Renault Ross, CISSP, MCSE, CHSS, VCP5, Chief Cybersecurity Business Strategist
Ian Schmertzler, President
Cyber Information Sharing
Know Your Team Under Pressure
Trust Your Eyes
Know the Supply Chain
Have Secondary Comms
Do it Right, Make it Here
[Figure: telemetry collected at each control point and fed into the sharing platform]
Firewall: inbound network traffic, outbound network traffic, protocol tunneling activity, administrative activity
Endpoint: security settings changes, network connections, successful / failed logins, sensitive docs accessed, process behaviors
Server: administrative activity, network connections, successful / failed logins, sensitive docs accessed, compliance status
Gateway: email metadata, source email server identity, web connection history, inbound attachments, outbound attachments

Each control point gets better protection + remediation from the pooled data, which also yields:
• Globally informed solution settings
• Benchmarking across peers
• Industry-targeted attack campaigns
• Endless use cases

[Figure: platform roadmap] Today: collect. Tomorrow: partner, build/acquire. Capabilities: interactive analytics, unified incident management, risk analysis, incident investigation, app exchange, social platform.
Information Sharing App Exchange (mockup, viewed as Joe Admin, InfoSec Admin, Company 1)

Top rated apps:
• C&C Detector (Nova Software)
• Load Look (Level2 Studio)
• Target Sweep (GO Getit EX)
• Remote Control (Elipse Strategy)
• Termin8er (Supercoil Software)
• Secure Check (Supercoil Software)

Secure App News
17 Sep 2014: “Load Look” by Level2 Studio advances to the next level of protection.
17 Sep 2014: 10 new compliance apps added.
16 Sep 2014: Nova Software contributes robust C&C Detection tool.
16 Sep 2014: Supercoil Software enhances security prioritization and checklist features.

Message Board
1h ago, Super Coil Software: Check out our latest development utilizing aggregated risk analysis tolerance feedback.
1 day ago, Joe: Dashboard Elite is not all it’s cracked up to be, we’ve hit snags with the custom navigation integration module.
Information Sharing Social Platform (mockup)

Joe Admin, Software Developer, Verified, 3 hours ago:
We are seeing a lot of instances of foo.exe on our endpoints. Where is it coming from?

Lisa Andrews, Manufacturing CISOs, Verified, 2 hours ago:
Yes. I saw it a few weeks ago. Seems to be related to the earlier attack. I’ll ask Dave to send you a source IP we have associated with that executable.

Dave Admin, Manufacturing Admin, Verified, 1 hour ago:
Hi Joe, we have traced the origin of foo.exe to the following IP: 172.16.254.1

Indicator card attached to the thread:
Source: 172.16.254.1
Type: IP Address
Origin: Unknown
Forensic results:
Connection from SAM_WIN8/SPY.EXE to 172.16.254.1 at 6:18:08 pm on 10/6/14
File TED_WIN7/BOT.EXE retrieved from 172.16.254.1 at 8:20:10 am on 10/24/14
Connection from SALLY_ANDROID_1 to 172.16.254.1 at 4:24:08 pm on 11/6/14
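The thread above ends with a shared IP indicator and the forensic results that local telemetry produced for it. The following is an added example of that correlation step, written for this page; it is not code from the deck or from Symantec. The event lines are constructed to mirror the slide's forensic results, and the line format "<host>/<process> <action> <ip> <ISO timestamp>" is an assumption, not a real sensor format. Two points a practitioner would want that the slide glosses over: the match must be an exact address comparison (a substring match on "172.16.254.1" also hits 172.16.254.10), and 172.16.254.1 is RFC 1918 space, so an indicator like this describes the other organisation's internal network and deserves a low confidence rating on its own.

```python
"""Match a shared IP indicator against local endpoint telemetry.

Added example for this page; it is not code from the deck or from Symantec.
The event lines are constructed, and the "<host>/<process> <action> <ip> <ts>"
line format is an assumption rather than any product's real log format.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed telemetry. The last two lines are deliberate near-misses: a benign
# public destination, and a different host (.10) that a substring match would catch.
RAW_EVENTS = """\
SAM_WIN8/SPY.EXE connect 172.16.254.1 2014-10-06T18:18:08
TED_WIN7/BOT.EXE download 172.16.254.1 2014-10-24T08:20:10
TED_WIN7/CHROME.EXE connect 93.184.216.34 2014-10-24T08:21:00
SALLY_ANDROID_1/- connect 172.16.254.1 2014-11-06T16:24:08
BOB_WIN7/FOO.EXE connect 172.16.254.10 2014-11-07T09:00:00
"""


@dataclass(frozen=True)
class Event:
    host: str
    process: str      # "-" when the sensor reports no process (mobile agent)
    action: str       # "connect" or "download"
    ip: object        # ipaddress.IPv4Address or IPv6Address
    when: datetime


def parse_events(text):
    """Parse the constructed line format into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        origin, action, ip, stamp = line.split()
        host, _, process = origin.partition("/")
        events.append(Event(host, process or "-", action,
                            ipaddress.ip_address(ip), datetime.fromisoformat(stamp)))
    return events


def match_indicator(events, indicator):
    """Exact address comparison: 172.16.254.1 must not match 172.16.254.10."""
    ioc = ipaddress.ip_address(indicator)
    return [e for e in events if e.ip == ioc]


def confidence(indicator):
    """A private, loopback or link-local indicator is another organisation's
    internal address: it is not routable to you and is low-value on its own."""
    ioc = ipaddress.ip_address(indicator)
    if ioc.is_private or ioc.is_loopback or ioc.is_link_local:
        return "low"
    return "normal"


def fmt_when(d):
    """Render timestamps the way the slide does: '6:18:08 pm on 10/6/14'."""
    clock = f"{d.hour % 12 or 12}:{d:%M:%S} {d:%p}".lower()
    return f"{clock} on {d.month}/{d.day}/{d:%y}"


def forensic_results(events, indicator):
    """Build the indicator card shown on the platform, oldest hit first."""
    hits = sorted(match_indicator(events, indicator), key=lambda e: e.when)
    card = [
        f"Source: {indicator}",
        "Type: IP Address",
        "Origin: Unknown",
        f"Confidence: {confidence(indicator)}",
        "Forensic results:",
    ]
    for e in hits:
        who = e.host if e.process == "-" else f"{e.host}/{e.process}"
        if e.action == "download":
            card.append(f"File {who} retrieved from {e.ip} at {fmt_when(e.when)}")
        else:
            card.append(f"Connection from {who} to {e.ip} at {fmt_when(e.when)}")
    return card


if __name__ == "__main__":
    print("\n".join(forensic_results(parse_events(RAW_EVENTS), "172.16.254.1")))
```

Run as a script it prints the same three forensic lines as the slide's card, plus a "Confidence: low" line because the indicator is a private address; BOB_WIN7's connection to 172.16.254.10 is correctly left out.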
STARTING POINT: NIST CSF ADOPTION
Copyright © 2017 Symantec Corporation

CSF Core: Functions
ID  Identify  What assets need protection?
PR  Protect   What safeguards are available?
DE  Detect    What techniques can identify incidents?
RS  Respond   What techniques can contain impacts of incidents?
RC  Recover   What techniques can restore capabilities?

CSF FUNCTIONS – BUILD PROFILE
UNDERSTAND YOUR MATURITY: SELF ASSESSMENT LED

[Figure: CSF categories arranged by function, each self-scored on the scale below]
IDENTIFY: ID.AM Asset Management; ID.BE Business Environment; ID.GV Governance; ID.RA Risk Assessment; ID.RM Risk Management Strategy
PROTECT: PR.AC Access Control; PR.AT Awareness and Training; PR.DS Data Security; PR.IP Information Protection Processes and Procedures
DETECT: DE.AE Anomalies and Events; DE.CM Security Continuous Monitoring; DE.DP Detection Processes
RESPOND: RS.RP Response Planning; RS.CO Response Communications; RS.AN Response Analysis; RS.MI Response Mitigation; RS.IM Response Improvements
RECOVER: RC.RP Recovery Planning; RC.IM Recovery Improvements; RC.CO Recovery Communications

Maturity scale: Not At All | Planned | Partially | Mostly In Place | Optimized
WHERE AM I

Current vs. target profile for the Asset Management category (ID.AM):
Fxn.  Cat.   Sub.     Current Profile  Target Profile
ID    ID.AM  ID.AM-1  Tier 1           Tier 2
ID    ID.AM  ID.AM-2  Tier 1           Unused
ID    ID.AM  ID.AM-3  Tier 2           Tier 4
ID    ID.AM  ID.AM-4  Unused           Tier 3
ID    ID.AM  ID.AM-5  Tier 4           Tier 4
ID    ID.AM  ID.AM-6  Tier 3           Tier 4

Comparing the two profiles enables a prioritized action plan.
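The current/target comparison above is what produces the prioritized plan. The following is an added example of that gap analysis, written for this page; it is not code from the deck or from Symantec. It follows the slide's convention of recording a level ("Tier 1" to "Tier 4", or "Unused") per subcategory, even though NIST applies its Implementation Tiers to the organisation as a whole. The ID.AM-1 to ID.AM-6 values are those on the slide; the RS.RP-1 row and most of the reference map are constructed. The one edge case worth handling explicitly is "Unused": a target of Unused means the subcategory is out of scope, while a current of Unused with a tiered target means nothing exists yet, which is the largest gap, not a zero.

```python
"""Gap analysis between a Current and a Target CSF profile.

Added example for this page, not code from the deck or from Symantec. Levels
are recorded per subcategory as "Tier 1".."Tier 4" or "Unused", matching the
slide; the ID.AM rows come from the slide, the RS.RP-1 row is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class GapItem:
    subcategory: str
    current: int | None   # None means "Unused"
    target: int | None
    gap: int


def parse_level(text):
    """'Tier 3' -> 3, 'Unused' -> None; anything else is a data-entry error."""
    text = text.strip()
    if text.lower() == "unused":
        return None
    if text.startswith("Tier ") and text[5:].isdigit() and 1 <= int(text[5:]) <= 4:
        return int(text[5:])
    raise ValueError(f"invalid maturity level: {text!r}")


def gap_analysis(current, target):
    """Return one GapItem per subcategory, largest gap first.

    Rules for "Unused":
      - target Unused: out of scope, gap 0 whatever exists today
      - current Unused, target Tier N: nothing exists yet, so the gap is the
        whole target (reporting 0 here would hide the biggest piece of work)
    """
    if current.keys() != target.keys():
        raise ValueError("current and target profiles cover different subcategories")
    items = []
    for sub in sorted(current):
        cur, tgt = parse_level(current[sub]), parse_level(target[sub])
        if tgt is None:
            gap = 0
        elif cur is None:
            gap = tgt
        else:
            gap = max(tgt - cur, 0)
        items.append(GapItem(sub, cur, tgt, gap))
    return sorted(items, key=lambda g: (-g.gap, g.subcategory))


def coverage(items):
    """(subcategories already at target, subcategories in scope)."""
    in_scope = [g for g in items if g.target is not None]
    at_target = [g for g in in_scope if g.current is not None and g.current >= g.target]
    return len(at_target), len(in_scope)


def fmt(level):
    return "Unused" if level is None else f"Tier {level}"


def action_plan(items, references):
    """One line per open gap, with the informative references that define
    what the target level looks like in practice."""
    plan = []
    for g in items:
        if g.gap == 0:
            continue
        refs = "; ".join(references.get(g.subcategory, ["(no reference mapped yet)"]))
        plan.append(f"{g.subcategory}: {fmt(g.current)} -> {fmt(g.target)} (+{g.gap}); see {refs}")
    return plan


# From the slide's "WHERE AM I" table, plus a constructed RS.RP-1 row.
CURRENT = {"ID.AM-1": "Tier 1", "ID.AM-2": "Tier 1", "ID.AM-3": "Tier 2",
           "ID.AM-4": "Unused", "ID.AM-5": "Tier 4", "ID.AM-6": "Tier 3",
           "RS.RP-1": "Tier 1"}
TARGET = {"ID.AM-1": "Tier 2", "ID.AM-2": "Unused", "ID.AM-3": "Tier 4",
          "ID.AM-4": "Tier 3", "ID.AM-5": "Tier 4", "ID.AM-6": "Tier 4",
          "RS.RP-1": "Tier 3"}
# Excerpt of the Core's informative references: RS.RP-1 is the row shown on the
# slide, ID.AM-1 is one entry from the published Core table; the rest is left
# unmapped on purpose so the plan shows how a missing mapping surfaces.
REFERENCES = {
    "RS.RP-1": ["COBIT 5 BAI01.10", "CCS CSC 18", "ISA 62443-2-1:2009 4.3.4.5.1",
                "ISO/IEC 27001:2013 A.16.1.5",
                "NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8"],
    "ID.AM-1": ["NIST SP 800-53 Rev. 4 CM-8"],
}

if __name__ == "__main__":
    items = gap_analysis(CURRENT, TARGET)
    done, scope = coverage(items)
    print(f"{done}/{scope} in-scope subcategories already at target")
    print("\n".join(action_plan(items, REFERENCES)))
```

With the slide's numbers the plan leads with ID.AM-4 (Unused to Tier 3), then ID.AM-3 and RS.RP-1 at two tiers each, and reports only one of six in-scope subcategories (ID.AM-5) already at target. Sorting is by gap size and then subcategory id; a real plan would also weight by the risk assessment (ID.RA), which the slide treats as a separate input.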
HOW CAN I ALIGN WITH BEST PRACTICES

CSF Core: informative references (one example row)
Function: Respond (RS)
Category: Response Planning (RS.RP)
Subcategory: RS.RP-1: Response plan is executed during or after an event
Informative References: COBIT 5 BAI01.10; CCS CSC 18; ISA 62443-2-1:2009 4.3.4.5.1; ISO/IEC 27001:2013 A.16.1.5; NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8
ENTERPRISE TOOLKIT: A Mature Compliance and Security Model
Business Strategy and Governance driving Security Operations

[Figure: security domains laid out from strategic to tactical, with the tooling mapped to each. Information Risk Management & Reporting and GRC Dashboards run across every domain.]

Business Strategy and Governance (strategic):
• Governance (security, privacy, compliance): Security Policies and Procedures; Awareness and Training; Security Team Structure, Roles & Responsibilities; Information Risk Management & Reporting

On-Going Compliance and Security Operations (tactical):
• Digital Trust; High Assurance; Identity Management; Authentication
• Information Protection: Data Loss Controls; Data Classification; Encryption; Electronic Discovery
• Infrastructure Management: Inventory & Asset Management; Mobility & Wireless; Configuration & Patch Management; Sys Integrity & Lockdown
• Infrastructure Protection: Logging & Monitoring; Malicious Code Protection; Security Intelligence; Secure Network Design; Network Perimeter Security

Tooling shown in the figure: GRC Policy, GRC Standards & UA, GRC Dashboards, DLP, ENC, 2FA, PKI, LOA3, Secure Info Access, CASB, Mobile, EPM, HIPS, ATP, EDR, MSSP, IR Retainer, PEN Test.