2. Agenda
• Introduction
• Incident Type Definition
• Function Based Alerting
• Asset Classification
• Streamlined Ticket and Severity
• Steps to Function Based Alerting
• Streamline Incident Response
• Benefits
• Conclusion
3. Introduction
Diagram: Typical Integrated Security Monitoring System
Feeds: HIDS, IDS, Platforms, AV, Proxy/Firewall, FIM, SIEM, SCM, VA, Dashboard
Proactive and Reactive sides of the system
5. Introduction
Diagram: Incident Ticket, Identified Security Incident
Server XNXYY, Windows Platform
Alert: Success After X Failed Logins from IP
Alert Severity ?? Send Ticket to Windows Support
The Problem Scenario
• First responders confused
• Ticket sent to Windows group; after a few days sent to Security Operations
• Security operations confused where this came from and what the severity is anyway
6. Incident Type Definition
Criteria for defining incident types to achieve streamlined incident response
• Following industry guidelines
– NIST, Carnegie Mellon, SANS
• Understandable
• Reportable
• Comprehensive set ‐ but not too many!
• Easily applied to security tools
• Manageable
7. Incident Type Definition
(Table columns: Incident Type | Examples | Security or Privacy Breach | Notes)

Unauthorized Access
• Examples: CORPORATE personnel gain logical or physical access without permission to network, system, application, data, facilities or other resource, e.g. hacking CORPORATE managed systems or third party managed systems; lost Blackberry or laptop. External agent gains logical or physical access without permission to network, system, application, data, facilities or other resource, e.g. hacker, intruder.
• Security or Privacy Breach: Compromise (Theft/Removal, Destruction, Modification, Copying, Use)
• Notes: All unauthorized access incidents should be handled using prescribed CORPORATE incident response operational processes. In such an event, internal processes for investigation and possible disciplinary or criminal charges may apply.

Unauthorized Disclosure
• Examples: CORPORATE employee (IT or non-IT personnel) discloses sensitive data to unauthorized persons; may be in any form of correspondence including oral. CORPORATE client (IT or business personnel) discloses confidential data to unauthorized CORPORATE employees. CORPORATE client (IT or business personnel) discloses confidential data to third parties. Granting read, write or delete privileges to individuals whose duties do not require such privileges.
• Security or Privacy Breach: Compromise (Theft/Removal, Destruction, Modification, Copying, Use); Disclosure of financial, finance reports, credit card related and personal information
• Notes: In the case of unauthorized disclosure by a CORPORATE employee, internal processes for investigation and possible disciplinary action may apply. There might be insufficient restrictions on access privileges for financial, finance reports, credit card related and personal information.

Unauthorized Collection
• Examples: CORPORATE application uses data matching or other process to collect financial, finance reports, credit card related and personal information without consent or knowledge of the information owner. CORPORATE non-IT personnel: collection or use of financial or personal information for purposes other than verification. External agent collecting the information from logical or physical CORPORATE infrastructure.
• Security or Privacy Breach: Collecting financial, finance reports, credit card related and personal information without identifying the purpose
• Notes: Potential problem normally identified in SRA or audit. Process controls should be corrected once the incident is identified.

Unauthorized Disposal
• Examples: Information such as financial or required finance reporting information not retained in accordance with CORPORATE standard requirements.
• Security or Privacy Breach: Unavailability of financial or required restricted and confidential information; unavailability of personal information
• Notes: Policy and process for retention and disposal schedules is required.

Unauthorized Use
• Examples: CORPORATE application or a user uses data mining or other process for purposes other than those defined. Unauthorized correlation of information. CORPORATE non-IT personnel: use of financial or personal information for purposes other than those defined.
• Security or Privacy Breach: Use of financial, finance reports, credit card related, personal information and any other confidential or restricted information
• Notes: Policy should be defined for the application; its function should be enumerated.
8. Incident Type Definition
(Table columns: Incident Type | Examples | Security or Privacy Breach | Notes)

Infrastructure Attack
• Examples: An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources, e.g. distributed denial of service attack or active WLAN attack.
• Security or Privacy Breach: Unavailability
• Notes: Unavailability of financial, finance reports, credit card related and personal information must be reported and notification must take place in accordance with CORPORATE standard requirements. SLAs should identify reporting requirements.

Malicious Code and Malware
• Examples: A code-based malicious entity (virus, worm, trojan horse, malformed applet, rootkit, time-bombs etc.) that infects or destroys a host.
• Security or Privacy Breach: Compromise (Theft/Removal, Destruction, Modification, Copying, Use); Unavailability
• Notes: See above; corruption or compromise of financial, credit card and personal information requires detection and reporting.

Infrastructure Vulnerabilities (found during vulnerability management process)
• Examples: Any found critical vulnerabilities that expose critical financial and personal information.
• Security or Privacy Breach: May cause unavailability, or loss of financial or personal information that is deemed confidential or restricted
• Notes: Possible unavailability of financial, finance reports, credit card related and personal information must be dealt with promptly.

Compliance Specific
• Examples: CEO&CFO key controls and PCI key controls that could not be classified as one of the incident type categories specified in this matrix.
• Security or Privacy Breach: CORPORATE exposed to a non-compliant environment and may incur penalties
• Notes: Impact to financial bottom line and possible executive prosecution.

System Health Specific
• Examples: Specific to each operational tool with specific health incidents. Security tools can have specific issues that may impact security monitoring.
• Security or Privacy Breach: Security monitoring unavailable
• Notes: Impact to the security group's ability to detect incidents and increased risk to the organization. Business is not impacted, but monitoring must be restored as soon as possible.
9. Function Based Alerting
(Table columns: Incident Type | Alert Scenario | Events)

Incident Type: Unauthorized Access
• Alert Scenario: x failed logins by a user in y mins
  Events: Windows, AIX, HP-UX, DB, ACS, Security Tools NIC, Checkpoint FW, Mainframe and Wireless Switch failed login attempts
• Alert Scenario: Success after X failed logins by IP
  Events: Windows, AIX, HP-UX, DB, RADIUS, Security Tools NIC, Checkpoint FW, Mainframe and Wireless Switch failed login attempts
• Alert Scenario: Successful login as the built-in administrator account has been detected
  Events: Windows, AIX, HP-UX, DB, RADIUS, Security Tools, Checkpoint FW, Mainframe and Wireless Switch logins
10. Asset Classification
Asset Group    Importance (Availability)   Integrity   Confidentiality   Vulnerability
CKA & PCI      10                          10          10                1
CKA            8                           8           8                 1
PCI            8                           8           8                 1
Production     6                           6           6                 1
QA             3                           3           3                 1
Development    3                           3           3                 1
LEGEND:
Low 1-3
Medium 4-6
High 7-8
Very High 9-10
Align incident response urgency to the business for resolution
11. Streamline Incident Ticket & Severity
Diagram: Incident Ticket, Identified Security Incident
Server XNXX, Windows Platform, Classified 10 CIA V1
Unauthorized Access: Success After X Failed Logins per IP, Severity Level 2
The Efficient Scenario of Function Based Alerting
• First responders know what type of ticket it is
• Ticket sent to Security Operations with proper severity level
• Security operations understand server classification and take appropriate action
12. Streamline Incident Ticket & Severity
Diagram: Incident Tickets, Identified Multiple Security Incidents
• Server XNXX, Windows Platform, Classified 10 CIA V1: Unauthorized Access, Success After X Failed Logins per IP, Severity Level 1
• Server UNYY, UNIX Platform, Classified 10 CIA V1: Unauthorized Access, Success After X Failed Logins per IP, Severity Level 1
The Real Life Benefit of Function Based Alerting
• First responders saw two severity 2 alerts and one severity 1 alert from the SIEM: automatic escalation
• Alert escalated to Security Operations with proper severity level
• Security operations take the incident seriously and engage the severity 1 level response team
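As an added example (not code from the deck): the "Success after X failed logins by IP" scenario from the Function Based Alerting slide, evaluated over constructed, already-normalized events from two platforms, with each alert then tagged from the Asset Classification legend. Host names XNXX and UNYY come from the deck; DEV01, the event lines, the threshold x=2, the 5-minute window and the severity mapping (Very High asset gives Level 2, one source IP succeeding on two or more Very High assets escalates to Level 1) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Asset classification per the slide (CIA score, Vulnerability); DEV01 is a constructed low-value asset.
ASSETS = {"XNXX": {"cia": 10, "vuln": 1}, "UNYY": {"cia": 10, "vuln": 1}, "DEV01": {"cia": 3, "vuln": 1}}

# Constructed login events already normalized by the SIEM: time host outcome user source_ip
EVENTS = """\
2024-01-01T10:00:01 XNXX FAIL bob 203.0.113.5
2024-01-01T10:00:07 XNXX FAIL bob 203.0.113.5
2024-01-01T10:00:20 XNXX SUCCESS alice 203.0.113.5
2024-01-01T10:01:02 UNYY FAIL root 203.0.113.5
2024-01-01T10:01:09 UNYY FAIL root 203.0.113.5
2024-01-01T10:01:30 UNYY SUCCESS root 203.0.113.5
2024-01-01T10:05:00 DEV01 FAIL dev 198.51.100.9
2024-01-01T10:05:05 DEV01 FAIL dev 198.51.100.9
2024-01-01T10:05:12 DEV01 SUCCESS dev 198.51.100.9
"""

def legend(score):
    # Slide 10 legend: Low 1-3, Medium 4-6, High 7-8, Very High 9-10
    return "Low" if score <= 3 else "Medium" if score <= 6 else "High" if score <= 8 else "Very High"
def success_after_failures(text, x=2, window=timedelta(minutes=5)):
    """Alert scenario 'Success after X failed logins by IP', tracked per (host, source IP)
    so that failures against different accounts from one IP still count together."""
    fails, alerts = defaultdict(list), []
    for line in text.splitlines():
        ts, host, outcome, user, ip = line.split()
        t, key = datetime.fromisoformat(ts), (host, ip)
        fails[key] = [f for f in fails[key] if t - f <= window]   # drop failures outside the window
        if outcome == "FAIL":
            fails[key].append(t)
        elif len(fails[key]) >= x:                                 # success after >= x failures
            alerts.append({"type": "Unauthorized Access", "host": host, "ip": ip, "user": user})
            fails[key] = []
    return alerts

def assign_severity(alerts):
    """Assumed mapping, not stated on the deck: Very High asset -> Level 2, else Level 3;
    one source IP succeeding on two or more Very High assets escalates those alerts to Level 1."""
    hit = defaultdict(set)                                         # source IP -> Very High hosts hit
    for a in alerts:
        a["classification"] = legend(ASSETS[a["host"]]["cia"])
        if a["classification"] == "Very High":
            hit[a["ip"]].add(a["host"])
    for a in alerts:
        a["severity"] = 2 if a["classification"] == "Very High" else 3
        if a["classification"] == "Very High" and len(hit[a["ip"]]) >= 2:
            a["severity"] = 1
    return alerts
```

Running `assign_severity(success_after_failures(EVENTS))` yields Level 1 tickets for XNXX and UNYY (same source IP on two Very High assets) and a Level 3 ticket for the Low-classified DEV01.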
13. Steps to Function Based Alerting
• Align incident types and function based alerting across all security tools
– Start first with the SIEM, then add IDS, HIDS
– Align vulnerability tools: VA, Secure Configuration Management, File Integrity Management
• By aligning threat and exposure, achieve quantitative operational risk metrics
• Align Risk & Governance with security operational risk using the same threat and vulnerability function based alerting
14. Streamline Incident Response
Standardized approach for incident investigation, containment and resolution is achieved by:
• Function Based Alerting
• Detailed, standardized information supporting 1st and n-level responders
Enabling efficient and effective security operations:
• Consistent severity assignment
• Consistent investigation
• Consistent resolution
15. Benefits
• Aligned security incident types to actions by incident responders
• Structured incident types approach enables completeness check on alert set
• Efficient and streamlined security incident detection and response
• Minimizes gaps in detection capability across security tools
• Standardized baseline approach for statistical incident analysis
• Structured approach to threat modelling
• Facilitates identification of new and enhanced security controls
16. Conclusion
• Statistical analysis of incidents
• Straightforward threat modeling
• Consistent operational security reporting
• Foundation for enhanced:
– Preventative controls
– Detective controls
Diagram: PROACTIVE (Improve Posture) and REACTIVE (Incident Response); Balance Investment Against Risk Appetite