Cisco Connect 2018 Singapore - Cisco Incident Response Services

Peter Watson
Cisco Head of Security Services APJC
27th March 2018
Strengthen Your Readiness and Response to Attacks
Cisco Incident Response Services

Security is Fundamental to Digitization
2 in 5
Executives say privacy
and security restrict their
IoT investment
39%
“My organization halted a
mission-critical initiative
due to cybersecurity
concerns.”
71%
“Cybersecurity risks
and threats hinder
innovation in my organization.”
Innovations are moving forward,
but probably at 70%-80% of what they otherwise could if there were
better tools to deal with the dark cloud of cybersecurity threats.
Airline Industry CFO
“
”

Slower Response = Greater Risk
66%
of breaches took
months or even
years to discover
60%
of breaches have
data exfiltrated in
first 24 hours
60,000
Number of alerts
hackers set off at
Global Retailer
184
Median number
of days advanced
attackers present
before detection
27
33%
Of organizations
discover
breaches through
their own
monitoring

Time
ResponseDetection
Is Our Security Posture Effective?
Threat
Time to Detect, Time to Respond

You will get breached
Prevention is not a silver bullet
Detection is an absolute must
Speed to discovery and containment are critical
Intel isn’t just for spies anymore
Upfront Reality

Detect

Cyber Security Monitoring
Focus on the anomalies

PROTECTING CISCO
THE ENVIRONMENT
‐ Each presents its own
specific set of security
challenges that needs
to be dealt with.
‐ Security events cross
multiple boxes.
USERS
138,771
VENDOR ORGS
2690
ADMIN ACCOUNTS
4474
SERVICE ACCOUNTS
13,096
DATA CENTERS
13
OFFICES
600
COUNTRIES
102
CITIES
343
EXTRANET PARTNERS
318
CSP
296
ACQUISITIONS
8 (AVG YR)
ENDPOINTS
127,454
MOBILES
73,162
INFRA DEVICES
194,875
BUSINESS GROUPS
13,899
LABS
2370
83,78243,672

Threats Across
the Internet
Threats Inside
your Network
Hundreds of
Thousands
Customers
7.3T Threats
Blocked
Annually
250 Threat
Researchers
Tens of
Millions Users
Hundreds of
Threat Analytic
Engines
TALOS – Unmatched Visibility, Research, and
Analytics

The Internet Cisco Assets
Threats Prevented / QuarterThreat Defense
DNS RPZ
BGP Blackhole
WSA
ESA
AntiVirus
HIPS
EndPoint AMP
Prevention
1,558,649,099
39,778,560
242,805,292
229,012,330
25,802,498
3,364,08
720,52
9
Managed Incidents / Quarter  1,978Detection
CSIRT
Umbrella 421,000,000
The reverse pyramid

Response

Enhance
security
status with
regulators
Provides
protection
when its
needed most
Drives cross
architectural
and
organizational
integration
Quickly react
and respond
to security
incidents
Why Incident Response?
Every customer
should have
an Incident
Response
Plan
Open The Door

playbook |ˈplāˌbŏk|
(noun)
A prescriptive collection of repeatable queries
(reports) against security event data sources that
lead to incident detection and response.
Operationalizing and optimizing
Response Playbook

Inventory of Control’s
Security as a Service
Controls Store
• Leverage existing investments
• Always have untapped features
• Control adoption as well as threat metrics
• Security posture against required goals.
• Shift focus from risk to compliance.
“More than a risk register”

Leverage Automation
• Understanding the environment
• Testing, validation, applying a fix
• Filtering out data and helping identify what to look at
• Enable knowledge share and continuous investigations
• Update architecture templates and operational processes
• Tuning the plays and giving recommendations
AI and machine learning fail because its treated as “magic” instead of part of a
larger solution
Incident Response team members have to have the skills to determine if events
are true or false positives, and tune as necessary

IR Evolution & Maturity
Maturity
Level
Ad-hoc Maturing Strategic
As Needed
Dedicated
Part-Time Full-Time SOC/IR+ Fusion
CMM Equivalent Initial Repeatable Defined Managed Optimized
Existing IR
Capabilities
People
• 0-1 • 1-3
• Specialization
• 2-5
• Formal roles
• ~10
• Shifts (possible
24x7)
• 15+
• Intel, SOC, and IR
Teams
Process
• Chaotic and relying
on individual
heroics; reactive
• General purpose
run-book
• Tribal knowledge
• Situational run
books; some
consistency
• Email-based
processes
• Requirements and
Workflows
documented as
standard business
process
• Some improvement
over time
• Process is
measured via
metrics
• Minimal Threat
Sharing
• Shift turnover
• SLAs
• Processes are
constantly improved
and optimized
• Broad Threat
sharing
• Hunt teams
Technology
• AV
• Firewalls
• IDS/IPS
• SIEM
• Sandboxing
• Continuous
Monitoring
• Endpoint Forensics
• Tactical Intelligence
• Malware Analysis
• Additional
Intelligence
• IT Operations
Integration
• Intel+IR Drives
Security Program
• Strategic
Intelligence
• Coordination with
Physical
Security/Intelligenc
e

I need a plan for
when a data breach
occurs
IR Tabletop
Exercises
I want to know I
have a team
standing by
Incident Response
Retainers
In need help now
Emergency Incident
Response
I need to know what
is in my network
Proactive Threat
Hunting
I need to know if I
can respond
appropriately
IR Readiness
Assessments
Included in the IR Retainers
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Incident Response Services

• Invest in Intel & IR; it can be measured, evolved, and simplified.
• Intel is more than a nice to have- it is a requirement
• Think beyond IT; Partnerships are critical to success. Educate and
form alliances in the business and externally (e.g. local Law
Enforcement office, competitors, colleges)
• Communicate findings back into other functions; Defense is a team
sport
• Reward your teams!
Final Thoughts

Cisco Connect 2018 Singapore - Cisco Incident Response Services

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cisco Connect 2018 Singapore - Cisco Incident Response Services

Similar to Cisco Connect 2018 Singapore - Cisco Incident Response Services (20)

More from NetworkCollaborators

More from NetworkCollaborators (14)

Recently uploaded

Recently uploaded (20)

Cisco Connect 2018 Singapore - Cisco Incident Response Services