Business-Driven Security Lifecycle: A New Plan for Chaos

Picture, if you will…
• Security Patrol
• Broken Window
• Report & Escalate
• Record & Assess
• Follow Trail
• Schrödinger's Safe
• Police Investigate
• Brief Leadership

AGENDA
• Business-Driven Security Lifecycle
• Plan for Chaos
• Why Hunting Matters
• Essential Roles of Incident Response (IR)
• How IR Differs from Security Operations
• Next Steps

Sean Griesheimer, Senior Systems Engineer, RSA NetWitness Suite
Sean.Griesheimer@rsa.com
BUSINESS-DRIVEN Security Lifecycle (diagram)
• Governance: Measure Risk
• Operations: Simplify Controls
• Detection & Response: Plan for Chaos

Plan for Chaos
• Create Risk Register with Critical Assets and Threat Priorities.
• Align Defense-in-Depth (DiD) to mitigate Threat Priorities.
• Cultivate Threat Intelligence for Threat Priorities that bypass DiD.
• Develop Use Cases to Detect Threats that bypass DiD.
• Establish Incident Response Plan around your Threat Priorities.
• Define Playbooks for your Use Cases.
• Operationalize Playbooks for Incident Handling.
• Hunt for Anomalies that exist outside your Playbooks.
• Exercise Playbooks through Simulation/TTX for readiness.
• Assess resilience to threats with Gap Analysis.
Slide callouts: IR Noise Reduction; Easy Button; Wishful Thinking; Daily Operations; Where the real threats are; Methodology and discipline
Why Hunting Matters (flow diagram)
An Active Threat targets a Critical Asset:
• Defense-in-Depth Prevented? YES: handled within Security Operations. NO: DWELL TIME begins.
• Playbook Detected? YES: handed to Incident Response. NO: DWELL TIME continues until Threat Hunting finds it.

OPERATIONAL ROLES OF INCIDENT RESPONSE
• Threat
  • What threats are of concern?
  • What data feeds provide necessary information?
  • Which threat records are valid?
• Content
  • What is the logic necessary to identify threats?
  • Which tools are required to identify threats?
  • What are the rules/parsers/alerts required?
• Playbooks
  • Validated, tuned alerts
  • Execute standard procedures
  • Escalate if playbook does not identify remediation
• Hunting
  • 90% proactive investigations
  • 10% triage escalations
  • Inform Threat of new findings

Security Operations vs Incident Response

CIRT: Incident Response
• Preparation
  • Roles & Responsibilities
  • Communications Plan
  • IR Workflow
• Detection & Analysis
  • Incident Classification
  • Use Case Methodology
  • Incident Prioritization
  • Response Procedures
  • Identify Remediation Plan
• Containment
  • Execute Remediation Plan
  • Evidence Handling
• Eradication & Recovery
  • Execute Remediation Plan
  • Recover Data & Operations
• Post-Incident Review
  • After Action Report & Lessons Learned

SOC: Security Operations
Next Steps
How do we realize these objectives…tomorrow?

Threat Detection and Response
• Technology is only an enabler…
• What kind of people do we need?
• What processes do we need?
• How do we retain them?
• How do we build a career path?
• How is this different than what we're already doing?
• What kind of education do we need?

Additional Steps
• PROGRAM DEVELOPMENT (Planning)
  • How do we orient staff and test capabilities?
  • Annual Tabletop Exercises (TTX) for orientation
  • What does our process framework look like?
• THIRD-PARTY ESCALATION (Retainer)
  • Where do we go when we have a major incident?
• SKILL DEVELOPMENT (Education)
  • How do we maintain our skills and focus?
  • How do we educate our staff?
Incident Response is more than just a plan.

What We Covered Today
• Business-Driven Security Lifecycle
• Plan for Chaos
• Why Hunting Matters
• Essential Roles of Incident Response (IR)
• How IR Differs from Security Operations
• Next Steps

Thank you
Sean Griesheimer, Senior Systems Engineer, RSA NetWitness Suite
Sean.Griesheimer@rsa.com