This presentation discusses why and how security programs are dying: the fragmentation of people, processes, and technology; how to defragment people, processes, and technology; and what your organization can do to resolve this.
9–16. All material confidential and proprietary
[Swimlane diagram built up across slides 9 to 16, with lanes INTEL, SOC, IR, Vuln Mgmt, Risk Mgmt and Leadership. The lane assignment below is inferred from the order in which the slides add each step.]

INTEL
    Receives intel on new threat
    RFI + research yields more context
    Pivot on new info
    Complete intel report
    Expanded IOCs, context

SOC
    IOCs trigger alert in SIEM
    Triages event, determines incident
    Expanded indicator set detects additional affected assets
    Expanded IOCs, content for monitoring
    Retroactive search/sweeps aka "hunting"

IR
    IOCs, TIPs to IR team to aid informed response
    Begins response w/affected system
    Investigation artifacts sent to intel
    Investigation determines containment, recovery begins
    Incident and response report

Vuln Mgmt
    Intel on exploit capability, vulnerability scan
    Search for other exploitable assets
    Additional exploit target intel
    Address exposed vulnerabilities

Risk Mgmt
    Notice of risk-relevant event w/basic intel report
    Kicks off risk assessment
    Determines potential scope
    Immediate remedial actions to lower risk
    Corrective actions to treat risk
    Risk communication & sign-off

Leadership
    Risk communication to Sr. Mgmt
    Decision to involve legal, 3rd parties, etc.
    After action review read out to Sr. Mgmt
    After-action review
Fragmented Actions
Fragmented Teams
Fragmented Technologies