THE EVOLUTION OF SECURITY INCIDENT MANAGEMENT PRACTICES
Facing New Threat Paradigms
8/10/2015
Dr. Emmanouil Serrelis, CISM, BEng, MSc, MBA, PhD
eserrelis@metropolitan.edu.gr

The evolution of a soldier
[image slide]

Current attack surface
[image slides]

New attack surface
[image slides]

New attack paradigms
• Trust exploitation
• Hackers' intelligence
• Medium-neutral attacks (e.g. Cloud, O/S, IoT)
• Industry-specific attacks (e.g. Pharma trojan)
• Combination attacks (e.g. Bank Insider Fraud)
• Unknown attacks
  • Are they really?

The current answer: Incident Management

Incident management best practices
• Define: What is an incident for you?
• Develop workflows: What should you do in case of…?
• Obtain resources: Who/what should be involved?
• Train: What should you know beforehand?
• Prepare Plan B: What if workflows fail?
• Communicate: Who should be informed about what?
• Integrate: Who are your business / technical liaisons?
• Enrich knowledge: What should be added to your knowledge base?
• Review and Report: What are the conclusions?
• Evolve: How should the whole process be improved?

A new perspective: Drivers
• Current research activity
  • Metropolitan College: Information Security and Computer Forensics research team
• Current applications and services are protected through enterprise-wide mechanisms and processes, e.g. corporate SIEM solutions, SOC as a managed service
• Protection mechanisms are based on:
  • Integration capabilities of applications and services
  • Knowledge of the internal structure and function of applications and services

A new perspective: Principles
• What if we start building apps and services ready to integrate with Open SOCs that would dynamically:
  • Indicate the most risky vulnerable points
  • Indicate the most risky suspicious actions
  • Indicate the less risky countermeasures
• Open SOCs could combine the collective knowledge of:
  • Corporate SIEM solutions
  • Intelligence networks
  • Security vulnerability and threat DBs
  • etc.
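To make the Open SOC idea on the Principles slide and the design notes that follow it concrete, here is an added example (not code from the talk or from the Metropolitan College research team): an app-side emitter that merges heterogeneous sources (a SIEM-style feed and an anti-fraud feed), redacts sensitive service data before it leaves the app, and ranks incidents by a business-oriented risk factor rather than by the medium. The service names, weights, event kinds and sample events are all constructed assumptions.

```python
from dataclasses import dataclass, field
import hmac
# Constructed assumptions: business criticality per service, technical
# severity per event type, fields that must never leave the app in clear.
SERVICE_CRITICALITY = {"payments": 1.0, "catalog": 0.3}
EVENT_SEVERITY = {"auth_failure_burst": 0.5, "transfer_anomaly": 0.9}
SENSITIVE_FIELDS = {"account_no", "card_pan"}
APP_SECRET = b"constructed-demo-key"   # an app-held secret in practice
COMBINATION_BOOST = 1.5  # same service flagged by two sources (e.g. insider fraud)

@dataclass
class SocEvent:
    source: str   # "siem" or "antifraud"
    service: str
    kind: str
    details: dict = field(default_factory=dict)

def redact(details):
    """Let the SOC correlate sensitive values without seeing them: replace
    them with a keyed-hash fingerprint whose key stays inside the app."""
    return {k: hmac.new(APP_SECRET, str(v).encode(), "sha256").hexdigest()[:12]
            if k in SENSITIVE_FIELDS else v for k, v in details.items()}

def risk_score(ev):
    """Technical severity weighted by the business criticality of the service."""
    return EVENT_SEVERITY.get(ev.kind, 0.1) * SERVICE_CRITICALITY.get(ev.service, 0.1)

def prioritize(events):
    """Merge heterogeneous sources per service, boost when several sources
    agree, and return (service, score, sources) sorted most risky first."""
    per_service = {}
    for ev in events:
        entry = per_service.setdefault(ev.service, {"score": 0.0, "sources": set()})
        entry["score"] = max(entry["score"], risk_score(ev))
        entry["sources"].add(ev.source)
    ranked = []
    for svc, entry in per_service.items():
        score = entry["score"]
        if len(entry["sources"]) > 1:
            score = min(1.0, score * COMBINATION_BOOST)
        ranked.append((svc, round(score, 3), sorted(entry["sources"])))
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed sample: an auth burst on the catalog, and a payments anomaly
# seen by both the anti-fraud feed and the SIEM (a combination attack).
SAMPLE_EVENTS = [
    SocEvent("siem", "catalog", "auth_failure_burst", {"user": "alice"}),
    SocEvent("antifraud", "payments", "transfer_anomaly", {"account_no": "GR1234"}),
    SocEvent("siem", "payments", "auth_failure_burst", {"user": "bob"}),
]
```

Running `prioritize(SAMPLE_EVENTS)` puts the payments service first at score 1.0 because two independent sources flag the most business-critical service, while the catalog auth burst ranks low despite being the same event type a SIEM would normally alert on.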
A new perspective: Development
• Relevant efforts exist, e.g. Cisco OpenSOC
• However, our design is built to:
  • Include non-network data as well
  • Accommodate the confidentiality needs of sensitive service data
  • Combine heterogeneous sources (e.g. anti-fraud and SIEM systems)
  • Integrate into the app or a SOC middleware (as opposed to the SOC itself)
• Find me later to talk more about it … :)

Hold these thoughts…
• Attacks change their patterns and techniques
• The attack surface continues to increase
• Focus on critical services and goods – not the medium
• Act as if in a “state of compromise” – stay alert
• Invest in people's awareness
• Standardize and automate procedures
• Introduce a business-oriented risk factor in incident monitoring
  • More in tomorrow's workshop “Production-Oriented Risk Management Techniques for Managing Cybercrime Threats”
• Become an active member of Community Intelligence Networks (e.g. CCS)

Thank you!