Cyber Incident Response Management: Breaking Glass. Presented by Darrell Switzer Sr. Director Incident Response Services BAE Systems

Transcription

1 Cyber Incident Response Management: Breaking Glass Presented by Darrell Switzer Sr. Director Incident Response Services BAE Systems

2 About BAE Systems $25B Annual Revenue 80,000+ Employees Operates in 40+ Countries With Major Clients in Banking, Insurance, Energy/Utilities, Healthcare, Media and Government $2B Invested Annually in R&D Cyber Security Financial Crime Communications Intelligence Core Heritage in Secure Government and Agencies

3 Incident Response Money Is The Target FFIEC Overview Critical Steps To Prepare

4 WHY INCIDENT RESPONSE?

5

6 The Incident Response Life Cycle From: NIST

7 FFIEC Overview Business Continuity Planning The board & senior mgmt are responsible for business continuity planning Including assigning personnel & allocating resources BCP is divided into 4 steps: 1. Business Impact Analysis 2. Risk Assessment 3. Risk Management 4. Risk Monitoring & Testing BCP process uses the word should throughout Not backed by legislation or regulations

8 FFIEC Overview Information Security Gramm-Leach-Bliley Act of 1999 (GLBA) section 501(b) Provides enforcement if institutions establish & maintain adequate information security programs FFIEC information security process defines 5 areas: 1. Information Security Risk Assessment 2. Information Security Strategy 3. Security Controls Implementation 4. Security Monitoring 5. Security Process Monitoring and Updating

9 FFIEC Overview Information Security Security objectives: Availability Integrity Confidentiality Accountability Assurance Integrity + Accountability = Non-Repudiation

10 FFIEC Overview Chief Executive Officer Responsibilities: Develop a plan to conduct the assessment Lead employee efforts during assessment to facilitate timely responses Set target state of cyber security preparedness that aligns with the board of directors Review, approve & support plans to address risk mgmt & control weaknesses Analyze & present results for executive oversight Oversee ongoing monitoring to address evolving cyber security risk Supervise changes to maintain or increase cyber security preparedness

11 FFIEC Overview The Board Responsibilities: Engage mgmt in establishing the institution s vision, risk appetite & strategic direction Approve plans to use the assessment Review analysis of assessment results Evaluate decision of whether the institution s cyber security preparedness aligns with its risks Assess & approve plans to address risk mgmt or control weaknesses Examine results of ongoing monitoring of the institution s exposure to & preparedness for cyber threats

12 The ability to respond to an incident is only as good as an organization s ability to detect the incident.

13 Having proper analysis capabilities requires both trained personnel and the proper tools to perform the analysis.

14 Plan vs. Framework No plan of operations extends with certainty beyond the first encounter with the enemy s main strength. -Helmuth Karl Bernhard Graf von Moltke

15 Framework Authority and Scope Team Members and Responsibilities Logistics Process to Determine Severity and Escalation Post-Incident Activities Supporting Documentation

16 The most critical component in any Incident Response Practice Authority and Backing from Executive Management

17 Scope Will define what areas of the business the Incident Response Practice affects, i.e., any computing device, Wifi, etc.

18 Incident Response Team Primary Team Extended Team Third Parties

19 Primary Team Security Team Incident Response Lead Operations Team Service Desk Team

20 Extended Team Executives Legal Communications Human Resources Compliance Physical Security

21 Third Parties Outsourced IT (Help Desk, Server Support) Forensic Firms ISPs Legal Counsel Law Enforcement Public Relations Teams

22 Logistics Distribution / Call Bridge for Communication War Room Computing Equipment Evidence Locker Often Overlooked Items: Succession of Command Catering Shipment of Evidence OpTempo

23 Escalation Department/LOB/ Branch/Group of VIPs (High) Small Group of Users or VIP (Medium) Core Business Services (High) Support Services (Medium) Non-Urgent Services (Low) Critical High High Critical High Medium Single User (Low) High Medium Low

24 Post-Incident Root Cause Analysis: Determining an addressable cause that led to the incident

25 Supporting Documents Incident Tracking Forms Chain of Custody Form Indicator of Compromise Matrix

26 Building an Indicator of Compromise Matrix Firewall DNS Server Log Active Directory NetFlow IP Address X X Domain Name X Registry MD5 Username X

27 Recall Roster All members of the incident response team should have their contact information documented. For third parties, supporting information, such as PoCs, contract numbers, etc., should be included.

28 Create an Incident Response Playbook

29 Testing Incident Response High Level Audit Review of documentation Discussion based interview of capabilities Objective Based Assessment Technical tasks requested of the IR team Tabletop Exercise War Game

30 Thank You