1. Breach Response Planning: Hammer Out Your Legal, Business and Technology Differences, Before a Breach
Michael Scheidell, CISSP, CCISO, SMIEEE
Chief Information Security Officer
Miami Fraud & Breach Prevention Summit
2. Michael Scheidell, CISSP, CCISO, SMIEEE
• CISSP, Certified CISO
• Former Banking and Finance Sector Chief, FBI InfraGard, South Florida Members Alliance
• Delegate to NIST CSF workshop
• Senior Member, IEEE
• Privacy Expert
• Member ISSA, IAPP, ISACA, SFTA, CSA
• Patents in Network Security
• Founded 3 technology companies
• Recent Engagements: $2.2BN National Pharmacy, Law Office, Banking Audits
@scheidell
561-948-1305 / michael@securityprivateers.com
http://www.securityprivateers.com
4. If you haven’t been breached yet:
• You have, but don’t know it (90%): PWC [1]
• It WILL happen (100%): RSA [2]
1. http://www.scmagazineuk.com/pwc-almost-all-large-companies-suffered-a-data-breach-last-year/article/418343/
2. http://www.crn.com/news/security/232601663/coviello-rsa-security-breach-could-happen-to-anyone.htm
7. DETECT
Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
• Anomalies and Events
• Security Continuous Monitoring
• Detection Process
8. RESPOND
Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements
9. RECOVER
Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
• Recovery Planning
• Improvements
• Communications
10. Important elements of any breach plan
• Define ‘breach’
• DON’T SAY IT, but define it (it is an EVENT or INCIDENT)
“A data breach is the intentional or unintentional release of secure information to an untrusted environment.” Wikipedia [3]
• Data breach laws start the disclosure ‘clock’ when you identify a breach.
• If the help desk sends you an email saying “We have a breach”, the clock starts then.
• Decide who has LEGAL authority to declare a breach
3. https://en.wikipedia.org/wiki/Data_breach
11. Legal
• Breach Definitions (different)
• List of Personally Identifiable Information
• Breach Disclosure to Law enforcement
• Breach ‘clock’ different: 30 days, 60 days
• When to do a national press release: 500 records!
• NOT JUST IT/TECH RELATED
12. Technology
• System Log Management
  • At least a separate syslog server
  • Record logon/logoff/failures
  • Record firewall deny logs
  • Record Windows security events
• Forensics
  • Create a ‘jump kit’: data dump/inspection
  • Contract with a forensics company
  • Be prepared to investigate an incident involving secure information
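As an added example (not part of the slides), the kind of check the log sources above make possible once they land on a separate syslog server: a Python script that parses constructed syslog-style lines (sshd failures, a forwarded Windows 4625 logon-failure event, firewall deny entries), counts events per source address and lists sources with repeated failures, so the help desk has the evidence that starts the incident clock.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape a central syslog server would
# receive: Linux auth failures, one forwarded Windows 4625 event and
# firewall deny entries. None of these are real captures.
SAMPLE_LOGS = """\
Mar 10 02:14:01 db01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 db01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 02:14:05 db01 sshd[2201]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 02:14:09 db01 sshd[2204]: Accepted password for root from 203.0.113.7 port 51025 ssh2
Mar 10 02:15:40 fw01 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=445
Mar 10 02:15:41 fw01 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=10.0.0.6 PROTO=TCP DPT=445
Mar 10 02:16:00 winsrv EventID=4625 LogonType=3 TargetUser=finance SourceIP=203.0.113.7
Mar 10 02:20:12 app01 sshd[3100]: Accepted publickey for deploy from 10.0.0.20 port 40010 ssh2
"""

# One regex per event category; group 1 is always the source address.
PATTERNS = {
    "auth_failure": re.compile(r"Failed password for .* from (\S+)"),
    "auth_success": re.compile(r"Accepted \w+ for \S+ from (\S+)"),
    "fw_deny": re.compile(r"\bDENY\b.*\bSRC=(\S+)"),
    "win_4625": re.compile(r"EventID=4625\b.*SourceIP=(\S+)"),
}

def summarize(lines):
    """Count events per source address and category (first matching category wins)."""
    per_src = defaultdict(Counter)
    for line in lines:
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                per_src[m.group(1)][name] += 1
                break
    return per_src

def flag_sources(per_src, threshold=3):
    """Return sources worth an incident ticket: repeated logon failures or denies.
    A success from the same source after failures is worth noting separately."""
    findings = []
    for src, c in sorted(per_src.items()):
        failures = c["auth_failure"] + c["win_4625"]
        if failures >= threshold or c["fw_deny"] >= threshold:
            findings.append({"src": src, "failures": failures,
                             "fw_deny": c["fw_deny"],
                             "also_succeeded": c["auth_success"] > 0})
    return findings

if __name__ == "__main__":
    for finding in flag_sources(summarize(SAMPLE_LOGS.splitlines())):
        print(finding)
```

The thresholds are placeholders; tune them to the environment, and keep the raw lines that produced a finding with the ticket, since they are the forensic record.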
13. Business / Data Governance
• Who are the Governors?
• Who ‘owns’ the data?
• Who is responsible for it?
• Data Classification
• NOT AN IT OR SECURITY ISSUE, a GRC ISSUE
• Protect ALL data the same?
• Do you know WHAT constitutes sensitive data?
• Do you know WHERE your sensitive data is stored?
• FFIEC Demands Data Classification
14. Before the breach
• Take commercially reasonable measures
• Locate and Protect Data
• Keep Logs and Backups
• Security Awareness Training
• Breach/Incident Reporting
• Know what you will do: PRACTICE
• Cultivate relationship with Law Enforcement (FBI / USSS)
15. During the Breach
• Document everything
• Get help
• Let Top Management know you have a breach/incident
• If a user/database/server/laptop/workstation had sensitive information, be prepared for full forensics. DON’T TRY TO REMOVE THE VIRUS, IT WILL JUST MAKE IT WORSE
• Think about what you could have done to prevent it. MAKE NOTES
• Consider shutting down the whole network (before it gets worse)
16. After the Breach
• Again: Notes: what could you have done differently?
• Upper management, including data owners, should be involved in meetings
• Report should go to top management (the governors!)
• Don’t point fingers (4 point back to you?)
• Report the breach (yes, it is a breach) according to HIPAA/PCI/Contract/47 state data breach laws.