Background
• 25+ Years Experience in Information Security
• Led Professional Service Organizations for Several Large Consultancies
• Assessed and Built Information Security Programs for Federal Agencies, State Agencies, Universities, Hospitals, Major Retailers, and Internet Companies
• Prepared over 2000+ students for security certifications
• Developed RIOT Data Gathering Method for Risk Assessment
• Revised Security Policy Development Approaches
Information Security Breach Response
Detection: Initial Assessment, Triage, Escalation
Analysis
Recovery
Post-Incident
9 Parsons Proprietary ITAR CM.01.2014
Many Breaches Go Undiscovered / Unreported
Detecting intrusions and breaches:
• 64% – percentage of organizations that took greater than 90 days to detect a breach
• 243 days – median number of days that attackers were present on a victim network before detection
• 86% of breaches were reported by an external party (U.S. Justice Dept notified Target)
Information Security Breach Response
Detection
Analysis: Impact Analysis, Response Activities, Initial Recovery
Recovery
Post-Incident
Incident Response Mistakes:
• Under-scoping incident
• Improperly staffed response
• Legal Missteps
Information Security Breach Response
Detection
Analysis
Recovery: Impact Mitigation, Eradication, Recovery
Post-Incident
Incident Recovery Mistakes:
• Communication Errors
• Incomplete Mitigation / Eradication
Information Security Breach Response
Detection
Analysis
Recovery
Post-Incident: Root Cause Analysis, Incident Costing, Prevention Activities
Post-Incident Response Mistakes:
• Lack / Improper Root Cause Analysis
• Incomplete Costing (e.g., operational, fines)
• Effective Prevention
Typical Responses
Spot Solutions:
• Security Awareness
• System Hardening / Patching
• Access Control
• Network / System Monitoring
• Vulnerability Scanning / Penetration Testing
• Secure Development
• Email Filtering
• Boundary Defense
Crown Jewel Approach
Threats vs. Impact – Most Critical Data & Systems
• Threats: All System Threats + Unique Threats + Targeted Attacks
• Impact: Catastrophic Impact upon system loss or upon data loss
Crown Jewels
Volume vs. Impact – Most Critical Data & Systems
• For most organizations, 0.01% – 2.0% of total sensitive data represents up to 70% of sensitive data value
Source: U.S. President’s 2006 Economic Report to Congress
Crown Jewels Project
Define – For Each Business Unit:
• Identify Critical Systems
• Define Critical Data
Discover – For Each Crown Jewel:
• Identify Lifecycle, Environment, and Flows
• Identify System & Environment Controls
Baseline – For Each Crown Jewel:
• Identify Requirements
• Assess Control Effectiveness
Analyze:
• Identify Control Gaps
• Identify Security Risk
• Prioritize Security Gaps
Secure:
• Create Security Solution Sets
• Deploy Solutions
• Monitor Solutions
Crown Jewels Project
Phases: Define, Discover, Baseline, Analyze, Secure
Key Project Artifacts (largely aided by automation: surveys, tools):
• Application Risk Survey
• Responses & Scoring
• Required Controls
• Controls Assessment
• Risk Analysis
• Solutions Development
Crown Jewels Project Results
Identification of Corporate “Crown Jewels”
Determination of Crown Jewel Risk
Limitation of Assessment to Most Impactful Elements
Creation of Security Controls Plan with Most Significant Risk Reduction
Less Work – More Results
Applying Crown Jewel Lessons
Next Week
• Identify Organization’s Security Assessment Plan
  – Self vs. Third Party
  – Frequency
  – Rigor / Technique (tests vs. assessments)
• Determine Adequacy of Plan
Applying Crown Jewel Lessons
Within 1 Month
• Identify and Review Contractual and Legal Security Requirements
• Review Latest Security Assessment Reports
• Identify Business Process Owners
Within 3 Months
• Conduct Crown Jewels Project
• Apply Lessons Learned
Thank You
Contacts: Doug Landoll, CEO, Lantego
• (512) 633-8405
Slides
• Slideshare