Explore the essential roles of Incident Response and how it differs from Security Operations. Learn the next steps to measure, govern, and assess cyber risk effectively. Dive into methodologies and disciplines for proactive threat hunting.
Business-Driven Security Lifecycle: A New Plan for Chaos

Picture, if you will… (a physical-security story: Why Not Cyber?)
• Security Patrol
• Broken Window
• Report & Escalate
• Record & Assess
• Follow Trail
• Schrödinger's Safe
• Police Investigate
• Brief Leadership
AGENDA
• Business-Driven Security Lifecycle
• Plan for Chaos
• Why Hunting Matters
• Essential Roles of Incident Response (IR)
• How IR Differs from Security Operations
• Next Steps

Shane Harsch, MBA, GCIA, GCIH, GCED, CISSP
Senior Solutions Principal, RSA Risk & Cybersecurity Practice; SANS Mentor
shane.harsch@rsa.com

RSA Business-Driven Security Lifecycle (diagram)
• Measure Risk / Governance: RSA Archer Suite
• Defense-in-Depth / Risk Intelligence / Fraud Detection: RSA Fraud & Risk Intelligence Suite
• Security Controls / Operations: RSA SecurID Suite, RSA Identity Governance & Lifecycle
• Plan for Chaos / Detection & Response: RSA NetWitness Suite
Plan for Chaos
• Create a Risk Register with Critical Assets and Threat Priorities.
• Align Defense-in-Depth (DiD) to mitigate Threat Priorities.
• Cultivate Threat Intelligence for Threat Priorities that bypass DiD.
• Develop Use Cases to detect threats that bypass DiD.
• Establish an Incident Response Plan around your Threat Priorities.
• Define Playbooks for your Use Cases.
• Operationalize Playbooks for Incident Handling.
• Hunt for anomalies that exist outside your Playbooks.
• Exercise Playbooks through Simulation/TTX for readiness.
• Assess resilience to threats with Gap Analysis.
Slide annotations alongside these steps: IR Noise Reduction; Easy Button; Wishful Thinking; Daily Operations; Where the real threats are; Methodology and discipline.

Why hunting matters (decision flow for an Active Threat against a Critical Asset)
• Defense-in-Depth prevented? YES: the threat is stopped, no dwell time. NO: continue.
• Playbook detected? YES: Incident Response handles it (Security Operations). NO: the threat accumulates DWELL TIME until Threat Hunting finds it.
Dwell time is the window between compromise and detection; hunting exists to shorten it for threats that bypass both prevention and the playbooks.
Jargon Check — What is an Incident?
• CIRT vs SOC: CIRTs (Critical Incident Response Team) handle incident response; SOCs (Security Operations Center) handle security administration of security controls.
• Events: log records, network sessions.
• Incidents (physical example: broken window): events or collections of events with indicators that align with threat priorities; require investigation, resulting in remediation.
• Declared Incidents (physical example: broken window with evidence it was a burglar): incidents that indicate the potential for loss; require leadership notification.
• Breach (physical example: path from window leads to safe that is now empty): evidence of loss; requires activation of the Executive Response plan, which extends the operational Incident Response plan.

OPERATIONAL ROLES OF INCIDENT RESPONSE
• Threat
  • What threats are of concern?
  • What data feeds provide the necessary information?
  • Which threat records are valid?
• Content
  • What is the logic necessary to identify threats?
  • Which tools are required to identify threats?
  • What are the rules/parsers/alerts required?
• Playbook
  • Validate tuned alerts
  • Execute standard procedures
  • Escalate if the Playbook does not identify remediation
• Hunting
  • 90% proactive investigations
  • 10% Playbook escalations
  • Inform Threat of new findings
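The jargon ladder (event, incident, declared incident, breach) and the four operational roles above can be expressed as a small triage pipeline. The following Python is an added example written for this page; it is not code from the deck or from RSA. The asset names, indicator names, log format and playbook steps are all constructed for illustration: a Threat-role risk register maps threat priorities to indicators, a Content-role parser turns log lines into events, the Playbook role returns standard procedures when one exists, and anything without a playbook (or unmatched activity on a critical asset) is escalated to Hunting.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# --- "Threat" role: constructed risk register (hypothetical names) ---
CRITICAL_ASSETS: Set[str] = {"fin-db-01", "hr-files-02"}
# threat priority -> indicators that use-case rules emit for it
THREAT_PRIORITIES: Dict[str, Set[str]] = {
    "credential-theft": {"auth.failure.burst", "auth.success.new_geo"},
    "data-exfil": {"net.large_upload", "dlp.match"},
}
# indicators that are evidence of loss (breach), not merely potential for loss
LOSS_INDICATORS: Set[str] = {"dlp.match"}

# --- "Playbook" role: standard procedures per threat priority ---
# A threat priority with no playbook is escalated to hunting.
PLAYBOOKS: Dict[str, List[str]] = {
    "credential-theft": ["reset credentials", "revoke sessions", "review auth logs"],
}

@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    indicator: str
    detail: str = ""

def parse_log(line: str) -> Event:
    """'Content' role: parser for the constructed format
    '<ISO-8601 timestamp> <host> <indicator> [<free-text detail>]'."""
    ts, host, indicator, *rest = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), host, indicator, rest[0] if rest else "")

def threat_for(indicator: str) -> Optional[str]:
    """Return the threat priority an indicator aligns with, if any."""
    for threat, indicators in THREAT_PRIORITIES.items():
        if indicator in indicators:
            return threat
    return None

@dataclass
class Finding:
    host: str
    level: str                  # event | incident | declared_incident | breach
    threats: List[str]
    dwell: timedelta            # proxy: first related event -> latest event seen
    actions: List[str]          # playbook steps, or a hunting escalation
    notify_leadership: bool     # declared incident or breach
    executive_response: bool    # breach only

def triage(lines: List[str]) -> Dict[str, Finding]:
    """Group events per host and walk each host up the ladder:
    event -> incident -> declared incident -> breach."""
    per_host: Dict[str, List[Event]] = {}
    for ev in map(parse_log, lines):
        per_host.setdefault(ev.host, []).append(ev)

    findings: Dict[str, Finding] = {}
    for host, events in per_host.items():
        events.sort(key=lambda e: e.ts)
        threats = sorted({threat_for(e.indicator) for e in events} - {None})
        critical = host in CRITICAL_ASSETS
        loss = any(e.indicator in LOSS_INDICATORS for e in events)
        if threats and critical and loss:
            level = "breach"              # evidence of loss
        elif threats and critical:
            level = "declared_incident"   # potential for loss
        elif threats:
            level = "incident"            # indicators align with a threat priority
        else:
            level = "event"               # log records only
        dwell = events[-1].ts - events[0].ts if level != "event" else timedelta(0)

        actions: List[str] = []
        for t in threats:
            # Playbook role: standard procedure, else escalate to Hunting
            actions += PLAYBOOKS.get(t, [f"hunt: no playbook for {t}"])
        if level == "event" and critical:
            # Hunting role: anomalies that exist outside the playbooks
            actions.append("hunt: unmatched activity on critical asset")

        findings[host] = Finding(
            host, level, threats, dwell, actions,
            notify_leadership=level in ("declared_incident", "breach"),
            executive_response=(level == "breach"),
        )
    return findings

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2024-03-01T09:00:00 ws-42 auth.failure.burst 27 failures in 60s for jdoe",
    "2024-03-01T09:05:00 ws-42 auth.success.new_geo jdoe from a new country",
    "2024-03-01T10:00:00 fin-db-01 net.large_upload 4.2GB to external host",
    "2024-03-01T10:20:00 fin-db-01 dlp.match customer PII pattern in upload",
    "2024-03-01T11:00:00 hr-files-02 proc.unknown_binary new unsigned service",
    "2024-03-01T12:00:00 ws-07 sys.reboot scheduled patch",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS).values():
        print(f"{f.host:12} {f.level:17} dwell={f.dwell} threats={f.threats} actions={f.actions}")
```

Two design points carry the deck's argument: the "data-exfil" priority has no playbook, so the fin-db-01 activity is a breach that goes straight to hunting and the executive response plan, and the unsigned service on hr-files-02 matches no use case at all, which is exactly the kind of anomaly the 90% proactive hunting share is meant to catch.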
Operations and response: IR and SOC share the effort (NIST SP 800-61r2 Incident Response Lifecycle, with CIRT Incident Response and SOC Security Operations as the two columns)
• Preparation
  • Roles & Responsibilities
  • Communications Plan
  • IR Workflow
• Detection & Analysis
  • Incident Classification
  • Use Case Methodology
  • Incident Prioritization
  • Response Procedures
  • Identify Remediation Plan
• Containment, Eradication & Recovery
  • Execute Remediation Plan (listed under both CIRT and SOC)
  • Evidence Handling
  • Recovery
• Post-Incident Activity
  • After Action Report & Lessons Learned
Next steps: How do we realize these objectives… tomorrow?

A New Plan for Chaos (stage 1): Essential Foundations, 30-day Quick Wins
1. Identify scope of IR objectives (Incident Readiness Workshop)
2. Retainer with RSA (or 3rd party) (IR Retainer)
3. Define initial plan (Initial IR Plan)
4. Deploy endpoint visibility tool (Endpoint Detection & Response (EDR) Implementation)
5. Co-hunting with RSA (or 3rd party) (IR Hunting Orientation)
6. Train for the EDR product from step 4 (EDR Training)
7. Train for incident handling (Incident Handling Training)
8. TTX for orientation to the IR Plan (IR TableTop Exercise)
9. Train to be an analyst (Operational Cyber Intel Training)
10. Identify next roadmap (Next Steps Workshop)
Timeline: Day 1–10 engagements kick-off; Day 11–20 training & knowledge transfer; Day 21–30 IR plan & hunting in place.
Customer evolution: Planning ("Yes, I have an IR plan"); Execution ("Yes, I have advanced defenses"); Evolution ("Yes, I know my next steps").
RSA Risk & Cybersecurity Practice: A Portfolio for Readiness, Response and Resilience
• Incident Response: Incident Response Retainer | Incident Discovery | Incident Response | IR Hunting Services | Breach Management | NSA CIRA Accredited
• ASOC Design & Implementation: Future State Design | Technology Acquisition | ASOC Implementation | Residencies & Education Services
• Incident Response Program Development: Incident Management Lifecycle Development | Threat Detection Use Case Development | Metric and KPI Modeling
• Cyber Threat Intelligence Program Development: Portal Implementation & Customization | Threat Intel Roadmap | Threat Research
• Security Readiness and Strategy: Current State & Gap Analysis | Maturity Modeling | NIST CSF Roadmap Development

What We Covered Today
• Business-Driven Security Lifecycle
• Plan for Chaos
• Why Hunting Matters
• Essential Roles of Incident Response (IR)
• How IR Differs from Security Operations
• Next Steps

Thank you
Shane Harsch, MBA, GCIA, GCIH, GCED, CISSP
Senior Solutions Principal, RSA Risk & Cybersecurity Practice; SANS Mentor
shane.harsch@rsa.com