0 Incident Management: Evolution of Protection
Implementing a Pro-Active Approach to Cybersecurity
Benjamin Stephan, Director of Incident Management, FishNet Security

1 Agenda
- Introduction
- Today’s Threat Landscape
- Incident Management Life Cycle
- Incident Management Framework
- Next Steps
Statistics in this presentation provided by Ponemon Institute Annual Study on Cyber Crime Costs.

2 Cybercrime has become a high stakes game…
…and they are highly motivated to take your data…
- State sponsored
- Crime syndicates
- Hacktivists
…for a number of reasons:
- Financial Gain
- Industrial Espionage
- IP Theft
- Political motivation
- Botnet Services

3 Threat Trends of 2011
The top trends related to a breach:
- Negligence
- Lack of CISO leadership
- Lack of external consulting support
- First time offense
- Lost or stolen device
Median annualized cost of cyber crime is $5.9 million per year, with a range of $1.5 million to $36.5 million each year.
- Increase of 56% over 2010
Average per capita cost was $284 per enterprise seat.
- Varies by size of the organization, with smaller firms incurring a greater per capita cost of $1,008 on average versus larger organizations
*Results provided by Ponemon study.

4 Corporate Security Posture Related to Breach Cost
*SES: Security Effectiveness Score; Developed by PGP Corporation and Ponemon Institute. The higher the score the more effective an organization is at achieving security initiatives.


6 What Are Your Challenges?
- Malicious traffic evading traditional perimeter security solutions
- Difficulty validating alerts and determining scope of incident
- Lack of endpoint visibility
- Lack of defined incident management and response processes
- Untested procedures and infrastructure
- Inability to respond to every alert
- Insufficient view of network traffic

7 What Is The Impact?
- Difficult or impossible to truly understand and gauge risk
- Time to contain an event and return to a trusted state takes too long
- Overwhelmed with alerts
- Spend excessive time reducing false positives
- Incident response is time consuming, expensive and incomplete
- Potential loss of data
- No formalized operational procedures

8 The Solution
How can you defend against the unknown?
How can your company protect its critical assets?

9 Solution: Incident Life Cycle, IMF, Incident Workflow

10 Incident Management Lifecycle

11 Incident Management Life Cycle
Operational
- Detect malicious traffic ‘on the wire’
- Identify symptoms of an attack via log analysis
- Confirm symptoms through automated and manual procedures
- Analyze 3rd party threat feeds
- Engage legal counsel
- Capture relevant malware artifacts
Tactical
- Validate findings against endpoint data
- Triage live systems based on symptomatic evidence
- Determine scope, uncover additional information
- Work with critical business units to determine risk potential
- Deploy targeted analytic solutions to further quantify attack profile
- Control the threat to extend investigation time

12 Incident Management Life Cycle
Reaction
- Disconnect compromised systems or networks
- Cut C&C communication, kill active processes
- Escalate drastic containment procedures for authorization
- Defend sensitive and critical assets
- Engage 3rd party support as necessary
- Wipe all identified malware and related artifacts
- Schedule custom scans to mitigate secondary re-infection
Inoculation
- Update virus signatures where applicable
- Implement strong enterprise solutions
- Document findings and results
- Update policies and procedures to compensate for deficiencies
- Ensure management support of pro-active measures

13 Incident Management Framework (IMF)
2011 has been inundated with cyber warfare attacks from across the globe. The attackers have become more and more aggressive and sophisticated. In an effort to assist companies in defending against this onslaught of attacks, FishNet Security has architected an Incident Management Framework (IMF). The IMF is a security framework based on the “best of breed” incident response controls outlined in many known security frameworks, such as ISO, ITIL, PCI, NIST, etc.

14 Incident Management Framework (IMF)
By providing companies with a baseline framework dedicated to incident management, an entity can:
- Minimize product costs through strategic enterprise solutions
- Mitigate risk exposure through effective operational controls
- Improve staff efficiency through better understanding of cyber threats
- Bridge the “gap” between “legal” and “IT”
- Implement advanced malware countermeasures to defend the corporate network

15 Incident Management Framework (IMF)
Communication
Internal
- When an incident occurs there must be defined escalation protocols to ensure the right individuals are communicated with and “kept in the loop”.
- Reporting an event can be one of the most important initial actions. There are laws that must be considered as well as public relations issues.
External
- Companies must have established relationships with third party entities and law enforcement prior to an incident.
Collection
Acquisition
- Electronically stored information (ESI) must be collected in a forensically sound manner.
Chain of Custody
- Physical access to any collected information must be maintained at all times. Physical security controls must be implemented to ensure accurate accounting of physical access.
Data Retention
- Policies must be defined as to how long ESI will be stored. Failure to define policies can lead to potential spoliation issues.

16 Incident Management Framework (IMF)
Analysis
Technical
- On the Host: suspicious hosts must be analyzed for malicious content, rogue file execution, compromise of sensitive data, etc.
- On the Wire: data traversing the network must be collected and analyzed to determine migration of viruses, transmission of sensitive data, anomalous packets, etc.
Operational
- One of the key aspects of investigating an incident is determining unauthorized versus authorized access. The majority of incidents will include illegitimate use of an authorized account. Example: a help desk user account accessing HR file shares.
- Logs play a key role in incident analysis. However, the quantity of information to be reviewed can be extremely large. A Security Information and Event Management (SIEM) system can help review the logs in a more efficient manner.
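The “authorized account, unauthorized use” check from the Operational bullet, as an added example that is not part of the presentation: constructed file-share access events are compared against an assumed role-to-share entitlement map, and the help desk account touching the HR payroll share is flagged. The log format, share names and policy are all assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample file-share access events (not from the presentation).
# A SIEM would feed equivalent records from file-server object-access audit logs.
SAMPLE_LOG = """\
2011-10-03T08:12:44Z user=jsmith role=helpdesk action=READ share=fs01/IT-Tools
2011-10-03T08:15:02Z user=jsmith role=helpdesk action=READ share=fs01/HR-Payroll
2011-10-03T08:15:09Z user=jsmith role=helpdesk action=COPY share=fs01/HR-Payroll
2011-10-03T09:01:17Z user=mgarcia role=hr action=READ share=fs01/HR-Payroll
2011-10-03T09:05:55Z user=svc_backup role=service action=READ share=fs01/HR-Payroll
"""

# Assumed entitlement policy: the shares each role legitimately uses.
POLICY: Dict[str, Set[str]] = {
    "helpdesk": {"fs01/IT-Tools"},
    "hr": {"fs01/HR-Payroll"},
    "service": {"fs01/IT-Tools", "fs01/HR-Payroll"},
}


class Event(NamedTuple):
    ts: str
    user: str
    role: str
    action: str
    share: str


LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) share=(?P<share>\S+)$"
)


def parse_events(log_text: str) -> List[Event]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(**m.groupdict()))
    return events


def find_role_violations(log_text: str, policy=POLICY) -> List[Event]:
    """Return events where an authorized account reaches a share outside its role.
    A role absent from the policy has no entitlements, so its access is flagged."""
    return [e for e in parse_events(log_text)
            if e.share not in policy.get(e.role, set())]
```

Each hit is a legitimate login doing something its role should not, which is the signal the slide says most incidents carry; the SIEM's job is to run this comparison across every event rather than leaving it to a manual review.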

17 Incident Management Framework (IMF)
Containment
- Prepare action plans for known “potential” threats. The plans must cite the situation or incident and then outline how the response team will react.
Example:
Situation: a service account is compromised and is transferring sensitive information out of the network.
Reaction:
- Capture sensitive data traversing the network
- Identify the role of the service account
- Reset the password for the account or disable it
- Disconnect infected devices from the network
- Quantify the data exfiltrated from the network
- Work with legal regarding notification processes
- Execute analysis procedures
- Execute cleanup procedures

18 Incident Management Framework (IMF)
Mitigation
Remediation
- Analyze the results of an investigation to determine what is required to clean up the results of the infection.
- Use 3rd party providers to identify vulnerabilities and help mitigate the risk of secondary infection.
Prevention
- Conduct a “post mortem analysis” of all investigations. Learn what went wrong and how it can be prevented in the future.
- Create a robust and repeatable process for vulnerability management.
Testing
- Develop and execute regular “table top” exercises to test the company’s ability to respond to an incident.
- Leverage hot, warm, and cold testing procedures.

19 Incident Management Framework (IMF)
Legal Counsel
Litigation Hold
- Ensure plans are in place to disseminate, execute, and validate litigation holds.
Request for Discovery
- Preparing an “ESI Profile” will significantly help minimize the impact of fulfilling requests for discovery.
Liability
- Work with internal and external counsel to ensure:
  - Notification laws are met
  - Non-disclosure agreements are fulfilled
  - Service level agreements are accurately defined
Immediate Response
- Active: ensure there are accurate and up to date procedures in place to react to an incident.
- Passive: engage third party entities to provide immediate incident response support where needed.
- Classify sensitive data to ensure critical information is protected.

20 Incident Management Framework (IMF)
Documentation
Formal Plan
- All companies must have a formal Incident Management program in place. The program will outline the entity’s strategy regarding incident response and prevention. The plan must have full support of top level management.
Procedures
- There must be formal and documented procedures that outline how employees are to respond in an incident. Procedures must be reviewed at least annually and kept up to date and in line with actual practices.
Roles and Responsibilities
- A formal emergency response team must be defined. The team must include both active players as well as key business stakeholders.

21 Incident Management Workflow
Incident Management Life Cycle + Incident Management Framework = Incident Management Workflow


23 Attack Scenarios

24 Scenario #1

25 Web Server Compromise & Pivot
[Diagram: attacker uploads a root kit to the website using SQL injection]

26 Root Kit

27 Reverse Proxy
[Diagram: using the root kit, the attacker installs a reverse proxy on the server; attacker RDP traffic passes through it]

28 Scenario #2

29 Online Banking Fraud
[Diagram: attacker uses a SQL injection exploit to embed XSS code in a website]

30 Online Banking Fraud
[Diagram: victimized site with embedded XSS, hacker site, keylogger, consumers]

31 Online Banking Fraud
[Diagram: consumers’ online banking credentials are sent to the hacker; the hacker logs into the online banking site and creates fraudulent transactions]

32 Scenario #3

33 POS Keylogger
[Diagram: Internet, POS servers, back office, processor]

34 POS Keylogger
- Reseller / Integrator uses global accounts to provide tech support.
- Keylogger installed on each POS device.
- Card swipe readers send PAN via standard keyboard I/O.
- Hacker used global remote credentials to access environment.
[Diagram: Internet, back office, POS servers]

35 ROI on Cyber Defense
[Diagram: scope BEFORE 1st instance of threat (saturation, detection, containment, time/cost, uncompromised endpoints, scope of compromise, resources) versus scope AFTER 1st instance of threat (early exposure of known unknown, rapid response, fewer required resources, rapid remediation; detection, containment, time/cost)]

36 ROI on Cyber Defense (Statistics)
From the point of detection to containment is referred to as the “Return To Trusted State” (RTTS).
- Average RTTS in 2011 was 18 days
  - Increase of 4 days over 2010
- Average cost of $413,784 per event or $22,896 per day
  - Increase of 67% over 2010
The threats range in difficulty to contain (average RTTS):
- Malicious Insider = 45.5 days to contain
- Malicious Code = 41.6 days to contain
- Web-based attacks = 23.5 days to contain
- DOS/DDOS = 13.1 days to contain
- Stolen Devices = 10.7 days to contain

37 ROI on Cyber Defense (Statistics)

38 DEFEND YOUR NETWORK!
Defining YOUR Plan: What are your next steps?
ACT NOW!
- Plan for an attack on your network.
- Implement enterprise grade products in your organization.
- Implement a strong security framework.
DEFEND YOUR NETWORK!
We are here and available today to set up one-on-one meetings with you! This is truly the first step in defending your network!

39 Questions

40 Thank You
Benjamin Stephan
Director, Incident Management
FishNet Security
