How To Stop Target-Like Breaches In Their Tracks
Page 1
How To Stop Target-Like Breaches In Their Tracks
Page 2
Agenda
• Introductions
• Today’s reality with retail breaches
• Retail breach response – the good and the bad
• Intelligent response defined
• Intelligent response demo
• Recap
• Q&A
Page 3
Introductions: Today’s Speakers
• Ted Julian, CMO, Co3 Systems
• Tim Armstrong, Incident Response Specialist, Co3 Systems
• Colin Henderson, Principal Security Consultant, HP
Page 4
About Co3
PREPARE: Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (firedrills / table tops)
ASSESS: Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries
MANAGE: Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence
MITIGATE: Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
Page 5
HP Security Intelligence & Operations Consulting
Experience:
• Founded 2008
• 30+ Fortune 500 & Fed SOC Builds
• 100+ SOC Assessments
Solution Approach:
• People, Process, & Technology
Accelerated Success:
• Mature Project Methodology
• Best Practices
• Extensive Intellectual Capital
Expertise:
• 50+ Years of SOC Experience in SIOC Leadership team alone
Page 6
TODAY’S REALITY
Page 7
What is so important about these numbers?
94
71
416
Page 8
416 days is the average time to detect a breach
Source: Ponemon Institute
Page 9
94% of breaches are reported by a 3rd party
Source: Ponemon Institute
Page 10
71% more time is needed to resolve a breach
Source: Ponemon Institute
Page 11
Target Timeline – what we think we know
• Hackers break in using credentials from PA HVAC contractor
• DOJ contacts Target to inform them of the breach
• Target meets with DOJ and USSS
• Target retains investigators
• Target notifies payment processors and card brands – begins malware removal
• More malware removed from 25 disconnected terminals
• Public breach notification
Page 12
Target Timeline
• Hackers break in using credentials from PA HVAC contractor
• DOJ contacts Target to inform them of the breach
In the 4 weeks between the initial breach and the DOJ call, how could you break the kill chain?
• What would you look for?
• How would you find it?
• What would you do then?
Page 13
POLL
Page 14
RETAIL BREACH RESPONSE
Page 15
All things great and small
• Victims come in all sizes
• Some have good controls in place, others do not
Page 16
Good controls are not a guarantee
• Even companies with great controls have been breached
• Layered defenses and multiple controls are required
• Early detection should be the goal
Page 17
Good practices
• Physical separation of payment card network & systems
  • Easier monitoring
  • Required by PCI
• Restrict access to data center and corporate resources from store locations
• Modeling business processes
• Active monitoring programs (i.e. SOC)
[Diagram: Corporate, Data Center, Stores]
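As an added example (not from the webinar, and not Co3 or HP code), a small check of the segmentation policy this slide describes: flows from store addresses may reach only the payment segment, never the corporate network or the data center. The address plan, zone names and flow records below are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan (assumption, not from the slide).
ZONES = {"stores": "10.10.0.0/16", "corporate": "10.20.0.0/16",
         "datacenter": "10.30.0.0/16", "payment": "10.40.0.0/24"}
NETS = {z: ipaddress.ip_network(n) for z, n in ZONES.items()}

# Permitted cross-zone paths: stores reach only the payment segment; the
# corporate and data-center zones are never reachable from a store.
ALLOWED = {("stores", "payment"), ("corporate", "datacenter"),
           ("datacenter", "payment")}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    user: str = ""   # account seen on the session, if the log records one

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in NETS.items() if addr in net), "unknown")

def violations(flows):
    """Flows that cross a zone boundary the policy does not permit."""
    return [f for f in flows
            if zone_of(f.src) != zone_of(f.dst)
            and (zone_of(f.src), zone_of(f.dst)) not in ALLOWED]

# Constructed sample flows (not real data).
SAMPLE = [
    Flow("10.10.5.21", "10.40.0.10", 443),               # store -> payment: allowed
    Flow("10.20.1.5", "10.30.2.9", 1433),                # corporate -> DC: allowed
    Flow("10.10.7.3", "10.30.2.9", 445, "hvac_vendor"),  # store -> DC: violation
    Flow("10.10.7.3", "10.20.1.5", 3389),                # store -> corporate: violation
]

if __name__ == "__main__":
    for f in violations(SAMPLE):
        print(f"VIOLATION {zone_of(f.src)}->{zone_of(f.dst)} "
              f"{f.src}->{f.dst}:{f.dport} user={f.user or '-'}")
```

Run against real flow logs, the same check turns the slide's "restrict access from store locations" into something a SOC can alert on rather than assume.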
Page 18
Bad practices
Page 19
Lessons from the trenches
• Trust but verify
• Or don’t trust and verify
• You must define which systems process payment cards and secure them appropriately
Page 20
POLL
Page 21
INTELLIGENT RESPONSE DEFINED
Page 22
The ecosystem
[Diagram: attack stages Discovery, Research, Infiltration, Capture, Exfiltration, spanning "Our enterprise" and "Their ecosystem"]
Page 23
The goal for security
Page 24
Historical security spending trends
[Chart: Perimeter Controls vs Internal Controls, spend shown as 1X vs 5X]
Page 25
We must change our focus
Same old thinking, same old results
Page 26
Proactive monitoring program
Data sources feeding the program: Network equipment, Vulnerability scanning, Anti-virus, Business context, Physical infrastructure, Identity management, System health information, Web traffic, Intelligence feeds, Directory services, Firewalls/VPN, IDS/IPS, Databases, Applications, Server and desktop OS
Page 27
Maturity is a journey
[Chart: maturity stages Blissful ignorance, Awareness, Corrective, Operations excellence, Transformation; axes Level of Control and Risk]
Milestones along the way: Establish Security Teams & Remit; Operational Processes aligned to strong security policy; Security tracks and enables business and technology change; Actionable security intelligence & monitoring capability; Lower total cost of ownership
Page 28
Co3’s Incident Response Management Platform
• Automated Escalation: Accelerate response by easily creating incidents from the systems you already have (Email, Web Form, Trouble Ticketing, Entry Wizard, SIEM)
• Instant Creation and Streamlined Collaboration: IR plans created instantly based on regulations, best practices, and standard operating procedure. Collaborate on plan execution across multiple functions (Marketing, Legal & Compliance, IT, HR)
• Accelerated Mitigation: Speed results by easily outputting results to your management platforms (SIEM, Trouble Ticketing, GRC)
• Intelligent Correlation: Determine related incidents automatically to identify broader, concerted attacks
• Integrated Intelligence: Gain valuable threat intelligence instantly from multiple intelligence feeds
IR Plan inputs: Organizational SOPs, Global Privacy Breach Regulations, Contractual Requirements, Community Best Practices, Industry Standard Frameworks
SSAE 16 Type II Certified Hosting Facility; Dashboards & Reporting
Page 29
INTELLIGENT RESPONSE DEMO
Page 30
Remember these numbers?
• 416 days to detect a breach. Goal: hours, not days
• 94% of breaches reported by a 3rd party. Goal: internal, not external
• 71% more time is needed to resolve a breach as compared to 2010. Goal: reduce response time by 90%
Page 31
QUESTIONS
Page 32
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013
“The best purchase we have ever made.”
CSO, TOP 3 FORTUNE 500 HEALTHCARE ORGANIZATION
“Co3 has enabled the team to manage incidents in one tenth of the time that it took previously.”
DIRECTOR OF SECURITY, USA FUNDS
“Co3 Systems has done better than a home run...it has knocked one out of the park.”
SC MAGAZINE – AUGUST 2013
State of Security Operations report
http://hp.com/go/StateOfSecOps
HP Security Blog
http://hp.com/go/securityproductsblog