Incident Response: Security’s Special Teams

Upload: resilient-systems

Posted on 14-Aug-2015

Page 2

Introductions: Today’s Speakers

• Ted Julian, Chief Marketing Officer, Co3 Systems
  • Ted is a serial entrepreneur who has launched four companies during his ~20 years in the security / compliance industry.

• Andrew Jaquith, Chief Technology Officer & SVP Cloud Strategy, SilverSky
  • Andy is a thought-leader with ~20 years experience in the security industry. He has helped shape the security industry as an entrepreneur at SilverSky and @stake and as an industry analyst at Forrester Research and Yankee Group.

Page 3

Agenda

• Introductions
• IR: The Next Security Discipline
• Enhancing Your IR Capability
  • Technology
  • People
  • Process
• Final Thoughts / Recommendations
• Q&A

Page 4

Co3 Automates Incident Response

PREPARE: Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps

ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• See $ exposure
• Send notice to team
• Generate Impact Assessments

MANAGE: Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion

REPORT: Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports

Page 5

SilverSky simplifies how customers secure information

MANAGE email, messaging and collaboration

SECURE data with our security software

MONITOR networks for intrusions 24x7

Products and services shown:
• Exchange
• Lync
• SharePoint
• Email Security
• Mobile device management
• Email DLP
• Email Encryption
• Email Archive
• Email Continuity
• Log management
• Vulnerability management
• Brand protection
• UTM management
• Event monitoring and response
• Managed BlackBerry

By tirelessly safeguarding our customers’ most important information, SilverSky enables growth-minded leaders to pursue their business ambitions without security worry. SilverSky protects $525 billion in banking and credit union assets. Each month, we analyze 15 billion raw security events and investigate 140,000 alerts.

Page 6

By Mike Kaplan [Public domain], via Wikimedia Commons

Offense

Page 7

By U.S. Navy photo by Mass Communication Specialist David P. Coleman [Public domain], via Wikimedia Commons

Defense

Page 8

By U.S. Navy photo by Lt. Cmdr. Scott Allen. [Public domain], via Wikimedia Commons

Special Teams

Page 9

Information security has three phases too

Prevention
• Stop malicious threats
• Secure endpoints, networks, and servers
• Maintain secure and compliant configurations

Detection
• Identify anomalous behavior
• Detect compromises
• Discover data leaks & potential breaches

Response
• Have a plan
• Assess events
• Escalate to incidents
• Manage
• Report

Page 10

Why Incident Response Matters

Chain of events, with the compromised asset, analogy, damage and budget at each stage:

Stage 1: IDS, AV or other control repels an attack
• Compromised asset: none (no damage)
• Analogy: “Preventative care”
• Damage: 0
• Budget: millions

Stage 2: Attacker infects a workstation
• Compromised asset: the workstation
• Analogy: “Infection”
• Damage: 000s
• Budget: 000s

Stage 3: Attacker “pivots” to gain control over sensitive systems
• Compromised assets: multiple
• Analogy: “Disease”
• Damage: millions
• Budget: 0

Page 11

Compromises are the new reality

SilverSky analyzed security incidents based on data from 861 financial institutions for the second half of 2012

We found:

• 1,628 likely and confirmed customer compromises

• 441 institutions affected

• 51% of our financial customers experienced at least one incident

SilverSky blocked 1/3 of incidents

Traffic analysis detected the rest

Size of institution ($ assets) / Average # of incidents
• Small (<$25 million): 3
• Mid-sized (<$1 Bn): 4
• Large (>$1 Bn): 7

Source: SilverSky 2012 2H Financial Institutions Threat Report. (Base: 861 SilverSky customers)

Page 12

Guess where most IT security budgets go?

By victor vic (all in, tapis) [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Wikimedia Commons

Page 13

Prevention + Detection Dominate Security Spend

Segment / 2012 revenue
• Prevention / Detection Products: $27B*
• Prevention / Detection Services: $29B*
• Response Services: $6B**
• Response Products: < $1B***

Prevention / Detection: 89% of spend; Response: 11%

* Gartner ** ABI Research *** Co3 estimate

Page 14

Public Domain Pictures.net - Eggs In The Grass by Ed Hoskins

There is a metaphor for this strategy…

Page 15

IR Demands Investment

“If you are going to invest in one thing - it should be incident response.”
GARTNER – JUNE 2013

“You can’t afford ineffective incident response.”
FORRESTER – APRIL 2013

POLL

How many incidents do you manage on average each month?

Page 17

Is This IR?

By ErrantX. [Public domain], via Wikimedia Commons

Page 18

Is This IR?

Page 19

The Incident Response Lifecycle

PREPARE: Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps

ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• Calculate $ exposure
• Notify team
• Generate Impact Assessments

MANAGE: Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion

REPORT: Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports

Page 20

IR Is More Than Just Forensics

[Diagram: the IR Team sits at the center of three activity areas, Detection, Investigation, and Response. Beyond Forensics, the parties drawn in are Security Tools, Threat Intelligence, Partners / Providers, Law Enforcement, IT / Security Controls, Service Providers, Perpetrator(s), Internal Staff, and Customers.]

POLL

How often do you run IR fire drills / tabletop exercises?

Page 22

Incident Response People

INTERNAL
• IT
• Legal
• Compliance
• Audit
• Privacy
• Marketing
• HR
• Senior Executives

EXTERNAL
• Legal
• Consultants
• Audit
• Law Enforcement
• Partners

DON’T FORGET TO:
• Communicate
• Practice
• Train

Page 23

Incident Response Process

PREPARE: Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps

ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• Calculate $ exposure
• Notify team
• Generate Impact Assessments

MANAGE: Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion

REPORT: Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports

BE SURE TO INCLUDE:
• Regulatory Requirements
  • State, Federal, and Trade
• Industry Standard Frameworks
  • NIST, CERT, SANS
• Organization Standards / Best Practices
• Contractual Requirements
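As an added illustration of the Assess, Manage and Report steps of the process slide above (this is not Co3 or SilverSky code, and the cost-per-record figure, the dollar threshold, the team names, the asset names and the regulation labels are constructed placeholders), the following Python module tracks events, quantifies $ exposure, scopes the regulatory requirements, escalates into an incident with who/what/when tasks, monitors progress and flags overdue work, and produces a report suitable for audit tracking.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed assessment parameters for this example only (not from the deck).
COST_PER_RECORD = 150.0          # assumed $ exposure per exposed customer record
ESCALATE_AT_DOLLARS = 10_000.0   # assumed exposure at which an event becomes an incident


@dataclass
class Event:
    source: str                   # e.g. "IDS", "AV", "traffic analysis"
    description: str
    assets: list                  # identifiers of the assets involved
    records_exposed: int = 0      # customer records believed exposed
    regulated_data: bool = False  # PII / financial data in scope?


@dataclass
class Task:
    who: str                      # owning team
    what: str                     # the action
    due: datetime                 # when it must be done
    done: bool = False


@dataclass
class Incident:
    title: str
    opened: datetime
    events: list = field(default_factory=list)
    tasks: list = field(default_factory=list)
    exposure: float = 0.0
    regulations: list = field(default_factory=list)


def assess(event):
    """ASSESS: quantify $ exposure, scope regulatory requirements, decide escalation."""
    exposure = event.records_exposed * COST_PER_RECORD
    # Placeholder regime labels; a real assessment maps data type and jurisdiction to statutes.
    regulations = (["state breach-notification law (placeholder)",
                    "contractual customer notice (placeholder)"] if event.regulated_data else [])
    # A second compromised asset (the deck's "disease" stage) escalates regardless of the $ figure.
    escalate = exposure >= ESCALATE_AT_DOLLARS or len(event.assets) > 1
    return {"exposure": exposure, "regulations": regulations, "escalate": escalate}


def escalate(title, events, now):
    """MANAGE: open an incident and generate a who/what/when task plan."""
    inc = Incident(title=title, opened=now)
    for ev in events:
        a = assess(ev)
        inc.events.append(ev)
        inc.exposure += a["exposure"]
        inc.regulations += [r for r in a["regulations"] if r not in inc.regulations]
    assets = sorted({h for ev in events for h in ev.assets})
    inc.tasks.append(Task("IT", "Contain and image affected assets: " + ", ".join(assets),
                          now + timedelta(hours=4)))
    inc.tasks.append(Task("Legal", "Confirm notification obligations", now + timedelta(days=1)))
    if inc.regulations:
        inc.tasks.append(Task("Compliance", "Notify regulators per: " + "; ".join(inc.regulations),
                              now + timedelta(days=3)))
        inc.tasks.append(Task("Marketing", "Prepare customer notice", now + timedelta(days=3)))
    inc.tasks.append(Task("IR Team", "Document incident results", now + timedelta(days=7)))
    return inc


def progress(inc, now):
    """MANAGE: monitor progress to completion and flag overdue tasks."""
    done = sum(1 for t in inc.tasks if t.done)
    overdue = [t.what for t in inc.tasks if not t.done and t.due < now]
    return {"done": done, "total": len(inc.tasks), "overdue": overdue}


def report(inc, now):
    """REPORT: summarize results for audit / compliance tracking."""
    p = progress(inc, now)
    return {
        "title": inc.title,
        "events": len(inc.events),
        "assets": sorted({h for ev in inc.events for h in ev.assets}),
        "exposure_usd": inc.exposure,
        "regulations": list(inc.regulations),
        "tasks_done": "%d/%d" % (p["done"], p["total"]),
        "overdue": p["overdue"],
        "closed": p["done"] == p["total"],
    }


def demo():
    """Constructed scenario: a workstation infection that pivots to a file server."""
    t0 = datetime(2013, 6, 1, 9, 0)
    infection = Event("AV", "Workstation infected with a banking trojan", ["ws-17"])
    pivot = Event("traffic analysis", "Lateral movement to file server",
                  ["ws-17", "fs-01"], records_exposed=2_000, regulated_data=True)
    inc = escalate("Pivot from ws-17 to fs-01", [infection, pivot], t0)
    inc.tasks[0].done = True                     # IT finished containment
    return report(inc, t0 + timedelta(days=2))   # status two days in
```

Calling demo() returns the report for the constructed scenario: the lone workstation infection on its own would only be tracked, but once traffic analysis shows a pivot onto a second asset holding regulated records the workflow escalates, the exposure figure and regulatory scope drive which tasks are generated, and two days in the report shows the Legal task overdue while the incident remains open.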

Page 24

Incident Response Technology

This?

By KoS. [Public domain], via Wikimedia Commons

Page 25

Incident Response Technology

This?

By Rens ten Hagen. [Public domain], via Wikimedia Commons

Page 26

Incident Response Technology

This?

Page 27

Incident Response Technology

SYSTEM REQS
• Secure
• Distinct
• Available
• Integrated with related systems

FUNCTIONAL REQUIREMENTS
• Prescriptive
• Cognizant of regulations, best practices, threats
• Easy to use
• Built-in workflow
• Built-in reporting / dashboards
• Always up to date
• Linked to threat intelligence

OBJECTIVES
• Faster response time
• Staff augmentation
• Consistency
• Repeatability
• Ensure compliance
• Foster collaboration
• Simplify reporting / status updates
• Improved threat context / correlation

QUESTIONS

One Alewife Center, Suite 450

Cambridge, MA 02140

PHONE 617.206.3900

WWW.CO3SYS.COM

Andrew Jaquith
Chief Technology Officer & SVP Cloud Strategy
[email protected]

“One of the most important startups in security…”

BUSINESS INSIDER – JANUARY 2013

“One of the hottest products at RSA…”

NETWORK WORLD – FEBRUARY 2013

“an invaluable weapon when responding to security incidents.”

GOVERNMENT COMPUTER NEWS

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”

PC MAGAZINE, EDITOR’S CHOICE