Presentation transcript: "Identifying and Responding to Security Incidents in the Law Firm"

1 Identifying and Responding to Security Incidents in the Law Firm
Presented by: Carlos Batista, Information Security Manager, Alston & Bird LLP
2 Learning Objectives
- Understand how one law firm developed and enacted a formal Computer Incident Response Team (CIRT)
- Identify key stakeholders in Incident Response
- Identify the most likely scenarios for a computer security breach
- Define a methodology and establish measures for how to respond to such breaches
3 About Alston & Bird: National, Full-Service Law Firm
- 725 Attorneys, 5 U.S. Offices
- 240 Servers & 2,100 Desktops
- Almost all IT & Security Services Hosted In-House
- 25% of Servers Virtualized
4 The Benefits of a Computer Incident Response Team (CIRT)
- Proactive approach to responding to a security breach
- Better prepared to collect & analyze forensic-quality evidence
- Less downtime to impacted / breached & un-impacted systems
- Firm’s reputation is better preserved by following proper containment strategies
6 How to Form a CIRT – Key Players
Core Team:
- Information Security Manager (CIRT Team Leader)
- IT Infrastructure Manager
- Director of I.T.
- Information Security Analyst
- Facilities Manager
Support Team:
- Finance Manager
- BC / DR Representative
- H.R. Representative
- Business Development / Public Relations
- Attorney / Loss Prevention
- C.I.O.
7 Identify Likely Breach Scenarios
There are many security breach scenarios – you need to narrow them down to a few and address how to respond to those. We chose to develop responses to four scenarios:
- Significant Computer or Network Equipment Theft
- Compromise of Firm’s Website
- Virus or Worm Outbreak on the Network
- Unauthorized Disclosure by Electronic Means
8 Identify a Methodology for Responding
Response scenarios are typically easier to devise when an overall strategy or methodology is followed. We chose the PDCERF model (Schultz & Shumway) for incident response.
9 PDCERF Methodology Defined
- Preparation – Being ready to respond before an incident actually occurs.
- Detection – Determining that something malicious has actually occurred.
- Containment – Limiting the extent of an incident, preventing further damage from occurring.
- Eradication – Finding and eliminating the root cause or causes that made the incident possible.
- Recovery – Restoring the environment to its pre-incident state, but protected so the incident cannot reoccur.
- Follow-Up – Reviewing and integrating “lessons learned” into your incident response plans and security operations.
11 Preparation
- Determined Incident Response Posture & Obtained Approval
- Configured FW, IDS/IPS Optimally for Attack Detection
- Configured Web Server & Database Logging
- Created Known-Good System Backups with MD5 Hashes
- Synchronized Network Time across All Devices
- Established Relationship with InfraGard (FBI)
- Created CIRT Calling Tree
- Created “Maintenance” Website
- Built Documentation on CIRT Framework and Cutover Procedures
- Prepared to Record Everything During an Incident (Timeline)
12 Detection
- Interfaced with Support Groups / Help Center to Define a Notification Plan
- Defined SLAs for Initial Response, First Meeting, and Incident Updates to Management
- Defined Procedures for Initial Evidence Gathering
- Created Secure Repository for All Digital Evidence
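The Preparation slide's last item (record everything during an incident, on synchronized clocks) and the Detection slide's evidence repository come together in a single artifact: an incident timeline that cannot be quietly edited afterwards. The following is an added example, not code from the original presentation or from the firm; it assumes only Python's standard library, and the incident id, actors and evidence bytes in the demo are constructed. Each entry records a UTC timestamp, who logged it and what happened, optionally the SHA-256 of an evidence item being registered, and a hash of the previous entry, so any later edit or deletion breaks the chain and is reported by `verify()`.

```python
# Added example: a tamper-evident incident timeline with evidence registration.
# Timestamps are UTC and are only comparable across devices because network time
# was synchronized beforehand (Preparation slide). Each entry hashes the previous
# one, so rewriting or dropping history is detectable.
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain value "before" the first entry


def _entry_hash(entry):
    # Hash the canonical JSON of everything except the stored hash itself.
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class IncidentTimeline:
    def __init__(self, incident_id, clock=None):
        self.incident_id = incident_id
        self.entries = []
        # clock is injectable so the demo is deterministic; defaults to UTC now
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def record(self, actor, event, evidence=None):
        """Append an entry. `evidence` is the raw bytes of an item being registered;
        its SHA-256 goes in the log so the copy in the secure repository can be
        matched against it later."""
        entry = {
            "seq": len(self.entries),
            "incident": self.incident_id,
            "time_utc": self._clock().isoformat(),
            "actor": actor,
            "event": event,
            "evidence_sha256": hashlib.sha256(evidence).hexdigest() if evidence is not None else None,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute every hash and check the links. Returns (ok, first_bad_seq)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev or _entry_hash(entry) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def _fixed_clock():
    # Constructed clock: one minute per call, starting 09:00 UTC, for a repeatable demo.
    minutes = iter(range(60))
    return lambda: datetime(2024, 1, 1, 9, next(minutes), tzinfo=timezone.utc)


def demo():
    """Constructed scenario following the Detection slide's flow: notification, first
    meeting, evidence registration, then an after-the-fact edit that verify() catches."""
    tl = IncidentTimeline("IR-EXAMPLE-001", clock=_fixed_clock())  # placeholder incident id
    tl.record("help.center", "Website outage reported to Help Center")
    tl.record("isec.manager", "CIRT calling tree activated; first meeting scheduled")
    tl.record("isec.analyst", "Paused VM files copied to forensic server",
              evidence=b"<constructed stand-in for the copied VM image>")
    before = tl.verify()
    tl.entries[1]["event"] = "first meeting skipped"  # someone rewrites history later
    after = tl.verify()
    return {"entries": len(tl.entries), "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The chain only proves that the log you hold is the one that was written; to prove it against someone who controls the log file, periodically copy the latest entry hash somewhere the responders cannot alter (a printed incident binder, or an e-mail to the CIRT distribution list).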
13 Containment
- VMware Guest Machines for Website Paused
- VMware Files Copied to a Forensic Server
- Impacted Hosts Segmented from Rest of Network
- Full Disclosure Kept Strictly Confidential
- Help Center Instructed to Inform Others Website Is Experiencing “Technical Difficulties”
- External Parties Not Contacted (Not Currently)
14 Eradication
- Depends Largely on the Determined Root Cause
- May Involve Software Updates, Software Removal, Configuration Changes, Better Change Control, Operational Security, Physical Security, etc.
- Changes Tested in QA / Development Environment as Much as Possible
15 Recovery
- All Impacted Systems Are Flattened and Rebuilt
- Rebuilds Performed from Certified Known-Good Backup (MD5)
- Procedures Developed for Rebuild to Minimize Possibility of Breach Reoccurring
- Mitigations to Address Root Cause of Breach Implemented
- Validation Testing Performed
- Access to Fully Operational Website Re-enabled
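The known-good backups with MD5 hashes on the Preparation slide and the certified rebuild on this Recovery slide rest on one mechanism: a hash manifest taken before any incident, then checked against the rebuilt system before it is put back into service. The following is an added example, not the firm's tooling or anything from the original presentation; it assumes only Python's standard library and a directory tree to baseline, and the web-root files in the demo are constructed. It records MD5 to match what the slides describe, but stores and checks SHA-256 alongside it, because MD5 collisions are practical and a current integrity baseline should not rely on MD5 alone. The manifest's own digest is returned so it can be kept out of band; a manifest that can be rewritten along with the backup certifies nothing.

```python
# Added example: baseline a directory of known-good files at preparation time and
# verify a rebuilt tree against that baseline at recovery time. Standard library only.
# MD5 is kept to match the slides; SHA-256 is recorded and checked alongside it.
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # stream files in 1 MiB pieces so large backups are not read into memory


def hash_file(path):
    """Return (md5, sha256) hex digests of one file."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def build_manifest(root):
    """Record size and hashes of every regular file under root, keyed by relative POSIX path."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        md5, sha = hash_file(path)
        manifest[path.relative_to(root).as_posix()] = {
            "size": path.stat().st_size, "md5": md5, "sha256": sha}
    return manifest


def manifest_digest(manifest):
    """SHA-256 of the canonical JSON form. Keep this value out of band (incident binder,
    offline media) so the manifest itself cannot be silently edited."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def load_manifest(path, expected_digest):
    """Load a manifest and refuse it if it no longer matches the out-of-band digest."""
    manifest = json.loads(Path(path).read_text())
    if manifest_digest(manifest) != expected_digest:
        raise ValueError("manifest digest mismatch: the manifest itself may have been altered")
    return manifest


def verify_tree(root, manifest):
    """Compare a (rebuilt) tree against the baseline. Returns lists of 'missing' (in the
    manifest, not on disk), 'modified' (hash differs) and 'unexpected' (on disk, not in
    the manifest) paths, plus 'ok', which is True only when all three lists are empty."""
    root = Path(root)
    on_disk = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    report = {"missing": [], "modified": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = on_disk.pop(rel, None)
        if path is None:
            report["missing"].append(rel)
            continue
        md5, sha = hash_file(path)
        if sha != expected["sha256"] or md5 != expected["md5"]:
            report["modified"].append(rel)
    report["unexpected"] = sorted(on_disk)  # whatever the manifest did not claim
    report["missing"].sort()
    report["modified"].sort()
    report["ok"] = not (report["missing"] or report["modified"] or report["unexpected"])
    return report


def demo():
    """Constructed scenario: baseline a small web root, verify it clean, then simulate a
    rebuild that drifted (one file altered, one removed, one added) and a tampered manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp) / "webroot"
        (web / "css").mkdir(parents=True)
        (web / "index.html").write_text("<html>known-good home page</html>")
        (web / "css" / "site.css").write_text("body { color: black; }")
        (web / "robots.txt").write_text("User-agent: *\n")

        manifest_path = Path(tmp) / "manifest.json"
        manifest = build_manifest(web)
        manifest_path.write_text(json.dumps(manifest, sort_keys=True, indent=2))
        digest = manifest_digest(manifest)  # the value to keep out of band
        clean = verify_tree(web, load_manifest(manifest_path, digest))

        (web / "index.html").write_text("<html>known-good home page</html><!-- edited -->")
        (web / "robots.txt").unlink()
        (web / "extra.php").write_text("<?php // file that was never in the baseline ?>")
        drifted = verify_tree(web, load_manifest(manifest_path, digest))

        try:  # a manifest that no longer matches its recorded digest must be rejected
            load_manifest(manifest_path, "0" * 64)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"clean": clean, "drifted": drifted, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In use, `build_manifest` runs against the certified backup when it is created, and `verify_tree` runs against the rebuilt host as part of the validation testing step; anything in `unexpected` or `modified` is a reason not to re-enable access yet.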
16 Follow-Up
Post-Mortem Meetings to Review the Following:
- Timeline
- Response Time
- Recovery Procedures
- Evidence Gathered
- Investigatory Next Steps – If Applicable
- Parties Involved – Should Others Be Brought In?
- Disposition of Evidence
- What Can Be Done Better?
- Update Scenario Response Plan
17 CIRT – Next Steps
- Continue Working on Scenarios – Incident Response Is a Process, Not a Project
- Implement Syslog Server
- Investigate Using Tripwire for Integrity Checking
- Integrate AlertFind into CIRT Procedures
- Actively Test Scenarios – Challenging Because Downtime Is Required
18 References
- Schultz & Shumway: Incident Response – A Strategic Guide to Handling System and Network Security Breaches.
- Mandia, Prosise & Pepe: Incident Response & Computer Forensics (2nd Edition).
- SANS Institute (sans.org)
19 Questions / Comments?
“In God we trust…all others we virus scan.” – Anonymous