Upload File

incident response- is there a place for automation? presented by jochanan sommerfeld – cissp/crisc

  • Home
  • Documents
  • Incident Response- Is there a place for AUTOMATION? Presented by Jochanan Sommerfeld – CISSP/CRISC
13
Incident Response Is there a place for AUTOMATION? YES, there is!!!” Presented by Jochanan Sommerfeld – CISSP/CRISC © 2015 Ayehu, Confidential and Proprietary

Upload: ayehu-software-technologies-ltd

Post on 06-Aug-2015

136 views

Category:

Documents


0 download

Report

Tags:

TRANSCRIPT

Page 1: Incident Response- Is there a place for AUTOMATION? Presented by Jochanan Sommerfeld – CISSP/CRISC

Incident ResponseIs there a place for AUTOMATION?

”YES, there is!!!”Presented by Jochanan Sommerfeld – CISSP/CRISC

©2015 Ayehu, Confidential and Proprietary

Page 2: Incident Response- Is there a place for AUTOMATION? Presented by Jochanan Sommerfeld – CISSP/CRISC

Number of incidents increased in

2013 by 48%

Number of breaches increased in

2014 by 23%

©2015 Ayehu, Confidential and Proprietary

Page 3: Incident Response- Is there a place for AUTOMATION? Presented by Jochanan Sommerfeld – CISSP/CRISC

Cyber Security Attacks aremore numerous and and more complex.

The Only Constant Is

Change

©2015 Ayehu, Confidential and Proprietary

Page 4: Incident Response- Is there a place for AUTOMATION? Presented by Jochanan Sommerfeld – CISSP/CRISC

Classic Incident

Response Lifecycle

©2015 Ayehu, Confidential and Proprietary

Page 5: Incident Response- Is there a place for AUTOMATION? Presented by Jochanan Sommerfeld – CISSP/CRISC

GOOD but not

FAST enough?

©2015 Ayehu, Confidential and Proprietary

Page 6: Incident Response- Is there a place for AUTOMATION? Presented by Jochanan Sommerfeld – CISSP/CRISC

.

.

.

What Is Common To Most Incidents?

©2015 Ayehu, Confidential and Proprietary

Incidents are left unhandledValidation takes too longMissing Security KnowledgeNo 24/7 team coverageNot prepared

No response simulationNo response testing

No lesson learned

No playbooksHuman errors Containment too lateNot properly documentedNot properly communicated

Page 7: Incident Response- Is there a place for AUTOMATION? Presented by Jochanan Sommerfeld – CISSP/CRISC

My Proposal

©2015 Ayehu, Confidential and Proprietary

Classical IR Automation

+ =Good and Fast Security IncidentResponse

Page 8: Incident Response- Is there a place for AUTOMATION? Presented by Jochanan Sommerfeld – CISSP/CRISC

Detection and

Analysis

©2015 Ayehu, Confidential and Proprietary

Analyze precursors and indicators

Correlate information

Enrich security intelligence

Categorize and prioritize

Communicate

Document evidence

Page 9: Incident Response- Is there a place for AUTOMATION? Presented by Jochanan Sommerfeld – CISSP/CRISC

Containment, Eradication and Recovery

©2015 Ayehu, Confidential and Proprietary

Acquire and preserve evidenceIdentify and mitigate vulnerabilities

Remove malware

Return system to operation

Page 10: Incident Response- Is there a place for AUTOMATION? Presented by Jochanan Sommerfeld – CISSP/CRISC

Post-Incident

Activity

©2015 Ayehu, Confidential and Proprietary

Vulnerability testingStatic Code Analysis

Dynamic Code Analysis

Page 11: Incident Response- Is there a place for AUTOMATION? Presented by Jochanan Sommerfeld – CISSP/CRISC

Detection and

Analysis

SIEM

IDPS

AV Software

File Integrity Checking

Security Intelligence

OS + App

Logs

Network Device Logs

Netflow

Vulnerability DB

©2011 Ayehu, Confidential and Proprietary

Example of

Integration

Page 12: Incident Response- Is there a place for AUTOMATION? Presented by Jochanan Sommerfeld – CISSP/CRISC

Use Case Example

© 2015 Ayehu, Confidential and Proprietary

• Possible Questions Is the user a valid user in AD? Is the user a member of a critical group? Does user have administrative privileges? Is the user currently locked? Did user reset his/her password recently?

• Possible actions Ask the person behind that user if he/she failed to login Lock/disable the account (if not already locked by DC policy) Send the host to a different VLAN using NAC/IPS Inform the user via SMS Report every step with a ticket in the ITSM system

Brute Force Attack

SIEM Alarm

Page 13: Incident Response- Is there a place for AUTOMATION? Presented by Jochanan Sommerfeld – CISSP/CRISC

Thank You!Jochanan Sommerfeld – CISSP/[email protected]

©2015 Ayehu, Confidential and Proprietary

mailto:[email protected]

Crisc prep-guide

02 Drude Sommerfeld

Crisc Part 1 the Big Picture 2011

CRISC 21 Logistique

CRISC online review course Spanish / Español (Intro)

Cisa Cism Cgeit Crisc 2011 Overview

10.4 Sommerfeld formula - Binghamton University

2. Assistent bei Arnold Sommerfeld und bei David Hilbert · 2. Assistent bei Arnold Sommerfeld und bei David Hilbert 2.1 Die Sommerfeld-Schule Arnold Sommerfeld besch¨aftigte Adolf

Isaca Crisc

Sommerfeld-mechanics of Deformable Bodies

1ngHgHy Dorine Nalo - isaca.or.ke · Ms. Elizabeth Ochieng, CISA,CGEIT,CRISC 2018 February-May CRISC Exam Ms. Elizabeth Della Akinyi Ayugi, CISA,CISM,CRISC 2018 June-September CRISC

The Sommerfeld Enhancementthep.housing.rug.nl/sites/default/files/theses/Bachelor thesis_Sam...1 The Sommerfeld enhancement 1.1 Introduction The Sommerfeld enhancement is an elementary

CRISC - GRATIS EXAM...Feb 18, 2019  · CRISC.270q Number : CRISC Passing Score : 800 Time Limit : 120 min CRISC Certified in Risk and Information

C**** in a Day - Inspiratiesessie CRISC · CRISC = Certified in Risk and Information Systems Control The CRISC professional demonstrates skills in both of the following: •Enterprise

Brochure-CRISC-Boot-Camp...CRISC certification exam is not included in this training course. Candidates interested in CRISC exarnination must submit their application directly at ISACA

Sommerfeld Method 11.10.2010.docx

La Bauhaus-casa Sommerfeld

[Arnold Sommerfeld] Lectures on Theoretical Physic(BookFi.org)

CRISC-Certificate (1)

Curriculum Vitae Peter Sommerfeld, Prof. Dr. …...Prof. Dr. Peter Sommerfeld CH-4600 Olten Tel. +41 62 957 21 38 E-Mail: [email protected] 1 / 13 Curriculum Vitae Peter Sommerfeld,

la teoría sommerfeld de los metales

Modelos atômicos böhr - sommerfeld - pauling

Isaca crisc-courseware

John R. Robles CISA, CISM, CRISC €¦ · John R. Robles CISA, CISM, CRISC [email protected] 787-647-3961

CRISC Flash Card

CRISC - ALC Group · 16 Exam prep and Review •nderstanding the structure of theU exam •Sample exam questions •Practical tips CRISC Exam Please note that the CRISC exam is not

Property Casualty Aspects Of ERM - Sommerfeld

Teori Sommerfeld

CRISC - ALC Group

CISA/CRISC/CISM/CGEIT Scheduling Guide

Panagiotis Droukas CISA, CRISC, CGEIT, COBIT 5 … · Panagiotis Droukas CISA, CRISC, CGEIT, COBIT 5 ... PIN for the SIM card as well as a ... CISA, CRISC, CGEIT, COBIT 5 Accredited

Singular Bohr–Sommerfeld Rules - UMR 5582

Lectures on Theoretical Physics - Mechanics - Sommerfeld

Aniruddha Neogi, FCA, CISA, CGEIT,CRISC

Bohr-Sommerfeld-Heisenberg Quantization of the 2 ... Introduction Intheframeworkofgeometricquantizationwehaveformulatedaquantiza-tion theory based on the Bohr-Sommerfeld quantization