CYBER SECURITY INCIDENT RESPONSE CONCEPT
VERSION: 1.3
DATE: 25/06/2019
AUTHOR: SYLVAIN MARTINEZ
REFERENCE: ES-CSIR
CLASSIFICATION: PUBLIC
CONTENTS
• Presentation goal;
• Who am I;
• Who we are;
• Our customers;
• IR framework benefits;
• Data breach statistics;
• Incident cost;
• Incident readiness;
• Incident response concept;
• Teams and mandates;
• Registers and purposes;
• Registers and reporting synergy;
• IR policy & plan overview;
• Incident playbook overview;
• NIST IR lifecycle;
• NIST IR steps;
• Preparation;
• Detection & Analysis;
• Containment, Eradication & Recovery;
• Post-incident activity;
• Incident Response Checklist;
• ELYSIUMSECURITY Incident Response;
• Overview;
• Rules of Engagement;
• Preparation;
• Detection;
• Categorization;
• Containment;
• Investigation;
• Remediation;
• Reporting;
• Lessons Learnt;
• Short Term – How to start?;
• Long Term – IR Implementation;
• Extra Resources.
PUBLIC
CONTEXT | STRUCTURE | HANDLING | CASE STUDY | CONCLUSION
PRESENTATION GOAL
TO LEARN ABOUT CYBER INCIDENT RESPONSE (IR) MAIN CONCEPTS
1. LEARN ABOUT IR CORE ELEMENTS
2. LEARN HOW TO APPLY AN IR FRAMEWORK
3. LEARN HOW TO START
Icons: from The Noun Project unless stated otherwise
WHO AM I
• LIVED AND WORKED IN FRANCE, UK, USA AND MAURITIUS
• CONTRIBUTING TO AND LEADING VARIOUS OPEN SOURCE CYBER SECURITY PROJECTS FOR THE LAST 20 YEARS
• VETTED, TRAINED AND OVER 20 YEARS OF CYBER SECURITY EXPERIENCE WORKING FOR LARGE INTERNATIONAL CORPORATIONS
• PASSIONATE ABOUT IT FROM VERY EARLY YEARS
• FOUNDER AND RUNNING THE MAURITIUS SECURITY CLUB (MU.SCL) WITH FREE SECURITY AWARENESS PRESENTATIONS EVERY MONTH
WHO WE ARE
• FOUNDED IN 2015 BY SYLVAIN MARTINEZ
• INCORPORATED AND OPERATING IN MAURITIUS (2017) AND IN THE UK/EUROPE (2015)
• PROVIDING INDEPENDENT EXPERTISE IN CYBER SECURITY
• MULTITUDE OF RECOGNIZED PROFESSIONAL CERTIFICATIONS
• 20 YEARS OF INTERNATIONAL CYBER SECURITY CORPORATE EXPERIENCE
• OUR BOUTIQUE STYLE APPROACH PROVIDES A DISCREET, TAILORED AND SPECIALIZED CYBER SECURITY SERVICE THAT FITS YOUR WORKING ENVIRONMENT
CUSTOMERS (2016 – 2019)
• HEDGE FUNDS
• GOVERNMENT AGENCY SERVICE SUPPLIER
• 1x BANK
• 1x TELECOMMUNICATION GROUP
• 4x LARGE COMMERCIAL GROUPS
• 2x BANKS; 3x MANAGEMENT FUNDS
• 6x HOTELS; 3x TEXTILE; 1x SHOPPING
• 1x HEALTHCARE
REFERENCES AVAILABLE ON DEMAND
INCIDENT RESPONSE FRAMEWORK BENEFITS
REDUCED IMPACT COST
• REDUCED OPERATION DOWNTIME
• REDUCED INCIDENT IMPACT
• REDUCED/AVOIDED FINES
IMPROVED SECURITY
• IMPROVED RESPONSE TIME
• IMPROVED INCIDENT CONTAINMENT
• IMPROVED INCIDENT VISIBILITY
BUSINESS ENABLEMENT
• CONTRACT REQUIREMENT
• INDUSTRY REQUIREMENT
• LAW REQUIREMENT
DATA BREACH STATISTICS
DATA RECORDS ARE LOST OR STOLEN AT THE FOLLOWING FREQUENCY:
• EVERY DAY: 6,313,865 RECORDS
• EVERY HOUR: 263,078 RECORDS
• EVERY MINUTE: 4,385 RECORDS
• EVERY SECOND: 73 RECORDS
DATA RECORDS LOST OR STOLEN SINCE 2013: 14,717,618,286
Source: Breach Level Index - May 2019
INCIDENT COST
ELYSIUMSECURITY INVESTIGATIONS, MAURITIUS, JANUARY 2018 – JUNE 2019
• 80% FINANCIAL FRAUD
• 20% RANSOMWARE
• 100% PHISHING
INCIDENT TIMELINE AND COST:
• JAN 2018: $0.5M
• MAY 2018: $1M
• AUG 2018: $2M
• APR 2019: $0.5M
• MAY 2019: $1M
• JUNE 2019: $0.5M
WORLDWIDE STATS FROM SAFEATLAST.CO – APRIL 2019
• AVERAGE COST PER DATA BREACH: $3.86M
• AVERAGE COST PER MALWARE INFECTION: $2.4M
• AVERAGE DETECTION TIME: 197 DAYS
• FROM OUTSIDER CRIMINALS: 73%
• DATA BREACHES FROM HEALTHCARE ORGANISATIONS: 24%
INCIDENT READINESS
INCIDENT RESPONSE CONCEPT
• INCIDENT RESPONSE STRUCTURE
• INCIDENT RESPONSE HANDLING
• COORDINATION & INFORMATION SHARING
TO MINIMISE OPERATIONAL, FINANCIAL & BUSINESS INCIDENT IMPACT
NIST SP 800-61
TEAMS AND MANDATES
• CYBER SECURITY TEAM: SECURITY OPERATIONS AND PROJECTS
• CYBER RISK TEAM: RISK IDENTIFICATION AND MANAGEMENT
• CYBER INCIDENT (VIRTUAL) TEAM: INCIDENT MANAGEMENT AND RESPONSE
INTERNAL AUDIT TEAM, COMPLIANCE TEAM, SUBJECT EXPERT, VENDOR SUPPORT TEAM, IT SUPPORT TEAM
REGISTERS AND PURPOSES
GLOBAL ISSUE REGISTER
• CYBER ISSUE REGISTER: POTENTIAL AND CONFIRMED SECURITY ISSUES DETAILS
• CYBER RISK REGISTER: POTENTIAL AND CONFIRMED RISK DETAILS
• CYBER INCIDENT REGISTER: PAST AND CURRENT INCIDENTS DETAILS
• IT OPERATION REGISTER: CURRENT GENERAL IT ISSUES DETAILS
REGISTERS AND REPORTING SYNERGY
• CYBER SECURITY REGISTER (CYBER ISSUE REGISTER, CYBER RISK REGISTER, CYBER INCIDENT REGISTER): DIFFERENT TEAMS, DIFFERENT VIEWS, DIFFERENT ACCESS
• IT OPERATION REGISTER (IT ISSUE REGISTER, NETWORK ISSUE REGISTER, PROJECT ISSUE REGISTER): DIFFERENT TEAMS, DIFFERENT VIEWS, DIFFERENT ACCESS
ONE VIEW, ONE PROCESS, DIFFERENT ACCESS
INCIDENT RESPONSE POLICY & PLAN - OVERVIEW
• INCIDENT RESPONSE POLICY: INCIDENT SCOPE; INCIDENT DEFINITION & PRIORITIZATION; INCIDENT REPORTING
• INCIDENT RESPONSE PLAN: INCIDENT HANDLING; INCIDENT COORDINATION; CONTINUOUS IMPROVEMENT
• INCIDENT PLAYBOOK SCENARIOS
INCIDENT PLAYBOOK OVERVIEW
• ANALYSE SIGNS OF INCIDENT
• UNDERSTAND CAUSE OF INCIDENT
• CONTAIN INCIDENT
READY MADE SCENARIOS
PRACTICAL RESPONSE ACTIONS AVAILABLE AND COMMUNICATED
NIST INCIDENT RESPONSE LIFECYCLE
PREPARATION -> DETECTION & ANALYSIS -> CONTAINMENT, ERADICATION & RECOVERY -> POST-INCIDENT ACTIVITY
NIST SP 800-61 REV 2
NIST INCIDENT RESPONSE - STEPS
PREPARATION
1. COMMUNICATION & FACILITIES
2. HARDWARE & SOFTWARE
3. RESOURCES
DETECTION & ANALYSIS
4. ATTACK VECTORS IDENTIFICATION
5. SIGN OF AN INCIDENT
6. SOURCE OF PRECURSORS
7. INCIDENT ANALYSIS
8. INCIDENT DOCUMENTATION
9. INCIDENT PRIORITIZATION
10. INCIDENT NOTIFICATION
CONTAINMENT, ERADICATION & RECOVERY
11. CONTAINMENT STRATEGY
12. EVIDENCE GATHERING & HANDLING
13. IDENTIFYING THE ATTACKING HOST
14. ERADICATION & RECOVERY
POST-INCIDENT ACTIVITY
15. LESSONS LEARNT
16. USING COLLECTED INCIDENT DATA
17. EVIDENCE RETENTION
PREPARATION - OVERVIEW
1. COMMUNICATION & FACILITIES: CONTACT DETAILS; PHYSICAL LOGISTICS; COORDINATION SYSTEM
2. HARDWARE & SOFTWARE: GENERAL IT SPARE EQUIPMENT; FORENSICS SPECIFIC EQUIPMENT; TRUSTED SOURCED SOFTWARE
3. RESOURCES: ARCHITECTURE DIAGRAMS; DOCUMENTATION; INCIDENT PLAYBOOK
DETECTION & ANALYSIS - OVERVIEW
4. ATTACK VECTORS IDENTIFICATION: SOURCE OF ATTACK; TYPE OF ATTACK; METHOD OF ATTACK
5. SIGN OF AN INCIDENT: SECURITY ALERTS; SECURITY LOGS; PEOPLE FEEDBACK
6. SOURCE OF PRECURSORS & INDICATORS: NETWORK LOGS; SYSTEM LOGS; EXPLOIT ANNOUNCEMENT
7. INCIDENT ANALYSIS: BASELINES; LOG ANALYSIS; DATA RESULTS FILTERING
DETECTION & ANALYSIS - OVERVIEW
8. INCIDENT DOCUMENTATION: STATUS; WORK DONE; NEXT STEPS
9. INCIDENT PRIORITIZATION: FUNCTIONAL IMPACT; INFORMATION IMPACT; RECOVERABILITY
10. INCIDENT NOTIFICATION: UPPER MANAGEMENT; STAFF; EXTERNAL BODIES
CONTAINMENT, ERADICATION & RECOVERY - OVERVIEW
11. CONTAINMENT STRATEGY: INCIDENT IMPACT; EVIDENCE REQUIREMENTS; SOLUTION SUSTAINABILITY
12. EVIDENCE GATHERING & HANDLING: INCIDENT INFORMATION; TIME AND DATE; LOCATION
13. IDENTIFYING THE ATTACKING HOST: SOURCE IP; ATTACKER RESEARCH; COMMUNICATION MONITORING
14. ERADICATION & RECOVERY: REMOVING IMMEDIATE THREAT; REMEDIATING VULNERABILITIES; GROUP WIDE CHANGES
POST INCIDENT ACTIVITY - OVERVIEW
15. LESSONS LEARNT: INCIDENT DETAILS; TECHNOLOGY AND PROCESS GAPS; POSSIBLE IMPROVEMENTS
16. USING COLLECTED INCIDENT DATA: INCIDENT STATISTICS; INCIDENT SLA; INCIDENT ASSESSMENT
17. EVIDENCE RETENTION: PROSECUTION; DATA RETENTION; COST
INCIDENT RESPONSE CHECKLIST
ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW
CLIENTS REQUIREMENTS + NIST AND FIRST CORE ELEMENTS -> ELYSIUMSECURITY IR FRAMEWORK
• PRACTICAL IMPLEMENTATION OF NIST
• GUIDED PROCESS
• SHORTER PROCESS: 17x STEPS -> 8x STEPS
• USED NIST AND FIRST CORE ELEMENTS
• 5x ACTIVITIES PER STEP
ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW
{elysiumsecurity} INCIDENT RESPONSE FRAMEWORK
1. PREPARATION
2. DETECTION
3. CATEGORISATION
4. CONTAINMENT
5. INVESTIGATION
6. REMEDIATION
7. REPORTING
8. LESSONS LEARNT
{es} INCIDENT RESPONSE - RULES OF ENGAGEMENT
DO NOT MAKE THINGS WORSE!
1. DO NOT ENGAGE OR INTERACT WITH THE HACKER/THREAT GROUP
2. DO NOT CONNECT TO THE THREAT’S RELATED NETWORK(S) FROM YOUR ORGANISATION
3. PRESERVE EVIDENCE
4. COORDINATE INTERNAL AND EXTERNAL COMMUNICATION WITH MANAGEMENT
5. ALL INCIDENT DETAILS MUST BE TREATED AS CONFIDENTIAL
{es} INCIDENT RESPONSE - PREPARATION
1. PREPARATION: ACTIVITY – EXAMPLE
1. INCIDENT RESPONSE PLAN – TEAM, PROCEDURES, DOCUMENTATION, APPROVAL, MANAGEMENT COMMITMENT
2. INCIDENT RESPONSE PLAYBOOK – PHISHING, RANSOMWARE, KEYLOGGER, DDOS
3. LOGISTICS – MEETING ROOMS, LAPTOPS, REMOVABLE STORAGE, PHONES, STATIONERY, PRINTERS, SLEEPING AND CATERING ARRANGEMENTS
4. CONTACTS – TEAM, ALTERNATIVE CONTACT METHODS, ESCALATION, ON CALL, SUPPORT, VENDOR
5. SUPPORT – INCIDENT REGISTER, ARCHITECTURE DIAGRAM, NETWORK DIAGRAM, DATA FLOWS, APPLICATION AND SYSTEM DOCUMENTATION
{es} INCIDENT RESPONSE - DETECTION
2. DETECTION: ACTIVITY – EXAMPLE
1. WHO/WHAT DETECTED/REPORTED THE THREAT? – IT STAFF, SECURITY TOOLS
2. WHAT IS THE DATE AND TIME OF THE THREAT DETECTION/REPORT? – NORMALISE TIME AND DATE ACROSS REPORTING, RECORD TIME IN GMT
3. HOW WAS THE THREAT DETECTED/REPORTED? – EMAIL, TEXT, WARNING POP UP, PHONE CALL
4. HAS A SIMILAR THREAT ALREADY BEEN REPORTED? – PREVIOUS INCIDENT REGISTER LOGS
5. IS THE THREAT VALID? – CONFIRMED, FALSE POSITIVE
{es} INCIDENT RESPONSE - CATEGORISATION
3. CATEGORISATION: ACTIVITY – EXAMPLE
1. WHO/WHAT IS THE TARGET OF THE THREAT? – USER, SYSTEM, SPECIFIC DATA
2. IS THIS AN ONGOING/LIVE THREAT? – ONGOING, STOPPED, UNKNOWN
3. WHAT IS THE IMPACT OF THE THREAT? – FINANCIAL, OPERATIONAL, REPUTATIONAL, LEGAL
4. CATEGORISE THE PRIORITY OF THE INCIDENT – PRIORITY 1, 2, 3 (P1 > P2 > P3)
5. CLASSIFY THE INCIDENT COMMUNICATION – RESTRICTED / UNRESTRICTED
{es} INCIDENT RESPONSE - CONTAINMENT
4. CONTAINMENT: ACTIVITY – EXAMPLE
1. COORDINATE INCIDENT MANAGEMENT – TEAM, COMMS, ACTIVITIES, DOCUMENTATION
2. LIGHT AND QUICK THREAT ANALYSIS – NETWORK, SYSTEM, USER
3. IDENTIFY MAIN ATTACK AND COMPROMISE VECTORS – IP, PORTS, SIGNATURES, EMAIL
4. ISOLATE THE TARGETED ASSET – REMOVE FROM NETWORK, DISABLE ACCOUNT
5. IMPLEMENT EMERGENCY CHANGES AS REQUIRED – NETWORK, SYSTEM, USER
{es} INCIDENT RESPONSE - INVESTIGATION
5. INVESTIGATION: ACTIVITY – EXAMPLE
1. THREAT NETWORK ANALYSIS – FIREWALL, CLOUD APP LOGS, ASSET LOGS, INTERCEPTED TRAFFIC, TRAFFIC AND DATA FLOWS, SIEM
2. THREAT MALWARE ANALYSIS – A/V VENDORS, FOOTPRINT, BEHAVIOR, REVERSE ENGINEERING
3. THREAT SYSTEM ANALYSIS – EVENT LOGS, APP/PLUGINS INSTALLED, AD/EMAIL ACTIVITIES, AUTHENTICATED VULNERABILITY ASSESSMENT, SIEM
4. THREAT USER ANALYSIS – INTERVIEW TARGETED USER, CONTEXT, TRIGGERS, RECENT UNUSUAL ACTIVITIES/ALERTS
5. THREAT RESEARCH ANALYSIS – ONLINE SEARCH FOR SIMILAR THREATS, PROFESSIONAL FORUMS, VENDOR ENGAGEMENT
ELYSIUMSECURITY INCIDENT RESPONSE - REMEDIATION
6. REMEDIATION: ACTIVITY – EXAMPLE
1. THREAT NETWORK REMEDIATION – BLOCK IP, PORTS, DOMAINS, EMAILS. UPDATE F/W, IDS, APT AND SIEM RULES
2. THREAT MALWARE REMEDIATION – UPDATE SYSTEM AND NETWORK A/V SIGNATURES. ENGAGE WITH VENDORS
3. THREAT SYSTEM REMEDIATION – REMOVE/BAN INFECTED APPS/PLUGINS, CLEAR INBOX RULES, REMEDIATE ISSUES FOUND WITH THE VULNERABILITY ASSESSMENT
4. THREAT USER REMEDIATION – INDIVIDUAL AND GROUP USER AWARENESS SESSION RELEVANT TO THE THREAT
5. DECLARE THE INCIDENT REMEDIATED – FULL, PARTIAL, ACCEPTED
{es} INCIDENT RESPONSE - REPORTING
7. REPORTING: ACTIVITY – EXAMPLE
1. ONGOING REPORTING – DOCUMENTATION AND EVIDENCE SHOULD BE GENERATED AS MUCH AS POSSIBLE DURING THE PREVIOUS PHASES
2. EVIDENCE GATHERING – THREAT ACTORS, ATTACK VECTORS, ATTACK SURFACE
3. INCIDENT DOCUMENTATION – THREAT AND INCIDENT DETAILS, TRIGGERS, OWNER, FINDINGS, TIMELINE
4. INCIDENT REGISTER – CREATE/UPDATE AN OVERALL INCIDENT REGISTER TO TRACK PROGRESS AND GENERATE STATISTICS
5. INCIDENT REPORT COMMUNICATION – INTERNAL, EXTERNAL, STAFF, MANAGEMENT, BOARD, VENDORS, CLIENTS, GOVERNMENT, REGULATORS, LAW ENFORCEMENT
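The detection, categorisation and reporting activities of the {es} steps above (GMT-normalised detection time, look-up of similar threats in the incident register, P1/P2/P3 priority, restricted/unrestricted classification, register statistics) as a small incident register in Python. This is an added example, not ElysiumSecurity's own code; the priority scoring, the classification rule, the 90-day look-back window and the sample incidents are assumptions made for illustration.

```python
"""Incident register for the {es} detection, categorisation and reporting steps.
Added example, not ElysiumSecurity's code: scoring, classification rule,
look-back window and sample incidents are assumptions."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Impact types named on the categorisation slide; the weights are an assumption.
IMPACT_WEIGHT = {"FINANCIAL": 3, "LEGAL": 3, "OPERATIONAL": 2, "REPUTATIONAL": 1}


@dataclass
class Incident:
    ref: str
    threat: str                 # playbook scenario, e.g. PHISHING, RANSOMWARE
    reported_by: str            # detection 1: IT STAFF, SECURITY TOOLS
    detected_at: datetime       # detection 2: stored in GMT (UTC), never local time
    target: str                 # categorisation 1: USER, SYSTEM, SPECIFIC DATA
    status: str                 # categorisation 2: ONGOING, STOPPED, UNKNOWN
    impacts: Tuple[str, ...]    # categorisation 3: keys of IMPACT_WEIGHT
    valid: bool = True          # detection 5: CONFIRMED (True) / FALSE POSITIVE (False)
    priority: int = 3           # categorisation 4: P1 > P2 > P3
    classification: str = "RESTRICTED"                 # categorisation 5
    related: List[str] = field(default_factory=list)   # detection 4


def normalise_to_gmt(local_time: datetime, utc_offset_hours: float) -> datetime:
    """Detection activity 2: a reporter's wall-clock time plus their UTC offset
    (+4 for Mauritius) becomes an aware GMT timestamp, so all reports line up."""
    if local_time.tzinfo is None:
        local_time = local_time.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return local_time.astimezone(timezone.utc)


def categorise_priority(status: str, impacts: Tuple[str, ...], target: str) -> int:
    """Categorisation activity 4 (assumed scoring): financial or legal impact on a
    live threat gives P1; a stopped, low-impact threat gives P3."""
    score = sum(IMPACT_WEIGHT[i] for i in impacts)
    if status == "ONGOING":
        score += 2
    if target == "SPECIFIC DATA":
        score += 1
    if score >= 5:
        return 1
    if score >= 3:
        return 2
    return 3


class IncidentRegister:
    """Reporting activity 4: one register that tracks incidents and produces statistics."""

    def __init__(self) -> None:
        self.entries: List[Incident] = []

    def similar_previous(self, threat: str, target: str, before: datetime) -> List[str]:
        """Detection activity 4: confirmed incidents with the same threat type and
        target reported in the (assumed) 90-day look-back window."""
        start = before - timedelta(days=90)
        return [e.ref for e in self.entries
                if e.valid and e.threat == threat and e.target == target
                and start <= e.detected_at <= before]

    def record(self, inc: Incident) -> Incident:
        if inc.detected_at.utcoffset() != timedelta(0):   # naive or non-GMT time
            raise ValueError("detected_at must be normalised to GMT first")
        inc.related = self.similar_previous(inc.threat, inc.target, inc.detected_at)
        if inc.valid:   # a false positive keeps the lowest priority
            inc.priority = categorise_priority(inc.status, inc.impacts, inc.target)
        # Assumed rule: P1 incidents and legal/financial impact stay RESTRICTED.
        sensitive = inc.priority == 1 or bool({"LEGAL", "FINANCIAL"} & set(inc.impacts))
        inc.classification = "RESTRICTED" if sensitive else "UNRESTRICTED"
        self.entries.append(inc)
        return inc

    def statistics(self) -> Dict[str, object]:
        confirmed = [e for e in self.entries if e.valid]
        return {
            "total": len(self.entries),
            "false_positives": len(self.entries) - len(confirmed),
            "ongoing": sum(1 for e in confirmed if e.status == "ONGOING"),
            "by_threat": Counter(e.threat for e in confirmed),
            "by_priority": Counter(f"P{e.priority}" for e in confirmed),
        }


def demo_register() -> IncidentRegister:
    """Constructed sample incidents (not real cases) reported from two time zones."""
    reg = IncidentRegister()
    reg.record(Incident("INC-001", "PHISHING", "IT STAFF", normalise_to_gmt(
        datetime(2019, 5, 6, 9, 30), +4), "USER", "STOPPED", ("REPUTATIONAL",)))
    reg.record(Incident("INC-002", "PHISHING", "SECURITY TOOLS", normalise_to_gmt(
        datetime(2019, 5, 20, 14, 0), +4), "USER", "ONGOING", ("FINANCIAL",)))
    reg.record(Incident("INC-003", "RANSOMWARE", "IT STAFF", normalise_to_gmt(
        datetime(2019, 6, 3, 8, 15), +1), "SYSTEM", "ONGOING", ("OPERATIONAL", "FINANCIAL")))
    reg.record(Incident("INC-004", "KEYLOGGER", "SECURITY TOOLS", normalise_to_gmt(
        datetime(2019, 6, 10, 11, 0), +4), "SYSTEM", "UNKNOWN", (), valid=False))
    return reg
```

Calling `demo_register().statistics()` returns the counts a reporting step would put in front of management; `record()` refuses any detection time that was not normalised to GMT first.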
{es} INCIDENT RESPONSE – LESSONS LEARNT
8. LESSONS LEARNT: ACTIVITY – EXAMPLE
1. ROOT CAUSE ANALYSIS – IDENTIFY AND DOCUMENT INCIDENT TRIGGERS AND SECURITY GAPS THAT ENABLED THE INCIDENT TO OCCUR
2. CONTROLS AND PROCESSES READINESS – EVALUATE THE EFFICIENCY OF CURRENT SECURITY CONTROLS AND PROCESSES IN LIGHT OF THE INCIDENT
3. INCIDENT TRENDS ANALYSIS – ARE YOU LEARNING FROM PAST INCIDENTS? IS YOUR RISK PROFILE CHANGING?
4. MITIGATION PLAN – MITIGATE IMPACT OF SIMILAR FUTURE INCIDENTS
5. IMPROVEMENTS PLAN – STOP OCCURRENCE OF SIMILAR FUTURE INCIDENTS
SHORT TERM – HOW TO START?
1. REVIEW EXISTING INCIDENT PROCESS
2. ESTABLISH INCIDENT TEAM
3. CONDUCT REGULAR INCIDENT TEAM MEETING
4. SET GROUND RULES
5. DEFINE WHAT IS AN INCIDENT
6. INFORM STAFF OF RULES AND INCIDENT CONTACT
7. CREATE INCIDENT REGISTER
8. DOCUMENT RECENT AND FUTURE INCIDENTS
9. FOLLOW NIST INCIDENT HANDLING METHODOLOGY
10. CREATE HIGH LEVEL PLAYBOOK TO COMPLEMENT CHECKLIST
LONG TERM – INCIDENT RESPONSE IMPLEMENTATION
1. SELECT INCIDENT RESPONSE FRAMEWORK (NIST SP 800-61 REV 2 RECOMMENDED)
2. IMPLEMENT FULL INCIDENT RESPONSE FRAMEWORK
3. DEDICATED INCIDENT RESPONSE TEAM AND TRAINING
4. INCIDENT RESPONSE SIMULATION
5. CONTINUOUS IMPROVEMENT
EXTRA RESOURCES
• FORUM OF INCIDENT RESPONSE AND SECURITY TEAMS (FIRST) FRAMEWORK (HTTPS://WWW.FIRST.ORG/EDUCATION/FIRST_SIRT_SERVICES_FRAMEWORK_VERSION1.0.PDF)
• NATIONAL INSTITUTE OF STANDARDS & TECHNOLOGY (NIST) SPECIAL PUBLICATION (SP) 800-61 (HTTPS://NVLPUBS.NIST.GOV/NISTPUBS/SPECIALPUBLICATIONS/NIST.SP.800-61R2.PDF)
• INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-1:2016 (HTTPS://WWW.ISO.ORG/STANDARD/60803.HTML)
• INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-2:2016 (HTTPS://WWW.ISO.ORG/STANDARD/62071.HTML?BROWSE=TC)
CONTACT US! (CONSULTING@ELYSIUMSECURITY.COM)
© 2015-2019 ELYSIUMSECURITY LTD. ALL RIGHTS RESERVED.
HTTPS://WWW.ELYSIUMSECURITY.COM
CONSULTING@ELYSIUMSECURITY.COM
ABOUT ELYSIUMSECURITY LTD.
ELYSIUMSECURITY PROVIDES PRACTICAL EXPERTISE TO IDENTIFY VULNERABILITIES, ASSESS THEIR RISKS AND IMPACT, REMEDIATE THOSE RISKS, PREPARE FOR AND RESPOND TO INCIDENTS, AS WELL AS RAISE SECURITY AWARENESS THROUGHOUT AN ORGANIZATION.
ELYSIUMSECURITY PROVIDES HIGH LEVEL EXPERTISE GATHERED THROUGH YEARS OF BEST PRACTICES EXPERIENCE IN LARGE INTERNATIONAL COMPANIES, ALLOWING US TO PROVIDE ADVICE BEST SUITED TO YOUR BUSINESS OPERATIONAL MODEL AND PRIORITIES.
ELYSIUMSECURITY PROVIDES A PORTFOLIO OF STRATEGIC AND TACTICAL SERVICES TO HELP COMPANIES PROTECT AGAINST AND RESPOND TO CYBER SECURITY THREATS. WE DIFFERENTIATE OURSELVES BY OFFERING DISCREET, TAILORED AND SPECIALIZED ENGAGEMENTS.
ELYSIUMSECURITY OPERATES IN MAURITIUS AND IN EUROPE. A BOUTIQUE STYLE APPROACH MEANS WE CAN EASILY ADAPT TO YOUR BUSINESS OPERATIONAL MODEL AND REQUIREMENTS TO PROVIDE A PERSONALIZED SERVICE THAT FITS YOUR WORKING ENVIRONMENT.

SOCIAL MEDIA AS A CYBER WEAPON
 
Talk2 esc4 muscl-ids_v1_2
Talk2 esc4 muscl-ids_v1_2Talk2 esc4 muscl-ids_v1_2
Talk2 esc4 muscl-ids_v1_2
 
Talk1 esc3 muscl-standards and regulation_v1_1
Talk1 esc3 muscl-standards and regulation_v1_1Talk1 esc3 muscl-standards and regulation_v1_1
Talk1 esc3 muscl-standards and regulation_v1_1
 
Talk2 esc2 muscl-wifi_v1_2b
Talk2 esc2 muscl-wifi_v1_2bTalk2 esc2 muscl-wifi_v1_2b
Talk2 esc2 muscl-wifi_v1_2b
 

Último

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

Último (20)

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

INCIDENT RESPONSE CONCEPTS

  • 1. CYBER SECURITY INCIDENT RESPONSE CONCEPT
    VERSION: 1.3; DATE: 25/06/2019; AUTHOR: SYLVAIN MARTINEZ; REFERENCE: ES-CSIR; CLASSIFICATION: PUBLIC
  • 2. CONTENTS
    Presentation goal; Who am I; Who we are; Our customers; IR framework benefits; Data breach statistics; Incident cost; Incident readiness; Incident response concept; Teams and mandates; Registers and purposes; Registers and reporting synergy; IR policy & plan overview; Incident playbook overview; NIST IR lifecycle; NIST IR steps; Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-incident activity; Incident Response Checklist; ELYSIUMSECURITY Incident Response; Overview; Rules of Engagement; Preparation; Detection; Categorization; Containment; Investigation; Remediation; Reporting; Lessons Learnt; Short Term – How to start?; Long Term – IR Implementation; Extra Resources.
  • 3. PRESENTATION GOAL: TO LEARN ABOUT CYBER INCIDENT RESPONSE (IR) MAIN CONCEPTS
    1. LEARN ABOUT IR CORE ELEMENTS
    2. LEARN HOW TO APPLY AN IR FRAMEWORK
    3. LEARN HOW TO START
    Icons: from The Noun Project unless stated otherwise
  • 4. WHO AM I
    LIVED AND WORKED IN FRANCE, UK, USA AND MAURITIUS
    CONTRIBUTING AND LEADING VARIOUS OPEN SOURCE CYBER SECURITY PROJECTS FOR THE LAST 20 YEARS
    VETTED, TRAINED AND OVER 20 YEARS OF CYBER SECURITY EXPERIENCE WORKING FROM LARGE INTERNATIONAL CORPORATIONS
    PASSIONATE ABOUT IT FROM VERY EARLY YEARS
    FOUNDER AND RUNNING THE MAURITIUS SECURITY CLUB (MU.SCL) WITH FREE SECURITY AWARENESS PRESENTATIONS EVERY MONTH
  • 5. WHO WE ARE
    FOUNDED IN 2015 BY SYLVAIN MARTINEZ
    INCORPORATED AND OPERATING IN MAURITIUS (2017) AND IN THE UK/EUROPE (2015)
    PROVIDING INDEPENDENT EXPERTISE IN CYBER SECURITY
    MULTITUDE OF RECOGNIZED PROFESSIONAL CERTIFICATIONS
    20 YEARS OF INTERNATIONAL CYBER SECURITY CORPORATE EXPERIENCE
    OUR BOUTIQUE STYLE APPROACH PROVIDES A DISCREET, TAILORED AND SPECIALIZED CYBER SECURITY SERVICE THAT FITS YOUR WORKING ENVIRONMENT
  • 6. CUSTOMERS (2016 – 2019)
    HEDGE FUNDS; GOVERNMENT AGENCY SERVICE SUPPLIER; 1x BANK; 1x TELECOMMUNICATION GROUP; 4x LARGE COMMERCIAL GROUPS; 2x BANKS; 3x MANAGEMENT FUNDS; 6x HOTELS; 3x TEXTILE; 1x SHOPPING; 1x HEALTHCARE
    REFERENCES AVAILABLE ON DEMAND
  • 7. INCIDENT RESPONSE FRAMEWORK BENEFITS
    REDUCED IMPACT COST: REDUCED OPERATION DOWNTIME; REDUCED INCIDENT IMPACT; REDUCED/AVOIDED FINES
    IMPROVED SECURITY: IMPROVED RESPONSE TIME; IMPROVED INCIDENT CONTAINMENT; IMPROVED INCIDENT VISIBILITY
    BUSINESS ENABLEMENT: CONTRACT REQUIREMENT; INDUSTRY REQUIREMENT; LAW REQUIREMENT
  • 8. DATA BREACH STATISTICS
    DATA RECORDS ARE LOST OR STOLEN AT THE FOLLOWING FREQUENCY: EVERY DAY 6,313,865 RECORDS; EVERY HOUR 263,078 RECORDS; EVERY MINUTE 4,385 RECORDS; EVERY SECOND 73 RECORDS
    DATA RECORDS LOST OR STOLEN SINCE 2013 (counter graphic; value not recoverable from the slide text)
    Source: Breach Level Index - May 2019
  • 9. INCIDENT COST
    ELYSIUMSECURITY INVESTIGATIONS, MAURITIUS, JANUARY 2018 – JUNE 2019: 80% FINANCIAL FRAUD; 20% RANSOMWARE; 100% PHISHING
    INVESTIGATION TIMELINE: JAN 2018, MAY 2018, AUG 2018, APR 2019, MAY 2019, JUNE 2019; INCIDENT COSTS SHOWN: $0.5M, $1M, $2M, $0.5M, $1M, $0.5M
    WORLDWIDE STATS (FROM SAFEATLAST.CO – APRIL 2019): AVERAGE COST PER DATA BREACH $3.86M; AVERAGE COST PER MALWARE INFECTION $2.4M; AVERAGE DETECTION TIME 197 DAYS; FROM OUTSIDERS/CRIMINALS 73%; DATA BREACHES FROM HEALTHCARE ORGANISATIONS 24%
  • 11. INCIDENT RESPONSE CONCEPT (NIST SP 800-61)
    INCIDENT RESPONSE STRUCTURE; INCIDENT RESPONSE HANDLING; COORDINATION & INFORMATION SHARING
    TO MINIMISE OPERATIONAL, FINANCIAL & BUSINESS INCIDENT IMPACT
  • 12. TEAMS AND MANDATES
    CYBER SECURITY TEAM: SECURITY OPERATIONS AND PROJECTS
    CYBER RISK TEAM: RISK IDENTIFICATION AND MANAGEMENT
    CYBER INCIDENT (VIRTUAL) TEAM: INCIDENT MANAGEMENT AND RESPONSE
    SUPPORTING TEAMS: INTERNAL AUDIT TEAM; COMPLIANCE TEAM; SUBJECT EXPERT; VENDOR SUPPORT TEAM; IT SUPPORT TEAM
  • 13. REGISTERS AND PURPOSES
    CYBER ISSUE REGISTER: POTENTIAL AND CONFIRMED SECURITY ISSUES DETAILS
    CYBER RISK REGISTER: POTENTIAL AND CONFIRMED RISK DETAILS
    CYBER INCIDENT REGISTER: PAST AND CURRENT INCIDENTS DETAILS
    IT OPERATION REGISTER: CURRENT GENERAL IT ISSUES DETAILS
  • 14. REGISTERS AND REPORTING SYNERGY
    GLOBAL ISSUE REGISTER (ONE VIEW, ONE PROCESS) MADE OF:
    CYBER SECURITY REGISTER: CYBER ISSUE REGISTER; CYBER RISK REGISTER; CYBER INCIDENT REGISTER (DIFFERENT ACCESS, DIFFERENT TEAMS, DIFFERENT VIEWS)
    IT OPERATION REGISTER: IT ISSUE REGISTER; NETWORK ISSUE REGISTER; PROJECT ISSUE REGISTER (DIFFERENT ACCESS, DIFFERENT TEAMS, DIFFERENT VIEWS)
  • 15. INCIDENT RESPONSE POLICY & PLAN - OVERVIEW
    INCIDENT RESPONSE POLICY: INCIDENT SCOPE; INCIDENT DEFINITION & PRIORITIZATION; INCIDENT REPORTING
    INCIDENT RESPONSE PLAN: INCIDENT HANDLING; INCIDENT COORDINATION; CONTINUOUS IMPROVEMENT
  • 16. INCIDENT PLAYBOOK OVERVIEW
    INCIDENT PLAYBOOK SCENARIOS: ANALYSE SIGNS OF INCIDENT; UNDERSTAND CAUSE OF INCIDENT; CONTAIN INCIDENT
    READY MADE SCENARIOS; PRACTICAL RESPONSE ACTIONS; AVAILABLE AND COMMUNICATED
  • 17. NIST INCIDENT RESPONSE LIFECYCLE (NIST SP 800-61 REV 2)
    PREPARATION -> DETECTION & ANALYSIS -> CONTAINMENT, ERADICATION & RECOVERY -> POST-INCIDENT ACTIVITY
  • 18. NIST INCIDENT RESPONSE - STEPS
    PREPARATION: 1. COMMUNICATION & FACILITIES; 2. HARDWARE & SOFTWARE; 3. RESOURCES; 4. ATTACK VECTORS IDENTIFICATION
    DETECTION & ANALYSIS: 5. SIGN OF AN INCIDENT; 6. SOURCE OF PRECURSORS; 7. INCIDENT ANALYSIS; 8. INCIDENT DOCUMENTATION; 9. INCIDENT PRIORITIZATION; 10. INCIDENT NOTIFICATION
    CONTAINMENT, ERADICATION & RECOVERY: 11. CONTAINMENT STRATEGY; 12. EVIDENCE GATHERING & HANDLING; 13. IDENTIFYING THE ATTACKING HOST; 14. ERADICATION & RECOVERY
    POST-INCIDENT ACTIVITY: 15. LESSONS LEARNT; 16. USING COLLECTED INCIDENT DATA; 17. EVIDENCE RETENTION
  • 19. PREPARATION - OVERVIEW
    1. COMMUNICATION & FACILITIES: CONTACT DETAILS; PHYSICAL LOGISTICS; COORDINATION SYSTEM
    2. HARDWARE & SOFTWARE: GENERAL IT SPARE EQUIPMENT; FORENSICS SPECIFIC EQUIPMENT; TRUSTED SOURCED SOFTWARE
    3. RESOURCES: ARCHITECTURE DIAGRAMS; DOCUMENTATION; INCIDENT PLAYBOOK
  • 20. DETECTION & ANALYSIS - OVERVIEW
    4. ATTACK VECTORS IDENTIFICATION: SOURCE OF ATTACK; TYPE OF ATTACK; METHOD OF ATTACK
    5. SIGN OF AN INCIDENT
    6. SOURCE OF PRECURSORS & INDICATORS: SECURITY ALERTS; SECURITY LOGS; PEOPLE FEEDBACK; NETWORK LOGS; SYSTEM LOGS; EXPLOIT ANNOUNCEMENT
    7. INCIDENT ANALYSIS: BASELINES; LOG ANALYSIS; DATA RESULTS FILTERING
  • 21. DETECTION & ANALYSIS - OVERVIEW
    8. INCIDENT DOCUMENTATION: STATUS; WORK DONE; NEXT STEPS
    9. INCIDENT PRIORITIZATION: FUNCTIONAL IMPACT; INFORMATION IMPACT; RECOVERABILITY
    10. INCIDENT NOTIFICATION: UPPER MANAGEMENT; STAFF; EXTERNAL BODIES
  • 22. CONTAINMENT, ERADICATION & RECOVERY - OVERVIEW
    11. CONTAINMENT STRATEGY: INCIDENT IMPACT; EVIDENCE REQUIREMENTS; SOLUTION SUSTAINABILITY
    12. EVIDENCE GATHERING & HANDLING: INCIDENT INFORMATION; TIME AND DATE; LOCATION
    13. IDENTIFYING THE ATTACKING HOST: SOURCE IP; ATTACKER RESEARCH; COMMUNICATION MONITORING
    14. ERADICATION & RECOVERY: REMOVING IMMEDIATE THREAT; REMEDIATING VULNERABILITIES; GROUP WIDE CHANGES
  • 23. POST INCIDENT ACTIVITY - OVERVIEW
    15. LESSONS LEARNT: INCIDENT DETAILS; TECHNOLOGY AND PROCESS GAPS; POSSIBLE IMPROVEMENTS
    16. USING COLLECTED INCIDENT DATA: INCIDENT STATISTICS; INCIDENT SLA; INCIDENT ASSESSMENT
    17. EVIDENCE RETENTION: PROSECUTION; DATA RETENTION; COST
  • 24. INCIDENT RESPONSE CHECKLIST (checklist shown as an image on the slide)
  • 25. ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW
    PRACTICAL IMPLEMENTATION OF NIST GUIDED PROCESS; SHORTER PROCESS; USED NIST AND FIRST CORE ELEMENTS; 17x STEPS -> 8x STEPS; CLIENTS REQUIREMENTS
    ELYSIUMSECURITY IR FRAMEWORK: 5x ACTIVITIES PER STEP
  • 26. ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW
    {elysiumsecurity} INCIDENT RESPONSE FRAMEWORK (cycle diagram starting at 1. PREPARATION)
  • 27. {es} INCIDENT RESPONSE - RULES OF ENGAGEMENT: DO NOT MAKE THINGS WORSE!
    1. DO NOT ENGAGE OR INTERACT WITH THE HACKER/THREAT GROUP
    2. DO NOT CONNECT TO THE THREAT'S RELATED NETWORK(S) FROM YOUR ORGANISATION
    3. PRESERVE EVIDENCE
    4. COORDINATE INTERNAL AND EXTERNAL COMMUNICATION WITH MANAGEMENT
    5. ALL INCIDENT DETAILS MUST BE TREATED AS CONFIDENTIAL
  • 28. {es} INCIDENT RESPONSE - PREPARATION (STEP 1. PREPARATION; ACTIVITIES WITH EXAMPLES)
    1. INCIDENT RESPONSE PLAN: TEAM, PROCEDURES, DOCUMENTATION, APPROVAL, MANAGEMENT COMMITMENT
    2. INCIDENT RESPONSE PLAYBOOK: PHISHING, RANSOMWARE, KEYLOGGER, DDOS
    3. LOGISTICS: MEETING ROOMS, LAPTOPS, REMOVABLE STORAGE, PHONES, STATIONERY, PRINTERS, SLEEPING AND CATERING ARRANGEMENTS
    4. CONTACTS: TEAM, ALTERNATIVE CONTACT METHODS, ESCALATION, ON CALL, SUPPORT, VENDOR
    5. SUPPORT: INCIDENT REGISTER, ARCHITECTURE DIAGRAM, NETWORK DIAGRAM, DATA FLOWS, APPLICATION AND SYSTEM DOCUMENTATION
  • 29. {es} INCIDENT RESPONSE - DETECTION (STEP 2. DETECTION; ACTIVITIES WITH EXAMPLES)
    1. WHO/WHAT DETECTED/REPORTED THE THREAT? IT STAFF, SECURITY TOOLS
    2. WHAT IS THE DATE AND TIME OF THE THREAT DETECTION/REPORT? NORMALISE TIME AND DATE ACROSS REPORTING – RECORD TIME IN GMT
    3. HOW WAS THE THREAT DETECTED/REPORTED? EMAIL, TEXT, WARNING POP UP, PHONE CALL
    4. HAS A SIMILAR THREAT ALREADY BEEN REPORTED? PREVIOUS INCIDENT REGISTER LOGS
    5. IS THE THREAT VALID? CONFIRMED, FALSE POSITIVE
  • 30. {es} INCIDENT RESPONSE - CATEGORISATION (STEP 3. CATEGORISATION; ACTIVITIES WITH EXAMPLES)
    1. WHO/WHAT IS THE TARGET OF THE THREAT? USER, SYSTEM, SPECIFIC DATA
    2. IS THIS AN ONGOING/LIVE THREAT? ONGOING, STOPPED, UNKNOWN
    3. WHAT IS THE IMPACT OF THE THREAT? FINANCIAL, OPERATIONAL, REPUTATIONAL, LEGAL
    4. CATEGORISE THE PRIORITY OF THE INCIDENT: PRIORITY 1, 2, 3 (P1 > P2 > P3)
    5. CLASSIFY THE INCIDENT COMMUNICATION: RESTRICTED / UNRESTRICTED
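An added example, not code from the deck or from ELYSIUMSECURITY, that walks the detection and categorisation activities above as a small Python incident register: detection times are normalised to GMT, a new report is checked against earlier register entries, only a confirmed threat is filed, and a P1/P2/P3 priority plus a communication classification is assigned. The priority mapping, the "similar threat" rule and the restricted/unrestricted rule are my assumptions; the deck states only the activity questions, the impact types and P1 > P2 > P3.

```python
"""Added example (not the deck's or ELYSIUMSECURITY's code): a minimal cyber
incident register covering the {es} DETECTION and CATEGORISATION activities.
The priority mapping, the 'similar threat' rule and the communication
classification rule are assumptions made for illustration only."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

IMPACTS = {"FINANCIAL", "OPERATIONAL", "REPUTATIONAL", "LEGAL"}  # categorisation 3


def normalise_to_gmt(reported: str) -> datetime:
    """Detection activity 2: reporters give local time with their UTC offset
    ('2019-06-03 14:05+04:00'); the register stores GMT/UTC only.
    A timestamp without an offset is rejected rather than guessed."""
    stamp = datetime.fromisoformat(reported)
    if stamp.tzinfo is None:
        raise ValueError("detection time must carry a UTC offset")
    return stamp.astimezone(timezone.utc)


@dataclass
class Incident:
    reported_by: str               # detection 1: who/what detected or reported it
    detected_at: datetime          # detection 2: stored in GMT
    channel: str                   # detection 3: EMAIL, TEXT, WARNING POP UP, PHONE CALL
    target: str                    # categorisation 1: USER, SYSTEM, SPECIFIC DATA
    vector: str                    # attack vector, used for the "similar threat" check
    status: str                    # categorisation 2: ONGOING, STOPPED, UNKNOWN
    valid: Optional[bool] = None   # detection 5: True = CONFIRMED, False = FALSE POSITIVE
    impacts: set = field(default_factory=set)   # categorisation 3, subset of IMPACTS
    priority: Optional[str] = None  # categorisation 4: P1 > P2 > P3
    comms: Optional[str] = None     # categorisation 5: RESTRICTED / UNRESTRICTED


class IncidentRegister:
    """Cyber incident register (past and current incidents), which answers
    detection activity 4: has a similar threat already been reported?"""

    def __init__(self) -> None:
        self.entries: list = []

    def similar(self, target: str, vector: str) -> list:
        # Assumed rule: same vector against the same target counts as similar.
        return [i for i in self.entries
                if i.vector == vector and i.target == target]

    def categorise(self, inc: Incident) -> Incident:
        unknown = inc.impacts - IMPACTS
        if unknown:
            raise ValueError(f"unknown impact type(s): {sorted(unknown)}")
        # Assumed priority mapping: a live threat with financial or legal
        # impact is P1; anything live/unknown or with any impact is P2;
        # a stopped threat with no identified impact is P3.
        if inc.status == "ONGOING" and inc.impacts & {"FINANCIAL", "LEGAL"}:
            inc.priority = "P1"
        elif inc.status in ("ONGOING", "UNKNOWN") or inc.impacts:
            inc.priority = "P2"
        else:
            inc.priority = "P3"
        # Assumed classification: only P3 incidents may be communicated
        # unrestricted; everything else stays restricted.
        inc.comms = "UNRESTRICTED" if inc.priority == "P3" else "RESTRICTED"
        return inc

    def record(self, inc: Incident):
        """Look up prior similar threats, then categorise and file the report
        only if detection activity 5 confirmed it (False or None: not filed)."""
        prior = self.similar(inc.target, inc.vector)
        if inc.valid is not True:
            return inc, prior
        self.categorise(inc)
        self.entries.append(inc)
        return inc, prior


def demo() -> IncidentRegister:
    """Constructed sample reports (not real incidents) run through the register."""
    reg = IncidentRegister()
    reg.record(Incident("mail gateway", normalise_to_gmt("2019-06-03 14:05+04:00"),
                        "EMAIL", "finance user", "phishing", "STOPPED",
                        valid=True, impacts={"FINANCIAL"}))
    reg.record(Incident("IT staff", normalise_to_gmt("2019-06-10 09:30+01:00"),
                        "PHONE CALL", "finance user", "phishing", "ONGOING",
                        valid=True, impacts={"FINANCIAL", "REPUTATIONAL"}))
    reg.record(Incident("IDS", normalise_to_gmt("2019-06-10 10:00+00:00"),
                        "WARNING POP UP", "web server", "port scan", "STOPPED",
                        valid=False))   # false positive: looked up but not filed
    return reg


if __name__ == "__main__":
    for entry in demo().entries:
        print(entry.detected_at.isoformat(), entry.priority, entry.comms,
              entry.target, entry.vector)
```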
  • 31. {es} INCIDENT RESPONSE - CONTAINMENT (STEP 4. CONTAINMENT; ACTIVITIES WITH EXAMPLES)
    1. COORDINATE INCIDENT MANAGEMENT: TEAM, COMMS, ACTIVITIES, DOCUMENTATION
    2. LIGHT AND QUICK THREAT ANALYSIS: NETWORK, SYSTEM, USER
    3. IDENTIFY MAIN ATTACK AND COMPROMISE VECTORS: IP, PORTS, SIGNATURES, EMAIL
    4. ISOLATE THE TARGETED ASSET: REMOVE FROM NETWORK, DISABLE ACCOUNT
    5. IMPLEMENT EMERGENCY CHANGES AS REQUIRED: NETWORK, SYSTEM, USER
  • 32. {es} INCIDENT RESPONSE - INVESTIGATION (STEP 5. INVESTIGATION; ACTIVITIES WITH EXAMPLES)
    1. THREAT NETWORK ANALYSIS: FIREWALL, CLOUD APP LOGS, ASSET LOGS, INTERCEPTED TRAFFIC, TRAFFIC AND DATA FLOWS, SIEM
    2. THREAT MALWARE ANALYSIS: A/V VENDORS, FOOTPRINT, BEHAVIOR, REVERSE ENGINEERING
    3. THREAT SYSTEM ANALYSIS: EVENT LOGS, APP/PLUGINS INSTALLED, AD/EMAIL ACTIVITIES, AUTHENTICATED VULNERABILITY ASSESSMENT, SIEM
    4. THREAT USER ANALYSIS: INTERVIEW TARGETED USER, CONTEXT, TRIGGERS, RECENT UNUSUAL ACTIVITIES/ALERTS
    5. THREAT RESEARCH ANALYSIS: ONLINE SEARCH FOR SIMILAR THREATS, PROFESSIONAL FORUMS, VENDOR ENGAGEMENT
  • 33. ELYSIUMSECURITY INCIDENT RESPONSE - REMEDIATION (STEP 6. REMEDIATION; ACTIVITIES WITH EXAMPLES)
    1. THREAT NETWORK REMEDIATION: BLOCK IP, PORTS, DOMAINS, EMAILS. UPDATE F/W, IDS, APT AND SIEM RULES
    2. THREAT MALWARE REMEDIATION: UPDATE SYSTEM AND NETWORK A/V SIGNATURES. ENGAGE WITH VENDORS
    3. THREAT SYSTEM REMEDIATION: REMOVE/BAN INFECTED APPS/PLUGINS, CLEAR INBOX RULES, REMEDIATE ISSUES FOUND WITH THE VULNERABILITY ASSESSMENT
    4. THREAT USER REMEDIATION: INDIVIDUAL AND GROUP USER AWARENESS SESSION RELEVANT TO THE THREAT
    5. DECLARE THE INCIDENT REMEDIATED: FULL, PARTIAL, ACCEPTED
  • 34. {es} INCIDENT RESPONSE - REPORTING (STEP 7. REPORTING; ACTIVITIES WITH EXAMPLES)
    1. ONGOING REPORTING: DOCUMENTATION AND EVIDENCE SHOULD BE GENERATED AS MUCH AS POSSIBLE DURING THE PREVIOUS PHASES
    2. EVIDENCE GATHERING: THREAT ACTORS, ATTACK VECTORS, ATTACK SURFACE
    3. INCIDENT DOCUMENTATION: THREAT AND INCIDENT DETAILS, TRIGGERS, OWNER, FINDINGS, TIMELINE
    4. INCIDENT REGISTER: CREATE/UPDATE AN OVERALL INCIDENT REGISTER TO TRACK PROGRESS AND GENERATE STATISTICS
    5. INCIDENT REPORT COMMUNICATION: INTERNAL, EXTERNAL, STAFF, MANAGEMENT, BOARD, VENDORS, CLIENTS, GOVERNMENT, REGULATORS, LAW ENFORCEMENT
  • 35. {es} INCIDENT RESPONSE – LESSONS LEARNT (STEP 8. LESSONS LEARNT; ACTIVITIES WITH EXAMPLES)
    1. ROOT CAUSE ANALYSIS: IDENTIFY AND DOCUMENT INCIDENT TRIGGERS AND SECURITY GAPS THAT ENABLED THE INCIDENT TO OCCUR
    2. CONTROLS AND PROCESSES READINESS: EVALUATE THE EFFICIENCY OF CURRENT SECURITY CONTROLS AND PROCESSES IN LIGHT OF THE INCIDENT
    3. INCIDENT TRENDS ANALYSIS: ARE YOU LEARNING FROM PAST INCIDENTS? IS YOUR RISK PROFILE CHANGING?
    4. MITIGATION PLAN: MITIGATE IMPACT OF SIMILAR FUTURE INCIDENTS
    5. IMPROVEMENTS PLAN: STOP OCCURRENCE OF SIMILAR FUTURE INCIDENTS
  • 36. SHORT TERM – HOW TO START?
    1. REVIEW EXISTING INCIDENT PROCESS
    2. ESTABLISH INCIDENT TEAM
    3. CONDUCT REGULAR INCIDENT TEAM MEETING
    4. SET GROUND RULES
    5. DEFINE WHAT IS AN INCIDENT
    6. INFORM STAFF OF RULES AND INCIDENT CONTACT
    7. CREATE INCIDENT REGISTER
    8. DOCUMENT RECENT AND FUTURE INCIDENTS
    9. FOLLOW NIST INCIDENT HANDLING METHODOLOGY
    10. CREATE HIGH LEVEL PLAYBOOK TO COMPLEMENT CHECKLIST
  • 37. LONG TERM – INCIDENT RESPONSE IMPLEMENTATION
    1. SELECT INCIDENT RESPONSE FRAMEWORK (NIST SP 800-61 REV 2 RECOMMENDED)
    2. IMPLEMENT FULL INCIDENT RESPONSE FRAMEWORK
    3. DEDICATED INCIDENT RESPONSE TEAM AND TRAINING
    4. INCIDENT RESPONSE SIMULATION
    5. CONTINUOUS IMPROVEMENT
  • 38. EXTRA RESOURCES
    FORUM OF INCIDENT RESPONSE AND SECURITY TEAMS (FIRST) FRAMEWORK (HTTPS://WWW.FIRST.ORG/EDUCATION/FIRST_SIRT_SERVICES_FRAMEWORK_VERSION1.0.PDF)
    NATIONAL INSTITUTE OF STANDARDS & TECHNOLOGY (NIST) SPECIAL PUBLICATION (SP) 800-61 (HTTPS://NVLPUBS.NIST.GOV/NISTPUBS/SPECIALPUBLICATIONS/NIST.SP.800-61R2.PDF)
    INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-1:2016 (HTTPS://WWW.ISO.ORG/STANDARD/60803.HTML)
    INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-2:2016 (HTTPS://WWW.ISO.ORG/STANDARD/62071.HTML?BROWSE=TC)
    CONTACT US! (CONSULTING@ELYSIUMSECURITY.COM)
  • 39. ABOUT ELYSIUMSECURITY LTD.
    © 2015-2019 ELYSIUMSECURITY LTD ALL RIGHTS RESERVED; HTTPS://WWW.ELYSIUMSECURITY.COM; CONSULTING@ELYSIUMSECURITY.COM
    ELYSIUMSECURITY PROVIDES PRACTICAL EXPERTISE TO IDENTIFY VULNERABILITIES, ASSESS THEIR RISKS AND IMPACT, REMEDIATE THOSE RISKS, PREPARE AND RESPOND TO INCIDENTS AS WELL AS RAISE SECURITY AWARENESS THROUGHOUT AN ORGANIZATION.
    ELYSIUMSECURITY PROVIDES HIGH LEVEL EXPERTISE GATHERED THROUGH YEARS OF BEST PRACTICES EXPERIENCE IN LARGE INTERNATIONAL COMPANIES, ALLOWING US TO PROVIDE ADVICE BEST SUITED TO YOUR BUSINESS OPERATIONAL MODEL AND PRIORITIES.
    ELYSIUMSECURITY PROVIDES A PORTFOLIO OF STRATEGIC AND TACTICAL SERVICES TO HELP COMPANIES PROTECT AND RESPOND AGAINST CYBER SECURITY THREATS. WE DIFFERENTIATE OURSELVES BY OFFERING DISCREET, TAILORED AND SPECIALIZED ENGAGEMENTS.
    ELYSIUMSECURITY OPERATES IN MAURITIUS AND IN EUROPE; A BOUTIQUE STYLE APPROACH MEANS WE CAN EASILY ADAPT TO YOUR BUSINESS OPERATIONAL MODEL AND REQUIREMENTS TO PROVIDE A PERSONALIZED SERVICE THAT FITS YOUR WORKING ENVIRONMENT.