10 Steps to Better Security Incident Detection


Hello everyone and welcome to today's webcast, Ten Steps to Better Security Incident Detection, with Brian Honan, leading information security consultant. I'm Marion, with Tripwire, your moderator and host. Before we begin the presentation I'd like to run through a few housekeeping questions. If you would like to ask any questions during the webcast, please do so by clicking on the Questions tab at the top of your screen. All questions are directed to the presenter and cannot be viewed by the live audience; they will be collated and answered at the end of the presentation. If you'd like to leave any feedback at the end of the presentation then please do so by clicking on the Ratings tab. I'd now like to introduce your presenter, Brian Honan. Brian is recognised internationally as an expert in the field of information security and has worked with numerous companies in the private sector and with government departments in Ireland, Europe and throughout the United Kingdom. He has also provided advice to the European Commission on matters relating to information security and is on the advisory board for a number of innovative information security companies. I'd like to welcome Brian and I hope you enjoy the presentation.

Thanks Marion, and good morning everybody, and thank you for taking time out of your busy days to attend the webcast. So what we're going to talk about today is the ten steps to better security incident detection. I suppose the reason we have to think about these things is because, just like everybody else in the world, there are two certainties in life, death and taxes, but for those of us who are involved in information security, at some stage in our career, wherever we're based, we're going to suffer a security breach. So being prepared for a security breach is important, but I think equally as important, if not more so, is having early indications that we've got a security breach, because the sooner we know about a breach the sooner we can react, the sooner we can react the sooner we can contain the breach and reduce the impact and damage that it may cause.


So, you know, all our systems are under constant threat. We have the traditional threats: spyware, phishing, hackers, spam coming in, viruses, Trojans. We're constantly being bombarded by various different external attacks, and internal threats as well. We have careless users who may lose USB sticks or leave laptops lying around; we may have IT teams who make configuration changes to systems, leave a security hole open, and we end up with a security breach; application security may not be dealt with properly in the applications we deploy, resulting in a security breach through SQL injection into the web application. So we as security professionals have to keep an eye on what's going on, and the threats are evolving. They have changed over quite a number of years, and I've seen that both in my own business, the consulting side, but I also run and head Ireland's computer emergency response team, and we have seen the number of attacks against organisations increase and the types of target change over time as well.

So I suppose, historically speaking, back in the mid-80s when most computers were still mainframe-based or mid-range computing based, the threats weren't a whole lot; there were barely any attacks, or maybe "attack" is too strong a word. It was more research or experimentation being done out of curiosity, really, to see how these computer systems worked and where the weaknesses in those systems were, not necessarily to exploit them for any financial gain but more so to see "there's a problem in the computer, let's see how we can fix it". That kind of worked through the eighties. On to the late 80s, people started going "well, maybe I can become famous from this, maybe I can become a bit more well known because I hacked into such a website or area", and that was pretty stable through the early 90s. Then as the Internet grew we saw more hackers coming out, people still looking for personal fame, but maybe, you know, criminal elements getting involved. In the late nineties that was very much individuals or a group of individuals just seeing opportunities, hacking into websites and trying to get money out of us. So we see that change, and since the turn of the century, and in particular in the last two or three years, the crime gangs are getting a lot more heavily involved: organised crime. So the attacks have become more sophisticated and more targeted. We still have to worry about the other threats, such as the curious hacker and the script kiddies, but criminals are getting heavily involved, and we also have threats facing us now from international spies, be that at the corporate level or the government level as well. So the threats we're facing are increasing all the time. We have the traditional threats that are still around, but we also have many new threats coming along, and in the last 12 to 18 months we have indeed been seeing the rise, or the resurgence, of hacktivism, where groups like Anonymous, LulzSec et cetera have, you know, lashed out at targeted companies for very different reasons: to expose bad security in them, or to support their cause in some way, shape or form, and that has resulted in bad press or bad issues for the affected organisations.

Our traditional security model as well has also focused on the perimeter. We've been very good at perimeter security: we put in firewalls, we put in intrusion detection systems, we protect our perimeter quite well, we put locks on our doors and our windows, security guards on our data centres. So our perimeter may be quite strong, but how we do business is changing and how our organisations do business is changing. We now have cloud computing, we now have people using mobile devices, we're trying to put in extranets and intranets with different partners and different companies and customers, so we're making our data available to more and more entities, and the perimeter is slowly crumbling away, and our focus on that has to change as well. Interestingly, if we look at

any analysis of breach detections and security breaches, and in particular if we use the Verizon Data Breach Investigations Report from 2012, they highlight a number of interesting, if not worrying, trends that we should be aware of. Firstly, one of the things they show is that ninety-two percent of incidents that organisations suffered were not detected by those organisations but were detected by third parties, be that customers, be that they were informed by partner companies, a hosting provider or a supplier, or indeed being informed by law enforcement that they've actually suffered a security breach. So that's quite a large number of companies that were not aware they'd had a security breach. The time it takes to discover security breaches is what is quite worrying, in that in eighty-five percent of those incidents it took more than a week for the incident to become known to the organisation. So think about that: there's at least a week there, for eighty-five percent of those companies, where the attackers have free rein inside the systems and can maybe establish a larger beachhead to break into other systems, to compromise more systems and steal more data, or cause more damage. So that's quite a large number and a worrying statistic as well: it takes on average over a week for an organisation to detect a security incident. Equally worrying is that ninety-seven percent of those breaches could have been avoided using simple controls. So the media headlines we see about advanced persistent threats or cyber warfare, cyber terrorism, all these hyped-up events, they're probably not what we should be focusing on. The focus should be more on the simple things, on the basics, using the normal controls. Ninety-seven percent of all incidents reported into the Verizon Data Breach Investigations Report could have been avoided, and the difficulty of exploiting those weaknesses was rated as not difficult.

So the problem we have to think about here is: what's going wrong? Why are we so bad at incident detection? Some of the examples we have here are quite famous ones, and indeed these are just to name maybe a few of the more well-known ones, but these incidents highlight again how not detecting an incident early on and not reacting quickly can lead to bad PR or damage and other damages to organisations. So DigiNotar, for example, were a certificate authority based out of Holland, and they got breached by an attacker who gained access to their certificate service and was able to issue certificates under any organisation name the attacker wanted. So he created certificates for Skype, for Gina, for Microsoft and lots of other organisations, potentially to use in man-in-the-middle attacks against various different people, and indeed the majority of people who were compromised with those certificates were based in Iran. Now the impact of that security breach went on for months; DigiNotar were not aware of having been breached for nearly two months, and as a result of that breach, and subsequently the various different browser manufacturers not trusting DigiNotar certificates anymore, DigiNotar went out of business. TK Maxx three years ago announced they had had a major security breach, and again the attackers were in those networks for a number of months before they were detected. Sony suffered numerous attacks last year and the previous year as a result of Anonymous setting their sights on them, and again those breaches, in many cases the large breaches, went undetected for quite a while. RSA suffered a breach this time last year, where attackers were able to infiltrate RSA's network by using a phishing email with an Excel attachment which, when opened, exploited a vulnerability, but again it went a few weeks before being detected and before RSA were able to respond. And the final example there is VeriSign, again another certificate authority, now owned by Symantec. Symantec, in its annual SEC report, which is the report Symantec has to give to the US Stock Exchange Commission to highlight any major issues or risks to the business, put one item in the report that their VeriSign subsidiary had suffered a security breach for a number of months before they were aware, which, they said, did not affect their certificate authority systems and was a non-crucial system, but again another instance of an incident not being detected for quite a number of weeks.

So why are we so bad at detecting incidents? You know, what is wrong? Are we using the wrong tools? Are they not fit for purpose? Are we not working properly? Can we not analyse the information properly? So there's a lot of questions I think we have to look at

and say, well, why is it that we're so bad at detecting these incidents, and what can we do to fix it? One of the problems I think we have is the sheer volume of information that we face. If you look at any system that you're deploying out there, there are log files available on every system: your firewalls, your servers, your routers, switches, PCs, applications, network audit logs, your other systems. All these systems are spewing out data in huge volumes, and that can be a problem because it results in our security analysts maybe drowning in too much data. There's just so much information that we can't get a grasp on the problem, and I think this leads to what I would like to call the Rumsfeld effect. If we remember the infamous US vice president once talking about how there were known unknowns, and we know what the unknowns are but we don't know what the unknowns are: if you look at it that way, we have so much data at our fingertips, but maybe do we have too much? Are we looking in the wrong areas? Do we not know what we're supposed to be looking for? What is the problem? So we end up with this huge confusion and amount of information that we just can't cope with, which can result in you, being responsible for information security, being the one that is in the line of fire. So an attacker gets through and compromises the systems, and because we have failed to deal with the issue or detect it earlier on, the blame is shifted to us as opposed to where the real issue is.

So what I'm trying to do is look at what ways we can address this problem. So how do we make things better, how do we make things more secure, how do we improve our incident response, how do we reduce that one-week detection right down to hopefully days, if not hours? How do we ensure that we're the ones who are aware of what our security incidents are, and not third parties? The following ten steps are ways that I think we can exploit to better enhance our incident detection and response capabilities. So what we want to do is detect the incidents as early as possible; the earlier we detect them, the better we can respond, and the impact can be minimised as much as possible as well. So the first thing I

would suggest is that we need to understand our business. When I say our business, you know, even if you're working in a government department or in a university or education establishment, what I mean by business is: what does your organisation do? What does it do to survive? What is its bread and butter? How is the business organised? Where are the ebbs and flows in business activities? So, you know, for a certain business there may be huge amounts of activity around the end of each quarter as sales records have to be put in place, or there may be product launches or press announcements that are going to happen. How often do these happen, and how aware are you of how that goes on? You know, are you aware of when your organisation is going to make a major press announcement? Is it going to sponsor something? Is it going to announce a new product? Is it going to change its business? These things can be triggers that could maybe make you a target for somebody to attack you. Again, taking the hacktivist viewpoint: your organisation issues a press release, they don't like the content, and they organise an online protest against your organisation as a result. If you're not prepared for that, well then your response is not going to be as well prepared as it should be. But also, how does your organisation work on a day-to-day basis? You know, what are the patterns the people in the business work to? Do you have a lot of remote users? Do you have branch offices? Are there ebbs and flows in when people are more active and not active? So, for example, have you got people in your accounts department that work remotely? Well, if you don't, and you see user IDs belonging to the accounts department logging in remotely on a Sunday morning, well then that should trigger an alert. You know, it could be legitimate business use, but at least if you're aware of it you can investigate and figure out what steps to take. And so the first step I would suggest is: understand your business and appreciate what your business is doing, and it doesn't need to be too much hard work. A good way to do that would be to contact your peers: go to the heads of departments in each area, in your sales department or your HR department or the accounts department or admin, and just talk to them, bring them out for lunch, and find out what their concerns are, what the business drivers are for them, and get an understanding of that so you can appreciate it better. Also look at the annual report for your organisation: have you read it lately? Do you know what the business goals are for the organisation, what the plans are in the next 6, 12, 18 months et cetera? So once
you understand your business and how it

works well then analyze your network

patterns and see how does that support

the business so you know if people are

working nine to five I'm predominant to

file from one location well then your

network pattern should reflect that you

sure your net repairing should respect

where does the ebb and flow of the

organization happen it should be your

ever for the network traffic should be

in line with the business though and

anything outside that normal behavior

can indicate there is a potential

problem so what tools do people use to

do their business you know a lot of

people on the road I work remotely will

may have to install

the computer skype or instant messaging

etc so is that traffic normal on your

network and if it is well then there may

be legitimate reason for but if it's not

done that but again that is something to

be to be examined how does your you know

does your organization have to transfer

files or send information to various

different locations around the world if

you still need to type network traffic

ftp nor dunno file transfer or

peer-to-peer traffic to IP addresses

outside your organization in regions you

may not be doing business with well then

that should trigger an alert an alarm

you should figure we'll hang on what's

happening here why are we have to being

far as to that size in Eastern Europe or

in Asia is there a legitimate reason

behind it and if not well then let's

investigate and see do we have a

potential Bleacher i will also look at

once you've identified your network

patterns and you know even very closely

together with this one is signature

information try and identify where the

information is held on your network

where are your core assets do you know

what it is you're supposed to be

protecting so are all your database

servers located in one place or are they

stretched across the organization

different locations different data

centers are different floors in the

building where are these servers or

caters and can you cygnet that both

those locations from that maybe could

isolate certain traffic to those

segments ideally will be great if we

could segment all the database servers

into one network area if your email

service another in a query farlam prints

etc so therefore you can monitor your

your database network and david segments

and anything outside of database traffic

should trigger an alert so if you're

monitoring your database segment and you

see email traffic Oh hitting your

servers or web traffic trying to hit

your service well that maybe should

indicate that there's something

and this and we shouldn't need to be

investigated as well now it can be

difficult to do this I acknowledge

particular with networks to have been

set up by mega evolves over time but at

the very least do try and identify where

your key assets are where the key

information is and then monitor the

traffic to those areas and keep it keep

keep a close eye on us for any unusual

pattern of changes I not going to do is

to harden your systems. So have you looked at the various different servers and figured out, well, how do I make this system more secure, how do I make sure it can't be hacked into? Traditionally when we look at hardening systems we tend to just look at servers in the DMZ and the Internet zones; it's generally thought to be good practice to do it that way. So what about your key servers inside your organisation? Because, you know, again in the introduction we talked about how our perimeters are dissolving and changing, so, you know, once attackers are inside our network, well then anything inside that network could be quite easy to attack. It's often referred to as M&M security: nice and crunchy on the outside but soft in the middle. So is your network soft in the middle? If it is, look at the key servers that you identified in the previous slide and figure out how to harden those systems and make them more secure. Be it Microsoft or UNIX or whatever platforms you're using, there are good resources and guides out there on how to harden those systems: to disable services you don't need, to make sure they're patched regularly, to maybe isolate network traffic to them based on IP address or MAC addresses. There's quite a lot you can do to secure and harden those devices.

I know we talked earlier about the amount of data that we have coming through, but it still surprises me sometimes, when I go in to investigate incidents, to discover that people don't even have the log files turned on. So have you got the log files turned on on the key systems and applications that you're supposed to monitor? And if you have, what is it you're capturing? Have you sat down and identified what events, what type of incidents, you want to be worried about, and then just record those to the logs? So we can strip away a lot of the information that we potentially don't want or don't need to analyse, and just identify the key events that we want, and monitor them as aggressively as we can, and then use the security tools that we have. So what about the security event and incident management systems: are they configured and set up properly? Are our IDS systems set up properly? If they are not, well then let's look at ways of making sure we are utilising those tools and those systems properly. Let's make sure we have the skills in-house, or else get them externally, to set those systems up the way we want them and so that we can use them properly. There's no point having these tools in place providing nice bright shiny lights blinking in the computer room if they're not being utilised properly. So review those tools and make sure they're configured correctly and they're getting information to you in the right way. The

key area as well is training staff and partners. Your staff can be a very good early warning indicator that something is not right with your systems or with the network. They may notice strange traffic patterns, they may notice something strange happened or something strange on the screen. Now, some of this, yes, could be just ordinary issues relating to the network or systems, but they could also be indicative of a potential breach, and that somebody has compromised the systems and the network and systems aren't performing as they should as a result of it. So train staff to notice when things are strange, and to report incidents more so as well. So do your staff report to your support desk if they receive a strange phishing email? You know, if you go back to the RSA example, that was a spear phishing attack: a phishing email targeted at certain users, designed to get their attention. Are your staff trained to identify phishing emails, and if so, are they also trained to report that to the security team or the support desk? And on top of that, are the security team and support desk trained properly to deal with the incident and take the information and investigate it properly as well? So training staff how to identify those things early on can be a good tool in your arsenal as well.

I'd also recommend using open source data, particularly when trying to monitor potential attacks against you by activist organisations. The modus operandi for a lot of these organisations or groups is to promote their attack on various different platforms, be it Twitter or Facebook, and they will rally people to the cause. If you're monitoring those social media networks for mentions of your organisation's name, or maybe using keywords related to a product or an event you're sponsoring or whatever, well that could help you identify that you may soon be under attack or having a problem. Often when this happens there are data sharing sites such as Pastebin, which has been designed for people to share information: you just cut and paste information from your computer, put it into Pastebin and you can share it with anybody else. But Pastebin has been used a lot by attackers to dump the information they've compromised into Pastebin and then to promote that on social media to their followers to show that their attack has been successful. If you're monitoring Pastebin already, maybe using Google Alerts, or there are scripts et cetera out there that allow you to do that automatically, you potentially could identify that you've been a victim of an attack and then you can react straight away. So you could do things like monitor Pastebin for your company name, maybe for code names of products or your products, maybe names of key employees et cetera that could be there. And then there are other open source tools that are quite useful. There is the DShield organisation, represented there by the logo of the green bus in the red box, and DShield takes a whole lot of open source information from various different logs around the world to identify potential systems that have been compromised or are being attacked, and by using that information you can again be alerted to a potential attack. Arrakis, which is provided by the police, does something similar in identifying potential botnet clients on the Internet. You know, if you're monitoring that for IP addresses belonging to your organisation, it could identify that you've got machines compromised with Trojans or computer viruses. And then the Google Safe Browsing alerts for network administrators is a service provided by Google to highlight websites that are hosting malware, and again if you are monitoring those alerts for URLs specific to your organisation, it could give you a good indication that websites have been compromised, and again you can react quickly to the problem.

Another trick we use in some environments is the use of honeypots and honey traps within the network. So honeypots are systems that are set up and designed to look and act like real live systems but in effect are tools used to identify potential attacks. So because this looks like a real system but you're not promoting or broadcasting it as a system, any traffic or any suspicious behaviour on that system would be a good indicator that you're under attack, and it would be a good tool to use to highlight potential problems and potential attacks in your environment.

And then, sharing with peers. I think that's one of the things we do fail at a lot as security professionals: we don't share information or data with our peers. So if we're working in a particular industry, if I know that a peer organisation has suffered a particular type of attack or is being targeted by that type of attack, well then maybe I can take similar steps to protect my organisation, and sharing the information can be quite useful. It's one of the big advantages of using the Verizon VERIS framework, which is what feeds the data into the Verizon Data Breach Investigations Report. It is actually available for free, and you can put your information into it anonymously, but it actually feeds back into the report so it can identify trends that are happening in the industry and what types of attacks are going on, which can only help us all to improve our own security. So even create peer networks, and that can be something simple like going to your local ISSA meetings, or ISACA meetings, or OWASP meetings, getting to know peers in other organisations, creating trust with those people and then sharing war stories or information that you can use to protect your environment; or they may be able to give you a heads-up that certain types of attacks could be coming your way. Likewise, using your local computer emergency response teams: they can provide you with a great source of information as well on potential attacks.

So that's quite briefly, and I know we've only had a half an hour, to run through those ten steps, but they would be the ten steps I would recommend that we can put in place to help us detect incidents much quicker and earlier on, and hopefully allow us to react better to the issues. There is more information available: we published a white paper on the same topic, and it goes into the information that we just went through there on the slide in more detail and provides more information on it. So I'd like to thank you for your time, and if there are any questions, Marion, I'd be quite happy to take them.

Thank you very much, Brian, and

we've got a couple of questions. So the first one that has come through is: what is a CSRF attack, and how is it different from XSS, cross-site scripting?

Okay, what I'd recommend people should do is go to the OWASP website, because it provides a lot of good information there on the different types of web application attacks that are out there. So, you know, it would provide a lot of good information there, not just on CSRF attacks and cross-site scripting attacks but also SQL injection and all the types of application-based attacks as well.

Great, thank you. And the next one that's come through is: what's the better approach when setting up a firewall, dropping or rejecting unwanted packets?

Well, I think you need to sit down and think about what is best for your own particular environment. Dropping packets would mean that a potential attacker will not see that you are there; rejecting them, the attacker will notice a firewall there. So it really will depend on what you want to do in your environment, because sometimes monitoring the traffic that you're dropping or rejecting can also give you good information on what's going on.

Okay, thanks. Are there productive solutions to monitor logs in mixed environments and with high volumes of data? How can this be addressed?

Well, there are lots of different ways you can do that. I won't go into any product sales pitches here; I'll leave that to the product experts. But the problem we do have with the various different log files et cetera is that they do have different formats, they do have different types of error messages, and some of them indeed can be, you know, not quite clear. So what we try and do is convert them into a common language, for want of a better phrase, maybe by using something like syslog or whatever the tool you're using can read, and try and get all those logs into the same format so that they can be read by your tools and can be normalised.

Okay, thanks very much. We've already overrun a little bit, so apologies if we didn't get around to your questions. The slides will be sent out, and a copy of the archived webcast will be sent out to everyone that registered, today or tomorrow. If you have any questions then please by all means contact your account manager and he'll be able to help you with any more product information or anything more technical. And please do go to the website, as Brian suggests, and download the white paper on the ten steps to early incident detection. Thank you very much, Brian, and thank you everyone for joining us today. Okay, thank
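Added example, not part of the webcast or of Brian Honan's material: the following Python script turns three of the checks described in the presentation into alert rules and runs them over constructed sample events. It covers the "understand your business" check (an accounts department user logging in remotely on a Sunday morning), the database-segment check (non-database traffic hitting the database network), and the network-pattern check (file transfer traffic to IP addresses in regions the business does not trade with). The business baseline (departments, working hours, the database segment, the port lists and the IP-to-region table) is assumed for illustration; a real deployment would take these from the business conversations the talk recommends and from a GeoIP database.

```python
"""Baseline-deviation alerting over constructed sample events (illustrative only)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical baseline an analyst would write down after "understanding the business".
WORKDAYS = range(0, 5)                           # Monday=0 .. Friday=4
BUSINESS_HOURS = range(8, 18)                    # 08:00-17:59 local time
REMOTE_ALLOWED_DEPTS = {"sales", "engineering"}  # accounts staff never work remotely
DB_SEGMENT = ip_network("10.20.0.0/24")          # where the database servers live
DB_PORTS = {1433, 1521, 3306, 5432}              # MSSQL, Oracle, MySQL, PostgreSQL
FILE_TRANSFER_PORTS = {20, 21, 22, 6881}         # FTP data/control, SFTP/SCP, BitTorrent
BUSINESS_REGIONS = {"IE", "GB", "US"}            # regions the business trades with
# Toy IP-to-region table built from documentation ranges (constructed);
# a real deployment would use a GeoIP database instead.
REGION_TABLE = {ip_network("203.0.113.0/24"): "RO",
                ip_network("198.51.100.0/24"): "US"}


@dataclass
class Event:
    ts: datetime
    kind: str                 # "login" or "flow"
    user: str = ""
    dept: str = ""
    remote: bool = False      # login came in over VPN / from outside the office
    src: str = ""
    dst: str = ""
    dport: int = 0


def region_of(ip: str) -> str:
    """Map an IP address to a region code using the toy table above."""
    addr = ip_address(ip)
    for net, region in REGION_TABLE.items():
        if addr in net:
            return region
    return "UNKNOWN"


def is_off_hours(ts: datetime) -> bool:
    """True outside the business's normal working pattern (weekend or out of hours)."""
    return ts.weekday() not in WORKDAYS or ts.hour not in BUSINESS_HOURS


def check_event(ev: Event) -> list:
    """Return (rule, message) pairs for every baseline deviation in one event."""
    alerts = []
    if ev.kind == "login":
        if ev.remote and ev.dept not in REMOTE_ALLOWED_DEPTS:
            alerts.append(("remote-login",
                           f"{ev.user} ({ev.dept}) logged in remotely; "
                           "department has no remote workers"))
        if ev.remote and is_off_hours(ev.ts):
            alerts.append(("off-hours-login",
                           f"{ev.user} logged in remotely at {ev.ts:%a %H:%M}"))
    elif ev.kind == "flow":
        # Anything that is not database traffic on the database segment is suspicious.
        if ip_address(ev.dst) in DB_SEGMENT and ev.dport not in DB_PORTS:
            alerts.append(("db-segment",
                           f"non-database traffic to {ev.dst}:{ev.dport} from {ev.src}"))
        # File transfers to regions the business does not deal with warrant a look.
        if ev.dport in FILE_TRANSFER_PORTS:
            region = region_of(ev.dst)
            if region not in BUSINESS_REGIONS:
                alerts.append(("file-transfer",
                               f"{ev.src} -> {ev.dst}:{ev.dport} in region {region}"))
    return alerts


def analyse(events) -> list:
    """Run every rule over every event and return the alerts in order."""
    return [alert for ev in events for alert in check_event(ev)]


# Constructed sample events: 2012-03-04 is a Sunday, 2012-03-06 a Tuesday.
SAMPLE_EVENTS = [
    Event(datetime(2012, 3, 4, 7, 12), "login", user="jdoe", dept="accounts", remote=True),
    Event(datetime(2012, 3, 6, 9, 30), "login", user="asmith", dept="sales", remote=True),
    Event(datetime(2012, 3, 6, 10, 5), "flow", src="10.1.4.22", dst="10.20.0.7", dport=25),
    Event(datetime(2012, 3, 6, 10, 6), "flow", src="10.1.4.22", dst="10.20.0.7", dport=5432),
    Event(datetime(2012, 3, 6, 23, 40), "flow", src="10.1.4.22", dst="203.0.113.9", dport=21),
    Event(datetime(2012, 3, 6, 11, 0), "flow", src="10.1.4.22", dst="198.51.100.5", dport=22),
]

if __name__ == "__main__":
    for rule, message in analyse(SAMPLE_EVENTS):
        print(f"[{rule}] {message}")
```

Running the script produces four alerts: two for the accounts user (an unexpected remote login, and one on a Sunday morning), one for SMTP traffic hitting the database segment, and one for an FTP connection to an address in a region outside the business's footprint; the legitimate sales login, the PostgreSQL connection and the SFTP session to a US address pass silently. The rules are deliberately plain comparisons against a written-down baseline, which is the point the talk makes: the baseline, not the tooling, is what turns a flood of log lines into a handful of things worth investigating.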