILLAR 4: KNOW YOUR THREATS AND PREPARE

Page 25: How To Build An Incident Response Function

Pillar 4: Know Your Threats and Prepare

When asked why he robbed banks, Willie Sutton said “Because that is where all the money is…”

Page 26: How To Build An Incident Response Function

Pillar 4: Know Your Threats and Prepare

• What would an attacker gain by attacking you?
  – Monetary
  – Political
  – Prestige
  – Data
  – Control of infrastructure
  – Etc.
• What kind of attacker would attack you?
  – Insider threat / disgruntled employee
  – State sponsored
  – Hacktivist
  – Hacker
• Malicious vs. non-malicious threats

Page 27: How To Build An Incident Response Function

Pillar 4: Know Your Threats and Prepare

• Drills
• Desktop exercises
• Functional exercises
• Full-scale exercises

The exercise scenarios are designed to simulate technical, operational, communication and/or strategic responses to incidents with a view to reviewing and refining current capabilities.

Incident response lifecycle (as diagrammed on the slide):
• Preparation
• Detection and Analysis
• Containment, Eradication, and Recovery

Page 28: How To Build An Incident Response Function

Pillar 4: Know Your Threats and Prepare

• Overall goals
  – Examine information sharing
  – Assess decision making
  – Evaluate roles and responsibilities within the organization
• Multi-group participation allows us to
  – Understand incident management across multiple departments and entities
  – Evaluate threat information sharing among the whole community
  – Understand roles and responsibilities
  – Test and evaluate Incident Response coordination

Page 29: How To Build An Incident Response Function

Resources

• Cyber Incident Response: Are business leaders ready?
  http://www.arbornetworks.com/news-and-events/press-releases/recent-press-releases/5160-economist-intelligence-unit-and-arbor-networks-research-show-83-percent-of-businesses-are-not-fully-prepared-for-an-online-security-incident
• NIST Computer Security Incident Handling Guide
  http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
• State of Security Operations – HP
  https://ssl.www8.hp.com/ww/en/secure/pdf/4aa5-0501enw.pdf
• 5 stages of defense: Understanding the kill chain
  http://h30458.www3.hp.com/us/us/discover-performance/security-leaders/2013/jul/5-stages-of-defense--understanding-the-kill-chain_1307229.html

Page 30: How To Build An Incident Response Function

QUESTIONS

Page 31: How To Build An Incident Response Function

Upcoming Co3 Events

• “Encryption: Who, What, When, Where, and Why It's Not a Panacea”
  – Webinar with Morrison Foerster: October 2, 2014, 1-2 pm
  – https://www4.gotomeeting.com/register/525395863
• Cyber IP Expo, London, UK: October 8-9, 2014

Page 32: How To Build An Incident Response Function

One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE

“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013

“Co3…defines what software packages for privacy look like.”
GARTNER

“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE

Richard White, MBA CISSP CHP/CHSS, Principal, Security Intelligence and [email protected]