© 2017 Cisco and/or its affiliates. All rights reserved. Cisco … · Incident Response team...

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Transcript of © 2017 Cisco and/or its affiliates. All rights reserved. Cisco … · Incident Response team...

Page 1: © 2017 Cisco and/or its affiliates. All rights reserved. Cisco … · Incident Response team members have to have the skills to determine if events ... when a data breach occurs


Page 2:

Peter Watson

Cisco Head of Security Services APJC, 27th March 2018

Strengthen Your Readiness and Response to Attacks

Cisco Incident Response Services

Page 3:


Security is Fundamental to Digitization

• 2 in 5 executives say privacy and security restrict their IoT investment

• 39%: “My organization halted a mission-critical initiative due to cybersecurity concerns.”

• 71%: “Cybersecurity risks and threats hinder innovation in my organization.”

“Innovations are moving forward, but probably at 70%-80% of what they otherwise could if there were better tools to deal with the dark cloud of cybersecurity threats.” – Airline Industry CFO

Page 4:


Slower Response = Greater Risk

• 66% of breaches took months or even years to discover

• 60% of breaches have data exfiltrated in the first 24 hours

• 60,000: number of alerts hackers set off at a Global Retailer

• 184: median number of days advanced attackers are present before detection

• 33% of organizations discover breaches through their own monitoring

Page 5:


Is Our Security Posture Effective?

[Chart: Threat, Detection and Response plotted against Time; Time to Detect, Time to Respond]

Page 6:


Upfront Reality

• You will get breached
• Prevention is not a silver bullet
• Detection is an absolute must
• Speed to discovery and containment are critical
• Intel isn’t just for spies anymore

Page 7:


Detect

Page 9:


Protecting Cisco: The Environment

‐ Each presents its own specific set of security challenges that needs to be dealt with.

‐ Security events cross multiple boxes.

• Users: 138,771
• Vendor orgs: 2690
• Admin accounts: 4474
• Service accounts: 13,096
• Data centers: 13
• Offices: 600
• Countries: 102
• Cities: 343
• Extranet partners: 318
• CSP: 296
• Acquisitions: 8 (avg/yr)
• Endpoints: 127,454
• Mobiles: 73,162
• Infra devices: 194,875
• Business groups: 13,899
• Labs: 2370
• 83,782 / 43,672

Page 10:


TALOS – Unmatched Visibility, Research, and Analytics

Threats Across the Internet / Threats Inside your Network

• Hundreds of Thousands of Customers
• 7.3T Threats Blocked Annually
• 250 Threat Researchers
• Tens of Millions of Users
• Hundreds of Threat Analytic Engines

Page 11:


Threat Defense: The Internet / Cisco Assets

Prevention: Threats Prevented / Quarter, by control

• DNS RPZ
• BGP Blackhole
• WSA
• ESA
• AntiVirus
• HIPS
• EndPoint AMP

Figures as shown on the slide: 1,558,649,099; 39,778,560; 242,805,292; 229,012,330; 25,802,498; 3,364,087; 20,529

Umbrella: 421,000,000

Detection: Managed Incidents / Quarter (CSIRT): 1,978

The reverse pyramid

Page 12:


Response

Page 13:


Why Incident Response?

• Enhance security status with regulators
• Provides protection when it's needed most
• Drives cross-architectural and organizational integration
• Quickly react and respond to security incidents

Every customer should have an Incident Response Plan

Open The Door

Page 14:


Response Playbook

Operationalizing and optimizing

playbook |ˈplāˌbŏk| (noun)

A prescriptive collection of repeatable queries (reports) against security event data sources that lead to incident detection and response.

Page 15:


Inventory of Controls

Security as a Service

Controls Store

• Leverage existing investments
• Always have untapped features
• Control adoption as well as threat metrics
• Security posture against required goals
• Shift focus from risk to compliance

“More than a risk register”

Page 16:


Leverage Automation

• Understanding the environment
• Testing, validation, applying a fix
• Filtering out data and helping identify what to look at
• Enable knowledge share and continuous investigations
• Update architecture templates and operational processes
• Tuning the plays and giving recommendations

AI and machine learning fail because it's treated as “magic” instead of as part of a larger solution

Incident Response team members have to have the skills to determine if events are true or false positives, and tune as necessary
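The playbook definition on page 14 and the tuning point above describe one working loop: repeatable queries (plays) run against event data, with analysts suppressing findings they have triaged as false positives and tracking how often each play fires. The following is an added Python example of that loop; it is not Cisco's code, and the event records, play names, the `svc-backup` allowlist entry and the blocklisted domain are all constructed for the example.

```python
"""Playbook as the slide defines it: repeatable queries (plays) over security event
data, plus an analyst tuning step that suppresses known false positives. Added example."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable
# Constructed sample events from an imagined auth log and DNS log (not real data).
SAMPLE_EVENTS = [
    {"type": "auth", "user": "alice", "result": "fail", "src": "10.0.0.5"},
    {"type": "auth", "user": "alice", "result": "fail", "src": "10.0.0.5"},
    {"type": "auth", "user": "alice", "result": "fail", "src": "10.0.0.5"},
    {"type": "auth", "user": "svc-backup", "result": "fail", "src": "10.0.0.9"},
    {"type": "auth", "user": "svc-backup", "result": "fail", "src": "10.0.0.9"},
    {"type": "auth", "user": "svc-backup", "result": "fail", "src": "10.0.0.9"},
    {"type": "dns", "user": "bob", "qname": "updates.example.net", "src": "10.0.0.7"},
    {"type": "dns", "user": "bob", "qname": "evil.example.org", "src": "10.0.0.7"},
]

@dataclass
class Play:
    name: str
    query: Callable[[list], list]                 # the repeatable query (report)
    allowlist: set = field(default_factory=set)   # analyst tuning: known false positives

    def run(self, events):
        hits = self.query(events)
        kept = [h for h in hits if h["key"] not in self.allowlist]
        return {"hits": len(hits), "suppressed": len(hits) - len(kept), "findings": kept}

def failed_logins(events, threshold=3):
    """Play: the same user+source failing authentication at least `threshold` times."""
    c = Counter((e["user"], e["src"]) for e in events
                if e["type"] == "auth" and e["result"] == "fail")
    return [{"key": u, "src": s, "count": n}
            for (u, s), n in c.items() if n >= threshold]

DNS_BLOCKLIST = {"evil.example.org"}  # constructed placeholder, not a real indicator
def dns_blocklist(events):
    """Play: any DNS query for a name on the blocklist."""
    return [{"key": e["qname"], "src": e["src"]} for e in events
            if e["type"] == "dns" and e["qname"] in DNS_BLOCKLIST]

# After triage found svc-backup's failures to be a misconfigured job (a false
# positive), the analyst tuned the play with an allowlist rather than disabling it.
PLAYBOOK = [Play("brute-force-auth", failed_logins, allowlist={"svc-backup"}),
            Play("dns-blocklist-hit", dns_blocklist)]

def run_playbook(events, playbook=PLAYBOOK):
    # Per-play hit and suppressed counts double as the tuning metrics for the play.
    return {p.name: p.run(events) for p in playbook}
```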

Page 17:


IR Evolution & Maturity

Maturity Level: Ad-hoc, Maturing, Strategic

As Needed, Dedicated Part-Time, Full-Time, SOC/IR + Fusion

CMM Equivalent: Initial, Repeatable, Defined, Managed, Optimized

Existing IR Capabilities (each row lists items left to right in order of increasing maturity, from Ad-hoc to Strategic)

People
• 0-1
• 1-3
• Specialization; 2-5; formal roles
• ~10; shifts (possible 24x7)
• 15+; Intel, SOC, and IR teams

Process
• Chaotic and relying on individual heroics; reactive
• General-purpose run-book
• Tribal knowledge
• Situational run books; some consistency
• Email-based processes
• Requirements and workflows documented as standard business process
• Some improvement over time
• Process is measured via metrics
• Minimal threat sharing
• Shift turnover; SLAs
• Processes are constantly improved and optimized
• Broad threat sharing
• Hunt teams

Technology
• AV; Firewalls; IDS/IPS
• SIEM; Sandboxing
• Continuous Monitoring
• Endpoint Forensics; Tactical Intelligence
• Malware Analysis; Additional Intelligence; IT Operations Integration
• Intel+IR drives the security program
• Strategic Intelligence
• Coordination with Physical Security/Intelligence

Page 18:


Cisco Incident Response Services

• I need a plan for when a data breach occurs: IR Tabletop Exercises
• I want to know I have a team standing by: Incident Response Retainers
• I need help now: Emergency Incident Response
• I need to know what is in my network: Proactive Threat Hunting
• I need to know if I can respond appropriately: IR Readiness Assessments

Included in the IR Retainers

Page 19:


Final Thoughts

• Invest in Intel & IR; it can be measured, evolved, and simplified.
• Intel is more than a nice-to-have; it is a requirement.
• Think beyond IT; partnerships are critical to success. Educate and form alliances in the business and externally (e.g. local Law Enforcement office, competitors, colleges).
• Communicate findings back into other functions; defense is a team sport.
• Reward your teams!
