Aujas incident management webinar deck 08162016
-
Upload
karl-kispert -
Category
Technology
-
view
103 -
download
1
Transcript of Aujas incident management webinar deck 08162016
2
Copyright @2016 Aujas Information Risk Services
Typical Security IncidentOne Day at a Utilities Company
Customers calling
about slow network(Discovery of large
amounts of suspicious
traffic)
7:00 AM
Normal business
disrupted(Unknown malware
discovered. Wave of
DDOS attacks)
8:00AM
Attack on internal
systems. Data Breach.(Malware and DDOS was
just a distraction for
backdoor entry)
12:30 PM
Story in media as the
attacks continue and
spreads to partners.(Incident response team
still struggling to restore
services)
2:30 PM
All business operations
grinds to halt(Real-time applications
down. Remote employees
disconnected. Connection
to DB lost …)
5:00 PM
Every attempt to
recover - unsuccessful(Lack of a unified and
tested incident response
process is expensive)
7:00 PM
3
Copyright @2016 Aujas Information Risk Services
Design documents and source codes
of company’s flagship products have
been stolen.
Business partners can also be
impacted by the attack.
The organization’s reputation is in
jeopardy.
Clients and business partners are
angry and decide to terminate
contracts.
Law enforcement and regulators
start investigations.
Claims that cyber attackers are
taking down the organization are
spreading throughout media channels.
Sensitive client information is posted
to public domains.
Password list is stolen and made
public.
Production databases have been
deleted.
Internal communications and other
critical applications are down.
12-Hours Can Become Devastative
4
Copyright @2016 Aujas Information Risk Services
Best DefenseEarly Detection and Rapid Response !
Source: Verizon Data Breach Report
It just takes minutes to
compromise and steal data.
But it takes weeks to months to
discover and contain.
How can you reduce the
gap ?
5
Copyright @2016 Aujas Information Risk Services
IS-IM Governance
Creation of cross functional
teams, interaction models,
reporting and defining their
roles and responsibilities.
Use FrameworkGo for a framework based approach
IS-IM Policies &
Procedures
Policies and procedure for
operating IS-IM model.
Incident Database Knowledge base of response for
common scenarios based on
knowledge, as well as actual
incident learning.
Training & Awareness
Operation process training, create
awareness of applicable
organization policies, and do
simulations.
Emergency
Response Service
Coverage for emergency
response with specialization,
assistance and forensics.
.
Monitoring & Reporting
Reactive and proactive
monitoring services.
Technology Integration
Integration with event/log
correlation tools and threat
intelligence tools.
6
Copyright @2016 Aujas Information Risk Services
Incident MonitoringUpgrade SOC Competency
Internal Threat
Intelligence
Visualize assets based on criticality, and vulnerabilities to those assets.Threat intelligence feeds and SIEM alerts to take a risk based view on prioritization of risk mitigation. Adding reverse malware analysis and forensics as capabilities.
Go beyond reputation (IP/URLs) and focus on customization based on industry feeds, company URL and profile of people.Indicators of compromise based on reverse malware analysis for scanning, infection and information about zero day vulnerabilities.
Behavioral profiling for users and systems.Database searches and statistical modeling, reporting and visualization.
External Threat
IntelligenceStrength of
Analytics
Context and enrichment. Post correlation, joining the dots to see the attack chain.Visibility. Visualization to the state of security.
Situational
Awareness
7
Copyright @2016 Aujas Information Risk Services
Situational
Awareness
Ability to identify what is
happening in the network.
Weaponization
and Delivery
Transmission or Injection of
malicious payload into the
target.
Reconnaissance
Identification and selection
of the target/s host or
network by active scanning.Lateral Movement
Detect, exploit and
compromise other
vulnerable hosts.
Kill ChainMilitary Strategy: A model for stages of attack, and very valuable for prevention of attack.
Data Exfiltration
Steal and transfer data
outside.
Corporate Policy Violation
Do not comply with security
policy.
Persistency
Establish a foothold in the
corporate network.
8
Copyright @2016 Aujas Information Risk Services
Incident ResponseSOC 2.0 Operations – Incident response based on kill chain
Know your adversaries and their methods
Detect threat activity in kill chain
Disrupt the kill chain and stop the attack
Eradicate threat agent and remove the threat
Threat Intelligence
Security Operation
Incident Response
Response StrategyThreat Indicators
9
Copyright @2016 Aujas Information Risk Services
Advanced SOC
Strategy and Roadmap SIEM Optimization SOC GovernanceSOC Processes and
Workflows
1 2 3 4
• Maturity assessment across governance, operation, technology and integration and processes
• Strategy development from Current State and Future State
• Roadmap with milestone and financial budgeting
• Use Case Fine tuning and framework
• New use case creation
• Response run book
• Log source integration
• Reporting and visualization
• SOC Organization
• Roles and Responsibilities and RACI
• Performance indicator and management
• Skill Analysis, metrics & Training
• Roster management
• Incident Management –Monitoring, Validation, Analysis, Triage, Escalation, Response and Resolution
• Problem Management
• Forensics Process
• Device on-boarding
SOC Reporting and Analytics
SOC Operations
5
• SOC Advanced Reporting
• Visualization
• Analytical Reporting and Dashboards
L - 1Monitoring and
Validation
L - 2
Triage and Escalation
L – 3Response and Coordination
Security IntegrationVulnerability MgmtAsset ManagementIdentity Mgmt,Data Security
Incident /ticketing tool
Security Analytics & Incident Reporting
SIEM Architecture
SOC EngineeringRule Dev/TuningTool Integration
Device Mgmt
SIRT
Incident Handling
Forensic Handling
Security 2.0 Operations
Incident Monitoring
IOC Management
SIEM Rules and Use Case
Response Playbooks
Threat HuntingSimulations and Stress Test
6
Q1. What is a Threat Pursuit team? How can it help?
Threat pursuit teams are critical component for next generation SOCs and their main job is to watch out for threats
proactively. It ideally consist of 1-2 people with “hunter” skills, defined as below:
This team is typically responsible for the following:
Review and analyze external threat intelligence feeds from industry, open source and security partners.
Evaluate emerging threats.
Internal proactive analysis of events, offenses and exploits.
Proactive risk mitigation and analysis of emerging threats relevant to the organization.
Operationalize threat detection and threat response based on intelligence feeds.
Research, create, modify use cases/rules.
Provide actionable to respective resolutions team.
Create hypothesis for hunts and hunt missions.
Test hypothesis and identify patterns.
Provide actionable inputs.
Q2. How do we know there is an attack? How important is SOC here?
There are 3 ways to know if you are already under attack.
1. By leveraging IoC tools like RSA ECAT which has large database of indicators of compromise and scans all end points to
look for those indicator of compromise.
2. By hunting for threats. This is possible by two mechanisms. One is to look for threat indicators either coming from threat
intelligence feeds or your hypothesis which is being tested and second method is behavior anomalies which might point
to compromise. Popular tools in these domains are cyber reason and SQRRL.
3. By using Kill Chain based SIEM rules which are chained to identify attacks in the cycle and identify.
All three models are considered as next generation SOC and SOCs do play a critical role in threat hunting and cyber security
attack detection. Once detected, then the work of containment and eradication is done by respective resolver groups from
systems, applications, network and database which typically form the CERT/ ISIRT teams.
Q3. How to make use of Threat Intelligence feeds to detect Cyber attacks pro-actively?
Threat intelligence is very valuable in preventing cyber attacks, and can be used both manually and in an automated
manner in an SOC.
A. Threat hunter can use the threat intelligence feed to view, validate and research the vulnerabilities, applicability of the
malwares, bad IPs, URLs and map to organization’s assets etc. to proactively protect the systems.
B. The automated process is via STIX/TAXII compliant ingestion and acting for auto blocking bad IP and URLs, file names
and checksums etc.
Q4. What are some of the best practices to track employee network behavior without
infringing on privacy? Example: social media activities.
There are policies to track user behavior which provide exceptions to monitor employee financial transactions and related
traffic. Some of the advanced threat hunting platforms can pull everything from network traffic, logs, authentication
information to full packet capture but they are useful in big data and machine learning scenarios to identify anomalies and not
really to look into details of individual transactions.
As far as forensics is concerned, private information is still obfuscated and only relevant information is searched that is
needed for data security breaches.
Q5. Can you share case details related to specific industries. E.g. BFSI, Telecom, Utilities, etc.
Given that we have worked with many popular companies in the various industries, we get to know of specific cases, but
would definitely not be sharing the details with others from a privacy perspective. Having said that, we can always share
industry best-practices, and can provide specific suggestions on case-specific basis. You can reach us at www.aujas.com
Q6. What to do in the case of Zero Day attack, when the patch is yet to be made available?
All attacks follow the incident lifecycle of detection, validation, containment and eradication. In case of zero day attack, if
detected via threat intelligence/ behavior analysis, and the patch is yet to be made available, than you should figure out
complementary and monitoring controls.
For example, if you see a zero day attack for SSL connection and you do not have any patch and you cannot stop SSL as
that is the primary source of connection but there is a risk of getting sniffed then you start monitoring connection for anomaly
by SSL offloading and full packet inspection and in case you do not have that capability, then you just monitor packet size as
normal HTTP request and response size is 4 to 5KB and it meets that criteria.
SOC Organization Structure Template (Ideal Scenario)
1. One SOC Manager
2. Three L3 resources, one specializing in Network, Second in OS and third in Applications for expertise and quick triage
and validation.
3. Three L3 resources with experience in OS, Web App and Network security and each resource to have additional
knowledge and experience in Steal watch, DLP, DRM, DAM and Firewall/ IPS.
4. Eight L1 resources with combination of skills in Network, OS and Application knowledge.
5. Two SIEM administrators; one specializing in customization of connectors and use case configurations while the other
will perform day to day operations like user and group management, reporting and dashboards.
6. One Threat Analyst/ Hunter.
Q7. What is the mix of skill-sets required for an ideal SOC?
One should have a good mix of monitoring, triage, incident response, threat hunter, SIEM administrator and a forensic expert
in the SOC.
If possible, you should cross train few people to hold multiple responsibilities. A SOC Manager to manage skill inventory,
roster, and career progression is recommended.
Defined Cyber Risk Governance – Governance framework is vital for managing cyber risks, it is important to establish
various teams with clear roles and responsibilities along with integrations with other teams like Business Continuity, Disaster
Recovery and Crisis Management.
Understand Organization Cyber Landscape – Organization should understand cyber vulnerabilities for multiple locations
where data is stored, transmitted or accessed by various stakeholders (internal employees, partners, clients etc.).
Identify Critical Processes and Assets – Identify most critical revenue generating “Organization unit”, processes and
assets. Understand where they are located and how they are accessed and by whom.
Identify Cyber Threats – Analyze and consolidate the applicable cyber threats which the organization wants to manage.
Robust threat-analysis capability to be established based on internal and external sources.
Plan & Respond – Clear and defined procedures in form of playbook aids in effective cyber risk management. These
procedures needs to clearly define the incident lifecycle, teams to be involved with their roles & responsibility, escalation
mechanism and time to resolve/escalate. Monitoring team should effectively identify, analyze and report the cyber incidents
to the respective team for their action and responses.
Q8. What specific steps you recommend for BFSI to minimize cyber risk?
Define Cyber Risk
Governance
Understand Organization
Cyber Landscape
Identify Critical
Processes and Assets
Identify Cyber Threats
Plan & Respond
Aujas
Information Risk Management
We help organizations manage information security risks by protecting data, software, people and identities in line with compliance requirements and best practices; we also help strengthen security governance and intelligence frameworks.
Global Delivery
Model
Lifecycle Services
Approach
Accelerators for
Customers
Strong Project
Management
Investors: IDG,
IvyCap, RVCF
Professionals
38022
Countries
400Customers
www.aujas.com
Security Analytics &
Visualization Platform
Security Portfolio
Risk Advisory
Identity & Access
Threat
Management
Security Intel & Ops
Digital Security
Vulnerability Intel
Co-Managed
Security
Vendor Risk
Data Protection
Services
Platform as a Service
(PaaS)
US. UAE. India | www.aujas.com Copyright @2016 Aujas Information Risk Services
Functional Practices