Ashley Madison, Sony, Kaspersky Lab, LastPass, Centrelink, the G20 event in Brisbane… What do they all have in common? They were victims of data breaches. And as you probably know by now, some were handled better than others. In this session we will talk about strategies, from mitigation to handling, used when a data breach happens (not “if”), and what controls you have if you are using Office 365.
1. Slide 1 of 11ENTERPRISE SECURITY ENTERPRISE SHAREPOINTSlide 1
When a Data Breach
Happens,
What’s Your Plan ?
Edge Pereira
ES2 Solutions Architect
edge@es2.com.au
Twitter: @superedge
Stuart Mills
ES2 Director
stuart@es2.com.au
2015
2.
Our Plan for Today
• Making Sense of Threats
• Cloud Breach Incident Plan
• What to do After the Incident?
• Recommendations
• Q & A
3.
Making Sense of Threats
Outsider
End User
Insider
Secure Design
Secure Code
Protections against attacks
Assume Breach
Contain Attackers
Detect Attackers
Remediate Attacks
Built controls
DLP, Encryption, etc.
Auditing
4.
Internet cafes in vacation spots
Every time you connect to the internet
Wonderful Internet Services
Ideological Movements
Organized Crime
Nation States
5.
Hacking in the Good Old Days
6.
Data Breaches
Source: Liam Cleary, BRK2142, Microsoft Ignite
7.
Numerous, Active, and Evolving Threats…
8.
…Very Active Threats
Social media giants Facebook, LinkedIn, among others, get hacked… repeatedly.
9.
“The personal details of world leaders – including David Cameron, Barack Obama and Vladimir Putin – have been accidentally revealed in an embarrassing privacy breach.”
It has been discovered that an employee at the Australian immigration department mistakenly sent personal information of all world leaders attending the G20 Summit to organisers of the Asian Cup football tournament. And the heads of government were kept in the dark about the employee’s blunder.
The passport numbers and visa details of United States president, Barack Obama, the Russian president, Vladimir Putin, the German chancellor, Angela Merkel, the Chinese president, Xi Jinping, the Indian prime minister, Narendra Modi, the Japanese prime minister, Shinzo Abe, the Indonesian president, Joko Widodo, and the British prime minister, David Cameron, were all exposed.
Source: http://www.independent.co.uk/news/world/personal-details-of-obama-putin-cameron-and-merkel-sent-to-wrong-email-address-by-g20-summit-organiser-10142539.html
Leaks and Training
10.
Source: http://www.canberratimes.com.au/national/public-service/federal-privacy-authorities-called-in-over-centrelink-breach-20140818-105hjw
Leaks and Training
11.
The Evolution of Attacks
Chart axes: targeting, sophistication, volume and impact
2003–2004: Script kiddies (BLASTER, SLAMMER). Motive: mischief.
12.
The Evolution of Attacks
2005–PRESENT: Organized crime (RANSOMWARE, CLICK-FRAUD, IDENTITY THEFT). Motive: profit.
Chart axes: sophistication, targeting
13.
The Evolution of Attacks
Organized crime (RANSOMWARE, CLICK-FRAUD, IDENTITY THEFT). Motive: profit.
2012–BEYOND: Nation states, activists, terror groups (BRAZEN, COMPLEX, PERSISTENT). Motives: IP theft, damage, disruption.
Chart axes: sophistication, targeting
14.
Defining Risk
Vulnerability Threat Consequence
Risk
The U.S. Department of Homeland Security (DHS) defines risk as a vulnerability coupled with a threat that creates a consequence.
15.
Writing a Cloud Breach Incident Plan
• What is the problem you are solving?
• No executive sponsor? No worries
• Advisory committee
• Know your audience
16.
Sample Plan
• Foreword
• Objective
• Scope
• Assumptions
• Ownership
• Execution command topologies
• Plan structure
17.
Plan Structure
Preparation
Detection & analysis
Declaration & mobilization
Technical actions
Supporting actions
Incident containment
Post incident
Plan maintenance
18.
Incident Preparation
• Crystal ball exercise
• What kind of information could you share with a 3rd party or law enforcement?
• If you lose PCI or PII data, how would you notify the affected parties? Who in the community can help you?
• For credit monitoring, what would be the services, the costs involved, and to whom would they be offered?
• Compile these into one or more documents, labelled “crisis response”.
19.
Incident Detection and Analysis
• Sources of information
• Define what is an “incident”, “alert”, “suspicious events”
• Define severities
• Peer-review with IT, InfoSec and Legal
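The slide asks you to define, before an incident, what counts as a “suspicious event”, an “alert” and an “incident”, and which severity each gets. The following Python is an added example of what such definitions look like once written down as rules, so that IT, InfoSec and Legal can peer-review concrete thresholds rather than adjectives. It is not code from the deck or from ES2: the event schema (`op`, `result`, `country`, `label`, `external`, `role`), the operation names, the sample events and the thresholds are all constructed assumptions, loosely modelled on the kind of audit records a cloud tenant emits.

```python
"""Triage rules for the detection-and-analysis step of an incident plan.

Example code added to this deck; the schema, rule names, thresholds and
sample events are assumptions, not Office 365 or ES2 definitions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Three tiers, weakest to strongest (assumed definitions):
#   SUSPICIOUS: logged and reviewed, no response on its own
#   ALERT:      a person must look at it within the SLA for its severity
#   INCIDENT:   the plan is declared and the tiger team mobilised
SUSPICIOUS, ALERT, INCIDENT = "suspicious event", "alert", "incident"
TIER_RANK = {SUSPICIOUS: 0, ALERT: 1, INCIDENT: 2}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    user: str
    tier: str
    severity: str
    rule: str


# Constructed sample events in a simplified audit-log shape (one dict per
# event, in time order). Real tenant audit records carry many more fields.
SAMPLE_EVENTS = [
    # alice: five failed logins, then a success -> possible credential compromise
    *[{"user": "alice@example.invalid", "op": "UserLoggedIn", "result": "Failed", "country": "AU"}
      for _ in range(5)],
    {"user": "alice@example.invalid", "op": "UserLoggedIn", "result": "Succeeded", "country": "AU"},
    # bob: two failed logins and nothing else -> worth a look, not an alert
    {"user": "bob@example.invalid", "op": "UserLoggedIn", "result": "Failed", "country": "AU"},
    {"user": "bob@example.invalid", "op": "UserLoggedIn", "result": "Failed", "country": "AU"},
    # carol: successful logins from two countries -> suspicious, needs context
    {"user": "carol@example.invalid", "op": "UserLoggedIn", "result": "Succeeded", "country": "AU"},
    {"user": "carol@example.invalid", "op": "UserLoggedIn", "result": "Succeeded", "country": "US"},
    # dave: shares a Confidential-labelled file outside the tenant -> DLP alert
    {"user": "dave@example.invalid", "op": "SharingSet", "label": "Confidential",
     "target": "someone@partner.invalid", "external": True},
    # erin: a privileged role is granted -> alert regardless of who did it
    {"user": "erin@example.invalid", "op": "RoleMemberAdded", "role": "Global Administrator"},
]


def triage(events, failed_login_threshold=5):
    """Apply the written-down rules to a list of events and return Findings."""
    findings = []
    failed = Counter()                 # failed logins per user
    success_after_failures = set()     # users who logged in after failing
    countries = defaultdict(set)       # countries seen on successful logins

    for e in events:
        user, op = e["user"], e["op"]
        if op == "UserLoggedIn":
            if e["result"] == "Failed":
                failed[user] += 1
            else:
                countries[user].add(e["country"])
                if failed[user] > 0:
                    success_after_failures.add(user)
        elif op == "SharingSet" and e.get("external") and e.get("label") == "Confidential":
            findings.append(Finding(user, ALERT, "high", "confidential-shared-externally"))
        elif op == "RoleMemberAdded" and e.get("role") == "Global Administrator":
            findings.append(Finding(user, ALERT, "high", "global-admin-granted"))

    # Authentication rules are evaluated once all events for a user are counted.
    for user, n in failed.items():
        if n >= failed_login_threshold and user in success_after_failures:
            findings.append(Finding(user, INCIDENT, "critical", "bruteforce-then-success"))
        elif n >= failed_login_threshold:
            findings.append(Finding(user, ALERT, "medium", "bruteforce-attempt"))
        elif n >= 2:
            findings.append(Finding(user, SUSPICIOUS, "low", "repeated-failed-logins"))
    for user, seen in countries.items():
        if len(seen) > 1:
            findings.append(Finding(user, SUSPICIOUS, "low", "logins-from-multiple-countries"))
    return findings


def declare(findings):
    """Overall outcome: the strongest tier present, and its highest severity.

    Returns (tier, severity), or None when nothing matched. This is the value
    the on-call person uses to decide whether to declare and mobilise.
    """
    if not findings:
        return None
    top = max(findings, key=lambda f: (TIER_RANK[f.tier], SEVERITY_RANK[f.severity]))
    return top.tier, top.severity


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.tier:16} {f.severity:9} {f.user:24} {f.rule}")
    print("declaration:", declare(triage(SAMPLE_EVENTS)))
```

The point of the rule table is that the threshold is a reviewable number: raising `failed_login_threshold` to 6 turns alice’s incident into a suspicious event and the overall declaration drops to the DLP and role alerts, which is exactly the kind of trade-off the peer review with IT, InfoSec and Legal should settle before the plan is signed off.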
20.
Incident Response
• “Who does what when”
• Tiger team and decision making structure
• Battle rhythm. Everyone needs to know what to do and not wait.
• Time spent making a decision should not be longer than the time it takes to execute it
• Declaration of end of incident
21.
Incident Response - Tiger Team
Team Leader
• Oversees all team work
• Keeps the team focused on damage containment
Lead Investigator
• Collects & analyzes evidence
• Root cause
• Manages the business continuity plan
Comms Lead
• Messaging for all audiences
• Inside and outside the company
Documentation and Timeline Leader
• Investigations
• Discovery and recovery
• Documents timeline events
HR/Legal Leader
• Criminal charges developments
22.
Plan Post-Incident
• Lessons learned
• Recommendation #1: test the plan once a year
23.
Recommendations
• Expand the use of Encryption
• Workforce training and awareness programs
• Strengthening of perimeter controls
• Implement identity and access management solutions (privileged access first)
• Strong endpoint security solutions
• Implement data loss prevention solutions
• Get a security certification or independent audit
How to Mitigate the Risk and Consequences of a Data Breach
24.
Q & A
25.
Recap
• Making Sense of Threats
• Cloud Breach Incident Plan
• What to do After the Incident?
• Recommendations
• Q & A
26.
Learn More
• Office 365 Trust Portal
• ES2 website www.es2.com.au
• Computer Incident Response, NK McCarthy
• BRK2159 Office 365 today and beyond, TechEd NA
• www.superedge.net
Useful Material and Links
27.
Hour of Code - https://code.org/learn
28.
Thank You
29. Perth Head Office
“The Factory” 69 King Street
Perth, WA 6000
Perth Business Centre
Level 27, 44 St Georges Terrace
Perth, WA 6000
Brisbane Business Centre
Level 18, 123 Eagle Street,
Brisbane, QLD, 4000
Sydney Business Centre
Level 12, 95 Pitt Street,
Sydney NSW, 2000
Paris Business Centre
4 rue Neuve de la Chardonnière, 75018,
Paris, FRANCE
www.es2.com.au
31.
Common Myths About the Cloud
Myths
• On-premises is more secure
• Data is used for mining (i.e. advertising)
• It’s not compliant with industry regulations
• Control of data in the cloud is lost
Office 365
• Built to provide a level of security that exceeds most customers on infrastructure and scale
• The first to comply with ISO/IEC 27018, which prohibits use of PII for ads and marketing
• Compliant with HIPAA, FISMA, MPAA etc. (industries and governments)
• Designed for complete customer data control
• You own the data, MS manages it for you
32.
Government Access to Cloud Data
Microsoft will not…
• Provide any government with direct or unfettered access to customer data
• Assist any government’s efforts to break cloud encryption
• Provide any government with encryption keys
• Engineer back doors into the cloud products (MS will take steps to ensure governments can independently verify this)
• If governments are engaging in broader surveillance of communications, MS is not involved and it is taking steps to enhance the security of customer’s data
Microsoft will…
• Disclose enterprise customer data only by a valid legal order and only for the data required
• Publish a law enforcement request report every six months
http://www.microsoft.com/about/corporatecitizenship/en-us/transparencyhub/
[Pie chart: law enforcement requests, Australia. Categories: Disclosed content; Only subscriber/transactional data; No data found; Rejected. Values shown: 20.8%, 7.84%, 71.36%.]
34.
Encryption at Rest and In-Transit
• Data Loss Prevention
• Search
• Insights
• Content analysis
35.
Controls Implemented After a Data Breach
[Bar chart with three series labelled 2013, 2014 and 2015; vertical axis 0 to 60. Controls compared: use of encryption; additional manual procedures and controls; training and awareness programs; strengthening perimeter controls; identity and access management solutions; other system control practices; endpoint security solutions; security intelligence solutions; data loss prevention solutions; security certification or audit. Bar values as extracted, one series per line: 48 46 40 35 27 26 25 23 21 18 / 48 41 43 26 22 23 30 19 18 21 / 52 35 42 23 19 20 32 34 14 15.]