Presentation is loading. Please wait.

Presentation is loading. Please wait.

IR Awakens http://foxgguy2001.deviantart.com/art/Star-Wars-The-Force-Awakens-Powerpoint-Template-610876315.

Published byVeronica Tate Modified over 6 years ago

Similar presentations

Presentation on theme: "IR Awakens http://foxgguy2001.deviantart.com/art/Star-Wars-The-Force-Awakens-Powerpoint-Template-610876315."— Presentation transcript:

1 IR Awakens

2 Common problems IR teams face
What's this Talk About? Common problems IR teams face What actions we took to address them and results.

3 Worked in State Law Enforcement (5) Manage SOC for USC (11)
About me Worked in State Law Enforcement (5) Manage SOC for USC (11) Internet Storm Center Handler (3) SANS GSE #76

4 Centrally Manage ~3,000 Desktops
Environment Enrollment ~42,000 Fac/Staff FT&PT ~ 18,000 8 Campus System Distributed IT Each Campus Each Department Centrally Manage ~3,000 Desktops

5 Staff (Projects/IR/Engineering/GRC) Slow response time
Challenges Staff (Projects/IR/Engineering/GRC) Slow response time Slow time to collect Slow analysis Distributed environment Unnecessary Response

6 Opportunity for Change
SC DOR Breach

7 2 year project to implement change New technologies
What did we do? 2 year project to implement change New technologies SIEM Full Packet Capture Remote IR Tool Data Discovery Minimum security standard Data Discovery (All Systems) Remote IR tool (Restricted and Compliance)

8 We doubled our staff Added 2 IR staff (5) Added 2 GRC staff (3)
New Staff We doubled our staff Added 2 IR staff (5) Added 2 GRC staff (3) Added 1 PR staff (1)

9 Tech Talks (Bi-monthly) Mentoring ~18 Months to get staff self-reliant
Training SANS Product Training Tech Talks (Bi-monthly) Mentoring ~18 Months to get staff self-reliant This is why some of the stats you’ll improve over time as staff gets more experience.

10 Automated prioritization More eyes on glass
Slow Response Time Added a SIEM Moved from home-grown syslog solution Automated prioritization More eyes on glass

11 DBIR says 30 days The more people made a dramatic change in this.

12 Changed IR analysis process
Slow Analysis Changed IR analysis process (ISC Post 2016-Aug-24) FW Log IDS HID BRO DHCP NAC Full Packet SMTP Logs DNS AD DLP Phish S P Web Shell C&C Data Exfil Logged-in user P (Primary) S (Secondary)

13 Reduced number of whole disk collection Full packet capture
Slow Analysis Reduced number of whole disk collection Due to new remote IR tool Compliance, HR, Legal or Confirmed loss Full packet capture Quickly determine what happened on network

14 2014 lull was due to implementations of new tools
2015 Several large incidents and Mentoring staff

15 Hours Per Incident

16 Time from Data Collection to Analysis
2013 (2+ Days) Try to lookup who owned managed the system (~ 10k lines) Check NAC,DHCP,NMAP Contact Admin & Contact User 2015 (Within Minutes) Pre-deployed IR tool Slightly improved IP mgmt contact Network Manager/User isn’t informed until after confirmed compromised During the delay, admin and/or users had lots of time to start scanning and stomping on the systems.

17 Days to Close Based on 24hrs a Day

18 Distributed Environment
Policy requirement for centrally managed tools Meeting and informing Deans and Department heads what is expected Tools that self-update and little overhead

19 Unnecessary Response 2013 Rely on the admin/users to tell us of sensitive data In most cases we investigated all confirmed compromises 2015 Systems with commodity malware and no sensitive data we typically don’t investigate Untold number of hours saved

20 Develop a plan to reduce key metrics
Key Takeaways Start gather metrics Develop a plan to reduce key metrics Have requests ready when incidents happen Submit them more than once (change the date) Staff Retention Training Progression Path Quality of Life

21 What Had the Most Impact
Data Discovery Tool Endpoint Forensics Full Packet Capture SIEM Note: We already had other standard tech in place (FW, SecurityOnion, Syslog)

22 Additional position to manage systems Automation of quarantine Hunting
What's next Additional position to manage systems Reduce response time Automation of quarantine Hunting Better use of and collection of Threat Intel

23 Richard Hackley Jonathan Martin Brian Payne James Perry Jeff Whitson
Special Thanks Richard Hackley Jonathan Martin Brian Payne James Perry Jeff Whitson

24 https://github.com/tcw3bb
Questions? @twsecblog

Download ppt "IR Awakens http://foxgguy2001.deviantart.com/art/Star-Wars-The-Force-Awakens-Powerpoint-Template-610876315."

Similar presentations

Malware\Host Analysis for Level 1 Analysts “Decrease exposure time from detection to eradication” Garrett Schubert – EMC Corporation Critical Incident.

Malware\Host Analysis for Level 1 Analysts “Decrease exposure time from detection to eradication” Garrett Schubert – EMC Corporation Critical Incident.
QoS Solutions Confidential 2010 NetQuality Analyzer and QPerf.

QoS Solutions Confidential 2010 NetQuality Analyzer and QPerf.
© 2015 Cisco and/or its affiliates. All rights reserved. 1 The Importance of Threat-Centric Security William Young Security Solutions Architect It’s Our.

© 2015 Cisco and/or its affiliates. All rights reserved. 1 The Importance of Threat-Centric Security William Young Security Solutions Architect It’s Our.
Information Resources and Communications University of California, Office of the President System-Wide Strategies for Achieving IT Security at the University.

Information Resources and Communications University of California, Office of the President System-Wide Strategies for Achieving IT Security at the University.
HR Action Reference Frequently Requested Transactions April 2014.

HR Action Reference Frequently Requested Transactions April 2014.
Normalized Endpoint Computing Research Team Results PSU Technology Solution Mat B. & Alice S.

Normalized Endpoint Computing Research Team Results PSU Technology Solution Mat B. & Alice S.
PRIVACY, SECURITY & ID THEFT PREVENTION - TIPS FOR THE VIGILANT BUSINESS - SMALL BUSINESS & ECONOMIC DEVELOPMENT FORUM October 21, 2014 -WITH THANKS TO.

PRIVACY, SECURITY & ID THEFT PREVENTION - TIPS FOR THE VIGILANT BUSINESS - SMALL BUSINESS & ECONOMIC DEVELOPMENT FORUM October 21, WITH THANKS TO.
© 2010 Verizon. All Rights Reserved. PTE14626 07/10 2011 DBIR.

© 2010 Verizon. All Rights Reserved. PTE / DBIR.
Lecture 19 Page 1 CS 236 Online 16. Account Monitoring and Control Why it’s important: –Inactive accounts are often attacker’s path into your system –Nobody’s.

Lecture 19 Page 1 CS 236 Online 16. Account Monitoring and Control Why it’s important: –Inactive accounts are often attacker’s path into your system –Nobody’s.
Wireless Intrusion Prevention System https://store.theartofservice.com/the-wireless-intrusion-prevention-system-toolkit.html.

Wireless Intrusion Prevention System
CU – Boulder Security Incidents Jon Giltner. Our Challenge.

CU – Boulder Security Incidents Jon Giltner. Our Challenge.
Chapter 6: Securing the Local Area Network

Chapter 6: Securing the Local Area Network
Välkommen till Forefront Tour 2008!. Forefront Partners här idag.

Välkommen till Forefront Tour 2008!. Forefront Partners här idag.
T OUCHBASE FOR ARCs October 21, 2015. 2 What We’re Covering Today Tips for getting requests through faster Resources available to you Process for adding.

T OUCHBASE FOR ARCs October 21, What We’re Covering Today Tips for getting requests through faster Resources available to you Process for adding.
IS3220 Information Technology Infrastructure Security

IS3220 Information Technology Infrastructure Security
ARAMA TECH D A T A P R O T E C T I O N P R O F E S S I O N A L S VISION & STRATEGY.

ARAMA TECH D A T A P R O T E C T I O N P R O F E S S I O N A L S VISION & STRATEGY.
2© Copyright 2013 EMC Corporation. All rights reserved. Cyber Intelligence Fighting Cyber Crime Insert Event Date LEADERS EDGE.

2© Copyright 2013 EMC Corporation. All rights reserved. Cyber Intelligence Fighting Cyber Crime Insert Event Date LEADERS EDGE.
Www.cygnia.co.uk 1 1 Advanced Cyber Security Event - Introduction 11 th May 2016 Matt Locker.

1 1 Advanced Cyber Security Event - Introduction 11 th May 2016 Matt Locker.
Information Security in Laurier Grant Li Wilfrid Laurier University.

Information Security in Laurier Grant Li Wilfrid Laurier University.
Taking on Tomorrow's Challenges Today Taking on Tomorrow's Challenges Today Almost every organisation has been attacked …. But most don’t know about it!

Taking on Tomorrow's Challenges Today Taking on Tomorrow's Challenges Today Almost every organisation has been attacked …. But most don’t know about it!

Similar presentations

Ads by Google