predrag zivic - mike lecky - structured incident types to streamline incident response
DESCRIPTION
TRANSCRIPT
Structured Incident Types to Streamline Incident Response
Predrag Zivic Mike Lecky
Agenda
• Introduction
• Incident Type Definition
• Function Based Alerting
• Asset Classification
• Streamlined Ticket and Severity
• Steps to Function Based Alerting
• Streamline Incident Response
• Benefits
• Conclusion
Introduction
[Figure: Typical Integrated Security Monitoring System. Tool feeds shown: AV, IDS, HIDS, FIM, Proxy/Firewall, Platforms, SCM, VA; all feed the SIEM, which drives a Dashboard. The diagram is divided along a Proactive / Reactive axis.]
Introduction
The Problem
• Number of security tools
• Large number of rules for alerting
• Uncertainty about incident severity level
• Inconsistent alerting thresholds
• Spotty coverage
• Complexity of tool integration
Introduction
The Problem Scenario
Incident Ticket – Identified Security Incident
  Windows Platform Alert
  Success After X Failed Logins from IP
  Server XNXYY
  Severity ??
  Send Ticket to Windows Support
• First responders confused
• Ticket sent to Windows group – after a few days sent to Security Operations
• Security Operations confused about where this came from and what the severity is anyway
Incident Type Definition
Criteria for defining incident types to achieve streamlined incident response:
• Following industry guidelines – NIST, Carnegie Mellon, SANS
• Understandable
• Reportable
• Comprehensive set – but not too many!
• Easily applied to security tools
• Manageable
Incident Type Definition (matrix columns: Incident, Examples, Security or Privacy Breach, Notes)

Incident: Unauthorized Access
  Examples: CORPORATE personnel gain logical or physical access without permission to network, system, application, data, facilities or other resource, e.g. hacking CORPORATE managed systems or third party managed systems; lost Blackberry or laptop. External agent gains logical or physical access without permission to network, system, application, data, facilities or other resource, e.g. hacker, intruder.
  Security or Privacy Breach: Compromise – theft/removal, destruction, modification, copying, use.
  Notes: All unauthorized access incidents should be handled using prescribed CORPORATE incident response operational processes. In such an event, internal processes for investigation and possible disciplinary or criminal charges may apply.

Incident: Unauthorized Disclosure
  Examples: CORPORATE employee (IT or non-IT personnel) discloses sensitive data to unauthorized persons – may be in any form of correspondence, including oral. CORPORATE client (IT or business personnel) discloses confidential data to unauthorized CORPORATE employees. CORPORATE client (IT or business personnel) discloses confidential data to third parties. Granting read, write or delete privileges to individuals whose duties do not require such privileges. Disclosure of financial, finance reports, credit card related and personal information.
  Security or Privacy Breach: Compromise – theft/removal, destruction, modification, copying, use.
  Notes: In the case of unauthorized disclosure by a CORPORATE employee, internal processes for investigation and possible disciplinary action may apply. There might be insufficient restrictions on access privileges for financial, finance reports, credit card related and personal information.

Incident: Unauthorized Collection
  Examples: CORPORATE application uses data matching or another process to collect financial, finance reports, credit card related and personal information without the consent or knowledge of the information owner. CORPORATE non-IT personnel: collection or use of financial or personal information for purposes other than verification. External agent collecting the information from logical or physical CORPORATE infrastructure.
  Security or Privacy Breach: Collecting financial, finance reports, credit card related and personal information without identifying the purpose.
  Notes: Potential problem normally identified in SRA or audit. Process controls should be corrected once the incident is identified.

Incident: Unauthorized Disposal
  Examples: Information such as financial or required finance reporting information not retained in accordance with CORPORATE standard requirements.
  Security or Privacy Breach: Unavailability of financial or required restricted and confidential information. Unavailability of personal information.
  Notes: Policy and process for retention and disposal schedules is required.

Incident: Unauthorized Use
  Examples: CORPORATE application or a user uses data mining or another process for purposes other than those defined. Unauthorized correlation of information. CORPORATE non-IT personnel: use of financial or personal information for purposes other than those defined.
  Security or Privacy Breach: Use of financial, finance reports, credit card related, personal information and any other confidential or restricted information.
  Notes: Policy should be defined for application functions, and those functions should be enumerated.
Incident Type Definition (continued; columns: Incident, Examples, Security or Privacy Breach, Notes)

Incident: Infrastructure Attack
  Examples: An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources, e.g. distributed denial of service attack or active WLAN attack.
  Security or Privacy Breach: Unavailability.
  Notes: Unavailability of financial, finance reports, credit card related and personal information must be reported, and notification must take place in accordance with CORPORATE standard requirements. SLAs should identify reporting requirements.

Incident: Malicious Code and Malware
  Examples: A code-based malicious entity (virus, worm, trojan horse, malformed applet, rootkit, time-bomb etc.) that infects or destroys a host.
  Security or Privacy Breach: Compromise – theft/removal, destruction, modification, copying, use. Unavailability.
  Notes: See above – corruption or compromise of financial, credit card and personal information requires detection and reporting.

Incident: Infrastructure Vulnerabilities (found during the vulnerability management process)
  Examples: Any found critical vulnerabilities that expose critical financial and personal information.
  Security or Privacy Breach: May cause unavailability, or loss of financial or personal information that is deemed confidential or restricted.
  Notes: Possible unavailability of financial, finance reports, credit card related and personal information must be dealt with promptly.

Incident: Compliance Specific
  Examples: CEO & CFO key controls and PCI key controls that could not be classified as one of the incident type categories specified in this matrix.
  Security or Privacy Breach: CORPORATE exposed to a non-compliant environment and may incur penalties.
  Notes: Impact to financial bottom line and possible executive prosecution.

Incident: System Health
  Examples: Specific to each operational tool, with tool-specific health incidents. Security tools can have specific issues that may impact security monitoring.
  Security or Privacy Breach: Security monitoring unavailable.
  Notes: Impact to the security group's ability to detect incidents and increased risk to the organization. Business is not impacted, but monitoring must be restored as soon as possible.
Function Based Alerting (columns: Incident Type, Alert Scenario, Events)

Incident Type: Unauthorized Access
  Alert Scenario: x failed logins by a user in y mins
  Events: Windows failed login attempts; AIX failed login attempts; HP-UX failed login attempts; DB failed login attempts; ACS failed login attempts; Security Tools NIC failed login attempts; Checkpoint FW failed login attempts; Mainframe failed login attempts; Wireless Switch failed login attempts

  Alert Scenario: Success after X failed logins by IP
  Events: Windows failed login attempts; AIX failed login attempts; HP-UX failed login attempts; DB failed login attempts; RADIUS failed login attempts; Security Tools NIC failed login attempts; Checkpoint FW failed login attempts; Mainframe failed login attempts; Wireless Switch failed login attempts

  Alert Scenario: Successful login as the built-in administrator account has been detected
  Events: Windows login; AIX login; HP-UX login; DB login; RADIUS login; Security Tools login; Checkpoint FW login; Mainframe login; Wireless Switch login
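The point of the table above is that one alert scenario is written once against a function ("failed login", "login") rather than once per platform. The following is an added example, not code from the presentation: the three Unauthorized Access scenarios run over a constructed stream of events that have already been normalized from Windows, AIX and Checkpoint FW formats. The event schema, the thresholds (x=5 in y=10 minutes; X=3 failures before a success) and the per-platform name of the built-in administrator account are assumptions made for the example.

```python
"""Function-based alerting for the Unauthorized Access scenarios in the table above.

Added example, not code from the presentation. Assumed here: the normalized event
schema, the thresholds (x=5 failures in y=10 minutes; X=3 failures before a success)
and the per-platform name of the built-in administrator account.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def ev(ts, platform, server, user, src_ip, function):
    """Build one normalized event; 'function' is 'failed_login' or 'login'."""
    return {"ts": ts, "platform": platform, "server": server, "user": user,
            "src_ip": src_ip, "function": function}


# Constructed sample events, already normalized from Windows, AIX and Checkpoint FW
# native formats into the two functions the alert scenarios depend on.
EVENTS = [
    # jsmith on Windows XNXX: one stale failure, then five inside ten minutes
    ev("2024-01-01T09:40:00", "Windows", "XNXX", "jsmith", "10.0.0.5", "failed_login"),
    ev("2024-01-01T10:00:00", "Windows", "XNXX", "jsmith", "10.0.0.5", "failed_login"),
    ev("2024-01-01T10:01:00", "Windows", "XNXX", "jsmith", "10.0.0.5", "failed_login"),
    ev("2024-01-01T10:02:00", "Windows", "XNXX", "jsmith", "10.0.0.5", "failed_login"),
    ev("2024-01-01T10:03:00", "Windows", "XNXX", "jsmith", "10.0.0.5", "failed_login"),
    ev("2024-01-01T10:04:00", "Windows", "XNXX", "jsmith", "10.0.0.5", "failed_login"),
    # one source IP cycles through accounts on AIX UNYY, then gets in
    ev("2024-01-01T10:20:00", "AIX", "UNYY", "guest", "192.0.2.9", "failed_login"),
    ev("2024-01-01T10:20:30", "AIX", "UNYY", "test", "192.0.2.9", "failed_login"),
    ev("2024-01-01T10:21:00", "AIX", "UNYY", "oracle", "192.0.2.9", "failed_login"),
    ev("2024-01-01T10:21:30", "AIX", "UNYY", "oracle", "192.0.2.9", "login"),
    # built-in administrator logs in on Windows with no preceding failures
    ev("2024-01-01T11:00:00", "Windows", "XNXX", "Administrator", "10.0.0.7", "login"),
    # routine firewall admin login: must not alert
    ev("2024-01-01T11:05:00", "Checkpoint FW", "FW01", "fwadmin", "10.0.0.8", "login"),
]

# Assumption: the account name that is the built-in administrator on each platform.
BUILTIN_ADMIN = {"Windows": "Administrator", "AIX": "root", "HP-UX": "root"}


def _alert(scenario, e):
    """Every alert carries the structured incident type plus the fields a ticket needs."""
    return {"incident_type": "Unauthorized Access", "scenario": scenario,
            "platform": e["platform"], "server": e["server"],
            "user": e["user"], "src_ip": e["src_ip"], "ts": e["ts"]}


def _by_time(events):
    return sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))


def failed_logins_by_user(events, x=5, y_minutes=10):
    """Scenario: x failed logins by the same user (per platform/server) within y minutes."""
    window = defaultdict(deque)   # (platform, server, user) -> failure times inside the window
    fired, alerts = set(), []
    for e in _by_time(events):
        if e["function"] != "failed_login":
            continue
        key = (e["platform"], e["server"], e["user"])
        t = datetime.fromisoformat(e["ts"])
        q = window[key]
        q.append(t)
        while t - q[0] > timedelta(minutes=y_minutes):   # drop failures outside the window
            q.popleft()
        if len(q) >= x and key not in fired:               # alert once per user, not per event
            fired.add(key)
            alerts.append(_alert(f"{x} failed logins by a user in {y_minutes} mins", e))
    return alerts


def success_after_failed_by_ip(events, x=3):
    """Scenario: a successful login from a source IP after X failed logins from that IP,
    whichever accounts the failures used."""
    failures = defaultdict(int)   # (platform, server, src_ip) -> failures since last success
    alerts = []
    for e in _by_time(events):
        key = (e["platform"], e["server"], e["src_ip"])
        if e["function"] == "failed_login":
            failures[key] += 1
        elif e["function"] == "login":
            if failures[key] >= x:
                alerts.append(_alert(f"Success after {x} failed logins by IP", e))
            failures[key] = 0       # a success resets the counter for that IP
    return alerts


def builtin_admin_login(events):
    """Scenario: successful login as the platform's built-in administrator account."""
    return [_alert("Successful login as the built-in administrator account", e)
            for e in _by_time(events)
            if e["function"] == "login" and e["user"] == BUILTIN_ADMIN.get(e["platform"])]


def run_all(events=EVENTS):
    """Apply the three scenarios to one normalized stream, whatever platforms it mixes."""
    return (failed_logins_by_user(events) + success_after_failed_by_ip(events)
            + builtin_admin_login(events))


if __name__ == "__main__":
    for a in run_all():
        print(a["incident_type"], "|", a["scenario"], "|", a["platform"], a["server"])
```

Because every alert is tagged with the incident type at the point of detection, the ticket that follows from it already says "Unauthorized Access" rather than "Windows Platform Alert", which is the difference between the two ticket scenarios on these slides. Adding a new platform means adding a normalizer for its log format, not a new copy of each rule.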
Asset Classification

Asset Group    Importance (Availability)  Integrity  Confidentiality  Vulnerability
CKA & PCI      10                         10         10               1
CKA            8                          8          8                1
PCI            8                          8          8                1
Production     6                          6          6                1
QA             3                          3          3                1
Development    3                          3          3                1

LEGEND: Low 1-3, Medium 4-6, High 7-8, Very High 9-10

Align incident response urgency to the business for resolution
Streamline Incident Ticket & Severity
Incident Ticket – Identified Security Incident
  Severity Level 2
  Unauthorized Access
  Success After X Failed Logins per IP, Windows Platform
  Server XNXX Classified – 10 CIA V1
The Efficient Scenario of Function Based Alerting
• First responders know what type of ticket it is
• Ticket sent to Security Operations with proper severity level
• Security Operations understand server classification and take appropriate action
Streamline Incident Ticket & Severity
Incident Tickets – Identified Multiple Security Incidents
  Unauthorized Access – Success After X Failed Logins per IP, Windows Platform – Server XNXX Classified – 10 CIA V1
  Unauthorized Access – Success After X Failed Logins per IP, UNIX Platform – Server UNYY Classified – 10 CIA V1
  Severity Level 1
The Real Life Benefit of Function Based Alerting
• First responders saw two severity 2 alerts and one severity 1 alert from the SIEM – automatic escalation
• Alert escalated to Security Operations with proper severity level
• Security Operations take the incident seriously and engage the severity 1 level response team
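The two ticket slides above show classification and severity being attached to an alert automatically, and several severity 2 tickets being escalated to one severity 1 incident. The following is an added example, not the presentation's code, of that triage step. The asset table and legend are the ones on the Asset Classification slide; the severity level assigned to each classification band, the use of the highest CIA score as the classification shown on the ticket, the server inventory and the escalation rule are assumptions made for the example.

```python
"""Severity assignment and escalation for function-based alerts.

Added example, not the presentation's code. The asset classification table and legend
are the ones on the Asset Classification slide; the severity-per-band mapping, the use
of the highest CIA score as the classification, the server inventory and the
escalation rule are assumptions made here.
"""
from collections import defaultdict

# (Importance/Availability, Integrity, Confidentiality, Vulnerability) from the slide
ASSET_CLASSIFICATION = {
    "CKA & PCI":   (10, 10, 10, 1),
    "CKA":         (8, 8, 8, 1),
    "PCI":         (8, 8, 8, 1),
    "Production":  (6, 6, 6, 1),
    "QA":          (3, 3, 3, 1),
    "Development": (3, 3, 3, 1),
}
# Constructed inventory: which asset group each server belongs to
SERVER_GROUP = {"XNXX": "CKA & PCI", "UNYY": "CKA & PCI", "QAWEB01": "QA"}


def band(score):
    """Legend from the slide."""
    if score >= 9:
        return "Very High"
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


# Assumption: severity level per classification band (level 1 is reserved for escalation)
SEVERITY_BY_BAND = {"Very High": 2, "High": 3, "Medium": 4, "Low": 5}


def classify(server):
    """Return the server's classification in the slide's '10 CIA V1' style."""
    avail, integ, conf, vuln = ASSET_CLASSIFICATION[SERVER_GROUP[server]]
    score = max(avail, integ, conf)
    return {"score": score, "band": band(score), "label": f"{score} CIA V{vuln}"}


def make_ticket(alert):
    """Turn one function-based alert into a structured ticket routed to Security Operations."""
    cls = classify(alert["server"])
    return {"severity": SEVERITY_BY_BAND[cls["band"]],
            "incident_type": alert["incident_type"], "scenario": alert["scenario"],
            "platform": alert["platform"], "server": alert["server"],
            "classification": cls["label"], "route": "Security Operations"}


def escalate(tickets):
    """Assumed rule modelled on the slide: several severity 2 tickets with the same
    incident type and scenario on different servers merge into one severity 1 ticket."""
    groups = defaultdict(list)
    for t in tickets:
        if t["severity"] == 2:
            groups[(t["incident_type"], t["scenario"])].append(t)
    merged, consumed = [], set()
    for (itype, scenario), group in groups.items():
        if len({t["server"] for t in group}) >= 2:
            merged.append({"severity": 1, "incident_type": itype, "scenario": scenario,
                           "servers": sorted(t["server"] for t in group),
                           "route": "Severity 1 response team"})
            consumed.update(id(t) for t in group)
    return merged + [t for t in tickets if id(t) not in consumed]


def triage(alerts):
    """Alerts in, tickets out: classify, assign severity, then escalate."""
    return escalate([make_ticket(a) for a in alerts])


# Constructed alerts in the shape the SIEM emits after function-based alerting
ALERTS = [
    {"incident_type": "Unauthorized Access", "scenario": "Success After X Failed Logins per IP",
     "platform": "Windows", "server": "XNXX"},
    {"incident_type": "Unauthorized Access", "scenario": "Success After X Failed Logins per IP",
     "platform": "UNIX", "server": "UNYY"},
    {"incident_type": "Unauthorized Access", "scenario": "x failed logins by a user in y mins",
     "platform": "Windows", "server": "QAWEB01"},
]

if __name__ == "__main__":
    for t in triage(ALERTS):
        print(t)
```

The severity comes from the asset table, not from the tool that raised the alert, so the same scenario on a QA box and on a CKA & PCI server produces different urgency without any per-tool tuning. The escalation step keys on the structured incident type and scenario, which is only possible because every ticket carries both.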
Steps to Function Based Alerting
• Align incident types and function based alerting across all security tools
  – Start first with the SIEM, then add IDS, HIDS
  – Align vulnerability tools: VA, Secure Configuration Management, File Integrity Management
• By aligning threat and exposure, achieve quantitative operational risk metrics
• Align Risk & Governance with security operational risk using the same threat and vulnerability function based alerting
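Aligning incident types across every tool makes the alert set checkable: each cell of the incident-type-by-tool matrix either has a rule or it does not. The following is an added example, not the presentation's code, of that completeness check. The incident type and tool names are those on the slides; which tools are expected to alert for each type, and the rule inventory, are constructed assumptions.

```python
"""Completeness check of an alert set against the structured incident types.

Added example, not the presentation's code. Incident type and tool names are those on
the slides; which tools are expected to alert for each type and the configured rule
list are constructed assumptions.
"""
from collections import defaultdict

INCIDENT_TYPES = {
    "Unauthorized Access", "Unauthorized Disclosure", "Unauthorized Collection",
    "Unauthorized Disposal", "Unauthorized Use", "Infrastructure Attack",
    "Malicious Code and Malware", "Infrastructure Vulnerabilities",
    "Compliance Specific", "System Health",
}

# Assumption: the tools that should carry at least one rule per incident type
EXPECTED = {
    "Unauthorized Access": {"SIEM", "HIDS"},
    "Infrastructure Attack": {"SIEM", "IDS"},
    "Malicious Code and Malware": {"SIEM", "AV", "HIDS"},
    "Infrastructure Vulnerabilities": {"VA", "SCM", "FIM"},
    "System Health": {"SIEM", "IDS", "HIDS", "AV", "VA", "SCM", "FIM"},
}

# Constructed rule inventory: (tool, incident type the rule is tagged with, rule name)
RULES = [
    ("SIEM", "Unauthorized Access", "x failed logins by a user in y mins"),
    ("SIEM", "Unauthorized Access", "Success after X failed logins by IP"),
    ("HIDS", "Unauthorized Access", "Successful login as the built-in administrator account"),
    ("IDS", "Infrastructure Attack", "Distributed denial of service signature"),
    ("SIEM", "Malicious Code and Malware", "AV detection forwarded to SIEM"),
    ("AV", "Malicious Code and Malware", "Virus, worm or trojan detected"),
    ("VA", "Infrastructure Vulnerabilities", "Critical vulnerability on classified asset"),
    ("SCM", "Infrastructure Vulnerabilities", "Configuration drift on classified asset"),
    ("SIEM", "System Health", "Log source stopped reporting"),
    ("IDS", "System Health", "Sensor heartbeat missing"),
    ("HIDS", "Login Anomaly", "Unusual login hour"),   # tagged with a type outside the set
]


def completeness(rules=RULES, expected=EXPECTED):
    """Report gaps (expected cells with no rule), orphans (rules tagged with a type that
    is not one of the structured types) and per-tool coverage counts."""
    covered = defaultdict(set)     # incident type -> tools that have a rule for it
    orphans = []
    for tool, itype, name in rules:
        if itype not in INCIDENT_TYPES:
            orphans.append((tool, name, itype))
            continue
        covered[itype].add(tool)
    gaps = sorted((itype, tool) for itype, tools in expected.items()
                  for tool in tools - covered[itype])
    coverage = {}                  # tool -> (cells filled, cells expected)
    for itype, tools in expected.items():
        for tool in tools:
            filled, total = coverage.get(tool, (0, 0))
            coverage[tool] = (filled + (tool in covered[itype]), total + 1)
    return {"gaps": gaps, "orphans": orphans, "coverage": coverage}


if __name__ == "__main__":
    r = completeness()
    for itype, tool in r["gaps"]:
        print(f"GAP     {tool:<6} has no rule for {itype}")
    for tool, name, itype in r["orphans"]:
        print(f"ORPHAN  {tool:<6} rule '{name}' tagged '{itype}' (not a structured type)")
    for tool, (filled, total) in sorted(r["coverage"].items()):
        print(f"COVER   {tool:<6} {filled}/{total}")
```

Run against a real rule export, the gap list is the "spotty coverage" from the problem slide made explicit, and the orphan list catches rules that were written outside the agreed type set and so can never be reported or escalated consistently.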
Streamline Incident Response
Standardized approach for incident investigation, containment and resolution is achieved by:
• Function Based Alerting
• Detailed, standardized information supporting 1st and n-level responders
• Enabling efficient and effective security operations
  – Consistent severity assignment
  – Consistent investigation
  – Consistent resolution
Benefits
• Aligned security incident types to actions by incident responders
• Structured incident types approach enables completeness check on alert set
• Efficient and streamlined security incident detection and response
• Minimizes gaps in detection capability across security tools
• Standardized baseline approach for statistical incident analysis
• Structured approach to threat modelling
• Facilitates identification of new and enhanced security controls
Conclusion
• Statistical analysis of incidents
• Straightforward threat modeling
• Consistent operational security reporting
• Foundation for enhanced:
  – Preventative controls
  – Detective controls
[Figure: Improve Posture (PROACTIVE) set against Incident Response (REACTIVE); caption: Balance Investment Against Risk Appetite]
Questions?
Predrag Zivic – [email protected]
Mike Lecky – [email protected]