Seccuris is North America's premier Information Assurance integrator. We enable organizations to achieve business goals through effective management of information risk. We are agile, innovative, flexible, and responsive. We assist your organization in managing all aspects of information risk. We specialize in end-to-end services, comprehensive solutions, and tailored programs.

What makes a Security Incident different from other IT incidents?

Break and Enter
• Let's apply our standard IT Incident Management Methodology to a simple 'real world' example: a Break and Enter into a home.
• Phases: Preparation, Detection, Diagnosis, Repair, Recovery, Resolution

Break and Enter
• Preparation - Monitored house alarm, heavy door, video surveillance, Neighbourhood Watch
• Detection - Alarm trips, phone call is made
• Diagnosis - House has been broken into. Door was smashed, items were stolen, house was rummaged.

Break and Enter
• Repair - Door is fixed, glass is cleaned up, house is cleaned, insurance is called.
• Recovery - Stolen items are replaced.
• Resolution - All is done, issues have been dealt with. Life is back to normal.

Break and Enter
• What is wrong with this approach?
• Has information been gathered by the thief?
• What 'intangibles' have been stolen?
• Why is this methodology not suitable for IT Security Events?

Break and Enter
EVIDENCE HAS BEEN DESTROYED: Conventional IT Incident Management processes are insufficient and sometimes even harmful to the chain of custody. Fixing the door and cleaning the house before anyone examines the scene removes exactly what an investigation needs.

Break and Enter
The goal of incident management is to restore the status quo. However, with Information Security Incidents there's a higher likelihood of collateral damage:
- the beginning of a systemic outbreak
- an all-out outage
- important data has left the environment

Agenda
- 5 reasons why we shouldn't follow the same methodology for Security Incidents as regular incidents
- At what phase is an incident identified as a Security Incident?
- How do we best integrate the outcome of an incident handling effort into the change control processes?
- The Future: Short-Term and Long-Term

Most Typical Information Security Incident Outcomes are:
a. Denial of Service
b. Unauthorized use of IT Resources
c. Credential/Data Theft

5 Reasons why we can't follow the same methodology for Security Incidents as regular incidents

Reason #1 – Threat Agents
Security Incidents always have a threat agent. They can be:
- Non-Target Specific: viruses, worms, trojans
- Employees: staff, contractors, operational/maintenance staff
- Organized Crime and Criminals: mostly looking for $
- Corporations/Government: mostly looking for competitive advantage
- Human, Intentional: insider, outsider, hacktivists, etc.

Reason #2 – Containment
Security Incident phases compared with regular Incident phases:

  Security Incidents   Incidents
  Preparation          Preparation
  Detection            Detection
  Containment          ?
  Analysis             Diagnosis
  Eradication          Repair
  Recovery             Recovery
  Follow-up            Resolution

The regular incident process has no step that corresponds to containment: it moves straight from diagnosis to repair.

Reason #3 – Service Levels
Information Security events are much like a Hospital Emergency Room, where the goal is not to measure resolution time; the service level that matters is time to containment.
[Chart: Resolution Effort vs. Containment Time]

Reason #4 – Impact not readily known
In some cases there's no visible impact at all. Regular incidents are classified by Service Disruption, which a security incident may not cause at all.

Reason #5 – Communication
Incidents are shared on a "who can help" basis.
Security Incidents are shared on a "need to know" basis.
- Who do you communicate with? (internal/external)
- What do you communicate?
- When do you communicate?

Bottom Line
The differentiation between an incident and a security incident must be clear and definite. However, they can be mutually complementary if defined and managed properly.
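The chain-of-custody point from the break-and-enter example and the containment step that the regular incident workflow lacks both come down to the same discipline: capture the evidence, prove it has not changed, and record who touched it, all before repair begins. The following is an added example, not code from the Seccuris deck or from OneStone; it acquires an image of a source file standing in for a disk, hashes the source stream and the written image independently, and appends every acquisition and verification to an append-only custody log. The file names, examiner name and case id are hypothetical.

```python
"""Evidence acquisition with hash verification and a chain-of-custody log.
Added example (not from the Seccuris deck); file names, examiner and case id
are hypothetical, and the sample 'disk' content is constructed inline."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB reads keep memory flat for large images


def sha256_file(path):
    """Hash a file in chunks so multi-GB images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _append(custody_log, record):
    """Append one JSON line; the log is only appended to, never rewritten."""
    with open(custody_log, "a") as f:
        f.write(json.dumps(record, sort_keys=True) + "\n")


def acquire_image(source, image_path, custody_log, examiner, case_id):
    """Copy source to image_path byte-for-byte, hashing the stream as it is read.

    The source is opened read-only and read exactly once. The image is then
    re-read and hashed separately; a mismatch means the copy cannot be trusted.
    """
    h = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    image_hash = sha256_file(image_path)
    if image_hash != h.hexdigest():
        raise RuntimeError("image hash differs from source stream; discard and re-acquire")
    record = {
        "event": "acquire", "case_id": case_id, "examiner": examiner,
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "source": os.path.abspath(source), "image": os.path.abspath(image_path),
        "bytes": size, "sha256": image_hash,
    }
    _append(custody_log, record)
    return record


def verify_image(image_path, custody_log, examiner):
    """Re-hash the image against its acquisition record.

    A 'verify' record is appended whether or not the check passes, so the log
    shows who handled the evidence, when, and what they found.
    """
    image_abs = os.path.abspath(image_path)
    expected = None
    with open(custody_log) as f:
        for line in f:
            rec = json.loads(line)
            if rec["event"] == "acquire" and rec["image"] == image_abs:
                expected = rec["sha256"]
    if expected is None:
        raise ValueError("no acquisition record for this image in the custody log")
    actual = sha256_file(image_path)
    ok = actual == expected
    _append(custody_log, {"event": "verify", "examiner": examiner,
                          "time_utc": datetime.now(timezone.utc).isoformat(),
                          "image": image_abs, "sha256": actual, "matches_acquisition": ok})
    return ok


def demo():
    """Acquire a constructed 'disk', verify, tamper with the copy, verify again.

    Returns (source unchanged, first verify, second verify): (True, True, False).
    """
    work = tempfile.mkdtemp()
    source = os.path.join(work, "sda1.raw")  # stands in for the affected host's disk
    image = os.path.join(work, "sda1.dd")
    log = os.path.join(work, "custody.jsonl")
    with open(source, "wb") as f:            # constructed, deterministic sample content
        f.write(b"MBR\x00" + bytes(range(256)) * 800 + b"/etc/shadow\n")
    before = sha256_file(source)
    acquire_image(source, image, log, "analyst", "IR-0001")
    first = verify_image(image, log, "analyst")
    with open(image, "r+b") as f:            # a "repair" made to the copy, not the evidence
        f.seek(10)
        f.write(b"X")
    second = verify_image(image, log, "analyst")
    return sha256_file(source) == before, first, second
```

Running demo() shows the point of the extra step: the original is never written to, the first verification passes, and once anyone changes the copy the second verification fails and the custody log records that it did. On a real host the source would be the block device (read-only) or a memory capture, the log would live off the affected system, and the hashes would be written into the case notes at acquisition time.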
At what phase is an incident identified as a Security Incident?
- Preparation
- Detection: best case
- Diagnosis: sometimes
- Repair, Recovery, Resolution: most commonly, which is too late, or not at all

What is the most effective way to detect these Security Incidents? People? Systems? Both.
Our most common sources of detection:
- Security Device Logs
- Non-Security Device Logs
- Help Desk
- Users

How do we best integrate the outcome of an incident handling effort into the change control processes?
ALIGN and INTEGRATE as part of detection and analysis.

Key Factors for Integration: Preparation and Detection!
• Create and maintain a Security Incident Handling Policy
• Define a Security Incident Handling Team
• Develop a communications plan
• Educate
• Establish detection services

Key Factors for Integration: Containment!
• Determine the risk of continuing operations
• Outsmart your threat agents
• Avoid potentially compromised code (use known-good tools rather than binaries found on the affected host)
• Take a forensic image of the system
• Get help

What does the future look like?
Long Term:
- Security Incidents are handled by help desk analysts
- All necessary information is available when an event occurs
- All analysts have enough Information Security know-how to handle day-to-day events
- Impact is readily known
- System Forensics is automatically engaged

What does the future look like?
Short Term:
- Integrate detection into Help Desk processes
- Start to integrate Information Security tasks into day-to-day processes
- Engage Information Security Analysts and/or consultants to aid in Security Incidents
- Begin cross-training all analysts in handling security incidents

What is OneStone?
• Software-as-a-Service Information Security capability for comprehensive threat protection
• OneStone is purpose-built by Seccuris to easily incorporate human analysis, review, and incident handling assistance
• Assisted and accelerated implementation, with a scalable, flexible architecture
• Provides customers a choice of self-managed or managed security services
• Straightforward, easy-to-use dashboards provide visibility into security issues and vulnerabilities
• Security Operations Center (SOC) analysts available 24x7

Current Services
- Threat Management
- Vulnerability Management
- Log Management
- Device Management
- Security Incident Handling
- Forensics

Why OneStone?
• Allows your staff to concentrate on higher-value activities
• Uses a combination of technology and security analysts to reduce the number of events staff need to investigate
• Improved network visibility and threat protection 24x7
• Enables risk management through a business-relevant, prioritized action plan
• We provide assistance on remediation or forensics from Information Security Analysts (ISAs) who understand the current threat landscape
• Relevant reporting capabilities for various business roles

Q&A
Ivo Wiens, Manager, Security Engineering, iwiens@seccuris.com
Gus Burneau, Information Security Sales Specialist, gburneau@seccuris.com