Seccuris is North America’s premier Information Assurance integrator. We enable organizations to achieve business goals through effective management of information risk. We are agile, innovative, flexible, and responsive. We assist your organization in managing all aspects of information risk. We specialize in end-to-end services, comprehensive solutions, and tailored programs.

Post on 29-Dec-2015

214 views

Category:

Documents


0 download

TRANSCRIPT


What makes a Security Incident different from other IT incidents?

Break and Enter

• Let’s apply our standard IT Incident Management Methodology to a simple ‘real world’ example: a Break and Enter into a home…

Preparation → Detection → Diagnosis → Repair → Recovery → Resolution


• Preparation - Monitored House Alarm, Heavy Door, Video Surveillance, Neighbourhood Watch

• Detection - Alarm Trips, Phone call is made

• Diagnosis - House has been broken into. Door was smashed, items were stolen, house was rummaged.


• Repair - Door is fixed, clean up glass, clean house, call insurance.

• Recovery - Stolen items are replaced.

• Resolution - All is done, issues have been dealt with. Life is back to normal


• What is wrong with this approach?

• Has information been gathered by the thief?

• What ‘intangibles’ have been stolen?

• Why is this methodology not suitable for IT Security Events?


EVIDENCE HAS BEEN DESTROYED:

The Repair step (fixing the door, cleaning up the glass, cleaning the house) removed the evidence before anyone examined it. Conventional IT Incident Management processes are insufficient and sometimes even harmful to the chain of custody.

The goal of incident management is to restore the status quo.

However, with Information Security Incidents there's a higher likelihood of collateral damage:

- the beginning of a systemic outbreak
- an all-out outage
- important data has left the environment

Agenda:

• Break and Enter

• 5 Reasons why we shouldn’t follow the same methodology for Security Incidents as regular incidents.

• At what phase is an incident identified as a Security Incident?

• How do we best integrate the outcome of an incident handling effort into the change control processes?

• The Future: Short-Term and Long-term

Most Typical Information Security Incident Outcomes are:

a. Denial of Service
b. Unauthorized use of IT Resources
c. Credential/Data Theft

5 Reasons why we can't follow the same methodology for Security Incidents as regular incidents.

5 Main Reasons – Threat Agents

Reason #1 – Threat Agents

Security Incidents always have a threat agent. They can be:

- Non-Target Specific: viruses, worms, trojans
- Employees: staff, contractors, operational/maintenance staff
- Organized Crime and Criminals: mostly looking for $
- Corporations/Government: mostly looking for competitive advantage
- Human, Intentional: insider, outsider, hacktivists, etc.

5 Reasons - Containment

Reason #2 – Containment

Security Incidents    IT Incidents
-------------------   ------------
Preparation           Preparation
Detection             Detection
Containment           ?
Analysis              Diagnosis
Eradication           Repair
Recovery              Recovery
Follow-up             Resolution

5 Reasons – Service Levels

Reason #3 – Service Levels

Information Security events are much like a Hospital Emergency Room, where the goal is not to measure resolution.

[Chart: Effort over Time, with Containment marked before Resolution and the period up to the fix annotated ‘exposed till we fix it’]

5 Reasons – Impact not readily known

Reason #4 – Impact not readily known

Regular incidents are classified by service disruption. With a security incident, in some cases there’s no visible impact at all.

5 Reasons - Communication

Reason #5 – Communication

Incidents are shared on a “who can help” basis.

Security Incidents are shared on a “need to know” basis.

Who do you communicate with? (internal/external)
What do you communicate?
When do you communicate?

The differentiation between an incident and a security incident must be clear and definite.

5 Reasons – Bottom Line

However, they can be mutually complementary if defined and managed properly.

At what phase is an incident identified as a Security Incident?

Preparation

Detection

Diagnosis

Repair

Recovery

Resolution

Best Case

Sometimes

Most Commonly

Too Late, or not at all

What is the most effective way to detect these Security Incidents?

Systems?

People?

Both.

Our most common sources of detection:
- Security Device Logs
- Non-Security Device Logs
- Help Desk
- Users

How do we know what’s important?
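The deck lists security-device and non-security-device logs as the main detection sources and "important data has left the environment" as the collateral damage to watch for. The following is an added example written for this page (not Seccuris or OneStone code) that correlates the two: a non-security log (sshd via syslog) yields a password-guessing burst followed by a successful login, and a security-device log (a firewall) is then checked for large outbound transfers from that host. The log formats, the hostname-to-IP inventory, the year (syslog timestamps carry none), the thresholds and all sample lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not captured from a real system).
SSHD_LOG = """\
Dec 29 10:01:02 fileserver sshd[2011]: Failed password for root from 203.0.113.7 port 51022 ssh2
Dec 29 10:01:05 fileserver sshd[2011]: Failed password for root from 203.0.113.7 port 51023 ssh2
Dec 29 10:01:09 fileserver sshd[2011]: Failed password for root from 203.0.113.7 port 51024 ssh2
Dec 29 10:01:14 fileserver sshd[2011]: Failed password for root from 203.0.113.7 port 51025 ssh2
Dec 29 10:01:20 fileserver sshd[2011]: Accepted password for root from 203.0.113.7 port 51026 ssh2
Dec 29 10:05:00 fileserver sshd[2099]: Accepted publickey for alice from 10.0.0.5 port 40001 ssh2
""".splitlines()

FW_LOG = """\
Dec 29 10:02:31 fw1 kernel: ALLOW OUT src=10.0.1.20 dst=198.51.100.9 proto=TCP dpt=443 bytes=734003200
Dec 29 10:03:00 fw1 kernel: ALLOW OUT src=10.0.1.21 dst=93.184.216.34 proto=TCP dpt=443 bytes=4096
""".splitlines()

# Assumed asset inventory: syslog hostname -> internal IP as seen by the firewall.
ASSETS = {"fileserver": "10.0.1.20"}

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
AUTH_RE = re.compile(r"(?P<result>Failed|Accepted) (?:password|publickey) for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(r"ALLOW OUT src=(?P<src>\S+) dst=(?P<dst>\S+) .*bytes=(?P<bytes>\d+)")


def parse_ts(text, year=2015):
    # Syslog timestamps carry no year; the year is an assumption of this example.
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=year)


def parse_auth(lines):
    """sshd lines (a non-security log) -> login success/failure events, time-ordered."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        a = AUTH_RE.search(m["rest"]) if m else None
        if a:
            events.append({"ts": parse_ts(m["ts"]), "host": m["host"], "user": a["user"],
                           "src": a["src"], "ok": a["result"] == "Accepted"})
    return sorted(events, key=lambda e: e["ts"])


def parse_fw(lines):
    """Firewall lines (a security-device log) -> outbound flow events."""
    flows = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        f = FW_RE.search(m["rest"]) if m else None
        if f:
            flows.append({"ts": parse_ts(m["ts"]), "src": f["src"],
                          "dst": f["dst"], "bytes": int(f["bytes"])})
    return flows


def detect(auth_lines, fw_lines, assets, fail_threshold=3,
           window=timedelta(minutes=10), exfil_threshold=100 * 2**20):
    """A successful login preceded by >= fail_threshold failures from the same
    source within `window` is flagged as suspected credential theft; the
    firewall log is then summed for outbound bytes from that host in the
    following window to decide whether data left the environment."""
    flows = parse_fw(fw_lines)
    failures = {}
    incidents = []
    for e in parse_auth(auth_lines):
        key = (e["host"], e["src"])
        if not e["ok"]:
            failures.setdefault(key, []).append(e["ts"])
            continue
        recent = [t for t in failures.get(key, []) if e["ts"] - t <= window]
        if len(recent) < fail_threshold:
            continue  # an ordinary login, nothing to raise
        host_ip = assets.get(e["host"])
        out = sum(f["bytes"] for f in flows
                  if f["src"] == host_ip and e["ts"] <= f["ts"] <= e["ts"] + window)
        incidents.append({
            "category": "Credential/Data Theft",
            "host": e["host"], "user": e["user"], "src": e["src"],
            "failures_before_success": len(recent),
            "first_seen": recent[0].isoformat(), "detected": e["ts"].isoformat(),
            "outbound_bytes_after": out,
            "data_left_environment": out >= exfil_threshold,
        })
        failures[key] = []  # one incident per burst
    return incidents


if __name__ == "__main__":
    for inc in detect(SSHD_LOG, FW_LOG, ASSETS):
        print(inc)
```

Neither log on its own says much: the firewall line is an allowed HTTPS flow and the sshd line is a successful root login. Only joined across the asset inventory do they answer "how do we know what's important": the host was taken over by password guessing and then pushed roughly 700 MB out, which is the "data has left the environment" case the deck calls out.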

How do we best integrate the outcome of an incident handling effort into the change control processes?

ALIGN and INTEGRATE as part of detection and analysis.

Key Factors for Integration: Preparation and Detection!

• Create and Maintain a Security Incident Handling Policy

• Define a Security Incident Handling Team

• Develop a communications plan

• Educate

• Establish Detection Services

Key Factors for Integration: Containment!

• Determine the risk of continuing operations

• Outsmart your Threat Agents

• Avoid potentially compromised code

• Forensic image of the system

• Get help
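The containment factors above ("Forensic image of the system") and the earlier "EVIDENCE HAS BEEN DESTROYED" slide share one practical requirement: capture the evidence before Repair touches it, and be able to prove later that the copy is what was captured. This added example (written for this page, not Seccuris or OneStone code) images a source read-only, hashes the bytes as they are read, re-hashes the written image, and appends both hashes with examiner and time to a chain-of-custody manifest; a second function re-verifies an image against that manifest. The manifest format, field names, case identifier and the constructed "disk" used in the demo are assumptions. Run it with tooling brought from trusted media rather than binaries on the suspect host, which is what "avoid potentially compromised code" means in practice.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time; images are usually larger than RAM


def sha256_file(path):
    """Hash a file in chunks and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image, manifest, case_id, examiner):
    """Copy `source` (a block device or file) to `image`, hashing bytes as they
    are read, then re-hash the written image and append both hashes plus
    who/when to an append-only chain-of-custody manifest (one JSON per line)."""
    h_src = hashlib.sha256()
    size = 0
    started = datetime.now(timezone.utc).isoformat()
    # Evidence is opened read-only; the copy goes to separate media.
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h_src.update(chunk)
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    image_hash = sha256_file(image)  # independent re-read of what hit the disk
    record = {
        "case_id": case_id,            # assumed identifier scheme
        "examiner": examiner,
        "source": source,
        "image": image,
        "size_bytes": size,
        "sha256_source": h_src.hexdigest(),
        "sha256_image": image_hash,
        "acquired_at": started,
        "verified": image_hash == h_src.hexdigest(),
    }
    with open(manifest, "a") as m:
        m.write(json.dumps(record) + "\n")
    return record


def verify_image(image, manifest):
    """Re-hash an image and compare it with the manifest entry that recorded it."""
    with open(manifest) as m:
        records = [json.loads(line) for line in m if line.strip()]
    expected = [r["sha256_image"] for r in records if r["image"] == image]
    return bool(expected) and sha256_file(image) == expected[-1]


def demo():
    """Run the whole flow on a constructed 'disk' in a temp dir and return the checks."""
    with tempfile.TemporaryDirectory() as d:
        disk = os.path.join(d, "sda")           # stand-in for a device such as /dev/sda
        img = os.path.join(d, "sda.dd")
        manifest = os.path.join(d, "custody.jsonl")
        with open(disk, "wb") as f:             # constructed sample contents
            f.write(b"constructed sample disk contents\n" * 50000)
        rec = acquire_image(disk, img, manifest, case_id="IR-0001", examiner="analyst")
        clean = verify_image(img, manifest)
        with open(img, "ab") as f:              # simulate a later accidental write
            f.write(b"x")
        tampered = verify_image(img, manifest)
        return {"verified": rec["verified"], "size": rec["size_bytes"],
                "verify_clean": clean, "verify_tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of hashing twice is that the source hash is taken from the bytes read, while the image hash is taken from the bytes that actually landed on the destination media; if they disagree, the image is not evidence. Analysis (the phase the deck puts after Containment) then runs against the verified image, never against the original.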

What does the future look like?

Long Term:
- Security Incidents are handled by help desk analysts
- All necessary information is available when an event occurs
- All analysts have enough Information Security know-how to handle day-by-day events
- Impact is readily known
- System Forensics is automatically engaged

Short Term:
- Integrate Detection in Help Desk processes
- Start to integrate Information Security tasks into day-to-day processes
- Engage Information Security Analysts and/or Consultants to aid in Security Incidents
- Begin cross-training all analysts in handling security incidents

What is OneStone?

• Software as a Service Information Security capability for comprehensive threat protection

• OneStone is purpose-built by Seccuris to easily incorporate human analysis, review, and incident handling assistance

• Assisted and accelerated implementation, with a scalable, flexible architecture

• Provides customers a choice of Self-Managed or Managed security services

• Straightforward, easy-to-use dashboards provide visibility into security issues and vulnerabilities

• Security Operation Center (SOC) analysts available 24x7

Current Services

Threat Management

Vulnerability Management

Log Management

Device Management

Security Incident Handling

Forensics

Why OneStone?

• Allows your staff to concentrate on higher value activities

• Uses a combination of technology and security analysts to reduce the number of events staff needs to investigate

• Improved network visibility and threat protection 24x7

• Enabling risk management through a business relevant prioritized action plan

• We provide assistance on remediation or forensics from information security analysts (ISAs) who understand the current threat landscape

• Relevant reporting capabilities for various business roles

Q&A

Ivo Wiens, Manager, Security, [email protected]

Gus Burneau, Information Security Sales, [email protected]