
Sophisticated Incident Response Requires Sophisticated Activity Monitoring

Aug 13, 2015


Imperva
Transcript
Page 1: Sophisticated Incident Response Requires Sophisticated Activity Monitoring

© 2015 Imperva, Inc. All rights reserved.

Sophisticated Incident Response Requires Sophisticated Activity Monitoring

Mike Sanders, Principal SE and Team Lead, Imperva
Bryan Orme, Principal, GuidePoint Security

July 29, 2015

Page 2


Speakers


Bryan Orme, Principal, GuidePoint Security

Mike Sanders, Principal SE and Team Lead, Imperva

Page 3


“There are two kinds of companies in the world: those that know they’ve been hacked, and those that have been hacked and don’t yet know it.”

– Every Quotable Security Professional

Page 4


Agenda


1. Need for an audit solution
2. Incident response point of view
3. Log collection is key
4. Compliance and log retention time
5. Think without a box

Page 5


1. Need for an audit solution

Collecting the needles and the haystack

Page 6


Audit tips: Top 10 Tips

1. Have a good plan
2. Know the data
3. Start with your results in mind
4. Use a global platform
5. Audit what matters
6. Don’t audit what doesn’t matter
7. Don’t forget YOUR data
8. Constantly think security
9. Make sure it all works
10. Look to the future

Page 7


Making audit work for you and your IR team


• Central repository
• What to collect and what not to collect
• Test it all out

Page 8


Central repository


• Global platform across multiple DB vendors
• Long-term data retention
• Varying degrees of verbosity

Page 9


What to collect and what not to collect

• You need the needles and the haystack
  – You don’t know what you don’t know prior to an incident
• Abnormal behavior is key
• Don’t leave out secondary data
  – Employee data (PII)
  – Intellectual property
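Worked example (added to this transcript; it is not Imperva code and is not tied to any product's record format): a baseline-and-deviation pass over database audit records, showing how "abnormal behavior" can be surfaced once the haystack has been collected, including an application account suddenly reading the employee PII table the slide calls secondary data. The record tuple shape, user and host names, and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed audit records: (db_user, client_host, table, rows_returned, hour_of_day)
BASELINE_RECORDS = [  # a quiet learning window used to build per-user profiles
    ("app_svc", "web01", "orders", 40, 10),
    ("app_svc", "web02", "orders", 55, 14),
    ("app_svc", "web01", "customers", 12, 11),
    ("hr_etl", "etl01", "employees", 900, 2),
]
RECENT_RECORDS = [
    ("app_svc", "web01", "orders", 48, 12),        # normal application traffic
    ("app_svc", "web01", "employees", 5000, 23),   # app account reading PII, large, at night
    ("hr_etl", "etl01", "employees", 920, 2),      # normal nightly batch
    ("hr_etl", "laptop-77", "employees", 980, 2),  # batch account from a new client host
]

def build_profiles(records):
    """Per-user baseline: known hosts and tables, active hour range, largest result set."""
    profiles = defaultdict(lambda: {"hosts": set(), "tables": set(),
                                    "hours": [24, -1], "max_rows": 0})
    for user, host, table, rows, hour in records:
        p = profiles[user]
        p["hosts"].add(host)
        p["tables"].add(table)
        p["hours"] = [min(p["hours"][0], hour), max(p["hours"][1], hour)]
        p["max_rows"] = max(p["max_rows"], rows)
    return profiles

def deviations(record, profiles, spike_factor=3):
    """Reasons a record departs from its user's baseline (empty list if none)."""
    user, host, table, rows, hour = record
    p = profiles.get(user)
    if p is None:
        return ["unknown-user"]
    reasons = []
    if host not in p["hosts"]:
        reasons.append("new-host")
    if table not in p["tables"]:
        reasons.append("new-table")
    if not p["hours"][0] <= hour <= p["hours"][1]:
        reasons.append("off-hours")
    if rows > spike_factor * p["max_rows"]:
        reasons.append("row-spike")
    return reasons

def find_anomalies(baseline, recent):
    """Records in `recent` that deviate from the baseline, paired with their reasons."""
    profiles = build_profiles(baseline)
    return [(r, d) for r in recent if (d := deviations(r, profiles))]
```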

Page 10


Test it all out

• Test high availability / disaster recovery
• Validate access to archive data
• Run sample investigation reports

Page 11


2. Incident response point of view

Trail of needles in a field of haystacks

Page 12


Incident response point of view

• Logs are crucial to the incident response investigation
• When the incident response team is called
  – APT has infiltrated the network infrastructure for 6+ months
• Commonly the APT will gain access via a service provider or contractor
  – Agreements with service providers, contractors, and the like should include language requiring them to collect logs upon request
• Common log sources beneficial to incident response
  – Web, proxies, IDS, IPS, database, firewall (outgoing)
  • http://www.imperva.com/Products/DatabaseFirewall

Page 13


Incident response point of view

• Incident response goal
  – Investigation
  – Story / background
  – Systems impacted
  – Containment
    • Prevent further damage
  – Remediation
    • Correcting related vulnerabilities
  – Data analysis: quantify data loss
  – Litigation support

[Diagram: Incident Story → Systems Impacted → Quantify Data Loss → Identify APT → Litigation Support]

Page 14


3. Collection is key

Focus initial resources on collection over correlation

Page 15


Log collection and retention is key

• Focus budget on log collection and retention first
  – Secondary feed correlation as the next step (SIEM integration)
• Advantages of extensive log collection
  – Increases the probability of detecting an APT early
  – Increases the probability of defining (detailing / identifying) the specific data loss
  – Increases the probability of identifying the APT for restitution purposes
• Disadvantage
  – Resource intensive / expensive

Page 16


Log collection and retention is key


• Web applications
• Directory Services manipulation
• Lateral movement in infrastructure
• Database attacks
• Backdoors and malware
• Lack of logs hinders investigation, or prevents detection
  – Collect as much as possible

Page 17


Log collection and retention is key

• Start with collecting logs to a central location
  – Global platform for all database vendors
  – Track abnormal behavior
• As the team and functionality grow
  – Incorporate log correlation / SIEM
  – Gain better insight into audit logs

Page 18


4. Compliance and log retention time

3 months immediately available, with 6 months’ capacity; 9 months archived

Page 19


Compliance and log retention time

• Most compliance frameworks are vague on log retention time
  – NIST Cyber Security Framework
  – NIST 800-92
  – ISO 27001:2013 A.12.4
  – HIPAA ...
• Incident response tends to align with PCI DSS
  – Minimum 3 months immediately available
  – Minimum 9 months archived
• Consider the capability of 6 months immediately available, but use only 3 months
  – Provides a buffer to retain all logs during an investigation
  – Increases the probability of recovering deleted logs
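Worked example (added here; not part of the deck and not any Imperva product's retention logic): a retention tiering and coverage check that encodes the minimums on this slide, 3 months immediately available with online capacity for 6, 9 months archived, and the online window extended to 6 months while an investigation hold is open. It also runs the "validate access to archive data" inventory test from slide 10. The monthly segment model, the source name, the month-granular boundaries and the hold behaviour are assumptions.

```python
from dataclasses import dataclass
from datetime import date

HOT_MONTHS = 3           # immediately available (deck: minimum 3 months)
HOT_CAPACITY_MONTHS = 6  # online capacity, used only under an investigation hold
ARCHIVE_MONTHS = 9       # archived after the hot window (deck: minimum 9 months)
TOTAL_MONTHS = HOT_MONTHS + ARCHIVE_MONTHS  # 12 months of history overall

@dataclass(frozen=True)
class LogSegment:
    source: str  # e.g. "oracle-prod-audit" (hypothetical source name)
    month: date  # first day of the month this segment covers

def months_between(newer: date, older: date) -> int:
    """Whole calendar months from `older` to `newer` (day of month ignored)."""
    return (newer.year - older.year) * 12 + (newer.month - older.month)

def tier_for(segment: LogSegment, today: date, investigation_hold: bool = False) -> str:
    """Where a segment must live now: 'hot', 'archive' or 'expired'."""
    age = months_between(today, segment.month)
    hot_limit = HOT_CAPACITY_MONTHS if investigation_hold else HOT_MONTHS
    if age < hot_limit:
        return "hot"      # searchable online
    if age < TOTAL_MONTHS:
        return "archive"  # retrievable, not immediately searchable
    # Past the 12-month minimum. Assumption: an open hold still blocks deletion.
    return "archive" if investigation_hold else "expired"

def retention_plan(segments, today: date, investigation_hold: bool = False) -> dict:
    """Map 'source/YYYY-MM' to the tier each segment must be in."""
    return {f"{s.source}/{s.month:%Y-%m}": tier_for(s, today, investigation_hold)
            for s in segments}

def coverage_gaps(segments, today: date) -> list:
    """Months inside the 12-month minimum with no segment at all: the
    'validate access to archive data' test from slide 10, run against inventory."""
    covered = {(s.month.year, s.month.month) for s in segments}
    gaps = []
    for age in range(TOTAL_MONTHS):
        year, month0 = divmod(today.year * 12 + today.month - 1 - age, 12)
        if (year, month0 + 1) not in covered:
            gaps.append(f"{year:04d}-{month0 + 1:02d}")
    return gaps

# Constructed inventory: July 2014 to July 2015, with February 2015 missing.
DEMO_TODAY = date(2015, 7, 29)  # the deck's presentation date, used as "now"
DEMO_SEGMENTS = [LogSegment("oracle-prod-audit", date(2014 + (m - 1) // 12, (m - 1) % 12 + 1, 1))
                 for m in range(7, 20) if m != 14]  # m counts months from January 2014
```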

Page 20


5. Think without a box

Page 21


Think without a box


• Instead of thinking outside the box, think without a box
• Don’t limit your logging data because you think it is not needed
  – The dynamic nature of information security results in unknown attack vectors
  – Non-security log sources are important too (System, PowerShell, and Application logs provide evidence of lateral movement)
• Minimum retention
  – 3 months of immediately available logs, with capacity for 6 months
  – 9 months of archived logs

Page 22


Imperva
+1(866) 926-4678 – Americas
+44 01189 497 130 – EMEA
[email protected]

GuidePoint Security
+1(877) 889-0132
[email protected]

Page 23