
Business-driven security lifecycle



Presentation Transcript


  1. Business-driven security lifecycle A New Plan for Chaos

  2. Picture, if you will…
     Security Patrol → Broken Window → Report & Escalate → Record & Assess → Follow Trail → Schrödinger's Safe → Police Investigate → Brief Leadership

  3. AGENDA
     • Business-Driven Security Lifecycle
     • Plan for Chaos
     • Why Hunting Matters
     • Essential Roles of Incident Response (IR)
     • How IR Differs from Security Operations
     • Next Steps
     Sean Griesheimer, Senior Systems Engineer, RSA NetWitness Suite, Sean.Griesheimer@rsa.com

  4. BUSINESS-DRIVEN Security Lifecycle
     • Measure Risk (Governance)
     • Simplify Controls (Operations)
     • Plan for Chaos (Detection & Response)

  5. BREACH! BREACH! They’re everywhere!

  6. Plan for Chaos
     • Create a Risk Register with Critical Assets and Threat Priorities.
     • Align Defense-in-Depth (DiD) to mitigate Threat Priorities.
     • Cultivate Threat Intelligence for Threat Priorities that bypass DiD.
     • Develop Use Cases to Detect Threats that bypass DiD.
     • Establish an Incident Response Plan around your Threat Priorities.
     • Define Playbooks for your Use Cases.
     • Operationalize Playbooks for Incident Handling.
     • Hunt for Anomalies that exist outside your Playbooks.
     • Exercise Playbooks through Simulation/TTX for readiness.
     • Assess resilience to threats with Gap Analysis.
     Slide callouts: IR Noise Reduction; Easy Button; Wishful Thinking; Daily Operations; Where the real threats are; Methodology and discipline

  7. Why hunting matters
     Flowchart, starting from a Critical Asset:
     • Decision: Defense-in-Depth Prevented? (YES / NO)
     • Decision: Playbook Detected? (YES / NO)
     • Labels: DWELL TIME (twice), Active Threat, Threat Hunting, Security Operations, Incident Response

  8. OPERATIONAL ROLES OF INCIDENT RESPONSE
     • Threat
       • What threats are of concern?
       • What data feeds provide necessary information?
       • Which threat records are valid?
     • Content
       • What is the logic necessary to identify threats?
       • Which tools are required to identify threats?
       • What are the rules/parsers/alerts required?
     • Playbooks
       • Validated, tuned alerts
       • Execute standard procedures
       • Escalate if the playbook does not identify remediation
     • Hunting
       • 90% Proactive investigations
       • 10% Triage escalations
       • Inform Threat of new findings

  9. Security operations vs incident response
     CIRT Incident Response
     • Preparation
       • Roles & Responsibilities
       • Communications Plan
       • IR Workflow
     • Detection & Analysis
       • Incident Classification
       • Use Case Methodology
       • Incident Prioritization
     • Response Procedures
       • Identify Remediation Plan
     • Containment
       • Execute Remediation Plan
       • Evidence Handling
     • Eradication & Recovery
       • Execute Remediation Plan
       • Recover Data & Operations
     • Post-Incident Review
       • After Action Report & Lessons Learned
     SOC Security Operations

  10. Next steps How do we realize these objectives…tomorrow?

  11. Threat detection and response
     • Technology is only an enabler…
     • What kind of people do we need?
     • What processes do we need?
     • How do we retain them?
     • How do we build a career path?
     • How is this different from what we're already doing?
     • What kind of education do we need?

  12. Additional Steps
     • PROGRAM DEVELOPMENT
       • How do we orient staff and test capabilities?
       • Annual Tabletop Exercises (TTX) for orientation
       • What does our process framework look like?
     • THIRD-PARTY ESCALATION
       • Where do we go when we have a major incident?
     • SKILL DEVELOPMENT
       • How do we maintain our skills and focus?
       • How do we educate our staff?
     Slide callouts: Planning; Retainer; Education; Incident Response is more than just a plan

  13. What We Covered Today
     • Business-Driven Security Lifecycle
     • Plan for Chaos
     • Why Hunting Matters
     • Essential Roles of Incident Response (IR)
     • How IR Differs from Security Operations
     • Next Steps
     Thank you
     Sean Griesheimer, Senior Systems Engineer, RSA NetWitness Suite, Sean.Griesheimer@rsa.com