Post on 18-Nov-2014
© 2011 Co3 Systems, Inc. The information contained herein is proprietary and confidential. Page 1
Cyber Incident Response
Agenda
§ Introductions
§ Cyber Incident Response
  – The process
  – Tips for getting it right
§ Today's reality with breaches – CSO versus CPO
§ Q&A
Introductions: Today's Speakers
§ Gant Redmon, GC and VP Business Development, Co3
  – Former CPO of Arbor Networks, Inc.
  – General Counsel for 12 years
§ Ellen Giblin, Privacy Counsel, Ashcroft Law Firm
  – Internationally-recognized expert in privacy, data breach, data protection, cyber security, and information management
  – Privacy Counsel at Littler Mendelson P.C.
  – Privacy Officer for Citizens Financial Group
CYBER INCIDENT RESPONSE PLANS
Cyber Incident Response Plans
§ Every company should develop a written cyber incident response plan
  – Not only is it a good idea, some regulations require it
§ The plan should document cyber attack scenarios and define appropriate responses
§ The plan should include:
  – Response team
  – Reporting
  – Initial response
  – Investigation
  – Recovery and follow-up
  – Public relations
  – Law enforcement
Cyber Incident Response Team
The response team should:
• Identify and classify cyber attack scenarios
• Determine the tools and technology used to detect attacks
• Develop a checklist for handling initial investigations of cyber attacks
• Determine the scope of an internal investigation once an attack has occurred
• Conduct any investigations within the determined scope
• Address data breach issues, including notification requirements
• Conduct follow-up reviews on the effectiveness of the company's response to an actual attack
Discovery and Reporting of Cyber Incidents
§ Define procedures for cyber attack discovery and reporting, including:
  – Team members who monitor industry practices to ensure that:
    • information systems are appropriately updated; and
    • information systems are instrumented to allow for early discovery of attacks
  – A database to track all reported incidents
  – A risk rating to classify all reported incidents (e.g. low, medium, or high) and facilitate the appropriate response
Initial Response to a Cyber Attack
• Conduct a preliminary investigation to determine whether a cyber attack has occurred
• Follow the investigation checklist set out in the cyber incident response plan
• The initial response varies depending on the type of attack and level of seriousness. However, the response team should aim to:
  • Stop the cyber intrusion from spreading further into the company's computer systems
  • Appropriately document the investigation
Investigating a Cyber Attack
§ A formal internal investigation may be required depending on:
  – the level of intrusion
  – its impact on critical business functions
§ An internal investigation allows the company to:
  – Fully understand the intrusion
  – Improve its chances of identifying the attacker
  – Detect previously-unknown security vulnerabilities
  – Identify required improvements to IT systems
§ If the company's response team or IT department lacks the capacity or expertise to conduct an internal investigation, the company may wish to retain:
  • Legal counsel
  • A cyber security consultant
Common Cyber Attack Scenarios
• Cyber attacks often fall into one or more common scenarios
• Anticipate and prepare for these common scenarios in advance and provide preliminary investigatory questions for each
• Obtaining fast and accurate answers to these questions helps shape and expedite the investigation
Recovery and Follow-Up After a Cyber Attack
§ Address the recovery of IT systems by both:
  – Eliminating the vulnerabilities exploited by the attacker and any other identified vulnerabilities
  – Bringing the repaired systems back online
§ Once systems are restored:
  – Determine what improvements are needed to prevent similar incidents from recurring
  – Evaluate how the response team executed the response plan
The Role of the CPO in a Breach
§ Understand the efforts underway by security staff to 'plug the gaps' and restore integrity
§ Realize that there may be a conflict of interest
§ Know how to align and satisfy all of your organization's requirements
Suggestions
§ Working with Security in advance is vital: knowing where the tensions are, and what you'll do to resolve them, is key to success
§ Early triage is critical to determining whether PI has been exposed
§ Establish executive support in advance of a breach for anything that may look contentious
§ Have a clear process that coordinates activities across multiple groups to ensure an efficient organizational response
§ Conduct dry runs, simulations or tabletops – they will illuminate where there are potential issues – make sure to test multiple scenarios
Security and Privacy – the Yin and the Yang
[Diagram: Cyber Incidents (cyber breach, DDoS, malware, etc.) trigger a CISO-Driven Response; PII Exposed triggers a CPO-Driven Response; aligning objectives yields a Combined Response]
§ IT/Security: protect the integrity and continuity of business operations
§ Privacy: protect customers and employees
5 Rules for Working With Your CSO
§ Rule #1: Know Your History
  – The modern-day CSO has been around about the same amount of time as the CPO
  – The CPO title came about in the mid to late 90s with the advent of GLB and HIPAA
  – The CSO title (as opposed to the CISO title) arose after 9/11 with the increased focus on security
  – The CPO role weakened following 9/11 but has strengthened as personal information becomes the basis of corporate value
5 Rules for Working With Your CSO
§ Rule #2: Accept Your Co-Dependence
  – Privacy and Security are intertwined. You can have security without privacy, but you can't have privacy without security
  – You can promise not to share information, but that doesn't do much good if any hacker can just steal it
  – There's no responding to a data breach if you don't know about it or you can't identify what information has been accessed
  – IT is generally the real first responder. They are the ER triage of data breach response
5 Rules for Working With Your CSO
§ Rule #3: Empathize with Your CSO
  – CSOs stockpile data. CPOs are minimalists. Show your CSO the advantages of cleaning house
    • Data retention policy compliance
    • eDiscovery advantages
    • Less exposure if a breach occurs if there is less sensitive data available
  – Follow the Data
    • The CSO knows the flow of data within the organization. You need to work with the CSO to understand this flow and do your job
    • Once you understand the flow of data, you can compare it to the business process that drives that flow
    • With an understanding of the flow of data and the business process, you can make suggestions that take into consideration the value proposition of the use of customer data
    • Many companies see the role of CPO as driving internal process improvement
  – Privacy can be an unnatural act for the CSO
    • The CSO is charged with protecting the perimeter
    • The CPO may be asking the CSO for "holes below the waterline" in the perimeter for purposes of information owner inspection and verification
5 Rules for Working With Your CSO
§ Rule #4: Stop Talking "Privacy"
  – Privacy is a loaded word. It's like saying "conservative" or "liberal." Use a word your CSO and others can rally around.
  – Call it "Information Governance"
    • Information governance encompasses information management, security, use, and data strategy
    • Information governance can refer to a lifecycle: how we create information, how we keep it safe and secure and accessible during its lifecycle, and how we thoughtfully dispose of it
  – Information governance rings true with the legal department
    • Can refer to data retention and eDiscovery
    • Positions you as a bridge between the GC and CSO
    • GCs didn't go to law school because of their engineering prowess. Give them a hand
5 Rules for Working With Your CSO
§ Rule #5: Keep Your Head Out of the Boat
  – A CSO's role is largely inward looking. They must protect corporate assets and keep the system running
  – The CPO's role is outward facing because they act as the customers' and employees' advocate within the company
  – Customer/client advocacy translates to corporate revenue. Ask yourself what other department uses this argument to drive change within your organization
  – The CPO must be business savvy and navigate the conflicting interests of business needs, customer expectations and legal requirements
  – If the CPO can prove him- or herself to be an ally with management in the balancing of concerns, then that CPO will be embraced by those above
  – If the CPO is embraced by the management team, the CPO is more likely to have a good working relationship with the CSO
5 Rules for Working With Your CSO
§ Bonus Rule #6: Embrace Technology to Improve Processes and Efficiency
  – CSOs make their career out of using software to improve process – conversations will go well if you speak their language
  – CSOs can use software as "breach triage" as well as for escalating events to the CPO
  – Using software to diagnose an event makes the outcome and action plan both objective and quantifiable. These are traits valued by both the GC and CSO
  – Build a dashboard. CSOs love them as a way to stay in the loop and remain part of an incident response
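The incident risk rating (slide 7), the CISO/CPO/combined routing of the Yin-and-Yang slide, and the "breach triage" and dashboard idea of Rule #6 can be encoded as simple, repeatable rules. The following is an added illustration, not Co3 software or anything from the deck; the rating thresholds, the incident fields and the sample incidents are assumptions constructed for the example.

```python
from dataclasses import dataclass
from collections import Counter

CYBER_CATEGORIES = {"cyber_breach", "ddos", "malware"}  # slide 14's cyber incident examples

@dataclass
class Incident:
    incident_id: str
    category: str           # "malware", "ddos", "cyber_breach", or e.g. "lost_device"
    pii_exposed: bool       # early-triage finding: was personal information exposed?
    critical_systems: int   # critical business functions affected
    contained: bool         # has the intrusion been stopped from spreading?

def risk_rating(inc: Incident) -> str:
    """Low/medium/high classification for the incident database (slide 7).
    Thresholds are assumptions for illustration, not the deck's own."""
    if inc.pii_exposed or inc.critical_systems >= 3:
        return "high"
    if inc.critical_systems >= 1 or not inc.contained:
        return "medium"
    return "low"

def response_owner(inc: Incident) -> str:
    """Route per slide 14: cyber incident -> CISO, PII exposed -> CPO, both -> combined."""
    is_cyber = inc.category in CYBER_CATEGORIES
    if is_cyber and inc.pii_exposed:
        return "combined"
    return "cpo" if inc.pii_exposed else "ciso"

def triage(inc: Incident) -> dict:
    """One objective, quantifiable triage record per incident (Rule #6)."""
    owner = response_owner(inc)
    return {
        "incident_id": inc.incident_id,
        "rating": risk_rating(inc),
        "owner": owner,
        "escalate_to_cpo": owner in ("cpo", "combined"),
        "notification_review": inc.pii_exposed,  # breach-notification analysis needed
    }

def dashboard(incidents) -> dict:
    """Counts by rating and owner plus open CPO escalations, for a CSO/CPO dashboard."""
    records = [triage(i) for i in incidents]
    return {
        "by_rating": dict(Counter(r["rating"] for r in records)),
        "by_owner": dict(Counter(r["owner"] for r in records)),
        "open_cpo_escalations": sum(r["escalate_to_cpo"] for r in records),
    }

# Constructed sample incidents (not real data).
SAMPLE = [
    Incident("INC-1", "malware", pii_exposed=False, critical_systems=0, contained=True),
    Incident("INC-2", "ddos", pii_exposed=False, critical_systems=2, contained=False),
    Incident("INC-3", "cyber_breach", pii_exposed=True, critical_systems=1, contained=False),
    Incident("INC-4", "lost_device", pii_exposed=True, critical_systems=0, contained=True),
]
```

Calling `dashboard(SAMPLE)` yields the rating and owner counts a CSO/CPO dashboard would display, and `triage(inc)` gives the per-incident record to escalate.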
Questions
Thanks!
Gartner: "Co3 …define(s) what software packages for privacy look like."
Co3 Systems: 1 Alewife Center, Suite 450, Cambridge, MA 02140 – ph: 617.206.3900 – e: info@co3sys.com – www.co3sys.com
Ashcroft Law Firm: 1100 Main Street, Suite 2710, Kansas City, MO 64105 – ph: 816.285.7600 – e: info@ashcroftlawfirm.com – www.ashcroftgroupllc.com/law/