incident handling in a byod environment

Incidents Happen! Management in a BYOD Environment Presented to: CENIC Conference March 22, 2017

TRANSCRIPT

Page 1: Incident Handling in a BYOD Environment

Incidents Happen! Management in a BYOD Environment

Presented to: CENIC Conference, March 22, 2017

Page 2

The Naval Postgraduate School

Graduate School of Operational and Information Sciences
Graduate School of Engineering and Applied Sciences
Graduate School of Business and Public Policy
School of International Graduate Studies

Enrollment: 2,600 students representing 40 countries

Page 3

Mission

To provide technology and communications support for the NPS core mission of teaching, research, and service to the Navy and Department of Defense.

To provide voice, video, and data infrastructure as mission crucial enablers of innovation and experimentation within the educational enterprise.

Page 4

Page 5

Network Upgrade

• Every router and switch at NPS upgraded
• Edge router now connected to CENIC at 100GigE
• Core and BDFs upgraded to 160GigE and 80GigE, respectively
• Select edge ports connected with 20GigE
  – High Performance Computing
  – Select research labs
• NPS Network
  – Allows NPS to take full advantage of the 100GigE CENIC backbone
  – Supports high-speed switch fabrics
  – Provides the backbone infrastructure for Software Defined Networking

Page 6

NPS Wireless

• New Ruckus network has 360 access points with faster 802.11ac radios
• Replaced ~200 old APs from various technologies
• Improved campus coverage, including strategic outdoor locations, with faster speeds
• New onboarding features with simplified administration options

Page 7

Educational Technologies

• Labs/Classrooms
  – 141 classrooms/labs/conference rooms
    • 87 classrooms
    • 13 labs
    • 5 auditoria
    • 7 VTE suites
    • 17 conference rooms
  – Classrooms include:
    • Audio visual equipment: projectors and audio equipment
    • Faculty podium: desktop computer with access

Page 8

High Performance Computing

“Hamming” Supercomputer

• Over 100 servers in 8 cabinets
• Over 4,600 CPU “cores” tied together by a fast network
• Over 3 petabytes of disk storage (= 3,000 terabytes)
• Scientific computation (number-crunching): weather/ice forecasting, turbopropulsion models, earthquake prediction
• “Big Data”: searching for text and imagery in huge datasets; think of “Google Search” applied to DoD interests. $1M grant in FY15 for hardware procurement
• Used for teaching as well as research
• Instrumental in recruiting faculty
• 100 Gigabit/s network: will allow us to move large datasets to/from collaborators

Page 9

Cloud Initiatives

• MS Office 365
  – Exchange Online
  – SharePoint Online
  – Skype for Business
• Box storage
  – Unlimited file storage
• Amazon Web Services
  – Infrastructure-as-a-Service
  – ITACS backups, web development and operations

Page 10

Incident Handling

Naval Postgraduate School

Page 11

Cybersecurity Organization

DLI Cybersecurity Team
Compliance – Prevention – Detection – Response
Internal & External Monitoring, Audit & Reporting

Positions shown on the org chart:
• Director of Cybersecurity
• SOC Manager
• Sr. Incident Handler; Jr. Incident Handler
• Sr. Cyber Analyst (three positions); Jr. Cyber Analyst (three positions)
• End Point Protection
• Scanning / Compliance
• ISSM – DREN & Higher
• ISSM – EDU
• CS Plans / Projects
• Director

Also on the chart: NCIS | SSO/Security Manager | Command IG | IT Task Force | FLTCYBERCOM | NCDOC | HPCMP CND | SPAWAR CA

Page 12

Technology

Function               Device
SIEM                   AlienVault
Firewall               PA-7050
IDS (1)                HPCMP, NCDOC, Snort
Network Access         802.1x, SafeConnect
A/V                    SEP, PA-7050, WildFire
Web                    PA-7050
Mail                   Barracuda
Scanning               ACAS (Nessus), Netsparker
Endpoint management    LANDESK / WSUS / Puppet
EMM (2)                AirWatch
2FA (2)                Duo Security

(1) Both the High Performance Computing Management Program Office and Navy Cyber Defense Operations Command have sensors on the NPS EDU network; additionally, NPS contracts for internal CND services that use Snort.
(2) Pending deployment.

Page 13

Processes

• Documentation of incident handling / response standard operating procedures.
• Templates and workflow / task management of incident handling actions.
• Real-time collaboration between team members during significant cyber events.

Page 14

Incident Handling - the Basics

• Step by step Incident Handling (IH) process
• Quick reference for IH personnel to perform duties
• Template / automate as much as possible
• Historical record
  – Document, document, document
  – Have we seen something similar before?
  – Did the adversary modify their TTPs?
• Facilitate reporting and trend analysis

Page 15

A Few More Basics

• Handlers should have as much access as required to take immediate action
  – Remove phish / spearphish from user’s inbox
  – Blacklist IP and / or domain
  – Disable account
  – Block device from accessing network
• But know contact info for technical SMEs if required
  – Email
  – DNS
  – Firewall
  – Routers

Page 16

Incident Handling Step-by-Step

1. Identify
2. Contain
3. Neutralize
4. Recover / Report
5. Document / Assess

NIST SP 800-61 Rev 2
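As an added illustration (not code from the presentation), here is a small Python sketch of the "template / automate" and "historical record" ideas from the Basics slide applied to the five phases above: a ticket object whose notes are keyed to the phases, plus a lookup over earlier tickets that share an indicator, reporting which recorded TTPs are new. Ticket ids, indicators and TTP labels are constructed placeholders, not NPS data.

```python
from dataclasses import dataclass, field

# The five phases from the slide, used as the ticket's checklist.
PHASES = ("Identify", "Contain", "Neutralize", "Recover / Report", "Document / Assess")


@dataclass
class Incident:
    ticket: str            # constructed ticket id, e.g. "IH-101"
    summary: str
    indicators: set        # domains / IPs / sender addresses seen in this incident
    ttps: set              # short tactic labels the handler recorded
    notes: dict = field(default_factory=lambda: {p: "" for p in PHASES})

    def record(self, phase, text):
        """Append a handler note under one of the five phases; other names are rejected."""
        if phase not in self.notes:
            raise ValueError(f"unknown phase {phase!r}; expected one of {PHASES}")
        self.notes[phase] = (self.notes[phase] + " " + text).strip()

    def open_phases(self):
        """Phases that still have no note: the handler's remaining to-do list."""
        return [p for p in PHASES if not self.notes[p]]


def find_similar(new, history):
    """Historical-record check: earlier incidents sharing an indicator with `new`,
    each tagged with the TTPs that are new relative to that earlier incident."""
    hits = []
    for old in history:
        shared = new.indicators & old.indicators
        if shared:
            hits.append({"ticket": old.ticket,
                         "shared": sorted(shared),
                         "new_ttps": sorted(new.ttps - old.ttps)})
    return hits


# Constructed sample history (placeholder data, not NPS records).
HISTORY = [
    Incident("IH-101", "Phish: fake payroll login page",
             {"payroll-login.example", "203.0.113.7"}, {"credential phish"}),
    Incident("IH-102", "Malware attachment in invoice email",
             {"198.51.100.9"}, {"malicious attachment"}),
]


def triage(new):
    """Return the earlier tickets a handler should re-read before acting on `new`."""
    return find_similar(new, HISTORY)
```

Calling `triage` on a new ticket that reuses an indicator from IH-101 returns that ticket together with any TTP label not seen in it before, which answers the two "historical record" questions on the slide.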

Page 17

Handler Morning Routine

• Provides initial situational awareness of detected / reported events
• To-do list to start the handler’s day
• Repeatable / sustainable
• Hosted on wiki -> collaborative effort


Page 23

JIRA Incident Template – Example

(Slides 23 through 29 carry the example template; its contents are not captured in this transcript.)

Page 30

Summary

• BYOD environment increases IH complexity
• Maximize automation and use of templates to standardize process
• Document as much as possible
• Marathon – not a sprint – Wiki / JIRA provide for collaboration and rapid, continuous changes to SOPs, etc.
• User training and reporting mechanism ([email protected]) critical

Page 31

QUESTIONS?