1 Professional Incident Response. Brooks Garrett / October 16, 2014. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

2 Overview

3 Brooks Garrett
Operations Architect, HP Fortify on Demand, 3 years
– CISSP
Volunteer Firefighter, Georgia, 5 years
– Firefighter I National Professional Qualification
– Hazardous Materials Awareness
– Emergency Medical Responder
Husband and father
Rugby, programming, and tinkering

4 HP Fortify on Demand
Cloud based Application Security as a Service
– Static
– Dynamic
– Mobile
Globally distributed deployments
– 8 environments
– 3 teams
– 5 countries
Coordination when responding isn’t trivial
– Language
– Culture
– Time zones

5 Incident Response

6 “Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident).” – Margaret Rouse, WhatIs.com Editorial Director

7 What is an incident?
A single virus on a single computer
A million viruses on a single computer
A single worm on all the computers
A single worm on all the computers on 3 continents
Your database anywhere it shouldn’t be
Heartland, Target, TJX

8 Incident Response Program
5 phases of incident response
Framework for managing incidents and resources
Framework for improving incident response
System of reporting on incidents
Incident Response Plan

9 Building by copying

10 Incident response is hard
Framework must scale
– One member team
– 20 teams of 5 members each
– One virus
– All the viruses
Organizations that have plans ignore them until “The Big One”
– Too little, too late

11 Who can we copy? Firefighters

12 Professional Responders: Fire, Rescue, Medical

13 Diverse incidents: Small, Large, Chaotic

14 Sound familiar?
Very little information at start of incident
Incidents occur at random intervals
Incidents can be small (cat up a tree, single virus) or massive (Texas fertilizer plant, Target)
Car crash? – Crashing daemons.
Building on fire? – Servers on fire.

15 Incident Response: 1 Preparation, 2 Response, 3 Recovery

16 Preparation
Largest portion of time is in preparation
– 100s of hours preparing for 10 minutes of chaos
Training and Certification
– GIAC GCIH
– FEMA ICS
– Know the plan (or at least where the plan is located)
Pre-incident planning
– Your chance for mulligans
– Build a plan of action for broadly defined events
Rehearsal
– Dry run pre-incident plans
– Tabletop simulation of attacks
– It’s like role playing, just nerdier

17 Incident Response: 1 Preparation, 2 Response, 3 Recovery

18 Response Phases – Fire / Rescue
Preparation: Training, Planning, Rehearsal
Response: Dispatch, Size up, Operations (Alerting, Monitoring, Isolation, Attack plan, Initial response, Elimination, Overhaul, Collection of evidence)
Return to Service: Return to normal operation, After action report

19 Response Phases – IT
Preparation: Training, Planning, Rehearsal
Response: Identification, Containment, Eradication (Alerting, Monitoring, Isolation, Initial response, Elimination, Collection of evidence)
Recovery: Return to normal operation, After action report

20 Identification
Must have “incident” defined
Dispatch is a must
First alert must be uniform for all events, incidents, and disasters
Provides a central place where all information is collected and dispensed
– SOC
– SIEM
– Grepping Syslog
– Email

21 Incident Command System (ICS)
Hierarchical structure providing a clear chain of command
Framework providing clear procedures for management of command and delegation of responsibilities
We can steal this and get free training

22 Incident Command System

23 Role: Incident Command
Ultimate authority during an incident
Also ultimate responsibility for incident response
Must be able to coordinate resources, delegate responsibility, and manage the overall response
10K foot view

24 Role: Information Officer
The information officer is critical
One voice to both internal and external parties
One simple rule: Are you the Information Officer?
– YES, I can talk to people about this incident as authorized by command
– NO, I can’t talk to people

25 Role: Section
Each section is responsible for its assigned area
Receives delegated responsibilities from command
Operates at ground level

26 Adapting ICS
First responder is “Command” and controls the incident
Command can be transferred to other resources as they respond
Who has command isn’t about rank
– Can be anyone at any time
– Should be based on who is most capable of managing the incident
– Transfer of command must be communicated to all resources
Freelancing gets people killed, don’t do it
– Not even once

27 Adapting ICS
We don’t need a safety officer
– Unless you have systems that sustain, protect, or threaten human life
We don’t need a liaison officer
– Unless you will be interfacing with law enforcement, banks, etc.
Add or remove roles as incident size and organizational goals/requirements demand

28 Scaling response within ICS
One person can be all roles for small incidents
Assign officers as needed
– Breach of PII data? You may want a Finance Officer (credit monitoring is expensive)
Roles may be added and removed during the incident as the situation demands
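A toy model of the adapted ICS from slides 26 to 28, added here as an illustration and not code from the talk: the first responder takes Command, a transfer of command is refused until every resource has acknowledged it, roles are added and released as the incident scales, and only the Information Officer may speak externally. The incident id and the names are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Incident:
    incident_id: str
    resources: set[str] = field(default_factory=set)    # everyone responding
    roles: dict[str, str] = field(default_factory=dict)  # role -> person
    log: list[str] = field(default_factory=list)         # comms record for the after action report

    def respond(self, person: str) -> None:
        """First responder on scene is Command; later arrivals just join."""
        self.resources.add(person)
        if "Command" not in self.roles:
            self.roles["Command"] = person
            self.log.append(f"{person} assumed Command")

    def transfer_command(self, to: str, acknowledged_by: set[str]) -> bool:
        """Command can go to anyone, but only once every resource has been told."""
        if to not in self.resources or acknowledged_by != self.resources:
            return False  # an unannounced transfer leaves someone freelancing
        self.roles["Command"] = to
        self.log.append(f"Command transferred to {to}")
        return True

    def assign(self, role: str, person: str) -> None:
        """Add an officer or section as the incident grows."""
        self.resources.add(person)
        self.roles[role] = person

    def release(self, role: str) -> None:
        """Drop a role the incident no longer needs (Command is never dropped)."""
        if role != "Command":
            self.roles.pop(role, None)

    def may_speak_externally(self, person: str) -> bool:
        """One voice: only the Information Officer talks to outside parties."""
        return self.roles.get("Information Officer") == person


def demo() -> Incident:
    """Constructed walk-through: a one-person start that scales up."""
    inc = Incident("INC-0001")                      # constructed sample id
    inc.respond("alice")                            # alone: Command plus every other role
    inc.assign("Information Officer", "alice")
    inc.respond("bob")
    inc.transfer_command("bob", acknowledged_by={"alice", "bob"})
    inc.assign("Finance Officer", "carol")          # PII breach: credit monitoring costs
    return inc
```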

29 Incident Response: 1 Preparation, 2 Response, 3 Recovery

30 After action reports
Consistency is key
Incident Report
– Incident ID
– Date
– Type
– Assets involved
– Resources involved
– Narrative
Response Report
– What worked
– What needs improvement
– Should include the Incident ID for cross reference

31 Reporting Templates
US CERT
National Incident Management System
– ICS Forms Booklet

32 Thank you
Brooks Garrett
E: brooks.garrett@hp.com
W: http://www.brooksgarrett.com
T: @brooksgarrett

33 Credits
Title slide image – Accessed: 6 Oct 2014 – WikiMedia Commons – http://v.gd/ul4owW
Slide 12 image – Accessed: 6 Oct 2014 – WikiMedia Commons – http://v.gd/jxjvz5
Slide 13 – Fire – Accessed: 6 Oct 2014 – WikiMedia Commons – http://v.gd/hVMFcr
Slide 13 – Rescue – Accessed: 6 Oct 2014 – WikiMedia Commons – http://v.gd/CEXxxoHP
Slide 13 – Medical – Accessed: 6 Oct 2014 – WikiMedia Commons – http://v.gd/CEXxxoHP
Slide 14 – Small – Accessed: 6 Oct 2014 – Pixabay – http://v.gd/XvUDvt
Slide 14 – Large – Accessed: 6 Oct 2014 – Reuters – http://v.gd/ChtCxm
Slide 14 – Chaotic – Accessed: 6 Oct 2014 – Getty Images – http://v.gd/xrtAJt
Slide 12 – Rescue – Accessed: 6 Oct 2014 – WikiMedia Commons – http://v.gd/CEXxxoHP

34 Resources
SANS Incident Handler Handbook – Accessed: 6 Oct 2014 – http://v.gd/u9UVvG
FEMA ICS Training – Accessed: 16 Oct 2014 – http://v.gd/TqNdUl
