incident response: security's special teams
DESCRIPTION
In football, special teams - the groups that do field goals, kick-offs, etc. - don't spend a ton of time on the field. But they routinely win (or lose) games. For this reason, even though special teams is a part-time job for many of the players, they are nonetheless thoroughly conditioned, trained, briefed, and otherwise prepared for this crucial role.

Incident response (IR) teams serve a similar function for enterprise IT organizations. Many team members don't work full-time on IR. Yet when they are needed, the stakes couldn't be higher for the IT department. As such, it is absolutely crucial that the IR team is on top of its game.

This webinar will review the factors driving the ascendance of IR as the next crucial discipline for IT in general and the CIO / CSO in particular. It will then highlight the crucial components of an effective IR capability, with particular emphasis on what leading organizations are doing to upgrade their IR function.

Our featured speakers for this timely webinar will be:
- Andrew Jaquith, Chief Technology Officer & SVP Cloud Strategy, SilverSky
- Ted Julian, Chief Marketing Officer, Co3 Systems

TRANSCRIPT
Incident Response: Security’s Special Teams
Page 2
Introductions: Today’s Speakers
• Ted Julian, Chief Marketing Officer, Co3 Systems
• Ted is a serial entrepreneur who has launched four companies during his ~20 years in the security / compliance industry.
• Andrew Jaquith, Chief Technology Officer & SVP Cloud Strategy, SilverSky
• Andy is a thought-leader with ~20 years experience in the security industry. He has helped shape the security industry as an entrepreneur at SilverSky and @stake and as an industry analyst at Forrester Research and Yankee Group.
Page 3
Agenda
• Introductions
• IR: The Next Security Discipline
• Enhancing Your IR Capability
  • Technology
  • People
  • Process
• Final Thoughts / Recommendations
• Q&A
Page 4
Co3 Automates Incident Response
PREPARE: Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps

ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• See $ exposure
• Send notice to team
• Generate Impact Assessments

MANAGE: Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion

REPORT: Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports
Page 5
SilverSky simplifies how customers secure information
MANAGE email, messaging and collaboration
SECURE data with our security software
MONITOR networks for intrusions 24x7

Products and services shown: Exchange, Lync, SharePoint, Managed BlackBerry, Email Security, Mobile device management, Email DLP, Email Encryption, Email Archive, Email Continuity, Log management, Vulnerability management, Brand protection, UTM management, Event monitoring and response
By tirelessly safeguarding our customers’ most important information, SilverSky enables growth-minded leaders to pursue their business ambitions without security worry. SilverSky protects $525 billion in banking and credit union assets. Each month, we analyze 15 billion raw security events and investigate 140,000 alerts.
Page 6
Offense
(Image: By Mike Kaplan [Public domain], via Wikimedia Commons)
Page 7
Defense
(Image: U.S. Navy photo by Mass Communication Specialist David P. Coleman [Public domain], via Wikimedia Commons)
Page 8
Special Teams
(Image: U.S. Navy photo by Lt. Cmdr. Scott Allen [Public domain], via Wikimedia Commons)
Page 9
Information security has three phases too
Prevention
• Stop malicious threats
• Secure endpoints, networks, and servers
• Maintain secure and compliant configurations

Detection
• Identify anomalous behavior
• Detect compromises
• Discover data leaks & potential breaches

Response
• Have a plan
• Assess events
• Escalate to incidents
• Manage
• Report
Page 10
Why Incident Response Matters
Chain of events | Analogy | Damage | Budget
IDS, AV or other control repels an attack | "Preventative care" | No damage: 0 | millions
Attacker infects a workstation | "Infection" | Compromised asset: 000s | 000s
Attacker "pivots" to gain control over sensitive systems | "Disease" | Multiple compromised assets: millions | 0
Page 11
Compromises are the new reality
SilverSky analyzed security incidents based on data from 861 financial institutions for the second half of 2012. We found:
• 1,628 likely and confirmed customer compromises
• 441 institutions affected
• 51% of our financial customers experienced at least one incident

SilverSky blocked 1/3 of incidents; traffic analysis detected the rest.

Size of institution ($ assets) | Average # of incidents
Small (<$25 million) | 3
Mid-sized (<$1 Bn) | 4
Large (>$1 Bn) | 7

Source: SilverSky 2012 2H Financial Institutions Threat Report. (Base: 861 SilverSky customers)
Page 12
Guess where most IT security budgets go?
By victor vic (all in, tapis) [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Wikimedia Commons
Page 13
Prevention + Detection Dominate Security Spend
Segment | 2012 revenue
Prevention / Detection Products | $27B*
Prevention / Detection Services | $29B*
Response Services | $6B**
Response Products | < $1B***

* Gartner  ** ABI Research  *** Co3 estimate

Prevention / Detection: 89% of spend; Response: 11%
Page 14
Public Domain Pictures.net - Eggs In The Grass by Ed Hoskins
There is a metaphor for this strategy…
Page 15
IR Demands Investment
“If you are going to invest in one thing - it should be incident response.”
GARTNER – JUNE 2013

“You can’t afford ineffective incident response.”
FORRESTER – APRIL 2013

POLL: How many incidents do you manage on average each month?
Page 17
Is This IR?
By ErrantX. [Public domain], via Wikimedia Commons
Page 18
Is This IR?
Page 19
The Incident Response Lifecycle
PREPARE: Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps

ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• Calculate $ exposure
• Notify team
• Generate Impact Assessments

MANAGE: Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion

REPORT: Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports
Page 20
IR Is More Than Just Forensics
(Diagram: the IR Team sits at the center of three stages, each drawing on the parties listed.)

Detection
• IT / Security Controls
• Service Providers
• Law Enforcement
• Partner
• Perpetrator(s)
• Internal Staff
• Customers

Investigation
• Forensics
• Security Tools
• Threat Intelligence
• Partners / Providers
• Law Enforcement

Response
• IT / Security Controls
• Service Providers
• Law Enforcement
• Partners
• Internal Staff

POLL: How often do you run IR fire drills / tabletop exercises?
Page 22
Incident Response People

INTERNAL
• IT
• Legal
• Compliance
• Audit
• Privacy
• Marketing
• HR
• Senior Executives

EXTERNAL
• Legal
• Consultants
• Audit
• Law Enforcement
• Partners

DON’T FORGET TO:
• Communicate
• Practice
• Train
Page 23
Incident Response Process
PREPARE: Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps

ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• Calculate $ exposure
• Notify team
• Generate Impact Assessments

MANAGE: Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion

REPORT: Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports

BE SURE TO INCLUDE:
• Regulatory Requirements
  • State, Federal, and Trade
• Industry Standard Frameworks
  • NIST, CERT, SANS
• Organization Standards / Best Practices
• Contractual Requirements
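The ASSESS, MANAGE and REPORT steps above describe a workflow: an event is tracked, its regulatory scope and dollar exposure are assessed, it is escalated to an incident with a who/what/when task plan that is monitored to completion, and the results feed performance reporting. The following is an added example of that workflow as plain Python; it is not Co3's or SilverSky's code. The notification rules, per-record cost, escalation threshold, task owners, due dates and sample events are all constructed placeholders, not legal or contractual guidance.

```python
"""Added example: a minimal ASSESS -> MANAGE -> REPORT tracker.
All rules, costs and sample data are constructed placeholders."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed placeholders: which notification duty a record type triggers,
# what a lost record is assumed to cost, and when an unregulated event still
# becomes an incident. Replace with your own regulatory scoping and contracts.
NOTIFICATION_RULES = {
    "card_number": ["acquirer / card-brand notice"],
    "health_record": ["health-privacy breach notice"],
    "state_pii": ["state breach-notification letter"],
}
COST_PER_RECORD_USD = 150.0
INCIDENT_THRESHOLD = 100  # records exposed; below this with no regulated data, stays an event


@dataclass
class Event:
    event_id: str
    detected_at: datetime
    record_types: List[str]
    records_exposed: int


@dataclass
class Task:
    owner: str      # who
    action: str     # what
    due: datetime   # when
    done: bool = False


@dataclass
class Incident:
    incident_id: str
    opened_at: datetime
    obligations: List[str]
    exposure_usd: float
    tasks: List[Task] = field(default_factory=list)
    closed_at: Optional[datetime] = None


def assess(event: Event):
    """ASSESS: scope regulatory requirements and estimate dollar exposure."""
    obligations = sorted({o for t in event.record_types for o in NOTIFICATION_RULES.get(t, [])})
    return obligations, event.records_exposed * COST_PER_RECORD_USD


def escalate(event: Event, incident_id: str) -> Optional[Incident]:
    """MANAGE: turn an assessed event into an incident with a who/what/when plan,
    or return None when it stays a tracked event."""
    obligations, exposure = assess(event)
    if not obligations and event.records_exposed < INCIDENT_THRESHOLD:
        return None
    t0 = event.detected_at
    inc = Incident(incident_id, t0, obligations, exposure)
    inc.tasks.append(Task("IR lead", "contain affected systems", t0 + timedelta(hours=4)))
    inc.tasks.append(Task("Forensics", "preserve evidence and scope the compromise", t0 + timedelta(days=1)))
    for ob in obligations:  # one notification task per duty found by ASSESS
        inc.tasks.append(Task("Legal", f"send {ob}", t0 + timedelta(days=3)))
    inc.tasks.append(Task("IR lead", "hold post-incident review", t0 + timedelta(days=14)))
    return inc


def complete_task(inc: Incident, action: str) -> None:
    for task in inc.tasks:
        if task.action == action:
            task.done = True
            return
    raise KeyError(action)


def close_incident(inc: Incident, when: datetime) -> bool:
    """Monitor progress to completion: an incident closes only when every task is done."""
    if all(t.done for t in inc.tasks):
        inc.closed_at = when
        return True
    return False


def overdue_tasks(inc: Incident, now: datetime) -> List[Task]:
    return [t for t in inc.tasks if not t.done and t.due < now]


def report(incidents: List[Incident], now: datetime) -> dict:
    """REPORT: document results and track performance across incidents."""
    closed = [i for i in incidents if i.closed_at is not None]
    hours = [(i.closed_at - i.opened_at).total_seconds() / 3600 for i in closed]
    return {
        "incidents": len(incidents),
        "open": len(incidents) - len(closed),
        "mean_hours_to_close": sum(hours) / len(hours) if hours else None,
        "total_exposure_usd": sum(i.exposure_usd for i in incidents),
        "overdue_tasks": sum(len(overdue_tasks(i, now)) for i in incidents),
    }


# Constructed sample events for a stand-alone run.
SAMPLE_EVENTS = [
    Event("EV-1", datetime(2013, 6, 3, 9, 0), ["state_pii"], 5000),
    Event("EV-2", datetime(2013, 6, 10, 14, 0), [], 1),  # control repelled it; stays an event
    Event("EV-3", datetime(2013, 6, 12, 8, 0), ["card_number", "state_pii"], 50),
]


def run_sample(now: datetime = datetime(2013, 6, 20, 12, 0)) -> dict:
    incidents = []
    for n, ev in enumerate(SAMPLE_EVENTS, start=1):
        inc = escalate(ev, f"INC-{n}")
        if inc:
            incidents.append(inc)
    first = incidents[0]  # work the first incident to completion two days after detection
    for t in first.tasks:
        complete_task(first, t.action)
    close_incident(first, first.opened_at + timedelta(days=2))
    return report(incidents, now)


if __name__ == "__main__":
    print(run_sample())
```

The point of the example is the shape of the data, not the numbers: every incident carries the obligations and exposure that ASSESS produced, every task has an owner and a due date so MANAGE can flag what is overdue, and REPORT is computed from the same records rather than assembled by hand afterwards, which is what makes historical performance tracking possible.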
Page 24
Incident Response Technology
This?
By KoS. [Public domain], via Wikimedia Commons
Page 25
Incident Response Technology
This?
By Rens ten Hagen. [Public domain], via Wikimedia Commons
Page 26
Incident Response Technology
This?
Page 27
Incident Response Technology
SYSTEM REQS
• Secure
• Distinct
• Available
• Integrated with related systems

FUNCTIONAL REQUIREMENTS
• Prescriptive
• Cognizant of regulations, best practices, threats
• Easy to use
• Built-in workflow
• Built-in reporting / dashboards
• Always up to date
• Linked to threat intelligence

OBJECTIVES
• Faster response time
• Staff augmentation
• Consistency
• Repeatability
• Ensure compliance
• Foster collaboration
• Simplify reporting / status updates
• Improved threat context / correlation
QUESTIONS
One Alewife Center, Suite 450, Cambridge, MA 02140  PHONE 617.206.3900
WWW.CO3SYS.COM

Andrew Jaquith
Chief Technology Officer & SVP Cloud Strategy
[email protected]

“One of the most important startups in security…”
BUSINESS INSIDER – JANUARY 2013

“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013

“an invaluable weapon when responding to security incidents.”
GOVERNMENT COMPUTER NEWS

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITORS’ CHOICE