
Page 1

Zero Day Response: Strategies for the Newest Innovation in Corporate Defense

Dr. Anton Chuvakin

SecurityWarrior LLC

April 21, 2010

Page 2

Key Question #1

How can senior management lead the organization to a focused and effective security program?

Page 3

Leadership

• Be aware of information security, specifically:
  • Threats to your organization: cybercrime, insiders, etc.
  • Impact: data loss, public disclosure, brand damage
  • Vulnerabilities: many of your systems are vulnerable now!
  • Regulations: breach disclosure laws mean every incident carries a fixed cost!
• Security is not “some IT stuff”; it is about the information that “runs” your business.
• The security team is NOT the one ultimately responsible for your organization’s survival – you are!

Page 4

Key Question #2

What are the top 3 elements that an effective policy or strategy must have to reduce the breach-to-detection gap?

Page 5

Reducing the Breach-to-Detection Gap

• 90% of effective incident response happens before the breach: PREPARE!
  • Log, monitor, build baselines, learn what is normal, so that you can respond when anomalies happen
• Deploying tools (log management, integrity monitoring, network monitoring, etc.) BEFORE the incident is the best “incident response” technique
• Tools don’t run themselves! Train the IR team in using the tools and in not panicking; checklists help.

Page 6

Key Question #3

How do you best ensure that policies are actually being followed?

Page 7

Ensuring Policies are Followed

• Same answer: log, monitor, build baselines
  • Awareness and visibility BEFORE control
• “Trust but verify” … but really… don’t trust the users!
  • Deploy tools (log management, integrity monitoring, network monitoring, etc.)
  • Learn how to use them well; make them part of daily practice
• Have a plan of action for when policy violations are detected: no enforcement action -> nobody follows the policy!
  • Education alone won’t do it!
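Pages 5 and 7 come down to the same mechanism: log, build a baseline of what is normal, then compare new activity against it and act on the deviations. The example below is added here as an illustration and is not code from the talk. It runs over constructed sshd-style log lines: a known-good window builds per-user baselines of source addresses and login hours, a later window is checked against them, and a burst of failed logins followed by a success from the same source is correlated the way a SIEM rule would. Host names, user names, addresses, the thresholds and the three rule names are all invented for the demo.

```python
import re
from collections import defaultdict

# Constructed sample lines in syslog/sshd format (not real logs). The first
# window is treated as "known good"; the second is the window being monitored.
BASELINE_LOGS = """\
Apr 19 08:02:11 web01 sshd[1201]: Accepted publickey for alice from 10.0.1.5 port 50211 ssh2
Apr 19 09:15:42 web01 sshd[1288]: Accepted publickey for alice from 10.0.1.5 port 50319 ssh2
Apr 19 10:41:03 web01 sshd[1410]: Accepted password for bob from 10.0.1.9 port 41022 ssh2
Apr 20 08:10:55 web01 sshd[2201]: Accepted publickey for alice from 10.0.1.6 port 50877 ssh2
Apr 20 11:03:27 web01 sshd[2390]: Accepted password for bob from 10.0.1.9 port 41950 ssh2
"""

MONITOR_LOGS = """\
Apr 21 09:02:11 web01 sshd[3101]: Accepted publickey for alice from 10.0.1.5 port 51201 ssh2
Apr 21 03:12:40 web01 sshd[3150]: Accepted password for bob from 203.0.113.44 port 39001 ssh2
Apr 21 14:00:01 web01 sshd[3201]: Failed password for alice from 198.51.100.7 port 44001 ssh2
Apr 21 14:00:03 web01 sshd[3202]: Failed password for alice from 198.51.100.7 port 44002 ssh2
Apr 21 14:00:05 web01 sshd[3203]: Failed password for alice from 198.51.100.7 port 44003 ssh2
Apr 21 14:00:09 web01 sshd[3204]: Accepted password for alice from 198.51.100.7 port 44004 ssh2
"""

# Matches "Accepted <method> for <user> from <ip>" and
# "Failed <method> for [invalid user] <user> from <ip>".
LINE_RE = re.compile(
    r"^\w{3} +(?P<day>\d{1,2}) (?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(text):
    """Yield one dict per line matching the sshd auth pattern; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["hour"] = int(ev["hh"])
        # Seconds since the start of the month: enough to order events in a demo.
        # Syslog timestamps carry no year, so a real collector normalises to epoch time.
        ev["secs"] = (int(ev["day"]) * 86400 + int(ev["hh"]) * 3600
                      + int(ev["mm"]) * 60 + int(ev["ss"]))
        yield ev


def build_baseline(text):
    """Per user: source IPs and hours of day seen on successful logins in the known-good window.

    Two days of data is only enough to show the mechanics; a real baseline
    needs weeks of history and some tolerance for drift.
    """
    ips, hours = defaultdict(set), defaultdict(set)
    for ev in parse(text):
        if ev["result"] == "Accepted":
            ips[ev["user"]].add(ev["ip"])
            hours[ev["user"]].add(ev["hour"])
    return {"ips": dict(ips), "hours": dict(hours)}


def detect(text, baseline, fail_threshold=3, window_secs=60):
    """Return (rule, user, ip) findings for the monitored window, in log order."""
    findings = []
    failures = defaultdict(list)  # (user, ip) -> timestamps of recent failed logins
    for ev in parse(text):
        key = (ev["user"], ev["ip"])
        if ev["result"] == "Failed":
            failures[key].append(ev["secs"])
            continue
        # A successful login is compared with what the baseline says is normal for this user.
        if ev["ip"] not in baseline["ips"].get(ev["user"], set()):
            findings.append(("new-source-ip", ev["user"], ev["ip"]))
        if ev["hour"] not in baseline["hours"].get(ev["user"], set()):
            findings.append(("off-hours-login", ev["user"], ev["ip"]))
        # Correlation rule of the kind a SIEM runs: N failures from the same
        # source inside the window, followed by a success from that source.
        recent = [t for t in failures[key] if ev["secs"] - t <= window_secs]
        if len(recent) >= fail_threshold:
            findings.append(("bruteforce-then-success", ev["user"], ev["ip"]))
        failures[key].clear()
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    for rule, user, ip in detect(MONITOR_LOGS, base):
        print(f"{rule:24s} user={user} from={ip}")
```

Run as a script it prints five findings: bob’s 03:12 login from an address never seen before, and alice’s success from 198.51.100.7 that is a new address, outside her hours, and preceded by three failures in eight seconds. The point of the structure is the one the slides make: the baseline has to exist before the monitored window does, and each finding has to map to a prepared action (a checklist item, not an ad hoc decision), otherwise the alert is just another log line.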

Page 8

Key Question #4

What are some of the key tools you need to improve and speed up response to breaches and optimize investigations?

Page 9

Improving & Speeding up Response to Breaches, Optimizing Investigations

Key tools:
• Log management: create an audit trail for ALL IT and user activities; a goldmine for forensics and incident response
• SIEM: automated security monitoring, correlation, incident notification
• Integrity checking: build the baseline for OS, application and data files
• Network monitoring: record suspicious traffic as additional evidence
• Forensic tools: use while investigating an incident
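The integrity-checking bullet above is the one tool on this list that is small enough to show end to end. The example below is added here and is not part of the talk: it records a baseline manifest (SHA-256, size and permission bits) for every regular file under a directory, stores that manifest outside the monitored tree, and later diffs a fresh snapshot against it to report added, removed and modified files. The directory tree, the file contents and the simulated tampering are all constructed inside a temporary directory.

```python
import hashlib
import json
import os
import stat
import tempfile


def snapshot(root):
    """Map each regular file under root (by relative path) to its SHA-256, size and mode bits."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal; os.walk honours in-place edits
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = {
                "sha256": digest.hexdigest(),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return manifest


def save_baseline(manifest, path):
    """Persist the manifest. In production keep this copy off the host, read-only or signed."""
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Diff two manifests: added and removed paths, plus which attributes changed on the rest."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in ("sha256", "size", "mode") if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a small tree, baseline it, simulate tampering, and return the comparison."""
    with tempfile.TemporaryDirectory() as work:
        etc = os.path.join(work, "etc")  # the monitored tree (constructed for the demo)
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(etc, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(etc, "motd"), "w") as fh:
            fh.write("Authorised users only.\n")
        os.chmod(os.path.join(etc, "hosts"), 0o644)

        baseline_path = os.path.join(work, "baseline.json")  # outside the monitored tree
        save_baseline(snapshot(etc), baseline_path)

        # Simulated changes made after the baseline was taken.
        with open(os.path.join(etc, "passwd"), "a") as fh:
            fh.write("backup:x:0:0::/root:/bin/bash\n")  # extra UID-0 account: content and size change
        os.chmod(os.path.join(etc, "hosts"), 0o666)        # now world-writable: mode change only
        os.remove(os.path.join(etc, "motd"))               # file removed
        with open(os.path.join(etc, "ld.so.preload"), "w") as fh:
            fh.write("/lib/unknown.so\n")                  # file added

        return compare(load_baseline(baseline_path), snapshot(etc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats a practitioner would add. The baseline is only as trustworthy as the host was when it was taken and as the place it is kept: an attacker with root can rewrite both a file and a manifest stored next to it, so the manifest belongs off the host, read-only or signed. Modification time is deliberately left out of the manifest because it can be reset with touch; content hashes and permission bits cannot be adjusted without changing exactly what the check compares.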

Page 10

Key Question #5

What are the top 5 specific steps organizations can take to ensure adequate accountability and repeatability of incident response?

Page 11

Ensuring Accountability and Repeatability of Incident Response

Key practices:
1. Log! Logs are the IT vehicle for accountability.
2. Build plans and checklists: when panic hits, prepared actions work; others just FAIL.
3. Train people: tools and checklists don’t work alone.
4. Build your knowledge base: what worked and what failed in incident response.
5. Focus on “reactive faster/better”; forget “proactive” for now.

Page 12

Security Warrior Consulting
www.securitywarriorconsulting.com

Questions?

Dr. Anton Chuvakin

Security Warrior Consulting

Email: [email protected]

Site: http://www.chuvakin.org

Blog: http://www.securitywarrior.org

Twitter: @anton_chuvakin

Consulting: http://www.securitywarriorconsulting.com

Page 13

More on Anton

• Now: independent consultant
• Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
• Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
• Standard developer: CEE, CVSS, OVAL, etc.
• Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
• Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

Page 14

Security Warrior Consulting Services

• Logging and log management strategy, procedures and practices
  – Develop logging policies and processes, log review procedures, workflows and periodic tasks, as well as help architect those to solve organizational problems
  – Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention and log source configuration, as well as reporting, review and validation
  – Customize industry “best practices” related to logging and log review to fit your environment; help link these practices to business services and regulations
  – Help integrate logging tools and processes into IT and business operations
• SIEM and log management content development
  – Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
  – Create and refine policies, procedures and operational practices for logging and log management to satisfy the requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations

More at www.SecurityWarriorConsulting.com


Page 17

Want a PCI DSS Book?

“PCI Compliance” by Anton Chuvakin and Branden Williams

Useful reference for merchants, vendors – and everybody else

Released December 2009!

www.pcicompliancebook.info