heureka webinar - increase resilience and reduce the impact of a breach

YOU CAN’T STOP A BREACH. NOW WHAT?!?

Upload: heureka-software

Post on 06-Aug-2015


TRANSCRIPT

YOU CAN’T STOP A BREACH.

NOW WHAT?!?

“Begin with the end in mind.”~Stephen Covey

“You couldn't know what you didn't know, but now you know.” ~Yogi Berra

PRESENTERS

Nate Latessa, Heureka Chief Operating Officer, [email protected]

Stephen Marchewitz, VP Client [email protected]

HEUREKA OVERVIEW

Heureka Meaning: “I’ve found it!”

Heureka was formed to allow clients to search and respond quickly to discovery, security, compliance and free-form investigation needs.

WHY?

There is a need for quick information regarding:

• Breach
• Lawsuit
• HR Issues
• BSA Licensing Inquiry
• Process Change
• Lack of Planning
• Excessive failed logins undetected
• Unpatched Endpoints
• Forced to classify data
• Unknown what's in the cloud
• Unknown IOCs
• Intellectual Property Loss
• Failed Audit
• Proof of compliance

HOW?

• Endpoint Intelligence

• Viewed via the search and correlation platform

• Numerous workflows:
– eDiscovery
– Data Classification
– Incident and Indicator Response
– Audit and Compliance
– Free Form Investigation

YOU CAN’T STOP A BREACH

Overview

• Security’s Strategic Change

• Resilience

• Reducing the Impact

• Reverse Engineering Your Plan of Action

“Enterprises have long over-spent on prevention and under-spent on detection and response.” --Gartner

SPENDING ALL YOUR MONEY ON PROTECTION IS FAILING

Verizon breach report shows:

– 80% RATED AS SIMPLE ATTACKS

– TWO-THIRDS WERE ACTIVE FOR MONTHS BEFORE BEING DISCOVERED.

PHASES OF A BREACH

BEFORE

• Controls • Hardening • Enforcement

DURING

• Detect • Block • Defend

AFTER

• Scope • Contain • Remediate

SPENDING BEFORE KNOWN BREACH

• BEFORE: $$$$$$$$$$

• DURING: $$$$

• AFTER: $

SPENDING SHIFT POST-BREACH

• BEFORE: $$$$$$$$

• DURING: $$$$$

• AFTER: $$$$

A 20% increase in spending after a breach, disproportionally in forensic and investigative tools. --Ponemon

WHILE WE CAN’T STOP A BREACH…

Can we realistically contain it?

You have to be RESILIENT

Patterned After Nature

WHAT WILL IT TAKE?

• Increasing the speed and accuracy of security response actions during an attack

• Effective and adaptive plans and processes to identify and remediate security breaches after they have occurred

- SANS report 2014

THE MOVE FROM PREVENTION

Respond

Detect

Prevent

IMPACT REDUCING EFFORTS

• Data Classification
• Granular Audits
• Solid Proactive Processes
• Anomaly Detection
• Policies and Procedures
• Incident Identification and Remediation
• Patching Process
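The deck lists "Anomaly Detection" and "Incident Identification" as impact-reducing efforts and, earlier, "Excessive failed logins undetected" as a need that drives them. The following is an added example, not code from the Heureka presentation or product, showing what the smallest useful version of that detection looks like: a sliding window per source address over authentication failures, flagging both a burst against one account and a spread across many accounts (password spraying). The log lines are constructed to resemble Linux sshd entries with ISO timestamps, and the thresholds and window are assumptions chosen for illustration, not values from the slides.

```python
"""Sliding-window detection of excessive failed logins.

Added example (not part of the Heureka deck). Flags a source that fails
authentication repeatedly within a short window ("burst") and a source that
fails against several distinct accounts within that window ("spray").
The log format, thresholds and sample lines below are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line shape: "<ISO timestamp> <host> sshd[<pid>]: Failed password for
# [invalid user] <user> from <ip> port <n> ssh2". Real syslog uses a different
# timestamp format; adjust the regex for your source.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

BURST_THRESHOLD = 5   # failures from one source within the window (assumption)
SPRAY_THRESHOLD = 3   # distinct accounts targeted from one source (assumption)
WINDOW_SECONDS = 60   # sliding window length (assumption)

# Constructed sample log: 10.0.0.5 hammers "admin", 10.0.0.9 tries four
# different accounts, 10.0.0.7 fails twice ten minutes apart (benign).
SAMPLE_LOG = """\
2015-08-06T09:00:00 host1 sshd[4021]: Accepted password for alice from 10.0.0.2 port 50231 ssh2
2015-08-06T09:00:01 host1 sshd[4022]: Failed password for admin from 10.0.0.5 port 50301 ssh2
2015-08-06T09:00:04 host1 sshd[4023]: Failed password for admin from 10.0.0.5 port 50302 ssh2
2015-08-06T09:00:07 host1 sshd[4024]: Failed password for admin from 10.0.0.5 port 50303 ssh2
2015-08-06T09:00:09 host1 sshd[4025]: Failed password for alice from 10.0.0.9 port 50401 ssh2
2015-08-06T09:00:10 host1 sshd[4026]: Failed password for admin from 10.0.0.5 port 50304 ssh2
2015-08-06T09:00:12 host1 sshd[4027]: Failed password for bob from 10.0.0.9 port 50402 ssh2
2015-08-06T09:00:13 host1 sshd[4028]: Failed password for admin from 10.0.0.5 port 50305 ssh2
2015-08-06T09:00:15 host1 sshd[4029]: Failed password for invalid user carol from 10.0.0.9 port 50403 ssh2
2015-08-06T09:00:16 host1 sshd[4030]: Failed password for admin from 10.0.0.5 port 50306 ssh2
2015-08-06T09:00:18 host1 sshd[4031]: Failed password for dave from 10.0.0.9 port 50404 ssh2
2015-08-06T09:00:20 host1 sshd[4032]: Failed password for bob from 10.0.0.7 port 50501 ssh2
2015-08-06T09:05:00 host1 CRON[4033]: pam_unix(cron:session): session opened for user root by (uid=0)
2015-08-06T09:10:20 host1 sshd[4034]: Failed password for bob from 10.0.0.7 port 50502 ssh2
"""


def parse_failed_login(line):
    """Return (timestamp, user, ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("ip")


def detect_failed_login_bursts(lines, burst=BURST_THRESHOLD,
                               spray=SPRAY_THRESHOLD, window=WINDOW_SECONDS):
    """Return alerts in log order, at most one per (condition, source)."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) inside the window
    alerted = set()               # (kind, ip) pairs already reported
    alerts = []
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue              # successful logins and unrelated lines are ignored
        ts, user, ip = parsed
        q = recent[ip]
        q.append((ts, user))
        # Expire events older than the window relative to the current event.
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        if len(q) >= burst and ("burst", ip) not in alerted:
            alerted.add(("burst", ip))
            alerts.append({"kind": "burst", "ip": ip, "count": len(q), "at": ts})
        users = {u for _, u in q}
        if len(users) >= spray and ("spray", ip) not in alerted:
            alerted.add(("spray", ip))
            alerts.append({"kind": "spray", "ip": ip, "users": sorted(users), "at": ts})
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_failed_login_bursts(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample above the detector raises exactly two alerts: a burst from 10.0.0.5 on its fifth failure and a spray from 10.0.0.9 once it has touched three distinct accounts; the two failures from 10.0.0.7 fall outside a single window and stay silent. The "alert once per source" set keeps a long-running attack from flooding the queue, which is the kind of noise that lets a months-long intrusion hide in plain sight. In a real deployment the per-source state lives in your SIEM or log pipeline rather than a process dictionary, and the window and thresholds are tuned against your own baseline of legitimate mistyped passwords.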

NEED FOR PLANNING

• Incident Response Plan
• Data Classification Plan
• Audit Plan
• Risk Management Plan
• Business Impact Analysis
• Business Continuity Plan
• Patch Plan
– And Everything Must be a Process!

YET PLANS TAKE TIME AND RESOURCES

• Again, after a breach, spending only goes up 20%.

Corporations (on average) have:

• No patience (yet lack speed)

• Not enough resources (yet incomplete planning)

Starting with a conceptual plan doesn’t work (easily) in practice

REVERSE ENGINEERING

It’s too difficult to forward engineer in today’s environment.


THE FIVE KEYS TO REVERSE ENGINEERING

1. Determine, at the most basic level, what happened (or could happen), what you have, and where it is (i.e. malware, data, files, systems, network traffic, etc.).

2. Define the problem

3. Identify as many steps as possible that are required to resolve the issue.

4. Define the tools and resources needed to get the job done.

5. Create the policies and procedures based on those steps and resources.

BENEFITS OF REVERSE ENGINEERING

• Starting with a blank canvas is too difficult

• Systematically identifies areas to improve

• Provides a baseline for making changes and testing them

• Helps assess performance and provides a basis for making improvements.

IDEAL INCIDENT RESPONSE

Goals: • Risks and Impacts • Classify

Plan: • Policies • Procedures

Discover: • Scope • Validate

Contain: • Prioritize • Group

Eradicate: • Correlate • Cleanse

Recover: • Resolve Collateral Issues • Improve

REVERSE ENGINEERED IR

Discover: • Scope • Validate

Contain: • Prioritize • Group

Eradicate: • Correlate • Cleanse

Recover: • Resolve Collateral Issues • Improve

Goals: • Risks and Impacts • Classify

Plan: • Policies • Procedures

DISCOVERY IS KEY

What do we have? Where is it? Who owns it?

What’s happening now? Where should we start?

This is critical for many issues:

• Incident Response
• Compliance
• Data Classification
• Intellectual Property Loss
• Lawsuits
• Etc.

SUMMARY

• You’re breached

• Ensure you ‘know what you know.’

• The ideal doesn’t work in practice

• Begin with the end in mind – Resilience is key

• Have your tools and processes reflect this fact

• Start from where you are to reduce impact and collateral risk issues

THANK YOU!

HEUREKA – I’VE FOUND IT!

www.heurekasoftware.com