Incident Response – How to Fight Back

SANS Incident Response Survey
Incident Techniques and Processes: Where We Are in the Six-Step Process
Presented by:
Alissa Torres
Certified SANS Instructor
© 2014 The SANS™ Institute – www.sans.org
Six Steps of Incident Response
IR Survey Overview
• Survey online from May to June 2014
• Respondents solicited from 13 different regions and countries
• 259 qualified respondents
• Qualified = “professionals working with or in IT organizations to promote cybersecurity, especially in the area of IR”
• 85% of respondents work in incident response roles within their organizations
Survey Demographics
“What is your company's primary industry?”
15% Tech/IT Industry
14% Financial Services
11% Government
“cross section of all major industries”
[Bar chart of respondent industries: Technology/IT services; Financial services; Education; Health care/Pharmaceutical; Government (law enforcement and military); Energy/Utilities; Other; Forensics consulting/Incident…; Government (nonmilitary); Incident response/Forensics…; Telecommunications/Service provider; Manufacturing; Insurance; Retail; Religious/Nonprofit; ISP/Hosting/Service provider; Law practice/Legal support services; Transportation; Aerospace; Engineering/Construction]
Organization Size
“How large is your organization’s workforce, including both employee and contractor staff?”
24% over 20,000 employees
17% less than 100 employees
“fantastic audience to enable correlation of organization’s size with incident activity”
[Pie chart of workforce size: Over 20,000 (23.6%); 15,000–19,999; 10,000–14,999; 5,000–9,999; 2,000–4,999; 500–1,999; 100–499; Fewer than 100 (17.0%)]
Respondent Roles
“What is your primary role in the organization, regardless of whether you are considered an employee or consultant?”
29% Security Analysts
28% Management
11% Forensic Examiners/Investigators
[Bar chart of primary roles: Security analyst; Security manager/Director/CSO/CISO; Incident responder; IT manager/Director/CIO; Digital forensics specialist; Other; System administrator; Investigator; Compliance officer/Auditor; Network operations; Helpdesk agent/Technician; Legal professional]
Respondent Roles
“Are you actively involved in the detection, analysis or remediation of incidents in your organization?”
85% Actively Involved in Detection, Analysis or Remediation of Incidents
[Pie chart: Yes 84.8%; No 15.2%]
Respondent Roles
“Did you play a role in any of the above incidents’ detection, analysis or remediation? If so, what was that role?”
33% Led Remediation Process
20% Assisted with Identification of the Incident
[Pie chart of roles played: Led remediation process (33.3%); Assisted with identification of incident (20.4%); Assisted with remediation; Discovered and reported; Didn’t play a role; Didn’t play a role, but observed; Other]
Self-Reported IR Effectiveness
“How effective do you feel your incident response capabilities and processes are (including your outsourcing arrangement)?”
41.9% Very Effective/Effective
25% NOT Effective
“the personality of the IR community”
[Pie chart of self-rated effectiveness: Very effective; Effective; Somewhat effective; Not effective; Unknown]
Incident Quantity
“Over the past two years, how many critical incidents (such as those resulting in data breach, unauthorized access, denial of service) has your organization experienced that required incident response?”
48% 1-25 Incidents per 24 months
18% None
21% Unknown
[Bar chart of critical incidents in the past two years: None; 1–25; 26–50; 51–100; 101–500; Over 500; Unknown]
Incidents by Type
“What was the nature of the incidents? If possible, please provide the frequency for each type of incident or false alarm experienced.”
82% Malware
70% Unauthorized Access
66% False Alarms **
49% DDOS
[Stacked bar chart of incident types (Malware; Unauthorized access; False alarms; Data breach; Advanced persistent threat; Distributed denial of service; Other), each broken down by frequency band: 1; 2–5; 6–10; 10–20; More than 20]
Incident Identification Methods
“How does your organization identify impacted systems, and how automated are these processes of identification?”
Automated:
54% Network Scanning
46% HIDS alerts
45% Firewall/IDS alerts
22% SIEM Correlation
Manual:
52% User Notification
51% Log Analysis
37% Forensic Suites
31% Network Sniffing
[Bar chart of identification methods, each rated Manual, Automated, Both or N/A]
Detection to Containment
“From the time the incident was discovered, how much time elapsed until containment was accomplished?”
20% 4-8 Hours
16% 1-4 Hours
13% 9-24 Hours
14% 2-7 Days
11% Over a month
2.2% Never
[Bar chart of time from discovery to containment: Less than 1 hour; 1–4 hours; 4–8 hours; 9–24 hours; 1–2 days; 2–7 days; 1–2 weeks; 2–4 weeks; 1–3 months; 3–6 months; 6–12 months; More than 12 months; Not achieved; Unknown]
Detection to Containment
What Steps are Accomplished in this Timeframe?
• System Identification
• Rule Out False Positive
• Triage Process
• Escalation to Higher Tier Support
• Automated or Manual Network Isolation
Detection to Remediation
“From the time the incident was discovered, how much time elapsed until remediation was achieved?”
21.5% 2-7 Days
17% 1-2 Days
7.5% 1-2 Weeks
7.5% 9-24 Hours
15% Over a Month
[Bar chart of time from discovery to remediation: Less than 1 hour; 1–4 hours; 4–8 hours; 9–24 hours; 1–2 days; 2–7 days; 1–2 weeks; 2–4 weeks; 1–3 months; 3–6 months; 6–12 months; More than 12 months; Not achieved; Unknown]
Detection to Remediation
What Steps are Accomplished in this Timeframe?
• System Identification
• Rule Out False Positive
• Triage Process
• Escalation to Higher Tier Support
• Automated or Manual Network Isolation
• Enterprise Scoping
• Reset Compromised Credentials
• Removal of Malware/Rebuilding of a Machine
Targeted Data
“If you experienced a data breach in the past two years, what type of data was exfiltrated from the environment? Please select all that apply.”
36.4% Employee Data
36.4% Consumer Info
32% Proprietary Customer Data
32% Intellectual Property
[Bar chart of exfiltrated data types: Employee information; Individual consumer customer information; Proprietary customer information; Intellectual property (source code, manufacturing plans, etc.); Other; Legal data]
Barriers to Efficient IR
“What do you believe are the key impediments to effective IR at your organization?”
62% Lack of Time to Review Procedures
60% Lack of Budget for Tools/Tech
55% Lack of Formal IR Team/Service
52% Lack of Visibility into Endpoints
[Bar chart of impediments: Lack of time to review/…; Lack of budget for…; Lack of a formal IR team or IR service; Little visibility into system/endpoint…; Lack of IR plans and procedures; Difficulties correlating events…; Silos between IR and other groups; Difficulty in finding and…; Accessing records involved…; Difficulties finding tools…; Legal/HR impediments; Lack of trusted service providers available; Jurisdictional issues with cloud services; Other jurisdictional issues; Other]
Planned Areas of Improvement
“What improvements is your organization planning for incident response programs over the next 24 months? Select all that apply.”
68% More Automation/SIEM Integration
58% Improved Visibility into Threats/Vulns
53.7% Improved Remediation/Follow-Up
41.5% Improved Ability to Scope Intrusion
[Bar chart of planned improvements: More automation/security event information management (SEIM) integration for reporting and analysis; Improved visibility into threats and associated vulnerabilities as they apply to the environment; Improved remediation and follow-up processes; Improved ability to scope impacted systems and pinpoint source; Better response time; Other]
Sources for IR Capability
“What resources does your organization utilize in responding to incidents? Select all that apply.”
61.4% Surge Team
59% Dedicated Internal Team
25% 3rd Party IR Services as needed
25% 3rd Party IT Service Provider
[Bar chart of resources used: Surge team drawn from our internal staff (61.4%); Dedicated internal team focused on IR, reporting and remediation (58.6%); Third-party IR services we call as needed; Third-party IT management provider; Other]
Sources for IR Capability
“How large is your response team? Please indicate your dedicated capability as well as surge capability (additional manpower called in during large incidents).”
Surge Team:
24% Size of 3-5
17% Size of 6-10
17% Size of 11-20
Dedicated Team:
31% Size of 3-5
25% Size of 1-2
[Bar chart of response team size (None; 1–2; 3–5; 6–10; 11–20; More than 20), shown separately for surge capability and dedicated team]
Capability for Incident Types
“What business processes and systems can your organization investigate in-house? What capabilities do your outsourced IR services provide?”
In-house:
Company Owned Assets
Internal Network Systems
Outsourced:
Cloud Services/Apps
Non-PC Devices
[Bar chart of systems investigated (Business applications in the cloud, such as SAP or email; Company-owned laptops, smartphones, tablets and other…; Internal network systems and applications, including…; Corporate-owned social media accounts; Employee-owned computers, laptops, tablets and…; Embedded, or non-PC devices, such as media and…; Web applications; Virtual servers running in the cloud (e.g., Azure or Amazon EC2); Third-party social media accounts or platforms; In the cloud marketplace via shared applications, such as…; Other), each rated In-house, Outsourced, Both or N/A]
Remediation Techniques
“What practices do you have in place for remediating incidents? Select all that apply.”
74.6% Wiping/Reimaging
68.7% Killing Rogue Processes
68.7% Removing Rogue Files
56.7% Restore from Backup
54% Surgically Remediate
[Bar chart of remediation practices: Wiping and reimaging compromised machines from golden (baseline) image; Killing rogue process; Removing rogue files; Restoring compromised machines from backup; Using manual methods to surgically remediate compromised machines (i.e., remove file and registry keys related to the compromise…); Rebuilding compromised machines from OS media and reinstalling programs; Restoring gold builds; Using automated methods to surgically remediate compromised machines; Other]
Historical Network Data Archives
“Does your organization have a way to look back and find incidents that occurred in the past using network history data?”
50.7% Yes
32.8% No
16.4% Unknown
Threat Intel Tracking
“Does your organization perform adversary/attacker attribution based on the data/signatures collected during the incident response process?”
31.3% Yes
46.3% No
22.4% Unknown
IR Budget Allotments
“What percentage of your security budget is assigned to incident response?”
38.6% Unknown
29.5% None
11.4% 4-5% of Budget
6.8% 1-2% of Budget
6.8% 5-10% of Budget
[Pie chart of IR share of security budget: None; 1–2%; 2–3%; 4–5%; 5–10%; Greater than 10%; Unknown]
IR Expense Tracking
“Do you measure the associated costs of handling incident response?”
62.8% Do Not Track
14% Do Track Expenses
23.3% Unknown
IR Expense Tracking: Metrics to Track
• Travel Expenses
• Cost of System Downtime
• Productivity Loss for Employees
• Security Team Man Hours
• Forensics Imaging/Analysis Costs
• Cost of Ineffective/Inefficient Tools
• Reinventing Procedures due to Lack of Formal Plan
• Cost of Training Surge Staff
IR Expense Tracking: Benefits of Keeping Metrics
• Justify Additional Full-Time Employees
• Justify Additional Tool/Skill Training
• Support Acquisition of Enterprise Forensic/IR Tools
• Support Vendor Training on Tools
• Justify Enterprise Tool “Baselining”
• Fuel Stakeholder Buy-In
• Emphasize Security Focus in All Departments
Bottom Line
• Many IR professionals feel their organizations’ IR capabilities are ineffective.
• Broad definitions of an incident place a strain on IR teams.
• Lack of time to review and practice IR procedures is a primary barrier to effective incident response.
• Lack of formalized IR plans and dedicated staff plague most organizations.
• Organizations need to implement collection and correlation of threat intelligence.
Bottom Line (2)
• SIEM tools are the focus of those working to improve their IR capability.
• Organizations have not yet implemented the collection and correlation of threat intelligence.
• Efficient response to incidents is hindered by lack of budget dedicated in support of the IR mission.
• Metrics such as costs incurred per incident are NOT being tracked within organizations.
Recommendations
• Define your organization’s specific definition of an incident and staff the team accordingly.
• Increase efficiency of IR tools to maximize limited manpower.
• Build security into other business units’ processes.
• Formalize incident response plans, policies and procedures.
Recommendations (2)
• Effective IR team management must include tracking budgetary and human resources to meet the IR mission.
• Implement internal training and tabletop exercises for gap analysis of skill sets and IR process/procedures.
• Track incident response metrics to justify IR tools and increased team size, training and tool maintenance.
Survey Results
https://www.sans.org/readingroom/whitepapers/analyst/incident-response-fight35342