sophisticated incident response requires sophisticated activity monitoring
TRANSCRIPT
© 2015 Imperva, Inc. All rights reserved.
Sophisticated Incident Response Requires Sophisticated Activity Monitoring
Mike Sanders, Principal SE and Team Lead, Imperva
Bryan Orme, Principal, GuidePoint Security
July 29, 2015
Speakers
Bryan Orme Principal, GuidePoint Security
Mike Sanders Principal SE and Team Lead, Imperva
“There are two kinds of companies in the world: those that know they’ve been hacked, and those that have been hacked and don’t yet know it.”
– Every Quotable Security Professional
Agenda
1. Need for an audit solution
2. Incident response point of view
3. Log collection is key
4. Compliance and log retention time
5. Think without a box
1. Need for an audit solution
Collecting the needles and the haystack
Audit tips: Top 10 Tips
1. Have a good plan
2. Know the data
3. Start with your results in mind
4. Use a global platform
5. Audit what matters
6. Don’t audit what doesn’t matter
7. Don’t forget YOUR data
8. Constantly think security
9. Make sure it all works
10. Look to the future
Making audit work for you and your IR team
• Central repository
• What to collect and what not to collect
• Test it all out
Central repository
• Global platform across multiple DB vendors
• Long-term data retention
• Varying degrees of verbosity
What to collect and what not to collect
• You need the needles and the haystack
– You don’t know what you don’t know prior to an incident
• Abnormal behavior is key
• Don’t leave out secondary data
– Employee data (PII)
– Intellectual property
Test it all out
• Test high availability / disaster recovery
• Validate access to archive data
• Run sample investigation reports
2. Incident response point of view
Trail of needles in field of haystacks
Incident response point of view
• Logs are crucial to the incident response investigation
• When the incident response team is called
– APT has infiltrated the network infrastructure for 6+ months
• Commonly an APT will gain access via a service provider or contractor
– Agreements with service providers, contractors, and such should include language to collect logs upon request
• Common log sources beneficial to incident response
– Web, proxies, IDS, IPS, database, firewall (outgoing)
• http://www.imperva.com/Products/DatabaseFirewall
Incident response point of view
• Incident response goal
– Investigation
– Story / background
– Systems impacted
– Containment: prevent further damage
– Remediation: correcting related vulnerabilities
– Data analysis: quantify data loss
– Litigation support
Diagram labels: Incident Story, Systems Impacted, Quantify Data Loss, Identify APT, Litigation Support
3. Collection is key
Focus initial resources on collection over correlation
Log collection and retention is key
• Focus budget on log collection and retention first
– Secondary feed correlation as next step (SIEM integration)
• Advantages of extensive log collection
– Increases probability of detecting APT early
– Increases probability of defining (detailing / identifying) specific data loss
– Increases probability of identifying the APT for restitution purposes
• Disadvantage
– Resource intensive / expensive
Log collection and retention is key
• Web applications
• Directory Services manipulation
• Lateral movement in infrastructure
• Database attacks
• Backdoors and malware
• Lack of logs hinders investigation, or prevents detection
– Collect as much as possible
Log collection and retention is key
• Start with collecting logs to a central location
– Global platform for all database vendors
– Track abnormal behavior
• As team and functionality grows
– Incorporate log correlation / SIEM
– Gain better insight into audit logs
4. Compliance and log retention time
3 months immediately available with 6 months capable, 9 months archived
Compliance and log retention time
• Most compliance frameworks are vague about log retention time
– NIST Cyber Security Framework
– NIST 800-92
– ISO 27001:2013 A.12.4
– HIPAA ...
• Incident response tends to align with PCI DSS
– Minimum 3 months immediately available
– Minimum 9 months archived
• Consider the capability of 6 months immediately available, but use only 3 months
– Provides a buffer to retain all logs during an investigation
– Increases probability of recovering deleted logs
5. Think without a box
Think without a box
• Instead of thinking outside the box, think without a box
• Don’t limit your logging data because you think it is not needed
– Dynamic nature of Information Security results in unknown attack vectors
– Non-security log sources are important too (System, PowerShell, and Application logs provide evidence of lateral movement)
• Minimum Retention
– 3 months immediately available logs with capacity of 6 months
– 9 months archived logs
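The retention tiers stated here and on the compliance slide, worked through as an added Python example (not code from the webinar, Imperva or GuidePoint): logs stay online for 3 months, an open investigation hold may use the 6-month online capacity as the buffer the slides describe, and everything else goes to the 9-month archive. The 30-day month, the LogBatch record shape and the constructed sample batches are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention tiers from the slides: 3 months immediately available,
# capacity for 6 months online, 9 months archived.
# A "month" is approximated as 30 days (assumption for this example).
MONTH = timedelta(days=30)
ONLINE_MONTHS = 3
ONLINE_CAPACITY_MONTHS = 6
ARCHIVE_MONTHS = 9


@dataclass(frozen=True)
class LogBatch:
    """One day of logs from one source (hypothetical record shape)."""
    source: str            # e.g. "db-audit", "proxy", "powershell"
    written: date          # day the batch was produced
    on_hold: bool = False  # True while an open investigation references it


def tier_for(batch: LogBatch, today: date) -> str:
    """Classify a batch as 'online', 'archive' or 'expired'.

    Everyone gets 3 months online. A batch under investigation hold may
    stay online up to the 6-month capacity and is never expired while the
    hold is open, so an investigation does not lose its evidence.
    """
    age = today - batch.written
    if age < ONLINE_MONTHS * MONTH:
        return "online"
    if batch.on_hold and age < ONLINE_CAPACITY_MONTHS * MONTH:
        return "online"
    if batch.on_hold or age < ARCHIVE_MONTHS * MONTH:
        return "archive"
    return "expired"


def plan_retention(batches, today):
    """Group batch labels by the tier they belong in on a given day."""
    plan = {"online": [], "archive": [], "expired": []}
    for b in batches:
        plan[tier_for(b, today)].append(f"{b.source}@{b.written.isoformat()}")
    return plan


# Constructed sample batches, judged as of the webinar date.
AS_OF = date(2015, 7, 29)
SAMPLE = [
    LogBatch("db-audit", date(2015, 7, 1)),                    # 28 days old
    LogBatch("proxy", date(2015, 3, 15)),                      # 136 days, no hold
    LogBatch("powershell", date(2015, 3, 15), on_hold=True),   # 136 days, held
    LogBatch("web", date(2014, 9, 1)),                         # 331 days, no hold
    LogBatch("web-held", date(2014, 9, 1), on_hold=True),      # 331 days, held
]
```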
Imperva
+1(866) 926-4678 – Americas
+44 01189 497 130 – EMEA
[email protected]
GuidePoint Security
+1(877) 889-0132
[email protected]