Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identifying and Responding to Security Incidents in the Law Firm

Published byJocelyn McCullough Modified over 10 years ago

Similar presentations

Presentation on theme: "Identifying and Responding to Security Incidents in the Law Firm"— Presentation transcript:

1 Identifying and Responding to Security Incidents in the Law Firm
Presented by: Carlos Batista, Information Security Manager Alston & Bird LLP

2 Learning Objectives Understand how one law firm developed and enacted a formal Computer Incident Response Team (CIRT) Identify key stakeholders in Incident Response Identify most likely scenarios for a computer security breach Define a methodology and establish measures for how to respond to such breaches

3 About Alston & Bird: National, Full-Service Law Firm
725 Attorneys, 5 U.S. Offices 240 Servers & 2,100 Desktops Almost all IT & Security Services Hosted In-House 25% of Servers Virtualized

4 The Benefits of a Computer Incident Response Team (CIRT)
Proactive approach to responding to a security breach Better prepared to collect & analyze forensic quality evidence Less downtime to impacted / breached & un-impacted systems Firm’s reputation is better preserved by following proper containment strategies

5 #1 Key to CIRT Planning & Success:
Senior Management Support!

6 How to Form a CIRT – Key Players
Core Team Information Security Manager (CIRT Team Leader) IT Infrastructure Manager Director of I.T. Information Security Analyst Facilities Manager Support Team Finance Manager BC / DR Representative H.R. Representative Business Development / Public Relations Attorney / Loss Prevention C.I.O.

7 Identify Likely Breach Scenarios
There are many security breach scenarios – you need to narrow them down to a few and address how to respond to those. We chose to develop responses to four scenarios: Significant Computer or Network Equipment Theft Compromise of Firm’s Website Virus or Worm Outbreak on the Network Unauthorized Disclosure by Electronic Means

8 Identify a Methodology for Responding
Response scenarios are typically easier to devise when an overall strategy or methodology is followed. We chose the PDCERF model (Schultz & Shumway) for incident response.

9 PDCERF Methodology Defined
Preparation – Being ready to respond before an incident actually occurs. Detection – Determining that something malicious has actually occurred. Containment – Limiting the extent of an incident, preventing further damage from occurring. Eradication – Finding and eliminating the root cause or causes that made the incident possible. Recovery – Restoring the environment to its pre-incident state but protected so the incident cannot reoccur. Follow-Up – Reviewing and integrating “lessons learned” into your incident response plans and security operations.

10 Scenario #2 – Compromise of Firm’s Website

11 Preparation Determined Incident Response Posture & Obtained Approval
Configured FW, IDS/IPS Optimally for Attack Detection Configured Web Server & Database Logging Created Known-Good System Backups with MD5 Hashes Synchronized Network Time across All Devices Established Relationship with Infragard (FBI) Created CIRT Calling Tree Created “Maintenance” Website Built Documentation on CIRT Framework and Cutover Procedures Prepare to Record Everything During an Incident (Timeline)

12 Detection Interfaced with Support Groups / Help Center to define a Notification Plan Defined SLAs for Initial Response, First Meeting, and Incident Updates to Management Defined Procedures for Initial Evidence Gathering Created Secure Repository for All Digital Evidence

13 Containment VMWare Guest Machines For Website Paused
VMWare Files Copied to a Forensic Server Impacted Hosts Segmented From Rest of Network Full Disclosure Kept Strictly Confidential Help Center Instructed to Inform Others Website is Experiencing “Technical Difficulties” External Parties Not Contacted (Not Currently)

14 Eradication Depends Largely On The Determined Root Cause
May Involve Software Updates, Software Removal, Configuration Changes, Better Change Control, Operational Security, Physical Security, etc Changes Tested in QA / Development Environment As Much as Possible

15 Recovery All Impacted Systems Are Flattened And Rebuilt
Rebuilds Performed From Certified Known Good Backup (MD5) Procedures Developed for Rebuild to Minimize Possibility Of Breach Reoccurring Mitigations to Address Root Cause of Breach Implemented Validation Testing Performed Access to Fully Operational Website Re-enabled

16 Follow-Up Post-Mortem Meetings to Review the Following: Timeline
Response Time Recovery Procedures Evidence Gathered Investigatory Next Steps - If Applicable Parties Involved – Should Others Be Brought In? Disposition of Evidence What Can Be Done Better? Update Scenario Response Plan

17 CIRT – Next Steps Continue Working on Scenarios – Incident Response is a Process, not a Project Implement Syslog Server Investigate using Tripwire for Integrity Check Integrate AlertFind Into CIRT Procedures Actively Test Scenarios – Challenging Because Downtime is Required

18 References Schultz & Shumway: Incident Response – A Strategic Guide to Handling System and Network Security Breaches. Mandia, Prosise & Pepe: Incident Response & Computer Forensics (2nd Edition). SANS Institute (sans.org)

19 “In God we trust…all others we virus scan.” 
Questions / Comments? “In God we trust…all others we virus scan.”  - Anonymous

Download ppt "Identifying and Responding to Security Incidents in the Law Firm"

Similar presentations

Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
WINDOWS FORENSICS FOR INCIDENT RESPONSE CHRISTIAN KOPACSI CISSP CISM CEH CHFI SECURITY+

WINDOWS FORENSICS FOR INCIDENT RESPONSE CHRISTIAN KOPACSI CISSP CISM CEH CHFI SECURITY+
1 HIT Standards Committee Privacy and Security Workgroup: Recommendations Dixie Baker, SAIC Steven Findlay, Consumers Union August 20, 2009.

1 HIT Standards Committee Privacy and Security Workgroup: Recommendations Dixie Baker, SAIC Steven Findlay, Consumers Union August 20, 2009.
Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.

Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.
GLOBRIN Business Continuity Workshop TECHNOLOGY & INFORMATION 13 th November 2013 Graham Jack.

GLOBRIN Business Continuity Workshop TECHNOLOGY & INFORMATION 13 th November 2013 Graham Jack.
CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,

CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Incidence Response & Computer Forensics, Second Edition

Incidence Response & Computer Forensics, Second Edition
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Disaster Recovery and Business Continuity Ensuring Member Service in Times of Crisis.

Disaster Recovery and Business Continuity Ensuring Member Service in Times of Crisis.
Www.encase.com Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,

Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,
Network security policy: best practices

Network security policy: best practices
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Introduction to Computer Forensics Fall 2007. Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (http://www.forensics.nl).http://www.forensics.nl.

Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
Incident Response Updated 03/20/2015

Incident Response Updated 03/20/2015
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
APA of Isfahan University of Technology In the name of God.

APA of Isfahan University of Technology In the name of God.
Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted.

Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted.

Similar presentations

Ads by Google