Identifying and Responding to Security Incidents in the Law Firm

1 Identifying and Responding to Security Incidents in the Law Firm
Presented by: Carlos Batista, Information Security Manager, Alston & Bird LLP

2 Learning Objectives
- Understand how one law firm developed and enacted a formal Computer Incident Response Team (CIRT)
- Identify key stakeholders in Incident Response
- Identify most likely scenarios for a computer security breach
- Define a methodology and establish measures for how to respond to such breaches

3 About Alston & Bird:
- National, Full-Service Law Firm
- 725 Attorneys, 5 U.S. Offices
- 240 Servers & 2,100 Desktops
- Almost all IT & Security Services Hosted In-House
- 25% of Servers Virtualized

4 The Benefits of a Computer Incident Response Team (CIRT)
- Proactive approach to responding to a security breach
- Better prepared to collect & analyze forensic quality evidence
- Less downtime to impacted / breached & un-impacted systems
- Firm’s reputation is better preserved by following proper containment strategies

5 #1 Key to CIRT Planning & Success:
Senior Management Support!

6 How to Form a CIRT – Key Players
Core Team
- Information Security Manager (CIRT Team Leader)
- IT Infrastructure Manager
- Director of I.T.
- Information Security Analyst
- Facilities Manager
Support Team
- Finance Manager
- BC / DR Representative
- H.R. Representative
- Business Development / Public Relations
- Attorney / Loss Prevention
- C.I.O.

7 Identify Likely Breach Scenarios
There are many security breach scenarios – you need to narrow them down to a few and address how to respond to those. We chose to develop responses to four scenarios:
1. Significant Computer or Network Equipment Theft
2. Compromise of Firm’s Website
3. Virus or Worm Outbreak on the Network
4. Unauthorized Disclosure by Electronic Means

8 Identify a Methodology for Responding
Response scenarios are typically easier to devise when an overall strategy or methodology is followed. We chose the PDCERF model (Schultz & Shumway) for incident response.

9 PDCERF Methodology Defined
- Preparation – Being ready to respond before an incident actually occurs.
- Detection – Determining that something malicious has actually occurred.
- Containment – Limiting the extent of an incident, preventing further damage from occurring.
- Eradication – Finding and eliminating the root cause or causes that made the incident possible.
- Recovery – Restoring the environment to its pre-incident state but protected so the incident cannot reoccur.
- Follow-Up – Reviewing and integrating “lessons learned” into your incident response plans and security operations.

10 Scenario #2 – Compromise of Firm’s Website

11 Preparation
- Determined Incident Response Posture & Obtained Approval
- Configured FW, IDS/IPS Optimally for Attack Detection
- Configured Web Server & Database Logging
- Created Known-Good System Backups with MD5 Hashes
- Synchronized Network Time across All Devices
- Established Relationship with Infragard (FBI)
- Created CIRT Calling Tree
- Created “Maintenance” Website
- Built Documentation on CIRT Framework and Cutover Procedures
- Prepare to Record Everything During an Incident (Timeline)

12 Detection
- Interfaced with Support Groups / Help Center to define a Notification Plan
- Defined SLAs for Initial Response, First Meeting, and Incident Updates to Management
- Defined Procedures for Initial Evidence Gathering
- Created Secure Repository for All Digital Evidence

13 Containment
- VMware Guest Machines For Website Paused
- VMware Files Copied to a Forensic Server
- Impacted Hosts Segmented From Rest of Network
- Full Disclosure Kept Strictly Confidential
- Help Center Instructed to Inform Others Website is Experiencing “Technical Difficulties”
- External Parties Not Contacted (Not Currently)

14 Eradication
- Depends Largely On The Determined Root Cause
- May Involve Software Updates, Software Removal, Configuration Changes, Better Change Control, Operational Security, Physical Security, etc.
- Changes Tested in QA / Development Environment As Much as Possible

15 Recovery
- All Impacted Systems Are Flattened And Rebuilt
- Rebuilds Performed From Certified Known Good Backup (MD5)
- Procedures Developed for Rebuild to Minimize Possibility Of Breach Reoccurring
- Mitigations to Address Root Cause of Breach Implemented
- Validation Testing Performed
- Access to Fully Operational Website Re-enabled
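
The Preparation and Recovery slides both rely on hashed known-good backups. The sketch below is an added example, not part of the original presentation: it records a manifest when a backup is certified and checks the backup against it before a rebuild. The file names are constructed samples, and recording SHA-256 alongside the MD5 named on the slides is an assumption of this example.

```python
import hashlib
import os
import tempfile

def file_digests(path, chunk=1 << 20):
    """Return (md5, sha256) hex digests of one file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()

def build_manifest(root):
    """Preparation: map each file path (relative to root) to its digests."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_digests(full)
    return manifest

def verify_backup(root, manifest):
    """Recovery: compare a backup tree with its manifest before rebuilding."""
    now = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in now and now[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in now),
        "unexpected": sorted(p for p in now if p not in manifest),
    }

def write(root, name, data):
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(data)

def demo():
    """Constructed sample: a small backup tree changed after it was hashed."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "index.html", b"<h1>Firm</h1>")
        write(root, "web.config", b"<configuration/>")
        manifest = build_manifest(root)   # taken when the backup is certified
        clean = verify_backup(root, manifest)
        write(root, "index.html", b"<h1>Changed</h1>")   # content altered
        os.remove(os.path.join(root, "web.config"))        # file removed
        write(root, "new.txt", b"not in manifest")         # file added
        return clean, verify_backup(root, manifest)

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the manifest, so the manifest belongs on storage separate from the backup it describes.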

16 Follow-Up
- Post-Mortem Meetings to Review the Following:
  - Timeline
  - Response Time
  - Recovery Procedures
  - Evidence Gathered
  - Investigatory Next Steps - If Applicable
  - Parties Involved – Should Others Be Brought In?
  - Disposition of Evidence
  - What Can Be Done Better?
- Update Scenario Response Plan

17 CIRT – Next Steps
- Continue Working on Scenarios – Incident Response is a Process, not a Project
- Implement Syslog Server
- Investigate using Tripwire for Integrity Check
- Integrate AlertFind Into CIRT Procedures
- Actively Test Scenarios – Challenging Because Downtime is Required

18 References
- Schultz & Shumway: Incident Response – A Strategic Guide to Handling System and Network Security Breaches.
- Mandia, Prosise & Pepe: Incident Response & Computer Forensics (2nd Edition).
- SANS Institute (

19 Questions / Comments?
“In God we trust…all others we virus scan.” - Anonymous
