PREPARE YOUR INCIDENT RESPONSE TEAM

Transcription

1 PREPARE YOUR INCIDENT RESPONSE TEAM JUNE 2015 Michael Harrington, Fidelis Cybersecurity

2 It s a big problem... The ongoing cyber-thefts from The scale of international theft the In networks 2013, the of average public cost and of American intellectual property private of cybercrime organizations, was $11.56M, including (IP) is unprecedented - hundreds Fortune with a single 500 companies, attack taking an of billions of dollars per year, on represent average of the 32 greatest days and transfer over of the order of the size of U.S. wealth $1M to in resolve. human history. exports to Asia. General 2013 Keith Cost Alexander, of Cyber US Crime Army Study, (ret), Director Ponemon of Institute the National Security Agency, Chief of the Central The Security IP Commission Service, Commander Report of the United States Cyber Command

3 With no easy answers... FIREWALL AV, NETWORK DLP INTRUSION PREVENTION NETWORK SECURITY ANALYTICS NETWORK-CONNECTED MALWARE DETECTION

4 Critical Questions Overview Incident Response Expectations Before an Incident Happens Identify the teams of fully authorized key players What Really Happens How Did You Respond Recovery Conclusion & Questions

5 Critical Questions You have been BREACHED now what? Fidelis Proprietary information

6 Critical Questions You have been BREACHED now what? Who should be involved, who should not? Fidelis Proprietary information

7 Critical Questions You have been BREACHED now what? Who should be involved, who should not? Have you TRAINED for this? Fidelis Proprietary information

8 Critical Questions You have been BREACHED now what? Who should be involved, who should not? Have you TRAINED for this? What are the FIRST steps and actions? Fidelis Proprietary information

9 Critical Questions You have been BREACHED now what? Who should be involved, who should not? Have you TRAINED for this? What are the FIRST steps and actions? Do you know your ROLE? Fidelis Proprietary information

10 Critical Questions You have been BREACHED now what? Who should be involved, who should not? Have you TRAINED for this? What are the FIRST steps and actions? Do you know your ROLE? How do you handle EVIDENCE? Fidelis Proprietary information

11 I.R. Expectations Notification and Identification

12 I.R. Expectations Notification and Identification Classification: Is this a MAJOR or MINOR incident?

13 I.R. Expectations Notification and Identification. Classification: Is this a MAJOR or MINOR incident? Know the I.R. TEAM: The People needed to respond.

14 I.R. Expectations Notification and Identification. Classification: Is this a MAJOR or MINOR incident? Know the I.R. TEAM: The People needed to respond. Know the Processes and Procedures & Legal and Regulatory Requirements.

15 I.R. Expectations Notification and Identification. Classification: Is this a MAJOR or MINOR incident? Know the I.R. TEAM: The People needed to respond. Know the Processes and Procedures & Legal and Regulatory Requirements. 3 rd Party I.R. Teams and Partners

16 Before an Incident Identify the team of fully authorized key players

17 Before an Incident Identify the team of fully authorized key players Know Everyone's Roles and Responsibilities

18 Before an Incident Identify the team of fully authorized key players Know Everyone's Roles and Responsibilities Have Executive and Legal Support for the I.R. Plan

19 Identify the Teams of Fully Authorized Players Leadership Team

20 Identify the Teams of Fully Authorized Players Leadership Team Legal Team

21 Identify the Teams of Fully Authorized Players Leadership Team Legal Team Security Operations Team

22 Identify the Teams of Fully Authorized Players Leadership Team Legal Team Security Operations Team Forensics Team

23 Identify the Teams of Fully Authorized Players Leadership Team Legal Team Security Operations Team Forensics Team Data Analysis Team

24 Before an Incident TRAIN --- TRAIN --- TRAIN

25 Before an Incident TRAIN --- TRAIN --- TRAIN *** TRAIN as a TEAM ***

26 Before an Incident TRAIN --- TRAIN --- TRAIN *** TRAIN as a TEAM *** TEST Processes and Procedures

27 Before an Incident Test Your I.R. Plan > DRILL Know Everyone's Roles and Responsibilities Have Executive and Legal Support for the I.R. Plan

28 What Really Happens

29 What Really Happens It is like a Circus!

30 What Really Happens Critical DATA is LOST! Evidence about the Intrusion could be DELETED!

31 What Really Happens Attempts are made to limit DAMAGE so the business can run.

32 What Really Happens Attempts are made to limit DAMAGE so the business can run. A BALANCE must be made between I.R. and the Business!

33 How Did You Respond?

34 How Did You Respond? TO: Heartbleed?

35 How Did You Respond? TO: ShellShock?

36 How Did You Respond Most organizations were scrambling around.

37 How Did You Respond Most organizations were scrambling around. If your security staff responded quickly and efficiently then I commend you.

38 How Did You Respond Most organizations were scrambling around. If your security staff responded quickly and efficiently then I commend you. What I saw in a number of companies was chaos!

39 How Did You Respond Most organizations were scrambling around. If your security staff responded quickly and efficiently then I commend you. What I saw in a number of companies was chaos! If you TRAINED as a TEAM and everyone knew what to do, then your 1000% better prepared than most organizations.

40 Keys for Breach Preparedness Plan Train Drill Repeat

41 Recovery Fixed it or did we really? We have seen 2 nd and 3 rd breaches on the same customer These were probably the same attackers hiding in wait and then they came back out.

42 We Know How To Eliminate Online Risk

43 `

44 QUESTIONS? THANK YOU Michael Harrington