
Today's Breach Reality, The IR Imperative, And What You Can Do About It



“Co3 makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”

– PC Magazine, Editor’s Choice

“Co3…defines what software packages for privacy look like.”

– Gartner

“Platform is comprehensive, user friendly, and very well designed.”

– Ponemon Institute

“One of the most important startups in security…”

– Business Insider

“One of the hottest products at RSA…”

– Network World

“...an invaluable weapon when responding to security incidents.”

– Government Computer News

“Co3 has done better than a home-run... it has knocked one out of the park.”

– SC Magazine

“Most Innovative Security Startup.”

– RSA Conference

We’ll get started in just a minute.

Today's Breach Reality, The IR Imperative, And What You Can Do About It


Agenda

Introductions

Problems We Face

The Targets

The Victims

The Motivations

Breach and Response Metrics

Key Concepts for Combating Modern Threats

The Incident Response Lifecycle


Introductions: Today’s Speakers

• Ted Julian, Chief Marketing Officer, Co3 Systems

• Colby Clark, Director of Incident Management, FishNet Security


About Co3

Prepare: Improve Organizational Readiness

• Appoint team members

• Fine tune response SOPs

• Link in legacy applications

• Run simulations (fire drills, table tops)

Mitigate: Document Results & Improve Performance

• Generate reports for management, auditors, and authorities

• Conduct post-mortem

• Update SOPs

• Track evidence

• Evaluate historical performance

• Educate the organization

Assess: Identify and Evaluate Incidents

• Assign appropriate team members

• Evaluate precursors and indicators

• Track incidents, maintain logbook

• Automatically prioritize activities based on criticality

• Log evidence

• Generate assessment

Manage: Contain, Eradicate and Recover

• Generate real-time IR plan

• Coordinate team response

• Choose appropriate containment strategy

• Isolate and remediate cause

• Instruct evidence gathering and handling


About FishNet

VITAL STATS

• 700+ employees dedicated to helping enterprise customers secure every aspect of their IT environment.

• 96% Customer Satisfaction / Best-in-Class NPS Benchmark

• Established 1996

• 29 Offices

• 9 Training Centers

• 700+ Certifications

2013 HIGHLIGHTS

• $600M Revenue

• 3,200 Customers

• 1,500 Service Engagements


About FishNet

• Our experts take the time to understand your business, so they can develop, implement and support solutions tailored to your environment.

SECURITY SOLUTIONS: COMBINED CAPABILITIES DRIVE VALUE

PROFESSIONAL SERVICES

• 31 Strategic Services (StS) Advisors

• 300+ Consultants

• 2 Security Operations Centers

• Frontline Support

• Network & Security Training

• 250+ Certifications

• Information Security Program Model (ISPM)

TECHNOLOGY PRODUCTS

• 55 Sales Engineers (SE) & Enterprise Architects (EA)

• 100+ Vendor Partnerships

• Direct Access to Vendor R&D Teams & Advisory Panels

• Cloud-Based Testing Lab

• 450+ Certifications

• ADVISER Solutions Lifecycle


Problems We Face

• Waves of malware attacks per industry, with malware optimized for each wave and for the software types it targets

• Thousands of machines quickly infected in large environments

• Large numbers of ingress/egress points and unmanaged devices

• Polymorphism of malware per machine instead of per organization, circumventing most host- and network-based detection methods

• Multi-vector malware in layers, creating distraction and chaos while allowing unauthorized access, performing massive data exfiltration, and leading to extortion and data loss:

– W32.Changeup → Zeus → Cryptolocker → Data Loss

– Compromise of computer + phone for financial attacks

• Ransomware encrypting drives and shares

• Long term presence within organizations

• Reconnaissance for worse activity later


Problems We Face

• Compromise of corporate environments to gain access to CDEs (cardholder data environments)

• Sophisticated malware and botnets now in point-of-sale environments:

– Memory resident

– Utilizes jump boxes

– Moves around

• Delayed detection of cardholder data compromise:

– Obfuscation of collection

– Waiting until cards are about to expire before use

• Security devices not properly configured, tuned, and/or monitored

• Circumventing network detections through SSL and DGA (domain generation algorithms)

• Too much reliance on antiquated security solutions

• Attack vectors often not notable (low-hanging fruit)

• Incident response programs and training not adequate


Problems We Face

Bottom line: security threats have evolved…


Problems We Face

– Nobody is immune to compliance. But it’s more than just checking a box.

• Everyone needs to be compliant with a policy, regulation or legal requirement: PCI Compliance, HIPAA, GLBA, FTC, NERC, FERC…

• Are you secure or just compliant?

• You can be completely compliant and totally insecure.

• Promote compliance through security. It does not come in a can or clip board.


Problems We Face

– The uncomfortable truth: everyone is 0wn3d.

– How exposed are you to cyber criminals?

• You have been breached whether you know it or not.

• Malware patiently waits in nearly every environment, allowing clandestine command and control, data harvesting, and arbitrary code execution.

• Hackers are like water in a bucket. If there is a hole, they will find it.

• Focus on solving the security problem holistically.

POLL


Who are the Targets and Why?

• Everyone is a target

– Government

– Large Corporations

– Small Companies

– Private Individuals

• Every target is of interest

– Defacement for bragging rights

– PII, IP, and identity theft

– Credential stealing

– Confidential data leakage

– Customer information

– Supply chain attacks

– Adding to their botnet

– Use your network and devices as jump points


Victims

Recent Top News Clips – What Happened?

All were sued (Content Based on Public Knowledge):

• Zappos – Class action suit

• LinkedIn – $5M class action suit

• South Carolina - $12M settlement

• Global Payments – Class action suit

• Nationwide – Class action suit

• Wyndham – FTC Consent Order (really bad)

• Yahoo – Class action suit

• Target – Class action suit; DOJ

• Horizon Blue Cross – Class action suit

• Adobe – Class action suit

• Most recent large breaches – DOJ


Motivations

• Ransomware becoming increasingly common

• Now in corporate environments and affecting hard drives and shares

• Highly lucrative; attackers win either way

• Disaster recovery strategy is back-up or pay-up


Breach and Response Metrics & Facts

Financial Metrics (from Ponemon 2013 Cost of Data Breach Study):

• Average total cost of a breach: $5.4 Million

• Average per record cost for data breach: $192 (actual costs vary per organization type)

• Average per record cost reductions:

– Having a strong security posture: $34

– Having an incident response plan in place: $42

– Appointing a CISO: $23

– Hiring consultants to respond to a breach: $13

Important Facts:

• Attackers infiltrate and maintain persistence for about 1 year on average before detection

• Antivirus is around 3-5% effective at detecting new threats

• Fran Rosch, Senior Vice President of Mobility at Symantec, testified before Congress that signature-based detection methodology is ineffective

• Pentagon claimed that Chinese 2011 military spending equaled $180 billion, with sustained investment in cyberwarfare

• Hacking has resulted in the largest transfer of wealth in human history

– As of July 2013, Chinese hackers have cost the US about $2 Trillion

– How about others? Russia? Middle East?


What Does a Trillion Dollars Look Like?


Key Concepts for Combatting Modern Threats

Endpoint Technology

• Corporate environments

– Behavioral analysis and retrospection

– Continuous monitoring

– Least prevalence detection

– Not limited to the security perimeter

– Application restrictions to known good behavior

– Scanning for IOCs

– Enterprise forensics

• Cardholder data environments

– Application whitelisting

– Application restrictions to known good behavior

– Change detection
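The "least prevalence detection" bullet above deserves a concrete illustration: fleet-wide binaries (OS components, standard software) show up on most hosts, while malware that is polymorphic per machine tends to be unique to one host, so rarity itself becomes the signal. The following is an added example, not code from the Co3/FishNet deck; it assumes each endpoint agent reports (hostname, executable path, SHA-256) tuples, and the inventory and PLACEHOLDER-HASH-* values are constructed sample data, not real file hashes. It also flags a related masquerading tell, a familiar file name backed by an unfamiliar hash, which goes slightly beyond the slide's bullet.

```python
"""Least-prevalence detection over an endpoint software inventory.

Added example (not code from the Co3/FishNet deck). Assumes each endpoint
reports (hostname, executable path, SHA-256) tuples, as an EDR or enterprise
forensics agent typically would; the inventory below is constructed sample
data and the hash strings are placeholders, not real file hashes.
"""
from collections import defaultdict

# Constructed sample inventory: (host, path, sha256). PLACEHOLDER-HASH-* are
# stand-ins for real SHA-256 values.
INVENTORY = [
    ("ws-001", r"C:\Windows\System32\svchost.exe", "PLACEHOLDER-HASH-A"),
    ("ws-002", r"C:\Windows\System32\svchost.exe", "PLACEHOLDER-HASH-A"),
    ("ws-003", r"C:\Windows\System32\svchost.exe", "PLACEHOLDER-HASH-A"),
    ("pos-017", r"C:\Windows\System32\svchost.exe", "PLACEHOLDER-HASH-A"),
    ("ws-001", r"C:\Program Files\Browser\browser.exe", "PLACEHOLDER-HASH-B"),
    ("ws-002", r"C:\Program Files\Browser\browser.exe", "PLACEHOLDER-HASH-B"),
    # Seen on one workstation only, dropped into a user temp directory.
    ("ws-003", r"C:\Users\bob\AppData\Local\Temp\update.exe", "PLACEHOLDER-HASH-D"),
    # Seen on one POS host only, reusing a system binary's name with a different hash.
    ("pos-017", r"C:\ProgramData\pos\svchost.exe", "PLACEHOLDER-HASH-E"),
]


def prevalence_by_hash(inventory):
    """Map each hash to the sorted hosts and paths it was observed on."""
    hosts = defaultdict(set)
    paths = defaultdict(set)
    for host, path, sha in inventory:
        hosts[sha].add(host)
        paths[sha].add(path)
    return {sha: (sorted(hosts[sha]), sorted(paths[sha])) for sha in hosts}


def least_prevalent(inventory, max_hosts=1):
    """Hashes seen on at most max_hosts distinct hosts, rarest first."""
    total_hosts = len({host for host, _, _ in inventory})
    findings = []
    for sha, (hosts, paths) in prevalence_by_hash(inventory).items():
        if len(hosts) <= max_hosts:
            findings.append({
                "sha256": sha,
                "host_count": len(hosts),
                "prevalence": len(hosts) / total_hosts,
                "hosts": hosts,
                "paths": paths,
            })
    findings.sort(key=lambda f: (f["host_count"], f["sha256"]))
    return findings


def name_collisions(inventory):
    """File names that resolve to more than one hash across the fleet.

    A well-known binary name backed by an unfamiliar hash is a common
    masquerading pattern and worth a closer look."""
    hashes_by_name = defaultdict(set)
    for _, path, sha in inventory:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        hashes_by_name[name].add(sha)
    return {name: sorted(s) for name, s in hashes_by_name.items() if len(s) > 1}


if __name__ == "__main__":
    for f in least_prevalent(INVENTORY):
        print(f"{f['sha256']}: {f['host_count']} host(s) {f['hosts']} {f['paths']}")
    print("name collisions:", name_collisions(INVENTORY))
```

In practice the threshold is tuned to fleet size (a hash on 1 of 4 hosts is far less remarkable than 1 of 40,000), and rare hashes are triaged together with path, signer and first-seen time rather than acted on alone, since legitimate one-off tools and freshly patched binaries are also low-prevalence.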


Key Concepts for Combatting Modern Threats

Network Monitoring & Restrictions

• Network traffic retrospection

• SSL decryption

• Network malware analysis

• DGA (domain generation algorithm) traffic

• Tunneling

• Network traffic IOCs and anomalies

• 2 factor authentication for remote access

• Restrict egress from cardholder data environment to processing only


Key Concepts for Combatting Modern Threats

• Data Security – Cloud, Endpoint, Repository…

– DLP + DRM

• Lock down documents so it does not matter if they are stolen

• Utilize the cloud without concern

• Reduced fear of IP theft

• Program Development

– Incident response gap analysis

– Policy and procedure development

– Incident handling playbook development

• Training & Testing

– Provide hands-on training for all technology, playbook scenarios, and threats

– Provide tabletop testing for realistic scenarios involving stakeholders

– Practice communications and methodology

• Incident Response Retainer

– Subject matter experts on call

– Augment internal capabilities

– Contracts agreed upon ahead of time

– Rapid response – 24 hour service level agreement

POLL


The Incident Response Lifecycle

Prepare: Improve Organizational Readiness

• Appoint team members

• Fine tune response SOPs

• Link in legacy applications

• Run simulations (fire drills, table tops)

Mitigate: Document Results & Improve Performance

• Generate reports for management, auditors, and authorities

• Conduct post-mortem

• Update SOPs

• Track evidence

• Evaluate historical performance

• Educate the organization

Assess: Identify and Evaluate Incidents

• Assign appropriate team members

• Evaluate precursors and indicators

• Track incidents, maintain logbook

• Automatically prioritize activities based on criticality

• Log evidence

• Generate assessment

Manage: Contain, Eradicate and Recover

• Generate real-time IR plan

• Coordinate team response

• Choose appropriate containment strategy

• Isolate and remediate cause

• Instruct evidence gathering and handling


Prepare

• Incident response teams often include:

– IT, Legal (internal and/or external), Compliance, Audit, Privacy, Marketing, HR, Senior Executive

– Pre-define roles and responsibilities

• RACI (Responsible, Accountable, Consulted, Informed)

• SOPs can include:

– Processes to be followed by incident type

– Standardized interpretation of legal / regulatory requirements

– 3rd party contractual requirements

• Simulations

– Can range from drills to full-scale exercises

– Communication is key

• Roles, contact info, internal and external

– Gauge organization preparedness, catalyze improvement

Prepare: Improve Organizational Readiness

• Appoint team members

• Fine tune response SOPs

• Link in legacy applications

• Run simulations (fire drills, table tops)


Assess

• Prioritize efforts

– Based on value of asset, potential for customer impact, risk of fines, and other risks

• Leverage threat intelligence

• Incident declaration matrix

– Based on category and severity level

– Can set SLAs for each

Assess: Identify and Evaluate Incidents

• Assign appropriate team members

• Evaluate precursors and indicators

• Track incidents, maintain logbook

• Automatically prioritize activities based on criticality

• Log evidence

• Generate assessment
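The Assess slide describes an incident declaration matrix keyed by category and severity, with an SLA per cell, and prioritization by asset value and other risk. The following is an added example of how such a matrix is encoded and applied, not the deck's or Co3's own code; the categories, severity levels, SLA hours, weights and asset multipliers are constructed assumptions, and a real matrix is filled in from the organization's own risk assessment.

```python
"""Incident declaration matrix with per-cell SLAs and criticality ordering.

Added example (not the deck's or Co3's own code). The categories, severity
levels, SLA hours, weights and asset multipliers are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed matrix: (category, severity) -> (declare as incident?, response SLA hours, base weight)
MATRIX = {
    ("malware", "high"): (True, 1, 90),
    ("malware", "medium"): (True, 4, 60),
    ("malware", "low"): (False, 24, 20),
    ("data_loss", "high"): (True, 1, 100),
    ("data_loss", "medium"): (True, 4, 70),
    ("data_loss", "low"): (True, 24, 40),
    ("policy_violation", "high"): (True, 8, 50),
    ("policy_violation", "medium"): (False, 24, 30),
    ("policy_violation", "low"): (False, 72, 10),
}

# Constructed asset multipliers: asset value, potential customer impact and
# regulatory exposure (e.g. cardholder data) raise criticality.
ASSET_MULTIPLIER = {"cde": 3.0, "crown_jewel": 2.0, "standard": 1.0}

# Constructed sample events as they might arrive from monitoring.
SAMPLE_EVENTS = [
    {"id": "E1", "category": "malware", "severity": "high", "asset_class": "standard"},
    {"id": "E2", "category": "data_loss", "severity": "medium", "asset_class": "cde"},
    {"id": "E3", "category": "policy_violation", "severity": "low", "asset_class": "standard"},
    {"id": "E4", "category": "malware", "severity": "medium", "asset_class": "crown_jewel"},
]

NOW = datetime(2014, 7, 1, 9, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility


def classify(category, severity):
    """Look up the matrix cell; an unknown pair is a process gap, not a silent 'low'."""
    try:
        return MATRIX[(category, severity)]
    except KeyError:
        raise ValueError(f"no declaration matrix entry for {category}/{severity}") from None


def declare(event, now):
    """Turn a raw event into an incident record with SLA deadline and criticality score."""
    is_incident, sla_hours, weight = classify(event["category"], event["severity"])
    multiplier = ASSET_MULTIPLIER[event.get("asset_class", "standard")]
    return {
        "id": event["id"],
        "declared": is_incident,
        "sla_deadline": now + timedelta(hours=sla_hours) if is_incident else None,
        "score": weight * multiplier,
    }


def prioritize(events, now):
    """Declared incidents ordered by criticality, then by the nearest SLA deadline."""
    declared = [r for r in (declare(e, now) for e in events) if r["declared"]]
    declared.sort(key=lambda r: (-r["score"], r["sla_deadline"], r["id"]))
    return declared


def sla_breached(record, now):
    """True once the response SLA for a declared incident has elapsed."""
    return record["declared"] and now > record["sla_deadline"]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_EVENTS, NOW):
        print(r["id"], r["score"], r["sla_deadline"].isoformat())
```

Two design points carry over to a real program: an event whose category/severity pair has no matrix entry is rejected rather than defaulted, so gaps in the matrix surface during tabletop exercises instead of during an incident, and the SLA deadline is stored on the record so the same data answers the "did we hit our SLAs?" question in the post-mortem.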


Manage

• Iterate on your plan

• Communicate status

– Different mechanisms for different constituents

• Ensure everything is tracked

Manage: Contain, Eradicate and Recover

• Generate real-time IR plan

• Coordinate team response

• Choose appropriate containment strategy

• Isolate and remediate cause

• Instruct evidence gathering and handling


Mitigate

• Conduct a post-mortem

– Validate investment or lobby for more

– Identify areas for improvement

• Did we hit our SLAs?

– Update playbooks

• Track incident source

– Pinpoint risk to drive improvement, and/or trigger bill-back

• Update preventative and detective controls

Mitigate: Document Results & Improve Performance

• Generate reports for management, auditors, and authorities

• Conduct post-mortem

• Update SOPs

• Track evidence

• Evaluate historical performance

• Educate the organization

QUESTIONS


Next Up

• BlackHat 2014

– August 5-7, Las Vegas

One Alewife Center, Suite 450

Cambridge, MA 02140

PHONE 617.206.3900

WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”

PC MAGAZINE, EDITOR’S CHOICE

“Co3…defines what software packages for privacy look like.”

GARTNER

“Platform is comprehensive, user friendly, and very well designed.”

PONEMON INSTITUTE

“One of the hottest products at RSA…”

NETWORK WORLD – FEBRUARY 2013

Colby Clark

Director of Incident Management

FishNet Security

[email protected]

208.553.3266