Make IR Effective with Risk Evaluation and Reporting
0 likes663 views
The document discusses the challenges and systemic failures of traditional incident response (IR) approaches in cybersecurity. It emphasizes the need for a business-driven incident response that integrates threat intelligence and risk assessment from a business perspective, moving beyond mere technical fixes. Recommendations include collaborating with business units, updating IR plans, and developing a scoring algorithm to evaluate cyber risks effectively.
![#RSAC
Detection Score
Detection
H [3]
>100+ hosts
detected
M [2]
>11-99 hosts
detected
L [1]
>1-10 hosts
detected](https://image.slidesharecdn.com/air-r02-make-ir-effective-with-risk-evaluation-and-reporting-160310120156/85/Make-IR-Effective-with-Risk-Evaluation-and-Reporting-13-320.jpg)
![#RSAC
Response Score
Response
H [3]
>10% detected
blocked
M [2]
>65% detected
blocked
L [1]
> 90% detected
blocked](https://image.slidesharecdn.com/air-r02-make-ir-effective-with-risk-evaluation-and-reporting-160310120156/85/Make-IR-Effective-with-Risk-Evaluation-and-Reporting-14-320.jpg)
![#RSAC
Remediation Score
Remediate
H [3]
>10%
remediated
M [2]
>65%
remediated
L [1]
>90%
remediated](https://image.slidesharecdn.com/air-r02-make-ir-effective-with-risk-evaluation-and-reporting-160310120156/85/Make-IR-Effective-with-Risk-Evaluation-and-Reporting-15-320.jpg)
![#RSAC
Recover Score
Recover
H [3]
10%
recovered
M [2]
65%
recovered
L [1]
90%
recovered](https://image.slidesharecdn.com/air-r02-make-ir-effective-with-risk-evaluation-and-reporting-160310120156/85/Make-IR-Effective-with-Risk-Evaluation-and-Reporting-16-320.jpg)
![#RSAC
Reputational Score
Reputation
Press
Y[3]
N[0]
WH
Y[3]
N[0]
Hill
Y[3]
N[0]
DHS
Y[3]
N[0]](https://image.slidesharecdn.com/air-r02-make-ir-effective-with-risk-evaluation-and-reporting-160310120156/85/Make-IR-Effective-with-Risk-Evaluation-and-Reporting-17-320.jpg)
Make IR Effective with Risk Evaluation and Reporting
- 1. SESSION ID: #RSAC Justin Monti Make IR Effective with Risk Evaluation and Reporting AIR-R02 Sr. VP Security Engineering MKA Cyber Mischel Kwon President/CEO MKA Cyber @mkacyber
- 2. #RSAC You’ve Got an Incident – Now What? 2 Monitoring detects new rogue AD accounts Preliminary investigation suggests an intrusion What next? Who runs the incident? Forensic investigation reveals many technical details of the attack but fails to grasp business impact Without clear understanding of risk to company and client data, internal escalation is inadequate before client notification Company is behind the 8-ball as clients aggressively respond to potential breach
- 3. #RSAC Classic Stove Piped Compliance Driven Security Program Executive Layer Executives HR Finance Legal Business Function P&L R&D IT Infrastructure Desktop/ Laptop Servers Security Architecture Policy/ Compliance Policies Controls Audit Reporting SOC Threat Intelligence Forensics Detection/ Analysis IR Management Reporting
- 4. #RSAC Classic SOC Practices Indicators based on disk forensics and canned vendor-delivered signatures SEIM Alert Pick a number – address the first 40 incidents because that’s what you can handle Malware focus Find the dirty box and reimage Count up the hits – measure by numbers An occasional hunt and campaign discovery
- 5. #RSAC This is What it Looks Like:
- 6. #RSAC Incident Response – The Old Way OMG it’s malware! – Manual Anti-virus Risk is all about the “sexiness” of the malware No distinction by systems impacted – critical business process or the soda machine Business owners not involved – treated as an IT issue only No criteria for severity – impact or technical sophistication – leaves open-ended decisions to analysts Anti-virus vendor, scan vendor – High, Medium, Low Impossible to articulate risk to executives – the sky is always falling The SOC ran the IR
- 7. #RSAC Old IR Approach = FAIL External attention to an incident requires careful handling – missteps can be impossible to recover from Not understanding the true impact to the business mission hinders mitigation efforts Incident is not just impacting IT – it impacts the business Loss of business capability = loss of revenue Reputational damage = loss of customer confidence/trust, brand damage Regulatory/Investigation = penalties and other consequences
- 8. #RSAC Why this does NOT work… Remediation Reconstitution Data Infrastructure Damage BusinessLoss Reputation
- 9. #RSAC Threat and Business Risk Driven Program Not just SOC Education/Training/Exercise prior to incident Often other types of risk processes are used if a cyber incident affects a large amount of the enterprise/business – Crisis Teams Intelligence Threat Analysis Update Sensoring DefenseDetection Reporting Remediation Business Risk
- 10. #RSAC Business Driven Incident Response IncidentResponse Investigation Immediate Response Reputational Defense Reconstitution Post Mortem • Business may take over responding to the incident • Collaboration and early education on the threat is critical • Risk is more than losing the box • Risk is more than losing data • Risk is: • Loss • Cost • Time • Reputation
- 11. #RSAC Articulating Incident Risk to the Business Cyber Risk Condition Severe Severe Risk to the Entity’s mission or function High High Risk to the Entity’s mission or function Elevated Elevated Risk to the Entity’s mission or function Guarded Guarded Risk to the Entity’s mission or function Low Low Risk to the Entity’s mission or function
- 12. #RSAC The Algorithm Attack Score * (Detection + Response + Remediation + Recovery + Reputation) = Risk Score Severe 129 - 200 High 73 - 128 Elevated 33 - 72 Guarded 9 - 32 Low 0 - 8 This is an example – you would tailor this to your organization
- 13. #RSAC Detection Score Detection H [3] >100+ hosts detected M [2] >11-99 hosts detected L [1] >1-10 hosts detected
- 14. #RSAC Response Score Response H [3] >10% detected blocked M [2] >65% detected blocked L [1] > 90% detected blocked
- 15. #RSAC Remediation Score Remediate H [3] >10% remediated M [2] >65% remediated L [1] >90% remediated
- 16. #RSAC Recover Score Recover H [3] 10% recovered M [2] 65% recovered L [1] 90% recovered
- 18. #RSAC Scoring the Malware Attack Attributes Score (0-10) Prolific spreading (viral) 10 Polymorphic 10 Lateral movement 0 Zero day 0 Entity vulnerability exists 10 Lack of visibility to detect 8 Lack of intelligence 7 Lack of forensic evidence 5 Mission information exfiltration 10 (unknown) Command and Control of internal machines 10 (unknown) Spamming Campaign 10 Total 80 Total number of attributes = 11 AttackScore = Sum(Scores) Count(Attributes) 80 11 = 7.27
- 19. #RSAC Cyber Risk Score - not just the SOC Severe High Malware Attributes Vulnerability Exposure Elevated Guarded Low Threat Intelligence Reputation Impact: Press, Regulatory Notification, Law Enforcement IR Stats: Detection, Response, Remediation, Recovery
- 20. #RSAC Data and Analytics – the Achilles’ Heel Massive amount of Data – just sensors – not including remediation/compliance 165,000 end users – 6000 servers 3 core enterprise domains 10 internet gateways – 4 OC-12s, 6 OC-3s 1B+ Log Events daily Expensive Analysts often repeating basic analysis tasks
- 21. #RSAC Pulling the Data Together
- 22. #RSAC Challenges 22 Technical Fast Analysis Engine – In Memory Agile Data Model - Simple Modifications Mapping Attack to Vuln to Control/Policy Communicate Reporting - Technical, Managerial, Executive Metrics - Technical, Managerial, Executive Logistical Data Storage Data Access Data Sources Organizational Budget Policy – Keeping up with the Adversary Understanding Impact/Risk to Business
- 23. #RSAC The Future Wish List Shared Pattern Libraries – on the meta data level Vulnerability management based on patterns not just one for one One data format Acceptance and tools to manage other data storage formats Shared Analyst pools Mission participation in Risk Analysis
- 24. #RSAC Apply – What Can I Do? 24 Help the SOC understand the business mission they protect Get the SOC access to asset data – what business process it supports, vulnerability state, configuration hygiene state Review your IR plan – what is the escalation and communication plan? Who is included? HR? Legal? PR? Business Units? Work with IR stakeholders to tune the Cyber Risk Score algorithm to your organization Use it to track risk in your next incident or IR exercise
- 25. #RSAC Summary Today’s SOC must be driven by internal and external intelligence to clearly understand both the threat and the risk The entire organization MUST understand the threat and participate in assessing the risk from the business perspective in order to accept the risk Risk must be derived from Business Risk , IT Risk, as well as Security Vulnerability IR is more than understanding the attack – and loss of data – but what it takes to get back to business or even – JUST SURVIVE Targeted is scary – but a business that is crippled is just as scary We have all the data – now how do we look at it…
- 26. #RSAC Q&A Mischel Kwon Justin Monti info@mkacyber.com +1 (703) 291-1331 2700 Prosperity Ave, Suite 262 Fairfax, VA 22031 USA