craft your incident response plan (before it's too late)

Upload: co3sys

Post on 04-Apr-2018


TRANSCRIPT

  • 7/30/2019 Craft Your Incident Response Plan (Before It's Too Late)

    1/22

    2011 Co3 Systems, Inc. The information contained herein is proprietary and confidential. Page 1

    Cyber Incident Response

    Page 2

    Agenda

    Introductions

    Cyber Incident Response: the process, and tips for getting it right

    Today's reality with breaches

    CSO versus CPO

    Q&A

    Page 3

    Introductions: Todays Speakers

    Gant Redmon, GC and VP Business Development, Co3. Former CPO of Arbor Networks, Inc.; General Counsel for 12 years.

    Ellen Giblin, Privacy Counsel, Ashcroft Law Firm. Internationally recognized expert in privacy, data breach, data protection, cyber security, and information management. Privacy Counsel at Littler Mendelson P.C.; Privacy Officer for Citizens Financial Group.

    Page 5

    Cyber Incident Response Plans

    Every company should develop a written cyber incident response plan. Not only is it a good idea, some regulations require it.

    The plan should document cyber attack scenarios and define appropriate responses.

    The plan should include:
    Response team
    Reporting
    Initial response
    Investigation
    Recovery and follow-up
    Public relations
    Law enforcement

    Page 6

    Cyber Incident Response Team

    The response team should:

    Identify and classify cyber attack scenarios
    Determine the tools and technology used to detect attacks
    Develop a checklist for handling initial investigations of cyber attacks
    Determine the scope of an internal investigation once an attack has occurred
    Conduct any investigations within the determined scope
    Address data breach issues, including notification requirements
    Conduct follow-up reviews of the effectiveness of the company's response to an actual attack

    Page 7

    Discovery and Reporting of Cyber Incidents

    Define procedures for cyber attack discovery and reporting, including:
    Team members who monitor industry practices to ensure that information systems are appropriately updated and are instrumented to allow for early discovery of attacks
    A database to track all reported incidents
    A risk rating to classify all reported incidents (e.g. low, medium, or high) and facilitate the appropriate response

    Page 8

    Initial Response to a Cyber Attack

    Conduct a preliminary investigation to determine whether a cyber attack has occurred, following the investigation checklist set out in the cyber incident response plan.

    The initial response varies depending on the type of attack and level of seriousness. However, the response team should aim to:
    Stop the cyber intrusion from spreading further into the company's computer systems
    Appropriately document the investigation

    Page 9

    Investigating a Cyber Attack

    A formal internal investigation may be required depending on the level of intrusion and its impact on critical business functions.

    An internal investigation allows the company to:
    Fully understand the intrusion
    Improve its chances of identifying the attacker
    Detect previously unknown security vulnerabilities
    Identify required improvements to IT systems

    If the company's response team or IT department lacks the capacity or expertise to conduct an internal investigation, the company may wish to retain:
    Legal counsel
    A cyber security consultant

    Page 10

    Common Cyber Attack Scenarios

    Cyber attacks often fall into one or more common scenarios. Anticipate and prepare for these common scenarios in advance, and provide preliminary investigatory questions for each.

    Obtaining fast and accurate answers to these questions helps shape and expedite the investigation.

    Page 11

    Recovery and Follow-Up After a Cyber Attack

    Address the recovery of IT systems by both:
    Eliminating the vulnerabilities exploited by the attacker and any other identified vulnerabilities
    Bringing the repaired systems back online

    Once systems are restored:
    Determine what improvements are needed to prevent similar incidents from recurring
    Evaluate how the response team executed the response plan

    Page 12

    The Role of the CPO in a Breach

    Understand the efforts underway by security staff to plug the gaps and restore integrity
    Realize that there may be a conflict of interest
    Know how to align and satisfy all of our organization's requirements

    Page 13

    Suggestions

    Working with Security in advance is vital; knowing where the tensions are, and what you'll do to resolve them, is key to success
    Early triage is critical to determining if personal information (PI) has been exposed
    Establish executive support in advance of a breach for anything that may look contentious
    Have a clear process that coordinates activities across multiple groups to ensure an efficient organizational response
    Conduct dry runs, simulations or tabletops; they will illuminate where there are potential issues. Make sure to test out multiple scenarios

    Page 14

    Security and Privacy: the Yin and the Yang

    The slide is a diagram. Cyber incidents (cyber breach, DDoS, malware, etc.) drive a CISO-driven response; when PII is exposed, a CPO-driven response is triggered as well, and the two run as a combined response.

    IT/Security: protect the integrity and continuity of business operations
    Privacy: protect customers and employees
    Aligning objectives

    Page 15

    5 Rules for Working With Your CSO

    Rule #1: Know Your History
    The modern-day CSO has been around about the same amount of time as the CPO
    The CPO title came about in the mid to late 90s with the advent of GLB (Gramm-Leach-Bliley) and HIPAA
    The CSO title (as opposed to the CISO title) arose after 9/11 with the increased focus on security
    The CPO role weakened following 9/11 but has strengthened as personal information becomes the basis of corporate value

    Page 16

    5 Rules for Working With Your CSO

    Rule #2: Accept Your Co-Dependence
    Privacy and Security are intertwined. You can have security without privacy, but you can't have privacy without security
    You can promise not to share information, but that doesn't do much good if any hacker can just steal it
    There's no responding to a data breach if you don't know about it or you can't identify what information has been accessed
    IT is generally the real first responder. They are the ER triage of data breach response

    Page 17

    5 Rules for Working With Your CSO

    Rule #3: Empathize with Your CSO
    CSOs stockpile data. CPOs are minimalists. Show your CSO the advantages of cleaning house:
    Data retention policy compliance
    eDiscovery advantages
    Less exposure if a breach occurs, because there is less sensitive data available

    Follow the Data
    The CSO knows the flow of data within the organization. You need to work with the CSO to understand this flow and do your job
    Once you understand the flow of data, you can compare it to the business process that drives that flow
    With an understanding of the flow of data and the business process, you can make suggestions that take into consideration the value proposition of the use of customer data
    Many companies see the role of CPO as driving internal process improvement

    Privacy can be an unnatural act for the CSO
    The CSO is charged with protecting the perimeter
    The CPO may be asking the CSO for holes below the waterline in the perimeter for purposes of information owner inspection and verification

    Page 18

    5 Rules for Working With Your CSO

    Rule #4: Stop Talking Privacy
    Privacy is a loaded word. It's like saying "conservative" or "liberal". Use a word your CSO and others can rally around.
    Call it Information Governance
    Information governance encompasses information management, security, use, and data strategy
    Information governance can refer to a lifecycle: how we create information, how we keep it safe, secure and accessible during its lifecycle, and how we thoughtfully dispose of it
    Information governance rings true with the legal department
    It can refer to data retention and eDiscovery
    It positions you as a bridge between the GC and the CSO
    GCs didn't go to law school because of their engineering prowess. Give them a hand

    Page 19

    5 Rules for Working With Your CSO

    Rule #5: Keep Your Head Out of the Boat
    A CSO's role is largely inward looking. They must protect corporate assets and keep the system running
    The CPO's role is outward facing because they act as the customers' and employees' advocate within the company
    Customer/client advocacy translates to corporate revenue. Ask yourself what other department uses this argument to drive change within your organization
    The CPO must be business savvy and navigate the conflicting interests of business needs, customer expectations and legal requirements
    If the CPO can prove him or herself to be an ally with management in the balancing of concerns, then that CPO will be embraced by those above
    If the CPO is embraced by the management team, the CPO is more likely to have a good working relationship with the CSO

    Page 20

    5 Rules for Working With Your CSO

    Bonus Rule #6: Embrace Technology to Improve Processes and Efficiency
    CSOs make their career out of using software to improve process; conversations will go well if you speak their language
    CSOs can use software for breach triage as well as for escalating events to the CPO
    Using software to diagnose an event makes the outcome and action plan both objective and quantifiable. These are traits valued by both the GC and the CSO
    Build a dashboard. CSOs love them as a way to stay in the loop and remain part of an incident response
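    The incident-tracking database and low/medium/high risk rating from the discovery-and-reporting slide, the CISO-driven versus combined CPO response from the yin-and-yang slide, and the breach-triage, escalation and dashboard software of this bonus rule, worked through as one added Python example. This is not Co3's product and not code from the deck. The rating thresholds, the responder roles (CISO, CPO, GC), the rule that an undetermined personal-information status is handled as exposed until early triage rules it out, and the three sample incidents are all assumptions made for illustration.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

RATINGS = ("low", "medium", "high")


@dataclass
class Incident:
    incident_id: str
    kind: str                    # "breach", "ddos", "malware", ... (the deck's examples)
    systems_affected: int
    business_critical: bool      # an impacted critical business function
    pii_exposed: Optional[bool]  # None: early triage has not yet settled the question
    records_at_risk: int = 0


def rate_incident(inc: Incident) -> str:
    """Low/medium/high rating. Thresholds are assumptions, not the deck's."""
    # Undetermined PII exposure is rated as if exposed until triage rules it out.
    pii = inc.pii_exposed is not False
    if (pii and inc.records_at_risk >= 500) or (inc.business_critical and inc.systems_affected > 1):
        return "high"
    if pii or inc.business_critical or inc.systems_affected > 1:
        return "medium"
    return "low"


def route_response(inc: Incident) -> list:
    """CISO-driven by default; the CPO joins when PII is (or may be) exposed."""
    team = ["CISO"]
    if inc.pii_exposed is not False:
        team.append("CPO")
    if rate_incident(inc) == "high":
        team.append("GC")  # assumption: counsel is pulled in on high-rated incidents
    return team


def open_incident_db() -> sqlite3.Connection:
    """The 'database to track all reported incidents', as an in-memory SQLite table."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE incidents (
        incident_id TEXT PRIMARY KEY, kind TEXT, systems_affected INTEGER,
        business_critical INTEGER, pii_exposed INTEGER, records_at_risk INTEGER,
        rating TEXT, responders TEXT, status TEXT)""")
    return db


def report_incident(db: sqlite3.Connection, inc: Incident) -> dict:
    """Record a newly reported incident with its initial rating and responders."""
    rating, team = rate_incident(inc), route_response(inc)
    db.execute("INSERT INTO incidents VALUES (?,?,?,?,?,?,?,?,?)", (
        inc.incident_id, inc.kind, inc.systems_affected, int(inc.business_critical),
        None if inc.pii_exposed is None else int(inc.pii_exposed),
        inc.records_at_risk, rating, ",".join(team), "open"))
    return {"incident_id": inc.incident_id, "rating": rating, "responders": team}


def update_triage(db: sqlite3.Connection, incident_id: str, pii_exposed: bool, records_at_risk: int) -> dict:
    """Re-rate and re-route once early triage has determined whether PI was exposed."""
    row = db.execute("SELECT kind, systems_affected, business_critical FROM incidents "
                     "WHERE incident_id = ?", (incident_id,)).fetchone()
    if row is None:
        raise KeyError(incident_id)
    inc = Incident(incident_id, row[0], row[1], bool(row[2]), pii_exposed, records_at_risk)
    rating, team = rate_incident(inc), route_response(inc)
    db.execute("UPDATE incidents SET pii_exposed = ?, records_at_risk = ?, rating = ?, responders = ? "
               "WHERE incident_id = ?", (int(pii_exposed), records_at_risk, rating, ",".join(team), incident_id))
    return {"incident_id": incident_id, "rating": rating, "responders": team}


def dashboard(db: sqlite3.Connection) -> dict:
    """Open incidents by rating, and which ones currently have the CPO engaged."""
    by_rating = dict.fromkeys(RATINGS, 0)
    for rating, n in db.execute("SELECT rating, COUNT(*) FROM incidents WHERE status = 'open' GROUP BY rating"):
        by_rating[rating] = n
    cpo = [r[0] for r in db.execute("SELECT incident_id FROM incidents WHERE status = 'open' "
                                    "AND responders LIKE '%CPO%' ORDER BY incident_id")]
    return {"open_by_rating": by_rating, "cpo_engaged": cpo}


# Constructed sample incidents; none of these come from the deck.
SAMPLE = [
    Incident("INC-001", "ddos", systems_affected=1, business_critical=True, pii_exposed=False),
    Incident("INC-002", "malware", systems_affected=3, business_critical=False, pii_exposed=None),
    Incident("INC-003", "breach", systems_affected=1, business_critical=False, pii_exposed=True,
             records_at_risk=12000),
]


def run_demo() -> dict:
    db = open_incident_db()
    for inc in SAMPLE:
        report_incident(db, inc)
    # Triage finds the malware hosts held no PI: INC-002 stays medium (three systems) but the CPO drops off.
    update_triage(db, "INC-002", pii_exposed=False, records_at_risk=0)
    return dashboard(db)


if __name__ == "__main__":
    print(run_demo())
```

    The point of the `None` state on `pii_exposed` is the edge case the deck keeps returning to: until triage has answered the personal-information question, the incident is routed to the CPO as well as the CISO, and only a definite "no" takes the CPO off the response. Everything the dashboard shows is derived from the stored rating and responder list, so the escalation decision is recorded alongside the incident rather than living in someone's inbox.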

    Page 21

    Questions

    Page 22

    Thanks!

    Gartner: "Co3 define(s) what software packages for privacy look like."

    1 Alewife Center, Suite 450, Cambridge, MA 02140
    ph: 617.206.3900
    e: [email protected]
    www.co3sys.com

    1100 Main Street, Suite 2710, Kansas City, MO 64105
    ph: 816.285.7600
    e: [email protected]
    www.ashcroftgroupllc.com/law/