you've been breached: how to mitigate the incident
TRANSCRIPT
You’ve Been Breached: How to Mitigate the Incident
WEBINAR
We’ll Get Started Shortly
Slide 3
Agenda
I. Introductions
II. Who Are We
III. The Incident Response Lifecycle
IV. Objectives of Mitigation
V. Effective Paths to Mitigation
VI. Reactive Mitigation Strategies
VII. Proactive Mitigation Strategies
VIII. Close
Slide 4
Introductions
• Ted Julian, Chief Marketing Officer, Co3 Systems
• Stephen Brennan, Global Technical Consulting Lead, CSC
Slide 5
About Co3 – Incident Response Management
PREPARE – Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (fire drills / tabletops)
ASSESS – Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries
MANAGE – Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence
MITIGATE – Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
Slide 6
• 5+ Integrated Global Security Operations Centers
• 15+ Global Alliance Partners Providing Security Expertise
• 35+ Years Providing Cybersecurity Services
• 2000+ Global Cybersecurity Professionals
Who is CSC?
TRUSTED · INTEGRATED · EFFICIENT
Slide 7
Recognized Industry Leader:
• Commitment to Growth
• Recent Acquisitions
• Alliance Partnerships
• IDC named CSC a “Leader” in the inaugural IDC MarketScape: Worldwide Managed Security Services 2014 Vendor Assessment.
• The IDC analysis and buyer perception study results placed CSC as the leading provider in the “strategies” axis, and as one of the firms with the greatest capability in delivering global managed security services (MSS).
Who is CSC?
Slide 8
The Incident Response Lifecycle
POLL QUESTION #1: Does your org have a formal process for mitigating incidents?
Slide 10
Objectives of Mitigation
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
Slide 11
Effective Paths to Mitigation
Source: NIST Preliminary Cybersecurity Framework
POLL QUESTION #2: Has your org defined a path of mitigation for handling each of the three types of events/incidents?
Slide 13
Reactive Mitigation Strategies
• Repair systems
• Eliminate attack vectors
• Mitigate exploitable vulnerabilities
• Validate the repair process
• Test systems to ensure compliance with policy and risk mitigation
• Perform additional repairs to resolve all current vulnerabilities
Slide 14
Proactive Mitigation Strategies
• Determine the attack vector and scope of the incident
• Know the enemy: identify their tools and tactics
• Collaboratively design a containment strategy and document it
• Create a task list based on the containment plan
• Delegate and monitor tasks until containment is achieved
• Restrict administrative privileges
• Enforce application whitelisting
• Patch and deploy current applications and operating systems
• Strengthen workstation defences
• Enforce strong user authentication
• Protect your email service
• Defend the web gateway and harden web applications
• Monitor your system infrastructure
• Monitor your network
• Educate users about social engineering
POLL QUESTION #3: Is your firm practicing both reactive and proactive means of mitigating incidents?
Slide 16
Mitigation Example – Pass The Hash
• High privilege domain accounts are used to log on to workstations and servers.
• Applications or services run with high privilege accounts.
• Scheduled tasks run with high privilege accounts.
• Ordinary user accounts (local or domain) are granted membership in the local Administrators group on their workstations.
• Highly privileged user accounts can be used to directly browse the Internet from workstations, domain controllers, or servers.
• The same password is configured for the built-in local Administrator account on most or all workstations and servers.
Source: Microsoft Trustworthy Computing
Slide 17
Mitigation Example – Pass The Hash (cont.)
• Restrict and protect high privileged domain accounts
• Restrict and protect local accounts with administrative privileges
• Remove standard users from the local Administrators group.
• Configure outbound proxies to deny Internet access to privileged accounts.
• Ensure administrative accounts do not have email accounts or mailboxes associated with them.
Source: Microsoft Trustworthy Computing
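The two Pass-the-Hash slides list the conditions that make a credential-theft attack pay off and the controls that remove them. As an added example (not part of the webinar deck and not code from Microsoft's Trustworthy Computing guidance), the PowerShell below audits a single Windows host, read-only, for four of those conditions: non-approved members of the local Administrators group, services running under named accounts, enabled scheduled tasks running under named accounts, and an enabled built-in local Administrator account. The $ApprovedAdmins and $BuiltinPrincipals lists are assumptions to adjust for your environment; the cmdlets used (Get-LocalGroupMember, Get-LocalUser, Get-CimInstance, Get-ScheduledTask) ship with Windows PowerShell 5.1 on Windows 10 / Server 2016 and later.

```powershell
# Added example, not from the webinar deck: read-only audit of one Windows host for
# Pass-the-Hash enabling conditions. Run in an elevated Windows PowerShell 5.1+ session.
# $ApprovedAdmins and $BuiltinPrincipals are assumptions; adjust them to your environment.

# Identities that are allowed to sit in the local Administrators group. Everything else is flagged.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin; its password must be unique per host (e.g. LAPS)
    "$env:USERDOMAIN\Domain Admins"      # assumption: the group your organization uses for domain administration
)

# Built-in and group principals that carry no reusable user credential and so are not PtH targets.
# Starting list (assumption); extend it if your tasks/services use other built-in identities.
$BuiltinPrincipals = @(
    'LocalSystem', 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE',
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
    'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE',
    'S-1-5-18', 'S-1-5-19', 'S-1-5-20',
    'Users', 'Administrators', 'Authenticated Users', 'INTERACTIVE', 'Everyone',
    'BUILTIN\Users', 'BUILTIN\Administrators'
)

function Test-IsNamedUserAccount {
    # True when $Account is a real local or domain user account rather than a built-in identity,
    # a virtual service account (NT SERVICE\...) or a managed service account (name ends in $).
    param([string]$Account)
    if ([string]::IsNullOrWhiteSpace($Account)) { return $false }
    if ($BuiltinPrincipals -contains $Account)   { return $false }
    if ($Account -like 'NT SERVICE\*')           { return $false }
    if ($Account.Trim() -like '*$')              { return $false }
    return $true
}

function Get-PassTheHashExposure {
    $findings = @()

    # Condition: ordinary user accounts granted membership in the local Administrators group.
    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        if ($ApprovedAdmins -notcontains $member.Name) {
            $findings += [pscustomobject]@{ Check = 'LocalAdminMember'; Subject = $member.Name; RunsAs = $member.ObjectClass }
        }
    }

    # Condition: applications or services run with high-privilege accounts.
    # Win32_Service.StartName is the logon account the service runs under.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (Test-IsNamedUserAccount $svc.StartName) {
            $findings += [pscustomobject]@{ Check = 'ServiceRunAs'; Subject = $svc.Name; RunsAs = $svc.StartName }
        }
    }

    # Condition: scheduled tasks run with high-privilege accounts.
    # Principal.UserId is empty for group principals (Principal.GroupId is set instead), which Test-IsNamedUserAccount ignores.
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        $runAs = $task.Principal.UserId
        if (Test-IsNamedUserAccount $runAs) {
            $findings += [pscustomobject]@{ Check = 'ScheduledTaskRunAs'; Subject = "$($task.TaskPath)$($task.TaskName)"; RunsAs = $runAs }
        }
    }

    # Condition: the built-in local Administrator (RID 500) shares one password across hosts.
    # The password cannot be read here, so report only whether the account is enabled; a disabled
    # account is not a lateral-movement target even if its hash is the same on every host.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($builtin -and $builtin.Enabled) {
        $findings += [pscustomobject]@{ Check = 'BuiltinAdminEnabled'; Subject = $builtin.Name; RunsAs = 'verify per-host unique password (LAPS)' }
    }

    return $findings
}

Get-PassTheHashExposure | Sort-Object Check, Subject | Format-Table -AutoSize
```

Each row maps back to a mitigation on the slide above: LocalAdminMember rows are the accounts to remove from the local Administrators group, ServiceRunAs and ScheduledTaskRunAs rows are where a domain-privileged account is parked on a host whose LSASS an attacker can read, and BuiltinAdminEnabled is the prompt to confirm the account has a per-host password or is disabled. The script is host-local and cannot see the remaining conditions (privileged accounts logging on interactively to workstations, or browsing the Internet); those are visible only in the domain controllers' 4624 logon events and the outbound proxy logs, which is why the slide pairs account restrictions with proxy and mailbox rules.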
Questions?
Slide 19
Upcoming Co3 Events
• IT-Defense 2015 Leipzig, Germany, Feb 4-6, 2015
Our CTO Bruce Schneier will be delivering a keynote on the "Future of Incident Response" on Thursday, February 5th at 2pm.
• IAPP Global Privacy Summit, Washington D.C., March 4-6, 2015
• RSA Conference 2015, San Francisco, April 20-24, 2015
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013
“Co3…defines what software packages for privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE
Stephen Brennan, Global Technical Consulting Lead, CSC
For a free consultation, please visit: info.co3sys.com/free-consultation
Slide 21
“Co3 makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
– PC Magazine, Editor’s Choice
“Platform is comprehensive, user friendly, and very well designed.”
– Ponemon Institute
“One of the most important startups in security…”
– Business Insider
“One of the hottest products at RSA…”
– Network World
“...an invaluable weapon when responding to security incidents.”
– Government Computer News
“Co3 has done better than a home-run...it has knocked one out of the park.”
– SC Magazine
Most Innovative Product