Cyber Information Sharing - Federal Business Council, Inc. (CyberUSA presentations)

Page 1

Renault Ross, CISSP, MCSE, CHSS, VCP5, Chief Cybersecurity Business Strategist
Ian Schmertzler, President

Cyber Information Sharing

Page 2

Know Your Team Under Pressure

Page 3

Trust Your Eyes

Page 4

Know the Supply Chain

Page 5

Have Secondary Comms

Page 6

Do it Right, Make it Here

Page 7

Page 8

Telemetry sources (FIREWALL, ENDPOINT, SERVER, GATEWAY):

GATEWAY: Email metadata; Source email server identity; Web connection history; Inbound attachments; Outbound attachments

SERVER: Administrative activity; Network connections; Successful / failed logins; Sensitive docs accessed; Compliance status

ENDPOINT: Security settings changes; Network connections; Successful / failed logins; Sensitive docs accessed; Process behaviors

FIREWALL: Inbound network traffic; Outbound network traffic; Protocol tunneling activity; Administrative activity

Page 9

BETTER PROTECTION + REMEDIATION

Page 10

GLOBALLY INFORMED SOLUTION SETTINGS

BENCHMARKING ACROSS PEERS

INDUSTRY-TARGETED ATTACK CAMPAIGNS

ENDLESS USE CASES

Page 11

Roadmap: COLLECT, TODAY, TOMORROW; PARTNER or BUILD/ACQUIRE

INTERACTIVE ANALYTICS

UNIFIED INCIDENT MGMT.

RISK ANALYSIS

INCIDENT INVESTIGATION

APP EXCHANGE

SOCIAL PLATFORM

Page 12

Information Sharing APP Exchange (mock-up)

Joe Admin – InfoSec Admin, Company 1 (Logged In)

Navigation: APPS | Developer Tool Package | Q&A | Database | Developer Zone
Filters: Recently Viewed | Top Rated | New Releases | By Industry | By Category

Top Rated
- C&C Detector (Nova Software)
- Load Look (Level2 Studio)
- Target Sweep (GO Getit EX)
- Remote control (Elipse Strategy)
- Termin8er (Supercoil Software)
- Secure Check (Supercoil Software)

FREE TRIAL

Secure App News
- 17 Sep 2014: “Load Look” by Level2 Studio advances to the next level of protection.
- 17 Sep 2014: 10 new compliance apps added.
- 16 Sep 2014: Nova Software contributes robust C&C Detection tool.
- 16 Sep 2014: Supercoil Software enhances security prioritization and checklist features.

News Archive >>

Message Board
- 1h: Check out our latest development utilizing aggregated risk analysis tolerance feedback – Super Coil Software
- 1D: Dashboard elite is not all it’s cracked up to be, we’ve hit snags with the custom navigation integration module. – Joe

Page 13

Information Sharing Social Platform (mock-up)

Joe Admin – InfoSec Admin, Company 1 (Logged In)

Navigation: Update My Status | Groups | Interests | Contacts | Recommended | Upcoming Events | Trending

Joe Admin, Software Developer (Verified), 3 hours ago:
We are seeing a lot of instances of foo.exe on our endpoints. Where is it coming from?

Lisa Andrews, Manufacturing CISOs (Verified), 2 hours ago:
Yes. I saw it a few weeks ago. Seems to be related to the earlier attack. I’ll ask Dave to send you a source IP we have associated with that executable.

Dave Admin, Manufacturing Admin (Verified), 1 hour ago:
Hi Joe, we have traced the origin of foo.exe to the following IP: 172.16.254.1

Source: 172.16.254.1
Type: IP Address
Origin: Unknown

Forensic results:
- Connection from SAM_WIN8/SPY.EXE to 172.16.254.1 at 6:18:08 pm on 10/6/14
- File TED_WIN7/BOT.EXE retrieved from 172.16.254.1 at 8:20:10 am on 10/24/14
- Connection from SALLY_ANDROID_1 to 172.16.254.1 at 4:24:08 pm on 11/6/14

Page 14

STARTING POINT: NIST CSF ADOPTION

Copyright © 2017 Symantec Corporation

Page 15

CSF FUNCTIONS – BUILD PROFILE (Core)

Functions:
ID  Identify  What assets need protection?
PR  Protect   What safeguards are available?
DE  Detect    What techniques can identify incidents?
RS  Respond   What techniques can contain impacts of incidents?
RC  Recover   What techniques can restore capabilities?

Page 16

UNDERSTAND YOUR MATURITY: SELF ASSESSMENT LED

IDENTIFY: ID.AM Asset Mgt.; ID.BE Organization; ID.GV Governance; ID.RA Risk Assessment; ID.RM Risk Strategy Mgt

PROTECT: PR.AC Access Control; PR.AT Awareness Training; PR.DS Data Security; PR.IP Info Processes & Procedures

DETECT: DE.AE Anomalies & Events; DE.CM Continuous Monitoring; DE.DP Detection Processes

RESPOND: RS.RP Response Planning; RS.CO Response Communications; RS.AN Response Analysis; RS.MI Response Mitigation; RS.IM Response Improvements

RECOVER: RC.RP Recovery Planning; RC.IM Recovery Improvements; RC.CO Recovery Communications

Maturity scale: Not At All | Planned | Partially | Mostly In Place | Optimized

Page 17

WHERE AM I

Current Profile
Fxn.  Cat.    Sub.      Tier
ID    ID.AM   ID.AM-1   Tier 1
              ID.AM-2   Tier 1
              ID.AM-3   Tier 2
              ID.AM-4   Unused
              ID.AM-5   Tier 4
              ID.AM-6   Tier 3

Target Profile
Fxn.  Cat.    Sub.      Tier
ID    ID.AM   ID.AM-1   Tier 2
              ID.AM-2   Unused
              ID.AM-3   Tier 4
              ID.AM-4   Tier 3
              ID.AM-5   Tier 4
              ID.AM-6   Tier 4

Enables a prioritized action plan
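The comparison of the two profiles can be automated. The following is an added example, not part of the slide deck or any Symantec tooling: it encodes the ID.AM rows from the slide, treats "Unused" as tier 0 (an assumption about how an out-of-scope subcategory should be scored), and orders the resulting gaps into the prioritized action plan the slide refers to.

```python
from dataclasses import dataclass

# Tier labels as printed on the slide. "Unused" = subcategory not in scope for
# that profile; scoring it as 0 is an assumption so a gap can still be computed.
TIER_VALUE = {"Unused": 0, "Tier 1": 1, "Tier 2": 2, "Tier 3": 3, "Tier 4": 4}

# Constructed from the slide's Current Profile and Target Profile tables (ID.AM rows).
CURRENT_PROFILE = {"ID.AM-1": "Tier 1", "ID.AM-2": "Tier 1", "ID.AM-3": "Tier 2",
                   "ID.AM-4": "Unused", "ID.AM-5": "Tier 4", "ID.AM-6": "Tier 3"}
TARGET_PROFILE = {"ID.AM-1": "Tier 2", "ID.AM-2": "Unused", "ID.AM-3": "Tier 4",
                  "ID.AM-4": "Tier 3", "ID.AM-5": "Tier 4", "ID.AM-6": "Tier 4"}


@dataclass(frozen=True)
class GapItem:
    subcategory: str
    current: str
    target: str
    gap: int     # target tier minus current tier; negative means above target
    action: str  # "raise", "hold" or "retire"


def gap_analysis(current: dict, target: dict) -> list[GapItem]:
    """One GapItem per subcategory, largest positive gap first (ties by id)."""
    items = []
    # A row missing from either profile is read as "Unused", never dropped.
    for sub in sorted(set(current) | set(target)):
        cur, tgt = current.get(sub, "Unused"), target.get(sub, "Unused")
        if cur not in TIER_VALUE or tgt not in TIER_VALUE:
            raise ValueError(f"{sub}: unknown tier label {cur!r} / {tgt!r}")
        gap = TIER_VALUE[tgt] - TIER_VALUE[cur]
        if tgt == "Unused" and cur != "Unused":
            action = "retire"   # in scope today, out of scope in the target
        elif gap > 0:
            action = "raise"
        else:
            action = "hold"     # already at or above the target tier
        items.append(GapItem(sub, cur, tgt, gap, action))
    return sorted(items, key=lambda i: (-i.gap, i.subcategory))


def action_plan(current: dict, target: dict) -> list[str]:
    """Plan lines for the subcategories that need work, in priority order."""
    return [f"{i.subcategory}: {i.action} ({i.current} -> {i.target})"
            for i in gap_analysis(current, target) if i.action != "hold"]


if __name__ == "__main__":
    print("\n".join(action_plan(CURRENT_PROFILE, TARGET_PROFILE)))
```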


Page 18

HOW CAN I ALIGN WITH BEST PRACTICES (Core)

Function: Respond (RS)
Category: Response Planning (RS.RP)
Subcategory: RS.RP-1: Response plan is executed during or after an event
Informative References: COBIT 5 BAI01.10; CCS CSC 18; ISA 62443-2-1:2009 4.3.4.5.1; ISO/IEC 27001:2013 A.16.1.5; NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8

Page 19

INFORMATIVE REFERENCES (Core)

Page 20

ENTERPRISE TOOLKIT: A Mature Compliance and Security Model - Business Strategy and Governance driving Security Operations

Model rows (Strategic to Tactical):
- Business Strategy and Governance
- Governance (security, privacy, compliance)
- On-Going Compliance and Security Operations
- Information Protection
- Infrastructure Management
- Infrastructure Protection

Practice areas shown on the slide (Information Risk Management & Reporting appears in every row):
- Security Policies and procedures; Awareness and Training; Security Team Structure, Roles & Responsibilities
- Digital Trust; High Assurance; Identity Management; Authentication
- Data Loss Controls; Data Classification; Encryption; Electronic Discovery
- Configuration & Patch Management; Sys Integrity & Lockdown
- Inventory & Asset Management; Mobility & Wireless
- Logging & Monitoring; Malicious Code Protection; Security Intelligence; Secure Network Design; Network Perimeter Security

Toolkit labels: GRC Policy; GRC Standards & UA; GRC Dashboards; DLP; ENC; 2FA; PKI; CASB; LOA3 Secure Info Access; EPM; Mobile EPM; HIPS; PEN Test; EDR; MSSP; IR Retainer; ATP