Identifying and Responding to Security Incidents in the Law Firm
Presented by: Carlos Batista, Information Security Manager, Alston & Bird LLP
(Presentation transcript)
Learning Objectives
- Understand how one law firm developed and enacted a formal Computer Incident Response Team (CIRT)
- Identify key stakeholders in Incident Response
- Identify the most likely scenarios for a computer security breach
- Define a methodology and establish measures for how to respond to such breaches
About Alston & Bird: National, Full-Service Law Firm
- 725 Attorneys, 5 U.S. Offices
- 240 Servers & 2,100 Desktops
- Almost all IT & Security Services Hosted In-House
- 25% of Servers Virtualized
The Benefits of a Computer Incident Response Team (CIRT)
- Proactive approach to responding to a security breach
- Better prepared to collect & analyze forensic-quality evidence
- Less downtime for impacted / breached systems and for un-impacted systems
- Firm's reputation is better preserved by following proper containment strategies
#1 Key to CIRT Planning & Success: Senior Management Support!
How to Form a CIRT – Key Players
Core Team
- Information Security Manager (CIRT Team Leader)
- IT Infrastructure Manager
- Director of I.T.
- Information Security Analyst
- Facilities Manager
Support Team
- Finance Manager
- BC / DR Representative
- H.R. Representative
- Business Development / Public Relations
- Attorney / Loss Prevention
- C.I.O.
Identify Likely Breach Scenarios
There are many security breach scenarios – you need to narrow them down to a few and address how to respond to those. We chose to develop responses to four scenarios:
- Significant Computer or Network Equipment Theft
- Compromise of Firm's Website
- Virus or Worm Outbreak on the Network
- Unauthorized Disclosure by Electronic Means
Identify a Methodology for Responding
Response scenarios are typically easier to devise when an overall strategy or methodology is followed. We chose the PDCERF model (Schultz & Shumway) for incident response.
PDCERF Methodology Defined
- Preparation – Being ready to respond before an incident actually occurs.
- Detection – Determining that something malicious has actually occurred.
- Containment – Limiting the extent of an incident, preventing further damage from occurring.
- Eradication – Finding and eliminating the root cause or causes that made the incident possible.
- Recovery – Restoring the environment to its pre-incident state, but protected so the incident cannot reoccur.
- Follow-Up – Reviewing and integrating lessons learned into your incident response plans and security operations.
Scenario #2 – Compromise of Firm's Website
Preparation
- Determined Incident Response Posture & Obtained Approval
- Configured FW, IDS/IPS Optimally for Attack Detection
- Configured Web Server & Database Logging
- Created Known-Good System Backups with MD5 Hashes
- Synchronized Network Time across All Devices
- Established Relationship with InfraGard (FBI)
- Created CIRT Calling Tree
- Created Maintenance Website
- Built Documentation on CIRT Framework and Cutover Procedures
- Prepared to Record Everything During an Incident (Timeline)
Detection
- Interfaced with Support Groups / Help Center to Define a Notification Plan
- Defined SLAs for Initial Response, First Meeting, and Incident Updates to Management
- Defined Procedures for Initial Evidence Gathering
- Created Secure Repository for All Digital Evidence
Containment
- VMware Guest Machines for Website Paused
- VMware Files Copied to a Forensic Server
- Impacted Hosts Segmented from Rest of Network
- Full Disclosure Kept Strictly Confidential
- Help Center Instructed to Inform Others That the Website Is Experiencing Technical Difficulties
- External Parties Not Contacted (Not Currently)
Eradication
- Depends Largely on the Determined Root Cause
- May Involve Software Updates, Software Removal, Configuration Changes, Better Change Control, Operational Security, Physical Security, etc.
- Changes Tested in QA / Development Environment as Much as Possible
Recovery
- All Impacted Systems Are Flattened and Rebuilt
- Rebuilds Performed from Certified Known-Good Backup (MD5)
- Procedures Developed for Rebuild to Minimize Possibility of Breach Reoccurring
- Mitigations to Address Root Cause of Breach Implemented
- Validation Testing Performed
- Access to Fully Operational Website Re-enabled
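The Preparation and Recovery slides both rely on a certified known-good backup with MD5 hashes: during detection it shows which files on the compromised web host differ from the baseline, and after a rebuild it validates that the restored tree matches the certified copy. The following is an added example, not code from the presentation or from Alston & Bird; the function names, the tiny constructed web root, and the simulated changes in demo() are assumptions. MD5 is used to match the slides; pass "sha256" for a collision-resistant baseline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical helpers: the slides only state that known-good backups were
# certified with MD5 hashes and that rebuilds are validated against them.

def file_digest(path, algo="md5"):
    """Stream a file through hashlib so large backups are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, algo="md5"):
    """Map relative path -> digest for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_digest(p, algo)
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def verify_manifest(root, manifest, algo="md5"):
    """Compare a live tree against the certified manifest.
    Returns added / removed / modified relative paths; all empty means the
    rebuilt tree matches the known-good baseline."""
    current = build_manifest(root, algo)
    base, live = set(manifest), set(current)
    return {
        "added": sorted(live - base),
        "removed": sorted(base - live),
        "modified": sorted(p for p in base & live if manifest[p] != current[p]),
    }

def demo():
    """Constructed sample: certify a tiny web root, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Firm</h1>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body{}")
        manifest = build_manifest(root)            # certified known-good baseline
        (root / "index.html").write_text("defaced")   # simulated page change
        (root / "unexpected.txt").write_text("x")     # simulated file added
        (root / "css" / "site.css").unlink()          # simulated file removed
        return verify_manifest(root, manifest)
```

Store the manifest in the secure evidence repository rather than on the web host itself, so a compromise of the host cannot also rewrite the baseline.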
Follow-Up
Post-Mortem Meetings to Review the Following:
- Timeline
- Response Time
- Recovery Procedures
- Evidence Gathered
- Investigatory Next Steps – If Applicable
- Parties Involved – Should Others Be Brought In?
- Disposition of Evidence
- What Can Be Done Better?
- Update Scenario Response Plan
CIRT – Next Steps
- Continue Working on Scenarios – Incident Response Is a Process, Not a Project
- Implement Syslog Server
- Investigate Using Tripwire for Integrity Checking
- Integrate AlertFind into CIRT Procedures
- Actively Test Scenarios – Challenging Because Downtime Is Required
References
- Schultz & Shumway: Incident Response – A Strategic Guide to Handling System and Network Security Breaches.
- Mandia, Prosise & Pepe: Incident Response & Computer Forensics (2nd Edition).
- SANS Institute (sans.org)
Questions / Comments?
"In God we trust… all others we virus scan." – Anonymous