Security & Risk Management Update 2017
Scandic Bygholm Park, Horsens, 1 June 2017
Incident readiness in action: the process from incident to cleanup
Kim Elgaard, 1 June 2017
What should we get out of this talk?
My goals with this talk:
  1. Give an overview of the course of a security incident, from preparation through to the final reporting and improvement proposals.
  2. Build an understanding of why incident readiness is such an important part of a company's IT security.
  3. Give concrete input on what to look at in order to be ready to handle a security incident.
Why?
  "There are two types of companies: those that know they have been hacked, and those that do not know they have been hacked. The point is that everyone has been hacked." James Comey, former director, FBI
  The volume of malware and the number of incidents grow steadily
  Cryptolocker, hacktivism and espionage have become everyday occurrences
  All sectors and industries are being, or will be, attacked
  Limited access to IT security skills and resources with the necessary training and experience
Respond & Recover
  Incident response is an organized approach to addressing and managing the aftermath of a security breach or incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.
The IT security process
  Incident response stages: Predict & Identify, Prevent & Protect, Detect, Respond & Recover
  Security capabilities (as listed on the slide): Risk Management, Vulnerability Management, Fundamental Security, Security Monitoring, Incident handling, Disaster recovery, Visibility, Analytics, Advanced Security, Threat Intelligence, Containment, Forensics
The incident response process (a cycle): Prepare, Detect, Contain, Eradicate, Recover, Improve
Preparation
  Incident response plan
  Playbook
  Setting the team: who are the players
  Training
  Backup and restore
  Tools: prepped, tuned and up to date
  Security maturity level
  Awareness in the organisation and management
Incident response: People, Technology, Process
  People: formal training, internal training, on-the-job training, tools and product training
  Technology and process elements: incident detection, forensics, log collection, network monitoring, lessons learned, preparation, identification, threat intelligence
  Inspiration: SANS SOC whitepaper
Detection / Identification
  Early detection: honeypots, malware hunting, indicators of compromise, behaviour analysis
  Involve the incident response team: first responder (Alarm!!)
  Activate the incident response plan
  Scope of the incident
  Data breach response plan
  Time IS important (MTTD, mean time to detect)
  Ransomware attack: 54% detect the incident within 1 hour, 35% within 24 hours, 11% later...
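The slide lists indicators of compromise and MTTD without showing how a team actually turns the two into a detection and a number. The following is an added example, not from the presentation: it matches a small IoC set against a handful of log lines and measures how long the compromise went undetected. The log format, the IoC values (documentation-range IP, placeholder hash, `.test` domain), the hostnames and the alert time are all constructed for the example.

```python
# Added example for the detection slide; not from the presentation.
# Matches a constructed IoC set against constructed log lines and measures
# how long the compromise went undetected (the MTTD input for one incident).
import re
from datetime import datetime, timezone

PLACEHOLDER_HASH = "d" * 64  # constructed placeholder, not a real malware hash

# Constructed IoC set keyed by the log field it applies to. Real sets come
# from threat intelligence feeds; these values are documentation/test values.
IOCS = {
    "query": {"update-check.example-bad.test"},  # DNS queries
    "dst": {"203.0.113.45"},                      # destination IPs (TEST-NET-3 range)
    "sha256": {PLACEHOLDER_HASH},                 # file hashes
}

# Constructed log lines in the form "<ISO-8601 UTC timestamp> <source> key=value ..."
SAMPLE_LOGS = [
    "2017-06-01T08:12:03Z dns host=ws042 query=intranet.corp.test",
    "2017-06-01T08:13:55Z dns host=ws042 query=update-check.example-bad.test",
    "2017-06-01T08:14:02Z proxy host=ws042 dst=203.0.113.45 bytes=48211",
    f"2017-06-01T09:40:17Z edr host=ws042 file=x.exe sha256={PLACEHOLDER_HASH}",
    "2017-06-01T10:02:44Z dns host=ws017 query=mail.corp.test",
    "this line is malformed and is skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<source>\S+)\s+(?P<rest>.*)$"
)


def parse_ts(text):
    """Parse the 'Z'-suffixed UTC timestamp used by the constructed logs."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict of the line's fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return {"ts": parse_ts(m["ts"]), "source": m["source"], **fields}


def find_ioc_hits(lines, iocs=IOCS):
    """Match every parsed line against the IoC set; return hits sorted by time."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field, values in iocs.items():
            if rec.get(field) in values:
                hits.append({
                    "ts": rec["ts"],
                    "host": rec.get("host"),
                    "source": rec["source"],
                    "field": field,
                    "value": rec[field],
                })
    return sorted(hits, key=lambda h: h["ts"])


def detection_latency_seconds(hits, detected_at):
    """Seconds between the earliest IoC hit and the moment the team was alerted
    (detected_at as an ISO-8601 'Z' string). None when there were no hits."""
    if not hits:
        return None
    return (parse_ts(detected_at) - hits[0]["ts"]).total_seconds()


if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_LOGS)
    for h in found:
        print(f'{h["ts"].isoformat()} {h["host"]} {h["source"]} {h["field"]}={h["value"]}')
    # Constructed: the alarm was raised at noon on the same day.
    secs = detection_latency_seconds(found, "2017-06-01T12:00:00Z")
    print(f"undetected for {secs / 3600:.2f} hours")
```

The first hit, not the one that triggered the alarm, is what the latency is measured from: that is the number the slide's 1-hour / 24-hour buckets are about, and it only comes out right when log collection covers the sources the IoCs apply to.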
Containment
  Minimize damage, minimize cost
  Disconnect!!!
  Need to do forensics
  Short-term
    Disconnect / isolate
    Segment
    Secure evidence
    Take off-line for forensics
  Long-term
    Update AV, sandbox and other protections
    Development / scripting: tools to address zero-days
    Remove malware
    Disable accounts
    Patch
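"Secure evidence" in the short-term list means more than copying files off the host: the team needs to be able to show later that what it analysed is what it collected. The following added example (not from the presentation) hashes each collected artefact into a chain-of-custody manifest and re-verifies the artefacts against it. The artefact files, the case id and the collector name are constructed for the demo.

```python
# Added example for the containment slide; not from the presentation.
# Secures evidence by hashing each collected artefact into a chain-of-custody
# manifest and verifying the artefacts against it later. All files, names and
# the case id below are constructed for the demo.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large disk images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths, case_id, collected_by, note=""):
    """Record who collected what, when, and the hash that proves it is unchanged."""
    artefacts = [
        {"name": os.path.basename(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
        for p in paths
    ]
    return {
        "case_id": case_id,
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "note": note,
        "artefacts": artefacts,
    }


def verify_manifest(manifest, directory):
    """Return {name: 'ok' | 'modified' | 'missing'} for every artefact in the manifest."""
    status = {}
    for entry in manifest["artefacts"]:
        path = os.path.join(directory, entry["name"])
        if not os.path.exists(path):
            status[entry["name"]] = "missing"
        elif sha256_file(path) != entry["sha256"]:
            status[entry["name"]] = "modified"
        else:
            status[entry["name"]] = "ok"
    return status


def demo():
    """Create constructed artefacts, write the manifest, then tamper with one file and re-verify."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        files = {
            "memory.dmp": b"\x00" * 4096,                    # constructed stand-in for a memory dump
            "ws042-disk.img": b"NTFS    " + b"\xaa" * 2048,  # constructed stand-in for a disk image
            "proxy-2017-06-01.log": b"08:14:02 ws042 203.0.113.45\n",  # constructed log extract
        }
        for name, content in files.items():
            with open(os.path.join(evidence_dir, name), "wb") as f:
                f.write(content)
        paths = [os.path.join(evidence_dir, n) for n in files]

        manifest = build_manifest(
            paths,
            case_id="IR-EXAMPLE-001",           # constructed case id
            collected_by="first responder",
            note="host isolated from network before imaging",
        )
        manifest_path = os.path.join(evidence_dir, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(manifest, f, indent=2)

        before = verify_manifest(manifest, evidence_dir)

        # Simulate an artefact altered after collection (e.g. opened by a tool that
        # writes to it) and one that went missing, then verify from the saved manifest.
        with open(os.path.join(evidence_dir, "proxy-2017-06-01.log"), "ab") as f:
            f.write(b"09:00:00 edited\n")
        os.remove(os.path.join(evidence_dir, "memory.dmp"))

        with open(manifest_path) as f:
            after = verify_manifest(json.load(f), evidence_dir)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("at collection:", before)
    print("re-verified:  ", after)
```

The manifest itself should be stored somewhere the containment actions cannot touch (write-once media or a separate case system), otherwise a modified artefact and a re-generated manifest are indistinguishable from the originals.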
Eradication
  When possible: reimage
  Replace the disk to preserve evidence
Recovery
  Backup is key, especially in the case of ransomware
    Be SURE that your backup is working
    Is your backup clean?
  Speed and prioritization are important
    Rapid restoration of production facilities to minimize loss
  Monitoring of all involved systems
    How to test and verify that the compromised systems are clean and fully functional
    The tools to test, monitor and validate system behaviour
    The duration of extended monitoring to observe for abnormal behaviour
  Change passwords, enable extra logging
  Some of the important decisions to make during this phase are:
    Time and date to restore operations: it is vital to have the system operators/owners make the final decision based upon the advice of the IRT
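"Is your backup clean?" is the question that decides whether a ransomware recovery succeeds or restores the problem. The following added example (not from the presentation) shows one practical check a team can run over a backup set before restoring: flag files whose bytes look encrypted (byte entropy close to 8 bits per byte, where a real document sits around 4 to 5) and files whose names look like ransom notes. The entropy threshold, the name patterns, the list of file types that are legitimately high-entropy and the sample files are all constructed for the example.

```python
# Added example for the recovery slide; not from the presentation.
# Checks whether a backup set is clean before restoring from it: flags files whose
# content looks encrypted (byte entropy close to 8 bits/byte) and files whose
# names look like ransom notes. Thresholds, name patterns and files are constructed.
import math
import os
import tempfile

HIGH_ENTROPY_BITS = 7.5  # constructed threshold; uniform random bytes score close to 8.0
COMPRESSED_OK = (".zip", ".gz", ".7z", ".png", ".jpg", ".pdf")  # types expected to be high-entropy
RANSOM_NOTE_PATTERNS = ("how_to_recover", "decrypt", "restore_files")  # constructed name patterns


def shannon_entropy(data):
    """Bits per byte of a byte string: roughly 4-5 for text, close to 8 for encrypted or random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def assess_file(path, sample_bytes=65536):
    """Judge one file from its name and the entropy of its first bytes."""
    name = os.path.basename(path)
    lower = name.lower()
    with open(path, "rb") as f:
        head = f.read(sample_bytes)
    entropy = shannon_entropy(head)
    reasons = []
    if any(p in lower for p in RANSOM_NOTE_PATTERNS):
        reasons.append("ransom-note-like filename")
    if entropy >= HIGH_ENTROPY_BITS and not lower.endswith(COMPRESSED_OK):
        reasons.append(f"high entropy ({entropy:.2f} bits/byte) for a non-compressed type")
    return {"name": name, "entropy": round(entropy, 2), "suspicious": bool(reasons), "reasons": reasons}


def scan_backup(directory):
    """Assess every file under the backup directory."""
    results = []
    for root, _, files in os.walk(directory):
        for name in sorted(files):
            results.append(assess_file(os.path.join(root, name)))
    return results


def is_clean(results):
    """A backup set is clean when no file was flagged."""
    return not any(r["suspicious"] for r in results)


def demo():
    """Build a constructed backup set: an intact document, an encrypted copy, a photo and a ransom note."""
    with tempfile.TemporaryDirectory() as backup_dir:
        samples = {
            "report.docx": b"Quarterly report: revenue up 3 percent, costs flat.\n" * 300,
            "report.docx.locked": os.urandom(16384),  # constructed stand-in for an encrypted file
            "photo.jpg": os.urandom(16384),           # high entropy is normal for this type
            "HOW_TO_RECOVER_FILES.txt": b"Your files have been encrypted.\n",  # constructed note
        }
        for name, content in samples.items():
            with open(os.path.join(backup_dir, name), "wb") as f:
                f.write(content)
        return scan_backup(backup_dir)


if __name__ == "__main__":
    results = demo()
    for r in results:
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f'{flag:10} {r["name"]:26} entropy={r["entropy"]:.2f} {"; ".join(r["reasons"])}')
    print("backup is clean" if is_clean(results) else "backup needs review before restore")
```

The entropy check is a screening tool, not proof: compressed and media formats are excluded by extension here because they are legitimately high-entropy, and a flagged set still needs a person to decide which backup generation predates the compromise before the restore clock starts.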
Lessons Learned
  Important to learn from your incidents: don't make the same mistake twice
  Use the information to build better protections... and to improve your early detection
  Lessons learned report:
    When was the problem first detected and by whom
    The scope of the incident
    How it was contained and eradicated
    Work performed during recovery
    Areas where the IRT was effective
    Areas that need to be improved
Prepare for security incident response: checklist (inspiration)
  Incident response plan: playbook, up to date
  The team: staffing and commitment
  Detect: threat intelligence
  Containment: tools
  Recovery: backup or rebuild
  Lessons learned: fixed form for evaluation and reporting
What should you do when you get home?
  Monday: evaluate your current incident readiness
  Next week: draw up an incident response plan
  Next month: set up the team and train!!
Thanks!