Date post: 01-Feb-2017
Cyber Resilience Industry Best Practice in Managing Security Incidents Arne Jacobsen, Country Manager, DACH
Transcript
Page 1: Cyber Resilience – Industry Best Practice in Managing Security ...

Cyber Resilience – Industry Best Practice in Managing Security Incidents

Arne Jacobsen, Country Manager, DACH

Page 2: Cyber Resilience – Industry Best Practice in Managing Security ...

Agenda

• Introduction to Cyber Resilience
• DACH research on the state of Cyber Resilience
• What is an Incident Response Platform?
• About Resilient, an IBM Company
• Q&A

21-JUN-16

Page 3: Cyber Resilience – Industry Best Practice in Managing Security ...

What is cyber resilience?

Cyber Resilience: aligning prevention, detection, and response capabilities to manage, mitigate, and move on from cyberattacks.

PREVENTION: help to continuously stop attacks and remediate vulnerabilities

DETECTION: identify the most important threats with advanced analytics and forensics

RESPONSE: respond to incidents in an integrated and organized fashion

Page 4: Cyber Resilience – Industry Best Practice in Managing Security ...

IR challenges: what we hear most often

• Skills shortage
• Too many alerts, not enough time or resources
• Unrefined IR processes and communication
• Confusing regulatory landscape

Page 5: Cyber Resilience – Industry Best Practice in Managing Security ...

Massive move in security spending is underway

Share of security spending by area (research conducted April ‘15 by Pierre Audoin Consultants):

Prevent & Protect: average spend today 77%, median spend today 75%; average spend in 2 years 61%, median spend in 2 years 60%
Detect & Respond: average spend today 23%, median spend today 25%; average spend in 2 years 39%, median spend in 2 years 40%

Page 6: Cyber Resilience – Industry Best Practice in Managing Security ...

Resilience attributes from our customers

• More proactive and strategic security planning
• More granular and customized incident response planning
• A single pane of glass for integrations, collaboration, and coordination
• Continuous assessment and improvement

Diagram labels: Security posture improvement, Security Incident Knowledge Base, Cyber Incident Response Process

Page 10: Cyber Resilience – Industry Best Practice in Managing Security ...

“This is the decade of response…sophisticated, robust, and resilient.”

-Bruce Schneier, CTO, Resilient

Page 11: Cyber Resilience – Industry Best Practice in Managing Security ...

DACH Ponemon Report Findings

Page 12: Cyber Resilience – Industry Best Practice in Managing Security ...

New Research on German Cyber Resilience

• 445 respondents from DACH organisations
• First German research on the state of Cyber Resilience
• 58%+ of the respondents are at supervisor level or above
• The largest industry sectors represented are Financial Services, Government, Health & Pharmaceutical and Industrial

Page 13: Cyber Resilience – Industry Best Practice in Managing Security ...

The importance of cyber resilience to achieving certain business goals (Very Important and Important responses combined)

Source: Ponemon Institute, January 2016

Enhancing brand value and reputation: 60%
Maximizing employee productivity: 66%
Protecting intellectual property: 91%
Minimizing non-compliance with laws: 95%

Page 14: Cyber Resilience – Industry Best Practice in Managing Security ...

How companies rate their resilience to cyber attacks (7+ responses combined from a scale of 1 = low resilience to 10 = high resilience)

Ability to prevent a cyber attack: 46%
Ability to recover from a cyber attack: 51%
Cyber resilience: 54%
Ability to quickly detect a cyber attack: 56%
Ability to contain a cyber attack: 63%

Page 15: Cyber Resilience – Industry Best Practice in Managing Security ...

What best describes your organization’s cyber security incident response plan?

We have a well-defined CSIRP that is applied consistently across the entire enterprise: 21%
We don’t have a CSIRP: 21%
We have a well-defined CSIRP, but it is not applied consistently across the enterprise: 27%
Our CSIRP is informal or “ad hoc”: 31%

Page 16: Cyber Resilience – Industry Best Practice in Managing Security ...

The most significant barriers to achieving a high level of cyber resilience within your organization (four responses permitted)

Lack of expert or knowledgeable staff: 26%
Lack of funding: 27%
Emergence of disruptive technologies…: 30%
Lack of leadership: 33%
Silos and turf issues: 38%
Complexity of IT processes: 39%
Insufficient risk awareness, analysis…: 45%
Complexity of business processes: 45%
Insufficient planning and preparedness: 69%

Page 17: Cyber Resilience – Industry Best Practice in Managing Security ...

The global view: how companies rate their resilience to cyber attacks (7+ responses combined from a scale of 1 = low resilience to 10 = high resilience; series: US, UK, DE)

DE (the same figures as the DACH results above):

Cyber resilience: 54%
Ability to prevent a cyber attack: 46%
Ability to recover from a cyber attack: 51%
Ability to quickly detect a cyber attack: 56%
Ability to contain a cyber attack: 63%

The US and UK series on the same chart all fall between 25% and 49% across the five measures.

Page 18: Cyber Resilience – Industry Best Practice in Managing Security ...

3 Key Areas from the research

Preparation for Security Incidents
– A company-wide strategy is essential

Organisational Ownership and Leadership
– Cybersecurity challenges need senior focus

Cross-functional Collaboration
– Breaches are not only a Security Operations problem

Page 19: Cyber Resilience – Industry Best Practice in Managing Security ...

Action Plan: Plan and Prepare

1. Review your cybersecurity incident response plan (CSIRP)
– Identify gaps in your plan – and fix them
– Make it dynamic for new threats and updated regulations
– Build a plan to execute against your CSIRP
• Establish KPIs to drive success
• Deploy technologies to track the successful execution of your plan
– Communicate your CSIRP
• Ensure the entire organisation understands their roles and responsibilities

Page 20: Cyber Resilience – Industry Best Practice in Managing Security ...

Action Plan: Cybersecurity Ownership

2. Establish who owns cybersecurity issues in your organisation
– Companies need to have a business owner for Cyber Resilience. For most organisations, this should be the CIO or the CISO
– Create clear reporting lines and metrics to improve the organisation’s security posture
• Establish reporting measures and cadence; look at ‘Time to Detect’ or ‘Time to Remediate’ incidents, for example
– Expect the Board of Directors to show interest
• The state of Cyber Resilience will become part of the Board’s oversight – think about the information they need

Page 21: Cyber Resilience – Industry Best Practice in Managing Security ...

Action Plan: Collaboration

3. Measure and improve the current state of collaboration in your organisation
– Specific plans help
• Properly developed CSIRPs will ensure that silos and turf issues can be identified
– Practice cross-functional collaboration
• Cybersecurity incident simulations and war gaming help different parts of the business understand their roles
– Get subject matter experts in the business to contribute
• Legal should own data privacy regulations and HR can weigh in on employee investigations

Page 22: Cyber Resilience – Industry Best Practice in Managing Security ...

What is an Incident Response Platform?

Page 23: Cyber Resilience – Industry Best Practice in Managing Security ...

The purpose of an Incident Response Platform (IRP)

• Creates a single hub for all IR
• Empowers teams to work more intelligently
• Agile platform
• Compatible with all other systems

Diagram: the Incident Response Platform at the centre, connected to Intelligence Feeds, SIEM, External Communication, Configuration Mgt, Sandbox, Asset Database, Forensics, Custom Portal, Email and Ticketing

Page 24: Cyber Resilience – Industry Best Practice in Managing Security ...

IRP use case: Malware outbreak in midsize environment

Diagram labels: Inputs/Escalation (malware ticket, phishing attack data), Incident Response Platform, Automatic Enrichment (Threat Data), Action Plans, Incident Resolution

Resilient generates a malware-specific IR playbook:

• Quarantine infected system
• Reimage machine
• Post-incident review – update policies and procedures

Page 25: Cyber Resilience – Industry Best Practice in Managing Security ...

IRP use case: Fusion center

Diagram labels:

Inputs/Escalation: App Logs, F/W Logs, DHCP Logs

INCIDENT RESPONSE PLATFORM

MANUALLY INVOKED REMEDIATION: IT Help Desk, Forensics, Identity Management

AUTOMATIC ENRICHMENT: Vulnerability Management, Passive DNS, Threat Data

MANUALLY INVOKED ENRICHMENT: Endpoint Security, Malware, Web Gateway

Page 26: Cyber Resilience – Industry Best Practice in Managing Security ...

About Resilient, an IBM Company

Page 27: Cyber Resilience – Industry Best Practice in Managing Security ...


Page 28: Cyber Resilience – Industry Best Practice in Managing Security ...

QRadar & Resilient: Life of an incident

QRadar: prioritized security insights from logs, flows, vulns, user, config data etc. (continuous security analytics)

Resilient Incident Response Platform: process for responding to threats, breaches, vulnerabilities

Stages: Incident creation → Security incident triage → Gather context & task → Remediate & close → Incident report and notify → Security posture improvement (security incident knowledge base)

► Assign based on type (e.g. breach)
► Business notification based on type (e.g. risk)
► Associate additional evidence
► Apply compliance context
► Assign tasks
► Communicate remediation tasks to teams
► Confirm remediation
► Close incident
► Report/notify
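The life-of-an-incident flow above (incident creation, type-based action plan and notification, task assignment, confirmed remediation, close) together with the ‘Time to Detect’ and ‘Time to Remediate’ metrics from the action plan, as a small Python model. This is an added example, not code from Resilient or IBM; the malware task list is the one on the slide, while the "breach" playbook, the NOTIFY mapping and the timestamps are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Playbook tasks per incident type: malware list from the slide, "breach" constructed.
PLAYBOOKS = {
    "malware": ["Quarantine infected system", "Reimage machine",
                "Post-incident review: update policies and procedures"],
    "breach": ["Associate additional evidence", "Apply compliance context",
               "Confirm remediation"],
}
# Business teams notified per type (constructed; Legal and HR own their parts).
NOTIFY = {"malware": ["IT Help Desk"], "breach": ["Legal", "HR"]}

@dataclass
class Incident:
    kind: str
    occurred: datetime
    detected: datetime
    tasks: dict = field(default_factory=dict)      # task -> completed?
    notified: list = field(default_factory=list)
    remediated: Optional[datetime] = None

def create_incident(kind: str, occurred: str, detected: str) -> Incident:
    """Incident creation: the type selects the action plan and who is notified."""
    if kind not in PLAYBOOKS:
        raise ValueError(f"no playbook for incident type {kind!r}")
    inc = Incident(kind, datetime.fromisoformat(occurred),
                   datetime.fromisoformat(detected))
    inc.tasks = {task: False for task in PLAYBOOKS[kind]}
    inc.notified = list(NOTIFY[kind])
    return inc

def complete_task(inc: Incident, task: str, when: str) -> Incident:
    """Mark a task done; remediation is confirmed once every task is done."""
    if task not in inc.tasks:
        raise KeyError(f"{task!r} is not part of the {inc.kind} playbook")
    inc.tasks[task] = True
    if all(inc.tasks.values()):
        inc.remediated = datetime.fromisoformat(when)
    return inc

def close_incident(inc: Incident) -> dict:
    """Close only after confirmed remediation; report both KPIs in hours."""
    open_tasks = [t for t, done in inc.tasks.items() if not done]
    if open_tasks:
        raise RuntimeError("cannot close, open tasks: " + "; ".join(open_tasks))
    ttd = (inc.detected - inc.occurred).total_seconds() / 3600
    ttr = (inc.remediated - inc.detected).total_seconds() / 3600
    return {"time_to_detect_h": ttd, "time_to_remediate_h": ttr}
```

Closing is refused while any playbook task is open, which is the "confirm remediation before close" step the slide lists; the returned hours are the reporting measures the ownership slide asks for.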

Page 29: Cyber Resilience – Industry Best Practice in Managing Security ...
