Cyber Resilience – Industry Best Practice in Managing
Security Incidents
Arne Jacobsen, Country Manager, DACH
21-JUN-16
Agenda
Introduction to Cyber Resilience
DACH research on the state of Cyber Resilience
What is an Incident Response Platform?
About Resilient, an IBM Company
Q&A
What is cyber resilience?
Cyber Resilience: Aligning prevention, detection, and response capabilities to manage, mitigate, and move on from cyberattacks.
PREVENTION: Help to continuously stop attacks and remediate vulnerabilities
DETECTION: Identify the most important threats with advanced analytics and forensics
RESPONSE: Respond to incidents in an integrated and organized fashion
IR challenges: what we hear most often
• Skills shortage
• Too many alerts, not enough time or resources
• Unrefined IR processes and communication
• Confusing regulatory landscape
Massive move in security spending is underway
Research conducted April ‘15 by Pierre Audoin Consultants
[Chart: share of security spend today vs. in 2 years, by category; each pair of figures gives the average and median values]
Prevent & Protect: 77% / 75% today; 61% / 60% in 2 years
Detect & Respond: 23% / 25% today; 39% / 40% in 2 years
Resilience attributes from our customers
• More proactive and strategic security planning
• More granular and customized incident response planning
• A single pane of glass for integrations, collaboration, and coordination
• Continuous assessment and improvement
[Diagram: Security posture improvement – Security Incident Knowledge Base – Cyber Incident Response Process]
“This is the decade of response… sophisticated, robust, and resilient.”
– Bruce Schneier, CTO, Resilient Systems
DACH Ponemon Report Findings
New Research on German Cyber Resilience
• 445 respondents from DACH organisations
• 1st German research on the state of Cyber Resilience
• 58%+ of the respondents are at supervisor level or above
• The largest industry sectors represented are Financial Services, Government, Health & Pharmaceutical and Industrial
The importance of cyber resilience to achieving certain business goals
(Very important and important responses combined)
January 2016, Ponemon Institute
[Chart]
Enhancing brand value and reputation: 60%
Maximizing employee productivity: 66%
Protecting intellectual property: 91%
Minimizing non-compliance with laws: 95%
How companies rate their resilience to cyber attacks
(7+ responses combined, from a scale of 1 = low resilience to 10 = high resilience)
[Chart]
Ability to prevent a cyber attack: 46%
Ability to recover from a cyber attack: 51%
Cyber resilience: 54%
Ability to quickly detect a cyber attack: 56%
Ability to contain a cyber attack: 63%
What best describes your organization’s cyber security incident response plan?
[Chart]
We have a well-defined CSIRP that is applied consistently across the entire enterprise: 21%
We don’t have a CSIRP: 21%
We have a well-defined CSIRP, but it is not applied consistently across the enterprise: 27%
Our CSIRP is informal or “ad hoc”: 31%
The most significant barriers to achieving a high level of cyber resilience within your organization
(Four responses permitted)
[Chart]
Lack of expert or knowledgeable staff: 26%
Lack of funding: 27%
Emergence of disruptive technologies…: 30%
Lack of leadership: 33%
Silos and turf issues: 38%
Complexity of IT processes: 39%
Insufficient risk awareness, analysis…: 45%
Complexity of business processes: 45%
Insufficient planning and preparedness: 69%
The Global view – How companies rate their resilience to cyber attacks
(7+ responses combined, from a scale of 1 = low resilience to 10 = high resilience; series: US, UK, DE)
[Chart; the series matching the German figures above is listed first, the US and UK series follow in the order extracted]
Cyber resilience: 54% / 29% / 25%
Ability to prevent a cyber attack: 46% / 35% / 33%
Ability to recover from a cyber attack: 51% / 36% / 31%
Ability to quickly detect a cyber attack: 56% / 42% / 45%
Ability to contain a cyber attack: 63% / 49% / 47%
3 Key Areas from the research
Preparation for Security Incidents
– Company-wide strategy is essential
Organisational Ownership and Leadership
– Cybersecurity challenges need senior focus
Cross-functional Collaboration
– Breaches are not only a Security Operations problem
Action Plan: Plan and Prepare
1. Review your cybersecurity incident response plan (CSIRP)
– Identify gaps in your plan – and fix them
– Make it dynamic for new threats and updated regulations
– Build a plan to execute against your CSIRP
• Establish KPIs to drive success
• Deploy technologies to track the successful execution of your plan
– Communicate your CSIRP
• Ensure the entire organisation understands its roles and responsibilities
Action Plan: Cybersecurity Ownership
2. Establish who owns cybersecurity issues in your organisation
– Companies need to have a business owner for Cyber Resilience. For most organisations, this should be the CIO or the CISO
– Create clear reporting lines and metrics to improve the organisation’s security posture
• Establish reporting measures and cadence; look at ‘Time to Detect’ or ‘Time to Remediate’ incidents, for example
– Expect the Board of Directors to show interest
• The state of Cyber Resilience will become part of the Board’s oversight – think about the information they need
Action Plan: Collaboration
3. Measure and improve the current state of collaboration in your organisation
– Specific plans help
• Properly developed CSIRPs will ensure that silos and turf issues can be identified
– Practice cross-functional collaboration
• Cybersecurity incident simulations and war gaming help different parts of the business understand their roles
– Get subject matter experts in the business to contribute
• Legal should own data privacy regulations and HR can weigh in on employee investigations
What is an Incident Response Platform?
The purpose of an Incident Response Platform (IRP)
• Creates a single hub for all IR
• Empowers teams to work more intelligently
• Agile platform
• Compatible with all other systems
[Diagram: the IRP as hub, integrated with intelligence feeds, SIEM, external communication, configuration management, sandbox, asset database, forensics, custom portal, and ticketing]
IRP use case: Malware outbreak in midsize environment
[Diagram: Inputs/Escalation → Incident Response Platform (automatic enrichment with threat data; action plans) → Incident resolution; example labels: “Malware ticket”, “Mitigation: Phishing Attack Data”]
Resilient generates a malware-specific IR playbook:
• Quarantine infected system
• Reimage machine
• Post-incident review – update policies and procedures
IRP use case: Fusion center
[Diagram: App logs, F/W logs and DHCP logs feed Inputs/Escalation into the Incident Response Platform]
• Manually invoked remediation: IT Help Desk, Forensics, Identity Management
• Automatic enrichment: Vulnerability Management, Passive DNS, Threat Data
• Manually invoked enrichment: Endpoint Security, Malware, Web Gateway
About Resilient, an IBM Company
QRadar & Resilient: Life of an incident
[Diagram: Continuous security analytics (QRadar: prioritized security insights from logs, flows, vulns, user, config data etc.) → Incident creation → Security incident triage (Resilient Incident Response Platform: process for responding to threats, breaches, vulnerabilities) → Gather context & task → Remediate & close → Incident report and notify → Security posture improvement (security incident knowledge base)]
► Assign based on type (e.g. breach)
► Business notification based on type (e.g. risk)
► Associate additional evidence
► Apply compliance context
► Assign tasks
► Communicate remediation tasks to teams
► Confirm remediation
► Close incident
► Report/notify