
How to Build a Successful Incident Response Program

Date post: 06-Aug-2015
Upload: resilient-systems

Building an Incident Response Program

IR In 3 Easy Steps

Agenda

• Introductions

• Today’s Breach Reality

• IR in 3 Easy Steps
  • Assemble The Team
  • Prepare The Plan
  • Practice And Improve

Introductions: Today’s Speakers

• Ted Julian, Chief Marketing Officer, Co3 Systems

• Tim Armstrong, Security Incident Response Specialist, Co3 Systems

Co3 Systems at a glance

From privacy breaches, to malware outbreaks, to system intrusions, to DDoS attacks — Co3 automates incident response.

Based on a knowledge-base of incident response best practices, industry standard frameworks, and regulatory requirements, Co3 makes incident response efficient, compliant, and best-of-breed.

The complete process – based on E.R. standards

PREPARE

Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (firedrills / table tops)

MITIGATE

Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization

ASSESS

Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries

MANAGE

Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence

Today’s Breach Reality

Data breaches are on the rise and organizations are unprepared to detect them or resolve them:

• data breaches have increased in both severity (54 percent) and frequency (52 percent) in the past 24 months

• …organizations are facing a growing flood of increasingly malicious data breaches, and they don’t have the tools, staff or resources to discover and resolve them

THE PONEMON INSTITUTE [1]

[1] “The Post Breach Boom” – The Ponemon Institute, February 2013

Today’s Breach Reality

“If you are going to invest in one thing, it should be incident response”
GARTNER [2]

“You can’t afford ineffective incident response”
FORRESTER RESEARCH [3]

“Only 20% of respondents rate their IR program as being ‘very effective’” [1]

“Top spending priorities are training and automation tools”

2013 INCIDENT RESPONSE SURVEY – iSMG

[1] “The Need For Speed: 2013 IR Survey” - Information Security Media Group - August 2013

[2] Gartner Security Summit, Keynote Address - June 2013

[3] “Seven Habits of Highly Effective Incident Response Teams” - April 2013

Addressing Today’s Breach Reality

• Having an incident response capability is no longer optional
• Being prepared means having a “when” not an “if” strategy

Fortunately, bolstering IR isn’t hard

IR in 3 Easy Steps:
• Assemble The Team
• Prepare The Plan
• Practice And Improve

STEP 1: ASSEMBLE THE TEAM

Identify Team Members

• CEO, CISO, and other senior management
• Public Relations and General Counsel
• Help Desk
• Developers
• Change Control
• HR
• Law enforcement
• Maybe more…

Collaboration

Get Buy-in

• Education
  • Educate yourself

• Show Value
  • What would it cost if we didn’t react quickly?

• Show repercussions
  • Fines
  • Bad PR
  • Loss of revenue

POLL

Our incident response process is:

STEP 2: PREPARE THE PLAN

Identify Incident Types and Severity

• Event types:
  • Malware
  • Phishing
  • DoS/DDoS
  • Lost/stolen equipment/media
  • Lost/stolen documents
  • Improper disposal
  • System intrusions
  • Communication errors

Create Response Plans

• One for each individual type of event
• Possibly multiple types for each event

Define Required Documentation for Incidents

POLL

We plan to improve our incident response capability by: 

STEP 3: PRACTICE AND IMPROVE

Practice Your Plan

• Simulations
  • What if this happened to us?
  • Case studies

• Fire drills
  • What would we do if this happened to us?

Lessons Learned

• Hire more people:
  • analysts, legal, forensics, etc.

• Enhance preventative measures:
  • New hardware, software, tools, etc.

• Invest in user awareness and training:
  • Phishing, scams, malware recognition
  • Social engineering

• Review of process:
  • Credit monitoring services?
  • Letter fulfilment?

QUESTIONS

One Alewife Center, Suite 450

Cambridge, MA 02140

PHONE 617.206.3900

WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”

PC MAGAZINE, EDITOR’S CHOICE

“Co3…defines what software packages for privacy look like.”

GARTNER

“Platform is comprehensive, user friendly, and very well designed.”

PONEMON INSTITUTE

“One of the hottest products at RSA…”

NETWORK WORLD – FEBRUARY 2013
