© 2017 Cisco and/or its affiliates. All rights reserved. Cisco … · Incident Response team...
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Strengthen Your Readiness and Response to Attacks
Cisco Incident Response Services
Peter Watson, Cisco Head of Security Services APJC
27th March 2018
Security is Fundamental to Digitization
• 2 in 5 executives say privacy and security restrict their IoT investment
• 39%: “My organization halted a mission-critical initiative due to cybersecurity concerns.”
• 71%: “Cybersecurity risks and threats hinder innovation in my organization.”
“Innovations are moving forward, but probably at 70%-80% of what they otherwise could if there were better tools to deal with the dark cloud of cybersecurity threats.” (Airline Industry CFO)
Slower Response = Greater Risk
• 66% of breaches took months or even years to discover
• 60% of breaches have data exfiltrated in the first 24 hours
• 60,000: number of alerts hackers set off at a global retailer
• 184: median number of days advanced attackers are present before detection
27
• 33% of organizations discover breaches through their own monitoring
Is Our Security Posture Effective?
(Chart: Threat plotted against Time, showing Time to Detect and Time to Respond)
Upfront Reality
• You will get breached
• Prevention is not a silver bullet
• Detection is an absolute must
• Speed to discovery and containment are critical
• Intel isn’t just for spies anymore
Detect
Cyber Security Monitoring
Focus on the anomalies
PROTECTING CISCO: THE ENVIRONMENT
‐ Each presents its own specific set of security challenges that needs to be dealt with.
‐ Security events cross multiple boxes.
• Users: 138,771
• Vendor orgs: 2,690
• Admin accounts: 4,474
• Service accounts: 13,096
• Data centers: 13
• Offices: 600
• Countries: 102
• Cities: 343
• Extranet partners: 318
• CSP: 296
• Acquisitions: 8 (avg/yr)
• Endpoints: 127,454
• Mobiles: 73,162
• Infra devices: 194,875
• Business groups: 13,899
• Labs: 2,370
• 83,782 · 43,672 (unlabelled figures on the slide)
TALOS – Unmatched Visibility, Research, and Analytics
• Threats across the Internet; threats inside your network
• Hundreds of thousands of customers
• Tens of millions of users
• 7.3T threats blocked annually
• 250 threat researchers
• Hundreds of threat analytic engines
The Reverse Pyramid (from The Internet down to Cisco Assets)
Threat Defense – Threats Prevented / Quarter (Prevention):
• DNS RPZ: 1,558,649,099
• BGP Blackhole: 39,778,560
• WSA: 242,805,292
• ESA: 229,012,330
• AntiVirus: 25,802,498
• HIPS: 3,364,087
• EndPoint AMP: 20,529
• Umbrella: 421,000,000
Managed Incidents / Quarter (Detection, CSIRT): 1,978
Response
Why Incident Response?
• Enhances security status with regulators
• Provides protection when it’s needed most
• Drives cross-architectural and organizational integration
• Lets you quickly react and respond to security incidents
Every customer should have an Incident Response Plan
Open The Door
Response Playbook: operationalizing and optimizing
playbook |ˈplāˌbŏk| (noun)
A prescriptive collection of repeatable queries (reports) against security event data sources that lead to incident detection and response.
Inventory of Controls
Security as a Service
Controls Store
• Leverage existing investments
• Always have untapped features
• Control adoption as well as threat metrics
• Security posture against required goals
• Shift focus from risk to compliance
“More than a risk register”
Leverage Automation
• Understanding the environment
• Testing, validation, applying a fix
• Filtering out data and helping identify what to look at
• Enable knowledge share and continuous investigations
• Update architecture templates and operational processes
• Tuning the plays and giving recommendations
AI and machine learning fail when treated as “magic” instead of as part of a larger solution.
Incident Response team members have to have the skills to determine if events are true or false positives, and tune as necessary.
IR Evolution & Maturity
Maturity Level: Ad-hoc, Maturing, Strategic (five stages: As Needed, Part-Time, Dedicated, Full-Time, SOC/IR + Fusion)
CMM Equivalent: Initial, Repeatable, Defined, Managed, Optimized

Existing IR Capabilities by stage:

As Needed (CMM: Initial)
• People: 0-1
• Process: Chaotic and relying on individual heroics; reactive
• Technology: AV, Firewalls, IDS/IPS

Part-Time (CMM: Repeatable)
• People: 1-3
• Process: General purpose run-book; tribal knowledge
• Technology: SIEM, Sandboxing

Dedicated (CMM: Defined)
• People: 2-5; specialization; formal roles
• Process: Situational run books; some consistency; email-based processes
• Technology: Continuous Monitoring, Endpoint Forensics, Tactical Intelligence

Full-Time (CMM: Managed)
• People: ~10; shifts (possible 24x7)
• Process: Requirements and workflows documented as standard business process; some improvement over time; process is measured via metrics; minimal threat sharing; shift turnover; SLAs
• Technology: Malware Analysis, Additional Intelligence, IT Operations Integration

SOC/IR + Fusion (CMM: Optimized)
• People: 15+; Intel, SOC, and IR teams
• Process: Processes are constantly improved and optimized; broad threat sharing; hunt teams
• Technology: Intel+IR drives the security program; Strategic Intelligence; coordination with Physical Security/Intelligence
Cisco Incident Response Services
• “I need a plan for when a data breach occurs”: IR Tabletop Exercises
• “I want to know I have a team standing by”: Incident Response Retainers
• “I need help now”: Emergency Incident Response
• “I need to know what is in my network”: Proactive Threat Hunting
• “I need to know if I can respond appropriately”: IR Readiness Assessments
Included in the IR Retainers
Final Thoughts
• Invest in Intel & IR; it can be measured, evolved, and simplified.
• Intel is more than a nice-to-have; it is a requirement.
• Think beyond IT; partnerships are critical to success. Educate and form alliances in the business and externally (e.g. local Law Enforcement office, competitors, colleges).
• Communicate findings back into other functions; defense is a team sport.
• Reward your teams!