The Incident Response Success Checklist



Similar documents
Advanced Threat Protection with Dell SecureWorks Security Services

Defensible Strategy To. Cyber Incident Response

Endpoint Threat Detection without the Pain

Things To Do After You ve Been Hacked

KEY STEPS FOLLOWING A DATA BREACH

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

Attack Intelligence: Why It Matters

Information Security Services

Fighting Advanced Threats

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

Carbon Black and Palo Alto Networks

Security strategies to stay off the Børsen front page

Why a Network-based Security Solution is Better than Using Point Solutions Architectures

THE EVOLUTION OF SIEM

Evolution Of Cyber Threats & Defense Approaches

Cyber Security Management

Unified Security, ATP and more

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

Threat Intelligence: What is it, and How Can it Protect You from Today s Advanced Cyber-Attacks A Webroot publication featuring analyst research

Incident Response. Six Best Practices for Managing Cyber Breaches.

Performing Advanced Incident Response Interactive Exercise

EXPERT STRATEGIES FOR LOG COLLECTION, ROOT CAUSE ANALYSIS, AND COMPLIANCE

Breaking the Cyber Attack Lifecycle

I D C A N A L Y S T C O N N E C T I O N

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

White. Paper. Rethinking Endpoint Security. February 2015

How To Test For Security On A Network Without Being Hacked

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Advanced Threats: The New World Order

THE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE

INTRUSION PREVENTION SYSTEMS: FIVE BENEFITS OF SECUREDATA S MANAGED SERVICE APPROACH

Top Considerations for Incident Response

Cisco Advanced Malware Protection for Endpoints

FACT SHEET: Ransomware and HIPAA

Integrating MSS, SEP and NGFW to catch targeted APTs

WHY DOES MY SPEED MONITORING GRAPH SHOW -1 IN THE TOOLTIP? 2 HOW CAN I CHANGE MY PREFERENCES FOR UPTIME AND SPEED MONITORING 2

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

SPEAR PHISHING AN ENTRY POINT FOR APTS

What is Penetration Testing?

Are You Ready for PCI 3.1?

White Paper THE FOUR ATTACK VECTORS TO PREVENT OR DETECT RETAILER BREACHES. By James Christiansen, VP, Information Risk Management

Breach Found. Did It Hurt?

Security Consultant Scenario INFO Term Project. Brad S. Brady. Drexel University

POLIWALL: AHEAD OF THE FIREWALL

The SIEM Evaluator s Guide

Next Generation Security Strategies. Marc Sarrias Regional Sales Manager

SIMULATED ATTACKS. Evaluate Susceptibility Using PhishGuru, SmishGuru, and USBGuru MEASURE ASSESS

IT Security Incident Management Policies and Practices

Requirements When Considering a Next- Generation Firewall

A New Perspective on Protecting Critical Networks from Attack:

Cisco Cyber Threat Defense - Visibility and Network Prevention

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

Data Security Incident Response Plan. [Insert Organization Name]

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

Sluggish Incident Response: Next-Generation Security Problems and Solutions

Best Practices for Threat & Vulnerability Management. Don t let vulnerabilities monopolize your organization.

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

A Case for Managed Security

Feedback Ferret. Security Incident Response Plan

NYS LOCAL GOVERNMENT VULNERABILITY SCANNING PROJECT September 22, 2011

Cisco & Big Data Security

The Sophos Security Heartbeat:

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management.

White Paper. Protecting Databases from Unauthorized Activities Using Imperva SecureSphere

First Look Trend Micro Deep Discovery Inspector

Whitepaper. Advanced Threat Hunting with Carbon Black

CORE Security and GLBA

Security Analytics for Smart Grid

How to Reduce Web Vulnerability Scanning Times

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

10 Reasons Your Existing SIEM Isn t Good Enough

The Need for Intelligent Network Security: Adapting IPS for today s Threats

Symantec Enterprise Security: Strategy and Roadmap Galin Grozev

SIEM is only as good as the data it consumes

Cyber Security Metrics Dashboards & Analytics

Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats

WhatWorks in Detecting and Blocking Advanced Threats:

Modern Approach to Incident Response: Automated Response Architecture

Assumption of Breach: A New Approach to Cyber Security

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

Addressing the blind spots in your security strategy. BT, Venafi & Blue Coat

Software that provides secure access to technology, everywhere.

POLIWALL: AHEAD OF THE FIREWALL

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

Transcription:

The Incident Response Success Checklist Nine Critical Steps Your Current Plan Lacks 2016 Cybereason Inc. All rights reserved. 1

Details matter when developing an incident response (IR) plan. But, even the most successful IR plans can lack critical information, impeding how quickly normal business operations are restored. This quick guide takes a closer look at nine of the often forgotten, but important steps that you should incorporate into your IR plan. PREPARATION ACROSS THE ENTIRE COMPANY IDENTIFY MEASUREMENTS AND MATRICES HOLD TEST RUNS CHECK THE ALERTS THAT APPEAR BENIGN CREATE A CONSOLIDATED DATA REPOSITORY DON T OVERLOOK INDUSTRIAL CONTROLS CONTAINMENT AND REMEDIATION PLAN FOR A FOLLOW-UP BUDGET AND RESOURCES FOLLOW-UP ACROSS THE ORGANIZATION 2016 Cybereason Inc. All rights reserved. 2

1. PREPARATION ACROSS THE ENTIRE COMPANY Involving key people from every department is often an overlooked part of the preparation process. Often times, only IT and security staff participate in building a company s IR plan, since they are the individuals who deal with the situation and its consequences. However, breaches impact the entire organization, not just the departments that handle computers and servers. Good security leaders should be able to get people from across the company to help develop the IR plan. While CISOs will most likely manage the team that handles the threat, dealing with the fallout from a breach requires the efforts of the entire company. For instance, a bank handling the impact of a breach may need help from its public relations staff if the organization is legally required to publicly disclose the incident. The bank s Web development team may also need to be involved if the adversaries carried out their attack by exploiting a vulnerability in the company s website, like a WordPress flaw. Additionally, the company s human resources department may need to be contacted if employees personal information was disclosed. The bank s incident response plan should include input from all of these departments. A thorough incident response plan lays out what key personnel should be notified when a breach is detected and how information on the breach is communicated throughout the organization and externally. During the preparation phase, a communication timeline and the contact information for key staff should be added to the plan. 2016 Cybereason Inc. All rights reserved. 3

2. IDENTIFY MEASUREMENTS AND MATRICES A successful incident response plan defines in advance the key performance indicators (KPIs) that the security team will measure during the event. Some good time-related measurements to track include time to detection, time to report an incident, time to triage, time to investigate, and time to response. On the qualitative side, some figures to track include the number of false positives, the nature of the attack (malware vs. non-malware based) and the tool that spotted the incident. 3. HOLD TEST RUNS Companies should use the preparation phase to consider the various breach scenarios that could play out. These scenarios should be reviewed in activities like team training, tabletop exercises and blue team-red team exercises. Businesses should even simulate a breach so employees know their roles when a real breach occurs. This is the phase when companies identify their weak points and risk factors, figure out what activities need to be closely monitored and decide how to spend their security budgets. An IR plan should be revised yearly or more frequently if the company grows rapidly. Additionally, the incident response plan should incorporate any business regulations. 2016 Cybereason Inc. All rights reserved. 4

4. CHECK THE ALERTS THAT APPEAR BENIGN Threat detection can come from situations that initially appear benign and not related to security. An IT investigation into a slow computer could reveal that the machine is infected with malware, for example, prompting fears of phishing attacks and an investigation to see if anyone clicked on a suspect link. IT professionals should always check for signs of compromise when looking into a tech issue, even if the incident doesn t seem to be connected to security. A company best defense against adversaries is well-trained users who, for instance, know to contact security after receiving an email with an odd link. Additionally, IT and security teams shouldn t disregard a user s suspicions. Always investigate a hunch, since a person s intuition can provide a lead that results in a breach being detected. 5. CREATE A CONSOLIDATED DATA REPOSITORY Whatever methods companies use to detect threats, an important step is consolidating all incidents into a central repository. Companies typically use SIEMs for this but sometimes these aren t enough to get a comprehensive view across an IT environment. Incident response teams will often try to build a view of everything that was going on in the environment in hindsight. At this point, it is often too late to construct a comprehensive view and what the incident response team ends up with is too partial to be of any value. Building and maintaining a data repository that has continuous and a broad visibility across the full environment is not just essential for regulatory requirements. It is crucial for accelerating investigation and response. 2016 Cybereason Inc. All rights reserved. 5

6. DON T OVERLOOK INDUSTRIAL CONTROLS Many organizations have facilities that run industrial systems, such as an oil refinery or a factory that manufactures drugs. However, companies may not think attackers will target these locations and not closely monitor them for malicious activity. In other cases, a department other than IT or security manages the industrial control system infrastructure. The personnel in this department may lack the knowledge needed to closely monitor these systems, potentially leading to security being neglected. 7. CONTAINMENT AND REMEDIATION A thorough containment and remediation process that stops an entire campaign instead of only solving a symptom of the attack is essential. However, security teams usually provide a specific solution to a very broad problem, leaving ample opportunity for the same attack to re-occur. The containment and remediation plan must be based on the findings of the security team s investigation of the incident. Often times, the plan that s developed relies on information only gathered during the preliminary detection. For example, if a SIEM detected a malicious connection to C2 server, the typical solution would be to kill the process creating the communication and block the IP address in the firewall. But if the malware is persistent, it will reload when the computer reboots, perhaps with a different process name, and communicate with a different server. The security team then enters an endless loop of detection, containment and eradication for the same threat. On the other hand, if the team was investigating the malware s techniques and infection vector, it would have a better eradication plan and may have developed a prevention plan. 2016 Cybereason Inc. All rights reserved. 6

8. PLAN FOR A FOLLOW-UP BUDGET AND RESOURCES Follow-up is critical to preventing a security incident from reoccurring. However, companies often don t fully follow through with this step. Some recommendations that come out of the follow-up process entail spending money, making such steps unpalatable to organizations with budget constraints. Less costly options include adding new detection rules to a SIEM, while some of the more expensive follow-up steps entail hiring additional security analysts or purchasing technology to detect attacks. The follow-up phase is also when an organization reviews the performance of its KPIs and determines if they need to be adjusted. A security team, for example, could determine that the detection rules caused excessive false positives, impeding its ability to swiftly respond to the incident. Then, it can go and improve the set of detection rules it has, or upgrade to a different detection systems with better capabilities. The security team could also decide to add a detection rule based on an incident that was reported by a user instead of being detected by the SIEM. Whether an enterprise goes on an analyst hiring spree or considers a more frugal option, the changes a company makes during the follow-up stage will affect how it prepares for attacks and detects threats. All of these steps are tied together, a point often missed by organizations. Having more analysts and purchasing a next-generation endpoint detection technology can bolster a company s ability to unearth threats, for instance. 2016 Cybereason Inc. All rights reserved. 7

9. FOLLOW-UP ACROSS THE ORGANIZATION Organizations should get ready to spend time and money to learn and improve after a breach. It is also crucial that the learning and improvement process not only includes IT and security. Similar to the preparation phase, often times, follow-up only focuses on what the security team handles, which is typically containment and detection. Limiting follow-up to the security team s duties makes managing the process easier, but fails to take into account how other departments in a company should get involved to improve their ability to can better react to a security incidents in the future. Incident response requires the cooperation of an entire organization, not just the IT and security departments. 2016 Cybereason Inc. All rights reserved. 8

Join our community and subscribe to Cybereason s Blog to receive content delivered right to your inbox. SUBSCRIBE TO OUR BLOG Cybereason was founded in 2012 by a team of ex-military cyber security experts to revolutionize detection and response to cyber attacks. The Cybereason Malop Hunting Engine identifies signature and non-signature based attacks using big data, behavioral analytics, and machine learning. The Incident Response console provides security teams with an at-your-fingertip view of the complete attack story, including the attack s timeline, root cause, adversarial activity and tools, inbound and outbound communication used by the hackers, as well as affected endpoints and users. This eliminates the need for manual investigation and radically reduces response time for security teams. Cybereason is privately held and headquartered in Boston, MA with offices in Tel Aviv, Israel and Tokyo, Japan. 2016 Cybereason Inc. All rights reserved. 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information