Identifying and Responding to Security Incidents in the Law Firm



Presentation Transcript


  1. Identifying and Responding to Security Incidents in the Law Firm Presented by: Carlos Batista, Information Security Manager Alston & Bird LLP

  2. Learning Objectives • Understand how one law firm developed and enacted a formal Computer Incident Response Team (CIRT) • Identify key stakeholders in Incident Response • Identify most likely scenarios for a computer security breach • Define a methodology and establish measures for how to respond to such breaches

  3. About Alston & Bird: • National, Full-Service Law Firm • 725 Attorneys, 5 U.S. Offices • 240 Servers & 2,100 Desktops • Almost all IT & Security Services Hosted In-House • 25% of Servers Virtualized

  4. The Benefits of a Computer Incident Response Team (CIRT) • Proactive approach to responding to a security breach • Better prepared to collect & analyze forensic quality evidence • Less downtime to impacted / breached & un-impacted systems • Firm’s reputation is better preserved by following proper containment strategies

  5. #1 Key to CIRT Planning & Success: Senior Management Support!

  6. How to Form a CIRT – Key Players • Core Team: Information Security Manager (CIRT Team Leader); IT Infrastructure Manager; Director of I.T.; Information Security Analyst; Facilities Manager • Support Team: Finance Manager; BC / DR Representative; H.R. Representative; Business Development / Public Relations; Attorney / Loss Prevention; C.I.O.

  7. Identify Likely Breach Scenarios • There are many security breach scenarios – you need to narrow them down to a few and address how to respond to those. • We chose to develop responses to four scenarios: • Significant Computer or Network Equipment Theft • Compromise of Firm’s Website • Virus or Worm Outbreak on the Network • Unauthorized Disclosure by Electronic Means

  8. Identify a Methodology for Responding • Response scenarios are typically easier to devise when an overall strategy or methodology is followed. • We chose the PDCERF model (Schultz & Shumway) for incident response.

  9. PDCERF Methodology Defined • Preparation – Being ready to respond before an incident actually occurs. • Detection – Determining that something malicious has actually occurred. • Containment – Limiting the extent of an incident, preventing further damage from occurring. • Eradication – Finding and eliminating the root cause or causes that made the incident possible. • Recovery – Restoring the environment to its pre-incident state but protected so the incident cannot reoccur. • Follow-Up – Reviewing and integrating “lessons learned” into your incident response plans and security operations.

  10. Scenario #2 – Compromise of Firm’s Website

  11. Preparation • Determined Incident Response Posture & Obtained Approval • Configured FW, IDS/IPS Optimally for Attack Detection • Configured Web Server & Database Logging • Created Known-Good System Backups with MD5 Hashes • Synchronized Network Time across All Devices • Established Relationship with Infragard (FBI) • Created CIRT Calling Tree • Created “Maintenance” Website • Built Documentation on CIRT Framework and Cutover Procedures • Prepare to Record Everything During an Incident (Timeline)

  12. Detection • Interfaced with Support Groups / Help Center to define a Notification Plan • Defined SLAs for Initial Response, First Meeting, and Incident Updates to Management • Defined Procedures for Initial Evidence Gathering • Created Secure Repository for All Digital Evidence

  13. Containment • VMware Guest Machines For Website Paused • VMware Files Copied to a Forensic Server • Impacted Hosts Segmented From Rest of Network • Full Disclosure Kept Strictly Confidential • Help Center Instructed to Inform Others Website is Experiencing “Technical Difficulties” • External Parties Not Contacted (Not Currently)

  14. Eradication • Depends Largely On The Determined Root Cause • May Involve Software Updates, Software Removal, Configuration Changes, Better Change Control, Operational Security, Physical Security, etc. • Changes Tested in QA / Development Environment As Much as Possible

  15. Recovery • All Impacted Systems Are Flattened And Rebuilt • Rebuilds Performed From Certified Known Good Backup (MD5) • Procedures Developed for Rebuild to Minimize Possibility Of Breach Reoccurring • Mitigations to Address Root Cause of Breach Implemented • Validation Testing Performed • Access to Fully Operational Website Re-enabled

  16. Follow-Up
     • Post-Mortem Meetings to Review the Following:
        • Timeline
        • Response Time
        • Recovery Procedures
        • Evidence Gathered
        • Investigatory Next Steps - If Applicable
        • Parties Involved – Should Others Be Brought In?
        • Disposition of Evidence
        • What Can Be Done Better?
     • Update Scenario Response Plan

  17. CIRT – Next Steps • Continue Working on Scenarios – Incident Response is a Process, not a Project • Implement Syslog Server • Investigate using Tripwire for Integrity Check • Integrate AlertFind Into CIRT Procedures • Actively Test Scenarios – Challenging Because Downtime is Required
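Slides 11, 15 and 17 all rest on file integrity: hashing known-good backups and evaluating Tripwire for integrity checks. The block below is an added example, not the firm's own tooling, of the baseline-then-verify loop such a check performs against a web root; it uses SHA-256 rather than the MD5 named in the slides, because MD5 collisions are practical and an integrity baseline should not depend on it. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Baseline-and-verify integrity check for a web root (added example, not the firm's tooling)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, streamed so large artifacts need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file's root-relative POSIX path to its digest: the known-good snapshot."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline; any non-empty bucket is a detection finding."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a tiny web root, then alter it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "css").mkdir()
        (root / "index.html").write_text("<h1>Alston &amp; Bird</h1>\n")
        (root / "css" / "site.css").write_text("body { color: #000; }\n")
        baseline = build_baseline(root)
        # In practice the baseline lives off-host (the slides' secure evidence repository).
        stored = json.loads(json.dumps(baseline))
        # Simulated post-baseline changes: one edited page, one removed file, one new file.
        (root / "index.html").write_text("<h1>changed</h1>\n")
        (root / "css" / "site.css").unlink()
        (root / "new_page.html").write_text("<p>unexpected</p>\n")
        return verify(root, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run periodically from a host the web server cannot write to, a non-empty result is the trigger for the Detection step and the JSON baseline doubles as the certificate for a known-good rebuild in Recovery.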

  18. References • Schultz & Shumway: Incident Response – A Strategic Guide to Handling System and Network Security Breaches. • Mandia, Prosise & Pepe: Incident Response & Computer Forensics (2nd Edition). • SANS Institute (sans.org)

  19. Questions / Comments? “In God we trust…all others we virus scan.” – Anonymous