SlideShare una empresa de Scribd logo

Automated Incident Handling Using SIM

Anton Chuvakin
Anton Chuvakin

The document discusses how to build an effective security incident response process using Security Information Management (SIM) products. It outlines the six steps of the SANS Institute incident response methodology: preparation, identification, containment, eradication, recovery, and follow-up. SIM systems can integrate incident handling functionality to gather security event data around incidents, enforce response workflows, and act as a knowledge repository. Tight integration of SIM and incident response provides benefits like automating aspects of the response and securely storing evidence.

TecnologíaEmpresariales
1 de 5
www.chuvakin.org “Automated Incident Handling Using SIM” Anton Chuvakin, Ph.D., GCIA, GCIH WRITTEN: 2003 DISCLAIMER: Security is a rapidly changing field of human endeavor. Threats we face literally change every day; moreover, many security professionals consider the rate of change to be accelerating. On top of that, to be able to stay in touch with such ever-changing reality, one has to evolve with the space as well. Thus, even though I hope that this document will be useful for to my readers, please keep in mind that is was possibly written years ago. Also, keep in mind that some of the URL might have gone 404, please Google around. In this paper we will look at building the effective the security incident response process using the Security Information Management (SIM) products. Introduction Security professionals learn to live by the slogan “prevention-detection-response.” Each of these three components is known to be of crucial importance to the organization’s security posture. However, unlike detection and prevention, the response is simply impossible to avoid. While it is not uncommon for the organization to have weak prevention and detection capabilities, response will have to be there since the organization will often be forced into response mode by the attackers. The organization will likely be made to respond in some way after the incident has occurred. In light of this, becoming prepared for the incident response is likely to be one of the most cost effective security measures the organization takes. Timely and effective incident response is directly related to decreasing the incident-induced loss to the organization. Several industry surveys have identified that public company's stock price may plunge several percent as a result of a publicly disclosed incident. Incidents that are known to wreak catastrophic results upon the organizations may involve malicious hacking, virus outbreaks, economic espionage, intellectual property theft, network access abuse, theft of IT resources and other policy violations. Effectively responding to incidents requires knowledge of your computing environment, company culture and internal procedures, implemented security countermeasures as well as possessing incident response skills. Incident response fuses together technical and non-technical resources, bound by the incident response policy. To build an initial incident response (IR) framework one can use SANS (SysAdmin, Audit, Network, Security) Institute Six-Step incident response methodology, which includes the following six steps of dealing with the incident: Page 1 Anton Chuvakin, Ph.D., GCIA, GCIH
www.chuvakin.org 1. Preparation 2. Identification 3. Containment 4. Eradication 5. Recovery 6. Follow-Up The actions defined by the plan are started even before the incident transpires (Preparation steps) and extend beyond the end of the immediate mitigation activities (Follow-Up). Preparation stage covers everything one should do before handling the first incident. It involves both technology issues, such as preparing response and forensics tools, learning the environment, configuring systems for optimal response and monitoring, and process issues, such as developing response policy, assigning responsibility, forming a team and establishing escalation procedures. Additionally, the steps to increase the security posture and thus decrease the likelihood and damage from future incidents are included here. Security audits, patch management, employee security awareness program and other security tasks all serve to prepare the organization for the incident action. Building a culture of security and a secure computing environment also serves as incident preparation. For example, establishing a real-time system and network security event monitoring program will help to receive early warnings about the hostile activities as well as collect evidence after the incident. Identification is what happens first when the incident is detected, reported by the third parties or even suspected. Determining whether the observed event does in fact constitute an incident is of crucial importance here. Careful record keeping is also very important, since such documentation will be heavily used at later stages of the response process. One should record everything that was observed in relation to the incident, whether online or in the physical environment. Thus, increased security event monitoring is likely to help at that stage by providing information about the chain of events leading to the incident. During this stage, it is important that people responsible for the handling maintain the proper chain of custody. Contrary to popular opinion, this is important even when the case is never destined to end up in court. Various security technologies play a role in incident identification. For example, firewall, IDS, host and application logs reveal evidence of potentially hostile activities, coming from both outside and inside the protected perimeter. Logs are often tantamount in finding the party responsible for those activities. Security event correlation is essential for high quality incident identification, due to its ability to uncover patterns in incoming security event flow. Collecting various audit logs and correlating them in near real-time goes a long way towards making the identification step of the response process less painful. Containment is what keeps the incident from spreading and thus incurring higher financial or other loss. During this stage, the incident responders will intervene and attempt to limit the damage, such as by tightening network or host access controls, changing system passwords, disabling accounts, etc. While completing the above steps, one should make every effort to keep all the potential evidence intact, balancing the needs of system owners and incident investigators. The backup of the affected systems to preserve them for further investigation is also essential at Page 2 Anton Chuvakin, Ph.D., GCIA, GCIH
www.chuvakin.org this step. The important decision on whether to continue operating the affected assets should be made by the appropriate authorities during this stage. Automated containment measures may be deployed in case of some security incidents, especially those on the perimeter of the organization. This is possible if security event correlation is used in the incident identification process for reliable threat identification. Correlation makes incident identification much more accurate, thus enabling automated containment measures such as firewall blocking, system reconfiguration or forced file integrity checks. Eradication is a stage when the factors leading to the incident are eliminated or mitigated. Such factors often include system vulnerabilities, unsafe system configurations, out-of-date protection software or even imperfect physical access control. Also, the non-IT controls such as building access policies or key card privileges might be adjusted at this stage. As a result of this stage in case of a hacker-related incident, the affected systems are likely to be restored from last clean backup or rebuilt from the operating system vendor media with all applications reinstalled. Time is critical during the eradication stage. The first response should satisfy several often conflicting criteria, such as accommodating the system owners requests, preserving evidence, stopping the spread of damage while complying to all the appropriate organization's policies. Recovery is the stage where the organization's operations return to normal. Systems are restored, configured to prevent recurrence and are returned to regular use. To insure that the newly established controls are working, the organization might want to maintain the increased monitoring of the affected assets for some period of time. Increased monitoring implemented at the recovery stage will not only lead to increased protection of the affected assets, but also might be adopted as a new baseline for the whole organization, especially if such monitoring helps to uncover new threats. Follow-Up is an extremely important stage of the incident response process. Just as in the preparation stage above, proper incident follow-up helps to ensure that lessons are learned from the incident and that the recurrence of similar incidents is prevented. Reports on the incident are often submitted to the senior management. It covers the taken actions, summarizes the lessons learned and also serves as a knowledge base in case of similar incidents in the future. It might also summarize the intruder's actions, tools used, details of vulnerabilities exploited and contain other information on the perpetrator. More in-depth changes to the organization's handling of security are also performed at this step. Follow-up steps often need to be distributed to a wider audience than the rest of the investigation process. It will ensure that IT resource owners will be more prepared to combat future threats. To optimize the distribution of incident information, one can use various forms and templates, prepared in advanced for different types of incidents. Incident cases should also be added to an organization-wide security knowledge base. A summary of suggested actions might also be sent to the senior management. Overall, the SANS process allows one to give structure to the otherwise chaotic incident response workflow. It defines the steps that will then be followed under incident-induced stress with high precision. In fact, many of the above steps may be built from the pre-defined Page 3 Anton Chuvakin, Ph.D., GCIA, GCIH
www.chuvakin.org procedures. The following the steps will then be as easy as selecting and sometimes customizing the procedures for each case at hand. Incident handling workflow will become relatively painless and the crucial steps will not be missed and documented properly. Using pre-defined procedures also helps train the incident response staff on proper actions for each process step. The automated system may be built to keep track of the response workflow, to suggest proper procedures for various steps and to securely handle incident evidence. Additionally, such a system will facilitate collaboration between various response team members, who can share the workload for increased efficiency. SIM and Incident Handling Integration The incident handling system is thus a natural component of the Security Information Management (SIM) solution, since properly deployed SIM solution holds most evidence of the information security incident. Incident handling is SIM product functionality aimed at gathering and organizing security event data around incidents and also enforcing proper response workflow in order to facilitate effective and prompt response to security incidents. General trouble ticketing systems simply don't have the workflow optimized for security incidents and incur a steep learning curve as well. Tight integration of Security Information Management and incident handling provides many important benefits to the system users. It establishes a single control point of the security response capabilities by combining the major potential evidence storage (a SIM solution) with the investigative platform. Also, it enables users to create incidents from detected event data with just a few mouse clicks or even automatically. Moreover, due to sensitive nature of both incident data and security event data, a SIM solution can provide a secure way to store case evidence and apply tight and granular access controls to case data, while still allowing investigators to work together on a case. Conclusion Security Information Management (SIM) systems have an incident handling component to assist the system users with the crucial part of the security triad – incident response. Such a component should not only simplify and optimize the response process, but also serve as a security knowledge repository and be useful for security staff training. Having a highly efficient incident response program will help organizations save money by limiting the damage from security incidents and increasing the efficiency of the existing security infrastructure investments. ABOUT THE AUTHOR: This is an updated author bio, added to the paper at the time of reposting in 2009. Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of books "Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and others. Anton has published dozens of papers on log management, correlation, Page 4 Anton Chuvakin, Ph.D., GCIA, GCIH
www.chuvakin.org data analysis, PCI DSS, security management (see list www.info-secure.org) . His blog http://www.securitywarrior.org is one of the most popular in the industry. In addition, Anton teaches classes and presents at many security conferences across the world; he recently addressed audiences in United States, UK, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on the advisory boards of several security start-ups. Currently, Anton is developing his security consulting practice, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University. Page 5 Anton Chuvakin, Ph.D., GCIA, GCIH

Recomendados

Importance Of Structured Incident Response Process
Importance Of Structured Incident Response ProcessImportance Of Structured Incident Response Process
Importance Of Structured Incident Response Process
Anton Chuvakin
 
Take back your security infrastructure
Take back your security infrastructureTake back your security infrastructure
Take back your security infrastructure
Anton Chuvakin
 
Bit defender ebook_secmonitor_print
Bit defender ebook_secmonitor_printBit defender ebook_secmonitor_print
Bit defender ebook_secmonitor_print
james morris
 
Understanding security operation.pptx
Understanding security operation.pptxUnderstanding security operation.pptx
Understanding security operation.pptx
Piyush Jain
 
Preparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategyPreparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategy
RapidSSLOnline.com
 
Preparing for future attacks. Solution Brief: Implementing the right securit...
Preparing for future attacks. Solution Brief: Implementing the right securit...Preparing for future attacks. Solution Brief: Implementing the right securit...
Preparing for future attacks. Solution Brief: Implementing the right securit...
Symantec
 
Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016
Samuel Loomis
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
Piyush Jain
 

Recomendados

Importance Of Structured Incident Response Process
Importance Of Structured Incident Response ProcessImportance Of Structured Incident Response Process
Importance Of Structured Incident Response Process
Anton Chuvakin
 
Take back your security infrastructure
Take back your security infrastructureTake back your security infrastructure
Take back your security infrastructure
Anton Chuvakin
 
Bit defender ebook_secmonitor_print
Bit defender ebook_secmonitor_printBit defender ebook_secmonitor_print
Bit defender ebook_secmonitor_print
james morris
 
Understanding security operation.pptx
Understanding security operation.pptxUnderstanding security operation.pptx
Understanding security operation.pptx
Piyush Jain
 
Preparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategyPreparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategy
RapidSSLOnline.com
 
Preparing for future attacks. Solution Brief: Implementing the right securit...
Preparing for future attacks. Solution Brief: Implementing the right securit...Preparing for future attacks. Solution Brief: Implementing the right securit...
Preparing for future attacks. Solution Brief: Implementing the right securit...
Symantec
 
Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016
Samuel Loomis
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
Piyush Jain
 
NIST CSF review - Essential Protections (a K12 perspective)
NIST CSF review - Essential Protections (a K12 perspective)NIST CSF review - Essential Protections (a K12 perspective)
NIST CSF review - Essential Protections (a K12 perspective)
April Mardock CISSP
 
Incident Response
Incident ResponseIncident Response
Incident Response
MichaelRodriguesdosS1
 
Incident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEOIncident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEO
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
FIRST 2006 Full-day Tutorial on Logs for Incident Response
FIRST 2006 Full-day Tutorial on Logs for Incident ResponseFIRST 2006 Full-day Tutorial on Logs for Incident Response
FIRST 2006 Full-day Tutorial on Logs for Incident Response
Anton Chuvakin
 
Incident handling.final
Incident handling.finalIncident handling.final
Incident handling.final
ahmad abdelhafeez
 
Risk Management
Risk ManagementRisk Management
Risk Management
ijtsrd
 
Incident Response
Incident ResponseIncident Response
Incident Response
primeteacher32
 
The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016
Ashley Deuble
 
Incident response
Incident responseIncident response
Incident response
Jarno Niemela
 
Incident Response: Don't Mess It Up, Here's How To Get It Right
Incident Response: Don't Mess It Up, Here's How To Get It RightIncident Response: Don't Mess It Up, Here's How To Get It Right
Incident Response: Don't Mess It Up, Here's How To Get It Right
Resilient Systems
 
So you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessSo you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to Success
Gary Hayslip CISSP, CISA, CRISC, CCSK
 
Monitoring your organization against threats - Critical System Control
Monitoring your organization against threats - Critical System ControlMonitoring your organization against threats - Critical System Control
Monitoring your organization against threats - Critical System Control
Marc-Andre Heroux
 
Information Security Strategic Management
Information Security Strategic ManagementInformation Security Strategic Management
Information Security Strategic Management
Marcelo Martins
 
Open service risk correlation
Open service risk correlationOpen service risk correlation
Open service risk correlation
frantzyv
 
CISO-Fundamentals
CISO-FundamentalsCISO-Fundamentals
CISO-Fundamentals
Gary Hayslip CISSP, CISA, CRISC, CCSK
 
Information Secuirty Vulnerability Management
Information Secuirty Vulnerability ManagementInformation Secuirty Vulnerability Management
Information Secuirty Vulnerability Management
tschraider
 
Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security
Ernest Staats
 
Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security Strategy
Andrew Byers
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
CAS
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample Material
Vskills
 
Autoevaluación secuencia didáctica matemáticas formularios de google
Autoevaluación secuencia didáctica matemáticas formularios de googleAutoevaluación secuencia didáctica matemáticas formularios de google
Autoevaluación secuencia didáctica matemáticas formularios de google
maría amparo díaz
 
Web 2.0, Meet Sparta Township Public Schools
Web 2.0, Meet Sparta Township Public SchoolsWeb 2.0, Meet Sparta Township Public Schools
Web 2.0, Meet Sparta Township Public Schools
Patrick HIggins
 

Más contenido relacionado

La actualidad más candente

Risk Management
Risk ManagementRisk Management
Risk Management
ijtsrd
 
Incident Response: Don't Mess It Up, Here's How To Get It Right
Incident Response: Don't Mess It Up, Here's How To Get It RightIncident Response: Don't Mess It Up, Here's How To Get It Right
Incident Response: Don't Mess It Up, Here's How To Get It Right
Resilient Systems
 
Information Secuirty Vulnerability Management
Information Secuirty Vulnerability ManagementInformation Secuirty Vulnerability Management
Information Secuirty Vulnerability Management
tschraider
 

La actualidad más candente (20)

NIST CSF review - Essential Protections (a K12 perspective)
NIST CSF review - Essential Protections (a K12 perspective)NIST CSF review - Essential Protections (a K12 perspective)
NIST CSF review - Essential Protections (a K12 perspective)
 
Incident Response
Incident ResponseIncident Response
Incident Response
 
Incident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEOIncident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEO
 
FIRST 2006 Full-day Tutorial on Logs for Incident Response
FIRST 2006 Full-day Tutorial on Logs for Incident ResponseFIRST 2006 Full-day Tutorial on Logs for Incident Response
FIRST 2006 Full-day Tutorial on Logs for Incident Response
 
Incident handling.final
Incident handling.finalIncident handling.final
Incident handling.final
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Incident Response
Incident ResponseIncident Response
Incident Response
 
The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016
 
Incident response
Incident responseIncident response
Incident response
 
Incident Response: Don't Mess It Up, Here's How To Get It Right
Incident Response: Don't Mess It Up, Here's How To Get It RightIncident Response: Don't Mess It Up, Here's How To Get It Right
Incident Response: Don't Mess It Up, Here's How To Get It Right
 
So you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessSo you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to Success
 
Monitoring your organization against threats - Critical System Control
Monitoring your organization against threats - Critical System ControlMonitoring your organization against threats - Critical System Control
Monitoring your organization against threats - Critical System Control
 
Information Security Strategic Management
Information Security Strategic ManagementInformation Security Strategic Management
Information Security Strategic Management
 
Open service risk correlation
Open service risk correlationOpen service risk correlation
Open service risk correlation
 
CISO-Fundamentals
CISO-FundamentalsCISO-Fundamentals
CISO-Fundamentals
 
Information Secuirty Vulnerability Management
Information Secuirty Vulnerability ManagementInformation Secuirty Vulnerability Management
Information Secuirty Vulnerability Management
 
Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security
 
Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security Strategy
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample Material
 

Destacado

Autoevaluación secuencia didáctica matemáticas formularios de google
Autoevaluación secuencia didáctica matemáticas formularios de googleAutoevaluación secuencia didáctica matemáticas formularios de google
Autoevaluación secuencia didáctica matemáticas formularios de google
maría amparo díaz
 
Web 2.0, Meet Sparta Township Public Schools
Web 2.0, Meet Sparta Township Public SchoolsWeb 2.0, Meet Sparta Township Public Schools
Web 2.0, Meet Sparta Township Public Schools
Patrick HIggins
 

Destacado (9)

Autoevaluación secuencia didáctica matemáticas formularios de google
Autoevaluación secuencia didáctica matemáticas formularios de googleAutoevaluación secuencia didáctica matemáticas formularios de google
Autoevaluación secuencia didáctica matemáticas formularios de google
 
Web 2.0, Meet Sparta Township Public Schools
Web 2.0, Meet Sparta Township Public SchoolsWeb 2.0, Meet Sparta Township Public Schools
Web 2.0, Meet Sparta Township Public Schools
 
Suma y resta de polinomios
Suma y resta de polinomiosSuma y resta de polinomios
Suma y resta de polinomios
 
Menghitung kurva hidrostatis
Menghitung kurva hidrostatisMenghitung kurva hidrostatis
Menghitung kurva hidrostatis
 
Folio report kayu
Folio report kayuFolio report kayu
Folio report kayu
 
Branimir Kovačić: Pregled internet kupovine u Hrvatskoj u 2015, temeljeno na ...
Branimir Kovačić: Pregled internet kupovine u Hrvatskoj u 2015, temeljeno na ...Branimir Kovačić: Pregled internet kupovine u Hrvatskoj u 2015, temeljeno na ...
Branimir Kovačić: Pregled internet kupovine u Hrvatskoj u 2015, temeljeno na ...
 
Darko Dujić: Key challenges in managing the consumer journey
Darko Dujić: Key challenges in managing the consumer journeyDarko Dujić: Key challenges in managing the consumer journey
Darko Dujić: Key challenges in managing the consumer journey
 
Martin Fabian: Innovative ways of handling customer complaints
Martin Fabian: Innovative ways of handling customer complaintsMartin Fabian: Innovative ways of handling customer complaints
Martin Fabian: Innovative ways of handling customer complaints
 
Отделение волейбола
Отделение волейболаОтделение волейбола
Отделение волейбола
 

Similar a Automated Incident Handling Using SIM

11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt
abhichowdary16
 
Chapter 33Incident Response and Forensic AnalysisCopyright ©.docx
Chapter 33Incident Response and Forensic AnalysisCopyright ©.docxChapter 33Incident Response and Forensic AnalysisCopyright ©.docx
Chapter 33Incident Response and Forensic AnalysisCopyright ©.docx
christinemaritza
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
Beji Jacob
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
madunix
 
It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit Process
Ram Srivastava
 
3895SafeAssign Originality ReportComputer Sec.docx
3895SafeAssign Originality ReportComputer Sec.docx3895SafeAssign Originality ReportComputer Sec.docx
3895SafeAssign Originality ReportComputer Sec.docx
lorainedeserre
 
Risk management planExecutive SummaryThe past.docx
Risk management planExecutive SummaryThe past.docxRisk management planExecutive SummaryThe past.docx
Risk management planExecutive SummaryThe past.docx
SUBHI7
 
Convergence innovative integration of security
Convergence innovative integration of securityConvergence innovative integration of security
Convergence innovative integration of security
ciso_insights
 
An incident response plan (IRP) is a set of written instructions for.pdf
An incident response plan (IRP) is a set of written instructions for.pdfAn incident response plan (IRP) is a set of written instructions for.pdf
An incident response plan (IRP) is a set of written instructions for.pdf
aradhana9856
 

Similar a Automated Incident Handling Using SIM (20)

Future Cyber Attacks & Solution - Symantec
Future Cyber Attacks & Solution - SymantecFuture Cyber Attacks & Solution - Symantec
Future Cyber Attacks & Solution - Symantec
 
10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and Reponse10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and Reponse
 
Incident response Process in information security .pptx
Incident response Process in information security .pptxIncident response Process in information security .pptx
Incident response Process in information security .pptx
 
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt
 
Chapter 33Incident Response and Forensic AnalysisCopyright ©.docx
Chapter 33Incident Response and Forensic AnalysisCopyright ©.docxChapter 33Incident Response and Forensic AnalysisCopyright ©.docx
Chapter 33Incident Response and Forensic AnalysisCopyright ©.docx
 
IT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John LadoIT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John Lado
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
 
chapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crimechapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crime
 
Five Mistakes of Incident Response
Five Mistakes of Incident ResponseFive Mistakes of Incident Response
Five Mistakes of Incident Response
 
Ch08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.comCh08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.com
 
Enterprise security management II
Enterprise security management IIEnterprise security management II
Enterprise security management II
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
 
IDS Research
IDS ResearchIDS Research
IDS Research
 
It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit Process
 
What's behind a cyber attack
What's behind a cyber attackWhat's behind a cyber attack
What's behind a cyber attack
 
3895SafeAssign Originality ReportComputer Sec.docx
3895SafeAssign Originality ReportComputer Sec.docx3895SafeAssign Originality ReportComputer Sec.docx
3895SafeAssign Originality ReportComputer Sec.docx
 
Backtrack manual Part1
Backtrack manual Part1Backtrack manual Part1
Backtrack manual Part1
 
Risk management planExecutive SummaryThe past.docx
Risk management planExecutive SummaryThe past.docxRisk management planExecutive SummaryThe past.docx
Risk management planExecutive SummaryThe past.docx
 
Convergence innovative integration of security
Convergence innovative integration of securityConvergence innovative integration of security
Convergence innovative integration of security
 
An incident response plan (IRP) is a set of written instructions for.pdf
An incident response plan (IRP) is a set of written instructions for.pdfAn incident response plan (IRP) is a set of written instructions for.pdf
An incident response plan (IRP) is a set of written instructions for.pdf
 

Más de Anton Chuvakin

SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?
Anton Chuvakin
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinMeet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton Chuvakin
Anton Chuvakin
 

Más de Anton Chuvakin (20)

Future of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsFuture of SOC: More Security, Less Operations
Future of SOC: More Security, Less Operations
 
SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinMeet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton Chuvakin
 
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
 
SOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinSOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton Chuvakin
 
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
 
20 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022
 
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
 
SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC
 
Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in Brief
 
Generic siem how_2017
Generic siem how_2017Generic siem how_2017
Generic siem how_2017
 
Tips on SIEM Ops 2015
Tips on SIEM Ops 2015Tips on SIEM Ops 2015
Tips on SIEM Ops 2015
 
Five SIEM Futures (2012)
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)
 
RSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics Presentation
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 

Último

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Último (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

Automated Incident Handling Using SIM

  • 1. www.chuvakin.org “Automated Incident Handling Using SIM” Anton Chuvakin, Ph.D., GCIA, GCIH WRITTEN: 2003 DISCLAIMER: Security is a rapidly changing field of human endeavor. Threats we face literally change every day; moreover, many security professionals consider the rate of change to be accelerating. On top of that, to be able to stay in touch with such ever-changing reality, one has to evolve with the space as well. Thus, even though I hope that this document will be useful for to my readers, please keep in mind that is was possibly written years ago. Also, keep in mind that some of the URL might have gone 404, please Google around. In this paper we will look at building the effective the security incident response process using the Security Information Management (SIM) products. Introduction Security professionals learn to live by the slogan “prevention-detection-response.” Each of these three components is known to be of crucial importance to the organization’s security posture. However, unlike detection and prevention, the response is simply impossible to avoid. While it is not uncommon for the organization to have weak prevention and detection capabilities, response will have to be there since the organization will often be forced into response mode by the attackers. The organization will likely be made to respond in some way after the incident has occurred. In light of this, becoming prepared for the incident response is likely to be one of the most cost effective security measures the organization takes. Timely and effective incident response is directly related to decreasing the incident-induced loss to the organization. Several industry surveys have identified that public company's stock price may plunge several percent as a result of a publicly disclosed incident. Incidents that are known to wreak catastrophic results upon the organizations may involve malicious hacking, virus outbreaks, economic espionage, intellectual property theft, network access abuse, theft of IT resources and other policy violations. Effectively responding to incidents requires knowledge of your computing environment, company culture and internal procedures, implemented security countermeasures as well as possessing incident response skills. Incident response fuses together technical and non-technical resources, bound by the incident response policy. To build an initial incident response (IR) framework one can use SANS (SysAdmin, Audit, Network, Security) Institute Six-Step incident response methodology, which includes the following six steps of dealing with the incident: Page 1 Anton Chuvakin, Ph.D., GCIA, GCIH
  • 2. www.chuvakin.org 1. Preparation 2. Identification 3. Containment 4. Eradication 5. Recovery 6. Follow-Up The actions defined by the plan are started even before the incident transpires (Preparation steps) and extend beyond the end of the immediate mitigation activities (Follow-Up). Preparation stage covers everything one should do before handling the first incident. It involves both technology issues, such as preparing response and forensics tools, learning the environment, configuring systems for optimal response and monitoring, and process issues, such as developing response policy, assigning responsibility, forming a team and establishing escalation procedures. Additionally, the steps to increase the security posture and thus decrease the likelihood and damage from future incidents are included here. Security audits, patch management, employee security awareness program and other security tasks all serve to prepare the organization for the incident action. Building a culture of security and a secure computing environment also serves as incident preparation. For example, establishing a real-time system and network security event monitoring program will help to receive early warnings about the hostile activities as well as collect evidence after the incident. Identification is what happens first when the incident is detected, reported by the third parties or even suspected. Determining whether the observed event does in fact constitute an incident is of crucial importance here. Careful record keeping is also very important, since such documentation will be heavily used at later stages of the response process. One should record everything that was observed in relation to the incident, whether online or in the physical environment. Thus, increased security event monitoring is likely to help at that stage by providing information about the chain of events leading to the incident. During this stage, it is important that people responsible for the handling maintain the proper chain of custody. Contrary to popular opinion, this is important even when the case is never destined to end up in court. Various security technologies play a role in incident identification. For example, firewall, IDS, host and application logs reveal evidence of potentially hostile activities, coming from both outside and inside the protected perimeter. Logs are often tantamount in finding the party responsible for those activities. Security event correlation is essential for high quality incident identification, due to its ability to uncover patterns in incoming security event flow. Collecting various audit logs and correlating them in near real-time goes a long way towards making the identification step of the response process less painful. Containment is what keeps the incident from spreading and thus incurring higher financial or other loss. During this stage, the incident responders will intervene and attempt to limit the damage, such as by tightening network or host access controls, changing system passwords, disabling accounts, etc. While completing the above steps, one should make every effort to keep all the potential evidence intact, balancing the needs of system owners and incident investigators. The backup of the affected systems to preserve them for further investigation is also essential at Page 2 Anton Chuvakin, Ph.D., GCIA, GCIH
  • 3. www.chuvakin.org this step. The important decision on whether to continue operating the affected assets should be made by the appropriate authorities during this stage. Automated containment measures may be deployed in case of some security incidents, especially those on the perimeter of the organization. This is possible if security event correlation is used in the incident identification process for reliable threat identification. Correlation makes incident identification much more accurate, thus enabling automated containment measures such as firewall blocking, system reconfiguration or forced file integrity checks. Eradication is a stage when the factors leading to the incident are eliminated or mitigated. Such factors often include system vulnerabilities, unsafe system configurations, out-of-date protection software or even imperfect physical access control. Also, the non-IT controls such as building access policies or key card privileges might be adjusted at this stage. As a result of this stage in case of a hacker-related incident, the affected systems are likely to be restored from last clean backup or rebuilt from the operating system vendor media with all applications reinstalled. Time is critical during the eradication stage. The first response should satisfy several often conflicting criteria, such as accommodating the system owners requests, preserving evidence, stopping the spread of damage while complying to all the appropriate organization's policies. Recovery is the stage where the organization's operations return to normal. Systems are restored, configured to prevent recurrence and are returned to regular use. To insure that the newly established controls are working, the organization might want to maintain the increased monitoring of the affected assets for some period of time. Increased monitoring implemented at the recovery stage will not only lead to increased protection of the affected assets, but also might be adopted as a new baseline for the whole organization, especially if such monitoring helps to uncover new threats. Follow-Up is an extremely important stage of the incident response process. Just as in the preparation stage above, proper incident follow-up helps to ensure that lessons are learned from the incident and that the recurrence of similar incidents is prevented. Reports on the incident are often submitted to the senior management. It covers the taken actions, summarizes the lessons learned and also serves as a knowledge base in case of similar incidents in the future. It might also summarize the intruder's actions, tools used, details of vulnerabilities exploited and contain other information on the perpetrator. More in-depth changes to the organization's handling of security are also performed at this step. Follow-up steps often need to be distributed to a wider audience than the rest of the investigation process. It will ensure that IT resource owners will be more prepared to combat future threats. To optimize the distribution of incident information, one can use various forms and templates, prepared in advanced for different types of incidents. Incident cases should also be added to an organization-wide security knowledge base. A summary of suggested actions might also be sent to the senior management. Overall, the SANS process allows one to give structure to the otherwise chaotic incident response workflow. It defines the steps that will then be followed under incident-induced stress with high precision. In fact, many of the above steps may be built from the pre-defined Page 3 Anton Chuvakin, Ph.D., GCIA, GCIH
  • 4. www.chuvakin.org procedures. The following the steps will then be as easy as selecting and sometimes customizing the procedures for each case at hand. Incident handling workflow will become relatively painless and the crucial steps will not be missed and documented properly. Using pre-defined procedures also helps train the incident response staff on proper actions for each process step. The automated system may be built to keep track of the response workflow, to suggest proper procedures for various steps and to securely handle incident evidence. Additionally, such a system will facilitate collaboration between various response team members, who can share the workload for increased efficiency. SIM and Incident Handling Integration The incident handling system is thus a natural component of the Security Information Management (SIM) solution, since properly deployed SIM solution holds most evidence of the information security incident. Incident handling is SIM product functionality aimed at gathering and organizing security event data around incidents and also enforcing proper response workflow in order to facilitate effective and prompt response to security incidents. General trouble ticketing systems simply don't have the workflow optimized for security incidents and incur a steep learning curve as well. Tight integration of Security Information Management and incident handling provides many important benefits to the system users. It establishes a single control point of the security response capabilities by combining the major potential evidence storage (a SIM solution) with the investigative platform. Also, it enables users to create incidents from detected event data with just a few mouse clicks or even automatically. Moreover, due to sensitive nature of both incident data and security event data, a SIM solution can provide a secure way to store case evidence and apply tight and granular access controls to case data, while still allowing investigators to work together on a case. Conclusion Security Information Management (SIM) systems have an incident handling component to assist the system users with the crucial part of the security triad – incident response. Such a component should not only simplify and optimize the response process, but also serve as a security knowledge repository and be useful for security staff training. Having a highly efficient incident response program will help organizations save money by limiting the damage from security incidents and increasing the efficiency of the existing security infrastructure investments. ABOUT THE AUTHOR: This is an updated author bio, added to the paper at the time of reposting in 2009. Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of books "Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and others. Anton has published dozens of papers on log management, correlation, Page 4 Anton Chuvakin, Ph.D., GCIA, GCIH
  • 5. www.chuvakin.org data analysis, PCI DSS, security management (see list www.info-secure.org) . His blog http://www.securitywarrior.org is one of the most popular in the industry. In addition, Anton teaches classes and presents at many security conferences across the world; he recently addressed audiences in United States, UK, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on the advisory boards of several security start-ups. Currently, Anton is developing his security consulting practice, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University. Page 5 Anton Chuvakin, Ph.D., GCIA, GCIH