Rapid Cyber Remediation Response Management. Using the Game-Changing Capabilities from Project Remedies Inc.



Similar documents
IMPROVING VULNERABILITY MANAGEMENT EFFECTIVENESS WITH APPLICATION SECURITY MONITORING

DoD Strategy for Defending Networks, Systems, and Data

HP and netforensics Security Information Management solutions. Business blueprint

Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events

WRITTEN TESTIMONY OF

The Importance of Cybersecurity Monitoring for Utilities

Operationally Focused CYBER Training Framework

Network Management and Defense Telos offers a full range of managed services for:

ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

SOLUTION WHITE PAPER. BMC Manages the Full Service Stack on Secure Multi-tenant Architecture

Reliable, Repeatable, Measurable, Affordable

Cybersecurity Enhancement Account. FY 2017 President s Budget

Best Practices for Building a Security Operations Center

Security Architecture: From Start to Sustainment. Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013

Continuous Network Monitoring

Align IT Operations with Business Priorities SOLUTION WHITE PAPER

The BMC Remedy ITSM Suite s Missing Application:

Wilhelmenia Ravenell IT Manager Eli Lilly and Company

Der Weg, wie die Verantwortung getragen werden kann!

Technical Testing. Network Testing DATA SHEET

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

SYMANTEC MANAGED SECURITY SERVICES. Superior information security delivered with exceptional value.

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Triangle InfoSeCon. Alternative Approaches for Secure Operations in Cyberspace

The Growing Need for Real-time and Actionable Security Intelligence Date: February 2014 Author: Jon Oltsik, Senior Principal Analyst

SITUATIONAL AWARENESS MITIGATE CYBERTHREATS

The Comprehensive National Cybersecurity Initiative

Middle Class Economics: Cybersecurity Updated August 7, 2015

Cyber Threats Insights from history and current operations. Prepared by Cognitio May 5, 2015

A Biologically Inspired Approach to Network Vulnerability Identification

Cyber Threat Intelligence and Incident Coordination Center (C 3 ) Protecting the Healthcare Industry from Cyber Attacks

WHITE PAPER: THREAT INTELLIGENCE RANKING

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning

Defending Against Cyber Attacks with SessionLevel Network Security

Managed Security Services D e l i vering real-time protection to help organizations st r e n g t h e n their security posture in the face of today s

Accelerating Software Security With HP. Rob Roy Federal CTO HP Software

BMC Cloud Management Functional Architecture Guide TECHNICAL WHITE PAPER

Predictive Intelligence: Identify Future Problems and Prevent Them from Happening BEST PRACTICES WHITE PAPER

Bridging the gap between COTS tool alerting and raw data analysis

CYBER SECURITY, A GROWING CIO PRIORITY

Automated IT Asset Management Maximize organizational value using BMC Track-It! WHITE PAPER

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

Statement for the Record. Martin Casado, Senior Vice President. Networking and Security Business Unit. VMware, Inc. Before the

A Comprehensive Cyber Compliance Model for Tactical Systems

Protecting against cyber threats and security breaches

The Emergence of Security Business Intelligence: Risk

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Symantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Landscape

PROJECT BOEING SGS. Interim Technology Performance Report 3. Company Name: The Boeing Company. Contract ID: DE-OE

Extreme Networks Security Analytics G2 Risk Manager

Why ActionProgram Manager Plus!

White Paper: Leveraging Web Intelligence to Enhance Cyber Security

Security Awareness Training Solutions

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

HP ENTERPRISE SECURITY. Protecting the Instant-On Enterprise

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

The Sophos Security Heartbeat:

Business white paper. Top ten reasons to automate your IT processes

MANAGED SERVICES PROVIDER. Dynamic Solutions. Superior Results.

ENTERPRISE COMPUTING ENVIRONMENT. Creating connections THROUGH SERVICE & WORKFORCE EXCELLENCE

Compliance Risk Management IT Governance Assurance

Enterprise Software Security Strategies

How To Create An Insight Analysis For Cyber Security

SOLUTION WHITE PAPER. Align Change and Incident Management with Business Priorities

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

WHITEPAPER. How a DNS Firewall Helps in the Battle against Advanced Persistent Threat and Similar Malware

Extreme Networks Security Analytics G2 Vulnerability Manager

Cisco Security Optimization Service

Internet Voting System Security Auditing from System Development through Implementation: Best Practices from Electronic Voting Deployments

Threat Intelligence. Benefits for the enterprise

BSM for IT Governance, Risk and Compliance: NERC CIP

Introduction to ITIL: A Framework for IT Service Management

HP Application Security Center

Applying ITIL v3 Best Practices

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

Data- Centric Enterprise Approach to Risk Management Gregory G. Jackson, Sr. Cyber Analyst Cyber Engineering Division Dynetics Inc.

Cyber Security Management

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

Vulnerability Management

Business white paper. Missioncritical. defense. Creating a coordinated response to application security attacks

Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

Strategic Plan On-Demand Services April 2, 2015

The Path Ahead for Security Leaders

BlacKnight. Cyber Security international A BUSINESS / MARKETING PRESENTATION

The SIEM Evaluator s Guide

TLP WHITE. Denial of service attacks: what you need to know

CBEST FAQ February 2015

White Paper. Advantage FireEye. Debunking the Myth of Sandbox Security

IBM Unica and Cincom Synchrony : A Smarter Partnership

Things To Do After You ve Been Hacked

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Accenture Cyber Security Transformation. October 2015

Requirements When Considering a Next- Generation Firewall

CLOSING THE GAP ON BREACH READINESS INSIGHTS FROM THE SECURITY FOR BUSINESS INNOVATION COUNCIL

Integrating MSS, SEP and NGFW to catch targeted APTs

Transcription:

Rapid Cyber Remediation Response Management Using the Game-Changing Capabilities from Project Remedies Inc. A White Paper from Project Remedies Inc. January 2014

Abstract Rapid Cyber Remediation Response optimizes the time and people resources needed to manage and remediate the cyber attacks, vulnerabilities, and failures in an Information System. The inability to manage complex and multiple remediation efforts simultaneously creates its own set of system risks. Project Remedies brings mature capabilities to solve this constant and evolving problem of complex and rapid remediation response with limited resources, and affords a degree of situational awareness previously unavailable. The Need for Rapid Cyber Remediation Response Management The Network enables Military Operational speed, precision and lethality around the globe and is increasingly the backbone of commerce and technology development. Cyber attacks are escalating on an increasingly more valuable set of targets. For example, Next Gov 2013 reports: British energy company BP says it suffers 50,000 cyber intrusion attempts per day. The Pentagon reports getting 10 million attempts per day. The National Nuclear Security Administration, an arm of the Energy Department, also records 10 million hacks per day. A huge rush of technologies is moving forward to monitor and analyze the networks looking for bad actors and other risks. Much of this technology is quite good and effective. But -- once an attack penetrates the firewalls, or a staff member unwittingly downloads malicious code, or vulnerability is discovered in a node or system, or the system goes down -- a response has to happen. Either: 1) Some responses can be handled by some available technical solutions, or 2) Many responses must be handled by a sophisticated Incident Response Team (or others) using high tech and in some cases low tech solutions to remedy the problem, which may include both fixes and preventive measures. For incidents that are complex, contain unpredictable elements, and are security-urgent, organizations must be equipped to move rapidly into coordinated, multiple smart remediation responses. Several skilled and knowledgeable specialists from independent organizations in multiple locations become an Incident Response Team. This smart team is required to execute a precisely orchestrated series of co-dependent tasks on a strict schedule. Some of these tasks can be performed in parallel, and some have sequential dependencies and take the form of a rapid-momentum Plan of Action & Milestones (POA&M). Because the Cyber Security operational tempo is so intense -- and because many organizations have become over-reliant on passive technology solutions -- the ability to maximize the human resources needed to remediate cyber events has tended to lag behind the cyber security technology curve. The speed with which a response to a cyber incident is initiated is critical to the successful remediation of the incident -Gen. Keith Alexander, USCYBERCOM Rapid Cyber Remediation Response Management 2014 Project Remedies Inc. 2

The critical elements needed in managing cyber remediation are: Speed of the cyber mediation response The right cyber remediation approach and plan The right people to execute the remediation Multiple measures of remediation status and performance Cascading problems emerge when the Incident Response Team is overwhelmed by unplanned and uncoordinated activity as they are trying to respond to multiple events, often becoming more reactive and losing the ability to be proactive and preventive. The speed with which a response to a cyber incident is initiated is critical to the successful remediation of the incident, Gen. Keith Alexander, Commander USCYBERCOM. With cyber remediation in mind, the Chairman of the Joint Chiefs of Staff published Instruction 6510.01F which covers Information Assurance (IA) and Support to Computer Network Defense (CND). This guidance details the responsibilities of each of the organizations involved with each incident within the DOD context. A key to successful Cyber Remediation Solution is to maximize and coordinate the various high-value components of each Incident Response Team s cyber remediation response. Developing A Rapid Cyber Remediation Response Solution Event detection sets in motion a number of critical steps. Managing these steps effectively over the long term requires developing a cyber remediation response concept that is rapid, structured, and agile enough to manage today s cyber security operational tempo and changing threat matrix. Diagram 1. Overview of the Generic Cyber Remediation Response Each organization will have its own processes and protocols that snap into place when called to accomplish these tasks in order to launch an effective remediation of the cyber event or vulnerability. The Core Elements for optimized Rapid Cyber Remediation Response Management are: 1. Event Entry into a Common Operational Picture (COP) 2. Remediation Prioritization 3. Launch Task Plan for Each Remediation Event 4. Remediation Staff Resource Management 5. Real-time Remediation, Status, Performance and Cost Monitoring 6. Near-Real-time Policy Updates 7. Real-time and Post Incident Learning (After Action Review) Rapid Cyber Remediation Response Management 2014 Project Remedies Inc. 3

The Project Remedies Approach Project Remedies Inc. is a 20-year old technology and services company that has created many BMC Remedy-based solutions, which can leverage legacy BMC Remedy systems. Several of these are game changing tools and processes for Cyber Remediation because they fill in the often-overlooked critical component of Cyber Remediation You have to have the right people with the right tools doing the right things at the right time. Project Remedies Inc. s Cyber Action Manager brings together the pool of incidents and vulnerabilities; defines and plans all of the tasks involved into the remediation effort for each; matches them with a pool of staff resources; and then monitors performance and cost for each task. Cyber Remediation Management is about having the right people with the right tools doing the right things at the right time. The Steps of Rapid Cyber Remediation Using the Project Remedies Approach Project Remedies Cyber Action Manager creates a Common Operational Picture (COP) for remediation effort that provides full-picture Situational Awareness of issues, staff, costing and project status of the remediation throughout the event response life cycle. Events Detected, Logged Automatically Or Manually Event Manager PRI's Cyber Action Manager BMC Remedy Asset Mgt. Event Remediation Prioritization If Large Task Plan Created Automatically Task Plan Reviewed and Approved Resources Assigned Remedy Asset Management Policy or Protocol Recommendations Tasks Worked Reports Universal Time Sheet Remediation Completed Data to Financial System Learning Session AAR Diagram 2. The Project Remedies Cyber Remediation Life Cycle Rapid Cyber Remediation Response Management 2014 Project Remedies Inc. 4

1. Event Entry into a Common Operational Picture (COP) Incidents or vulnerabilities are automatically created in Cyber Action Manager in realtime as HBSS, ArcSight, Cauldron or some other event manager or monitoring system captures them. Other events or vulnerabilities can be entered manually into BMC Remedy Action Request System (AR System). The aggregation of remediation issues into the Action Manager creates a Common Operational Picture (COP) for Cyber Remediation Response. One of the advantages of importing the event log to Cyber Action Manager is the reduction of white noise or false and redundant events. The resulting Cyber Remediation COP can then manage the whole range of cyber remediation issues and coordinate the Incident Response Team, showing the current status of all tasks performed, by all of the individuals or organizations involved, and who is available for further tasking. The entire cyber remediation life cycle can be managed across multiple organizations. 2. Remediation Prioritization Once the Cyber Remediation COP has the current cohort of issues, it is important to apply the organization s Remediation Prioritization Protocols, creating a unique spectrum of criticality for the proposed Remediation activities. By applying these decision and prioritization rules to the event list, the response to these cyber events can be structured, prioritized and planned using a number of imbedded or added decision criteria in the Cyber Action Manager. Developing the core of these decision criteria should be part of any Cyber Security Strategy. The Cyber Remediation COP can be used across multiple inter-connected organizations. Designated commanders and managers can see the status of each incident and task at any time. Because all of the data (incidents, resources, tasks and costs) are in the Remedy database tables, they can integrate and share multiple data inputs in an integrated workflow. Diagram 3. Cyber Remediation Common Operating Picture Diagram 3 shows all Active Projects (those In Process ), Proposed Projects (those not In Process ), and individual incidents. With one click, the project record opens and Rapid Cyber Remediation Response Management 2014 Project Remedies Inc. 5

offers more details to the analyst or manager. Shared access to events and event details shared across teams affords a degree of situational awareness previously unavailable. 3. Launch Task Plan for Each Remediation Event Once the event is in Cyber Action Manager and has been prioritized, a Task Plan is created automatically using standardized Work Templates that are embedded in Cyber Action Manager. Each required Remediation activity is spelled out in the Task Plan, which acts as an Express Project Plan. Task Plans using the filled-in Work Templates, act as both the tasking instruction and the ongoing project plan for the remediation activity. Task Plans can be used to rapidly coordinate multiple complex remediation responses, while reducing duplicative tasking activity. If approval is needed for additional levels of staffing or fiscal resources for the remediation, the Task Plan can act as an internal proposal and workflow for getting and tracking that approval. 4. Remediation Staff Resource Management Cyber Action Manager gives leadership the ability to match individuals or team resources to each incident and task in the remediation effort. These tasks can be standalone or grouped as larger efforts, so commanders and managers can see timelines and how busy people are over time. Diagram 4. Resource Management Chart Daily Each tasking can break down the number of hours being given to an individual or work group for the project timeline. This is critical to maximizing your staff resources and measuring performance and costs. This staffing process can also be sorted by skills, location, and organizations. Cyber Action Manager can automate notification, tasking and acceptance of the people and organizations involved. Rapid Cyber Remediation Response Management 2014 Project Remedies Inc. 6

5. Real-time Remediation Status, Performance and Cost Monitoring Once the people and organizations accept the task plan, their performance in the remediation can be tracked against timelines and time expenditure. This tracking provides important insight how long tasks take and who is available for the next task. One of the critical advantages of Cyber Action Manager s time tracking against incidents, changes and project tasks, is that it can be integrated with an Asset Management System. Integrating Cyber Action Manager with Remedy s Asset Management System, or another Asset Management system allows detailed asset costing to be brought into each task or project. All costs, time, expense and asset cost can also be seen in aggregate, so the organization s budget burn rate can be monitored. These can in turn be integrated into the organization financial control system such as electronic time cards, so a more robust costing picture can emerge. Diagram 5. Cyber Action Manager Task Plan: Project and Performance Management 6. Near Real-time Policy Updates Cyber Action Manager has the capacity for all the Incident Response Team to share and document insights in real time. As the remediation is undertaken and the problem is understood, insights develop as to how to prevent the problem using policy or protocol changes. These policy insights can be shared with the leadership who may want temporarily or permanently change policies or protocols in near real-time. Because Cyber Action Manager runs on a legacy BMC Remedy environment, informing the help desk and critical staff of proposed and in force policy changes is easy 7. Real-time and Post Incident Learning (After Action Review) One of the critical components of effective Cyber Remediation is learning as an organization. Cyber Action Manager provides the capacity for all members of the Incident Response Team to share and document insights in real time. This can be critical to managing multi-vector attacks, where insight in one area is immediately useful in others. Knowledge gained from each incident can be aggregated together with other similar incidents into a knowledge base, which can support a Post Incident Learning or After Action Review (AAR) process, so the Incident Response Team and the IT Team as a whole can get smarter, faster. With this knowledge, Work Templates can be easily modified in minutes. Rapid Cyber Remediation Response Management 2014 Project Remedies Inc. 7

Summary Gen. Alexander has said that the speed with which we respond to events is critical in winning the multiple wars in our cyberspace. When technology fails, somebody has to fix it. Rapid Remediation Response is managing the complexities of many small remediation projects, insuring the right people resources as well as the right technologies are focused on the right problems. Project Remedies Cyber Action Manager creates a Common Operational Picture (COP) for the remediation effort that provides real-time full-picture Situational Awareness of issues, staffing, costing and project status of the remediation process throughout the incident handling lifecycle. It creates real-time shared information, system policy insights and learning as the remediation is ongoing, which is critical to successfully managing the current and emerging challenges to cyber security. Project Remedies and our partners have the people, tools and experience to facilitate the implementation of Rapid Cyber Remediation Response. For more information: http://www.projectremedies.com stanf@projectremedies.com 310-230-1722 Rapid Cyber Remediation Response Management 2014 Project Remedies Inc. 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information