Shifting from “Incident” to “Continuous” Response By: Bill White CISSP, CISA, CRISC State Farm – Information Security Architecture @riskofinfosec

Internal Reconnaissance Privileged Operations Weaponization Delivery Exploitation Installation Command & Control (C2) Internal Reconnaissance Privileged Operations Internal Pivot Maintain Presence Mission Objectives Incident Response: An organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. How? Kill the attacker as early as possible in the Cyber Attack Lifecycle

Internal Reconnaissance Privileged Operations Weaponization Delivery Exploitation Installation Command & Control (C2) Internal Reconnaissance Privileged Operations Internal Pivot Maintain Presence Mission Objectives Incident Response: An organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. No, Really, How? Really! Find them and stop them! Take the knowledge you just gained and watch for that to happen again. AGGREGATION of intelligence is the key!

Internal Reconnaissance Privileged Operations Weaponization Delivery Exploitation Installation Command & Control (C2) Internal Reconnaissance Privileged Operations Internal Pivot Maintain Presence Mission Objectives This IP address has been scanning the perimeter A new exploit is identified in the wild A email was delivered with a file attachment Application error on workstation Powershell execution or new executable Anomalous DNS traffic detected

The core of the next-generation security protection process will be continuous, pervasive monitoring and visibility that is constantly analyzed for indications of compromise. “Designing an Adaptive Security Architecture for Protection from Advanced Attacks,” by Neil MacDonald and Peter Firstbrook, 12 February 2014, refreshed 28 January 2016, ID G00259490, https://www.gartner.com/doc/2665515/designing-adaptive-security- architecture-protection

Security Monitoring will encompass as many layers of the IT stack as possible including network activity, endpoints, system interactions, application transactions and user activity. The design and benefit of joining the foundational elements of intelligence, context, and correlation with an adaptive architecture will be explored.

This presentation will provide security related scenarios where centralized security data analytics and adaptive security architecture are used to respond in a dynamic way to enable this next generation security protection.

We will look behind the curtain of "marketecture" to the real and aspirational solutions for a SOC that will likely materialize as vendor products mature over the next few years.

What makes up the next generation of security protection? “Integrated Adaptive Cyber Defense (IACD) Baseline Reference Architecture”, Johns Hopkins Applied Physics Laboratory https://secwww.jhuapl.edu/IACD/Resources/Architecture/IACD%20Baseline%20Reference%20Architecture%20-%20Final%20PR.pdf

The first step occurs when the Sensor/Control Interface receives notification of a Security Event from enterprise sensors. Based on enterprise-defined policies and processes, the Policy Engine will determine that either the security event requires further action or it does not. If further action is required, it will pass the security event information to the Enrichment/ Analytic Framework as an alert. Otherwise, it will simply log the security event. Aggregation Analytics

Enrichment and Analytic Framework receives an alert, it will perform any number of operations (i.e. a particular analytic workflow) to enrich the alert information. Based on the enriched information and enterprise policies and processes, the Analytic Framework will determine whether further action is required or not. If further action is required, it will pass the enriched information as an action alert to the Decision-Making Engine. If no further action is required, it will simply log its activities. Aggregation Decision

Decision-Making Engine will determine what Course of Action (COA) is appropriate For example, a selected COA might block all traffic from a specific internet address or quarantine a specific host system. It is possible that enterprise policies and processes require the notification and involvement of a human decision maker. It is also possible that no enterprise COA exists for a given action alert and the Decision-Making Engine may simply initiate a manual workflow via SOC. Once a COA is selected, the Decision-Making Engine will pass the selected COA(s) to the Response Engine.

The Response/Action Engine translates the COA into a machine translatable execution workflow, which it sends to the Sensor interface. Upon receipt of an execution workflow, the Sensor Interface translates the workflow into device-specific response actions that it sends to the appropriate enterprise sensors and controls.

An Basic Example Policy: Is the laptop in the authorized asset inventory? Is the laptop configured and patched to standards? Analytics: Retrieve asset history from CMDB or ARM Retrieve vulnerability information on this asset from VM Decision: Allow DHCP to complete Move the asset to the remediation network for mitigation Action: Do or do not. There is no try.

Another Basic Example Policy: High Risk User? High Risk Geo? Prior Authentication Risk? New Asset? Analytics: Retrieve credential memberships Retrieve IP history Retrieve authentication history Retrieve asset information Decision: Allow, Step Up Authentication, Send to remediation network

A Mature Example Policy: Approved executable? Normal? Privileged? Analytics: Retrieve asset inventory Retrieve executable history Retrieve user/action history Decision: Run the executable in sandbox Send Executable to malware analytics Enable full packet capture Step up authentication

“Continuous Response” Intelligence Driven Adaptive Security Architecture Time to mature Focus on addressing specific use cases while building the engines Leverage automation and orchestration Fail CLOSED! (throw unknowns back to humans for analysis and decision) Advantages Detect, Respond, Recover at machine speed Free up analysts to address complex incidents Focus on gathering intelligence to feed analytics Stop being reactive! Change from “Incident Response” to “Continuous Response”

QUESTIONS? Shifting from “Incident” to “Continuous” Response By: Bill White CISSP, CISA, CRISC State Farm – Information Security Architecture @riskofinfosec