How to stop Target-like breaches in their tracks

DESCRIPTION

We all know that Target-like breaches aren't completely preventable. But does that mean we're doomed and powerless? Not even close. A decisive response effort can dramatically reduce the impact of a breach, potentially stopping attacks in their tracks before sensitive data is lost. This webinar will show you how. Using the Target breach as a case study, it will demonstrate how timely detection and threat intelligence integrated with incident response management could have stopped the attack cold.

Our featured speakers for this webinar will be:
- Tim Armstrong, Security Incident Response Specialist, Co3 Systems
- Colin Henderson, Principal Consultant Security Intelligence & Operations, HP, Enterprise Security Products

TRANSCRIPT
How To Stop Target-Like Breaches In Their Tracks
Agenda
• Introductions
• Today’s reality with retail breaches
• Retail breach response – the good and the bad
• Intelligent response defined
• Intelligent response demo
• Recap
• Q&A
Introductions: Today’s Speakers
• Ted Julian, CMO, Co3 Systems
• Tim Armstrong, Incident Response Specialist, Co3 Systems
• Colin Henderson, Principal Security Consultant, HP
About Co3
PREPARE: Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (firedrills / table tops)
ASSESS: Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries
MANAGE: Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence
MITIGATE: Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
HP Security Intelligence & Operations Consulting
Experience:
• Founded 2008
• 30+ Fortune 500 & Fed SOC Builds
• 100+ SOC Assessments
Solution Approach:
• People, Process, & Technology
Accelerated Success:
• Mature Project Methodology
• Best Practices
• Extensive Intellectual Capital
Expertise:
• 50+ Years of SOC Experience in SIOC Leadership team alone
TODAY’S REALITY
What is so important about these numbers?
94
71
416
416 days is the average time to detect a breach
Source: Ponemon Institute
94% of breaches are reported by a 3rd party
Source: Ponemon Institute
71% more time is needed to resolve a breach
Source: Ponemon Institute
Target Timeline – what we think we know
• DOJ contacts Target to inform them of the breach
• Target meets with DOJ / USSS
• Target retains investigators
• More malware removed from 25 disconnected terminals
• Target notifies payment processors and card brands – begins malware removal
• Public breach notification
• Hackers break in using credentials from PA HVAC contractor
Target Timeline
• Hackers break in using credentials from PA HVAC contractor
• DOJ contacts Target to inform them of the breach
In the 4 weeks between the initial breach and the DOJ call, how could you break the kill chain?
• What would you look for?
• How would you find it?
• What would you do then?
POLL
RETAIL BREACH RESPONSE
All things great and small
• Victims come in all sizes
• Some have good controls in place, others do not
Good controls are not a guarantee
• Even companies with great controls have been breached
• Layered defenses and multiple controls are required
• Early detection should be the goal
Good practices
• Physical separation of payment card network & systems
  • Easier monitoring
  • Required by PCI
• Restrict access to data center and corporate resources from store locations
• Modeling business processes
• Active monitoring programs (i.e. – SOC)
(Diagram: Corporate, Data Center, Stores)
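The timeline slide asks what you would look for in the weeks between the initial break-in and the DOJ call, and the good-practices slide answers in outline: segment the payment network, restrict what store locations may reach in the data center, and monitor actively. The script below is an added example, not code from the webinar, Co3 or HP, of how those outlines become a detection: it parses identity-attributed flow records, checks each against a segmentation policy and against the zones an account type is expected to touch, matches addresses against an indicator feed, and ranks the users to triage first. The zone names, account types, policy, indicator address and log lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed segmentation policy (hypothetical zone names): which source zone
# may open connections into which destination zone. The payment segment is
# reachable only from the data center, and the vendor portal is a dead end.
ALLOWED_PATHS = {
    "internet": {"vendor_portal"},
    "vendor_portal": set(),
    "store": {"store"},
    "corporate": {"corporate", "datacenter"},
    "datacenter": {"datacenter", "payment"},
}

# Constructed expectation of which zones each account type should ever touch.
ACCOUNT_ZONES = {
    "vendor": {"vendor_portal"},
    "store": {"store"},
    "employee": {"corporate", "datacenter"},
}

# Constructed threat-intelligence indicator list (documentation address, not a real IoC).
IOC_IPS = {"203.0.113.77"}

# Weight per finding class, used to rank which user to look at first.
WEIGHTS = {"threat intel": 3, "segmentation": 2, "account scope": 1}

LOG_RE = re.compile(
    r"(?P<ts>\S+) flow user=(?P<user>\S+) type=(?P<atype>\S+) "
    r"src=(?P<src>\S+) src_zone=(?P<src_zone>\S+) "
    r"dst=(?P<dst>\S+) dst_zone=(?P<dst_zone>\S+)"
)

# Constructed sample records: identity-attributed flows as a SIEM might emit them.
SAMPLE_LOGS = """\
2013-11-15T08:01:10Z flow user=hvac-vendor1 type=vendor src=198.51.100.9 src_zone=internet dst=10.0.5.4 dst_zone=vendor_portal
2013-11-15T08:03:44Z flow user=hvac-vendor1 type=vendor src=10.0.5.4 src_zone=vendor_portal dst=10.0.20.15 dst_zone=datacenter
2013-11-15T09:12:00Z flow user=store0231 type=store src=10.31.0.8 src_zone=store dst=10.0.20.15 dst_zone=datacenter
2013-11-15T09:30:31Z flow user=jdoe type=employee src=10.1.1.20 src_zone=corporate dst=10.0.20.15 dst_zone=datacenter
2013-11-16T02:14:55Z flow user=svc-pos type=employee src=10.0.20.15 src_zone=datacenter dst=203.0.113.77 dst_zone=internet
this line is not a flow record and is skipped
"""


@dataclass
class Finding:
    ts: str
    user: str
    kind: str      # one of the keys of WEIGHTS
    detail: str


def parse(line):
    """Return the record's fields, or None for a line that is not a flow record."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def evaluate(ev):
    """Apply the three checks to one record and return the findings it raises."""
    findings = []
    src_zone, dst_zone = ev["src_zone"], ev["dst_zone"]
    if dst_zone not in ALLOWED_PATHS.get(src_zone, set()):
        findings.append(Finding(ev["ts"], ev["user"], "segmentation",
                                f"{src_zone} -> {dst_zone} is not a permitted path"))
    if dst_zone not in ACCOUNT_ZONES.get(ev["atype"], set()):
        findings.append(Finding(ev["ts"], ev["user"], "account scope",
                                f"{ev['atype']} account reached {dst_zone}"))
    if ev["src"] in IOC_IPS or ev["dst"] in IOC_IPS:
        findings.append(Finding(ev["ts"], ev["user"], "threat intel",
                                "address matches an indicator in the feed"))
    return findings


def scan(text):
    """Run every record in the text through evaluate(); unparsable lines are skipped."""
    results = []
    for line in text.splitlines():
        ev = parse(line)
        if ev is not None:
            results.extend(evaluate(ev))
    return results


def prioritize(findings):
    """Score each user by the weighted findings against them, highest score first."""
    scores = {}
    for f in findings:
        scores[f.user] = scores.get(f.user, 0) + WEIGHTS[f.kind]
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for f in found:
        print(f"{f.ts} {f.user:13} [{f.kind}] {f.detail}")
    print("triage order:", prioritize(found))
```

On the constructed records the vendor account's first login to the portal is clean, but its hop from the portal into the data center violates both the path policy and the account's expected scope; the store account reaching the data center directly is the "restrict access from store locations" control failing; and the service account connecting out to an address on the indicator list ranks highest because the threat-intelligence match is weighted above the structural checks. The policy tables are the part a real deployment would populate from its own network model and identity management system.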
Bad practices
Lessons from the trenches
• Trust but verify
• Or don’t trust and verify
• You must define which systems process payment cards and secure them appropriately
POLL
INTELLIGENT RESPONSE DEFINED
The ecosystem
Our enterprise | Their ecosystem
Discovery → Research → Infiltration → Capture → Exfiltration
The goal for security
Historical security spending trends
Perimeter Controls vs. Internal Controls: 1X / 5X
We must change our focus
Same old thinking → Same old results
Proactive monitoring program: data sources
• Network equipment
• Vulnerability scanning
• Anti-virus
• Business context
• Physical infrastructure
• Identity management
• System health information
• Web traffic
• Intelligence feeds
• Directory services
• Firewalls / VPN
• IDS / IPS
• Databases
• Applications
• Server and desktop OS
Maturity is a journey
Stages: Blissful ignorance → Awareness → Corrective → Operations excellence (Transformation)
Axes: Level of Control, Risk
• Establish Security Teams & Remit
• Operational Processes aligned to strong security policy
• Security tracks and enables business and technology change
• Actionable security intelligence & monitoring capability
Lower total cost of ownership
Co3’s Incident Response Management Platform
(SSAE 16 Type II certified hosting facility; dashboards & reporting)
• Automated Escalation: Accelerate response by easily creating incidents from the systems you already have (Email, Web Form, Trouble Ticketing, Entry Wizard, SIEM)
• Instant Creation and Streamlined Collaboration: IR plans created instantly based on regulations, best practices, and standard operating procedure. Collaborate on plan execution across multiple functions (Marketing, Legal & Compliance, IT, HR)
• Accelerated Mitigation: Speed results by easily outputting results to your management platforms (SIEM, Trouble Ticketing, GRC)
• Intelligent Correlation: Determine related incidents automatically to identify broader, concerted attacks
• Integrated Intelligence: Gain valuable threat intelligence instantly from multiple intelligence feeds
IR Plan inputs: Organizational SOPs, Global Privacy Breach Regulations, Contractual Requirements, Community Best Practices, Industry Standard Frameworks
INTELLIGENT RESPONSE DEMO
Remember these numbers?
416 days to detect a breach → Hours, not days
94% of breaches reported by a 3rd party → Internal, not external
71% more time is needed to resolve a breach as compared to 2010 → Reduce response time by 90%
QUESTIONS
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013
“The best purchase we have ever made.”
CSO, TOP 3 FORTUNE 500 HEALTHCARE ORGANIZATION
“Co3 has enabled the team to manage incidents
in one tenth of the time that it took previously.”
DIRECTOR OF SECURITY, USA FUNDS
“Co3 Systems has done better than a home-run...it has knocked one out of the park.”
SC MAGAZINE – AUGUST 2013
State of Security Operations report
http://hp.com/go/StateOfSecOps
HP Security Blog
http://hp.com/go/securityproductsblog