Presentation is loading. Please wait.

Presentation is loading. Please wait.

Incident Response Managing Security at Microsoft Published: April 2004.

Published bySarina Cains Modified over 10 years ago

Similar presentations

Presentation on theme: "Incident Response Managing Security at Microsoft Published: April 2004."— Presentation transcript:

1 Incident Response Managing Security at Microsoft Published: April 2004

2 Solution OverviewSituation Benefits Solution Security threats to computer networks often come from attackers who take advantage of security flaws, such as well- known configuration errors and published product vulnerabilities. Just like any enterprise, Microsoft is the target of computer attacks. Security threats to computer networks often come from attackers who take advantage of security flaws, such as well- known configuration errors and published product vulnerabilities. Just like any enterprise, Microsoft is the target of computer attacks. Microsoft IT developed a consistent process for responding to incidents and recovering from disasters that do occur. The primary objectives of this process are to establish a clear command and control center, to rapidly mitigate exposure, to maximize cooperation, and to efficiently coordinate response activities. Microsoft IT developed a consistent process for responding to incidents and recovering from disasters that do occur. The primary objectives of this process are to establish a clear command and control center, to rapidly mitigate exposure, to maximize cooperation, and to efficiently coordinate response activities. Microsoft IT’s detailed, well-rehearsed and flexible incident response plan ensures that any exploit that occurs can be handled in an orderly, effective manner that minimizes the impact to systems. Microsoft IT’s detailed, well-rehearsed and flexible incident response plan ensures that any exploit that occurs can be handled in an orderly, effective manner that minimizes the impact to systems.

3 Microsoft IT Security Methodology People Process Technology Dedicated staff Dedicated staff Training Training Security – a mindset and a priority Security – a mindset and a priority Employee education Employee education Planning for security Planning for security Prevention Prevention Detection Detection Reaction Reaction Baseline technology Baseline technology Standards, encryption, protection Standards, encryption, protection Product security features Product security features Security tools and products Security tools and products

4 Risk Assessment LowHigh Risk Asset Value Property Tangible/Replaceable Information Clients/Corporate Network People Employees High

5 Preventing Incidents ● Scanning ● Auditing ● Detecting Intrusions ● Establishing Defense In Depth ● Securing Clients for Remote Users

6 Incident Response Team Structure Incident Lead Core Incident Response Team All incidents Examples of Extended Technical Response Team Engaged as needed Security, Services & Architecture Lead Investigations Lead Communications Lead Other Group Leads (as needed) Network Operations IT Helpdesk Virus Alert Command Team (VACT)

7 Virus Attack Command Team VACT Lead Information Security Messaging Server Operations Network Operations Desktop Services IT Helpdesk

8 Incident Response Team Chairs ● Incident Command Chair ● Manage central logistics ● Coordinate response strategies ● Ensure staffing of the Operations Center ● Maintain a comprehensive record of events ● Communications Chair ● Draft and submit all proposed communication ● Coordinate with Corporate Public Relations ● Monitor media for press related to the incident ● Investigations Chair ● Pursue investigative leads ● Perform a forensics examination of computer and information systems ● Coordinate with law enforcement officials

9 Incident Response Plan Trigger Phase Security Scan/Audit Response Phase Ongoing evaluation and response revisions Response Team Assembled Operations External Web Site Internal Web Site User Support Information on incident received Decision to begin Incident Response Plan Evaluate Situation Establish First Course of Action Isolate and Contain Analyze and Respond Alert Others as Required Begin Remediation De-escalation: Return to Normal Operations Post-Incident Review Revise/Improve Response Process Quick guide to determining the significance of incident Severity of the event Severity of the event Overall business impact Overall business impact Criticality of vulnerable/attacked assets Criticality of vulnerable/attacked assets Public availability of information Public availability of information Scope of exposure Scope of exposure Public relations impacts Public relations impacts Extent of use of groups outside of security Extent of use of groups outside of security

10 Trigger Phase And Team Assembly ● Trigger Phase ● Evaluate the situation ● Establish the first course of action ● Team Assembly

11 Response Phase ● Isolate and Contain ● Analyze and Respond ● Alert Others As Required ● Begin Remediation

12 De-escalation And Post- Incident Review ● De-escalation ● Return to normal business operations ● No reporting of new information by the parties involved ● Post-incident Review ● Debrief of the key organizations ● Discussion of the successes and shortcomings of the incident response

13 Defending Against Malware: Trojan Horse And Worm ● The Trojan horse does something more than the user expects ● The backdoor Trojan horse compromises computer security while appearing to do something useful ● Worm viruses copy from one disk drive to another and use a variety of means to replicate themselves

14 Defending Against Malware: Virus ● Ways to significantly reduce downtime caused by an attack ● Educate users about the importance of complying with security policies ● Follow general guidelines for protection against viruses ● In the event of a major attack, the incident response plan takes effect, tailored to a virus attack

15 Defending Against DDoS Attacks ● In the event of a DDoS attack against the Microsoft network or other domain properties, the incident response plan takes effect ● The response is tailored to the DDoS type of attack ● When symptoms such as high CPU usage indicate a DDoS attack, remember that there may be other causes of the symptoms, such as new content on a Web server or newly released products

16 Defending Against Internet- Facing Server Attacks ● Systems in the perimeter network are usually the first to be attacked ● In the event of an Internet-facing server attack against the Microsoft network or other domain properties, the incident response plan takes effect ● The response is tailored to an attack on an Internet-facing server

17 Defending Against Unauthorized Network Intrusions ● An attacker may try to attack the infrastructure – routers, Exchange-based servers, domain controllers, and attacks on the Active Directory directory service ● In the event of a network intrusion at Microsoft, the incident response plan takes effect, tailored to a network intrusion attack ● Attackers sometimes use a “smoke screen” – an attack to divert attention from a more stealthy network intrusion

18 Closing Vulnerabilities In Products ● Product vulnerabilities become apparent only when the software is run on a particular computer, under a particular operating system, or in a specific configuration ● If a major vulnerability is discovered in a Microsoft product, the response is tailored to the situation; therefore, the specific steps involved are somewhat different from the steps required to handle an attack

19 Lessons Learned ● Poor password management ● Weak account management processes ● Unsecured and unmanaged remote computers ● Poorly configured and unpatched systems ● Weak auditing and monitoring processes ● Inadequately restricted access to critical information

20 First Layer Of Defense: Secure The Network Perimeter ● Use secure wireless access ● Use a perimeter messaging firewall on the network ● Use an effective network intrusion detection system ● Secure remote user connections ● Deny viruses at the perimeter

21 Second Layer of Defense: Secure The Network Interior ● Control programs available to users ● Eliminate weak passwords ● Eliminate shared domain service accounts ● Use secure domain controllers ● Enforce application of antivirus software and software patches ● Use secure, robust operating systems for clients and servers

22 Conclusion ● Prevention is less costly than reacting to incidents ● Enterprises should develop a system of security audits, system scans, and remediation steps and educate users about protecting their systems ● Impact to systems is reduced by having a detailed, well-rehearsed, and flexible incident response plan

23 For More Information ● Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.comhttp://www.microsoft.com ● Microsoft TechNet http://www.microsoft.com/technet/itshowcase http://www.microsoft.com/technet/itshowcase ● Microsoft Case Study Resources http://www.microsoft.com/resources/casestudies ● E-mail IT Showcase showcase@microsoft.com

24 This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Microsoft Press, Visual Studio, Visual SourceSafe, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Download ppt "Incident Response Managing Security at Microsoft Published: April 2004."

Similar presentations

Harnessing the power of SWIFT for enterprise financial messaging Published: April 2007 Microsoft BizTalk Accelerator for SWIFT.

Harnessing the power of SWIFT for enterprise financial messaging Published: April 2007 Microsoft BizTalk Accelerator for SWIFT.
Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.

Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.
© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Chapter 12 Network Security.

Chapter 12 Network Security.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Managing Employee Earnings Statements: PAYSTUB 3.0 A centralized, intranet-based application used to view employee earnings statements online Published:

Managing Employee Earnings Statements: PAYSTUB 3.0 A centralized, intranet-based application used to view employee earnings statements online Published:
Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.

Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
ESupport Shifting Customers to the Internet for Support Published: January 2002.

ESupport Shifting Customers to the Internet for Support Published: January 2002.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
Network and Systems Security Security Awareness, Risk Management, Policies and Network Architecture.

Network and Systems Security Security Awareness, Risk Management, Policies and Network Architecture.
Managing LOB Applications by Using System Center Operations Manager Published: March 2007.

Managing LOB Applications by Using System Center Operations Manager Published: March 2007.
IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.

IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.

Similar presentations

Ads by Google