When a Data Breach Happens, What's Your Plan?

Slide 1 of 11 ENTERPRISE SECURITY ENTERPRISE SHAREPOINT Slide 1 When a Data Breach Happens, What’s Your Plan ? Edge Pereira ES2 Solutions Architect [email protected] Twitter: @superedge Stuart Mills ES2 Director [email protected] 2015

Upload: edge-pereira

Post on 17-Feb-2017


TRANSCRIPT

Page 1: When a Data Breach Happens, What's Your Plan?

When a Data Breach Happens, What’s Your Plan?

Edge Pereira, ES2 Solutions Architect, [email protected], Twitter: @superedge

Stuart Mills, ES2 Director, [email protected]

2015

Page 2: When a Data Breach Happens, What's Your Plan?

Our Plan for Today

• Making Sense of Threats
• Cloud Breaching Incident Plan
• What to do After the Incident?
• Recommendations
• Q & A

Page 3: When a Data Breach Happens, What's Your Plan?


Making Sense of Threats

Outsider

End User

Insider

Prevent Breach

Customer Controls

• Secure Design
• Secure Code
• Protections against attacks

Assume Breach

• Contain Attackers
• Detect Attackers
• Remediate Attacks

• Built controls
• DLP, Encryption, etc.
• Auditing

Page 4: When a Data Breach Happens, What's Your Plan?


Internet cafes in vacation spots

Every time you connect to the internet

Wonderful Internet Services

Ideological Movements

Organized Crime

Nation States

Page 5: When a Data Breach Happens, What's Your Plan?


Hacking in the Good Old Days

Page 6: When a Data Breach Happens, What's Your Plan?

Data Breaches

[Chart: timeline, 2005 to 2015]

Source: Liam Cleary, BRK2142, Microsoft Ignite

Page 7: When a Data Breach Happens, What's Your Plan?


Numerous, Active, and Evolving Threats…

Page 8: When a Data Breach Happens, What's Your Plan?


…Very Active Threats

Social media giants Facebook, LinkedIn, among others, get hacked… repeatedly.

Page 9: When a Data Breach Happens, What's Your Plan?

“The personal details of world leaders – including David Cameron, Barack Obama and Vladimir Putin – have been accidentally revealed in an embarrassing privacy breach.”

It has been discovered that an employee at the Australian immigration department mistakenly sent personal information of all world leaders attending the G20 Summit to organisers of the Asian Cup football tournament.

And the heads of government were kept in the dark about the employee’s blunder.

The passport numbers and visa details of United States president, Barack Obama, the Russian president, Vladimir Putin, the German chancellor, Angela Merkel, the Chinese president, Xi Jinping, the Indian prime minister, Narendra Modi, the Japanese prime minister, Shinzo Abe, the Indonesian president, Joko Widodo, and the British prime minister, David Cameron, were all exposed.

Source: http://www.independent.co.uk/news/world/personal-details-of-obama-putin-cameron-and-merkel-sent-to-wrong-email-address-by-g20-summit-organiser-10142539.html

Leaks and Training

Page 10: When a Data Breach Happens, What's Your Plan?


Source: http://www.canberratimes.com.au/national/public-service/federal-privacy-authorities-called-in-over-centrelink-breach-20140818-105hjw

Leaks and Training

Page 11: When a Data Breach Happens, What's Your Plan?

The Evolution of Attacks

[Chart axes: Targeting, Sophistication, Volume and impact]

• 2003–2004: Script kiddies. BLASTER, SLAMMER. Motive: mischief

Page 12: When a Data Breach Happens, What's Your Plan?

The Evolution of Attacks

[Chart axes: Targeting, Sophistication]

• 2003–2004: Script kiddies. BLASTER, SLAMMER. Motive: mischief
• 2005–PRESENT: Organized crime. RANSOMWARE, CLICK-FRAUD, IDENTITY THEFT. Motive: profit

Page 13: When a Data Breach Happens, What's Your Plan?

The Evolution of Attacks

[Chart axes: Targeting, Sophistication]

• 2003–2004: Script kiddies. BLASTER, SLAMMER. Motive: mischief
• 2005–PRESENT: Organized crime. RANSOMWARE, CLICK-FRAUD, IDENTITY THEFT. Motive: profit
• 2012–BEYOND: Nation states, activists, terror groups. BRAZEN, COMPLEX, PERSISTENT. Motives: IP theft, damage, disruption

Page 14: When a Data Breach Happens, What's Your Plan?

Defining Risk

Vulnerability, Threat, Consequence, Risk

The U.S. Department of Homeland Security (DHS) defines risk as a vulnerability coupled with a threat that creates a consequence.

Page 15: When a Data Breach Happens, What's Your Plan?

Writing a Cloud Breach Incident Plan

• What is the problem you are solving?
• No executive sponsor? No worries
• Advisory committee
• Know your audience

Page 16: When a Data Breach Happens, What's Your Plan?

Sample Plan

• Foreword
• Objective
• Scope
• Assumptions
• Ownership
• Execution command topologies
• Plan structure

Page 17: When a Data Breach Happens, What's Your Plan?

Plan Structure

• Preparation
• Detection & analysis
• Declaration & mobilization
• Technical actions
• Supporting actions
• Incident containment
• Post incident
• Plan Maintenance

Page 18: When a Data Breach Happens, What's Your Plan?

Incident Preparation

• Crystal ball exercise
• What kind of information could you share with 3rd party or law enforcement?
• If you lose PCI or PII data, how would you notify them? Who in the community can help you?
• For credit monitoring, what would be the services, costs involved, and to whom?
• Compile these into one or more documents. Label it crisis response.

Page 19: When a Data Breach Happens, What's Your Plan?

Incident Detection and Analysis

• Sources of information
• Define what is an “incident”, “alert”, “suspicious events”
• Define severities
• Peer-review with IT, InfoSec and Legal

Page 20: When a Data Breach Happens, What's Your Plan?

Incident Response

• “Who does what when”
• Tiger team and decision making structure
• Battle rhythm. Everyone needs to know what to do and not wait.
• Time to make decisions not longer than executing
• Declaration of end of incident

Page 21: When a Data Breach Happens, What's Your Plan?

Incident Response - Tiger Team

Team Leader
• Oversees all team work
• Keeps team focused on damage containment

Lead Investigator
• Collects and analyzes evidence
• Root cause
• Manages the business continuity plan

Comms Lead
• Messaging for all audiences
• Inside and outside the company

Documentation and Timeline Leader
• Investigations
• Discovery and recovery
• Documents timeline events

HR/Legal Leader
• Criminal charges developments

Page 22: When a Data Breach Happens, What's Your Plan?

Plan Post-Incident

• Lessons learned
• Recommendation #1: test the plan once a year

Page 23: When a Data Breach Happens, What's Your Plan?

Recommendations

• Expand the use of Encryption
• Workforce training and awareness programs
• Strengthening of perimeter controls
• Implement identity and access management solutions (privileged access first)
• Strong endpoint security solutions
• Implement data loss prevention solutions
• Get a security certification or independent audit

How to Mitigate the Risk and Consequences of a Data Breach

Page 24: When a Data Breach Happens, What's Your Plan?


Q & A

Page 25: When a Data Breach Happens, What's Your Plan?

Recap

• Making Sense of Threats
• Cloud Breaching Incident Plan
• What to do After the Incident?
• Recommendations
• Q & A

Page 26: When a Data Breach Happens, What's Your Plan?

Learn More

• Office 365 Trust Portal
• ES2 website www.es2.com.au
• Computer Incident Response, NK McCarthy
• BRK2159 Office 365 today and beyond, TechEd NA
• www.superedge.net

Useful Material and Links

Page 27: When a Data Breach Happens, What's Your Plan?


Hour of Code - https://code.org/learn

Page 28: When a Data Breach Happens, What's Your Plan?


Thank You

Page 29: When a Data Breach Happens, What's Your Plan?

Perth Head Office: “The Factory”, 69 King Street, Perth, WA 6000

Perth Business Centre: Level 27, 44 St Georges Terrace, Perth, WA 6000

Brisbane Business Centre: Level 18, 123 Eagle Street, Brisbane, QLD, 4000

Sydney Business Centre: Level 12, 95 Pitt Street, Sydney NSW, 2000

Paris Business Centre: 4 rue Neuve de la Chardonnière, 75018, Paris, FRANCE

www.es2.com.au

Page 30: When a Data Breach Happens, What's Your Plan?


Additional Slides

Page 31: When a Data Breach Happens, What's Your Plan?

Common Myths About the Cloud

Myths

• On-premises is more secure
• Data is used for mining (i.e., advertising)
• It’s not compliant with industry regulations
• Control of data in the cloud is lost

Office 365

• Built to provide a level of security that exceeds most customers on infrastructure and scale
• The first to comply with ISO/IEC 27018. Prohibits use of PII for ads and marketing
• Compliant with HIPAA, FISMA, MPAA, etc. (industries and governments)
• Designed for complete customer data control.
• You own the data, MS manages it for you.

Page 32: When a Data Breach Happens, What's Your Plan?

Government Access to Cloud Data

Microsoft will not…

• Provide any government with direct or unfettered access to customer data
• Assist any government’s efforts to break cloud encryption
• Provide any government with encryption keys
• Engineer back doors into the cloud products (MS will take steps to ensure governments can independently verify this)
• If governments are engaging in broader surveillance of communications, MS is not involved and it is taking steps to enhance the security of customers’ data

Microsoft will…

http://www.microsoft.com/about/corporatecitizenship/en-us/transparencyhub/

• Disclose enterprise customer data only by a valid legal order and only for the data required

• Publish a law enforcement request report every six months

[Chart: Australia. Legend: Disclosed content; Only subscriber/transactional data; No data found; Rejected. Values shown: 20.8%, 7.84%, 71.36%]

Page 33: When a Data Breach Happens, What's Your Plan?

Security Innovation

• Continuous investigation
• Advanced tactics
• “Penetration games”
• World-class security experts

Page 34: When a Data Breach Happens, What's Your Plan?

Encryption at Rest and In-Transit

• Data Loss Prevention
• Search
• Insights
• Content analysis

Page 35: When a Data Breach Happens, What's Your Plan?

Controls Implemented After a Data Breach

[Chart: series for 2013, 2014 and 2015; vertical axis 0 to 60. Categories: Use of encryption; Additional manual procedures and controls; Training and awareness programs; Strengthening perimeter controls; Identity and access management solutions; Other system control practices; Endpoint security solutions; Security intelligence solutions; Data loss prevention solutions; Security certification or audit]
