Presentation on theme: "Agenda Introduction Today’s Threat Landscape"— Presentation transcript:
0 Incident Management: Evolution of Protection
Implementing a Pro-Active Approach to Cybersecurity
Benjamin Stephan, Director of Incident Management, FishNet Security
1 Agenda
Introduction
Today’s Threat Landscape
Incident Management Life Cycle
Incident Management Framework
Next Steps
Statistics in this presentation provided by Ponemon Institute Annual Study on Cyber Crime Costs.
2 Cybercrime has become a high stakes game…
…and they are highly motivated to take your data:
State sponsored
Crime syndicates
Hacktivists
…for a number of reasons:
Financial Gain
Industrial Espionage
IP Theft
Political motivation
Botnet Services
3 Threat Trends of 2011
The top trends related to a breach:
Negligence
Lack of CISO leadership
Lack of external consulting support
First time offense
Lost or stolen device
Median annualized cost of cyber crime is $5.9 million per year, with a range of $1.5 million to $36.5 million each year.
Increase of 56% over 2010
Average per capita cost was $284 per enterprise seat
Varies by size of the organization, with smaller firms incurring a greater per capita cost of $1,008 on average versus larger organizations
*Results provided by Ponemon study.
4 Corporate Security Posture Related to Breach Cost
*SES: Security Effectiveness Score; developed by PGP Corporation and Ponemon Institute. The higher the score, the more effective an organization is at achieving security initiatives.
6 What Are Your Challenges?
Malicious traffic evading traditional perimeter security solutions
Difficulty validating alerts and determining scope of incident
Lack of endpoint visibility
Lack of defined incident management and response processes
Untested procedures and infrastructure
Inability to respond to every alert
Insufficient view of network traffic
7 What Is The Impact?
Difficult or impossible to truly understand and gauge risk
Time to contain an event and return to a trusted state takes too long
Overwhelmed with alerts
Spend excessive time reducing false positives
Incident response is time consuming, expensive and incomplete
Potential loss of data
No formalized operational procedures
8 The Solution
How can you defend against the unknown? How can your company protect its critical assets?
9 Solution: Incident Life Cycle, IMF, Incident Workflow
11 Incident Management Life Cycle
Operational
  Detect malicious traffic ‘on the wire’
  Identify symptoms of an attack via log analysis
  Confirm symptoms through automated and manual procedures
  Analyze 3rd party threat feeds
  Engage legal counsel
  Capture relevant malware artifacts
Tactical
  Validate findings against endpoint data
  Triage live systems based on symptomatic evidence
  Determine scope, uncover additional information
  Work with critical business units to determine risk potential
  Deploy targeted analytic solutions to further quantify attack profile
  Control the threat to extend investigation time
12 Incident Management Life Cycle
Reaction
  Disconnect compromised systems or networks
  Cut C&C communication, kill active processes
  Escalate drastic containment procedures for authorization
  Defend sensitive and critical assets
  Engage 3rd party support as necessary
  Wipe all identified malware and related artifacts
  Schedule custom scans to mitigate secondary re-infection
Inoculation
  Update virus signatures where applicable
  Implement strong enterprise solutions
  Document findings and results
  Update policies and procedures to compensate for deficiencies
  Ensure management support of pro-active measures
13 Incident Management Framework (IMF)
2011 has been inundated with Cyber Warfare attacks from across the globe. The attackers have become more and more aggressive and sophisticated.
In an effort to assist companies in defending against this onslaught of attacks, FishNet Security has architected an Incident Management Framework (IMF).
The IMF is a security framework based on the “best of breed” incident response controls outlined in many known security frameworks, such as ISO, ITIL, PCI, NIST, etc.
14 Incident Management Framework (IMF)
By providing companies with a baseline framework dedicated to incident management, an entity can:
Minimize product costs through strategic enterprise solutions
Mitigate risk exposure through effective operational controls
Improve staff efficiency through better understanding of cyber threats
Bridge the “gap” between “legal” and “IT”
Implement advanced malware countermeasures to defend the corporate network
15 Incident Management Framework (IMF)
Communication
  Internal
    When an incident occurs there must be defined escalation protocols to ensure the right individuals are communicated with and “kept in the loop”.
    Reporting an event can be one of the most important initial actions. There are laws that must be considered as well as public relations issues.
  External
    Companies must have established relationships with third party entities and law enforcement prior to an incident.
Collection
  Acquisition
    Electronically stored information (ESI) must be collected in a forensically sound manner.
  Chain of Custody
    Physical access to any collected information must be controlled at all times.
    Physical security controls must be implemented to ensure accurate accounting of physical access.
  Data Retention
    Policies must be defined as to how long ESI will be stored.
    Failure to define policies can lead to potential spoliation issues.
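The Collection controls above (forensically sound acquisition, chain of custody, data retention) can be made concrete in a small evidence manifest. The following is an added example written for this transcript; it is not FishNet's IMF code or any tool from the deck. It assumes evidence is a set of local files, uses SHA-256 digests as the integrity record, appends every hand-off to an append-only custody log, and constructs its own sample files in a temporary directory; the case id, analyst names and 365-day retention window are invented placeholders.

```python
"""Evidence manifest with integrity hashes, custody log and retention check.

Added example (not the presentation's or FishNet's code). Assumptions: evidence is
a set of local files, integrity is tracked with SHA-256, custody entries are
append-only, and the retention policy is expressed in days since acquisition.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk or memory images need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(paths, case_id, collector, now=None):
    """Record each evidence file's name, size and digest plus the first custody entry."""
    now = now or datetime.now(timezone.utc)
    manifest = {"case_id": case_id, "acquired_at": now.isoformat(),
                "items": [], "custody": []}
    for path in paths:
        manifest["items"].append({"name": os.path.basename(path),
                                  "size": os.path.getsize(path),
                                  "sha256": sha256_file(path)})
    manifest["custody"].append({"at": now.isoformat(), "action": "acquired",
                                "by": collector})
    return manifest


def transfer(manifest, holder_from, holder_to, now=None):
    """Append a hand-off; earlier entries are never edited, only appended to."""
    now = now or datetime.now(timezone.utc)
    manifest["custody"].append({"at": now.isoformat(), "action": "transferred",
                                "from": holder_from, "to": holder_to})
    return manifest


def verify(manifest, paths):
    """Re-hash the files and return the names whose digest no longer matches."""
    by_name = {os.path.basename(p): p for p in paths}
    mismatched = []
    for item in manifest["items"]:
        path = by_name.get(item["name"])
        if path is None or sha256_file(path) != item["sha256"]:
            mismatched.append(item["name"])
    return mismatched


def retention_expired(manifest, policy_days, now=None):
    """True once the retention window since acquisition has elapsed."""
    now = now or datetime.now(timezone.utc)
    acquired = datetime.fromisoformat(manifest["acquired_at"])
    return now - acquired > timedelta(days=policy_days)


def demo():
    """Constructed sample: two evidence files in a temp dir, one later tampered with."""
    workdir = tempfile.mkdtemp(prefix="evidence_")
    paths = []
    for name, content in [("memdump.raw", b"\x00" * 4096),
                          ("capture.pcap", b"\xd4\xc3\xb2\xa1demo")]:
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(content)
        paths.append(path)
    t0 = datetime(2011, 9, 14, 10, 0, tzinfo=timezone.utc)  # placeholder timestamp
    manifest = acquire(paths, case_id="IR-2011-0042", collector="analyst-a", now=t0)
    transfer(manifest, "analyst-a", "evidence-locker", now=t0 + timedelta(hours=2))
    clean = verify(manifest, paths)               # nothing changed yet -> []
    with open(paths[1], "ab") as fh:              # simulate corruption or tampering
        fh.write(b"x")
    tampered = verify(manifest, paths)            # -> ["capture.pcap"]
    expired = retention_expired(manifest, policy_days=365, now=t0 + timedelta(days=400))
    return manifest, clean, tampered, expired


if __name__ == "__main__":
    m, clean, tampered, expired = demo()
    print(json.dumps(m, indent=2))
    print("mismatched after tamper:", tampered, "| retention expired:", expired)
```

The manifest is what gets signed or printed and countersigned at each hand-off; re-running `verify` before analysis and again before production is how the digest recorded at acquisition is shown to still describe the item in the locker.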
16 Incident Management Framework (IMF)
Analysis
  Technical
    On the Host: suspicious hosts must be analyzed for malicious content, rogue file execution, compromise of sensitive data, etc.
    On the Wire: data traversing the network must be collected and analyzed to determine migration of viruses, transmission of sensitive data, anomalous packets, etc.
  Operational
    One of the key aspects of investigating an incident is determining unauthorized versus authorized access. The majority of incidents will include illegitimate use of an authorized account.
    Example: a help desk user account accessing HR file shares.
    Logs play a key role in incident analysis. However, the quantity of information to be reviewed can be extremely large. A Security Information and Event Management (SIEM) system can help review the logs in a more efficient manner.
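The Operational point above (a legitimate account used illegitimately, such as a help desk account reaching HR shares) is exactly the kind of check a SIEM correlation rule encodes. The following added example is not the slide's or FishNet's code: it parses constructed file-server audit lines in an assumed key=value layout, compares each successful access against an assumed role-to-share entitlement map, and reports the account/share pairs that fall outside the account's role.

```python
"""Flag successful file-share access that lies outside the account's role.

Added example (not the presentation's or FishNet's code). The log layout, the
entitlement map and the audit lines are all constructed for illustration.
"""
import re
from collections import Counter

# Which shares each role is entitled to reach (constructed policy, not from the deck).
ENTITLEMENTS = {
    "helpdesk": {"IT_Tools", "Helpdesk_Tickets"},
    "hr": {"HR_Payroll", "HR_Records"},
    "finance": {"Finance_GL"},
}

# Constructed file-server audit lines; the key=value layout is an assumption,
# not any real product's export format.
SAMPLE_LOG = """\
2011-09-14T09:02:11Z user=hr_mlee role=hr share=HR_Records action=READ file=review.docx result=SUCCESS
2011-09-14T09:05:40Z user=hd_jsmith role=helpdesk share=Helpdesk_Tickets action=READ file=t1234.txt result=SUCCESS
2011-09-14T23:41:03Z user=hd_jsmith role=helpdesk share=HR_Payroll action=READ file=salaries.xlsx result=SUCCESS
2011-09-14T23:42:17Z user=hd_jsmith role=helpdesk share=HR_Payroll action=COPY file=ssn_export.csv result=SUCCESS
2011-09-14T23:43:00Z user=svc_backup role=finance share=HR_Records action=READ file=bonus.xlsx result=DENIED
2011-09-15T08:10:22Z user=fin_aroy role=finance share=Finance_GL action=READ file=q3.xlsx result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict, or None if malformed."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    event = {"ts": match.group("ts")}
    for token in match.group("kv").split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def find_authorized_account_misuse(log_text, entitlements=ENTITLEMENTS):
    """Successful accesses by a valid account to a share its role is not entitled to.

    Denied attempts are deliberately skipped: the point of the slide is that the
    account is authorized and the access succeeds, so nothing was blocked.
    """
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if not event or event.get("result") != "SUCCESS":
            continue
        allowed = entitlements.get(event.get("role"), set())
        if event.get("share") not in allowed:
            findings.append(event)
    return findings


def summarize(findings):
    """Collapse findings to (user, share) counts, the view an analyst triages first."""
    return Counter((f["user"], f["share"]) for f in findings)


if __name__ == "__main__":
    hits = find_authorized_account_misuse(SAMPLE_LOG)
    for (user, share), count in summarize(hits).items():
        print(f"{user} reached {share} outside role entitlement: {count} event(s)")
```

In a real deployment the entitlement map would come from the directory or IAM system rather than a literal, and the `COPY` of an SSN export from a help desk account is the event that should be escalated first.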
17 Incident Management Framework (IMF)
Containment
  Prepare action plans for known “potential” threats.
  The plans must cite the situation or incident and then outline how the response team will react.
  Example:
    Situation: a service account is compromised and is transferring sensitive information out of the network.
    Reaction:
      Capture sensitive data traversing the network
      Identify the role of the service account
      Reset the password for the account or disable it
      Disconnect infected devices from the network
      Quantify the data exfiltrated from the network
      Work with legal regarding notification processes
      Execute analysis procedures
      Execute cleanup procedures
18 Incident Management Framework (IMF)
Mitigation
  Remediation
    Analyze the results of an investigation to determine what is required to clean up the results of the infection.
    Use 3rd party providers to identify vulnerabilities and help mitigate the risk of secondary infection.
  Prevention
    Conduct a “post mortem analysis” of all investigations.
    Learn what went wrong and how it can be prevented in the future.
    Create a robust and repeatable process for vulnerability management.
  Testing
    Develop and execute regular “table top” exercises to test the company’s ability to respond to an incident.
    Leverage hot, warm, and cold testing procedures.
19 Incident Management Framework (IMF)
Legal Counsel
  Litigation Hold
    Ensure plans are in place to disseminate, execute, and validate litigation holds.
  Request for Discovery
    Preparing an “ESI Profile” will significantly help minimize the impact of fulfilling requests for discovery.
  Liability
    Work with internal and external counsel to ensure:
      Notification laws are met
      Non-disclosure agreements are fulfilled
      Service level agreements are accurately defined
  Immediate Response
    Active: ensure there are accurate and up to date procedures in place to react to an incident.
    Passive: engage third party entities to provide immediate incident response support where needed.
    Classify sensitive data to ensure critical information is protected.
20 Incident Management Framework (IMF)
Documentation
  Formal Plan
    All companies must have a formal Incident Management program in place. The program will outline the entity’s strategy regarding incident response and prevention.
    The plan must have full support of top level management.
  Procedures
    There must be formal and documented procedures that outline how employees are to respond in an incident.
    Procedures must be reviewed at least annually and kept up to date and in line with actual practices.
  Roles and Responsibilities
    A formal emergency response team must be defined. The team must include both active players as well as key business stakeholders.
33 POS Keylogger (diagram: Internet, POS Server, Back Office, Processor, POS Server)
34 POS Keylogger
Reseller / Integrator uses global accounts to provide tech support.
Hacker used global remote credentials to access environment.
Keylogger installed on each POS device. Card swipe readers send PAN via standard keyboard I/O.
(Diagram: Internet, POS Server, Back Office, POS Server)
35 ROI on Cyber Defense (chart: scope of compromise vs. time/cost, before and after)
Before: 1st instance of threat, saturation, detection, containment
After: 1st instance of threat, detection, containment
Axes: Scope of compromise, Resources, Time/cost
Uncompromised endpoints
Early exposure of known unknown
Rapid response
Fewer required resources
Rapid remediation
36 ROI on Cyber Defense (Statistics)
The time from the point of detection to containment is referred to as the “Return To Trusted State” (RTTS)
Average RTTS in 2011 was 18 days
  Increase of 4 days over 2010
Average cost of $413,784 per event or $22,896 per day
  Increase of 67% over 2010
The threats range in difficulty to contain (average RTTS):
  Malicious Insider = 45.5 days to contain
  Malicious Code = 41.6 days to contain
  Web-based attacks = 23.5 days to contain
  DOS/DDOS = 13.1 days to contain
  Stolen Devices = 10.7 days to contain
38 DEFEND YOUR NETWORK! Defining YOUR Plan
What are your next steps? ACT NOW!
Plan for an attack on your network.
Implement enterprise grade products in your organization.
Implement a strong security framework.
DEFEND YOUR NETWORK!
We are here and available today to set up one on one meetings with you! This is truly the first step in defending your network!