Modern Incident Response Program Needs
- 1. Needs of a Modern Incident Response Program
  Tom Cross, Director of Security Research, Lancope
  Brandon Tansey, Security Researcher, Lancope
  © 2014 Lancope, Inc. All rights reserved.
- 2. What advantages do attackers have? Asymmetry
  “The defender has to cover every vulnerability but the attacker only has to find one.”
- 4. Perimeter Security
  • Much of the practice of computer security has to do with making sure the doors are locked.
    – When we have incidents we spend more money on prevention.
    – We tend to assume that if the bad guys are in, it's game over.
  • We’re focusing our energy where attackers have the most strength
- 5. What advantages do defenders have? Home Court Advantage
  • Defenders create the network environment that attackers are trying to compromise
  • Defenders
    • Know what is on the network
    • Have visibility into the network
  • Attackers have to discover the environment through reconnaissance
  • Defenders can exploit the attacker’s lack of knowledge of the environment in order to detect attackers and waste their time
- 6. A Four Dimensional View of Attacker Behavior
  • A sophisticated attack on a network involves a series of steps
  • Traditional thinking views any system compromise as a successful breach
  • Any successful action taken to stop an infection prior to data exfiltration can be considered a win
  • This is the Kill Chain concept introduced by Mike Cloppert at Lockheed
  • Controls should be put in place at each stage of the chain
  Stages shown in the diagram: Recon, Exploitation, Initial Infection, Internal Pivot, Data Preparation & Exfiltration, Command and Control
- 7. Toward Continuous Incident Response
  Factors driving the change:
  • The persistent nature of the threat
  • Other organizations aren’t necessarily experiencing the same attacks
  • The desire to collect threat intelligence that can be used to detect future incidents
  • A sophisticated attack on a network involves a series of steps
  Cycle shown in the diagram: Detect → Respond → Analyze → Distill Intel
- 8. Ponemon Research Report: 2014 Cyber Security Incident Response
  Sample Response               Freq     Pct%
  Sampling frame                20,446   100%
  Total returns                 793      3.9%
  Rejected & screened surveys   119      0.6%
  Final sample                  674      3.3%
  A scientific sampling frame of 20,446 experienced IT and IT security practitioners located in all regions of the United States and United Kingdom were selected as participants to this survey.
- 9. How can your organization most effectively mitigate future security breaches?
  • Better incident response capabilities: 68%
  • Threat Intelligence or IP reputation services: 62%
  • Improved vulnerability audits and assessments: 44%
  • Improved patch management process: 36%
  • Higher quality professional staffing: 29%
- 10. Incident Response Budgets
  Percentage of security budget spent on Incident Response:
  • Less than 10%: 50%
  • 10% to 20%: 31%
  • 21% to 30%: 11%
  • 31% to 40%: 5%
  • 41% to 50%: 2%
  • More than 50%: 1%
  How did this percentage change over the past 24 months?
  • Increased: 34%
  • Decreased: 18%
  • Stayed the same: 45%
  • Cannot determine: 3%
- 14. What type of tools are most effective in helping to detect breaches?
  • NetFlow / Pcap: 80%
  • SIEM: 76%
  • IDS / IPS: 67%
  • Threat Feeds: 65%
- 19. NetFlow vs and Packet Capture
- 20. • NetFlow
    – Lots of breadth, less depth
    – Lower disk space requirements
  • Full Packet Capture
    – Deep but not broad
    – Expensive
    – High disk space requirements
- 25. Host Logs
- 26. From where do you send information to your SIEM?
  • Network Security Devices: 61%
  • All Client PCs: 52%
  • All Application Servers: 48%
  • All Identity Management Infrastructure: 36%
  • All Network Infrastructure: 31%
  • We Don't: 34%
- 27. Regardless of the information source…
  • Are you just logging information or are you also collecting it?
  • Are you saving only ‘special’ log lines, or everything?
  • Do you have a standard retention period in policy?
    – Does the budget control the period, or the period the budget?
  • If you have end-user managed hosts, are they subject to the same logging policies?
- 28. Backups - the stakes have been raised!
- 30. Do your organization's incident investigations result in threat indicators which are used to defend the organization from future attacks?
  • Yes: 43%
  • No: 54%
  • Unsure: 3%
- 31. Roles in a Modern Incident Response Team
  • Security Analyst
  • Network Forensics Analyst
  • Hard Drive Forensic Analyst
  • Malware Analyst
  • Threat Intelligence Analyst
  • Security [Operations] Engineer
  • Operations Engineer
  • Software Engineer
- 32. Staffing
  Number of team members in CSIRT:
  • None: 12%
  • One: 16%
  • 2 to 5: 44%
  • 6 to 10: 23%
  • More than 10: 5%
  Number of team members fully dedicated to CSIRT:
  • None: 45%
  • One: 28%
  • 2 to 5: 14%
  • 6 to 10: 11%
  • More than 10: 2%
- 33. How frequently do you assess the readiness of your Incident Response team?
  • On an ongoing basis: 21%
  • On a quarterly basis: 14%
  • On a semi-annual basis: 6%
  • On an annual basis: 12%
  • Not on a regular schedule: 29%
  • Readiness is not assessed: 18%
- 34. Use of Indicators
  • Firewall
  • Web Gateway
  • Mail Gateway
  • IPS / IDS
  • SIEM
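The "Distill Intel" step of the continuous response cycle (slide 7), the question of whether investigations yield indicators that defend the organization later (slide 30), and the enforcement points listed above all come together in one routine: indicators distilled from a past incident are matched against fresh log lines from the firewall, web gateway, mail gateway and IDS. The example below is added here and is not code from the Lancope deck or the Ponemon report; the indicators, incident ids (INC-0001, INC-0002), log lines and device prefixes are all constructed, and the function names and regex-based extraction are the example's own choices.

```python
"""Match indicators distilled from past investigations against new log lines.

Added illustration (not from the Lancope deck): the indicators, log lines and
incident ids below are constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str    # "ip", "domain" or "sha256"
    value: str
    source: str  # the investigation the indicator was distilled from


# Constructed indicators, as if produced by the "Distill Intel" step.
INDICATORS = [
    Indicator("ip", "198.51.100.23", "INC-0001"),
    Indicator("domain", "updates.example.net", "INC-0001"),
    Indicator("sha256", "a" * 64, "INC-0002"),
]

# Constructed log lines from the enforcement points listed on the slide;
# the prefix before ':' names the device that produced the line.
SAMPLE_LOGS = [
    "firewall: allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "proxy: user=alice url=https://cdn.example.com/lib.js status=200",
    "proxy: user=bob url=http://updates.example.net/check status=200",
    "mailgw: from=news@example.org attachment=report.pdf sha256=" + "a" * 64 + " verdict=clean",
    "ids: alert sid=1000001 src=203.0.113.9 dst=10.0.0.5",
    "proxy: user=carol url=http://dl.updates.example.net/payload status=200",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def extract_observables(line):
    """Return the set of (kind, value) observables found in one raw log line.

    The regexes deliberately over-match (a path component such as 'lib.js'
    looks like a host); that is harmless here because only values that
    equal a known indicator produce a hit.
    """
    found = set()
    for candidate in IPV4_RE.findall(line):
        try:
            ipaddress.ip_address(candidate)   # rejects octets above 255
        except ValueError:
            continue
        found.add(("ip", candidate))
    for host in HOST_RE.findall(line):
        found.add(("domain", host.lower()))
    for digest in SHA256_RE.findall(line):
        found.add(("sha256", digest.lower()))
    return found


def is_hit(observable, indicator):
    """Exact match, or for domains a subdomain of the indicator's domain."""
    kind, value = observable
    if kind != indicator.kind:
        return False
    if value == indicator.value:
        return True
    return kind == "domain" and value.endswith("." + indicator.value)


def match_indicators(lines, indicators):
    """Return (line_no, enforcement_point, indicator) for each indicator hit."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        point = line.split(":", 1)[0]
        observed = extract_observables(line)
        for indicator in indicators:
            if any(is_hit(obs, indicator) for obs in observed):
                hits.append((line_no, point, indicator))
    return hits


def hits_by_enforcement_point(hits):
    """Count hits per device so the team can see where indicators fire."""
    counts = {}
    for _, point, _ in hits:
        counts[point] = counts.get(point, 0) + 1
    return counts


if __name__ == "__main__":
    hits = match_indicators(SAMPLE_LOGS, INDICATORS)
    for line_no, point, indicator in hits:
        print(f"line {line_no} ({point}): {indicator.kind}={indicator.value} from {indicator.source}")
    print(hits_by_enforcement_point(hits))
```

Running it shows the same INC-0001 indicators firing on both the firewall and the web proxy, and the INC-0002 file hash firing on the mail gateway even though the gateway's own verdict was "clean": that is the point of slide 30, that an investigation's output becomes a detection at every enforcement point rather than staying in a ticket.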
- 35. Are you sharing threat intelligence?
  • Information is neither received nor shared: 45%
  • Information is received from sharing partners but not shared with them: 26%
  • Information is shared with law enforcement or other government agencies: 23%
  • Information is shared with various CERTs: 15%
  • Information is shared with industry peers: 12%
- 37. Do you have a PR and Analyst Relations plan in place in the event of a breach?
  • Yes: 23%
  • No: 75%
  • Unsure: 2%
- 38. What functions or departments are involved in the incident response process?
  • IT Management: 79%
  • Executive Management: 14%
  • Board of Directors: 10%
  • Risk management: 36%
  • Legal: 45%
  • Compliance: 47%
  • HR: 43%
- 39. Frequency of cyber threat briefings to various functions
  • IT management: 91%
  • Compliance / Audit: 64%
  • Legal: 51%
  • HR: 50%
  • Risk management: 49%
  • Broadly within the organization: 24%
  • Executive management: 20%
  • Board of directors: 12%
- 40. Should your CSIRT make decisions or recommendations?
- 41. Things to get in writing
  • Who can approve what actions?
    – Does the type of incident affect the answer?
    – If an appropriate person cannot be reached, can the incident responder act on their own after a given amount of time?
- 42. Things to get in writing
  • What are end-users’ responsibilities in the incident response process?
    – Are they required to turn over machines to the CSIRT?
    – In the event of a compromise resulting in a wipe, do users get access to their files? Which ones?
    – What happens when a user needs something that the CSIRT has blocked?
    – Who handles exceptions?
- 43. Things to get in writing
  • Can your CSIRT participate in information and indicator sharing groups?
  • Can your CSIRT run malware live on the internet?
    – What are safe handling requirements?
  • Can your CSIRT interact with malicious hosts for the purpose of intelligence gathering?
    – From the corporate LAN? An unattributed network?
- 45. Resources
  § Ponemon Research Report: 2014 Cyber Security Incident Response
    http://www.lancope.com/ponemon-incident-response
  § The Forum of Incident Response & Security Teams
    www.first.org
  § CERT Division of the Software Engineering Institute (SEI)
    www.cert.org/incident-management/
- 46. Q/A