Joint ISACA and IIA Chapter Meeting November 10, 2016

1 Assessing the Maturity of Your Threat Detection and Incident Response Capabilities
Joint ISACA and IIA Chapter Meeting, November 10, 2016

2 Outline
12:10 – 12:25 PM – Jonathan Trull, Introduce Speakers & Topic
12:25 – 12:45 PM – Alfritch Anderson, State of Colorado
12:45 – 1:05 PM – Ryan Lazarony, Western Union
1:05 – 1:25 PM – Todd Gaiser, Microsoft
1:25 – 1:50 PM – Recap and Q&A

3 Panel of Speakers
Host – Jonathan Trull, Chief Cybersecurity Advisor, Microsoft
Panel:
Alfritch Anderson, Security Operations Manager, State of Colorado
Ryan Lazarony, Incident Response Manager, Western Union
Todd Gaiser, Enterprise Threat Detection, Microsoft

4 Threat Detection & Incident Response
Threat – the potential source of an adverse event
Vulnerability – a weakness in a system, application, or network that is subject to exploitation or misuse
Indicator – a sign that an incident may have occurred or may be currently occurring
Event – any observable occurrence in a network or system
Incident Response or Incident Handling – the process of detecting and analyzing incidents and limiting the incident’s effect

5 General Incident Response Capability
Create an incident response policy and plan
Develop procedures for performing incident handling and reporting
Set guidelines for communicating with outside parties regarding incidents
Select a team structure and staffing model
Establish relationships and lines of communication between the IR team and other groups
Determine what services the IR team should provide
Staff and train the IR team

6 NIST Detection and Response Lifecycle

7 COBIT® Harmonises Other Standards
COBIT is often used at the highest level of IT governance
It harmonises practices and standards such as ITIL, ISO 27001/2, and PMBOK
Improves their alignment to business needs
Covers the full spectrum of IT-related activities
Notes: COBIT is designed to be complementary to, and used together with, other standards and good practices. Detailed practices and standards such as ITIL, ISO 27001/2, and PMBOK (the Project Management Body of Knowledge) cover specific areas and can be mapped to the COBIT framework, providing a hierarchy of guidance. Standards should be implemented to benefit the specific needs of businesses, and COBIT can help ensure that the various standards are aligned.

8 COBIT® Defines Processes, Goals and Metrics
Relationship Amongst Process, Goals and Metrics (DS5)
Notes: The chart illustrates the relationship between the business, IT, process and activity goals, and the different metrics. From top left to top right, the goals cascade is illustrated. Below the goal is the outcome measure for the goal. The small arrow indicates that the same metric is a performance indicator for the higher-level goal. The example provided is from DS5 Ensure systems security. COBIT provides metrics only up to the IT goals outcome, as delineated by the dotted line. While they are also performance indicators for the business goals for IT, COBIT does not provide business goal outcome measures.
The metrics have been developed with the following characteristics in mind:
• A high insight-to-effort ratio (i.e., insight into performance and the achievement of goals as compared to the effort to capture them)
• Comparable internally (e.g., percent against a base or numbers over time)
• Comparable externally irrespective of enterprise size or industry
• Better to have a few good metrics (may even be one very good one that could be influenced by different means) than a longer list of lower-quality metrics
• Easy to measure, not to be confused with targets

9 U.S. Framework for Improving Critical Infrastructure Cybersecurity

10 Detection Controls

11 Detection Controls

12 Detection Controls

13 Response Controls

14 Response Controls

15 CSC # 6 – Maintenance, Monitoring, and Analysis of Audit Logs
CSC # 6: Maintenance, Monitoring, and Analysis of Audit Logs – Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
CSC # 16: Account Monitoring and Control – Actively manage the life cycle of system and application accounts (their creation, use, dormancy, deletion) in order to minimize opportunities for attackers to leverage them.
CSC # 19: Incident Response and Management – Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure for quickly discovering an attack and effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.

16 My Top Line Measures
Median Time to Detection (MTD) = 2 hours or less
Median Time to Containment (MTC) = 30 minutes or less
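As an added illustration (not part of the presentation), the following computes the two top-line measures above from a constructed set of incident records and compares them with the slide's targets. The record layout, field names and timestamps are assumptions; incidents that are not yet detected or contained are excluded from the respective median and counted separately, and the mean is shown beside the median to make the long-tail effect visible.

```python
from datetime import datetime
from statistics import mean, median
# Constructed sample incident records (not from the presentation): ISO-8601
# timestamps for compromise start, detection and containment; None means the
# milestone has not been reached yet.
INCIDENTS = [
    {"id": "INC-1", "compromised": "2016-10-01T08:00", "detected": "2016-10-01T09:15", "contained": "2016-10-01T10:00"},
    {"id": "INC-2", "compromised": "2016-10-03T22:10", "detected": "2016-10-04T03:10", "contained": "2016-10-04T03:25"},
    {"id": "INC-3", "compromised": "2016-10-07T12:00", "detected": "2016-10-07T13:00", "contained": "2016-10-07T14:00"},
    {"id": "INC-4", "compromised": "2016-10-09T06:30", "detected": "2016-10-09T07:00", "contained": None},
    {"id": "INC-5", "compromised": "2016-10-12T15:00", "detected": None, "contained": None},
]
MTD_TARGET_MIN = 120  # slide target: Median Time to Detection of 2 hours or less
MTC_TARGET_MIN = 30   # slide target: Median Time to Containment of 30 minutes or less


def _minutes_between(start, end):
    """Elapsed minutes from start to end, or None if end has not happened yet."""
    if end is None:
        return None
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:  # data-quality check: milestones out of order
        raise ValueError(f"{end} precedes {start}")
    return delta.total_seconds() / 60


def top_line_measures(incidents):
    """MTD and MTC as medians over closed milestones; means shown for contrast."""
    # Undetected incidents contribute nothing; detected-but-uncontained ones
    # count toward MTD only. Both are tallied to show what the medians cover.
    detect, contain, undetected, uncontained = [], [], 0, 0
    for inc in incidents:
        ttd = _minutes_between(inc["compromised"], inc["detected"])
        if ttd is None:
            undetected += 1
            continue
        detect.append(ttd)
        ttc = _minutes_between(inc["detected"], inc["contained"])
        if ttc is None:
            uncontained += 1
            continue
        contain.append(ttc)
    mtd = median(detect) if detect else None
    mtc = median(contain) if contain else None
    return {"mtd_minutes": mtd, "mean_ttd_minutes": mean(detect) if detect else None,
            "mtc_minutes": mtc, "mean_ttc_minutes": mean(contain) if contain else None,
            "mtd_meets_target": mtd is not None and mtd <= MTD_TARGET_MIN,
            "mtc_meets_target": mtc is not None and mtc <= MTC_TARGET_MIN,
            "undetected": undetected, "uncontained": uncontained}
```

On the constructed records the MTD target is met (67.5 minutes) even though one five-hour detection pushes the mean to 116.25 minutes, while the MTC target is missed (45 minutes), which is the kind of gap the measures are meant to expose.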

17 Typical Attack Timeline & Observations
Slide figure: attack timeline with the labels "24-48 Hours" and "Average 8 months" across the stages Initial compromise or entry vector; Core security compromised; Service outage or data exfiltration; Attack detected.
Notes:
Key message: Microsoft understands these attacks from firsthand experience helping customers with them.
0. (Start of slide) Attackers are usually after your organization’s data to make money (though we have also seen destructive attacks), and they will go after any device, server, or service to get it. Attackers will research you and exploit any seam, inconsistency, or weakness (slow patching process, weak configurations, sophisticated attacks, old/weak passwords, etc.).
1. Exploiting Credentials – In the attacks we have seen, attackers that get a “beachhead” on one of your network hosts will seek and find domain administrator credentials to steal within hours (often quicker). This gives them the ability to steal almost any information on any computer.
2. Attacks Not Detected – Most of these attacks go undetected for around a year (on average), leaving organizations vulnerable to ongoing loss and damage.
3. Response and Recovery – Investigating and cleaning up from these attacks is typically very complex, technically challenging, and requires a lot of expertise.
(Source: CSIS-McAfee Report) (Source: Ponemon Institute, 2014 Cost of Data Breach)
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

18 Sources for Criteria
NIST Special Publication Rev. 2 – Computer Security Incident Handling Guide
Framework for Improving Critical Infrastructure Cybersecurity
CIS Critical Security Controls

