Incident Handling in a BYOD Environment
TRANSCRIPT
Incidents Happen! Management in a BYOD Environment
Presented to: CENIC Conference, March 22, 2017
The Naval Postgraduate School
Graduate School of Operational and Information Sciences
Graduate School of Engineering and Applied Sciences
Graduate School of Business and Public Policy
School of International Graduate Studies
Enrollment: 2,600 students representing 40 countries
Mission
To provide technology and communications support for the NPS core mission of teaching, research, and service to the Navy and Department of Defense.
To provide voice, video, and data infrastructure as mission-crucial enablers of innovation and experimentation within the educational enterprise.
Network Upgrade
• Every router and switch at NPS upgraded
• Edge router now connected to CENIC at 100GigE
• Core and BDFs upgraded to 160GigE and 80GigE, respectively
• Select edge ports connected with 20GigE
  – High Performance Computing
  – Select research labs
• NPS Network
  – Allows NPS to take full advantage of the 100GigE CENIC backbone
  – Supports high-speed switch fabrics
  – Provides the backbone infrastructure for Software Defined Networking
NPS Wireless
• New Ruckus network has 360 Access Points with faster 802.11ac radios
• Replaced ~200 old APs from various technologies
• Improved campus coverage, including strategic outdoor locations, with faster speeds
• New onboarding features with simplified administration options
Educational Technologies
• Labs/Classrooms
  – 141 classrooms/labs/conference rooms
    • 87 classrooms
    • 13 labs
    • 5 auditoria
    • 7 VTE suites
    • 17 conference rooms
  – Classrooms include:
    • Audio visual equipment: projectors and audio equipment
    • Faculty podium: desktop computer with access
High Performance Computing
“Hamming” Supercomputer
• Over 100 servers in 8 cabinets
• Over 4,600 CPU “cores” tied together by a fast network
• Over 3 Petabytes of disk storage (= 3,000 Terabytes)
• Scientific computation (number-crunching): weather/ice forecasting, turbopropulsion models, earthquake prediction
• “Big Data”: searching for text and imagery in huge datasets; think of “Google Search” applied to DoD interests. $1M grant in FY15 for hardware procurement
• Used for teaching as well as research
• Instrumental in recruiting faculty
• 100 Gigabit/s network: will allow us to move large datasets to/from collaborators
Cloud Initiatives
• MS Office 365
  – Exchange Online
  – SharePoint Online
  – Skype for Business
• Box storage
  – Unlimited file storage
• Amazon Web Services
  – Infrastructure-as-a-Service
  – ITACS backups, web development and operations
Incident Handling
Naval Postgraduate School
Cybersecurity Organization (org chart; boxes as extracted)
Director of Cybersecurity / DLI Cybersecurity Team: Compliance, Prevention, Detection, Response; Internal & External Monitoring, Audit & Reporting
Roles shown: Director; SOC Manager; Sr. Incident Handler; Jr. Incident Handler; Sr. Cyber Analyst (3); Jr. Cyber Analyst (3); End Point Protection; Scanning / Compliance; CS Plans / Projects; ISSM – DREN & Higher; ISSM – EDU
External relationships: NCIS | SSO/Security Manager | Command IG | IT Task Force | FLTCYBERCOM | NCDOC | HPCMP CND | SPAWAR CA
Technology

Function              Device
SIEM                  AlienVault
Firewall              PA-7050
IDS (1)               HPCMP, NCDOC, Snort
Network Access        802.1x, SafeConnect
A/V                   SEP, PA-7050, Wildfire
Web                   PA-7050
Mail                  Barracuda
Scanning              ACAS (Nessus), Netsparker
Endpoint management   LANDESK / WSUS / Puppet
EMM (2)               Airwatch
2FA (2)               Duo Security

(1) Both the High Performance Computing Management Program Office and Navy Cyber Defense Operations Command have sensors on the NPS EDU Network; additionally, NPS contracts for internal CND services that use Snort.
(2) Pending deployment
Processes
• Documentation of incident handling / response standard operating procedures.
• Templates and workflow / task management of incident handling actions.
• Real-time collaboration between team members during significant cyber events.
Incident Handling - the Basics
• Step-by-step Incident Handling (IH) process
• Quick reference for IH personnel to perform duties
• Template / automate as much as possible
• Historical record
  – Document, document, document
  – Have we seen something similar before?
  – Did the adversary modify their TTPs?
• Facilitate reporting and trend analysis
A Few More Basics
• Handlers should have as much access as required to take immediate action
  – Remove phish / spearphish from user’s inbox
  – Blacklist IP and / or domain
  – Disable account
  – Block device from accessing network
• But know contact info for technical SMEs if required
  – Email
  – DNS
  – Firewall
  – Routers
Incident Handling Step-by-Step
1. Identify
2. Contain
3. Neutralize
4. Recover / Report
5. Document / Assess
NIST SP 800-61 Rev 2
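A worked illustration of the "template / automate" and "historical record" ideas behind these five steps, added here as example code (not NPS's JIRA workflow or any code from the presentation): a minimal ticket that enforces the step order and a lookup that answers "have we seen something similar before?" and "did the adversary modify their TTPs?" against past tickets. The field names and the sample history are constructed for the example; the indicators are placeholders, not real IoCs.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The five steps from the slide, in the order a handler must complete them.
STEPS = ("Identify", "Contain", "Neutralize", "Recover / Report", "Document / Assess")

@dataclass
class Incident:
    """One ticket. Field names are constructed for this example, not NPS's JIRA schema."""
    summary: str
    indicators: frozenset          # IPs, domains or sender addresses observed
    ttps: frozenset = frozenset()  # adversary techniques observed, e.g. "phish"
    log: list = field(default_factory=list)  # (UTC timestamp, step, note): the record

    @property
    def completed(self) -> int:
        return len(self.log)

    def complete(self, step: str, note: str) -> None:
        """Record a step; refuses to skip ahead or repeat so the record stays ordered."""
        expected = STEPS[self.completed] if self.completed < len(STEPS) else None
        if step != expected:
            raise ValueError(f"expected {expected!r}, got {step!r}")
        self.log.append((datetime.now(timezone.utc).isoformat(), step, note))

    def closed(self) -> bool:
        return self.completed == len(STEPS)

def similar_incidents(new: Incident, history: list) -> list:
    """Answer 'have we seen something similar before?' and 'did the adversary modify
    their TTPs?': (summary, shared indicators, TTPs dropped, TTPs added) per old match."""
    matches = []
    for old in history:
        shared = new.indicators & old.indicators
        if shared:
            matches.append((old.summary, shared, old.ttps - new.ttps, new.ttps - old.ttps))
    return matches

# Constructed sample history (placeholder indicators, not real IoCs).
HISTORY = [
    Incident("Phish wave Jan", frozenset({"bad.example", "198.51.100.7"}), frozenset({"phish"})),
    Incident("Scan from VPN", frozenset({"203.0.113.9"}), frozenset({"port-scan"})),
]

if __name__ == "__main__":
    inc = Incident("Spearphish to faculty", frozenset({"bad.example"}), frozenset({"phish", "credential-harvest"}))
    print(similar_incidents(inc, HISTORY))
```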
Handler Morning Routine
• Provides initial situational awareness of detected / reported events
• To-do list to start the handler’s day
• Repeatable / sustainable
• Hosted on wiki -> collaborative effort
JIRA Incident Template - Example
Summary
• BYOD environment increases IH complexity
• Maximize automation and use of templates to standardize process
• Document as much as possible
• Marathon – not a sprint – Wiki / JIRA provide for collaboration and rapid, continuous changes to SOPs, etc.
• User training and reporting mechanism ([email protected]) critical
QUESTIONS?