A presentation on developing an Incident Response Program (Information Security related). Heavily based on NIST guidelines.
Michael McDonnell, GIAC Certified Intrusion Analyst
Creative Commons License: You are free to share and remix but you must provide attribution and you must share alike.
Incident Response
Incident Response Overview
1. Events and Incidents
2. Response vs Handling
3. Process and Capability
4. Questions
Incidents are Events
Any real or suspected adverse event related to information systems
A violation of existing information security policy
Security Incidents are Common
Incidents are… Viruses
Incidents are… Hackers
Incidents are… Vandalism
Incidents are… Theft
Incidents are… Data Loss
Incidents are… “Outages”
Incidents are… Espionage
Incidents are not… Disasters (maybe)
Incidents are… Continuous
Incident Response is a Capability
1. Events: Monitor and Detect
2. Incidents: Identify and Analyze
3. Actions: Contain and Correct
4. Lessons: Learn and Improve
Incident Response is…
A Process that manages risk associated with information systems
A Capability of an organization to respond to continuous security threats
Incident Response vs Handling
Strategic vs Operational
Continual vs Discrete
Process vs Action
Improvement vs Remediation
Incident Response is…
Systematic
Consistent
Fast & Efficient
Driver for Improvement
Authoritative/Empowered
Sensitive/Confidential
Documented
Incident Response Teams
Supported by Management
Cross-functional
Well Trained
Good Communicators
Technical Experts
Well Equipped
Have Broad Access
Incident Response is a Process
1. Preparation
2. Detection and Analysis
3. Containment/Mitigation
4. Recovery
5. Post-Incident Analysis

1. Be Prepared
2. Be Systematic & Organized
3. Act Quickly
4. Fix the Problem
5. Make Improvements
Preparation: Training
Preparation: Communications
Preparation: Hardware & Software
Preparation: Continuous Monitoring
Preparation: Analysis & Mitigation
Detection & Analysis
Different threats require different responses
Incident Categories:
1. Denial of Service
2. Malicious Software
3. Unauthorized Access
4. Inappropriate Usage
5. Hybrid
Detection:
• How was it detected?
• Is it really an incident or an unusual event?
• Can it be confirmed?
Analysis:
• What is at risk? (“System Profile”)
• What is normal for that system?
• Correlate events for more information
• Carefully record and document data
Detection & Analysis
Diagnosis Matrix
Extremely helpful for inexperienced or ad-hoc incident handlers.
Part of diagnosis means seeking help from others
• Sysadmins for knowledge of normal system operations
• Managers for knowledge of impact
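The Detection & Analysis and Diagnosis Matrix slides describe correlating raw events into indicators and then weighing those indicators against the incident categories. The following Python is an added example, not code from the presentation or from NIST: the indicator names, the matrix weights, the burst threshold and the sample events are all constructed for illustration, and the "Hybrid" rule (second-best category scoring at least 60% of the best) is an assumption of this example.

```python
"""Added example: a small diagnosis matrix over correlated events.

Everything here (indicator names, weights, thresholds, sample events) is
constructed for illustration; it is not from the presentation or from NIST.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed diagnosis matrix: indicator -> {category: weight}.
# Categories follow the deck's list; weights are illustrative only.
DIAGNOSIS_MATRIX = {
    "service_unreachable": {"Denial of Service": 3, "Malicious Software": 1},
    "traffic_spike": {"Denial of Service": 3},
    "antivirus_alert": {"Malicious Software": 3},
    "unexpected_outbound_connections": {"Malicious Software": 2, "Unauthorized Access": 1},
    "failed_logins_burst": {"Unauthorized Access": 3},
    "login_from_new_country": {"Unauthorized Access": 2, "Inappropriate Usage": 1},
    "new_admin_account": {"Unauthorized Access": 3},
    "large_upload_to_personal_storage": {"Inappropriate Usage": 2, "Unauthorized Access": 1},
}

# Constructed sample events: (ISO timestamp, host, event type).
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", "web01", "failed_login"),
    ("2024-01-10T09:00:05", "web01", "failed_login"),
    ("2024-01-10T09:00:10", "web01", "failed_login"),
    ("2024-01-10T09:00:15", "web01", "failed_login"),
    ("2024-01-10T09:00:20", "web01", "failed_login"),
    ("2024-01-10T09:00:30", "web01", "failed_login"),
    ("2024-01-10T09:05:00", "web01", "new_admin_account"),
    ("2024-01-10T09:02:00", "fs02", "antivirus_alert"),
    ("2024-01-10T09:03:00", "fs02", "unexpected_outbound_connections"),
    ("2024-01-10T09:04:00", "edge01", "traffic_spike"),
    ("2024-01-10T09:04:30", "edge01", "service_unreachable"),
    ("2024-01-10T09:06:00", "lap07", "login_from_new_country"),
    ("2024-01-10T09:07:00", "lap07", "large_upload_to_personal_storage"),
    ("2024-01-10T09:08:00", "db03", "failed_login"),
    ("2024-01-10T09:20:00", "db03", "failed_login"),
]


def correlate(events, window=timedelta(seconds=60), burst_threshold=5):
    """Turn raw events into per-host indicators.

    Single failed logins are normal; only `burst_threshold` or more failed
    logins inside `window` become a 'failed_logins_burst' indicator.
    Every other event type is used as an indicator name directly.
    """
    by_host = defaultdict(set)
    failed = defaultdict(list)
    for ts, host, etype in sorted(events):
        indicators = by_host[host]  # creates the entry even if only failed logins follow
        if etype == "failed_login":
            failed[host].append(datetime.fromisoformat(ts))
        else:
            indicators.add(etype)
    for host, times in failed.items():
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= burst_threshold:
                by_host[host].add("failed_logins_burst")
                break
    return {host: sorted(inds) for host, inds in by_host.items()}


def score_categories(indicators):
    """Sum matrix weights per category for the observed indicators."""
    scores = Counter()
    for ind in indicators:
        for category, weight in DIAGNOSIS_MATRIX.get(ind, {}).items():
            scores[category] += weight
    return dict(scores)


def diagnose(indicators, hybrid_ratio=0.6):
    """Return (category, scores).

    With no scoring indicators the event stays an unconfirmed unusual event
    (the deck's 'is it really an incident?' question). When the runner-up
    category scores at least `hybrid_ratio` of the best, report 'Hybrid'.
    """
    scores = score_categories(indicators)
    if not scores:
        return ("Unusual Event (unconfirmed)", scores)
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    best_category, best = ranked[0]
    if len(ranked) > 1 and ranked[1][1] >= hybrid_ratio * best:
        return ("Hybrid", scores)
    return (best_category, scores)


if __name__ == "__main__":
    for host, inds in correlate(SAMPLE_EVENTS).items():
        print(host, inds, "->", diagnose(inds)[0])
```

The matrix only narrows the diagnosis; as the slide says, confirming it still means asking the sysadmin what is normal for the host and the manager what the impact would be.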
Incident Documentation
Begin as soon as an incident is suspected
Include:
• System events
• Telephone conversations
• Observed or initiated changes
• Note the current status frequently with timestamps.
At any given moment:
• Current status and priority
• Summary of incident
• Actions taken by handlers
• Contact information for other parties
• List of evidence gathered
• Comments for other handlers
• Next steps to be taken
Incident Priority: Effect & Criticality
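The Incident Documentation slide lists what a handler's running record must capture and what an "at any given moment" view should show; the next slide titles priority as a function of effect and criticality. The Python below is an added example, not code from the presentation: the three-level scales, the P1–P4 mapping, the entry kinds and the sample incident data are all constructed assumptions for illustration.

```python
"""Added example: a timestamped incident record with a status snapshot.

The effect/criticality scales, the P1-P4 mapping, the entry kinds and the
sample data are constructed for illustration, not from the presentation.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

EFFECT_LEVELS = ("low", "medium", "high")        # constructed scale
CRITICALITY_LEVELS = ("low", "medium", "high")   # constructed scale


def priority(effect, criticality):
    """Constructed priority matrix: effect and criticality each add 0..2,
    so the combined score runs 0..4; P1 is the highest priority."""
    score = EFFECT_LEVELS.index(effect) + CRITICALITY_LEVELS.index(criticality)
    return {4: "P1", 3: "P2", 2: "P3"}.get(score, "P4")


@dataclass
class Entry:
    timestamp: str
    kind: str      # event, call, change, status, evidence, comment, next
    handler: str
    text: str


@dataclass
class IncidentRecord:
    incident_id: str
    summary: str
    effect: str
    criticality: str
    status: str = "suspected"
    entries: list = field(default_factory=list)
    contacts: dict = field(default_factory=dict)

    def log(self, kind, handler, text, when=None):
        """Append one timestamped entry; `when` defaults to the current UTC time."""
        ts = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
        self.entries.append(Entry(ts, kind, handler, text))
        return ts

    def set_status(self, status, handler, when=None):
        self.status = status
        self.log("status", handler, f"status -> {status}", when)

    def timeline(self):
        """Entries in chronological order, one line each."""
        return [f"{e.timestamp} [{e.kind}] {e.handler}: {e.text}"
                for e in sorted(self.entries, key=lambda e: e.timestamp)]

    def snapshot(self):
        """The 'at any given moment' view: status, priority, summary,
        actions, contacts, evidence, comments and next steps."""
        def of(kind):
            return [e.text for e in self.entries if e.kind == kind]
        return {
            "incident_id": self.incident_id,
            "status": self.status,
            "priority": priority(self.effect, self.criticality),
            "summary": self.summary,
            "actions_taken": of("change"),
            "contacts": dict(self.contacts),
            "evidence": of("evidence"),
            "comments": of("comment"),
            "next_steps": of("next"),
        }


def build_sample_record():
    """Constructed sample incident with fixed timestamps so the output is stable."""
    t = lambda h, m: datetime(2024, 1, 10, h, m, tzinfo=timezone.utc)  # constructed
    rec = IncidentRecord("INC-EXAMPLE-001", "Unexpected admin account on web01",
                         effect="medium", criticality="high")
    rec.contacts["sysadmin"] = "web-team on-call (placeholder)"
    rec.log("event", "handler-a", "monitoring flagged new admin account", t(9, 5))
    rec.log("call", "handler-a", "phoned web-team on-call; account not authorized", t(9, 12))
    rec.set_status("confirmed", "handler-a", t(9, 15))
    rec.log("change", "handler-a", "disabled the new admin account", t(9, 20))
    rec.log("evidence", "handler-a", "auth log copy taken, hash recorded", t(9, 25))
    rec.log("change", "handler-b", "blocked source address at the border", t(9, 40))
    rec.log("comment", "handler-b", "check whether other hosts saw the same source", t(9, 41))
    rec.log("next", "handler-b", "review remaining accounts on web01", t(9, 42))
    rec.set_status("contained", "handler-b", t(9, 45))
    return rec


if __name__ == "__main__":
    record = build_sample_record()
    print("\n".join(record.timeline()))
    print(record.snapshot())
```

Because every entry carries its own timestamp, the record can be rebuilt into a timeline for the post-mortem without relying on anyone's memory of the order in which things happened.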
Incident Containment & Mitigation
Identify and block the attacker
Patch the system
Take the system offline
Upgrade software
Restore from backup
Reboot
It is key to consult external databases for advice, and data about the type of attack, the attacker, the problem, and its solution.
Incident Post-Mortem
Incident Response is a driver for improvements in information security. So it is critical to conduct a post-incident analysis and report.
• Exactly what happened, and at what times?
• How well did staff and management perform in dealing with the incident?
• Were the documented procedures followed? Were they adequate?
• What information was needed sooner?
• Were any steps or actions taken that might have inhibited the recovery?
• What would the staff and management do differently the next time a similar incident occurs?
• What corrective actions can prevent similar incidents in the future?
• What additional tools or resources are needed to detect, analyze, and mitigate future incidents?
• What Personally Identifiable Information was involved? Is disclosure advised?
Incident Checklist
Incident Reporting
What should you report?
What happened?
Why did it happen?
What was done to correct it?
What impact did it have?
What did it cost?
What could have been done differently?
How could it have been avoided?
Is it resolved? What else is needed?
How likely is it to happen again? How often?
What is the long term impact?
Information Security is an Outcome
“Our systems are secure from hackers”
“We have blocked 17,342 viruses to date”
“Our systems are all online”
“Insiders cannot steal our information”
“We have backups”
“We are Secure”
Information Security is a Process
“We want to improve security”
“We need to protect against more threats”
“We want to reduce risk”
“We want to increase customer confidence”
“We want to decrease the number of compromises”
“We want to be more Secure”
Defence in Depth lowers Risk
Process leads to Outcome
Firewalls do not make you secure
Anti-virus does not make you secure
Policies do not make you secure
VPNs do not make you secure
Guards do not make you secure
Passwords do not make you secure
Incident Response is a Capability that enables them to make you MORE secure