© 2017 SPLUNK INC. © 2017 SPLUNK INC. Why is the IR Plan Important? True Stories of Incident Response NCHICA Incident Response 101 Matt Portnoy | Senior Systems Engineer - Splunk August 2, 2019


Page 1: © 2017 SPLUNK INC. Why is the IR Plan Important? True ... · © 2017 SPLUNK INC. Ripped From the Headlines From The New York Times –July 29, 2019

Why is the IR Plan Important? True Stories of Incident Response

NCHICA Incident Response 101

Matt Portnoy | Senior Systems Engineer - Splunk

August 2, 2019

Page 2: Six Phases of the Incident Response Process

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

Page 3: Ripped From the Headlines

From The New York Times – July 29, 2019

Page 4: Some Related Statistics: part 1

Large companies have to thwart hundreds of thousands of cyberattacks every single day. Data thieves have to get lucky only once.

“Already this year, there have been 3,494 successful cyberattacks against financial institutions.

“Mastercard, for example, combats some 460,000 intrusion attempts in a typical day, up 70 percent from a year ago.

“The average cost of a security breach in the United States has escalated in recent years to $8.2 million, according to a study by IBM Security and the Ponemon Institute.

Page 5: Some Related Statistics: part 2

“More than 11 billion records are known to have been exposed in data breaches since 2005, according to a tracker maintained by the Privacy Rights Clearinghouse.

“JPMorgan Chase spends nearly $600 million a year on security, and Bank of America’s chief executive has said the bank’s security team has a “blank check” for its spending.

“But attackers keep slipping through.

“Capital One learned about the attack from an outsider about three months after it happened.

Page 6: Not ‘If’ but ‘When’

No one is immune

Page 7: Why does this keep happening?

In security, trust is not always a good thing.

▶ This is difficult to prevent.

▶ More data is stored online for availability, convenience, and speed.

▶ Bad actors are constantly changing and leveling up their tactics.

▶ Organizations are challenged with cost pressures and shifting priorities.

▶ Organizational change is hard.

▶ We know what to do, but…

Page 8: The Stories are True. The Names have(n’t) been changed…

Page 9: Equifax

The Equifax breach in 2017 affected 147.9 million consumers, exposing personal information such as Social Security numbers, dispute documents, and credit card numbers. The breach was the result of negligence: Equifax had failed to patch a known Apache Struts vulnerability (CVE-2017-5638) for about two months after the fix was published. Shortly after the breach went public, an independent IT security firm uncovered another weakness, this time in the company’s Argentine operations: an online employee tool used in that country could be accessed with “admin” as both the username and the password, granting access to customer data including national identity numbers.

Page 10: Panera Bread

A vulnerability in Panera Bread’s online ordering portal leaked customer data for as many as 37 million accounts, including names, usernames, email addresses, and phone numbers. Security researcher Dylan Houlihan had reported the flaw to Panera eight months before it became public. Panera Bread’s inaction led Houlihan to involve Brian Krebs, the cybercrime investigative reporter, who broke the news in a post on KrebsOnSecurity. Panera Bread responded by taking its site down for about an hour, claimed the issue was fixed, and said it had affected only about 10 thousand customers. However, Krebs found that the issue had not been fully addressed, and the same vulnerability existed in the company’s catering application.

Page 11: Under Armour

Hackers breached Under Armour’s MyFitnessPal app in late February 2018, compromising the usernames, email addresses, and passwords of roughly 150 million users. Although the passwords were hashed, Under Armour admitted that only a portion of them had been hashed with bcrypt, a function designed to be slow for password storage. The rest were protected with SHA-1, a fast general-purpose hash that is not suited to storing passwords and leaves them open to offline guessing once the hashes leak.

PumpUp, a fitness app, left a backend server on Amazon Web Services exposed without a password, revealing health data and private messages of six million users. In some cases, even unencrypted credit card data, including card numbers, expiry dates, and card verification values, was exposed.
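The bcrypt-versus-SHA-1 point on this slide is worth seeing in code, so here is an added worked example (not code from the slides, Splunk, or Under Armour) that runs the same offline wordlist attack against a constructed set of leaked records stored two ways. Python’s standard library has no bcrypt, so the example uses salted, iterated PBKDF2-HMAC-SHA256 as a stand-in with the same cost structure; the accounts, passwords, and wordlist are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real MyFitnessPal data): two users share a password.
USERS = {
    "alice": "password",
    "bob": "fitness2018",
    "carol": "password",
    "dave": "Tr0ub4dor&3-long",
}

# Constructed attacker wordlist; bob's password sits at index 3, dave's is absent.
WORDLIST = ["password", "123456", "letmein", "fitness2018", "qwerty", "Summer18"]


def sha1_hash(password: str) -> str:
    """The weak scheme: one fast, unsalted SHA-1 over the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def sha1_records(users: dict) -> dict:
    """Store every user the weak way."""
    return {u: sha1_hash(p) for u, p in users.items()}


def slow_hash(password: str, salt: bytes, iterations: int) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, used here as a stand-in for bcrypt
    (assumption: bcrypt is not in the standard library; the cost structure is the point)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def slow_records(users: dict, iterations: int = 100_000) -> dict:
    """Store every user with a fresh 16-byte random salt, so equal passwords differ on disk."""
    return {u: slow_hash(p, os.urandom(16), iterations) for u, p in users.items()}


def slow_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_sha1(records: dict, wordlist: list) -> tuple:
    """Offline guessing against unsalted SHA-1. Returns (cracked, hash_ops).
    One SHA-1 per candidate word tests every user at once via a lookup table."""
    table = {sha1_hash(w): w for w in wordlist}
    cracked = {u: table[h] for u, h in records.items() if h in table}
    return cracked, len(wordlist)


def crack_slow(records: dict, wordlist: list) -> tuple:
    """The same wordlist against salted, iterated hashes. Returns (cracked, hash_ops),
    counting HMAC iterations: the salt forces per-user work, the count multiplies it."""
    cracked, hash_ops = {}, 0
    for user, stored in records.items():
        iterations = int(stored.split("$")[1])
        for word in wordlist:
            hash_ops += iterations
            if slow_verify(word, stored):
                cracked[user] = word
                break
    return cracked, hash_ops


if __name__ == "__main__":
    weak = sha1_records(USERS)
    found, ops = crack_sha1(weak, WORDLIST)
    print("SHA-1: cracked", found, "with", ops, "hash operations")
    print("alice and carol share a SHA-1 hash:", weak["alice"] == weak["carol"])
    strong = slow_records(USERS, iterations=100_000)
    found, ops = crack_slow(strong, WORDLIST)
    print("PBKDF2: cracked", found, "with", ops, "hash operations")
```

With unsalted SHA-1, six hash computations crack three of four users, and alice and carol are visibly the same password before any guessing starts. With the salted, iterated scheme the same wordlist still finds the weak passwords, but the attacker pays the full iteration count for every guess against every user, which is the property bcrypt provides and the portion of MyFitnessPal hashes stored as SHA-1 lacked.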

Page 12: eBay

“Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network.” Using these employee log-ins, the attackers attempted to steal sensitive customer data.

However, as reported in The Washington Post article, “No financial information, including credit card numbers, were stolen.” Thankfully, relatively fast notification of affected customers gave them the chance to change their account passwords and (hopefully) avoid having their accounts abused.

Page 13: Yahoo!

According to a CNN Business article, the “data breach at Yahoo in August 2013 affected every single customer account that existed at the time, Yahoo parent company Verizon said on Tuesday. That's three billion accounts.”

The worst part? The actual number of breached accounts was severely under-reported for years. It wasn’t until 2017 that the number of breached accounts was found to be 3 billion; up to that point, it was assumed to be “only” 1 billion.

Page 14: The Never-Ending Battle for…

There is hope

Page 15: Six Phases of the Incident Response Process

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

Page 16: (Part of) An Incident Response Plan

Page 17: Some Key Takeaways

1. Basic hygiene is fundamental. Don’t skip the obvious or the easy things.

2. Have a serious plan that everyone owns. During an incident, follow the plan.

3. Evolve. Opponents are evolving. If you don’t keep up…

Page 18: Q&A

Matt Portnoy – Senior Systems Engineer - Splunk

Page 19: Thank You