
Business-driven security lifecycle


  1. Business-Driven Security Lifecycle: A New Plan for Chaos

  2. Picture, if you will…
  A physical-security walk-through, step by step: Security Patrol → Broken Window → Report & Escalate → Record & Assess → Follow Trail → Schrödinger's Safe → Police Investigate → Brief Leadership.
  Why Not Cyber?

  3. AGENDA
  • Business-Driven Security Lifecycle
  • Plan for Chaos
  • Why Hunting Matters
  • Essential Roles of Incident Response (IR)
  • How IR Differs from Security Operations
  • Next Steps
  Shane Harsch, MBA, GCIA, GCIH, GCED, CISSP; Senior Solutions Principal, RSA Risk & Cybersecurity Practice; SANS Mentor; shane.harsch@rsa.com

  4. RSA Business-Driven Security Lifecycle (diagram)
  The lifecycle on the slide runs Measure Risk → Defense-in-Depth → Plan for Chaos, with an RSA product mapped to each segment:
  • Governance: RSA Archer Suite
  • Risk Intelligence / Fraud Detection: RSA Fraud & Risk Intelligence Suite
  • Security Controls / Operations: RSA SecurID Suite, RSA Identity Governance & Lifecycle
  • Detection & Response: RSA NetWitness Suite

  5. BREACH! BREACH! They’re everywhere!

  6. Plan for Chaos
  • Create a Risk Register with Critical Assets and Threat Priorities.
  • Align Defense-in-Depth (DiD) to mitigate the Threat Priorities.
  • Cultivate Threat Intelligence for Threat Priorities that bypass DiD.
  • Develop Use Cases to detect threats that bypass DiD.
  • Establish an Incident Response Plan around your Threat Priorities.
  • Define Playbooks for your Use Cases.
  • Operationalize Playbooks for Incident Handling.
  • Hunt for anomalies that exist outside your Playbooks.
  • Exercise Playbooks through Simulation/TTX (tabletop exercise) for readiness.
  • Assess resilience to threats with Gap Analysis.
  Slide callouts alongside the steps: IR Noise Reduction; Easy Button; Wishful Thinking; Daily Operations; Where the real threats are; Methodology and discipline.

  7. Why hunting matters
  The flowchart on the slide reads: Active Threat → Defense-in-Depth prevented? YES: handled by Security Operations. NO (dwell time begins) → Playbook detected? YES: handled by Incident Response. NO (dwell time continues): the threat proceeds toward the Critical Asset, and Threat Hunting is the only control covering that gap.

  8. Jargon Check — What is an Incident?
  • CIRT vs SOC: the CIRT (Critical Incident Response Team) handles incident response; the SOC (Security Operations Center) handles security administration of security controls.
  • Events: log records, network sessions.
  • Incidents (physical example: broken window): events or collections of events with indicators that align with threat priorities; require investigation, resulting in remediation.
  • Declared Incidents (physical example: broken window with evidence it was a burglar): incidents that indicate the potential for loss; require leadership notification.
  • Breach (physical example: the path from the window leads to a safe that is now empty): evidence of loss; requires activation of the Executive Response plan, which extends the operational Incident Response plan.
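The three slides above describe a risk register of critical assets and threat priorities (slide 6), dwell time between an undetected threat and its discovery (slide 7), and a four-rung ladder from event to breach with a required action at each rung (slide 8). The following is an added example, not code from the deck or from RSA, that turns that ladder into a triage routine and runs it over a constructed batch of events. The asset names, indicator strings, timestamps and the two analyst flags (potential_loss, evidence_of_loss) are assumptions made for the illustration.

```python
"""Added example (not from the RSA deck): apply the event -> incident -> declared
incident -> breach ladder to a constructed batch of events, keyed on a risk
register of critical assets and threat priorities, and report dwell time as the
gap between the first matching event and the moment a playbook or hunt caught it.
All names, indicators, timestamps and analyst flags below are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed risk register: critical asset -> threat priorities that apply to it.
RISK_REGISTER: Dict[str, Set[str]] = {
    "finance-db-01": {"ransomware", "data-exfiltration"},
    "hr-fileshare": {"data-exfiltration"},
}


@dataclass
class Event:
    ts: datetime
    asset: str
    indicator: str                  # the detection use case / content that fired
    potential_loss: bool = False    # analyst judgement: could this lead to loss?
    evidence_of_loss: bool = False  # confirmed loss (data gone, funds moved, ...)


@dataclass
class Triage:
    level: str                      # "event" | "incident" | "declared" | "breach"
    required_action: str
    dwell_time: Optional[timedelta] = None


def classify(events: List[Event], detected_at: datetime) -> Triage:
    """Climb the ladder; each rung presupposes the rung below it."""
    # Incident: an indicator aligned with a threat priority for a critical asset.
    matched = [e for e in events if e.indicator in RISK_REGISTER.get(e.asset, set())]
    if not matched:
        return Triage("event", "record and assess; no investigation required")
    # Dwell time: how long the threat was active before detection.
    dwell = detected_at - min(e.ts for e in matched)
    if any(e.evidence_of_loss for e in matched):
        return Triage("breach", "activate Executive Response plan (extends the IR plan)", dwell)
    if any(e.potential_loss for e in matched):
        return Triage("declared", "notify leadership; continue the IR playbook", dwell)
    return Triage("incident", "investigate and remediate per playbook", dwell)


# Constructed sample: the "broken window" story told in cyber terms.
T0 = datetime(2017, 6, 1, 8, 0)
SAMPLE_EVENTS = [
    Event(T0, "finance-db-01", "port-scan"),                               # noise
    Event(T0 + timedelta(hours=2), "hr-fileshare", "data-exfiltration"),   # broken window
    Event(T0 + timedelta(hours=5), "hr-fileshare", "data-exfiltration",
          potential_loss=True),                                            # burglar's trail
]

if __name__ == "__main__":
    for n in range(1, len(SAMPLE_EVENTS) + 1):
        t = classify(SAMPLE_EVENTS[:n], T0 + timedelta(hours=6))
        print(f"{n} event(s): {t.level:8} dwell={t.dwell_time} -> {t.required_action}")
```

The two analyst flags are deliberately inputs rather than something the code infers: the deck's ladder escalates on judgement (potential for loss) and on evidence (confirmed loss), and a playbook should record who made that call. Dwell time is measured from the first event that matched a threat priority, not from the first event of any kind, which is what makes the port-scan noise irrelevant to the metric.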

  9. OPERATIONAL ROLES OF INCIDENT RESPONSE
  • Threat
    • What threats are of concern?
    • What data feeds provide the necessary information?
    • Which threat records are valid?
  • Content
    • What logic is necessary to identify threats?
    • Which tools are required to identify threats?
    • What rules/parsers/alerts are required?
  • Playbook
    • Validate tuned alerts
    • Execute standard procedures
    • Escalate if the Playbook does not identify remediation
  • Hunting
    • 90% proactive investigations
    • 10% Playbook escalations
    • Inform Threat of new findings

  10. Operations and response: IR and SOC share the effort
  The slide lays the NIST 800-61r2 Incident Response Lifecycle across two columns, CIRT (Incident Response) and SOC (Security Operations):
  • Preparation: Roles & Responsibilities; Communications Plan; IR Workflow
  • Detection & Analysis: Incident Classification; Use Case Methodology; Incident Prioritization; Response Procedures; Identify Remediation Plan
  • Containment, Eradication & Recovery: Execute Remediation Plan (appears once per column); Evidence Handling; Recovery
  • Post-Incident Activity: After Action Report & Lessons Learned

  11. Next steps: How do we realize these objectives…tomorrow?

  12. A New Plan for Chaos (stage 1): Essential Foundations, 30-day Quick Wins
  Ten steps, each paired with the engagement that delivers it:
  1. Identify scope of IR objectives (Incident Readiness Workshop)
  2. Retainer w/RSA (or 3rd party) (IR Retainer)
  3. Define initial plan (Initial IR Plan)
  4. Deploy endpoint visibility tool (Endpoint Detection & Response (EDR) Implementation)
  5. Co-hunting w/RSA (or 3rd party) (IR Hunting Orientation)
  6. Train for the EDR product from step 4 (EDR Training)
  7. Train for incident handling (Incident Handling Training)
  8. TTX for orientation to the IR Plan (IR TableTop Exercise)
  9. Train to be an analyst (Operational Cyber Intel Training)
  10. Identify next roadmap (Next Steps Workshop)
  Timeline (maturity increases left to right): Day 1–10 Engagements kick-off; Day 11–20 Training & Knowledge Transfer; Day 21–30 IR Plan & Hunting in Place.
  Customer evolution: Planning ("Yes, I have an IR plan") → Execution ("Yes, I have advanced defenses") → Evolution ("Yes, I know my next steps").

  13. RSA Risk & Cybersecurity Practice: A Portfolio for Readiness, Response and Resilience
  • Incident Response: Incident Response Retainer | Incident Discovery | Incident Response | IR Hunting Services | Breach Management | NSA CIRA Accredited
  • ASOC Design & Implementation: Future State Design | Technology Acquisition | ASOC Implementation | Residencies & Education Services
  • Incident Response Program Development: Incident Management Lifecycle Development | Threat Detection Use Case Development | Metric and KPI Modeling
  • Cyber Threat Intelligence Program Development: Portal Implementation & Customization | Threat Intel Roadmap | Threat Research
  • Security Readiness and Strategy: Current State & Gap Analysis | Maturity Modeling | NIST CSF Roadmap Development

  14. What We Covered Today
  • Business-Driven Security Lifecycle
  • Plan for Chaos
  • Why Hunting Matters
  • Essential Roles of Incident Response (IR)
  • How IR Differs from Security Operations
  • Next Steps
  Thank you. Shane Harsch, MBA, GCIA, GCIH, GCED, CISSP; Senior Solutions Principal, RSA Risk & Cybersecurity Practice; SANS Mentor; shane.harsch@rsa.com
