How to effectively respond to an information security incident (www.pwc.com)




Agenda
- Analogy
- Plan Preparation
- Incident Handling Overview
- Collect & Triage
- Investigation
- Containment
- Eradication
- Recovery

Are you going in the water?

Initial incident response steps
- Gather documentation: contact lists, network diagrams, etc.
- Designate incident leads
- Notify proper contacts
  - Internal contacts: legal, management, internal support leads
  - External contacts: legal, vendor support, trusted third parties, law enforcement

Incident handling overview
Based on NIST 800-61 Incident Handling:
- Detect and Analyze (Triage)
- Containment
- Collect, Preserve and Investigate
- Eradication
- Recovery (lessons learned)
(Cycle diagram with the labels Detect and analyze, Contain, Collect & Preserve, Eradicate, Recovery.)

Detection and analysis

Do we have an incident? (Yes/No)
- How were we notified: internal vs. external
- Deploy experienced people to determine if you have a real incident
- Is this a regulatory, legal or contractual issue?

Practical example: ecommerce site
- Client reported the server performance issue
- Tech Support found the load too high
- Developer examined the code
  - Identified foreign code on the server, referred to security
- Security began collecting data
  - Contacted external Incident Response team

Practical example: Incident Response Team
- Examined the server
- Recommended blocking IP addresses
- Examined the server population
- Provided a written report of the incident
- Recommended eradication
- Recommended policy and procedure changes

Exfiltration

What to do next
- Incident classification (DDoS, malware, unauthorized access)
- Triage the problem: follow the evidence
- What are my capabilities?
- What am I looking for?
- How will I accomplish what I need to do?

Collection and preservation

Evidence preservation
- Proper forensic collection and documentation
  - Collect what you need to answer the questions
- Malware analysis
  - What are we dealing with and what is it capable of? Data exfiltration, keylogger, sniffer, dumping memory

Data to collect
- Forensic images of the compromised systems
- Firewall logs
- Web server logs
- Proxy server logs
- Netflow data
- Syslogs (Unix)
- Local Windows event logs
- Domain Controller event logs

Triage process flow
(Flowchart; recovered labels.) The Incident Handler first asks "Compromised host?": Yes leads to Forensics, No leads to Information Security. The next decision is "Malware present?": Yes leads to the Malware Analysts, No leads to Hardening and Monitoring.

Containment

Initial containment (1-3 days)
- Apply the M&M approach (hard & crunchy on the outside, soft & chewy on the inside)
- Data characterization (add rings of security)
- Grab low-hanging fruit
  - Update AV, flag suspicious files, HIDS/HIPS, create IDS signatures, block traffic, change passwords, disable accounts
  - Change to manual procedures if necessary

What don't I know?
- Where do I need increased visibility?
  - Review logs, increase auditing/logging: system, database, network device, etc.
  - Process to secure, archive, collect and review logs
  - As the British say, "Mind the gap!"
- SQL query logging example:

SQL query logging example
Sophisticated attack on a database:
- Cracked the PINs for banking cards
- Used SQL injection to inject a malicious executable into the database
- Withdrawal limits on the cards were raised to maximize the amount that could be withdrawn
- No SQL logging was performed on the databases
- Client using a SQL query recorder
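The visibility gap on this slide is the absence of SQL logging: with a query recorder in place, the limit changes and the injected statements become reviewable. The following is an added example, not material from the PwC deck: it scans recorder output for statements that touch a sensitive column, carry a second statement spliced in after a `;`, or end in a comment marker. The log format, the `withdrawal_limit` column name and every log entry are constructed assumptions.

```python
import re

# Added example (not PwC's). Log format, column names and every entry below are
# constructed: "<timestamp> | <db user> | <client> | <statement>".
SAMPLE_LOG = """\
2012-03-01T02:10:05 | app_svc | 10.0.5.12 | SELECT balance FROM accounts WHERE card_id = 4471
2012-03-01T02:10:09 | app_svc | 10.0.5.12 | UPDATE accounts SET last_seen = NOW() WHERE card_id = 4471
2012-03-01T02:11:40 | app_svc | 10.0.5.12 | SELECT name FROM products WHERE id = 7; DROP TABLE audit_tmp--
2012-03-01T02:12:01 | app_svc | 10.0.5.12 | UPDATE cards SET withdrawal_limit = 1000000 WHERE card_id IN (4471, 4472)
2012-03-01T02:13:30 | dba_jane | 10.0.9.4 | UPDATE cards SET withdrawal_limit = 500 WHERE card_id = 4490
2012-03-01T02:15:00 | app_svc | 10.0.5.12 | SELECT name FROM products WHERE id = 8
"""

# Columns whose modification the business wants reviewed (hypothetical names).
SENSITIVE_COLUMNS = {"withdrawal_limit"}
# The application only ever sends single statements, so a second statement
# spliced in after ';' or a trailing comment marker is worth an analyst's eyes.
STACKED = re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|DROP|EXEC|ALTER)\b", re.I)
COMMENT_TAIL = re.compile(r"(--|/\*)\s*$")
UPDATE_SET = re.compile(r"\bUPDATE\s+\w+\s+SET\s+(.+?)\s+WHERE\b", re.I | re.S)

def parse_line(line):
    """Split one recorder line into its four fields."""
    ts, user, client, stmt = (part.strip() for part in line.split("|", 3))
    return {"ts": ts, "user": user, "client": client, "stmt": stmt}

def check_statement(stmt):
    """Return the names of the rules a statement trips (empty list if clean)."""
    hits = []
    if STACKED.search(stmt):
        hits.append("stacked_query")
    if COMMENT_TAIL.search(stmt):
        hits.append("comment_terminator")
    m = UPDATE_SET.search(stmt)
    if m:
        # Column names on the left of each "col = value" pair in the SET clause.
        touched = {c.split("=")[0].strip().lower() for c in m.group(1).split(",")}
        if touched & SENSITIVE_COLUMNS:
            hits.append("sensitive_column_update")
    return hits

def scan(log_text):
    """Return (line_number, db_user, rules) for each statement that trips a rule."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        entry = parse_line(line)
        rules = check_statement(entry["stmt"])
        if rules:
            findings.append((n, entry["user"], rules))
    return findings
```

Running `scan(SAMPLE_LOG)` flags lines 3, 4 and 5; the limit change by `dba_jane` is reported too, because the recorder cannot tell a legitimate change from an injected one and the analyst has to reconcile each hit against a change record.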

Eradication & remediation (2-4 weeks)
- Remove malware
- Re-image and/or rebuild systems
  - Consider legacy applications
- Delete/disable accounts
- System and network device hardening
- Increase log monitoring

Longer term issues
- Data flows
- Application characteristics
- Server characteristics
- Risk factors
- Regulatory and compliance issues

Recovery: long term goals
- Implement an Information Security group with a CISO
- Integrate Information Security into all facets of the business
- Network isolation and segmentation
- System hardening
- Annual security audits (include penetration testing)
  - Include 3rd party connections
- Implement a Sensitive Data Program

Recommendations
- Ensure there is an incident response plan in place
- Know where your crown jewels are located
- Regular security assessments conducted by an outside firm
- Have an incident response support team on speed dial

Questions
Contact: Dave Nardoni 213-356-6308, Jef Dye 213-217-3976

2012 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.