IR Awakens - WordPress.com

IR Awakens
What's this Talk About?
• Common problems IR teams face
• What actions we took to address them and results.
About me
• Worked in State Law Enforcement (5)
• Manage SOC for USC (11)
• Internet Storm Center Handler (3)
• SANS GSE #76
Environment
Enrollment ~42,000
Fac/Staff FT&PT ~ 18,000
8 Campus System
Distributed IT
• Each Campus
• Each Department
Centrally Manage ~3,000 Desktops
Challenges
• Staff (Projects/IR/Engineering/GRC)
• Slow response time
• Slow time to collect
• Slow analysis
• Distributed environment
• Unnecessary Response
Opportunity for Change
What did we do?
2-year project to implement change
• New technologies
  • SIEM
  • Full Packet Capture
  • Remote IR Tool
  • Data Discovery
• Minimum security standard
  • Data Discovery (All Systems)
  • Remote IR tool (Restricted and Compliance)
New Staff
We doubled our staff
• Added 2 IR staff (5)
• Added 2 GRC staff (3)
• Added 1 PR staff (1)
Training
• SANS
• Product Training
• Tech Talks (Bi-monthly)
• Mentoring
• ~18 Months to get staff self-reliant
Slow Response Time
• Added a SIEM
• Moved from home-grown syslog solution
• Automated prioritization
• More eyes on glass
Slow Analysis
• Changed IR analysis process
• (ISC Post 2016-Aug-24)
[Slide table: data sources (FW Log, IDS, HID, BRO DHCP, Full Packet, SMTP Logs, DNS, NAC, AD, DLP) mapped against incident types (Phish, Web Shell, C&C, Data Exfil, Logged-in user), each cell marked P (Primary) or S (Secondary) to show which source is consulted first for each incident type; the individual P/S cell assignments are not legible in this transcript.]
Slow Analysis
• Reduced the number of whole-disk collections
  • Due to the new remote IR tool
  • Whole-disk only for Compliance, HR, Legal or Confirmed loss
• Full packet capture
  • Quickly determine what happened on the network
Hours Per Incident
Time from Data Collection to Analysis
2013 (2+ Days)
• Try to look up who owned/managed the system (~10k lines)
• Check NAC, DHCP, NMAP
• Contact Admin & Contact User
2015 (Within Minutes)
• Pre-deployed IR tool
• Slightly improved IP mgmt contact
• Network Manager/User isn't informed until after confirmed compromise
Days to Close
Based on 24hrs a Day
Distributed Environment
• Policy requirement for centrally managed tools
• Meeting with and informing Deans and Department heads about what is expected
• Tools that self-update with little overhead
Unnecessary Response
2013
• Relied on admins/users to tell us about sensitive data
• In most cases we investigated all confirmed compromises
2015
• Systems with commodity malware and no sensitive data we typically don't investigate
• Untold number of hours saved
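To make the triage rules on the Slow Analysis and Unnecessary Response slides concrete, here is an added example that is not from the talk or its author: it codifies the "commodity malware and no sensitive data, don't investigate" rule, the "whole-disk only for Compliance, HR, Legal or Confirmed loss" rule, and computes the two metrics the deck charts (hours from detection to analysis, days to close on 24-hour days). The `Incident` fields, function names and all sample cases are this example's own assumptions, not the team's tooling or real cases.

```python
"""Codifying the deck's triage rules and timing metrics (added example, not the team's code)."""
from dataclasses import dataclass
from datetime import datetime
from statistics import fmean
from typing import Optional

# Circumstances under which a full whole-disk collection is still performed (from the deck).
WHOLE_DISK_REASONS = frozenset({"compliance", "hr", "legal", "confirmed_loss"})


@dataclass
class Incident:
    """One confirmed compromise. Field names are this example's own, not the deck's."""
    host: str
    commodity_malware: bool                 # generic/commodity infection vs. targeted activity
    sensitive_data: bool                    # what the data discovery tool found on the host
    reasons: frozenset = frozenset()        # subset of WHOLE_DISK_REASONS
    detected_at: Optional[datetime] = None
    analysis_started_at: Optional[datetime] = None
    closed_at: Optional[datetime] = None


def should_investigate(inc: Incident) -> bool:
    """2015 rule from the 'Unnecessary Response' slide: commodity malware on a host
    holding no sensitive data is cleaned up but not investigated."""
    return not (inc.commodity_malware and not inc.sensitive_data)


def collection_scope(inc: Incident) -> str:
    """Collection method from the 'Slow Analysis' slide: whole-disk only for
    compliance, HR, legal or confirmed loss; everything else via the remote IR tool."""
    if not should_investigate(inc):
        return "none"
    if inc.reasons & WHOLE_DISK_REASONS:
        return "whole_disk"
    return "remote_ir_tool"


def hours_to_analysis(inc: Incident) -> Optional[float]:
    """Hours from detection until analysis could start (the deck's 'Hours Per Incident')."""
    if inc.detected_at is None or inc.analysis_started_at is None:
        return None
    return (inc.analysis_started_at - inc.detected_at).total_seconds() / 3600


def days_to_close(inc: Incident) -> Optional[float]:
    """Days from detection to closure, counted as 24-hour days like the 'Days to Close' chart."""
    if inc.detected_at is None or inc.closed_at is None:
        return None
    return (inc.closed_at - inc.detected_at).total_seconds() / 86400


def summarize(incidents: list) -> dict:
    """Aggregate the metrics a team would report to back up staffing and tooling requests."""
    investigated = [i for i in incidents if should_investigate(i)]
    hours = [h for h in map(hours_to_analysis, investigated) if h is not None]
    days = [d for d in map(days_to_close, investigated) if d is not None]
    return {
        "total": len(incidents),
        "investigated": len(investigated),
        "skipped": len(incidents) - len(investigated),
        "avg_hours_to_analysis": fmean(hours) if hours else None,
        "avg_days_to_close": fmean(days) if days else None,
    }


def sample_incidents() -> list:
    """Constructed sample cases; hostnames and timestamps are made up for this example."""
    d = datetime
    return [
        Incident("lab-pc-01", commodity_malware=True, sensitive_data=False,
                 detected_at=d(2015, 3, 1, 10, 0), analysis_started_at=d(2015, 3, 1, 10, 5),
                 closed_at=d(2015, 3, 1, 12, 0)),
        Incident("hr-ws-07", commodity_malware=True, sensitive_data=True,
                 reasons=frozenset({"hr"}),
                 detected_at=d(2015, 3, 2, 9, 0), analysis_started_at=d(2015, 3, 2, 9, 20),
                 closed_at=d(2015, 3, 3, 9, 0)),
        Incident("web-srv-03", commodity_malware=False, sensitive_data=False,
                 detected_at=d(2015, 3, 4, 14, 0), analysis_started_at=d(2015, 3, 4, 14, 10),
                 closed_at=d(2015, 3, 6, 2, 0)),
        Incident("fin-db-02", commodity_malware=False, sensitive_data=True,
                 reasons=frozenset({"confirmed_loss"}),
                 detected_at=d(2015, 3, 5, 8, 0), analysis_started_at=d(2015, 3, 5, 8, 30),
                 closed_at=d(2015, 3, 9, 8, 0)),
    ]


if __name__ == "__main__":
    for inc in sample_incidents():
        print(f"{inc.host:12} investigate={should_investigate(inc)!s:5} scope={collection_scope(inc)}")
    print(summarize(sample_incidents()))
```

The point of writing the rules down this way is that the skip decision is reproducible and auditable: a host only falls out of scope when both the malware class and the data discovery result say so, and the whole-disk exception is an explicit allow-list rather than analyst judgement on the day.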
Key Takeaways
• Start gathering metrics
• Develop a plan to reduce key metrics
• Have requests ready when incidents happen
  • Submit them more than once (change the date)
• Staff Retention
  • Training
  • Progression Path
  • Quality of Life
What Had the Most Impact
1. Data Discovery Tool
2. Endpoint Forensics
3. Full Packet Capture
4. SIEM
Note: We already had other standard tech in place (FW, SecurityOnion, Syslog)
What's next
• Additional position to manage systems
  • Reduce response time
• Automation of quarantine
  • Reduce response time
• Hunting
  • Better use of and collection of Threat Intel
Special Thanks
• Richard Hackley
• Jonathan Martin
• Brian Payne
• James Perry
• Jeff Whitson
Questions?
@twsecblog
[email protected]
https://github.com/tcw3bb