Published by Sabrina Walters. Modified over 6 years ago.
1
Shifting from “Incident” to “Continuous” Response
By: Bill White CISSP, CISA, CRISC State Farm – Information Security Architecture @riskofinfosec
2
Cyber Attack Lifecycle (diagram): Weaponization → Delivery → Exploitation → Installation → Command & Control (C2) → Internal Reconnaissance → Privileged Operations → Internal Pivot → Maintain Presence → Mission Objectives

Incident Response: an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.

How? Kill the attacker as early as possible in the Cyber Attack Lifecycle.
3
(Same lifecycle diagram and Incident Response definition as slide 2.)

No, really, how? Really! Find them and stop them! Take the knowledge you just gained and watch for that to happen again. AGGREGATION of intelligence is the key!
4
(Same lifecycle diagram, with example detections placed along it, from external reconnaissance through Command & Control.)

- This IP address has been scanning the perimeter
- A new exploit is identified in the wild
- An email was delivered with a file attachment
- Application error on workstation
- PowerShell execution or new executable
- Anomalous DNS traffic detected
5
"The core of the next-generation security protection process will be continuous, pervasive monitoring and visibility that is constantly analyzed for indications of compromise."

Source: "Designing an Adaptive Security Architecture for Protection from Advanced Attacks," Neil MacDonald and Peter Firstbrook, Gartner, 12 February 2014, refreshed 28 January 2016, ID G (document ID and URL truncated in source: "architecture-protection").
6
Security monitoring will encompass as many layers of the IT stack as possible, including network activity, endpoints, system interactions, application transactions and user activity. The design and benefit of joining the foundational elements of intelligence, context and correlation with an adaptive architecture will be explored.
7
This presentation will provide security-related scenarios in which centralized security data analytics and an adaptive security architecture are used to respond dynamically, enabling this next generation of security protection.
8
We will look behind the curtain of "marketecture" at the real and aspirational solutions for a SOC that will likely materialize as vendor products mature over the next few years.
9
What makes up the next generation of security protection?
“Integrated Adaptive Cyber Defense (IACD) Baseline Reference Architecture”, Johns Hopkins Applied Physics Laboratory
10
The first step occurs when the Sensor/Control Interface receives notification of a security event from enterprise sensors. Based on enterprise-defined policies and processes, the Policy Engine determines whether the security event requires further action. If it does, the Policy Engine passes the security event information to the Enrichment/Analytic Framework as an alert; otherwise, it simply logs the security event.

(IACD stages: Aggregation, Analytics)
11
When the Enrichment/Analytic Framework receives an alert, it performs any number of operations (a particular analytic workflow) to enrich the alert information. Based on the enriched information and enterprise policies and processes, the Analytic Framework determines whether further action is required. If it is, the framework passes the enriched information as an action alert to the Decision-Making Engine; if not, it simply logs its activities.

(IACD stages: Aggregation, Decision)
12
The Decision-Making Engine determines which Course of Action (COA) is appropriate. For example, a selected COA might block all traffic from a specific Internet address or quarantine a specific host system. Enterprise policies and processes may require the notification and involvement of a human decision maker. It is also possible that no enterprise COA exists for a given action alert, in which case the Decision-Making Engine may simply initiate a manual workflow via the SOC. Once a COA is selected, the Decision-Making Engine passes the selected COA(s) to the Response Engine.
13
The Response/Action Engine translates the COA into a machine-executable workflow, which it sends to the Sensor/Control Interface. On receipt of an execution workflow, the Sensor/Control Interface translates it into device-specific response actions, which it sends to the appropriate enterprise sensors and controls.
14
A Basic Example (laptop joining the network)

Policy:
- Is the laptop in the authorized asset inventory?
- Is the laptop configured and patched to standards?

Analytics:
- Retrieve asset history from CMDB or ARM
- Retrieve vulnerability information on this asset from VM

Decision:
- Allow DHCP to complete
- Move the asset to the remediation network for mitigation

Action: Do or do not. There is no try.
15
Another Basic Example (authentication)

Policy:
- High-risk user?
- High-risk geo?
- Prior authentication risk?
- New asset?

Analytics:
- Retrieve credential memberships
- Retrieve IP history
- Retrieve authentication history
- Retrieve asset information

Decision:
- Allow
- Step up authentication
- Send to remediation network
16
A Mature Example (executable launch)

Policy:
- Approved executable?
- Normal?
- Privileged?

Analytics:
- Retrieve asset inventory
- Retrieve executable history
- Retrieve user/action history

Decision:
- Run the executable in a sandbox
- Send the executable to malware analytics
- Enable full packet capture
- Step up authentication
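The following is an added example, not code from the presentation or from the IACD reference architecture: a minimal Python sketch of the four IACD stages described on slides 10 to 13 (Policy Engine, Enrichment/Analytic Framework, Decision-Making Engine, Response/Action Engine) driving the two basic policies above, the laptop/DHCP check of slide 14 and the authentication risk check of slide 15. The executable check of slide 16 is recognized as actionable but has no automated course of action defined, so it is routed to a manual SOC workflow, as slide 12 describes. The asset inventory, group memberships, geo history and authentication-failure counts are constructed dictionaries standing in for the CMDB, IAM and vulnerability-management lookups; the COA names, risk-signal counting rule and device actions are hypothetical.

```python
"""Minimal IACD-style flow: event -> Policy Engine -> Enrichment -> Decision -> Response.

Added example; the data sources below are constructed stand-ins for the
CMDB / vulnerability management / IAM lookups named on the slides.
"""
from dataclasses import dataclass, field

# --- constructed reference data (stand-ins for CMDB, VM and IAM) -------------
ASSET_INVENTORY = {            # asset_id -> configured and patched to standard?
    "LT-1001": {"patched": True},
    "LT-1002": {"patched": False},
}
HIGH_RISK_GROUPS = {"Domain Admins", "Payments-Ops"}
USER_GROUPS = {"alice": {"Finance"}, "bob": {"Domain Admins"}}
USER_GEO_HISTORY = {"alice": {"US"}, "bob": {"US"}}
USER_AUTH_FAILURES_24H = {"alice": 0, "bob": 4}

# Event types the Policy Engine treats as alerts; everything else is only logged.
ACTIONABLE_TYPES = {"dhcp_request", "auth_attempt", "exec_request"}

# Response Engine table: COA -> device-specific actions (hypothetical control names).
COA_TO_ACTIONS = {
    "allow_dhcp": [("dhcp", "offer_lease")],
    "move_to_remediation_vlan": [("switch", "set_vlan=remediation"), ("nac", "mark_noncompliant")],
    "allow": [],
    "step_up_auth": [("idp", "require_mfa")],
    "send_to_remediation_network": [("switch", "set_vlan=remediation"), ("idp", "revoke_sessions")],
    "manual_soc_workflow": [("soc", "open_ticket")],   # fail closed: a human decides
}


@dataclass
class Alert:
    kind: str
    fields: dict
    enrichment: dict = field(default_factory=dict)


def policy_engine(event):
    """Stage 1: decide whether a sensor event needs further action (else just log it)."""
    if event.get("type") in ACTIONABLE_TYPES:
        return Alert(kind=event["type"], fields=event)
    return None


def enrich(alert):
    """Stage 2: add context from the (stubbed) CMDB / IAM / auth-history sources."""
    if alert.kind == "dhcp_request":
        asset = ASSET_INVENTORY.get(alert.fields["asset_id"])
        alert.enrichment = {
            "in_inventory": asset is not None,
            "patched": bool(asset and asset["patched"]),
        }
    elif alert.kind == "auth_attempt":
        user = alert.fields["user"]
        alert.enrichment = {
            "high_risk_user": bool(USER_GROUPS.get(user, set()) & HIGH_RISK_GROUPS),
            "high_risk_geo": alert.fields["geo"] not in USER_GEO_HISTORY.get(user, set()),
            "prior_auth_risk": USER_AUTH_FAILURES_24H.get(user, 0) >= 3,
            "new_asset": alert.fields["asset_id"] not in ASSET_INVENTORY,
        }
    # exec_request: no enrichment workflow defined yet; decide() sends it to the SOC
    return alert


def decide(alert):
    """Stage 3: map the enriched alert to a course of action; unknown cases go to a human."""
    e = alert.enrichment
    if alert.kind == "dhcp_request":
        return "allow_dhcp" if (e["in_inventory"] and e["patched"]) else "move_to_remediation_vlan"
    if alert.kind == "auth_attempt":
        signals = sum(e.values())          # number of risk indicators that fired
        if signals == 0:
            return "allow"
        if signals == 1:
            return "step_up_auth"
        return "send_to_remediation_network"
    return "manual_soc_workflow"           # no enterprise COA exists: fail closed


def respond(coa):
    """Stage 4: translate the COA into actions for the sensor/control interface."""
    return COA_TO_ACTIONS[coa]


def process(event):
    """Run one event through all four stages; returns (coa, actions)."""
    alert = policy_engine(event)
    if alert is None:
        return ("logged", [])
    coa = decide(enrich(alert))
    return (coa, respond(coa))


if __name__ == "__main__":
    for ev in (
        {"type": "dhcp_request", "asset_id": "LT-1001"},
        {"type": "dhcp_request", "asset_id": "LT-9999"},
        {"type": "auth_attempt", "user": "bob", "geo": "BR", "asset_id": "LT-9999"},
        {"type": "exec_request", "user": "bob", "sha256": "constructed-hash"},
    ):
        print(ev["type"], "->", process(ev))
```

The point to notice is the default branch of `decide()`: an alert that passed the Policy Engine but matches no written COA is not silently allowed; it becomes a SOC ticket, which is the fail-closed behaviour the deck asks for. Adding automation for the executable case later means writing its enrichment and decision branches, not loosening that default.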
17
“Continuous Response”
Intelligence-driven adaptive security architecture:
- Takes time to mature
- Focus on addressing specific use cases while building the engines
- Leverage automation and orchestration
- Fail CLOSED! (throw unknowns back to humans for analysis and decision)

Advantages:
- Detect, respond and recover at machine speed
- Free up analysts to address complex incidents
- Focus on gathering intelligence to feed analytics
- Stop being reactive! Change from "Incident Response" to "Continuous Response"
18
QUESTIONS?