
Posted on 03-May-2020


Preparation is the best defense Guide to The first 24hr

Neumann Lim, CISSP, CCNA, CHFI

Network and Security Architect

New firewall rules
Server patching
Firewall updates
Threat Intel ingestion
User account audits
Password failure audits
Access removal requests
VPN account creations
Enforce vendors violating policy
Endless meetings with business units requesting access they don’t need
CEO’s laptop infected again
Threat hunting!? When do I have time…

The Ransom Note

CISO Phone call

When you think your day couldn’t get any worse…

Speaker BIO Neumann Lim

Lead IT Network and Security Architect, Detour Gold Corporation

Neumann Lim has been at Detour for the last year serving as the Enterprise Security Architect responsible for developing Detour's enterprise security architecture, strategies and methodologies on cyber security. Prior to this role, Neumann spent several years working with enterprises such as Microsoft, Cognizant, and Johnson Control, specializing in incident response. Neumann has over 8 years of cyber security and networking experience. He currently holds the CISSP, CCNA and CHFI certifications and is an active member of various security organizations such as HTCIA, ISC2 and the Cloud Security Alliance.

ASSUMPTIONS - Very much a People, Technology, Process Problem

#1 – You have the right technical people.

#2 – You have the support of the C-suite and the budgetary funding.

#3 – You have the right defensive Safeguards.

#4 – You have the right network architecture to give you maximum visibility.

#5 – The Incident Response Plan is part of a key business process.

Today’s Fire Alarm

12 min 28 sec full investigation time

10 min fire response time

If today’s fire alarm were a breach it would be:

12 min x 1 Gbps = 72 GB (theoretical) or ~54 GB (actual)

If you have fire escape plans… why not an incident response plan?

Why have an incident response plan? In the midst of an incident, there is no time to think about how to coordinate efforts or who will be doing what.

The incident response plan’s main purpose is to:

1) Plan, Coordinate and Prepare the entire corporation on the proper processes and protocols to engage during a breach.

2) Allow the teams of personnel to engage a structured plan of attack, gain proper resources and track all their efforts.

3) Minimize potential financial costs as a result of the breach.

There are plenty of free templates online from different security frameworks. Find the one that works best for your corporation and industry.

Breach Costs

Data breaches are very costly (data from https://eriskhub.com/mini-dbcc)

Average breach cost: $665,000 (NOTE: SME)

If healthcare: $717,000

Per record cost: $17,000

Average Crisis Services cost: $357,000

Average cost of Defense: $130,000

Average cost of Settlement: $815,000

One EXTREMELY IMPORTANT Aside – Digital Privacy Law “Bill S-4”

Very possibly coming into force this year.

Mandatory Breach Notification Requirement.

Federal Privacy Commissioner will investigate your breach.

Possible harsh regulatory penalties.

Even harsher litigated penalties from victims.

PIPEDA Report 2014-004 – safeguards found to be appropriate

First 24 Hours

Assemble the team

Starting with the designated Incident Commander.

Activate your IT and Security Teams.

Notify Executive Leadership, Legal, Breach Coach***, PR, HR, and other appropriate vendors.

Activate the WAR ROOM or EOC

***Breach Coach is a Lawyer specializing in data breaches (SANS 2014)

Start the INVESTIGATION

1. Raise Shields! Secure the environment.

2. Begin a Business Impact Assessment.

3. Start at the source. Analyze the data and begin link analysis.

4. Note down the timestamps. Gather and correlate the network logs, security logs, event logs.

5. Once root cause is identified and breach is confirmed, notify stakeholders (and activate Breach Coach). Activate forensics team for evidence preservation.
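Steps 3 and 4 above are where most of the first-day time goes: every source stamps time differently, and nothing correlates until they are on one clock. As an added example (not from the talk), the following Python script normalises three constructed log samples to UTC, merges them into one timeline and pivots on the host under investigation; the site time zone, the host-to-IP asset map and every log line are assumptions made for the demonstration.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample logs (not from the talk). Each source uses a different
# timestamp convention, which is exactly why step 4 says to note timestamps.
FIREWALL_LOG = """\
May 03 2020 09:14:02 fw01 deny tcp 10.0.5.23:51234 -> 203.0.113.7:445
May 03 2020 09:14:05 fw01 allow tcp 10.0.5.23:51240 -> 203.0.113.7:443
May 03 2020 09:14:09 fw01 allow tcp 10.0.7.9:44120 -> 198.51.100.2:443
"""
SECURITY_LOG = """\
2020-05-03T09:15:10-04:00 edr host=WS-0523 alert=ransomware.encrypt
"""
EVENT_LOG = """\
2020-05-03 13:12:55 UTC WS-0523 EventID=4624 user=jdoe logon_type=10
"""
SITE_TZ = timezone(timedelta(hours=-4))  # assumed: the firewall logs local time
ASSETS = {"WS-0523": "10.0.5.23", "WS-0709": "10.0.7.9"}  # assumed CMDB host -> IP map

FW_RE = re.compile(r"(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ (\w+) (\w+) (\S+?):\d+ -> (\S+?):\d+")
SEC_RE = re.compile(r"(\S+) edr host=(\S+) alert=(\S+)")
EVT_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC (\S+) (.*)")

def parse_all():
    """Normalise every line to (utc_datetime, source, ip, detail) and sort chronologically."""
    events = []
    for m in FW_RE.finditer(FIREWALL_LOG):
        ts = datetime.strptime(m[1], "%b %d %Y %H:%M:%S").replace(tzinfo=SITE_TZ)
        events.append((ts.astimezone(timezone.utc), "firewall", m[4], f"{m[2]} {m[3]} -> {m[5]}"))
    for m in SEC_RE.finditer(SECURITY_LOG):
        ts = datetime.fromisoformat(m[1])  # offset-aware ISO-8601 stamp
        events.append((ts.astimezone(timezone.utc), "edr", ASSETS.get(m[2], m[2]), m[3]))
    for m in EVT_RE.finditer(EVENT_LOG):
        ts = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append((ts, "eventlog", ASSETS.get(m[2], m[2]), m[3]))
    return sorted(events)  # first tuple element is the UTC datetime

def pivot(events, ip):
    """Link-analysis step: keep only the events tied to the host under investigation."""
    return [e for e in events if e[2] == ip]

if __name__ == "__main__":
    for ts, src, ip, detail in pivot(parse_all(), "10.0.5.23"):
        print(ts.isoformat(), src, ip, detail)
```

Run as written, the pivot shows the remote logon, the blocked SMB attempt, the allowed HTTPS session and the EDR alert in the order they actually happened, which the raw files do not.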

Collect Evidence First, Then Remediate

Document everything; interview everyone:

To whom was it reported? Who discovered it? Who knows about it? What was the cause of the breach? What was stolen? How? How are the current systems affected…

Assess the priorities and risk to the business

Review the communication protocols and update everyone on a “need-to-know” basis

Consult with Breach Coach and PR for next steps

Contact Law Enforcement

Only do this under the advice of Legal!!!

Make sure your forensics team knows about the decision and has what it needs to do its job.

Once LE is on-site, chain of command may change. Additional seizures of equipment may occur.

There may be a risk of public disclosure of sensitive data.

NOTIFICATION, Call Centers and Support

Using Alberta’s OIPC Breach Report Form as reference for now

Make public announcement

Activate a Call Center for victims (Crisis Communications)

Activate identity or credit protection for victims and support them

Don’t forget to support your staff!!!

Sample Letter

Returning to normal

Make response teams and executives understand that any new business projects may have to be postponed until the return to normal order.

Once RTO is achieved and all traces of the threat actor are removed, the Incident Commander can issue the return to normal order.

Hardening Up (Lessons Learned)

Update your BIA, Contact lists, Response plan, DR and BCP

Improve Vendor relations, contracts and safeguards

Review communications and notification guidelines

Review IT Security playbooks

Review Staff security awareness

Train, Engage, and Support your IT Staff

Drills

You know you are truly prepared when…

You are calm like this guy

Questions

Further inquiries, email: lneumann@protonmail.com