Structured Incident Types to Streamline Incident Response

Predrag Zivic   Mike Lecky
Agenda
• Introduction
• Incident Type Definition
• Function Based Alerting
• Asset Classification
• Streamlined Ticket and Severity
• Steps to Function Based Alerting
• Streamline Incident Response
• Benefits
• Conclusion
Introduction

[Diagram: Typical Integrated Security Monitoring System. Proxy/Firewall, HIDS, IDS, Platforms, AV, FIM, SCM and VA feed a SIEM and a Dashboard; the tools span a range from proactive to reactive.]
Introduction: The Problem
• Number of security tools
• Large number of rules for alerting
• Uncertainty about incident severity level
• Inconsistent alerting thresholds
• Spotty coverage
• Complexity of tool integration
Introduction

[Diagram: Windows Platform alert "Success After X Failed Logins from IP" on Server XNXYY, Severity ??, Send Ticket to Windows Support. Incident Ticket: Identified Security Incident]

The Problem Scenario
• First responders confused
• Ticket sent to Windows group; after a few days sent to Security Operations
• Security Operations confused about where this came from and what the severity is anyway
Incident Type Definition
Criteria for defining incident types to achieve streamlined incident response:
• Following industry guidelines
  – NIST, Carnegie Mellon, SANS
• Understandable
• Reportable
• Comprehensive set, but not too many!
• Easily applied to security tools
• Manageable
Incident Type Definition
Incident type matrix (Incident / Examples / Security or Privacy Breach / Notes)

Unauthorized Access
  Examples: CORPORATE personnel gain logical or physical access without permission to network, system, application, data, facilities or other resource, e.g. hacking CORPORATE managed systems or third party managed systems; lost Blackberry or laptop. External agent gains logical or physical access without permission to network, system, application, data, facilities or other resource, e.g. hacker, intruder.
  Security or Privacy Breach: Compromise: Theft/Removal, Destruction, Modification, Copying, Use
  Notes: All unauthorized access incidents should be handled using prescribed CORPORATE incident response operational processes. In such event, internal processes for investigation and possible disciplinary or criminal charges may apply.

Unauthorized Disclosure
  Examples: CORPORATE employee (IT or non-IT personnel) discloses sensitive data to unauthorized persons; may be in any form of correspondence including oral. CORPORATE client (IT or business personnel) discloses confidential data to unauthorized CORPORATE employees. CORPORATE client (IT or business personnel) discloses confidential data to third parties. Granting read, write or delete privileges to individuals whose duties do not require such privileges.
  Security or Privacy Breach: Compromise: Theft/Removal, Destruction, Modification, Copying, Use. Disclosure of financial, finance reports, credit card related and personal information.
  Notes: In the case of unauthorized disclosure by a CORPORATE employee, internal processes for investigation and possible disciplinary action may apply. There might be insufficient restrictions on access privileges for financial, finance reports, credit card related and personal information.

Unauthorized Collection
  Examples: CORPORATE application uses data matching or other process to collect financial, finance reports, credit card related and personal information without consent or knowledge of the information owner. CORPORATE non-IT personnel: collection or use of financial or personal information for purposes other than verification. External agent collecting the information from logical or physical CORPORATE infrastructure.
  Security or Privacy Breach: Collecting financial, finance reports, credit card related and personal information without identifying the purpose.
  Notes: Potential problem normally identified in SRA or audit. Process controls should be corrected once the incident is identified.

Unauthorized Disposal
  Examples: Information such as financial or required finance reporting information not retained in accordance with CORPORATE standard requirements.
  Security or Privacy Breach: Unavailability of financial or required restricted and confidential information. Unavailability of personal information.
  Notes: Policy and process for retention and disposal schedules is required.

Unauthorized Use
  Examples: CORPORATE application or a user uses data mining or other process for purposes other than those defined. Unauthorized correlation of information. CORPORATE non-IT personnel: use of financial or personal information for purposes other than those defined.
  Security or Privacy Breach: Use of financial, finance reports, credit card related, personal information and any other confidential or restricted information.
  Notes: Policy should be defined for the application; its function should be enumerated.
Incident Type Definition
Incident type matrix, continued (Incident / Examples / Security or Privacy Breach / Notes)

Infrastructure Attack
  Examples: An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources, e.g. distributed denial of service attack or active WLAN attack.
  Security or Privacy Breach: Unavailability
  Notes: Unavailability of financial, finance reports, credit card related and personal information must be reported and notification take place in accordance with CORPORATE standard requirements. SLAs should identify reporting requirements.

Malicious Code and Malware
  Examples: A code-based malicious entity (virus, worm, trojan horse, malformed applet, rootkit, time-bombs etc.) that infects or destroys a host.
  Security or Privacy Breach: Compromise: Theft/Removal, Destruction, Modification, Copying, Use. Unavailability.
  Notes: See above; corruption or compromise of financial, credit card and personal information requires detection and reporting.

Infrastructure Vulnerabilities (found during vulnerability management process)
  Examples: Any found critical vulnerabilities that expose critical financial and personal information.
  Security or Privacy Breach: May cause unavailability, or loss of financial or personal information that is deemed confidential or restricted.
  Notes: Possible unavailability of financial, finance reports, credit card related and personal information must be dealt with promptly.

Compliance Specific
  Examples: CEO&CFO key controls and PCI key controls that could not be classified as one of the incident type categories specified in this matrix.
  Security or Privacy Breach: CORPORATE exposed to a non-compliant environment and may incur penalties.
  Notes: Impact to financial bottom line and possible executive prosecution.

System Health Specific
  Examples: Specific to each operational tool with specific health incidents. Security tools can have specific issues that may impact security monitoring.
  Security or Privacy Breach: Security monitoring unavailable.
  Notes: Impact to the security group's ability to detect incidents and increased risk to the organization. Business is not impacted, but monitoring must be restored as soon as possible.
Function Based Alerting
Incident Type: Unauthorized Access

Alert Scenario: x failed logins by a user in y mins
  Events: Windows failed login attempts; AIX failed login attempts; HP-UX failed login attempts; DB failed login attempts; ACS failed login attempts; Security Tools NIC failed login attempts; Checkpoint FW failed login attempts; Mainframe failed login attempts; Wireless Switch failed login attempts

Alert Scenario: Success after X failed logins by IP
  Events: Windows failed login attempts; AIX failed login attempts; HP-UX failed login attempts; DB failed login attempts; RADIUS failed login attempts; Security Tools NIC failed login attempts; Checkpoint FW failed login attempts; Mainframe failed login attempts; Wireless Switch failed login attempts

Alert Scenario: Successful login as the built-in administrator account has been detected
  Events: Windows login; AIX login; HP-UX login; DB login; RADIUS login; Security Tools login; Checkpoint FW login; Mainframe login; Wireless Switch login
Asset Classification

Asset Group     Importance (Availability)   Integrity   Confidentiality   Vulnerability
CKA & PCI       10                          10          10                1
CKA             8                           8           8                 1
PCI             8                           8           8                 1
Production      6                           6           6                 1
QA              3                           3           3                 1
Development     3                           3           3                 1

LEGEND: Low 1-3, Medium 4-6, High 7-8, Very High 9-10

Align incident response urgency to the business for resolution.
Streamline Incident Ticket & Severity

[Diagram: Unauthorized Access, Success After X Failed Logins per IP, Windows Platform, Server XNXX classified 10 CIA V1, Severity Level 2. Incident Ticket: Identified Security Incident]

The Efficient Scenario of Function Based Alerting
• First responders know what type of ticket it is
• Ticket sent to Security Operations with proper severity level
• Security Operations understand server classification and take appropriate action
Streamline Incident Ticket & Severity

[Diagram: Unauthorized Access, Success After X Failed Logins per IP, Windows Platform, Server XNXX classified 10 CIA V1; and Unauthorized Access, Success After X Failed Logins per IP, UNIX Platform, Server UNYY classified 10 CIA V1; together Severity Level 1. Incident Tickets: Identified Multiple Security Incidents]

The Real Life Benefit of Function Based Alerting
• First responders saw two severity 2 alerts and one severity 1 alert from the SIEM; automatic escalation
• Alert escalated to Security Operations with proper severity level
• Security Operations take the incident seriously and engage the severity 1 level response team
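Function based alerting end to end, as an added example that is not from the slides: the three Unauthorized Access alert scenarios from the table above run over normalised login events from several platforms, each ticket takes its base severity from the asset classification table, and the same scenario firing on two Very High servers is escalated to severity 1 as in the real-life case above. The key=value log layout, the host-to-asset-group lookup, the built-in administrator account names and the exact severity mapping are assumptions.

```python
"""Function based alerting (added example): normalise platform login events
into the slides' Unauthorized Access alert scenarios, look up the server's
asset classification and assign a ticket severity."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Asset classification table from the slides: (Availability, Integrity, Confidentiality, Vulnerability).
ASSET_GROUPS = {
    "CKA & PCI": (10, 10, 10, 1), "CKA": (8, 8, 8, 1), "PCI": (8, 8, 8, 1),
    "Production": (6, 6, 6, 1), "QA": (3, 3, 3, 1), "Development": (3, 3, 3, 1),
}
# Server to asset group: an assumed lookup (a CMDB would supply this).
HOST_GROUP = {"XNXX": "CKA & PCI", "UNYY": "CKA & PCI", "FW01": "Production"}
# Built-in administrator accounts per platform: an assumed set.
BUILTIN_ADMIN = {"windows": {"administrator"}, "aix": {"root"},
                 "checkpoint": {"admin"}}

SCENARIO_USER = "x failed logins by a user in y mins"
SCENARIO_IP = "Success after X failed logins by IP"
SCENARIO_ADMIN = "Successful login as built-in administrator"

# Constructed sample log in a simplified key=value layout (no vendor's real
# format): every platform's event normalises to the same two event kinds.
SAMPLE_LOG = """\
ts=2012-05-01T10:00:01 platform=windows host=XNXX src=10.9.8.7 user=svc_backup outcome=fail
ts=2012-05-01T10:00:05 platform=windows host=XNXX src=10.9.8.7 user=svc_backup outcome=fail
ts=2012-05-01T10:00:09 platform=windows host=XNXX src=10.9.8.7 user=svc_backup outcome=fail
ts=2012-05-01T10:00:15 platform=windows host=XNXX src=10.9.8.7 user=svc_backup outcome=ok
ts=2012-05-01T10:02:01 platform=aix host=UNYY src=10.9.8.7 user=oracle outcome=fail
ts=2012-05-01T10:02:03 platform=aix host=UNYY src=10.9.8.7 user=oracle outcome=fail
ts=2012-05-01T10:02:06 platform=aix host=UNYY src=10.9.8.7 user=oracle outcome=fail
ts=2012-05-01T10:02:10 platform=aix host=UNYY src=10.9.8.7 user=oracle outcome=ok
ts=2012-05-01T11:30:00 platform=checkpoint host=FW01 src=10.1.1.1 user=admin outcome=ok
""".splitlines()


def rating(score):
    """Legend from the slides: Low 1-3, Medium 4-6, High 7-8, Very High 9-10."""
    return ("Very High" if score >= 9 else "High" if score >= 7
            else "Medium" if score >= 4 else "Low")


def parse_event(line):
    """Normalise one log line; all platforms become 'failed_login' or 'login'."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return {"ts": datetime.fromisoformat(f["ts"]), "platform": f["platform"],
            "host": f["host"], "src": f["src"], "user": f["user"].lower(),
            "kind": "login" if f["outcome"] == "ok" else "failed_login"}


def ticket(scenario, e):
    """Build a ticket. Base severity is an assumed mapping from the server's
    confidentiality rating (slides: one incident on a '10 CIA' server is level 2)."""
    group = HOST_GROUP.get(e["host"], "Development")
    cls = rating(ASSET_GROUPS[group][2])
    return {"incident_type": "Unauthorized Access", "scenario": scenario,
            "platform": e["platform"], "host": e["host"], "src": e["src"],
            "user": e["user"], "asset_group": group, "classification": cls,
            "severity": {"Very High": 2, "High": 3}.get(cls, 4)}


def escalate(tickets):
    """Assumed escalation modelled on the slides' multi-server case: the same
    scenario on two or more Very High servers is raised to severity 1."""
    hosts = defaultdict(set)
    for t in tickets:
        if t["classification"] == "Very High":
            hosts[t["scenario"]].add(t["host"])
    for t in tickets:
        if t["classification"] == "Very High" and len(hosts[t["scenario"]]) >= 2:
            t["severity"] = 1
    return tickets


def detect(lines, x=3, y_minutes=5):
    """Run the three Unauthorized Access alert scenarios over normalised events."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    window = timedelta(minutes=y_minutes)
    fails_by_user = defaultdict(deque)  # sliding window per (host, user)
    fails_by_ip = defaultdict(int)      # consecutive failures per (host, src)
    fired_user, tickets = set(), []
    for e in events:
        ip_key = (e["host"], e["src"])
        if e["kind"] == "failed_login":
            key = (e["host"], e["user"])
            q = fails_by_user[key]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= x and key not in fired_user:  # alert once per user
                fired_user.add(key)
                tickets.append(ticket(SCENARIO_USER, e))
            fails_by_ip[ip_key] += 1
        else:
            if fails_by_ip[ip_key] >= x:
                tickets.append(ticket(SCENARIO_IP, e))
            fails_by_ip[ip_key] = 0
            if e["user"] in BUILTIN_ADMIN.get(e["platform"], set()):
                tickets.append(ticket(SCENARIO_ADMIN, e))
    return escalate(tickets)
```

Running detect(SAMPLE_LOG[:4]) reproduces the single-server slide (two severity 2 tickets on XNXX); the full sample reproduces the multi-server slide, where the Windows and UNIX tickets are escalated to severity 1 while the firewall admin login on a Production asset stays at its lower base severity.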
Steps to Function Based Alerting
• Align incident types and function based alerting across all security tools
  – Start first with the SIEM, then add IDS, HIDS
  – Align vulnerability tools: VA, Secure Configuration Management, File Integrity Management
• By aligning threat and exposure, achieve quantitative operational risk metrics
• Align Risk & Governance with security operational risk using the same threat and vulnerability function based alerting
Streamline Incident Response
Standardized approach for incident investigation, containment and resolution is achieved by:

  Function Based Alerting

Detailed, standardized information supporting 1st and n-level responders, enabling efficient and effective security operations:
• Consistent severity assignment
• Consistent investigation
• Consistent resolution
Benefits
• Aligned security incident types to actions by incident responders
• Structured incident types approach enables completeness check on alert set
• Efficient and streamlined security incident detection and response
• Minimizes gaps in detection capability across security tools
• Standardized baseline approach for statistical incident analysis
• Structured approach to threat modelling
• Facilitates identification of new and enhanced security controls
Conclusion
• Statistical analysis of incidents
• Straightforward threat modeling
• Consistent operational security reporting
• Foundation for enhanced:
  – Preventative controls
  – Detective controls

[Diagram: Proactive (Improve Posture) versus Reactive (Incident Response). Balance Investment Against Risk Appetite]
Questions?

Predrag Zivic           Mike Lecky
pzivic@rogers.com       mlecky@sympatico.ca
Wfuzz para Penetration TestersSource Conference
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSource Conference
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserSource Conference
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItSource Conference
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of AnonymousSource Conference
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Source Conference
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary plantingSource Conference
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudSource Conference
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?Source Conference
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawSource Conference
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendSource Conference
 

More from Source Conference (20)

Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and Bobs
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
Esteganografia
EsteganografiaEsteganografia
Esteganografia
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary planting
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
 
JSF Security
JSF SecurityJSF Security
JSF Security
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
 

Recently uploaded

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 

Recently uploaded (20)

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 

Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident Response

  • 2. Agenda
      • Introduction
      • Incident Type Definition
      • Function Based Alerting
      • Asset Classification
      • Streamlined Ticket and Severity
      • Steps to Function Based Alerting
      • Streamline Incident Response
      • Benefits
      • Conclusion
  • 3. Introduction
      [Diagram: Typical Integrated Security Monitoring System. Sources HIDS, IDS, Platforms, AV, Proxy/Firewall, FIM, SCM and VA feed a SIEM with a Dashboard; the tools are laid out on a scale from Proactive to Reactive.]
  • 4. Introduction – The Problem
      • Number of security tools
      • Large number of rules for alerting
      • Uncertainty about incident severity level
      • Inconsistent alerting thresholds
      • Spotty coverage
      • Complexity of tool integration
  • 5. Introduction – The Problem Scenario
      [Diagram: Alert "Success After X Failed Logins from IP" on Windows Platform, Server XNXYY, Severity ?? → Send Ticket to Windows Support. Incident Ticket – Identified Security Incident.]
      • First responders confused
      • Ticket sent to Windows group – after few days sent to Security Operations
      • Security operations confused where this came from and what severity is anyway
  • 6. Incident Type Definition
      Criteria for defining incident types to achieve streamlined incident response:
      • Following industry guidelines – NIST, Carnegie Mellon, SANS
      • Understandable
      • Reportable
      • Comprehensive set – but not too many!
      • Easily applied to security tools
      • Manageable
  • 7. Incident Type Definition
      Columns: Incident | Examples | Security or Privacy Breach | Notes

      Unauthorized Access
        Examples:
          • CORPORATE personnel gain logical or physical access without permission to network, system, application, data, facilities or other resource, e.g. hacking CORPORATE managed systems or third party managed systems; lost Blackberry or laptop.
          • External agent gains logical or physical access without permission to network, system, application, data, facilities or other resource, e.g. hacker, intruder.
        Security or Privacy Breach: Compromise – Theft/Removal, Destruction, Modification, Copying, Use
        Notes: All unauthorized access incidents should be handled using prescribed CORPORATE incident response operational processes. In such event, internal processes for investigation and possible disciplinary or criminal charges may apply.

      Unauthorized Disclosure
        Examples:
          • CORPORATE employee (IT or non-IT personnel) discloses sensitive data to unauthorized persons – may be in any form of correspondence including oral.
          • CORPORATE client (IT or business personnel) discloses confidential data to unauthorized CORPORATE employees.
          • CORPORATE client (IT or business personnel) discloses confidential data to third parties.
          • Granting read, write or delete privileges to individuals whose duties do not require such privileges.
        Security or Privacy Breach: Compromise – Theft/Removal, Destruction, Modification, Copying, Use; Disclosure of financial, finance reports, credit card related and personal information
        Notes: In the case of unauthorized disclosure by a CORPORATE employee, internal processes for investigation and possible disciplinary action may apply. There might be insufficient restrictions on access privileges for financial, finance reports, credit card related and personal information.

      Unauthorized Collection
        Examples:
          • CORPORATE application uses data matching or other process to collect financial, finance reports, credit card related and personal information without consent or knowledge of the information owner.
          • CORPORATE non-IT personnel: collection or use of financial or personal information for purposes other than verification.
          • External agent collecting the information from logical or physical CORPORATE infrastructure.
        Security or Privacy Breach: Collecting financial, finance reports, credit card related and personal information without identifying the purpose
        Notes: Potential problem normally identified in SRA process or audit. Process controls should be corrected once incident is identified.

      Unauthorized Disposal
        Examples:
          • Information such as financial or required finance reporting information not retained in accordance with CORPORATE standard requirements.
        Security or Privacy Breach: Unavailability of financial or required restricted and confidential information; Unavailability of personal information
        Notes: Policy and process for retention and disposal schedules is required.

      Unauthorized Use
        Examples:
          • CORPORATE application or a user uses data mining or other process for purposes other than those defined.
          • Unauthorized correlation of information.
          • CORPORATE non-IT personnel: use of financial or personal information for purposes other than those defined.
        Security or Privacy Breach: Use of financial, finance reports, credit card related, personal information and any other confidential or restricted information
        Notes: Policy should be defined for application; function should be enumerated.
  • 8. Incident Type Definition
      Columns: Incident | Examples | Security or Privacy Breach | Notes

      Infrastructure Attack
        Examples: An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources, e.g. distributed denial of service attack or active WLAN attack.
        Security or Privacy Breach: Unavailability
        Notes: Unavailability of financial, finance reports, credit card related and personal information must be reported and notification take place in accordance with CORPORATE standard requirements. SLAs should identify reporting requirements.

      Malicious Code and Malware
        Examples: A code-based malicious entity (virus, worm, trojan horse, malformed applet, rootkit, time-bombs etc.) that infects or destroys a host.
        Security or Privacy Breach: Compromise – Theft/Removal, Destruction, Modification, Copying, Use; Unavailability
        Notes: See above – corruption or compromise of financial, credit card and personal information requires detection and reporting.

      Infrastructure Vulnerabilities (found during vulnerability management process)
        Examples: Any found critical vulnerabilities that expose critical financial and personal information.
        Security or Privacy Breach: May cause unavailability, or loss of financial or personal information that is deemed confidential or restricted
        Notes: Possible unavailability of financial, finance reports, credit card related and personal information must be dealt with promptly.

      Compliance Specific
        Examples: CEO & CFO key controls and PCI key controls that could not be classified as one of the incident type categories specified in this matrix.
        Security or Privacy Breach: CORPORATE exposed to non-compliant environment and may incur penalties
        Notes: Impact to financial bottom line and possible executive prosecution.

      System Health Specific
        Examples: Specific to each operational tool with specific health issues that may impact security monitoring.
        Security or Privacy Breach: Security monitoring unavailable
        Notes: Impact to security group's ability to detect incidents and increased risk to organization. Business is not impacted, but monitoring must be restored as soon as possible.
  • 9. Function Based Alerting
      Columns: Incident Type | Alert Scenario | Events

      Unauthorized Access | x failed logins by a user in y mins | Windows failed login attempts; AIX failed login attempts; HP-UX failed login attempts; DB failed login attempts; ACS failed login attempts; Security Tools NIC failed login attempts; Checkpoint FW failed login attempts; Mainframe failed login attempts; Wireless Switch failed login attempts
      Unauthorized Access | Success after X failed logins by IP | Windows failed login attempts; AIX failed login attempts; HP-UX failed login attempts; DB failed login attempts; RADIUS failed login attempts; Security Tools NIC failed login attempts; Checkpoint FW failed login attempts; Mainframe failed login attempts; Wireless Switch failed login attempts
      Unauthorized Access | Successful login as the built-in administrator account has been detected | Windows login; AIX login; HP-UX login; DB login; RADIUS login; Security Tools login; Checkpoint FW login; Mainframe login; Wireless Switch login
  • 10. Asset Classification

      Asset Group  | Importance (Availability) | Integrity | Confidentiality | Vulnerability
      CKA & PCI    | 10                        | 10        | 10              | 1
      CKA          | 8                         | 8         | 8               | 1
      PCI          | 8                         | 8         | 8               | 1
      Production   | 6                         | 6         | 6               | 1
      QA           | 3                         | 3         | 3               | 1
      Development  | 3                         | 3         | 3               | 1

      LEGEND: Low 1-3, Medium 4-6, High 7-8, Very High 9-10
      Align incident response urgency to the business for resolution.
  • 11. Streamline Incident Ticket & Severity
      [Diagram: Server XNXX, Windows Platform, Classified – 10 CIA V1 → Unauthorized Access → Success After X Failed Logins per IP → Severity Level 2. Incident Ticket – Identified Security Incident.]
      The Efficient Scenario of Function Based Alerting
      • First responders know what type of ticket it is
      • Ticket sent to Security Operations with proper severity level
      • Security operations understand server classification and take appropriate action
  • 12. Streamline Incident Ticket & Severity
      [Diagram: Server XNXX, Windows Platform, Classified – 10 CIA V1 → Unauthorized Access → Success After X Failed Logins per IP; Server UNYY, UNIX Platform, Classified – 10 CIA V1 → Unauthorized Access → Success After X Failed Logins per IP → Severity Level 1. Incident Tickets – Identified Multiple Security Incidents.]
      The Real Life Benefit of Function Based Alerting
      • First responders saw two severity 2 alerts and one severity 1 alert from SIEM – automatic escalation
      • Alert escalated to Security Operations with proper severity level
      • Security operations take incident seriously and engage severity 1 level response team
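      The function-based alerting scenario of slide 9 and the severity derivation of slides 10 to 12, as an added worked example that is not part of the original deck: events from different platforms are mapped to one function, the "Success after X failed logins by IP" rule is evaluated over them, and the ticket severity is taken from the asset classification. The event names, the host-to-group map, the per-band severity numbers and the escalation rule are this example's assumptions, not the authors'.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Slide 9: platform-specific event names mapped to one function. The names
# are constructed for this example, not real vendor event identifiers.
EVENT_FUNCTION = {
    "windows.logon_failure": "failed_login",
    "aix.auth_fail": "failed_login",
    "windows.logon_success": "login",
    "aix.auth_ok": "login",
}
# Slide 10 asset classification: (Availability, Integrity, Confidentiality,
# Vulnerability) per asset group, with the legend bands below.
ASSET_CLASS = {
    "CKA & PCI": (10, 10, 10, 1), "CKA": (8, 8, 8, 1), "PCI": (8, 8, 8, 1),
    "Production": (6, 6, 6, 1), "QA": (3, 3, 3, 1), "Development": (3, 3, 3, 1),
}
# Constructed host-to-group map; XNXX and UNYY are the slides' server names.
HOST_GROUP = {"XNXX": "CKA & PCI", "UNYY": "CKA & PCI", "DEV01": "Development"}

@dataclass(frozen=True)
class Event:
    ts: datetime
    name: str      # platform-specific event name (key of EVENT_FUNCTION)
    user: str
    src_ip: str
    host: str

@dataclass(frozen=True)
class Alert:
    incident_type: str
    scenario: str
    host: str
    src_ip: str
    severity: int  # 1 is the most urgent, as on slides 11-12

def classification_band(score):
    """Legend from slide 10: Low 1-3, Medium 4-6, High 7-8, Very High 9-10."""
    return ("Very High" if score >= 9 else "High" if score >= 7
            else "Medium" if score >= 4 else "Low")

def base_severity(host):
    """Ticket severity from the host's CIA band. Slide 11 shows a '10 CIA V1'
    server yielding a level 2 ticket for one alert; the other bands are this
    example's assumption, not the authors' table."""
    scores = ASSET_CLASS[HOST_GROUP.get(host, "Development")]
    band = classification_band(max(scores[:3]))
    return {"Very High": 2, "High": 3, "Medium": 4, "Low": 5}[band]

def success_after_failed_logins(events, threshold=3, window=timedelta(minutes=5)):
    """Slide 9 scenario 'Success after X failed logins by IP', evaluated on
    the function of each event rather than its platform. One Alert per
    (host, src_ip) whose login followed >= threshold failures in window."""
    alerts, failures = [], defaultdict(list)  # (host, src_ip) -> timestamps
    for ev in sorted(events, key=lambda e: e.ts):
        func = EVENT_FUNCTION.get(ev.name)  # unmapped events are ignored
        key = (ev.host, ev.src_ip)
        if func == "failed_login":
            failures[key].append(ev.ts)
        elif func == "login":
            recent = [t for t in failures[key] if ev.ts - t <= window]
            if len(recent) >= threshold:
                alerts.append(Alert("Unauthorized Access",
                                    "Success after X failed logins by IP",
                                    ev.host, ev.src_ip, base_severity(ev.host)))
            failures[key].clear()
    return alerts

def incident_severity(alerts):
    """Automatic escalation in the spirit of slide 12 (rule assumed here):
    two or more level 2 alerts of one incident type from the same source
    IP on different hosts are raised to a single level 1 incident."""
    hosts_by_source = defaultdict(set)
    for a in alerts:
        if a.severity <= 2:
            hosts_by_source[(a.incident_type, a.src_ip)].add(a.host)
    if any(len(h) >= 2 for h in hosts_by_source.values()):
        return 1
    return min((a.severity for a in alerts), default=None)

def sample_events():
    """Constructed input: 203.0.113.7 fails three times then logs in on both
    XNXX (Windows) and UNYY (AIX); on DEV01 one failure then a login."""
    t0, ip, evs = datetime(2024, 1, 1, 9, 0), "203.0.113.7", []
    for i in range(3):
        evs.append(Event(t0 + timedelta(seconds=10 * i), "windows.logon_failure", "admin", ip, "XNXX"))
        evs.append(Event(t0 + timedelta(seconds=10 * i + 5), "aix.auth_fail", "root", ip, "UNYY"))
    evs += [Event(t0 + timedelta(seconds=40), "windows.logon_success", "admin", ip, "XNXX"),
            Event(t0 + timedelta(seconds=45), "aix.auth_ok", "root", ip, "UNYY"),
            Event(t0 + timedelta(seconds=50), "windows.logon_failure", "dev", ip, "DEV01"),
            Event(t0 + timedelta(seconds=55), "windows.logon_success", "dev", ip, "DEV01")]
    return evs
```

      Running `success_after_failed_logins(sample_events())` yields two level 2 "Unauthorized Access" alerts (XNXX and UNYY) and no alert for DEV01; `incident_severity` then raises the pair to a level 1 incident, mirroring the escalation on slide 12.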
  • 13. Steps to Function Based Alerting
      • Align incident types and function based alerting across all security tools
        – Start first with: SIEM, then add IDS, HIDS
        – Align vulnerability tools: VA, Secure Configuration Management, File Integrity Management
      • By aligning threat and exposure, achieve quantitative operational risk metrics
      • Align Risk & Governance with security operational risk using the same threat and vulnerability function based alerting
  • 14. Streamline Incident Response
      Standardized approach for incident investigation, containment and resolution is achieved by:
      • Function Based Alerting
      • Detailed, standardized information supporting 1st and n-level responders
      Enabling efficient and effective security operations:
      • Consistent severity assignment
      • Consistent investigation
      • Consistent resolution
  • 15. Benefits
      • Aligned security incident types to actions by incident responders
      • Structured incident types approach enables completeness check on alert set
      • Efficient and streamlined security incident detection and response
      • Minimizes gaps in detection capability across security tools
      • Standardized baseline approach for statistical incident analysis
      • Structured approach to threat modelling
      • Facilitates identification of new and enhanced security controls
  • 16. Conclusion
      • Statistical analysis of incidents
      • Straightforward threat modeling
      • Consistent operational security reporting
      • Foundation for enhanced:
        – Preventative controls
        – Detective controls
      [Diagram: PROACTIVE – Improve Posture; REACTIVE – Incident Response; Balance Investment Against Risk Appetite.]
  • 17. Questions?
      Predrag Zivic – pzivic@rogers.com
      Mike Lecky – mlecky@sympatico.ca