Zero Day Response: Strategies for the Newest Innovation in Corporate Defense
Dr. Anton Chuvakin
SecurityWarrior LLC
April 21, 2010
Page 2
Key Question #1
How can senior management lead to a focused and effective security program?
Page 3
Leadership
• Be aware of information security, specifically:
• Threats to your organization: cybercrime, insiders, etc.
• Impact: data loss, public disclosure, brand damage
• Vulnerabilities: many of your systems are vulnerable now!
• Regulations: disclosure laws => fixed incident cost!
• Security is not “some IT stuff”, it is about information that “runs” your business
• The security team is NOT the one ultimately responsible for your organization’s survival – you are!
Page 4
Key Question #2
What are the top 3 elements that an effective policy or strategy must have to reduce the breach-to-detection gap?
Page 5
Reducing the Breach-to-Detection Gap
• 90% of effective incident response happens before the breach: PREPARE!
• Log, monitor, build baselines, learn what is normal so you can respond when anomalies happen
• Deploying tools (log management, integrity monitoring, network monitoring, etc.) BEFORE the incident is the best “incident response” technique
• Tools don’t run themselves! Train the IR team in using the tools and in not panicking. Checklists help.
Page 6
Key Question #3
How do you best ensure that policies are actually being followed?
Page 7
Ensuring Policies are Followed
• Same answer: log, monitor, build baselines
• Awareness and visibility BEFORE control
• “Trust but verify” … but really… don’t trust the users!
• Deploy tools (log management, integrity monitoring, network monitoring, etc.)
• Learn how to use them well; make them part of daily practice
• Have a plan of action for when policy violations are detected: no enforcement action -> no following!
• Education alone won’t do it!
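The “log, build baselines, learn what is normal, act on anomalies” advice of this slide and the previous one, as an added worked example that is not from the deck: constructed sshd-style login lines are used to learn each user’s usual source addresses and login hours, and later lines are flagged when they deviate. The log format, user names and addresses are assumptions made for the illustration.

```python
# Added example (not from the deck): learn a per-user login baseline from log
# lines, then flag later logins that fall outside it. Lines are constructed.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed learning window: what "normal" looked like before any incident.
BASELINE_LOGS = [
    "2010-04-01T09:12:03 web1 sshd: Accepted publickey for alice from 10.0.0.5",
    "2010-04-02T10:40:11 web1 sshd: Accepted publickey for alice from 10.0.0.5",
    "2010-04-02T14:05:44 web1 sshd: Accepted password for bob from 10.0.0.7",
    "2010-04-03T09:55:02 web1 sshd: Accepted publickey for alice from 10.0.0.6",
]
# Constructed later activity to check against the baseline.
NEW_LOGS = [
    "2010-04-10T09:30:00 web1 sshd: Accepted publickey for alice from 10.0.0.5",
    "2010-04-10T03:14:00 web1 sshd: Accepted publickey for alice from 203.0.113.9",
    "2010-04-10T14:20:00 web1 sshd: Accepted password for mallory from 10.0.0.7",
]

def parse(line):
    m = LOG_RE.match(line)  # None for lines the monitor does not understand
    return m.groupdict() if m else None

def build_baseline(lines):
    """Per user: the set of source addresses and the set of login hours seen."""
    baseline = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for rec in filter(None, map(parse, lines)):
        baseline[rec["user"]]["srcs"].add(rec["src"])
        baseline[rec["user"]]["hours"].add(int(rec["hour"]))
    return dict(baseline)

def find_anomalies(baseline, lines):
    """List (user, src, timestamp, reasons) for logins that deviate from the baseline."""
    findings = []
    for rec in filter(None, map(parse, lines)):
        known, reasons = baseline.get(rec["user"]), []
        if known is None:
            reasons.append("unknown user")  # never seen during the learning window
        else:
            if rec["src"] not in known["srcs"]:
                reasons.append("new source")  # address not in the user's baseline
            if int(rec["hour"]) not in known["hours"]:
                reasons.append("unusual hour")  # outside the user's usual hours
        if reasons:
            findings.append((rec["user"], rec["src"], rec["ts"], reasons))
    return findings
```

Each finding is the trigger for the pre-built plan of action the slide asks for; without that plan the detection changes nothing.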
Page 8
Key Question #4
What are some of the key tools you need to improve and speed up response to breaches and optimize investigations?
Page 9
Improving & Speeding up Response to Breaches, Optimizing Investigations
Key tools:
• Log management: create an audit trail for ALL IT and user activities; a goldmine for forensics and incident response
• SIEM: automated security monitoring, correlation, incident notification
• Integrity checking: build the baseline for OS, application and data files
• Network monitoring: record suspicious traffic as additional evidence
• Forensic tools: use while investigating an incident
Page 10
Key Question #5
What are the top 5 specific steps organizations can take to ensure adequate accountability and repeatability of incident response?
Page 11
Key practices:
1. Log! Logs are the IT vehicle for accountability.
2. Build plans and checklists: when panic hits, prepared actions work; others just FAIL
3. Train people: tools and checklists don’t work alone
4. Build your knowledge base: what worked/failed in incident response
5. Focus on “reactive faster/better”, forget “proactive” for now
Security Warrior Consulting – www.securitywarriorconsulting.com
Dr. Anton Chuvakin
Questions?
Dr. Anton Chuvakin
Security Warrior Consulting
Email: [email protected]
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
Twitter: @anton_chuvakin
Consulting: http://www.securitywarriorconsulting.com
More on Anton
• Now: independent consultant
• Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
• Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
• Standard developer: CEE, CVSS, OVAL, etc.
• Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
• Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
Security Warrior Consulting Services
• Logging and log management strategy, procedures and practices
– Develop logging policies and processes, log review procedures, workflows and periodic tasks, as well as help architect those to solve organization problems
– Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration, as well as reporting, review and validation
– Customize industry “best practices” related to logging and log review to fit your environment; help link these practices to business services and regulations
– Help integrate logging tools and processes into IT and business operations
• SIEM and log management content development
– Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
– Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
More at www.SecurityWarriorConsulting.com
More on Anton
• Consultant: http://www.securitywarriorconsulting.com
• Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
• Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
• Standard developer: CEE, CVSS, OVAL, etc.
• Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
• Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
Want a PCI DSS Book?
“PCI Compliance” by Anton Chuvakin and Branden Williams
Useful reference for merchants, vendors – and everybody else
Released December 2009!
www.pcicompliancebook.info