
Incident Response

Presented at InnoTech Dallas 2016. All rights reserved.



  1. How To Avoid a Corporate Meltdown: Create a Security Response Plan Now
     By Mic Martin, President, www.MTCyberC.com
  2. Topics of Discussion
     • Background
     • Policies and Directives
     • Incident Response Plan Components
     • Response Team Roles and Responsibilities
     • Importance of Testing and Practice
     • Information Sharing and Communication
     • Cyber Security Information Sharing Act of 2015
  3. Background
     • 18 years of Information Security expertise: Security Awareness Training, Cross-Sector Collaboration Information Sharing Bridge, Incident Response, Encryption, Policy, and System Security Risk Assessments (C&A)
     • Served in executive leadership roles with the Dept of Defense (DoD), the Dept of Homeland Security (DHS) in Washington D.C., and the Federal Bureau of Investigation (FBI)
     • Trains the FBI on Information Security Subject Matter Areas of Expertise
     • Operation Iraqi Freedom U.S. Air Force Veteran
     • President of MicheTechnology Cyber Consultants, LLC
     • Specializes in:
       – Critical Infrastructure Protection Master: Cyber Threat and Hazard Identification
       – Intelligence Community (IC) Classified Information Systems
       – National Security Systems Risk Assessments
       – Law Enforcement (LE) Sensitive Systems
       – Insider Threat
  4. Policies and Governance
  5. We Are Inextricably Intertwined
     • Hospitals/Medical Facilities IT and Communications
     • Maritime and Power Grid IT and Communications
     • Transportation IT and Communications
     • Emergency Management IT and Communications
     • Defense IT and Communications
     The climate is changing too fast for you to still be doing what you did a year ago in your organizations.
  6. A Good Reputation Is More Valuable Than Costly Perfume
     • Company Reputation
     • Fines for Non-Compliance
     • Fees for Consumer Protection
     • Loss of Business Credibility
     • Higher Insurance Premiums
     • Irreparable Damage or Loss
     • Lawsuits
  7. Incident Response Plan Components
     • Critical Assets – **NEED TO BE IDENTIFIED**
       – Who do they belong to, and who has them?
       – Where are they located?
       – Who has privileged access to them, what type, and what for?
     • What is considered an incident for your company?
       – Human-Caused: Insider Threat, Untrained Staff
       – Natural-Caused: Tornadoes, Floods, Earthquakes
       – Technological-Caused: Power Grid Failure, Transportation Failures
  8. Incident Response Plan Components
     • Require a Formal Incident Reporting System
     • Determine a Category Escalation Matrix
     • Incident Trigger: Employee, Self-Report, Notice
     • Team Roles and Responsibilities
     • Investigation
     • Communication
     • Testing and Practice
     • Maintenance and Updates
  9. Human-Caused Incidents
     • Lost/Stolen Mobile Devices, Laptops, Tablets
     • Unauthorized Software/Hardware Installs
     • Data Leaks/Spills and Breaches
     • Unauthorized/Improper Use of Access
     • Ransomware: Locky, CryptoWall, CryptoLocker
     • Virus Intrusions
     • Insider Threat Turncoats
  10. Escalation Matrix Ideas
     DoD Chairman of the Joint Chiefs of Staff matrix example: CJCSM 6510.01B
  11. Escalation Matrix Ideas
     Dept of Homeland Security matrix example: DHS 4300A
  12. Customary Response Team Members (Info Technology)
     CSIRT-IT, Sanitizing Team, Data Center, Security Operations Center, Server Management, Mainframes, Information Security/Assurance Office, Database Administrator, Vulnerability Assessment, Help Desk, Web Developers, Classified Network, Forensics, Infrastructure Protection Program Manager, Storage & Virtualization, COMSEC Engineers, Malware Analysis, PKI Certificate Authority, Destruction, Penetration Testers, Network & Sys Admin, End Users
  13. Blindspots = Vulnerability (Everyone Else)
     Evidence Response Teams, Supply and Inventory Technicians, Vendors and Contractors, Policy and Governance Office, Privacy/Civil Liberties, Physical Security, Building Owner for Leased Facilities, Inspector General (IG) Office, *FTI-US Treasury, Supervisors and Managers, Facilities Security Officers (FSO)/Clearance Specialists, Human Capital (HR), Legal Office, Media/Public Affairs Office, Finance, OSHA Safety Officers, Law Enforcement, Emergency Management Coordinator, Hospital, Fire Department, Red Cross, Insider Threat, Crisis Management Coordinators, CIRT-Other, Acquisition Office, Cloud Service Provider, Command Centers/Dispatch, City, County, State, Tribal, Federal Agencies, System Owner, Executive Management, Your Customers
  14. Full Team Roles & Responsibilities
     CSIRT-IT, Sanitizing Team, Data Center, Security Operations Center, Server Management, Mainframes, Information Security/Assurance Office, Database Admins, Vulnerability Assessment, Help Desk, Web App, Classified Network, Forensics, Infrastructure Protection Program Manager, Storage & Virtualization, COMSEC Engineers, Malware Analysis, PKI Certificate Authority, Destruction, Penetration Testers, Network & Sys Admin, End Users, Evidence Response Teams, Supply and Inventory Technicians, Vendors and Contractors, Policy and Governance Office, Privacy/Civil Liberties, Physical Security, Building Owner for Leased Facilities, Inspector General (IG) Office, *FTI-US Treasury, Supervisors and Managers, Facilities Security Officers (FSO)/Clearance Specialists, Human Capital (HR), Legal Office, Media/Public Affairs Office, Finance, OSHA Safety Officers, Law Enforcement, Emergency Management Coordinator, Hospital, Fire Department, Red Cross, Insider Threat, Crisis Management Coordinators, CIRT-Other, Acquisition Office, Cloud Service Provider, Command Centers/Dispatch, City, County, State, Tribal, Federal Agencies, System Owner, Executive Management, Your Customers
  15. Testing and Practice Improves Response Time and Avoids a Corporate Meltdown
     Gone are the days when you could simply change the date and replace names in your Security Response Plans.
  16. Practice and Testing Types
  17. Communication
     • Must notify everyone identified in your Response Plan of their roles and responsibilities
     • Annotate contact information: Name, Title, Email, Physical Address, Mailing Address, Desk Phone, Cell Phone, Home Phone, After-Hours Phone, Radio Call Sign, Twitter Handle, Skype ID…
     • Communicate the plan to your staff
     What good is a Security Response Plan if no one knows about it?
  18. Information Sharing of the Plan
  19. Cyber Security Information Sharing Act of 2015
  20. Who’s Going to Update This?!?
     CSIRT-IT, Sanitizing Team, Data Center, Security Operations Center, Server Management, Mainframes, Information Security/Assurance Office, Database Admins, Vulnerability Assessment, Help Desk, Web App, Classified Network, Forensics, Infrastructure Protection Program Manager, Storage & Virtualization, COMSEC Engineers, Malware Analysis, PKI Certificate Authority, Destruction, Penetration Testers, Network & Sys Admin, End Users, Evidence Response Teams, Supply and Inventory Technicians, Vendors and Contractors, Policy and Governance Office, Privacy/Civil Liberties, Physical Security, Building Owner for Leased Facilities, Inspector General (IG) Office, *FTI-US Treasury, Supervisors and Managers, Facilities Security Officers (FSO)/Clearance Specialists, Human Capital (HR), Legal Office, Media/Public Affairs Office, Finance, OSHA Safety Officers, Law Enforcement, Emergency Management Coordinator, Hospital, Fire Department, Red Cross, Insider Threat, Crisis Management Coordinators, CIRT-Other, Acquisition Office, Cloud Service Provider, Command Centers/Dispatch, City, County, State, Tribal, Federal Agencies, System Owner, Executive Management, Your Customers
  21. Response Plan Components Review
     • Identify company critical assets
       – Who has them (System Owner)
       – Where they are located
       – Who has privileged access to them and what type
     • What is considered an incident for you?
       – Human-Caused: Insider Threat, Untrained Staff
       – Natural-Caused: Tornadoes, Floods, Earthquakes
       – Technological-Caused: Power Grid Failure, Transportation Failure
     • Require a Formal Incident Reporting System
     • Determine a Category Escalation Matrix
     • Incident Trigger: Employee, Self-Report, Notice
     • Roles and Responsibilities
     • Investigation
     • Communication and Information Sharing
       – Cyber Security Information Sharing Act of 2015
     • Testing and Practice
     • Maintenance and Updates of the Response Plan
  22. THANK YOU!
     For Incident Response Training Information Contact: Mic Martin, President
     Email: micmartin@mtcyberc.com
     Tel: 469-340-2804
     www.MTCyberC.com
