Isc2conferancepremay15final
1. SOC & BUSINESS DRIVEN CYBER THREATS
Mahmoud Yassin
Lead Security Eng. SOC & NOC
National Bank of Abu Dhabi
2.
• Business today
• What is the business effect on the security community
• Cyber threats and business targets
• New trends in cyber threats
• Approach to target new cyber threats
• Security management in a dynamic environment
• SOC or OPSOC
• Recommended actions for the SOC in the face of new threats
4. TODAY’S BUSINESS CLIMATE
• Running a business in the 21st century isn’t easy!
• Security regulations abound
• 62% of companies spend more on compliance than protection*
• Evolution of technology and business demands has resulted in highly diverse environments
• Managing an increasing number of vulnerabilities in the face of sophisticated threats
• Difficulties in aligning people, process and technology
• Challenges in leveraging security knowledge and business process
*Source: Riren
5. IT SPRAWL HAS BUSINESS AT THE BREAKING POINT
Business innovation throttled to 30%
• Time to revenue
• Cost of lost time, effort, opportunity
• Unpredictable business cycles
70% captive in operations and maintenance
• Rigid & aging infrastructure
• Application & information complexity
• Inflexible business processes
92% believe business cycles will continue to be unpredictable in the coming few years
84% agree innovation is critical to success in the new economy
8 out of 10: the business & technology approach needs to be more flexible to meet changing customer needs
6. TOMORROW’S BUSINESS WILL BE BUILT ON A CONVERGED INFRASTRUCTURE
Security is the framework for ALL
Unleash the potential:
• Any application, anywhere
• Flex resources on demand
• Unlock productivity
• Predictable continuity of service
• Faster time to business value
Converged infrastructure components: Storage, Servers, Power & cooling, Network, Management software; building on what you have today, all on a secure platform.
Virtualized • Resilient • Orchestrated • Optimized • Modular and Secure
8. SECURITY AND BUSINESS INFRASTRUCTURE
Pre 1980’s (Mainframes): mainframe, centralized business security; security incorporated into the system.
1980’s-1990’s (Client / Server): client-server security is client based; security begins to diverge as systems become more distributed.
2000s (Multi-Tier Application Architecture): traditional application security; web application development complicates security visibility.
2010’s (Business Cloud, with vendors, partners and clients each on their own cloud): business demands strain IT and security; diversity of IT and security in the light of diversity.
9. SECURITY WORRIES
• I worry about a hacker gaining access to our Oracle database and copying social security numbers
• I worry about a converged network; if the network goes down you lose both voice and data, increasing the risk and worry
• I worry about staff; I can't protect the network from internal sabotage, disgruntled network administrators, IT personnel, etc.
• I worry about new computers being plugged into the network after they have been off net
• I worry about the new wide range of handheld IP devices which people plug in at will from near and far flung locations
• I worry about security in the public cloud
• I worry about the virtual environment; it has 60% of my server power
• I worry about employees working at home bridging networks via WLANs, opening up access to our network
Source: Nick Lippis, Trusted Networks Symposium
10. GETTING THERE
• Technical / Tactical: establish a meaningful, early win (“Build Success Early”)
  - Risk Management (risk approach)
  - Define Threats Landscape
• Management: align people & process to meet multiple regulations (“Organize and Architect”)
  - Information Security Management Framework
• Technical / Strategic: increase technical visibility, command and control (“Actionable Foundation”)
  - Integrated Security Operations Capability
  - Network Access Control
• Business Management: employ metrics to measure against the business goals (“Balanced Approach to the Business”)
  - Security Services Management
11. SECURITY PAIN
• Security investments based on ROSI
• Executives growing weary
• Less talk, more revenue
• Diminishing expectations of security investments
• “More money? What did you do with the last check?”
• Constant deluge of “new” security problems
• Regulatory compliance challenges
• Cultural challenges inside and outside IT
• Cyber Security & Advanced Persistent Threats
13. CYBER RISKS ARE AN INCREASING THREAT TO SOURCES OF ENTERPRISE CAPABILITY AND BRAND COMPETITIVENESS
Extortion (Now)
• Phishing and pharming driving increased customer costs, especially for the financial services sector
• DDOS extortion attacks
Loss of intellectual property/data (Now)
• National security information/export controlled information
• Sensitive competitive data
• Sensitive personal/customer data
Potential for disruption, as part of cyber conflict (i.e. Estonia) or as target of cyber protest (i.e. anti-globalization)
• E-Business and internal administration
• Connections with partners
• Ability to operate and deliver core services
Potential accountability for misuse (i.e. botnets) (Emerging)
• Reputational hits; legal accountability
Potential for data corruption
• Impact operations or customers through data
Terrorism (Now)
• DDOS and poisoning attacks
• Focused attacks coordinated with physical attacks
14. MASS-SCALE HACKING
• It's ROI focused.
• It's not personal. Automated attacks against mass targets, not specific individuals.
• It's multilayer. Each party involved in the hacking process has a unique role and uses a different financial model.
• It's automated. Botnets exploit vulnerabilities and extract valuable data, conduct brute force password attacks, disseminate spam, distribute malware and manipulate search engine results.
• Common attack types include:
  - Data theft or SQL injections.
  - Business logic attacks.
  - Denial of service attacks.
Source: Amichai Shulman
15. RECENT INCIDENTS: RISE OF THE PROFESSIONALS
• Estonia: As part of unrest and pro-Russian riots in Tallinn, the Internet-embracing nation undergoes massive online attacks from ethnic Russians
• Zeus Trojan: Zeus Trojan, capable of defeating the one-time password systems used in the finance sector, targets commercial bank accounts and has gained control of more than 3 million computers, just in the US
• Stuxnet: Stuxnet is a computer worm discovered in June 2010. It initially spreads via Microsoft Windows, and targets Siemens industrial software and equipment. While it is not the first time that hackers have targeted industrial systems,[1] it is the first discovered malware that spies on and subverts industrial systems,[2] and the first to include a programmable logic controller (PLC) rootkit.[3][4]
19. 2010 - THE YEAR HACKING BECAME A BUSINESS
2010 was the year hacking stopped being a hobby and became a lucrative profession practiced by an underground of computer software developers and sellers.
It was the year when cyber-criminals targeted everything from MySpace to Facebook.
Are you one of the victims in June?
20. WE ARCHIVED 1,419,202 WEB-SITE DEFACEMENTS
Attacks by month, year 2010
Jan    53,915
Feb    57,867
Mar    73,712
Apr    95,078
May    83,182
Jun    81,865
Jul    87,364
Aug    63,367
Sep   185,741
Oct   194,692
Nov   258,355
Dec   184,064
Total 1,419,202
Source: Trend Micro
21. HACKING AS BUSINESS
Hacking isn't a kid's game anymore. It has a price …$$$...
The Black Market (USD):
• Trojan program to steal online account information: $980-$4,900
• Credit card number with PIN: $490
• Billing data, including account number, address, Social Security number, home address, and birth date: $78-$294
• Driver's license: $147
• Birth certificate: $147
• Social Security card: $98
• Credit card number with security code and expiration date: $6-$24
• PayPal account logon and password: $6
Data source: Trend Micro
22. HACKING AS SERVICES
• DDoS attacks. The price usually depends on the attack time:
  - 1 hour - US$10-20 (depends on the seller)
  - 2 hours - US$20-40
  - 1 day - US$100
  - + 1 day - From US$200 (depends on the complexity of the job)
  It is worth highlighting that they normally offer 10 minutes of testing; this means that if you are interested, you tell them the server and they will perform a DoS attack for 10 minutes, so that you can evaluate the ‘service’.
• Spam hosting: US$200
  - Dedicated spam server: US$500
  - 10,000,000 mails per day: US$600
  - SMS spam (per message): US$0.2
  - ICQ (1,000,000): US$150
• Hiding of executable files, to avoid antivirus programs and firewalls (they guarantee that the files won’t be detected even by the antivirus updates of the date of purchase): from US$1 to US$5 per executable file (cheap, isn’t it?)
• Rapid Share premium accounts (server hosting): 1 month - US$5, 2 months - US$8, 3 months - US$12, 6 months - US$18, 1 year - US$28
23. HACKING AS ORGANIZED CRIME
Cyber criminals have become an organized bunch. They use peer-to-peer payment systems just like they're buying and selling on eBay, and they're not afraid to work together.
Software as a Service for criminals: attackers use sophisticated trading interfaces to classify the stolen accounts by the FTP server’s country of origin and the compromised site’s Google page ranking. This information enables attackers to determine the cost of the compromised FTP credentials for resale to cybercriminals, or to leverage them themselves in an attack against the more prominent Web sites.
Malware that encrypts data and then demands money to provide the decryption key: FileFixPro
24. YEAR 2011: SONY CASES, APRIL-JUNE 2011
2011-04-04  Anonymous Engages in Sony DDoS Attacks Over GeoHot PS3 Lawsuit
2011-04-20  Sony PSN Offline
2011-04-26  PSN Outage caused by Rebug Firmware
2011-04-26  PlayStation Network (PSN) Hacked
2011-04-27  Ars readers report credit card fraud, blame Sony
2011-04-28  Sony PSN hack triggers lawsuit; Sony says SOE Customer Data Safe
2011-05-02  Sony Online Entertainment (SOE) hacked; SOE Network Taken Offline
2011-05-03  Sony Online Entertainment (SOE) issues breach notification letter
2011-05-05  Sony Brings In Forensic Experts On Data Breaches
2011-05-06  Sony Networks Lacked Firewall, Ran Obsolete Software: Testimony
2011-05-07  Sony succumbs to another hack leaking 2,500 "old records"
2011-05-14  Anonymous leaks Bank of America e-mails
2011-05-17  Sony resuming PlayStation Network, Qriocity services
2011-05-18  PSN Accounts still subject to a vulnerability; Prolexic rumored to consult with Sony on security
2011-05-20  Phishing site found on a Sony server
2011-05-21  Hack on Sony-owned ISP steals $1,220 in virtual cash
2011-05-22  Sony BMG Greece the latest hacked Sony site
2011-05-23  LulzSec leak Sony's Japanese Websites; Lulz Security hackers target Sun website
2011-05-23  PSN breach and restoration to cost $171M, Sony estimates
2011-05-24  Sony says hacker stole 2,000 records from Canadian site (Sony Ericsson)
2011-06-02  LulzSec versus Sony Pictures
2011-06-02  Sony BMG Belgium (sonybmg.be) database exposed
2011-06-02  Sony BMG Netherlands (sonybmg.nl) database exposed
2011-06-02  Sony, Epsilon Testify Before Congress
2011-06-03  Sony Europe database leaked
2011-06-05  Latest Hack Shows Sony Didn't Plug Holes
2011-06-05  Sony Pictures Russia (www.sonypictures.ru) databases leaked
2011-06-06  LulzSec Hackers Post Sony Computer Entertainment Developer Network (SCE Devnet)
2011-06-06  LulzSec hits Sony BMG, leaks internal network maps
2011-06-08  Sony Portugal latest to fall to hackers
2011-06-08  Spoofing lead to fraud via shopping coupons at Sonisutoa / My Sony Club (Google Translation)
2011-06-11  Spain Arrests 3 Suspects in Sony Hacking Case
2011-06-20  SQLI on sonypictures.fr
2011-06-23  Class Action Lawsuit Filed Against Sony/SCEA
Also listed: Hong Kong Stock Exchange Website Hacked, Impacts Trades
25. CYBER CRIME AND CYBER ESPIONAGE ARE HAVING REAL IMPACTS
• Estimated $1 Trillion of intellectual property stolen each year (Gartner & McAfee, Jan 2010)
• Cybercrime up 63% in 2011 (McAfee)
• Topped $20 Billion at financial institutions
• Reported cyber attacks on U.S. government computer networks climbed 40% in 2011
• RSA breached (March 2011)
• DigiNotar bankrupt (2011)
Source: Report of the CSIS Commission on Cyber Security for the 44th Presidency
26. RSA BREACH
• March 11, 2011: breach detected, not public
• Thursday March 17, 2011: story broke
  - Threat Intelligence Committee call
• Friday March 18, 2011:
  - Cyber UCG call
  - NCI call with DHS
  - Threat Intelligence Committee call w/RSA
  - FS-ISAC Membership call w/RSA
  - NCI call
  - Mitigation Report Working Group calls
  - Mitigation Report
27. 75% OF ATTACKS OCCUR THROUGH WEB APPLICATIONS - GARTNER
• Approximately 66 vulnerabilities per website were found, for a total of 210,000 vulnerabilities over the scanned population.
• 50% of the websites with instances of high vulnerabilities were susceptible to SQL Injection, while 42% of these websites were prone to Cross Site Scripting. Other serious vulnerabilities include Blind SQL Injection, Cross Site Scripting, CRLF Injection and HTTP response splitting, as well as script source code disclosure.
Web security risks are growing.
• Sources: Computer Emergency Response Team Coordination Center (CERT/CC), National Vulnerability Database, Open-Source Vulnerability Database, and the Symantec Vulnerability Database.
• Source: http://www.acunetix.com/news/security-audit-results.htm
28. VISIBILITY OF ADVANCED PERSISTENT THREATS
-- Invisible --
Source: Douwe.Leguit@govcert.nl, April 2010
29. TODAY’S THREAT LANDSCAPE
• External Attacks: Trojans, viruses, worms, phishing... Not protected by firewalls. Requires IPS (Intrusion Prevention).
• Undetected Attacks: Vulnerabilities and compromised machines may lay dormant for months, awaiting an attacker to exploit them. Requires vulnerability awareness and end-point intelligence (Vulnerability Assessment).
• Porous Perimeter: Every machine a peering point. Laptops carry infection past firewalls. Requires IDS (Network Behavior Analysis, NBA).
• Information Leakage: Point-point VPNs + desktop and mobile internet connections provide ample opportunity. Requires compliance monitoring and enforcement (Network Access Control, NAC).
At the center: Network Intelligence and User Intelligence.
31. ENTERPRISE SECURITY ARCHITECTURE
End Point Security
Network Security | System Security | Data Security | Application Security
Operational Security
Physical / Data Center Security
Personnel Security
Security Management
32. THE ENTERPRISE TODAY - MOUNTAINS OF DATA, MANY STAKEHOLDERS
Stakeholder needs: Malicious Code Detection, Real-Time Monitoring, Spyware detection, Troubleshooting, Access Control Enforcement, Configuration Control, Privileged User Management, Lockdown enforcement, Unauthorized Service Detection, False Positive Reduction, IP Leakage, User Monitoring, SLA Monitoring
Data sources: Web server activity logs, Web cache & proxy logs, Content management logs, Switch logs, IDS/IDP logs, VA Scan logs, Router logs, Windows domain logins, Windows logs, VPN logs, Firewall logs, Wireless access logs, Linux, Unix and Windows OS logs, Oracle Financial logs, Mainframe logs, DHCP logs, Client & file server logs, SAN File Access logs, VLAN Access & Control logs, Database logs
Source: RSA
34. RISK-BASED APPROACH FOR SECURITY MANAGEMENT
Risk Management: The Business Model
• Security is relative:
  - Many risks and many solutions
• Security is everyone’s business
• Security is a process
  - Things fail all the time
• Variety of options:
  - Accept the risk
  - Mitigate the risk with People/Procedure/Technology
  - Transfer the risk
35. STEPS FOR BETTER SECURITY
Step 1: Know your risks
The business sits between: Internal and External Threats; Regulatory and Compliance Force; ROSI (Return on Security Investment); System, Data and Application Assets; Cost of Doing Business; Vulnerability and Process.
- Risk Assessment / Compliance Assessment
- Vulnerability Assessment
- Web Application Assessment / PenTest
36. STEPS FOR BETTER SECURITY
Step 2: Visualize your situation
System Monitoring -> Logs Consolidation -> Intelligent Correlation -> SIEM Solution (Security Information & Event Management) -> SOC (Security Operation Center) -> Incident Management (ITIL Process)
37. STEPS FOR BETTER SECURITY
Step 3: Knowing your enemy’s behavior
You need investigation tools:
• for pervasive visibility into content and behavior
• providing precise and actionable intelligence
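Steps 2 and 3 above (consolidate logs, correlate them, investigate) as an added Python example that is not part of the original deck: it normalizes syslog lines from two different sources into one event schema, correlates failed-then-successful logins per host and source address, and tags each alert with the asset criticality the inventory supplies. The log lines, host names, addresses and the criticality table are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample feed (not from the original deck): a Linux sshd syslog
# stream and a Cisco ASA style firewall stream arriving at the same collector.
SAMPLE_LOGS = """\
Jun 20 10:01:02 web01 sshd[4711]: Failed password for root from 203.0.113.9 port 51001 ssh2
Jun 20 10:01:05 web01 sshd[4711]: Failed password for root from 203.0.113.9 port 51002 ssh2
Jun 20 10:01:09 web01 sshd[4711]: Failed password for root from 203.0.113.9 port 51003 ssh2
Jun 20 10:01:14 web01 sshd[4711]: Failed password for admin from 203.0.113.9 port 51004 ssh2
Jun 20 10:01:20 web01 sshd[4711]: Accepted password for admin from 203.0.113.9 port 51005 ssh2
Jun 20 10:02:00 fw01 %ASA-6-302013: Built outbound TCP connection 99 for outside:198.51.100.7/443 to inside:10.0.0.5/50122
Jun 20 10:03:31 db02 sshd[880]: Failed password for oracle from 192.0.2.44 port 40001 ssh2
Jun 20 10:03:40 db02 sshd[880]: Failed password for oracle from 192.0.2.44 port 40002 ssh2
"""

# Constructed asset criticality table, standing in for the SOC's asset inventory.
ASSET_CRITICALITY = {"web01": "medium", "db02": "high", "fw01": "high"}

SYSLOG_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
SSH_RE = re.compile(r"^(Failed|Accepted) password for (\S+) from (\S+) port")

def normalize(line, year=2011):
    """Map one raw syslog line onto a common event schema; None if it is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.groups()
    event = {"time": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
             "host": host, "source": prog, "action": None, "user": None, "src_ip": None,
             "criticality": ASSET_CRITICALITY.get(host, "unknown")}
    s = SSH_RE.match(msg)
    if s:  # only sshd authentication messages carry an action in this example
        event["action"] = "auth_fail" if s.group(1) == "Failed" else "auth_success"
        event["user"], event["src_ip"] = s.group(2), s.group(3)
    return event

def correlate(events, threshold=3, window_s=120):
    """Alert when one source reaches `threshold` failures on a host inside the
    window; escalate to high if that same source then logs in successfully."""
    failures = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["host"], e["src_ip"])
        if e["action"] == "auth_fail":
            failures[key].append(e["time"])
            # keep only the failures that fall inside the sliding window
            failures[key] = [t for t in failures[key]
                             if (e["time"] - t).total_seconds() <= window_s]
            if len(failures[key]) == threshold:  # fire once when the threshold is crossed
                alerts.append({"host": e["host"], "src_ip": e["src_ip"], "severity": "medium",
                               "criticality": e["criticality"], "reason": "brute force attempt"})
        elif e["action"] == "auth_success" and len(failures.get(key, [])) >= threshold:
            alerts.append({"host": e["host"], "src_ip": e["src_ip"], "severity": "high",
                           "criticality": e["criticality"], "reason": "success after brute force"})
    return alerts

def run(raw=SAMPLE_LOGS):
    """Consolidate the raw feed, normalize it and return the correlated alerts."""
    events = [e for e in (normalize(l) for l in raw.splitlines()) if e]
    return correlate(events)

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed feed this yields one medium alert for the three failures on web01 and one high alert for the login that follows them; db02 stays quiet because its two failures are below the threshold.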
38. WHAT’S IN A SOC
What is it? What does it do? What’s a good one and
what’s a bad one? Is it worth the time/money?
39. TOP TECHNICAL ISSUES
• Increase Speed of Aggregation and Correlation
• Maximize Device and System Coverage
• Improve Ability to Respond Quickly
• Deliver 24 x 7 Coverage (this doesn’t have to be done by the SOC!)
• Support for Federated and Distributed Environments
• Provide Forensic Capabilities
• Ensure Intelligent Integration between SOCs and NOCs
40. SOC FRAMEWORK
• Industry Standards and Best Practices (ITIL, BS7799/ISO17799, SANS, CERT)
• Service Delivery (Operational Reporting, Advisories) (24x7, 8x5, 12x7)
• Tools (Helpdesk, Monitoring, Mgmt., Windows Configuration, Automation/Workflow)
• Web Portal
• Security Center of Excellence (Test bed, Technology Innovation, Trainings)
• Command Center (Incident & Problem Mgmt., Knowledge Mgmt., Testing, Product evaluation)
• Knowledgebase
• Infra. Mgmt. Stream:
  - Program Management (Customer interface, Escalation mgmt., Strategic assistance, Operational supervision, quality control)
  - Device Supervision (Performance, Incident, Monitoring)
  - Device Operations (Change, Vendor Mgmt., Installation, Configuration)
• Security Mgmt. Stream:
  - Security Monitoring
  - People Resource (cross skilling, rotation, training, ramp-up and scale down)
  - Security Change
  - Security Advisory
  - Incident Management
  - Reporting
• Operational Models (SOC and ODC)
• Service Delivery (Onsite, Near Shore and Offshore)
41. SOC OR OPERATIONAL SOC…
Stakeholders: Server Engineering, Business Ops., Compliance, Audit, Risk Mgmt., Security Ops., Desktop Ops., Network Ops., Application & Database
Services: Report, Baseline, Alert/Correlation, Asset Ident., Forensics
Compliance Operations: Access Control, Log Mgmt., Configuration Control, SLA Compliance Monitoring, Malicious Software, Policy Enforcements, User Monitoring & Management, Environmental & Transmission Security
Security Operations: Access Control Enforcement, Incident Mgmt., False Positive Reduction, Real-time Monitoring, Unauthorized Network Service Detection, More…
All the Data … For Compliance & Security Operations
Log Management:
• Any enterprise IP device – Universal Device Support (UDS)
• No filtering, normalizing, or data reduction
• Security events & operational information
• No agents required
42. THE 3 (MAIN) FUNCTIONS OF A SOC
• The reason for a SOC: Business Continuity, Risk Mitigation, Cost Efficiency
• What does the SOC do?
1. Real-time monitoring / management
• Aggregate logs
• Aggregate more than logs
• Coordinate response and remediation
• “Google Earth” view from a security perspective
2. Reporting / Custom views
• Security Professionals
• Executives
• Auditors
• Consistent
3. After-Action Analysis
• Forensics
• Investigation
• Virtues of a SOC: cost efficiency, measurable improvements in availability, lower risk, relevance to the business, transparency, passing audits, consistency, reproducibility
• Vices of a SOC: expensive, little meaning to the business, opacity to the business, no impact on risk, failing audits, inconsistency
43. PRIORITIZATION AND REMEDIATION
• Deal with what’s most relevant to the business first!
• Gather asset data
• Gather business priorities
• Understand the business context of an incident
• Break-down the IT silos
• Coordinate responses
• Inform all who need to know of an incident
• Work with existing ticketing / workflow systems
• Threat * Weakness * Business Value = Risk
• Deal with BUSINESS RISK
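The prioritization rule on this slide (Threat * Weakness * Business Value = Risk) as an added Python example, not from the original deck: it joins an incident queue to asset data, scores each incident, orders the remediation queue by business risk and lists who to inform, with an asset missing from the inventory routed for classification instead of being scored silently. Ticket ids, asset names, owners and scale values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    owner: str            # business unit that has to be informed of an incident
    business_value: int   # 1 (low) .. 5 (critical), maintained in the asset inventory

@dataclass
class Incident:
    ticket: str
    asset: str
    threat: int    # 1..5: capability / likelihood of the threat behind the alert
    weakness: int  # 1..5: exposure of the asset (unpatched, internet-facing, ...)

# Constructed asset inventory and incident queue (not from the deck).
ASSETS = {
    "core-banking-db": Asset("core-banking-db", "Retail Banking", 5),
    "hr-portal": Asset("hr-portal", "Human Resources", 3),
    "cafeteria-kiosk": Asset("cafeteria-kiosk", "Facilities", 1),
}
INCIDENTS = [
    Incident("INC-1001", "cafeteria-kiosk", threat=5, weakness=5),  # noisiest, lowest value
    Incident("INC-1002", "core-banking-db", threat=3, weakness=2),
    Incident("INC-1003", "hr-portal", threat=4, weakness=3),
    Incident("INC-1004", "unknown-box", threat=2, weakness=2),      # not in the inventory
]

def risk_score(inc, assets=ASSETS, default_value=3):
    """Threat * Weakness * Business Value; an unclassified asset gets a
    middle value so it is neither ignored nor allowed to jump the queue."""
    asset = assets.get(inc.asset)
    value = asset.business_value if asset else default_value
    return inc.threat * inc.weakness * value

def prioritize(incidents=INCIDENTS, assets=ASSETS):
    """Return the remediation queue, highest business risk first, with the
    stakeholders to inform and the next action for each ticket."""
    queue = []
    for inc in incidents:
        asset = assets.get(inc.asset)
        queue.append({
            "ticket": inc.ticket,
            "asset": inc.asset,
            "risk": risk_score(inc, assets),
            "notify": [asset.owner, "SOC"] if asset else ["Asset Management", "SOC"],
            "action": "remediate" if asset else "classify asset, then reassess",
        })
    return sorted(queue, key=lambda q: q["risk"], reverse=True)

if __name__ == "__main__":
    for item in prioritize():
        print(item)
```

The kiosk alert with the highest threat and weakness scores lands third, behind the lower-scoring incidents on assets the business actually depends on.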
44. SOC AND BUSINESS EXPECTATION
Historical (Technology Based Services):
• Monitoring & Management: Firewalls, IDS/IPS, VPN Concentrators, Antivirus, Content-Filtering
• Security Control Assessment
• Enforcing enterprise security policies
• Log Management
• Incident Management
• Audits
Today's Scenario (Business Oriented):
• IT Risk Management
• IT Risk Dashboard
• Sustaining Enterprise Security Control
• Meeting Industry Process
• Compliance Driven
45. SOC ANATOMY
Proactive IT Risk Management cycle:
1. Identify & Define
  - Identify Business units & services
  - Identify Applicable Regulations
  - Discover & Classify Assets
  - Assign Values to assets
  - Define Policies, procedures, standards & Guidelines
  - Establish process
2. Threats & Vulnerability identification
  - Identify Threat sources
  - Identify Potential threats
  - Scan Assets for vulnerabilities
  - Prioritize Vulnerabilities
  - Identify existing Control mechanism
  - Review existing mitigation plan
  - Review Procedures & process
  - Review existing control mechanism
3. Impact Analysis & Risk determination
  - Analyze Likelihood of threat exploitation
  - Identify Magnitude of impact on business
  - Prioritize Risks
4. Risk Mitigation
  - Control recommendation & benefit analysis
  - Prepare/Modify Risk Mitigation Plan
  - Execute mitigation Plan / Implement new controls
5. Verify Control effectiveness
  - Conduct tests to verify control is effective
  - Verify control mechanism
  - Report residual risk
  - Management signoff for residual risk
6. Monitor & Analyze
  - Monitor environment continuously for new threats & vulnerabilities
  - Analyze risk is acceptable
46. SOLUTION MAPPING TO SOC SERVICES
Phases: Threats & Vulnerability identification (Zero Day Attack Detection); Impact Analysis & Risk Determination; Risk Mitigation; Monitor & Analyze
Services mapped to these phases:
• Vulnerability Assessment
• Penetration Testing
• Infrastructure Assessment Service
• Recommendation of Security Control
• Implementation of Security controls
• Security Device Management
• End User Security Control
• 24x7 Monitoring of security events
• Enterprise Incident Response
• Enterprise Risk Dashboard
• Compliance Reports
• Etc, etc
47. SOC ARCHITECTURE
Data-Center 1 … Data-Center n (server farms and storage), connected over the Corporate WAN to other business units and to the SOC.
SOC Centralized Management:
• L1 (Portal): Performance Monitoring, Security Monitoring, Availability Monitoring, Scheduled Reporting, Support
• L2 (Risk Monitoring): Risk Assessment, Manage Performance, Manage Availability, Trend analysis and Reporting, Compliance Management
• L3: Threat Analysis, Risk Mitigation Plan, Control Verification, Compliance impact analysis, Manage new requirements
Process Framework: ITIL, Best Practice, ISO 27001, SANS, FDDI
51. SOC OPERATIONAL MODEL (PROCESS)
Network SOC, with industry sources and the tool footprint; dashboard view via portal.
Inputs: Firewalls, IDS, Syslogs, SNMP, raw log data
Agent: collect & normalize log data
Manager: alerts and normalised alerts, consolidated logs; asset vulnerability information and asset criticality & action
Real Time Security Analysis -> Real Time Alert Management -> Response & Management; remote management from the SOC
52. SOC OPERATIONAL MODEL (TECHNOLOGY)
Analyze: Baseline, Correlated Alerts, Report, Realtime Analysis, Interactive Forensics, Integrated Query, Incident Mgmt., Event Explorer
Manage
Collect: UDS (Universal Device Support)
Supported Devices: Windows Server, Netscreen Firewall, Cisco IPS, Juniper IDP, Microsoft ISS, Trend Micro Antivirus, Legacy Device
54. INTEGRATED CMDB
CMDB Data: Config Items, Work Items, Relationships
Configuration Management Database (CMDB) features:
• Connectors sync data with external systems
• Create, update, and view CIs
• Create relationships among CIs, WIs, IT staff, and Active Directory® Domain Services (AD DS) users
• Automatically track CI change history
• Service definition and mapping
Integrated | Efficient | Business
55. WHAT OUR CUSTOMER DATA TELLS US
Operational issues account for 76% of Critical Situations (CritSits):
• 48% misconfiguration (33% were due to installation issues, 67% to POST installation ‘changes’)
• 22% are how-to related (poor / improper operations of the environment)
• 6% due to KNOWN bugs - 3% already fixed
Other causes:
• NEW bugs
• 21% is everything else combined (“unclassified” or ‘other’)
56. INCIDENT MANAGEMENT
KEEP USERS AND DATA CENTER SERVICES UP AND RUNNING, AND RESTORE
SERVICE QUICKLY
• Process workflows
• Escalations
• Notifications
• Customizable templates
• Knowledge & History
• Automatic incident creation
• Desired Configuration Monitor (DCM) errors
• Operations Manager alerts
• Inbound Email
• Portal
57. CASE MANAGEMENT
ENABLES ORGANIZATIONS TO IDENTIFY AND TRACK PROBLEMS
• Problem creation from similar incidents or attacks
• Link Incidents and Change requests to problem
• Auto resolution of Incidents linked to the Problem
58. CHANGE MANAGEMENT
MINIMIZE ERRORS AND REDUCE RISK
• Typical Change Models
• Standard, Major, Emergency…
• Review and Manual activities
• Customizable Templates
• Workflows and Notifications
• Analyst Portal
• Approvals via Web
• Relate Change Requests to Incidents, Problems and Configuration Items
60. INVESTIGATIONS AND FORENSICS
• Being able to investigate and manipulate data
• Visualization
• Post-event correlation
• Managing by case / incident
• Chain of custody
• Integrity of data
62. II. CSIRT
- Organization decision of building a team based on size and ROSI
- Compose the team or select members who can escalate and take the initial necessary action
- Train the team on the most common situations and scenarios
- Acquire the required tools