Cybersecurity, Digital investigations, and the 'unsung' Heroes of Incident Support
•
2 likes•422 views
Focus of this talk is to outline some of the fundamentals and principals associated with cybersecurity and digital investigations, demonstrate how they are connected, and to highlight how audit now plays a part in supporting incident response. Main points covered: • Fundamentals and principles associated with Cybersecurity and Digital Investigations • How Cybersecurity and Digital Investigations are connected • How an audit plays a significant part in supporting incident response Presenter: Jason Green is a Principal at Hexigent Consulting, a cyber security, digital investigation and forensic services company based out Oakville, Ontario. He is an experienced security executive with a proven record in the delivery of strategic security services, and has operated internationally in the investigations and information/cyber security fields since 1988. He works with clients to assist with digital investigative matters, provide security thought leadership, develop and execute strategic plans, identify and address security and technology issues, and respond to incidents, with a view to reducing risks and optimizing efficiencies. His background encompasses digital forensics and investigation, governance, risk and compliance, operational security design, security assessments, social engineering, and controls design and review. Recorded webinar: https://youtu.be/3CfXQqLVq84
Recommended
Recommended
More Related Content
More from PECB
More from PECB (20)
Recently uploaded
Recently uploaded (20)
Cybersecurity, Digital investigations, and the 'unsung' Heroes of Incident Support
- 2. Cybersecurity: Mindset Investigations: Informed decisions Audit: Perspective
- 3. 1. A vulnerability will be exploited 2. Everything is vulnerable, somehow 3. We trust, even when we shouldn’t 4. Innovation leads to exploitation 5. When in doubt, see #1 Cybersecurity:
- 4. The (simplified) Approach Identify ‘Crown Jewels’ Protect Assets Detect Incidents Incident Response
- 5. Mature processes, methods, tools and skills, working in unison with a common goal. The ‘Cyber’ objective: Resulting in: Well trained people, following well developed procedures, using well implemented technology
- 6. 1. You can never have enough intel 2. Science is your friend 3. Tools are tools. There is no ‘find evidence’ button 4. Someone is going to court 5. Caffeine and jazz seem to help Digital Investigations:
- 7. Incident or Need Research Hypothesis Experiment Analysis Conclusion 1. Technical & Management Awareness 3. Incident Response Escalation 2. Triage & Risk Review 4. Reputational Management Digital Investigatio n Lifecycle
- 8. Technical & Management Awareness Reputational Management Triage & Risk Review Incident Response Escalation Initial alerting from varied Sources. Questions are asked. Reviews (tech & process) INFORMATION* *Process, workflows, technology, change management, etc.. IR Teams. War rooms. Decisions being made. Lots of noise. Definitely a problem. PR/HR/Legal are involved.
- 9. Audit Factual source of information in most organizations? “…a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes." Internal
- 11. “Why can’t we combat this, easily?” • Complex Technology • Adapting Processes • People
- 12. Create relationships Incident + Operational knowhow + Audit knowledge =
- 13. 1. Knowledge transfer / cross training is good. 2. Be flexible. Always. 3. Evolve. There’s a world outside of the walls. 4. It takes a village. …A truly collaborative approach:
- 14. ISO/IEC 27032 Training Courses • ISO/IEC 27032 Introduction 1 Day Course • ISO/IEC 27032 Foundation 2 Days Course • ISO/IEC 27032 Lead Cybersecurity Manager 5 Days Course Exam and certification fees are included in the training price. www.pecb.com/en/education-and-certification-for-individuals/iso-iec-27032 www.pecb.com/events
Editor's Notes
- What I’d like to do is talk about the mindset of cybersecurity, demonstrate how more informed decisions are possible using investigative methods, and provide a – possibly – different perspective when considering audits/auditors.
- When considering cybersecurity, I’ve found some things that are fact. These haven’t changed much throughout my career and so I’d suggest they will likely to continue to be relevant. Although applying different lens to the following, will allow for a diverse approach. Note – I saw the basis of this list in a Forbes article from Jan 2018, but have repurposed here since it’ll help make some succinct points. The speed of change in technology and the way we use it, has meant that vulnerabilities appear continuously. Bad guys, bad code, bad luck or bad karma means we’re seeing a steep uptick in operational impacts. Fort knox, the whitehouse, my laptop, or the wifi network here at the conference. All, have a one or more weakness. With the application of enough time and effort, they could be found. Then it’s just a matter of time… In any ‘security’ program one things holds true – the human element is the weakest link. We’re pre-programmed to think in certain ways and that can be used against us. In the cyber space, as things improve, things get worse. Functionality v security. Whatever you’re look ing at… it’s vulnerable. If you’re auditing, remember that. Most folk see this list through a technical lens – servers, systems, applications & devices. But what if we re-considered it from a governance perspective…. A vulnerability in your governance model etc… Fresh thinking. Don’t just think technically, about what appears to be a technical issue. It’s bigger. This is usually thought of the in the technical sense, but consider these through the lens of governance/strategy/or process.
- A simple approach to the cybersecurity problem. How do we look at it. Figure out what you need to protect Come up with controls (detective and preventative) Have a way of seeing when things go sideways, or wrong. Have a plan.. a good one.. to make sure fires can be put out…quickly.
- It all sounds great, but what are we actually trying to achieve. What is the ‘cyber objective’ Ultimately, we want to help the folks that pay our salary - or fees - make informed decisions, and keep the lights on at our place of employment. Simple premise. Complex execution.
- Switching gears. One of the ‘spokes’ of cyber is incident response. Regardless of what it is, if an investigation is needed, there are some things were remembering. Much like cyber – these don’t really change. Lots of information is needed; in fact… get ‘all the data and information’. A logical and structured approach is needed to make sense of things. Forensic ‘science’ is typically applied to ensure that all avenues are explored, and findings derived. Rinse, repeat. It’s not about the tools… but they help. Everything needs documenting….someone will be going to court and have to defend activities…maybe years away. Self explanatory
- Blue -The approach to incidents. Note the analysis to research cyclic aspect (for the scientists amongst the audiences). Example could be applied to any type of incident/situation, but lets assume a significant security incident. {walkthrough to examples each component} Orange - Then consider the macro level ‘business view’ of whats going on. {Same – examples – brief}
- Flipping to the business view Tech & management. Initial notifications or understanding. Something is wrong. Needs explanation. Incident management approach is dusted off Triage & risk. Typically technical triage to validate notification or suspicions. Likely involving 2nd line technical folks, but as things are established, possibly switching to business stakeholders to perform ad hoc risk reviews / suspected impact assessments. IR escalation. Game on. It’s an incident…SMT / board is involved. Now decisions start to get made for a variety or reasons, all with different drivers. Bias becomes a problem (usually). Crisis managers need to step in to wrangle things. While #3 is taking place, if things are serious enough, leadership would look to manage their reputation. Get the right message out…work with facts and not speculation, carefully frame messages, all the while making decisions. All of this needs one thing – information.
- So… information… it’s coming from all directions…but if we step back and consider where the non-traditional sources of some information come from, we see audit. The IA function is one that has been ever present throughout my time in the workforce. They adapt, they evolve, but they’re ever present with the same task.. Rarely seen in incident/investigation situations, but actually valuable. Here’s the story of why…{share story} Not to say my experience either supporting audit, or working with clients to help them through an audit, has always been simple. In fact.. Here’s a visual that best describes the cyber functionsd relationship with auditors, or auditees (depending on your perspective) Its not that there is conflict, but there can be the perception of conflict. Audit (especially internal audit) can be seen as challenging. Folks don’t have time, don’t’ want to have time. Have better things to do, that they are measured on. The business – rightly – see’s IA as just another function and ‘we’re all in it together for the greater good of the organization’, but those on the ground don’t alway’s align. It can create….friction.
- …and it’s not surprising. The raft of technology changes that come so rapidly, mean that security and investigative professionals change the way in which they do things, the tools and methods they use, and agile/lean approach's to combat security challenges. We then ask IA to audit those. They don’t always understand them (as they’re new and constantly moving), and the process of auditing becomes frustrating, on both sides.
- The question is asked frequently. Audit want to know why something more measurable might not be in place; The business just assume IA can ‘figure it out’. Compliance requirements help to formalize things, but new requirements are coming continuously they will change the landscape. Mandatory breach reporting across Canada and GDPR – while straightforward in description – will have significant upstream affects when one considers how to comply…effectively and efficiently.
- So where’s this going. Bridging the audit/operations gap by building a true appreciation for each others role is beneficial. Sharing knowledge about the challenges and perspectives from both sides will result in more positive interactions. When considering incidents and investigations, using operational know how AND drawing on audit knowledge where needed could potentially result in the unthinkable….
- A truly collaborative approach! So let me leave you with another short list. If each business unit or party has an appreciation and understanding of the goals, and the challenges faced…things will be better. If ever the opportunity arises to shadow in each others department, do it. Both sides here…accept that cyber approaches now are flexible. They change continuously and traditional approaches need to adapt. Be open to change, and give more time to truly share context around either requirements , architecture, processes etc.. Keep an eye on how others do things. The cyber community is rich with knowledge which is frequently shared. It’s all readily available, so take a few mins a week to understand how things are changing. Don’t assume your way is the right way (it’s just your way). Contribute, don’t just wait to be told. We’re all in it together. We want to protect our organizations in the most sustainable manner. Everyone plays a part, and when things don’t go to plan, or when incidents are occurring it can take the entire team to course correct, put the fires out, and keep moving forward. All under the watchful, and collaborative eye of the audit function