Slide 1: Needs of a Modern Incident Response Program

Tom Cross, Director of Security Research, Lancope
Brandon Tansey, Security Researcher, Lancope

© 2014 Lancope, Inc. All rights reserved.
  
Slide 2: What advantages do attackers have?

Asymmetry

"The defender has to cover every vulnerability but the attacker only has to find one."
  
Slide 3: Attackers Can Often Evade Defenses
  
Slide 4: Perimeter Security

• Much of the practice of computer security has to do with making sure the doors are locked.
  – When we have incidents, we spend more money on prevention.
  – We tend to assume that if the bad guys are in, it's game over.
• We're focusing our energy where attackers have the most strength.
  
Slide 5: What advantages do defenders have?

Home Court Advantage

• Defenders create the network environment that attackers are trying to compromise
• Defenders
  – Know what is on the network
  – Have visibility into the network
• Attackers have to discover the environment through reconnaissance
• Defenders can exploit the attacker's lack of knowledge of the environment in order to detect attackers and waste their time
  
Slide 6: A Four Dimensional View of Attacker Behavior

• A sophisticated attack on a network involves a series of steps
• Traditional thinking views any system compromise as a successful breach
• Any successful action taken to stop an infection prior to data exfiltration can be considered a win
• This is the Kill Chain concept introduced by Mike Cloppert at Lockheed Martin (Hutchins, Cloppert and Amin, 2011)
• Controls should be put in place at each stage of the chain

Stages shown in the diagram: Recon, Exploitation, Initial Infection, Internal Pivot, Data Preparation & Exfiltration, Command and Control
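The detection side of the two preceding slides (the home court advantage, and a control at each stage of the chain), as an added example that is not part of the Lancope deck: three detectors over NetFlow-style flow records, one each for the Recon, Command and Control, and Data Exfiltration stages. The flow record fields, the 10.0.0.0/8 internal range, the inventory of in-use addresses, the thresholds and the sample flows are all assumptions constructed for the example. The recon detector is only as good as the inventory behind it, which is exactly the defender's advantage the slide describes: the attacker has to probe to learn what is there, and every probe into unassigned space is a signal a legitimate host never produces.

```python
"""Per-stage detections over NetFlow-style flow records (added example).

Assumptions: unidirectional flow records with the fields below, a 10.0.0.0/8
internal range, an inventory of addresses the defender knows are assigned,
and constructed sample flows. Thresholds are illustrative, not tuned.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import pstdev


@dataclass(frozen=True)
class Flow:
    start: int   # flow start, epoch seconds
    src: str
    dst: str
    dport: int
    nbytes: int  # octets sent src -> dst


INTERNAL = ip_network("10.0.0.0/8")
# Assumed inventory: every address the defender has actually assigned. Any
# other address inside INTERNAL is dark space an attacker can only find by probing.
INVENTORY = {"10.0.1.10", "10.0.1.11", "10.0.2.20", "10.0.2.21", "10.0.3.30"}


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


def detect_recon(flows, min_dark_hits=3):
    """Recon stage: internal sources that touch >= min_dark_hits unassigned
    internal addresses. Legitimate hosts have no reason to talk to dark space."""
    dark = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.dst not in INVENTORY:
            dark[f.src].add(f.dst)
    return {src: sorted(dsts) for src, dsts in dark.items() if len(dsts) >= min_dark_hits}


def detect_beaconing(flows, min_flows=6, max_jitter=0.2):
    """C2 stage: outbound flows to one external host:port at a regular interval.
    Flags a series when the spread of the inter-flow gaps is small relative to
    their mean (coefficient of variation <= max_jitter). Returns {key: period}."""
    series = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            series[(f.src, f.dst, f.dport)].append(f.start)
    hits = {}
    for key, times in series.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            hits[key] = round(mean)
    return hits


def detect_exfil(flows, max_bytes=50_000_000):
    """Exfiltration stage: total outbound volume per (src, dst) over a threshold,
    summed across flows so a transfer split into many sessions still shows."""
    total = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            total[(f.src, f.dst)] += f.nbytes
    return {k: v for k, v in total.items() if v > max_bytes}


def run_detections(flows):
    return {"recon": detect_recon(flows),
            "c2": detect_beaconing(flows),
            "exfil": detect_exfil(flows)}


def sample_flows():
    """Constructed flows: one clean workstation (10.0.1.10) and one compromised
    host (10.0.1.11) that sweeps dark space, beacons, then uploads 80 MB."""
    t0 = 1_700_000_000
    flows = [Flow(t0 + i * 37, "10.0.1.10", "10.0.2.20", 445, 20_000) for i in range(5)]
    flows += [Flow(t0 + i, "10.0.1.11", f"10.0.5.{i}", 445, 60) for i in range(1, 6)]
    for i, jitter in enumerate([0, 3, -2, 4, -1, 2, 0, 1]):  # ~300 s beacon
        flows.append(Flow(t0 + i * 300 + jitter, "10.0.1.11", "203.0.113.7", 443, 900))
    flows += [Flow(t0 + 5000 + i * 10, "10.0.1.11", "198.51.100.9", 443, 20_000_000) for i in range(4)]
    for t in [5, 70, 400, 410, 900, 2000, 2100]:  # irregular browsing, not a beacon
        flows.append(Flow(t0 + t, "10.0.1.10", "192.0.2.80", 443, 15_000))
    return flows


if __name__ == "__main__":
    for stage, hits in run_detections(sample_flows()).items():
        print(stage, hits)
```

Run as-is and the compromised host shows up at all three stages while the clean workstation shows up at none; the beaconing check is the one most worth tuning, since a coefficient of variation of 0.2 will also catch well-behaved software updaters, which is a reason to feed such hits into investigation rather than block on them outright.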
  
Slide 7: Toward Continuous Incident Response

Factors driving the change:

• The persistent nature of the threat
• Other organizations aren't necessarily experiencing the same attacks
• The desire to collect threat intelligence that can be used to detect future incidents
• A sophisticated attack on a network involves a series of steps

The diagram shows a loop: Detect, Respond, Analyze, Distill Intel, feeding back into Detect.
  
Slide 8: Ponemon Research Report: 2014 Cyber Security Incident Response

Sample response                Freq      Pct
Sampling frame                 20,446    100%
Total returns                  793       3.9%
Rejected & screened surveys    119       0.6%
Final sample                   674       3.3%

A scientific sampling frame of 20,446 experienced IT and IT security practitioners located in all regions of the United States and United Kingdom was selected as participants to this survey.
  
Slide 9: How can your organization most effectively mitigate future security breaches?

68%  Better incident response capabilities
62%  Threat intelligence or IP reputation services
44%  Improved vulnerability audits and assessments
36%  Improved patch management process
29%  Higher quality professional staffing
  
Slide 10: Incident Response Budgets

Percentage of security budget spent on incident response:
50%  Less than 10%
31%  10% to 20%
11%  21% to 30%
 5%  31% to 40%
 2%  41% to 50%
 1%  More than 50%

How did this percentage change over the past 24 months?
34%  Increased
18%  Decreased
45%  Stayed the same
 3%  Cannot determine
Slide 14: What type of tools are most effective in helping to detect breaches?

80%  NetFlow / Pcap
76%  SIEM
67%  IDS / IPS
65%  Threat feeds
  
Slide 17: Network / Services / Hosts
  
  
Slide 19: NetFlow and Packet Capture
  
Slide 20:

• NetFlow
  – Lots of breadth, less depth
  – Lower disk space requirements
• Full Packet Capture
  – Deep but not broad
  – Expensive
  – High disk space requirements
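What a flow record keeps and what it drops, as an added example that is not from the deck: a toy exporter that folds constructed packets into unidirectional 5-tuple records with an inactive timeout, plus a payload search that only works on the packets, which is the "deep but not broad" trade-off in code. The 40 header bytes per packet, the 60-second timeout and the packet contents are assumptions; the 48-byte record size is that of a NetFlow v5 record and the 16-byte per-packet header is the pcap file format's. A real exporter also has an active timeout and TCP-flag handling, omitted here.

```python
"""Folding packets into NetFlow-style records (added example).

Assumptions: constructed packets with an already-decoded 5-tuple, 40 header
bytes per packet, a 60 s inactive timeout, and a 48-byte exported record
(the size of a NetFlow v5 record).
"""
from dataclasses import dataclass

HEADER_BYTES = 40        # assumed IP + TCP/UDP header bytes carried per packet
PCAP_RECORD_HEADER = 16  # per-packet header in the pcap file format
FLOW_RECORD_BYTES = 48   # one NetFlow v5 flow record


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes


@dataclass
class FlowRecord:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    first: float
    last: float
    packets: int = 0
    octets: int = 0


def export_flows(packets, inactive_timeout=60.0):
    """Aggregate packets into unidirectional records keyed on the 5-tuple.
    When the gap since the record's last packet exceeds inactive_timeout the
    record is exported and a fresh one started, as a real exporter does."""
    active, exported = {}, []
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        rec = active.get(key)
        if rec is not None and p.ts - rec.last > inactive_timeout:
            exported.append(active.pop(key))
            rec = None
        if rec is None:
            rec = active[key] = FlowRecord(*key, first=p.ts, last=p.ts)
        rec.last = p.ts
        rec.packets += 1
        rec.octets += HEADER_BYTES + len(p.payload)
    exported.extend(active.values())  # flush whatever is still open at end of capture
    return exported


def search_payload(packets, needle: bytes):
    """Depth only full packet capture has: conversations whose payload contains needle."""
    return sorted({(p.src, p.dst) for p in packets if needle in p.payload})


def storage_ratio(packets, flows):
    """How many times larger the pcap is than the exported flow records."""
    pcap = sum(PCAP_RECORD_HEADER + HEADER_BYTES + len(p.payload) for p in packets)
    return pcap / (FLOW_RECORD_BYTES * len(flows))


def sample_packets():
    """Constructed traffic: an HTTP exchange, the same 5-tuple again five
    minutes later, and a DNS lookup. Payloads are made up."""
    c, s = "10.0.1.11", "203.0.113.7"
    return [
        Packet(0.0, c, 50000, s, 80, "tcp",
               b"GET /gate.php HTTP/1.1\r\nHost: 203.0.113.7\r\n"
               b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n"),
        Packet(0.1, s, 80, c, 50000, "tcp", b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\nok!!"),
        Packet(0.2, c, 50000, s, 80, "tcp", b""),  # bare ACK
        Packet(300.0, c, 50000, s, 80, "tcp", b"GET /gate.php HTTP/1.1\r\nHost: 203.0.113.7\r\n\r\n"),
        Packet(1.0, "10.0.1.10", 53111, "10.0.0.53", 53, "udp", b"\x12\x34\x01\x00" + b"\x00" * 24),
        Packet(1.02, "10.0.0.53", 53, "10.0.1.10", 53111, "udp", b"\x12\x34\x81\x80" + b"\x00" * 40),
    ]


if __name__ == "__main__":
    pk = sample_packets()
    fl = export_flows(pk)
    for r in fl:
        print(f"{r.src}:{r.sport} -> {r.dst}:{r.dport} {r.proto} pkts={r.packets} octets={r.octets}")
    print("gate.php seen in packets:", search_payload(pk, b"gate.php"))
    print("pcap/flow size ratio:", round(storage_ratio(pk, fl), 2))
```

Six packets become five records; the request path and User-Agent that would make an analyst suspicious survive only in the packets, while the records still tell you who talked to whom, when, how often and how much, and that is what you can afford to keep for every link for months.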
  
  
Slide 22: Service Logs
  
Slide 23: Services (as targets)
  
Slide 24: Services (as supplementary information)
  
Slide 25: Host Logs
  
Slide 26: From where do you send information to your SIEM?

61%  Network security devices
52%  All client PCs
48%  All application servers
36%  All identity management infrastructure
31%  All network infrastructure
34%  We don't
  
Slide 27: Regardless of the information source…

• Are you just logging information, or are you also collecting it?
• Are you saving only 'special' log lines, or everything?
• Do you have a standard retention period in policy?
  – Does the budget control the period, or the period the budget?
• If you have end-user managed hosts, are they subject to the same logging policies?
  
Slide 28: Backups - the stakes have been raised!
  
  
Slide 30: Do your organization's incident investigations result in threat indicators which are used to defend the organization from future attacks?

43%  Yes
54%  No
 3%  Unsure
  
Slide 31: Roles in a Modern Incident Response Team

Security Analyst
Network Forensics Analyst
Hard Drive Forensic Analyst
Malware Analyst
Threat Intelligence Analyst

Security [Operations] Engineer
Operations Engineer
Software Engineer
  
Slide 32: Staffing

Number of team members in CSIRT:
12%  None
16%  One
44%  2 to 5
23%  6 to 10
 5%  More than 10

Number of team members fully dedicated to CSIRT:
45%  None
28%  One
14%  2 to 5
11%  6 to 10
 2%  More than 10
  
Slide 33: How frequently do you assess the readiness of your Incident Response team?

21%  On an ongoing basis
14%  On a quarterly basis
 6%  On a semi-annual basis
12%  On an annual basis
29%  Not on a regular schedule
18%  Readiness is not assessed
  
Slide 34: Use of Indicators

• Firewall
• Web Gateway
• Mail Gateway
• IPS / IDS
• SIEM
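Closing the loop of slide 7 (Distill Intel feeding back into Detect) through the control points listed above, as an added example that is not taken from the deck: indicators are distilled from an investigation's artifacts, normalized, and matched against log lines from a firewall, web gateway, mail gateway and IDS. The log lines use a simplified "source key=value ..." format invented for the example, not any vendor's real format, and the incident ID, addresses, domains, hash and log contents are all constructed. The two details a practitioner would want are the normalization (the investigation's notes rarely match the case and trailing-dot conventions of the logs) and the subdomain rule, which lets a domain indicator cover hosts under it without ever matching a bare TLD.

```python
"""Distilling indicators from an investigation and matching them at several
control points (added example).

Assumptions: a simplified "source key=value ..." log line format standing in
for a firewall, web gateway, mail gateway and IDS (no vendor format); all
addresses, domains, hashes and the incident ID are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str      # "ipv4" | "domain" | "sha256" | "email"
    value: str     # normalized form
    incident: str  # investigation that produced it


def normalize(kind: str, value: str) -> str:
    v = value.strip()
    if kind == "domain":
        v = v.lower().rstrip(".")  # case-insensitive, drop trailing root dot
    elif kind in ("sha256", "email"):
        v = v.lower()
    return v


def distill(incident_id, artifacts):
    """Distill Intel step: raw artifacts ({"ipv4": [...], "domain": [...], ...})
    from an investigation become normalized, typed indicators."""
    return [Indicator(kind, normalize(kind, v), incident_id)
            for kind, values in artifacts.items() for v in values]


# Which log field carries which indicator kind at each control point.
FIELD_KINDS = {
    "firewall": {"dst": "ipv4"},
    "webgw":    {"host": "domain", "dst": "ipv4"},
    "mailgw":   {"from": "email", "sha256": "sha256"},
    "ids":      {"src": "ipv4", "dst": "ipv4"},
}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str):
    source, _, rest = line.partition(" ")
    return source, {k: v.strip('"') for k, v in KV.findall(rest)}


class IndicatorIndex:
    def __init__(self, indicators):
        self.by_kind = defaultdict(dict)
        for ind in indicators:
            self.by_kind[ind.kind][ind.value] = ind

    def lookup(self, kind, value):
        v = normalize(kind, value)
        table = self.by_kind.get(kind, {})
        if kind != "domain":
            return table.get(v)
        # A domain indicator also covers its subdomains, but never a bare TLD:
        # c2.bad.example.net -> bad.example.net -> example.net, stopping before "net".
        labels = v.split(".")
        for i in range(len(labels) - 1):
            hit = table.get(".".join(labels[i:]))
            if hit:
                return hit
        return None


def match_logs(index, lines):
    """Detect step: (line number, source, kind, value, incident) per sighting."""
    hits = []
    for n, line in enumerate(lines, 1):
        source, fields = parse_line(line)
        for field, kind in FIELD_KINDS.get(source, {}).items():
            if field in fields:
                ind = index.lookup(kind, fields[field])
                if ind:
                    hits.append((n, source, ind.kind, ind.value, ind.incident))
    return hits


def sightings(hits):
    """Which control points saw each indicator value."""
    seen = defaultdict(set)
    for _, source, _, value, _ in hits:
        seen[value].add(source)
    return dict(seen)


# Constructed artifacts from a fictional investigation, deliberately un-normalized.
INDICATORS = distill("IR-2014-017", {
    "ipv4": ["203.0.113.7"],
    "domain": ["Update.Example.NET."],
    "sha256": ["0123456789ABCDEF" * 4],
    "email": ["Billing@Example.ORG"],
})
LOGS = [  # constructed log lines, one or two per control point
    'firewall src=10.0.1.11 dst=203.0.113.7 dport=443 action=allow',
    'firewall src=10.0.1.10 dst=192.0.2.80 dport=443 action=allow',
    'webgw client=10.0.1.12 host=cdn.update.example.net path=/gate.php dst=198.51.100.9',
    'mailgw from=billing@example.org to=alice@corp.example sha256=' + "0123456789abcdef" * 4 + ' attach=invoice.exe',
    'mailgw from=hr@corp.example to=bob@corp.example sha256=' + "ff" * 32,
    'ids sig="ET TROJAN Generic Checkin" src=10.0.1.11 dst=203.0.113.7',
]

if __name__ == "__main__":
    hits = match_logs(IndicatorIndex(INDICATORS), LOGS)
    for h in hits:
        print(h)
    print(sightings(hits))
```

The same C2 address is seen by both the firewall and the IDS, the domain indicator catches a host under it at the web gateway, and the mail gateway matches on sender and attachment hash; each hit carries the incident it came from, which is what lets the 43% of teams on slide 30 say where an indicator originated when it fires months later.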
  
Slide 35: Are you sharing threat intelligence?

45%  Information is neither received nor shared
26%  Information is received from sharing partners but not shared with them
23%  Information is shared with law enforcement or other government agencies
15%  Information is shared with various CERTs
12%  Information is shared with industry peers
  
  
Slide 37: Do you have a PR and Analyst Relations plan in place in the event of a breach?

23%  Yes
75%  No
 2%  Unsure
  
Slide 38: What functions or departments are involved in the incident response process?

79%  IT management
14%  Executive management
10%  Board of directors
36%  Risk management
45%  Legal
47%  Compliance
43%  HR
  
Slide 39: Frequency of cyber threat briefings to various functions

91%  IT management
64%  Compliance / Audit
51%  Legal
50%  HR
49%  Risk management
24%  Broadly within the organization
20%  Executive management
12%  Board of directors
  
Slide 40: Should your CSIRT make decisions or recommendations?
  
Slide 41: Things to get in writing

• Who can approve what actions?
  – Does the type of incident affect the answer?
  – If an appropriate person cannot be reached, can the incident responder act on their own after a given amount of time?
  
Slide 42: Things to get in writing

• What are end-users' responsibilities in the incident response process?
  – Are they required to turn over machines to the CSIRT?
  – In the event of a compromise resulting in a wipe, do users get access to their files? Which ones?
  – What happens when a user needs something that the CSIRT has blocked?
  – Who handles exceptions?
  
Slide 43: Things to get in writing

• Can your CSIRT participate in information and indicator sharing groups?
• Can your CSIRT run malware live on the internet?
  – What are the safe handling requirements?
• Can your CSIRT interact with malicious hosts for the purpose of intelligence gathering?
  – From the corporate LAN? An unattributed network?
  
  
Slide 45: Resources

• Ponemon Research Report: 2014 Cyber Security Incident Response
  http://www.lancope.com/ponemon-incident-response
• The Forum of Incident Response & Security Teams (FIRST)
  www.first.org
• CERT Division of the Software Engineering Institute (SEI)
  www.cert.org/incident-management/
  
Slide 46: Q/A
  

 
The Library of Sparta
The Library of SpartaThe Library of Sparta
The Library of SpartaLancope, Inc.
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefLancope, Inc.
 
Looking for the weird webinar 09.24.14
Looking for the weird   webinar 09.24.14Looking for the weird   webinar 09.24.14
Looking for the weird webinar 09.24.14Lancope, Inc.
 
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowCisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowLancope, Inc.
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeLancope, Inc.
 

More from Lancope, Inc. (20)

Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective Security
 
Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlow
 
The Internet of Everything is Here
The Internet of Everything is HereThe Internet of Everything is Here
The Internet of Everything is Here
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside Out
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside Out
 
5 Signs you have an Insider Threat
5 Signs you have an Insider Threat5 Signs you have an Insider Threat
5 Signs you have an Insider Threat
 
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...
 
Detecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatchDetecting Threats: A Look at the Verizon DBIR and StealthWatch
Detecting Threats: A Look at the Verizon DBIR and StealthWatch
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
 
Extending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the EndpointExtending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the Endpoint
 
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly BreachesSave Your Network – Protecting Manufacturing Data from Deadly Breaches
Save Your Network – Protecting Manufacturing Data from Deadly Breaches
 
Save Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly BreachesSave Your Network – Protecting Healthcare Data from Deadly Breaches
Save Your Network – Protecting Healthcare Data from Deadly Breaches
 
Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security
 
Insider threats webinar 01.28.15
Insider threats webinar 01.28.15Insider threats webinar 01.28.15
Insider threats webinar 01.28.15
 
Protecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data BreachesProtecting the Crown Jewels from Devastating Data Breaches
Protecting the Crown Jewels from Devastating Data Breaches
 
The Library of Sparta
The Library of SpartaThe Library of Sparta
The Library of Sparta
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
Looking for the weird webinar 09.24.14
Looking for the weird   webinar 09.24.14Looking for the weird   webinar 09.24.14
Looking for the weird webinar 09.24.14
 
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowCisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
 

Recently uploaded

Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 

Recently uploaded (20)

Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 

Modern Incident Response Program Needs

  • 1. Needs of a Modern Incident Response Program
    Tom Cross, Director of Security Research, Lancope
    Brandon Tansey, Security Researcher, Lancope
    © 2014 Lancope, Inc. All rights reserved.

  • 2. What advantages do attackers have? Asymmetry
    "The defender has to cover every vulnerability but the attacker only has to find one."

  • 3. Attackers Can Often Evade Defenses

  • 4. Perimeter Security
    • Much of the practice of computer security has to do with making sure the doors are locked.
      – When we have incidents we spend more money on prevention.
      – We tend to assume that if the bad guys are in, it's game over.
    • We're focusing our energy where attackers have the most strength

  • 5. What advantages do defenders have? Home Court Advantage
    • Defenders create the network environment that attackers are trying to compromise
    • Defenders
      • Know what is on the network
      • Have visibility into the network
    • Attackers have to discover the environment through reconnaissance
    • Defenders can exploit the attacker's lack of knowledge of the environment in order to detect attackers and waste their time

  • 6. A Four Dimensional View of Attacker Behavior
    • A sophisticated attack on a network involves a series of steps
    • Traditional thinking views any system compromise as a successful breach
    • Any successful action taken to stop an infection prior to data exfiltration can be considered a win
    • This is the Kill Chain concept introduced by Mike Cloppert at Lockheed
    • Controls should be put in place at each stage of the chain
    Diagram labels: Recon; Exploitation; Initial Infection; Internal Pivot; Data Preparation & Exfiltration; Command and Control

  • 7. Toward Continuous Incident Response
    Factors driving the change:
    • The persistent nature of the threat
    • Other organizations aren't necessarily experiencing the same attacks
    • The desire to collect threat intelligence that can be used to detect future incidents
    • A sophisticated attack on a network involves a series of steps
    Diagram labels (cycle): Detect; Analyze; Respond; Distill Intel

  • 8. Ponemon Research Report: 2014 Cyber Security Incident Response
    Sample Response (Freq, Pct%):
      Sampling frame: 20,446 (100%)
      Total returns: 793 (3.9%)
      Rejected & screened surveys: 119 (0.6%)
      Final sample: 674 (3.3%)
    A scientific sampling frame of 20,446 experienced IT and IT security practitioners located in all regions of the United States and United Kingdom were selected as participants to this survey.

  • 9. How can your organization most effectively mitigate future security breaches?
    Better incident response capabilities: 68%
    Threat Intelligence or IP reputation services: 62%
    Improved vulnerability audits and assessments: 44%
    Improved patch management process: 36%
    Higher quality professional staffing: 29%

  • 10. Incident Response Budgets
    Percentage of security budget spent on Incident Response: Less than 10%: 50%; 10% to 20%: 31%; 21% to 30%: 11%; 31% to 40%: 5%; 41% to 50%: 2%; More than 50%: 1%
    How did this percentage change over the past 24 months? Increased: 34%; Decreased: 18%; Stayed the same: 45%; Cannot determine: 3%

  • 11. [no text on slide]

  • 12. [no text on slide]

  • 13. [no text on slide]

  • 14. What type of tools are most effective in helping to detect breaches?
    NetFlow / Pcap: 80%
    SIEM: 76%
    IDS / IPS: 67%
    Threat Feeds: 65%

  • 15. [no text on slide]

  • 16. [no text on slide]

  • 17. Network; Services; Hosts

  • 18. [no text on slide]

  • 19. NetFlow vs. Packet Capture

  • 20.
    • NetFlow
      – Lots of breadth, less depth
      – Lower disk space requirements
    • Full Packet Capture
      – Deep but not broad
      – Expensive
      – High disk space requirements
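The breadth-versus-depth trade-off on slide 20 is easier to see with data in hand. The following is an added example, not code from the presentation or from Lancope: constructed packets are collapsed into unidirectional NetFlow-style records the way a flow exporter would, the storage cost of the two representations is compared (the 48-byte NetFlow v5 record size is real; the per-packet pcap overhead of 16 + 54 bytes is an assumed approximation), and two questions are asked of the data. A payload search can only be answered from the packets, while a beaconing check on evenly spaced connection start times works on the flow records alone. All hosts, ports and timings are constructed.

```python
"""Added example: why NetFlow is 'broad but shallow' compared with full packet
capture. Constructed packets are collapsed into unidirectional flow records;
the payload is gone, but periodic connection patterns are still visible."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float          # seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes


@dataclass
class Flow:
    """One NetFlow-style record: a 5-tuple plus counters, no payload."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


PCAP_PER_PACKET_OVERHEAD = 16 + 54   # pcap record header + Ethernet/IPv4/TCP headers (assumed sizes)
NETFLOW_V5_RECORD_BYTES = 48         # fixed size of a NetFlow v5 flow record


def aggregate_flows(packets):
    """Collapse packets into unidirectional flows keyed by 5-tuple, as a flow exporter would."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        f = flows.get(key)
        if f is None:
            f = Flow(*key, first_seen=p.ts, last_seen=p.ts)
            flows[key] = f
        f.last_seen = p.ts
        f.packets += 1
        f.octets += len(p.payload)
    return list(flows.values())


def storage_summary(packets):
    """Compare bytes needed to keep full packets vs. only flow records."""
    flows = aggregate_flows(packets)
    return {
        "packets": len(packets),
        "flows": len(flows),
        "pcap_bytes": sum(PCAP_PER_PACKET_OVERHEAD + len(p.payload) for p in packets),
        "flow_bytes": NETFLOW_V5_RECORD_BYTES * len(flows),
    }


def find_payload(packets, needle):
    """Depth: a content search only full packet capture can answer."""
    return [(p.ts, p.src, p.dst) for p in packets if needle in p.payload]


def beacon_candidates(flows, min_connections=4, jitter=0.1):
    """Breadth: group flows by (src, dst, dport, proto) and flag groups whose
    start times are evenly spaced. Needs no payload, so it works on NetFlow."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport, f.proto)].append(f.first_seen)
    found = []
    for key, starts in groups.items():
        if len(starts) < min_connections:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= jitter * mean for g in gaps):
            found.append((key, round(mean, 1)))
    return found


def sample_packets():
    """Constructed traffic: one web session, one regular 60 s beacon, one irregular browser."""
    pkts = []
    web_c, web_s = "10.0.0.5", "203.0.113.10"
    # client -> server, then server -> client (separate flows: NetFlow is unidirectional)
    client_payloads = [b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n", b"", b""]
    server_payloads = [b"HTTP/1.1 200 OK\r\n" + b"x" * 1400, b"x" * 1400, b"x" * 900]
    for i, pl in enumerate(client_payloads):
        pkts.append(Packet(100.0 + i, web_c, web_s, 51000, 80, "tcp", pl))
    for i, pl in enumerate(server_payloads):
        pkts.append(Packet(100.5 + i, web_s, web_c, 80, 51000, "tcp", pl))
    # beacon: five connections 60 s apart, a new source port each time
    for i in range(5):
        pkts.append(Packet(1000.0 + 60 * i, "10.0.0.7", "198.51.100.20", 40000 + i, 443, "tcp",
                           b"\x17\x03\x03" + b"\x00" * 61))
    # irregular connections from another host: not flagged
    for i, t in enumerate([5.0, 17.0, 90.0, 93.0]):
        pkts.append(Packet(t, "10.0.0.9", web_s, 52000 + i, 80, "tcp", b"GET / HTTP/1.1\r\n\r\n"))
    return pkts


if __name__ == "__main__":
    pkts = sample_packets()
    print(storage_summary(pkts))
    print("payload hits:", find_payload(pkts, b"Host: www.example.com"))
    print("beacons:", beacon_candidates(aggregate_flows(pkts)))
```

Running the block prints the storage comparison, the single packet that carries the searched header, and the one (src, dst, dport, proto) group whose connections recur every 60 seconds. The jitter tolerance matters in practice: real beacons add randomised sleep, so tighten or loosen it against observed traffic rather than trusting the default.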
  • 21. [no text on slide]

  • 22. Service Logs

  • 23. Services (as targets)

  • 24. Services (as supplementary information)

  • 25. Host Logs

  • 26. From where do you send information to your SIEM?
    Network Security Devices: 61%
    All Client PCs: 52%
    All Application Servers: 48%
    All Identity Management Infrastructure: 36%
    All Network Infrastructure: 31%
    We Don't: 34%

  • 27. Regardless of the information source…
    • Are you just logging information or are you also collecting it?
    • Are you saving only 'special' log lines, or everything?
    • Do you have a standard retention period in policy?
      – Does the budget control the period, or the period the budget?
    • If you have end-user managed hosts, are they subject to the same logging policies?

  • 28. Backups - the stakes have been raised!

  • 29. [no text on slide]

  • 30. Do your organization's incident investigations result in threat indicators which are used to defend the organization from future attacks?
    Yes: 43%
    No: 54%
    Unsure: 3%

  • 31. Roles in a Modern Incident Response Team
    Security Analyst
    Network Forensics Analyst
    Hard Drive Forensic Analyst
    Malware Analyst
    Threat Intelligence Analyst
    Security [Operations] Engineer
    Operations Engineer
    Software Engineer

  • 32. Staffing
    Number of team members in CSIRT: None: 12%; One: 16%; 2 to 5: 44%; 6 to 10: 23%; More than 10: 5%
    Number of team members fully dedicated to CSIRT: None: 45%; One: 28%; 2 to 5: 14%; 6 to 10: 11%; More than 10: 2%

  • 33. How frequently do you assess the readiness of your Incident Response team?
    On an ongoing basis: 21%
    On a quarterly basis: 14%
    On a semi-annual basis: 6%
    On an annual basis: 12%
    Not on a regular schedule: 29%
    Readiness is not assessed: 18%

  • 34. Use of Indicators
    • Firewall
    • Web Gateway
    • Mail Gateway
    • IPS / IDS
    • SIEM
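Slide 30 asks whether investigations yield indicators that are then used to defend the organization, and slide 34 lists the control points that can consume them. The following is an added example, not code from the presentation or from Lancope, showing the mechanics of closing that loop: a small set of indicators distilled from a (placeholder) incident ticket is routed to the controls whose indicator kinds they match, and the same set is checked against log lines from a firewall, a web gateway and a mail gateway as they would arrive at a SIEM. The log line formats, the indicator-kind-to-control mapping, the hosts, the sender address and the attachment hash are all constructed for this example; one malformed line is included so the parser's handling of it is visible.

```python
"""Added example: using indicators distilled from an incident at the control
points a CSIRT feeds. Log formats and indicators are constructed, not any
vendor's; incident ids are placeholders."""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str      # "ipv4", "domain", "email" or "sha256"
    value: str
    incident: str  # ticket the indicator came from (placeholder id)


# Which indicator kinds each control can act on (assumed mapping for this example)
APPLICABLE = {
    "firewall": {"ipv4"},
    "web_gateway": {"ipv4", "domain"},
    "mail_gateway": {"email", "sha256"},
    "ids": {"ipv4", "domain"},
}

# Constructed line formats for three log sources feeding a SIEM
LOG_PATTERNS = {
    "firewall": re.compile(r"^(?P<ts>\S+) fw src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+ action=\w+$"),
    "web_gateway": re.compile(r"^(?P<ts>\S+) proxy client=(?P<client>\S+) host=(?P<host>\S+) path=\S+ status=\d+$"),
    "mail_gateway": re.compile(r"^(?P<ts>\S+) mail from=(?P<sender>\S+) to=\S+ attachment_sha256=(?P<sha256>[0-9a-f]{64}|-)$"),
}


def observables(source, line):
    """Parse one log line into (ts, {kind: set(values)}); None if the line is malformed."""
    m = LOG_PATTERNS[source].match(line)
    if not m:
        return None
    g = m.groupdict()
    if source == "firewall":
        obs = {"ipv4": {g["src"], g["dst"]}}
    elif source == "web_gateway":
        obs = {"ipv4": {g["client"]}, "domain": {g["host"].lower()}}
    else:
        obs = {"email": {g["sender"].lower()}}
        if g["sha256"] != "-":
            obs["sha256"] = {g["sha256"]}
    return g["ts"], obs


def match_logs(indicators, lines):
    """Return (hits, unparsed). hits holds one dict per (line, indicator) match."""
    by_kind = {}
    for ind in indicators:
        by_kind.setdefault(ind.kind, {})[ind.value.lower()] = ind
    hits, unparsed = [], 0
    for source, line in lines:
        parsed = observables(source, line)
        if parsed is None:
            unparsed += 1        # count, never crash, on lines the pattern does not fit
            continue
        ts, obs = parsed
        for kind, values in obs.items():
            for v in values:
                ind = by_kind.get(kind, {}).get(v.lower())
                if ind:
                    hits.append({"source": source, "ts": ts, "kind": kind,
                                 "value": ind.value, "incident": ind.incident})
    return hits, unparsed


def deploy_plan(indicators):
    """Which control should receive which indicators, decided by indicator kind."""
    return {ctl: sorted(i.value for i in indicators if i.kind in kinds)
            for ctl, kinds in APPLICABLE.items()}


# Constructed indicators from a placeholder incident ticket
SAMPLE_HASH = hashlib.sha256(b"constructed sample attachment").hexdigest()
INDICATORS = [
    Indicator("ipv4", "198.51.100.20", "IR-PLACEHOLDER-1"),
    Indicator("domain", "update-check.example.net", "IR-PLACEHOLDER-1"),
    Indicator("email", "invoice@example.org", "IR-PLACEHOLDER-1"),
    Indicator("sha256", SAMPLE_HASH, "IR-PLACEHOLDER-1"),
]

# Constructed log lines; the last one is deliberately malformed
SAMPLE_LOGS = [
    ("firewall", "2014-06-01T10:00:00Z fw src=10.0.0.7 dst=198.51.100.20 dport=443 action=allow"),
    ("firewall", "2014-06-01T10:00:05Z fw src=10.0.0.5 dst=203.0.113.10 dport=80 action=allow"),
    ("web_gateway", "2014-06-01T10:01:00Z proxy client=10.0.0.7 host=Update-Check.example.net path=/ping status=200"),
    ("web_gateway", "2014-06-01T10:01:30Z proxy client=10.0.0.5 host=www.example.com path=/index.html status=200"),
    ("mail_gateway", f"2014-06-01T09:55:00Z mail from=invoice@example.org to=alice@corp.example attachment_sha256={SAMPLE_HASH}"),
    ("mail_gateway", "2014-06-01T09:58:00Z mail from=bob@example.com to=alice@corp.example attachment_sha256=-"),
    ("firewall", "garbled line that the parser must not crash on"),
]

if __name__ == "__main__":
    hits, unparsed = match_logs(INDICATORS, SAMPLE_LOGS)
    for h in hits:
        print(h)
    print("unparsed lines:", unparsed)
    print(deploy_plan(INDICATORS))
```

Two points the block makes that the slide does not: matching is case-insensitive for domains and addresses because logs rarely normalise them, and every hit carries the incident id it traces back to, which is what lets the team retire an indicator when the incident that produced it is closed. The count of unparsed lines is worth alerting on by itself; a sudden rise usually means a log format changed upstream and the control is silently blind.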
  • 35. Are you sharing threat intelligence?
    Information is neither received nor shared: 45%
    Information is received from sharing partners but not shared with them: 26%
    Information is shared with law enforcement or other government agencies: 23%
    Information is shared with various CERTs: 15%
    Information is shared with industry peers: 12%

  • 36. [no text on slide]

  • 37. Do you have a PR and Analyst Relations plan in place in the event of a breach?
    Yes: 23%
    No: 75%
    Unsure: 2%

  • 38. What functions or departments are involved in the incident response process?
    IT Management: 79%
    Executive Management: 14%
    Board of Directors: 10%
    Risk management: 36%
    Legal: 45%
    Compliance: 47%
    HR: 43%

  • 39. Frequency of cyber threat briefings to various functions
    IT management: 91%
    Compliance / Audit: 64%
    Legal: 51%
    HR: 50%
    Risk management: 49%
    Broadly within the organization: 24%
    Executive management: 20%
    Board of directors: 12%

  • 40. Should your CSIRT make decisions or recommendations?

  • 41. Things to get in writing
    • Who can approve what actions?
      – Does the type of incident affect the answer?
      – If an appropriate person cannot be reached, can the incident responder act on their own after a given amount of time?

  • 42. Things to get in writing
    • What are end-users' responsibilities in the incident response process?
      – Are they required to turn over machines to the CSIRT?
      – In the event of a compromise resulting in a wipe, do users get access to their files? Which ones?
      – What happens when a user needs something that the CSIRT has blocked?
      – Who handles exceptions?

  • 43. Things to get in writing
    • Can your CSIRT participate in information and indicator sharing groups?
    • Can your CSIRT run malware live on the internet?
      – What are safe handling requirements?
    • Can your CSIRT interact with malicious hosts for the purpose of intelligence gathering?
      – From the corporate LAN? An unattributed network?

  • 44. [no text on slide]

  • 45. Resources
    § Ponemon Research Report: 2014 Cyber Security Incident Response: http://www.lancope.com/ponemon-incident-response
    § The Forum of Incident Response & Security Teams: www.first.org
    § CERT Division of the Software Engineering Institute (SEI): www.cert.org/incident-management/

  • 46. Q/A