Incident Response from a Global Enterprise Perspective Public Siemens AG 2015. All rights reserved



Similar documents
Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

Developing Cyber Threat Intelligence or not failing in battle.

Ty Miller. Director, Threat Intelligence Pty Ltd

Critical Controls for Cyber Security.

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Challenges in Industrial IT-Security Dr. Rolf Reinema, Head of Technology Field IT-Security, Siemens AG Siemens AG All rights reserved

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform

Can We Become Resilient to Cyber Attacks?

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Intelligence Driven Security

NSA/DHS Centers of Academic Excellence for Information Assurance/Cyber Defense

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

Global Cyber Security Industry Report 2015

Achieving Actionable Situational Awareness... McAfee ESM. Ad Quist, Sales Engineer NEEUR

Cyber Security Metrics Dashboards & Analytics

IT Security and OT Security. Understanding the Challenges

How To Buy Nitro Security

ORGANIZADOR: APOIANTE PRINCIPAL:

Solera Networks, A Blue Coat Company SOLERA NETWORKS BIG DATA SECURITY ANALYTICS

Security Analytics for Smart Grid

Cyber Security nei prodotti di automazione

Industrial Cyber Security 101. Mike Spear

WHITE PAPER: THREAT INTELLIGENCE RANKING

Threat Intelligence: An Essential Component of Cyber Incident Response. Jeanie M Larson, CISSP-ISSMP, CISM, CRISC

Cymon.io. Open Threat Intelligence. 29 October 2015 Copyright 2015 esentire, Inc. 1

The SIEM Evaluator s Guide

Eight Essential Elements for Effective Threat Intelligence Management May 2015

State of the Market for Security Information Event Management and Log File Management Solutions

The Electronic Arms Race of Cyber Security 4.2 Lecture 7

The Art of Modern Threat Defense. Paul Davis Director, Advanced Threats Security Solution Architects

Incident Response & Handling

IBM Security Intelligence Strategy

Practical Steps To Securing Process Control Networks

Cyber intelligence in an online world

IBM SECURITY QRADAR INCIDENT FORENSICS

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Unified Security, ATP and more

Protecting critical infrastructure from Cyber-attack

SANS Top 20 Critical Controls for Effective Cyber Defense

Windows Server 2003 End of Support. What does it mean? What are my options?

Overview Commitment to Energy and Utilities Robert Held Sr. Systems Engineer Strategic Energy August 2015

Frost & Sullivan s. Aerospace, Defence & Security Practice. Global Industrial Cyber Security Trends

Cyber security tackling the risks with new solutions and co-operation Miikka Pönniö

ObserveIT User Activity Monitoring

Palo Alto Networks. October 6

Symantec Enterprise Security: Strategy and Roadmap Galin Grozev

Detect & Investigate Threats. OVERVIEW

Next Generation IPS and Reputation Services

Cloud and Critical Infrastructures how Cloud services are factored in from a risk perspective

What is Security Intelligence?

Security Information & Event Management (SIEM)

Gaining and Maintaining Support for a SOC. Jim Goddard Executive Director, Kaiser Permanente

Cyber Watch. Written by Peter Buxbaum

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

Data Driven Assessment of Cyber Risk:

IBM QRadar Security Intelligence April 2013

Splunk Company Overview

Modern Approach to Incident Response: Automated Response Architecture

Security Coordination with IF-MAP

you us MSSP are a Managed Security Service Provider looking to offer Advanced Malware Protection Services

Concierge SIEM Reporting Overview

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

Cyber Security for NERC CIP Version 5 Compliance

Triangle InfoSeCon. Alternative Approaches for Secure Operations in Cyberspace

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

INCIDENT RESPONSE CHECKLIST

RSA Security Anatomy of an Attack Lessons learned

Discover & Investigate Advanced Threats. OVERVIEW

Managed Services OVERVIEW

Fidelis XPS Power Tools. Gaining Visibility Into Your Cloud: Cloud Services Security. February 2012 PAGE 1 PAGE 1

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT

Staying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro

Q1 Labs Corporate Overview

All Information is derived from Mandiant consulting in a non-classified environment.

Future Threat Landscape - How will technology evolve and what does it mean for cyber security?

Government of Canada Managed Security Service (GCMSS) Annex A-7: Statement of Work - Security Information and Event Management (SIEM)

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices

CLOUD MANAGED SERVICES FRAMEWORK E-BOOK

Strategic Plan On-Demand Services April 2, 2015

Caretower s SIEM Managed Security Services

What s New in Security Analytics Be the Hunter.. Not the Hunted

How Aviation Security can benefit from policies, standards and best practices in other domains. 5 November 2014 marc.sel@be.pwc.

Leading The World Into Connected Security. Dipl.-Inform., CISSP, S+ Rolf Haas Enterprise Technology Specialist Content Lead EMEA

QRadar SIEM and FireEye MPS Integration

Everything You Always Wanted to Know About Log Management But Were Afraid to Ask. August 21, 2013

Phone: Fax:

IBM Security Strategy

Country Case Study on Incident Management Capabilities CERT-TCC, Tunisia

Trend Micro. Advanced Security Built for the Cloud

Are you prepared to be next? Invensys Cyber Security

Security Intelligence Services. Cybersecurity training.

Continuous Network Monitoring

Company Profile S Flores #205 San Antonio, TX

We are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review

CyberReady Solutions. Integrated Threat Intelligence and Cyber Operations MONTH DD, YYYY SEPTEMBER 8, 2014

Security Camp Conference Fine Art of Balancing Security & Privacy

Security Business Intelligence Big Data for Faster Detection/Response

Transcription:

eco, From Detection to Response, Thomas Schreck, 19.02.2015 Incident Response from a Global Enterprise Perspective

Siemens Page 2 February 2015 Corporate Technology

Corporate Technology - RTC Software Architecture Development IT Platforms IT Security Business Analytics & Monitoring Automation & Control Networks & Communication Software architecture Software test and system qualities Development efficiency Product lines and SW Ecosystems SW / System integration Middleware, cloud Enterprise IT Security architecture & lifecycle CERT services Embedded security Decision support Knowledge discovery Condition monitoring Modeling & simulation Engineering Runtime & optimization Solutions Wireless & industrial networks Internet of things HQ 1) : Munich RGs 2) : 8 Systems Engineering 3) HQ: Munich RGs: 10 Imaging & Computer Vision HQ: Munich RGs: 8 Materials HQ: Munich RGs: 9 Electronics HQ: Princeton, US RGs: 12 Sensor Technologies HQ: Munich RGs: 6 Power & Energy Technologies Usability design Engineering Reliability Manufacturing solutions Process support Image reconstruction and visualization Computer vision Image processing & video analytics Cardiovascular, onco and neuro imaging Interventional imaging Computational imaging Innovative materials and coatings Advanced manufacturing technologies Analytics Electronic design & processing Radio frequency solutions Integrated technologies Manufacturing technologies Sensor devices & system integration Inspection & test Power management Switching Power electronics Energy storage Electromagnetic systems & mechatronics Energy & industrial processes HQ: Munich RGs: 12 HQ: Princeton, US RGs: 13 HQ: Berlin RGs: 8 HQ: Munich RGs: 8 HQ: Erlangen RGs: 8 HQ: Erlangen RGs: 12 Page 3 February 2015 Corporate Technology

IT security covered by the eight research groups of the technology field Technology Field IT-Security Head: Dr. Rolf Reinema Corporate CERT Services Udo Schweigert Incident handling and technical policies on behalf of CIT ProductCERT Services Udo Schweigert Incident handling and vulnerability monitoring for Siemens products and solutions CERT Security Assessments Sven Lehmberg Friendly hacking and assessments of products, solutions, applications and processes Cyber Security for the Americas Dr. Martin Otto Regional Support for the Americas Regional Security topics, e.g., NERC-CIP, HIPAA, DIACAP Security Lifecycle Dr. Holger Dreger Sustainable integration of systematic security activities into product and solution lifecycle processes Security Architecture Uwe Blöcher Domain specific security architectures. Best practice use of COTS and Open Source security Security for Embedded Systems Dr. Wolfgang Klasen Design, integrate, and realize security for embedded systems, customize algorithms and protocols Add-on IT Security China Dr. Ming Zhu Li Regional Support for China Regional Security topics, e.g., Industrial Control Systems Security Page 4 February 2015 Corporate Technology

CERTs @ Siemens CERT ProductCERT Security Checklists Security Hardening Vulnerability Alerting Incident Response Forensic Analysis Threat Monitoring Vulnerability Handling Vulnerability Monitoring Security Testing Threat Alerting Page 5 February 2015 Corporate Technology

CERT Services Proactive Services Alerts and Warning Announcements Configuration and maintenance of security tools, applications, and infrastructure Press and Media monitoring etc. Reactive Services Incident Handling Artifact Analysis Abuse Handling Threat Intelligence etc. Security Quality management services Risk Analysis Education/training Product evaluation Long Term resiliency services Knowledge sharing for critical infrastructure Research and education Point of contact Page 6 February 2015 Corporate Technology

Incident Response Process Page 7 February 2015 Corporate Technology

Kill-Chain-Model Page 8 February 2015 Corporate Technology

Incident Response Firewall Proxies Email Shadowserver DNS DHCP Scripts for Automation Monitoring Solution pdns Malware Analysis various data sources Analysis Forensic various scripts etc. Lessons Learned Analyst Threat Intelligence Platform Internal & External Intelligence Sharing Indicators Threat Intelligence Cleaning up Ticketing Abuse Reporting etc. Incident Handling Ticketsytem (RT, OTRS, Jira) Wiki (Mediawiki, Confluence) Emailing (PGP, SMIME) Page 9 February 2015 Corporate Technology

Threat Intelligence Threat Intelligence Cyber Threat Intelligence add to threat intel Incident Cyber Incident Incident analysis requires interactive search in log data drives automated processing of log data SIEM Investigation Big Data Analytics Investigation Log Management Log Management solutions offer log archiving, Google-like search and interface with SIEM tools and big-data analytics perimeter logs Page 10 February 2015 Corporate Technology DNS Netflow AD logs IDS logs

Recommendations 1. Team members Skills in all technologies used within the company People with broad security know how and deep technical skills ability to think out of the box Communication and Management skills important during incident response 2. Team Good connections to various operational IT departments Very good team spirit is essential Contacts to various other companies and communities essential 3. Infrastructure Abuse Handling must be automated Broad tool landscape must be installed and regularly used Running our own IT infrastructure helps Page 11 February 2015 Corporate Technology

External Contacts Trusted Groups FIRST Trusted Introducer/ TF-CSIRT CERT-Verbund Honeynet Project I4 AkSiGro German Cyber Security Alliance Various OpSec Groups (invited only e.g., ops-trust) Public Info Sources Sec. Mailinglists (full-disc.) Sec. Blogs Twitter Pastebin SANS Various websites, e.g. XSSed, Zone-h, DNS and Malware Blacklists (about 110 different blacklists in total) Sec. Companies Trend Micro Kaspersky Symantec BFK CSIS Security Group Team Cymru Lastline Context Security Crowdstrike Arbor Networks Internet Software Cons./Farsight Page 12 February 2015 Corporate Technology Siemens CERT/ ProductCERT Governance BSI / BMI / BND / BMWi / Verfassungsschutz CERT-EU / ENISA Various European GOV- CERTs (e.g., NCSC.NL, CIRCL, UK-CERT,CERT.at) CERT/CC, US CERT/DHS INL ICS-CERT CN-CERT Crime Monitoring In cooperation with TM Global Threat Research Kaspersky GReAT Symantec Research Interpol/Europol Active TI Sharing Vendors Google Microsoft CISCO Amazon Juniper SAP ORACLE SuSE/Red Hat Intel IBM DoD CRADA Program DHS: CISCP ICS Microsoft MAPP for Responder CTISRP (European Initiative) German APT WG Science University of California, Santa Barbara Northeastern University Boston iseclab Ruhr-Universität Bochum Friedrich-Alexander- Universität Fraunhofer AISEC/SIT/FKIE Technische Universität München RWTH Aachen

Contact Thomas Schreck Senior Key Expert CT RTC ITS CSI-DE / Siemens CERT Otto-Hahn-Ring 6 81739 Munich E-mail: t.schreck@siemens.com https://www.siemens.com/cert Page 13 February 2015 Corporate Technology

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information