1
OPERATIONALIZING INCIDENT RESPONSE
Developing Threat Detection and Response Capabilities
2
If you think technology can solve your security problems,
then you don't understand the problems and you don't
understand the technology. - Bruce Schneier
You can't defend. You can't prevent. The only thing you
can do is detect and respond. - Bruce Schneier
3
Hacking for profit
Profit at people’s expense
Focus on people - Shane Harsch
4
5
PICTURE, IF YOU WILL…
Security Patrol
Broken Window
Record & Assess
Report & Escalate
Police Investigate
Brief Leadership
Follow Trail
Schrodinger’s Safe
Why Not Cyber?
6
AGENDA
▪ Business-Driven Security Lifecycle
▪ Operational Roles of Incident Response (IR)
▪ Why Hunting Matters
▪ Content
▪ How IR Differs from Security Operations
▪ Next Steps
Shane Harsch MBA, GCIA, GCIH, GCED, CTIA, CISSP
Field CTO, RSA Risk & Cybersecurity Practice
SANS Instructor
7
Certain factors decrease or increase cost of breach
• Cost is per capita per compromised record.
• Average breach cost is $141 per capita.
IR Program w/Analytics directly addresses three key factors
• Enables an Incident Response Team
• Provides comprehensive security analytics
• Mitigates the risk of notifying too quickly
• These three factors could reduce cost by $31.60 (22%)
IMPACT OF 20 FACTORS ON COST OF DATA BREACH
2017 Cost of a Data Breach: Ponemon
8
Business Objectives
Risk Alignment
Threat Priorities
Content Intelligence
Analytics
Incident Response
Defense-in-Depth
Metrics
RSA BUSINESS-DRIVEN SECURITY LIFECYCLE
Detection & Response
Measure Risk
Control Security Defense-in-Depth
Threat Intel
Packets
Endpoint Forensics
Logs
KPIs
Asset Criticality
Risk Register
Vulnerability Management
Patch Management
Perimeter Defense
Endpoint Protection
Network Segmentation
Identity (auth and governance)
Processes & Procedures
9
OPERATIONAL ROLES OF INCIDENT RESPONSE
Threats
What threats are of concern?
What data feeds provide necessary information?
Which threat records are valid?
Content
What is the logic necessary to identify threats?
Which tools are required to identify threats?
What are the rules/parsers/alerts required?
Playbook
Validate tuned alerts
Execute standard procedures
Escalate if Playbook does not identify remediation
Hunting
90% Proactive investigations
10% Playbook escalations
Inform Threat of new findings
Incident Response
Threat
Content
Playbooks
Hunting
10
1. Business Defines Risks
▪ Create Risk Register with Threats and Critical Assets.
2. Threat Intel Defines Controls and Priorities
▪ Align Controls to mitigate controllable Threats.
▪ Cultivate Threat Intelligence for remaining Threat Priorities.
3. Establish IR Plan around your Threat Priorities
▪ Develop Use Cases for your Threat Priorities.
4. Operationalize Incident Handling
▪ Combine your Use Cases into Playbooks.
5. Hunt for Anomalies that exist outside your Playbooks.
6. Commit to Continuous Improvement
▪ Review incidents quarterly and critical incidents directly.
▪ Exercise playbooks through Simulation/TTX for readiness.
▪ Assess resilience to threats with Gap Analysis.
PRINCIPLES OF THREAT DETECTION
11
WHY HUNTING MATTERS
DWELL TIME
Active Threat
Critical Asset
Threat Hunting
DWELL TIME
Defense-in-Depth
Prevented?
Security
Operations
NO
YES
Playbook
Detected?
Incident
Response
NO
YES
12
Victim Company
Recon Server
C2 Server
Perimeter
FW
ANATOMY OF A RANSOMWARE ATTACK
13
HOW DO WE EVOLVE A SOC INTO AN ASOC?
CONTENT OF DOOM
But what kind of content?
14
WHAT DATA DO WE NEED
CONTENT BY BUSINESS CASE
In the ransomware example, we needed packets and endpoint data to detect the attack.
            Compliance   Operations              Detection & Response
Objective   Auditing     Device Admin            Threat Hunting
Interface   Reporting    Dashboards, Alerts      Event DB Queries
Content     Logs         Security Logs, Netflow  Context Logs, Netflow, Packets, Endpoint
15
CRITICAL CONTENT: CORE ELEMENTS
Context from Logs: Who, where, when, and which resources accessed.
Trajectory from Netflow: Netflow maps an attack’s lateral movement in your environment.
Evidence from Packets: Packets show IoCs for delivery, c2, and patterns of activity.
Proof from Endpoints: Endpoint data show IoCs for exploitation, installation, and actions.
Enterprise Visibility
Critical: FW, DNS, DHCP, AD, Proxy, VPN
16
OPERATIONS AND RESPONSE
Preparation
Roles & Responsibilities
Communications Plan
IR Workflow
Detection & Analysis
Incident Classification
Use Case Methodology
▪ Incident Prioritization
▪ Response Procedures
Identify Remediation Plan
Containment, Eradication & Recovery
Execute Remediation Plan
Evidence Handling
Execute Remediation Plan
Recovery
Post-Incident Activity
After Action Report & Lessons Learned
CIRT: Incident Response
SOC: Security Operations
IR and SOC share the effort
NIST 800-61r2 Incident Response Lifecycle
17
NEXT STEPS
HOW DO WE REALIZE THESE
OBJECTIVES…TOMORROW?
18
• Understand your key Business-drivers today
• Create a Risk Register and identify your Critical Assets
• Gather information to Prioritize Threats
• Use Business-Driven Security Lifecycle to map organization
• Review the Principles of Threat Detection and Response to
determine how you might add these capabilities today.
CONDUCT A SELF-ASSESSMENT
CURRENT STATE
19
DNS
TAKE CONTROL OF DNS
Around 95% of malware families use DNS for c2*
• Egress Filtering: deny DNS except from internal DNS
• Force all internal DNS requests to your DNS servers
• Give your threat analysts the ability to add domains
• Automate Malware & c2 domain feeds
• Sinkhole malware and c2 domains to alert SOC (not CIRT)
*Research by Infoblox and BlueCat Networks
20
MALWARE & C2 DOMAIN FEEDS
• http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt
• http://www.malwaredomainlist.com/hostslist/hosts.txt
• http://malc0de.com/bl/ZONES
• http://mirror1.malwaredomains.com/files/justdomains
• https://isc.sans.edu/feeds/suspiciousdomains_High.txt
• http://osint.bambenekconsulting.com/feeds/dga-feed-high.csv
And many more…
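ADDED EXAMPLE (not part of the original deck): one way to automate the feed-to-sinkhole step from the DNS slides, merging feed text and analyst-added domains, protecting an allowlist, and emitting a response policy zone (RPZ) in BIND zone-file syntax. The sinkhole address, zone name, feed layouts, resolver log layout, and all sample data are assumptions constructed for illustration.

```python
import csv
import re

SINKHOLE_IP = "192.0.2.53"  # assumption: internal sinkhole host (documentation range)
_LABEL = r"(?!-)[a-z0-9_-]{1,63}(?<!-)"
_FQDN = re.compile(r"^(?:" + _LABEL + r"\.)+" + _LABEL + r"$")

def normalize(name):
    """Lower-case and strip the root dot; None unless it looks like a domain name."""
    name = name.strip().lower().rstrip(".")
    if len(name) > 253 or not _FQDN.match(name):
        return None
    # Reject bare IPv4 addresses that slip into domain feeds.
    return None if name.rsplit(".", 1)[1].isdigit() else name

def parse_feed(text):
    """Pull domains out of hosts-style, one-per-line, or CSV feed text."""
    found = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if "," in line:  # CSV layout: domain in the first column
            candidate = next(csv.reader([line]))[0]
        else:  # hosts layout "<ip> <domain>", or a single domain
            fields = line.split()
            candidate = fields[1] if len(fields) > 1 else fields[0]
        name = normalize(candidate)
        if name:
            found.add(name)
    return found

def build_blocklist(feeds, analyst_domains=(), allowlist=()):
    """Merge feeds and analyst additions, then drop anything touching the allowlist."""
    allowed = {normalize(d) for d in allowlist} - {None}
    merged = {normalize(d) for d in analyst_domains} - {None}
    for text in feeds:
        merged |= parse_feed(text)
    def conflicts(d):
        # A wildcard sinkhole on a parent would also capture an allowlisted child.
        return any(d == a or d.endswith("." + a) or a.endswith("." + d) for a in allowed)
    return sorted(d for d in merged if not conflicts(d))

def to_rpz(domains, origin="rpz.sinkhole.example", serial=1):
    """Render a response policy zone that answers listed names with the sinkhole."""
    out = [f"$ORIGIN {origin}.", "$TTL 300",
           f"@ IN SOA localhost. hostmaster.localhost. {serial} 3600 600 86400 300",
           "@ IN NS localhost."]
    for d in domains:
        out += [f"{d} IN A {SINKHOLE_IP}", f"*.{d} IN A {SINKHOLE_IP}"]
    return "\n".join(out) + "\n"

def sinkhole_hits(resolver_log):
    """Return (client, qname) for every logged answer that was the sinkhole IP."""
    hits = []
    for line in resolver_log.splitlines():
        parts = line.split()  # constructed layout: time client qname type answer
        if len(parts) == 5 and parts[4] == SINKHOLE_IP:
            hits.append((parts[1], parts[2].lower().rstrip(".")))
    return hits

# Constructed sample inputs (not taken from any real feed or log).
HOSTS_FEED = "# hosts layout\n127.0.0.1 localhost\n127.0.0.1 bad-updates.example\n"
PLAIN_FEED = "EVIL-C2.example.\n198.51.100.7\ncdn.corp-partner.example\n"
CSV_FEED = "# csv layout\ndga-abc123.example,constructed DGA entry,2018-01-01\n"
SAMPLE_LOG = ("2018-03-01T10:00:00Z 10.1.2.3 bad-updates.example A 192.0.2.53\n"
              "2018-03-01T10:00:02Z 10.1.2.9 www.corp-partner.example A 203.0.113.10\n")
BLOCKLIST = build_blocklist([HOSTS_FEED, PLAIN_FEED, CSV_FEED],
                            ["Phish-Login.example"], ["corp-partner.example"])

if __name__ == "__main__":
    print(to_rpz(BLOCKLIST), sinkhole_hits(SAMPLE_LOG))
```

Each client returned by sinkhole_hits is a host that tried to resolve a listed domain, which is the event the slide routes to the SOC. The allowlist check keeps a bad feed entry from sinkholing a business-critical domain or its parent.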
21
Business Objectives
Risk Alignment
Threat Priorities
Content Intelligence
Analytics
Incident Response
Defense-in-Depth
Metrics
STAFFING
Detect & Respond
Measure Risk
Control Security Defense-in-Depth
Threat Intel
Packets
Endpoint Forensics
Logs
KPIs
Asset Criticality
Risk Register
Vulnerability Management
Patch Management
Perimeter Defense
Endpoint Protection
Network Segmentation
Identity (auth and governance)
Processes & Procedures
CIRT
Incident Response
MDR
SOC
Security Administration
MSSP
22
Retainer
CIRT STAFF
Threats
What threats are of concern?
What data feeds provide necessary information?
Which threat records are valid?
Content
What is the logic necessary to identify threats?
Which tools are required to identify threats?
What are the rules/parsers/alerts required?
Playbooks/Triage
Validate tuned alerts
Execute standard procedures
Escalate if Playbook does not identify remediation
Hunting
90% Proactive investigations
10% Playbook escalations
Inform Threat of new findings
Incident Response
Threat Intel
Content
Playbooks/Triage
Hunting
1-2
1-2
24x7: 6-7
8x5: 2-3 but…
1-2
CIRT
Incident Response
MDR
23
DISRUPT THE KILL CHAIN
START HUNTING
The internet is hard
and so can you
• Hunt for common indicators
• Prioritize critical assets
• Map vulnerabilities to exploits
• Map your controls
• Understand your capabilities
24
• Gap Analysis and Roadmap
• Threat Intelligence Program Roadmap
• Incident Response Plan
• Tactical Playbook Development
• Incident Response Retainer
• Controlled Attack and Response Exercises
• Tabletop Exercises
WORK WITH SOMEONE WHO HAS DONE THIS BEFORE
GET HELP
Find the right combination of internal, MSSP, MDR, Retainer, and
ACD services that makes sense for you and your threat priorities.
25
Shane Harsch MBA, GCIA, GCIH, GCED, CISSP, CTIA
Field CTO, RSA Risk & Cybersecurity Practice
SANS Instructor
Thank You
26
WORKSHOP EXERCISES
27
SECURITY ARCHITECTURE
▪ Log Analysis/Management
▪ Perimeter (FW, NIPS, Proxy, etc.)
▪ Network Monitoring (Malware, NIDS)
▪ Network Segmentation
▪ Host Monitoring (HIDS, Forensics)
▪ Host Protection (AV, Malware, HIPS)
▪ Vulnerability Scanning
▪ Patch Management
▪ Identity Management/Workflow Automation
▪ Encryption
UNDERSTAND YOUR CURRENT STATE
BUSINESS ALIGNMENT & PROCESSES
▪ Current IR Plan
▪ Relation to Business IR Plan
▪ Escalation Plan
▪ Incident Tracking
▪ Post-Incident Review
▪ 24x7 vs 8x5
▪ Metrics Requirements for IR
▪ Critical Asset Prioritization
▪ Alignment with eGRC
▪ Current Staffing for CIRT vs. SOC
▪ Number of Incidents per day/week
28
The analysis of an adversary's intent, opportunity, and capability to do harm is known as cyber threat intelligence.
- SANS
• What attacks are likely to target which critical assets?
• How might an attack succeed in your environment?
• What content contains key Indicators of Compromise (IoCs)?
• How do you analyze your content to detect these IoCs?
• How do you gather, store, handle, vet, and share threat intel?
• What sources of threat intel do you require?
• How is that intel parsed and normalized?
• How are your threat priorities integrated into controls, playbooks, and hunting?
WHAT IS THREAT INTELLIGENCE?
THREAT INTEL
29
START WITH FIRST TWO STAGES OF IR
PREPARATION
▪ Roles & Responsibilities
▪ Communications Plan
▪ IR Workflow
DETECTION & ANALYSIS
▪ Incident Classification
▪ Use Case Methodology
− Incident Prioritization
− Response Procedures
▪ Identify Remediation Plan
NIST 800-61r2 Incident Response Lifecycle
30
ROLES & RESPONSIBILITIES: RACI
R – Responsible: Person or role responsible for actually doing or completing the item
A – Accountable: Person or role responsible for ensuring that the item is completed
C – Consulted: Person or role whose subject matter expertise is required in order to complete the item
I – Informed: Person or role that needs to be kept informed of the status of item completion
RACI Chart
Roles: L1 Analyst, L2 Analyst, L3 Analyst, Security Ops Manager, End-User, Help Desk
Incident Response Tasks:
Identify Potentially Malicious Event: R R C A
Malicious traffic “Hunting”: R A
Collect & Document supporting logs: R R A
Preliminary Validation: R R A
Dispatch to Desktop Support: R R R A I I
Lessons learned and reporting: R R A
Analyze Network Traffic: R
Analyze Malware Sample: R A
Analyze Host Machine: R A
Document Investigation Analysis: I R A
Create/update L2 checklists: I R A
KPI and Security Operations Team effectiveness: I C R
Remediation Execution: I I A C R
Security Ops Team Policy creation & review: I C R
31
Define how you will communicate status and conclusion with an understanding of your audience.
▪ Example Internal
− The IS Helpdesk currently performs end user notifications via email or phone call. The IR Team performs as an advisory role to the IS Helpdesk team when end user notification regarding security incidents or other security communications are required. If an incident involves a server compromise, the IR Team may communicate with the respective team directly in order to expedite the containment and remediation of the incident.
▪ Example External
− As determined on a case by case basis, the IR Team may work in an advisory role to the executive team regarding external communication of security incidents. All external communications will be performed by the team designated by the Executive Breach Response Plan during security incidents.
KEEP ALL STAKEHOLDERS INFORMED
COMMUNICATIONS PLAN
32
COMMUNICATIONS SECURITY PLAN
SAMPLE INTERNAL PLAN
• Non-confidential communication does not need to be encrypted.
• If confidential information is being sent internally (customer or otherwise), ensure that any attachments are encrypted and the email itself is encrypted if any confidential information is contained in the body of the email.
• Use an out-of-band form of communication to ensure that the recipient can open any attachments that were sent. Do not include any decryption keys/passwords in the body of the email, even if the email itself is encrypted. Out-of-band communications include:
• Text messages
• Voice calls
• Meeting in person
• In the event of a breach, communications should be assumed to be compromised. Internal email and internal chat communications should not be used to discuss the incident.
SAMPLE EXTERNAL PLAN
• Verify that the email address belongs to the intended recipient.
• If an email is sent in error, immediately send an email to the unintended recipient informing them to delete the email.
• Never transmit confidential information unencrypted
• Never transmit confidential information to personal email addresses.
33
WORKFLOW – HIGH LEVEL
34
CONTAINMENT, ERADICATION, AND RECOVERY
IDENTIFY REMEDIATION PATH
▪ Document and close out incident for IR Team
WORKING WITH THE SOC
▪ Communicate to Operations Team for Remediation
− Understand and structure communications to provide information in the best format for consumption
▪ Operations Responsible/Accountable for Last Three Stages of IR
− Containment
− Eradication
− Recovery
If your hunters are working on containment, eradication, and recovery, they aren’t hunting.
35
FRAMEWORK FOR INCIDENT RESPONSE
Preparation
▪ Roles & Responsibilities
▪ Communications Plan
▪ Workflow
Detection & Analysis
▪ Incident Classification
▪ Use Case Methodology
▪ Response Procedures
▪ Incident Prioritization
▪ Identify Remediation Plan
Containment
▪ Execute Remediation Plan
▪ Evidence Handling
Eradication & Recovery
▪ Execute Remediation Plan
▪ Recovery
Post-Incident Review
▪ After Action Report & Lessons Learned
CIRT: Incident Response
SOC: Security Operations
Operationalizing the Framework is Critical
36
ADDITIONAL INFO
37
TYING IT ALL TOGETHER
38
RSA NETWITNESS PLATFORM
ACCELERATED THREAT
DETECTION FROM THE
ENDPOINT TO THE CLOUD
FORCE MULTIPLIER FOR SECURITY
ANALYSTS & INCIDENT RESPONDERS
A BUSINESS-DRIVEN SECURITY
APPROACH, PROVIDING BUSINESS
CONTEXT
INTELLIGENCE-DRIVEN SOC
39
ADVANCED CYBER DEFENSE
RAPID PROGRAM DEVELOPMENT
Cyber Gap Analysis
Incident Response Plan
Cyber Use Cases
Cyber Threat Intelligence
Roadmap
RSA IR Retainer
▪ Gap analysis with prioritized
roadmap recommendations
▪ IR Plan
▪ Incident Walkthrough Exercise
▪ Hunting Services and Retainer
▪ Review of current capabilities
▪ Roadmap of critical requirements
▪ Four levels (bronze, silver, gold, platinum)
▪ Live response capable (with RSA NetWitness)
▪ Up to 3 hour SLA
Threat
Detection &
Response
Structured business-driven
solutions to quickly establish
strategy and operations.
Delivers business outcomes
to remediate Organizational
impact and deliver rapid
time-to-value
Customizable packaging with
tailored scope of effort
and accelerated access to
battle-tested security experts
ADVANCED CYBER DEFENSE
AND
INCIDENT RESPONSE
▪ Technology agnostic
▪ Develop Monitoring Use Cases
▪ Response Procedures
40
RSA CONTROLLED ATTACK & RESPONSE EXERCISE (CARE)
• Capture the flag exercise
• Designed with customer input
• Simulates sophisticated actor
• Based on existing toolset/technical controls
Threat
Detection
Threat
Response
• Focused on the IR process & procedures
• Bonus points for accelerated response
• Based on existing IR Plan/operational model
41
• Review of up to 10 process documents and artifacts
• Conduct up to 6 interviews (1 hour)
• Observation of the incident response routine
• Develop 3 attack scenarios, including “capture flags”
• Execute the 3 attack scenarios over a 2 day period
• Assess capabilities throughout the incident handling lifecycle
• Conduct a basic Knowledge Transfer for recommendations
• Deliverables
• Design Report
• Findings Report
• Executive Presentation
RSA CONTROLLED ATTACK AND RESPONSE EXERCISE
ACD SERVICES
PS-BAS-CON-CARE
5 WEEKS (3 TRIPS INCLUDED)
42
4-hour TTX for up to 10 executive participants,
with a scenario defined by the results of RSA’s CARE.
• Assess capabilities throughout the incident response
• Identify common response difficulties and areas for process
and communication improvement
• Conduct a basic Knowledge Transfer for recommendations
• Deliverables
• Findings Report
• Executive Presentation
RSA EXECUTIVE TABLETOP FOR CARE
ACD SERVICES
PS-BAS-CON-ACD10
2 WEEKS (1 TRIP INCLUDED)
43
Business Objectives
Risk Alignment
Threat Priorities
Content Intelligence
Analytics
Incident Response
Defense-in-Depth
Metrics
RSA BUSINESS-DRIVEN SECURITY SOLUTIONS
Defense-in-Depth
44
RSA CYBER ANALYTICS PLATFORM
RSA PORTFOLIO
45
RSA RISK AND CYBERSECURITY
PRACTICE
650+ CYBERSECURITY EXPERTS ACROSS 24 COUNTRIES
RSA LABS
RSA ADVANCED CYBER DEFENSE PRACTICE
RSA DETECTION AND RESPONSE PRACTICE
RSA INCIDENT RESPONSE PRACTICE
RSA RISK MANAGEMENT PRACTICE
RSA RISK IDENTITY ASSURANCE PRACTICE
RSA UNIVERSITY
RSA PRODUCT AND CUSTOMER SUPPORT
RSA CYBERSECURITY EXPERIENCE
46
ADVANCED CYBER DEFENSE
RAPID PROGRAM ASSESSMENT
Cyber Gap Analysis
Executive Tabletop
Cyber Use Cases
Controlled Attack and
Response Exercise (CARE)
Expert-On-Demand
▪ Gap analysis with prioritized
roadmap recommendations
▪ Scenario driven by CARE results
▪ 4-hour executive-focused exercise
▪ Findings Report & Recommendations
▪ Technology agnostic
▪ Develop Monitoring Use Cases
▪ Response Procedures
▪ Assessment of live response process
▪ Assessment of live response tools
▪ Report card across multiple eval points
▪ Duration Based offer of 10, 20, 40 & 60 Days
▪ Flexible service offerings
47
NSA ACCREDITED
• One of 14 companies accredited by the NSA
−NSA Cyber Incident Response Accreditation
48
BENEFITS OF AN IR RETAINER - REAL-WORLD RESPONSE EFFORTS
Retainer Customer
Hour 0 – Customer Identified Potential Incident & contacted RSA IR Retainer Hotline
Hour 1 – RSA IR familiarity w/ customer’s environment, capabilities, available toolsets & data sources due to Retainer onboarding process. Immediate assistance with Triage and Data Collection recommendations
Hour 3 – Preliminary Analysis completed, confirmation of targeted attack against customer environment
Hour 16 – Ongoing analysis, 60% of Attacker Infrastructure identified
Hour 24 – Multiple RSA IR resources engaged to assist with targeted attack Investigation
Confirmation of Incident and fully engaged within hours
*Expedited Investigative Timeline – Remediation completed within 2 weeks
Non-Retainer Customer
Hour 0 – Customer Identified Potential Incident & contacted RSA Incident Response via email
Hour 3 – Initial incident scoping call and discussion with RSA IR. Contract discussion, recommendations for collection of preliminary data analysis
Hour 24 – Customer coordinated availability of resources familiar with environment for scoping of Endpoint & Network visibility required for investigation. Availability of preliminary data for initial review, inconclusive data sources
Hour 36 – Shipment of technology to support Incident Response Effort
Hour 48 – Implementation of Instrumentation to provide necessary Endpoint & Network visibility
Hour 72 – Multiple RSA IR resources engaged to assist with investigation of potential incident
49
IR RETAINERS
                        Bronze   Silver   Gold     Platinum
Duration                1 Year   1 Year   1 Year   1 Year
Effort Estimate (hrs.)  24       66       120      242
SLA: Initial Response   8        6        3        3
SLA: Initial Analysis   24       24       12       12
SLA: On-site Analysis   72       48       24       24
Use of unused hours     N/A      ✓        ✓        ✓
Deliverables
  Bronze: Preliminary Analysis Report
  Silver: Preliminary Analysis Report
  Gold: Preliminary Analysis Report
  Platinum: Preliminary Analysis Report, Incident Discovery Report
50
Addresses cyber security
operations challenges
Delivers business outcomes
to remediate Organizational
impact and deliver rapid
time-to-value
Customizable packaging with
tailored scope of effort
and accelerated access to
battle-tested security experts
THREAT DETECTION & RESPONSE
SERVICES PORTFOLIO
Design & Implementation
Logs & Packets Implementation | Endpoint Implementation | Custom Log Parsers | Upgrade Planning & Execution
Custom Solution Development
Custom Scripting | Custom Integrations | Custom Content | Custom Packet Parsers | Event Source Onboarding
Ongoing Operational Support
NetWitness Residencies | Staff Augmentation | Expert on Demand | Tuning & Optimization | Knowledge Transfer
THREAT DETECTION
& RESPONSE
Customizable service offerings
to fit unique organizational
needs and procurement models.
51
RISK MANAGEMENT
SERVICES PORTFOLIO
GRC Program Strategy
Risk Management Maturity | GRC Program Strategy & Roadmap
Program Governance | Process Harmonization
RSA Archer Suite Strategy
Implementation Blueprint | Strategy & Roadmap
Optimization Assessment | Assessment Services
Hardware Sizing & Performance Health Check
Upgrade Readiness Assessment
RSA Archer Advanced Use Case Design
Plan of Action & Milestone | Federal Continuous Monitoring
Federal Assessment & Authorization | Operational Risk Management
Security Incident Management | Security Operations & Breach Management
Advanced Integrations
RSA Archer Suite API Design | RSA Ecosystem Integration
52
FRAUD AND RISK INTELLIGENCE
SERVICES PORTFOLIO
Fraud and Risk Analysis Management Program (AA)
Threat Analysis Program (WTD)
Fraud Pattern Analysis | Fraud Incidence investigation | Rule Scripting
Rule Performance Optimization | Knowledge Transfer | Expert On Demand
Health check and Architecture Review
Web Threat Detection (WTD)
System & Hardware Capacity Evaluation | System Performance Optimization
Resolution Design & Planning
Periodic System & Core Risk Engine Evaluation
Adaptive Authentication (AA)
Deployment Review according to Best practice
Environments Scaling | System Issues investigation | Risk Engine Performance Check
FRAUD & RISK
INTELLIGENCE
53
Addresses cyber security
operations challenges around
Identity and Access
Management
Delivers an identity business
driven security strategy and
helps clients to identify their
risk and how to reduce it
Customizable packaging with
tailored scope of effort
and accelerated access to
battle-tested security experts
IDENTITY ASSURANCE
SERVICES PORTFOLIO
Business Driven Identity Journey (BDIJ)
Future State Design | Planning for an Identity Strategy
Identity Gap analysis | IAM roadmap | Identity Control Framework
Business Stakeholder meetings | Round Table sessions
IAM Strategy, Assessment & Roadmap
RSA G&L specific | Business Driven Review of current deployment
Future state planning | Governance / Lifecycle roadmap
Use Case Development | IAM Plan Development
Identity Assurance Strategy, Assessment & Roadmap
RSA SecurID specific | Business Driven Review of current deployment
Future state planning | SecurID roadmap
Use Case Development | Identity Assurance Plan Development
Security Readiness and Strategy
Current State & Gap Analysis | Maturity Modeling
Various Roadmap Development
54
THANK YOU
Shane Harsch MBA, GCIA, GCIH, GCED, CTIA, CISSP
Field CTO, RSA Risk & Cybersecurity Practice
SANS Instructor