Today's Breach Reality, the IR Imperative, and What You Can Do About It

DESCRIPTION
Despite changing threats and the near certainty of compromise, most IT security programs are much the same as they were a decade ago. How have attacker motivations and tactics changed, and why? What does this mean for IT security departments, and how must they adapt? This webinar will detail the security challenges organizations face today, the implications of changes in attacker tactics and motivations, and what firms can do to better align their security program with today's reality. Our featured speakers for this webinar will be:
- Ted Julian, Chief Marketing Officer, Co3 Systems
- Colby Clark, Director of Incident Management, FishNet Security

TRANSCRIPT
“Co3 makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
– PC Magazine, Editor’s Choice
“Co3…defines what software packages for privacy look like.”
– Gartner
“Platform is comprehensive, user friendly, and very well designed.”
– Ponemon Institute
“One of the most important startups in security…”
– Business Insider
“One of the hottest products at RSA…”
– Network World
“...an invaluable weapon when responding to security incidents.”
– Government Computer News
“Co3 has done better than a home-run... it has knocked one out of the park.”
– SC Magazine
“Most Innovative Security Startup.”
– RSA Conference
We’ll get started in just a minute.

Today's Breach Reality, The IR Imperative, And What You Can Do About It
Agenda
Introductions
Problems We Face
The Targets
The Victims
The Motivations
Breach and Response Metrics
Key Concepts for Combating Modern Threats
The Incident Response Lifecycle
Introductions: Today’s Speakers
• Ted Julian, Chief Marketing Officer, Co3 Systems
• Colby Clark, Director of Incident Management, FishNet Security
About Co3
Prepare: Improve Organizational Readiness
• Appoint team members
• Fine tune response SOPs
• Link in legacy applications
• Run simulations (fire drills, table tops)
Mitigate: Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
Assess: Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Track incidents, maintain logbook
• Automatically prioritize activities based on criticality
• Log evidence
• Generate assessment
Manage: Contain, Eradicate and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
About FishNet
• 700+ employees dedicated to helping enterprise customers secure every aspect of their IT environment.
• 96% Customer Satisfaction / Best-in-Class NPS Benchmark
VITAL STATS
• Established 1996
• 29 Offices
• 9 Training Centers
• 700+ Certifications
2013 HIGHLIGHTS
• $600M Revenue
• 3,200 Customers
• 1,500 Service Engagements
About FishNet
• Our experts take the time to understand your business, so they can develop, implement and support solutions tailored to your environment.
SECURITY SOLUTIONS: COMBINED CAPABILITIES DRIVE VALUE
PROFESSIONAL SERVICES
• 31 Strategic Services (StS) Advisors
• 300+ Consultants
• 2 Security Operations Centers
• Frontline Support
• Network & Security Training
• 250+ Certifications
• Information Security Program Model (ISPM)
TECHNOLOGY PRODUCTS
• 55 Sales Engineers (SE) & Enterprise Architects (EA)
• 100+ Vendor Partnerships
• Direct Access to Vendor R&D Teams & Advisory Panels
• Cloud-Based Testing Lab
• 450+ Certifications
• ADVISER Solutions Lifecycle
Problems We Face
• Waves of malware attacks per industry, with malware optimized for each wave and software type
• Thousands of machines quickly infected in large environments
• Large numbers of ingress/egress points and unmanaged devices
• Polymorphism of malware per machine instead of per organization, circumventing most host- and network-based detection methods
• Multi-vector malware in layers, creating distraction and chaos while allowing unauthorized access, performing massive data exfiltration, and leading to extortion and data loss:
– W32.Changeup → Zeus → Cryptolocker → data loss
– Compromise of computer + phone for financial attacks
• Ransomware encrypting drives and shares
• Long-term presence within organizations
• Reconnaissance for worse activity later
Problems We Face
• Compromise of corporate environments to gain access to cardholder data environments (CDEs)
• Sophisticated malware and botnets now in point-of-sale environments
– Memory resident
– Utilizes jump boxes
– Moves around
• Delayed detection of cardholder data compromise
– Obfuscation of collection
– Waiting until cards are about to expire before use
• Security devices not properly configured, tuned, and/or monitored
• Circumventing network detection through SSL and DGA (domain generation algorithms)
• Too much reliance on antiquated security solutions
• Attack vectors often not notable (low-hanging fruit)
• Incident response programs and training not adequate
Problems We Face
Bottom line: security threats have evolved…
Problems We Face
– Nobody is immune to compliance. But it’s more than just checking a box.
• Everyone needs to be compliant with a policy, regulation or legal requirement: PCI Compliance, HIPAA, GLBA, FTC, NERC, FERC…
• Are you secure or just compliant?
• You can be completely compliant and totally insecure.
• Promote compliance through security. It does not come in a can or clipboard.
Problems We Face
– The uncomfortable truth: everyone is 0wn3d.
– How exposed are you to cyber criminals?
• You have been breached whether you know it or not.
• Malware patiently waits in nearly every environment, allowing clandestine command and control, data harvesting, and arbitrary code execution.
• Hackers are like water in a bucket. If there is a hole, they will find it.
• Focus on solving the security problem holistically.
Who are the Targets and Why?
• Everyone is a target
– Government
– Large Corporations
– Small Companies
– Private Individuals
• Every target is of interest
– Defacement for bragging rights
– PII, IP, and identity theft
– Credential stealing
– Confidential data leakage
– Customer information
– Supply chain attacks
– Adding to their botnet
– Use your network and devices as jump points
Victims
Recent Top News Clips – What Happened?
All were sued (Content Based on Public Knowledge):
• Zappos – Class action suit
• LinkedIn – $5M class action suit
• South Carolina - $12M settlement
• Global Payments – Class action suit
• Nationwide – Class action suit
• Wyndham – FTC Consent Order (really bad)
• Yahoo – Class action suit
• Target – Class action suit; DOJ
• Horizon Blue Cross – Class action suit
• Adobe – Class action suit
• Most recent large breaches – DOJ
Motivations
• Ransomware becoming increasingly common
• Now in corporate environments and affecting hard drives and shares
• Highly lucrative; attacks win either way
• Disaster recovery strategy is back-up or pay-up
Breach and Response Metrics & Facts
Financial Metrics (from Ponemon 2013 Cost of Data Breach Study):
• Average total cost of a breach: $5.4 Million
• Average per-record cost for data breach: $192 (actual costs vary per organization type)
• Average per-record cost reductions:
– Having a strong security posture: $34
– Having an incident response plan in place: $42
– Appointing a CISO: $23
– Hiring consultants to respond to a breach: $13
Important Facts:
• Attackers infiltrate and maintain persistence for about 1 year on average before detection
• Antivirus is around 3-5% effective at detecting new threats
• Fran Rosch, Senior Vice President of Mobility at Symantec, testified before Congress that signature-based detection methodology is ineffective
• Pentagon claimed that Chinese 2011 military spending equaled $180 billion, with sustained investment in cyberwarfare
• Hacking has resulted in the largest transfer of wealth in human history
– As of July 2013, Chinese hackers have cost the US about $2 Trillion
– How about others? Russia? Middle East?
What Does a Trillion Dollars Look Like?
Key Concepts for Combatting Modern Threats
Endpoint Technology
• Corporate environments
– Behavioral analysis and retrospection
– Continuous monitoring
– Least prevalence detection
– Not limited to the security perimeter
– Application restrictions to known good behavior
– Scanning for IOCs
– Enterprise forensics
• Cardholder data environments
– Application whitelisting
– Application restrictions to known good behavior
– Change detection
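The "least prevalence detection" and "scanning for IOCs" items above are easy to name and less obvious to implement. The following is an added example, not code from the webinar or from Co3 or FishNet: it takes a fleet inventory of (host, path, sha256) rows such as an EDR or enterprise forensics tool exports, ranks binaries by how many hosts carry them, flags a path whose hash differs from what the rest of the fleet has at that path (the per-machine polymorphism the earlier slide describes), and matches hashes against an IOC feed. The inventory rows, the hash values and the IOC set are constructed for the example; the function names are assumptions.

```python
"""Least-prevalence detection and IOC hash scanning over an endpoint inventory.

Added example (not from the webinar, Co3 or FishNet). Assumes an export of
(host, path, sha256) rows; the rows below are constructed and the hash
values are placeholders, not real indicators.
"""
from collections import defaultdict

# Constructed inventory: one row per (host, executable path, sha256).
INVENTORY = [
    ("ws-001", r"C:\Windows\System32\svchost.exe", "aaaa" * 16),
    ("ws-002", r"C:\Windows\System32\svchost.exe", "aaaa" * 16),
    ("ws-003", r"C:\Windows\System32\svchost.exe", "aaaa" * 16),
    ("pos-01", r"C:\Windows\System32\svchost.exe", "aaaa" * 16),
    ("ws-001", r"C:\Program Files\Corp\agent.exe", "bbbb" * 16),
    ("ws-002", r"C:\Program Files\Corp\agent.exe", "bbbb" * 16),
    ("ws-003", r"C:\Program Files\Corp\agent.exe", "bbbb" * 16),
    # Same path, different hash on one host: what per-machine polymorphism looks like
    ("pos-01", r"C:\Program Files\Corp\agent.exe", "cccc" * 16),
    # A binary seen on a single host, in a user-writable directory
    ("ws-002", r"C:\Users\alice\AppData\Local\Temp\update.exe", "dddd" * 16),
]

# Constructed IOC feed: hashes received from a threat-intelligence source.
IOC_HASHES = {"dddd" * 16}


def prevalence_by_hash(records):
    """Map each sha256 to the set of hosts on which it was observed."""
    hosts = defaultdict(set)
    for host, _path, sha256 in records:
        hosts[sha256].add(host)
    return hosts


def least_prevalent(records, max_hosts=1):
    """Return (sha256, hosts, paths) for binaries seen on at most max_hosts hosts.

    Rarity is not proof of compromise, but a binary that exists on one or two
    machines out of the whole fleet is exactly what malware compiled per
    victim looks like, so it is reviewed first.
    """
    hosts_by_hash = prevalence_by_hash(records)
    paths_by_hash = defaultdict(set)
    for _host, path, sha256 in records:
        paths_by_hash[sha256].add(path)
    hits = []
    for sha256, hosts in hosts_by_hash.items():
        if len(hosts) <= max_hosts:
            hits.append((sha256, sorted(hosts), sorted(paths_by_hash[sha256])))
    # Rarest first; hash order breaks ties so output is deterministic
    return sorted(hits, key=lambda h: (len(h[1]), h[0]))


def path_hash_outliers(records):
    """Flag (path, sha256, hosts) where a host's hash at a path differs from the fleet majority."""
    hashes_by_path = defaultdict(lambda: defaultdict(set))
    for host, path, sha256 in records:
        hashes_by_path[path][sha256].add(host)
    outliers = []
    for path, by_hash in hashes_by_path.items():
        if len(by_hash) < 2:
            continue  # everyone agrees on this path
        majority = max(by_hash, key=lambda h: len(by_hash[h]))
        for sha256, hosts in by_hash.items():
            if sha256 != majority:
                outliers.append((path, sha256, sorted(hosts)))
    return sorted(outliers)


def scan_iocs(records, ioc_hashes):
    """Return inventory rows whose hash appears in the IOC set."""
    return [row for row in records if row[2] in ioc_hashes]


if __name__ == "__main__":
    for sha256, hosts, paths in least_prevalent(INVENTORY):
        print("rare:", sha256[:12], hosts, paths)
    for path, sha256, hosts in path_hash_outliers(INVENTORY):
        print("outlier:", path, sha256[:12], hosts)
    for host, path, sha256 in scan_iocs(INVENTORY, IOC_HASHES):
        print("ioc hit:", host, path, sha256[:12])
```

Prevalence is computed per host, not per row, so a binary that one machine holds in ten directories still counts as prevalence one. The outlier check is what catches the point-of-sale case on the earlier slide: the agent binary on pos-01 is neither rare by hash count alone nor on the IOC list, but it is the only copy at that path that disagrees with the fleet.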
Key Concepts for Combatting Modern Threats
Network Monitoring & Restrictions
• Network traffic retrospection
• SSL decryption
• Network malware analysis
• Detection of DGA (domain generation algorithm) traffic
• Detection of tunneling
• Network traffic IOCs and anomalies
• Two-factor authentication for remote access
• Restrict egress from the cardholder data environment to processing only
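The DGA item above is the network-side counterpart of the endpoint checks: malware that generates its command-and-control domain names algorithmically produces a burst of random-looking lookups, most of which fail. The following is an added example, not from the webinar or from Co3 or FishNet, that runs a simple heuristic over constructed resolver log lines: each queried name is scored on character entropy, vowel scarcity and digit presence, and a client is flagged when several such names come back NXDOMAIN. The log format, the thresholds and the names LOG_LINES, parse_line, dga_score and flag_clients are assumptions for this example; real resolver logs differ, so parse_line is the part to adapt.

```python
"""Heuristic DGA detection over DNS resolver log lines.

Added example (not from the webinar, Co3 or FishNet). The log lines and
format are constructed; thresholds are illustrative starting points.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log: one query per line (not real traffic).
LOG_LINES = """\
2014-06-10T12:00:01Z client=10.0.0.5 query=www.example.com rcode=NOERROR
2014-06-10T12:00:02Z client=10.0.0.5 query=mail.example.com rcode=NOERROR
2014-06-10T12:00:03Z client=10.0.0.9 query=xk3jd8qpl2vz9w.com rcode=NXDOMAIN
2014-06-10T12:00:03Z client=10.0.0.9 query=q8zvt4mnb7rxyk.net rcode=NXDOMAIN
2014-06-10T12:00:04Z client=10.0.0.9 query=pl0ws7hgjr2dkx.org rcode=NXDOMAIN
2014-06-10T12:00:04Z client=10.0.0.9 query=zr4qbn9vkt6yxm.com rcode=NXDOMAIN
2014-06-10T12:00:05Z client=10.0.0.9 query=b6xwpqrk2dljtz.info rcode=NOERROR
2014-06-10T12:00:06Z client=10.0.0.7 query=cdn.microsoft.com rcode=NOERROR
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) rcode=(?P<rcode>\S+)$"
)
VOWELS = set("aeiou")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def registered_label(fqdn):
    """Second-level label: 'xk3jd8qpl2vz9w' for 'xk3jd8qpl2vz9w.com'.

    Simplification: assumes a one-label public suffix. Names under suffixes
    such as co.uk need a public-suffix list to split correctly.
    """
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dga_score(label):
    """Score 0..3: high entropy, few vowels among letters, any digits."""
    score = 0
    if shannon_entropy(label) >= 3.5:
        score += 1
    letters = [c for c in label if c.isalpha()]
    if letters and sum(c in VOWELS for c in letters) / len(letters) < 0.25:
        score += 1
    if any(c.isdigit() for c in label):
        score += 1
    return score


def is_dga_candidate(fqdn, min_score=2):
    """True when the registered label of fqdn scores at least min_score."""
    return dga_score(registered_label(fqdn)) >= min_score


def flag_clients(lines, nx_threshold=3):
    """Map client -> sorted DGA-looking names, for clients with >= nx_threshold NXDOMAINs.

    Requiring a burst of failed lookups, rather than a single odd name, is what
    keeps CDN and cloud hostnames (which also look random) out of the alert.
    """
    nx_by_client = Counter()
    names_by_client = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_dga_candidate(rec["query"]):
            continue
        names_by_client[rec["client"]].add(rec["query"])
        if rec["rcode"] == "NXDOMAIN":
            nx_by_client[rec["client"]] += 1
    return {c: sorted(names_by_client[c]) for c, n in nx_by_client.items() if n >= nx_threshold}


if __name__ == "__main__":
    for client, names in flag_clients(LOG_LINES).items():
        print(f"{client}: {len(names)} DGA-looking names, e.g. {names[0]}")
```

The single NOERROR name from the flagged client is reported alongside the failures; once a generated domain resolves, that is the one the malware will talk to, so it is the first candidate for the "network traffic IOCs" item above and for the egress restriction on the same slide.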
Key Concepts for Combatting Modern Threats
• Data Security – Cloud, Endpoint, Repository…
– DLP + DRM
• Lock down documents so it does not matter if they are stolen
• Utilize the cloud without concern
• Reduced fear of IP theft
• Program Development
– Incident response gap analysis
– Policy and procedure development
– Incident handling playbook development
• Training & Testing
– Provide hands-on training for all technology, playbook scenarios, and threats
– Provide tabletop testing for realistic scenarios involving stakeholders
– Practice communications and methodology
• Incident Response Retainer
– Subject matter experts on call
– Augment internal capabilities
– Contracts agreed upon ahead of time
– Rapid response: 24-hour service level agreement
The Incident Response Lifecycle
Four phases: Prepare (improve organizational readiness), Assess (identify and evaluate incidents), Manage (contain, eradicate and recover), and Mitigate (document results and improve performance); the activities for each phase are listed under About Co3 above.
Prepare
• Incident response teams often include:
– IT, Legal (internal and/or external), Compliance, Audit, Privacy, Marketing, HR, Senior Executive
– Pre-define roles and responsibilities
• RACI (Responsible, Accountable, Consulted, Informed)
• SOPs can include:
– Processes to be followed by incident type
– Standardized interpretation of legal / regulatory requirements
– 3rd party contractual requirements
• Simulations
– Can range from drills to full-scale exercises
– Communication is key
• Roles, contact info, internal and external
– Gauge organization preparedness, catalyze improvement
Assess
• Prioritize efforts
– Based on value of asset, potential for customer impact, risk of fines, and other risks
• Leverage threat intelligence
• Incident declaration matrix
– Based on category and severity level
– Can set SLAs for each
Manage
• Iterate on your plan
• Communicate status
– Different mechanisms for different constituents
• Ensure everything is tracked
Mitigate
• Conduct a post-mortem
– Validate investment or lobby for more
– Identify areas for improvement
• Did we hit our SLAs?
– Update playbooks
• Track incident source
– Pinpoint risk to drive improvement, and/or trigger bill-back
• Update preventative and detective controls
Next Up
• BlackHat 2014
– August 5-7, Las Vegas

One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“One of the hottest products at RSA…”
– Network World, February 2013

Colby Clark
Director of Incident Management
FishNet Security
208.553.3266