Managing Security Events 101
Matt Standart
HBGary
Information Security Incidents
• The basic idea behind this presentation is that Information Security Incidents are caused by threats. By understanding the threats, we can devise a risk-based approach to managing the incidents they cause.
#1 – Understand the nature of Threats
• Threats are either:
  • Direct or Indirect
• Threats operate:
  • Externally or Internally
• Distinguishing between threats is important in order to formulate an appropriate response strategy
Threat Breakdown Matrix
            External                     Internal
Direct      “Hackers”                    Insider Threats
            (APT, Targeted Attacks)      (CI, Spies, Disgruntled Employees)
Indirect    “Drive-By”                   Misuse
            (Fake AV, Non-Targeted)      (Policy Violators)
#2 – Understand Threat Detection
• Organizations deploy security controls and audit the system “events”
• Anomalies or suspicious events found in the audit results (i.e., a detection log) indicate an adverse event: an event that has the potential for damage or loss
• An incident is defined as an adverse event where damage or loss has occurred
• Event logs often do not contain sufficient information to make this distinction; therefore an organization must devise a process to investigate events and identify which adverse events are incidents.
Events are Threat Indicators
• Event logs often do not contain sufficient information to assess the threat; therefore an investigation must be conducted
• Similar events can be caused by different threat agents; context is established only by the accumulation and interpretation of sufficient “evidence” (forensics)
• The optimal IR process will consist of:
  • An investigation for every adverse event
  • Documentation for every adverse event (and incident)
  • Minimum required collection of data per investigation
  • Scalability to respond to every type of adverse event
#3 – Understand the (Basic I/R) Process
#4 – Response Strategies (Traditional)
            External                              Internal
Direct      Live Analysis +                       Live Analysis +
            Forensic Preservation/Analysis        Forensic Preservation/Analysis
            (I/R Team/Info Security)              (HR/Legal/Info Security)
Indirect    Live Analysis                         Live Analysis
            (Info Security)                       (HR/Info Security)
Response Strategies (Reality)
Traditional approaches to incident response include:
• Not responding at all
  • Not reviewing logs, not investigating or responding to security alerts (ignoring them)
• Under-responding with too few resources (traditional live analysis)
  • Not making an accurate threat assessment
  • Not identifying the scope of the incident, the damage done, and the losses incurred
• Over-responding with too many resources (traditional forensic analysis)
  • Transporting hardware, higher downtime
  • Forensic Analysis
  • Answers come at a high cost (sometimes more than the cost of the losses)
Live Analysis vs. Forensics
• Live Analysis can be used to investigate all threat types
• Live Analysis is analysis conducted over the network
• New technologies allow for “live” remote analysis of computers with *minimal* alteration to the computer data
• Live Analysis is faster and more responsive
• Offline “Forensic” Analysis is conducted after a system is disconnected and removed
  • Volatile data is generally lost
  • Allows for complete preservation of the computer
  • Loss of the computer asset for a longer period of time
  • Preserves the “crime scene” for evidentiary use
  • Requires a high skill level/training/experience
#5 – Improving Incident Response by marrying Live Analysis with Forensics
Triage hosts over the network without attaching to them
• Time and cost savings
• Eliminate false positives and non-incidents (adverse events) without overcommitting resources
Forensically sound acquisition of data
• Minimize offline forensic response and costs
• Ensure non-repudiation of findings
Automated analysis scripts/queries
• Simultaneous scans
Direct/External Threats
• An external attacker commits a lot of time and money to infiltrating your network.
• A typical attack consists of the following stages:
1. Reconnaissance – external scans, social networking research
2. Weaponization – embedding PDF files with malware
3. Delivery – creating a Gmail account in an employee's name
4. Exploit – social engineering (spear-phish email); the PDF drops 0-day malware
5. Compromise – malware establishes a back door
6. Command and Control – attacker communicates through HTTP/HTTPS
7. Actions on Objective – exfiltrate data
0-day Malware
• 0-day malware can remain unknown for days, weeks, months, and even years.
• Persistence can be detected through a combination of:
  • Network monitoring (McAfee NTR)
  • Host forensic memory analysis (HBGary DDNA)
  • Enterprise IOC searching (HBGary Active Defense)
• Once a detection is made…
Investigate It Quickly!
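As an added example (not the presenter's or HBGary's code), the following Python script shows the point of the “Events are Threat Indicators” and “0-day Malware” slides in working form: evidence from the three detection sources is accumulated per host, a host with anomalies but no sign of loss stays an adverse event routed to live analysis, and a host whose evidence includes exfiltration is classified as an incident and routed to forensic preservation. The log format, hostnames, addresses, field names and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
# Constructed sample lines from the three detection sources the slides name (network
# monitoring, host memory analysis, IOC search); format and values are invented.
SAMPLE_LOG = """\
network host=ws-17 dst=203.0.113.9 proto=https bytes_out=120 period_s=300 count=48
host host=ws-17 finding=injected_code process=explorer.exe
ioc host=ws-17 match=persistence_autorun
network host=ws-17 dst=203.0.113.9 proto=https bytes_out=350000000 period_s=0 count=1
network host=ws-22 dst=198.51.100.4 proto=https bytes_out=200 period_s=600 count=30
network host=ws-09 dst=198.51.100.4 proto=http bytes_out=2000 period_s=0 count=1
"""

# Kill-chain stage each indicator maps to (stages 5-7 on the slide).
STAGE = {"c2_beacon": "Command and Control", "memory_implant": "Compromise",
         "ioc_match": "Compromise", "bulk_outbound": "Actions on Objective"}
LOSS_INDICATORS = {"bulk_outbound"}  # evidence that damage/loss has occurred

def indicators(source, f):
    """Turn one raw event into threat indicators; thresholds are assumptions."""
    found = []
    if source == "network":
        if int(f["period_s"]) > 0 and int(f["count"]) >= 20:
            found.append("c2_beacon")       # periodic callbacks to one destination
        if int(f["bytes_out"]) >= 100_000_000:
            found.append("bulk_outbound")   # large one-shot outbound transfer
    elif source == "host" and f.get("finding") == "injected_code":
        found.append("memory_implant")
    elif source == "ioc":
        found.append("ioc_match")
    return found

def triage(log_text):
    """Accumulate evidence per host, then classify each host and pick a response."""
    evidence = defaultdict(set)
    for line in log_text.splitlines():
        source, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        evidence[fields["host"]].update(indicators(source, fields))
    result = {}
    for host, ind in evidence.items():
        if not ind:                       # benign-looking event only: no finding
            status, action = "no finding", "none"
        elif ind & LOSS_INDICATORS:       # damage/loss evidenced: incident
            status, action = "incident", "Forensic Preservation/Analysis (I/R Team)"
        else:                             # anomaly without loss: adverse event
            status, action = "adverse event", "Live Analysis (Info Security)"
        result[host] = {"status": status, "action": action,
                        "stages": sorted({STAGE[i] for i in ind})}
    return result
```

Running triage(SAMPLE_LOG) classifies ws-17 as an incident with all three later kill-chain stages evidenced, ws-22 as an adverse event (beaconing only) and ws-09 as no finding.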
What or who are the Threats?
• Direct/External? Or a Combination?
What were their motives?
• Exfiltration or Financial Gain?
How did they get in?
• Exploit, Vulnerability, Misuse, or a Combination?
What are the Risks?
• Policy Infractions, Misconfigurations, Compromised Hosts?
How do we get them out?
• Risk Remediation measures
How do we keep them out?
• Damage Assessment, Lessons Learned, Root Cause Determination