Heureka Webinar - Increase Resilience and Reduce the Impact of a Breach
TRANSCRIPT
“Begin with the end in mind.” ~Stephen Covey
“You couldn't know what you didn't know, but now you know.” ~Yogi Berra
PRESENTERS
Nate Latessa, Heureka Chief Operating Officer
Stephen Marchewitz, VP Client [email protected]
HEUREKA OVERVIEW
Heureka Meaning: “I’ve found it!”
Heureka was formed to allow clients to search and respond quickly to discovery, security, compliance and free-form investigation needs.
WHY?
There is a need for quick information regarding:
• Breach
• Lawsuit
• HR Issues
• BSA Licensing Inquiry
• Process Change
• Lack of Planning
• Excessive failed logins undetected
• Unpatched Endpoints
• Forced to classify data
• Unknown what's in the cloud
• Unknown IOC's
• Intellectual Property Loss
• Failed Audit
• Proof of compliance
HOW?
• Endpoint Intelligence
• Viewed via the search and correlation platform
• Numerous workflows
– eDiscovery
– Data Classification
– Incident and Indicator Response
– Audit and Compliance
– Free Form Investigation
YOU CAN’T STOP A BREACH
Overview
• Security’s Strategic Change
• Resilience
• Reducing the Impact
• Reverse Engineering Your Plan of Action
“Enterprises have long over-spent on prevention and under-spent on detection and response.” --Gartner
SPENDING ALL YOUR MONEY ON PROTECTION IS FAILING
Verizon breach report shows:
– 80% rated as simple attacks
– ⅔ were active for months before being discovered
PHASES OF A BREACH
BEFORE
• Controls
• Hardening
• Enforcement
DURING
• Detect
• Block
• Defend
AFTER
• Scope
• Contain
• Remediate
SPENDING SHIFT POST-BREACH
• $$$$$$$$ BEFORE
• $$$$$ DURING
• $$$$ AFTER
A 20% increase in spending after a breach, disproportionally in forensic and investigative tools. --Ponemon
WHAT WILL IT TAKE?
• Increasing the speed and accuracy of security response actions during an attack
• Effective and adaptive plans and processes to identify and remediate security breaches after they have occurred
- SANS report 2014
IMPACT REDUCING EFFORTS
• Data Classification
• Granular Audits
• Solid Proactive Processes
• Anomaly Detection
• Policies and Procedures
• Incident Identification and Remediation
• Patching Process
NEED FOR PLANNING
• Incident Response Plan
• Data Classification Plan
• Audit Plan
• Risk Management Plan
• Business Impact Analysis
• Business Continuity Plan
• Patch Plan
– And everything must be a process!
YET PLANS TAKE TIME AND RESOURCES
• Again, after a breach, spending only goes up 20%.
Corporations (on average) have:
• No patience (yet lack speed)
• Not enough resources (yet incomplete planning)
Starting with a conceptual plan doesn’t work (easily) in practice.
THE FIVE KEYS TO REVERSE ENGINEERING
1. Determine, at the most basic level, what happened (or could happen), what you have, and where it is (i.e. malware, data, files, systems, network traffic, etc.).
2. Define the problem
3. Identify as many steps as possible that are required to resolve the issue.
4. Define the tools and resources needed to get the job done.
5. Create the policies and procedures based on those steps and resources.
BENEFITS OF REVERSE ENGINEERING
• Starting with a blank canvas is too difficult
• Systematically identifies areas to improve
• Provides a baseline for making changes and testing them
• Helps assess performance and provides a basis for making improvements
IDEAL INCIDENT RESPONSE
Goals
• Risks and Impacts
• Classify
Plan
• Policies
• Procedures
Discover
• Scope
• Validate
Contain
• Prioritize
• Group
Eradicate
• Correlate
• Cleanse
Recover
• Resolve Collateral Issues
• Improve
REVERSE ENGINEERED IR
Discover
• Scope
• Validate
Contain
• Prioritize
• Group
Eradicate
• Correlate
• Cleanse
Recover
• Resolve Collateral Issues
• Improve
Goals
• Risks and Impacts
• Classify
Plan
• Policies
• Procedures
DISCOVERY IS KEY
What do we have? Where is it? Who owns it?
What’s happening now? Where should we start?
This is critical for many issues:
• Incident Response
• Compliance
• Data Classification
• Intellectual Property Loss
• Lawsuits
• Etc.
SUMMARY
• You’re breached
• Ensure you ‘know what you know.’
• The ideal doesn’t work in practice
• Begin with the end in mind – Resilience is key
• Have your tools and processes reflect this fact
• Start from where you are to reduce impact and collateral risk issues