tactical and practical incident response in the
play

Tactical and Practical Incident Response in the Cybersecurity Age - PowerPoint PPT Presentation

Aug 03, 2023 •232 likes •676 views

Tactical and Practical Incident Response in the Cybersecurity Age Nationwide Childrens Hospital a Complex Organization 1.2 Million annual visits 60+ locations > 15k user accounts More than a hospital HIPAA, FISMA,

  1. Tactical and Practical Incident Response in the Cybersecurity Age

  2. Nationwide Children’s Hospital… a Complex Organization • 1.2 Million annual visits • 60+ locations • > 15k user accounts • More than a hospital • HIPAA, FISMA, PCI, FDA and other compliance requirements

  3. So…things can happen!

  4. And NCH is not alone! • The total number of reported data breaches reached an all time high of 3,930 in 2015, exposing over 736 million records. (https://blog.datalossdb.org/analysis/) • 2015 healthcare security breaches: a long list (http://www.healthcareitnews.com/slideshow/2015- healthcare-security-breaches-long-list) • As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are now posted in a new, more accessible format…( 83 in Q1 2016)

  5. Incident Response is a MUST Have! 1. Fulfills a compliance requirement 2. Minimizes the Impact of an event to the organization 3. Protects the organization and the brand 4. Communicates with customers 5. Facilitates people knowing their role 6. Brings impacted services back online ASAP

  6. Objectives • Understand key roles and relationships within the incident response team as well as how the incident response team should relate to C-level governance structures • Gain insights and ideas to effectively test the incident response team and incorporate the lessons learned into the incident response program • Come away with some concrete ideas on how to make an incident response plan actionable

  7. Agenda • Preparation* – Incident response teams – Governance, roles & responsibilities – Testing the response • Detection & Analysis • Containment, Eradication, and Recovery • Post-Incident Activity* – Breach Analysis * Focus Areas

  8. Preparation

  9. Getting Started • Use a framework & guidance! - NIST 800-61 Computer Security Incident Handling Guide • Build relationships with key roles • Share knowledge and discuss industry events. What if that happened HERE?? • Be Satisfied with progress, because it won’t be perfect! • Everybody loves “the dirt”

  10. Incident Response Teams

  11. Incident Response Team Roles and Responsibilities • Team coordination and IR plan development Information • reporting incidents to governance team Security • Ensuring security related incidents are Officer managed effectively • Providing guidance on issues related to privacy • Developing appropriate communication to Privacy Officer impacted parties • Ensuring privacy related incidents are managed effectively • Ensuring legal obligations are met • Ensuring regulation is properly interpreted Legal and implemented

  12. Incident Response Team Roles and Responsibilities • Ensuring compliance obligations are met • Ensuring reporting is effective Compliance • Ensuring incidents are treated with consistency • Providing guidance regarding personnel issues HR • Communicating appropriate corporate messaging Public Relations/ Communication to internal and external parties • Providing physical security capability Physical • Facilitating communication to the CPD Security • Ensuring clinical staff is considered in all aspects Clinical of incident response • Ensuring the research institute is considered in all Research aspects of incident response

  13. External Team

  14. Technical Incident Response • Privacy and Confidentiality expectations • Small teams with broad knowledge – reach out to SME as needed • Tech team need training too – Right sizing security – Chain of Custody – Current events – Red Team practice • Tools and governance • Communication

  15. Governance Privacy & Security Advisory Committee Chief Operating Officer (COO) Chief Financial Officer (CFO) VP Research Operations Chief Information Officer (CIO) Corporate Compliance Officer (CCO) Privacy Officer Senior VP Legal Services Internal Audit Director Corporate Chief Information Compliance Officer Officer (CCO) (CIO) • Incident Response • Risk Management • Awareness & Training Information Security Officer • Policy • Vendor Management • Strategy

  16. Test the teams The following is a scenario created by the information security team at Nationwide Children’s Hospital for the sole purpose of testing the incident response team. None of these incidents are real, but they are realistic.

  17. Assign a clear owner Provide Guardrails Expect Excellence Expect Creativity

  18. Present a Scenario…and provide time to react ! Listen carefully, I represent an organization that has acquired significant amount if information from your hospital over several weeks. We require a payment from you to us in the amount of $5M. If you are willing to comply place a 1 inch solid black star in the upper right corner of your home page at nationwidechildrens.org. Contact will be made will be made with money transfer information at that time. Do not involve the police and do not ignore us. You have 8 hours.

  19. Add some Time Pressure You have not yet complied with our demands. If you chose not to we will release the 17,387 records in our possession onto the internet. To show you that we’re serious we have already released 25 of them for public viewing. You have one hour.

  20. Add Some New Information…make it real!

  21. Add a dash of Media…and some more information.

  22. Add a social media component, and create the need to escalate!

  23. Force a Decision

  24. Serve Lunch

  25. Debrief. Issue After Action Report • Executive Summary – Share with the governance team • Major Strengths • Primary Areas of Improvement • Areas requiring more education • Develop content and actions for your next team meetings

  26. Detection & Analysis

  27. Some Considerations • What are the likely sources of information in your environment? • Chain of Custody & eDiscovery • Who needs to be involved when staff are being interviewed? • When does a security event turn into a privacy issue? • Escalation to HICS

  28. Containment Eradication & Recovery

  29. Business Meets Technology - Containment • Unplug the Internet ??? • Who has authority to make the call? • Has the incident response team run enough scenarios to understand your organization’s complexity? • Are you confident your governance team supports you? • What communication is needed?

  30. Eradication & Recovery • How do I know it is gone? Use a risk-based approach to decide. • Can you recover?

  31. Post Incident Activity

  32. A BREACH… …an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information ….[and] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised…

  33. 4 Factors of Risk Assessment 1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; 2. The unauthorized person who used the protected health information or to whom the disclosure was made; 3. Whether the protected health information was actually acquired or viewed; and 4. The extent to which the risk to the protected health information has been mitigated.

  34. Exceptions to the definition of “breach.” …unintentional acquisition, access, or use of protected health 1. information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. …the inadvertent disclosure of protected health information by 2. a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. …if the covered entity or business associate has a good faith 3. belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

  35. Breach or no Breach? If suspected event Compromise occurred, preform indicated – compromise report as required assessment Exception – Did the disclosure meet one of the exceptions? Factor 3 - Whether the protected health information was actually acquired or viewed; Close – no reporting required

  36. Impact Analysis – Factor 1 Financial Reputational Personal • • • ID Theft (SSN, Sensitive Sensitive DL, CC) diagnosis diagnosis High • • Employer Revealing notified photos • • • MRN General Physician's Medium prescriptions Name • • • Publicly available Unidentifiable Appointment Low information photo reminder, non- sensitive Factor 1 - The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May 22, 2015 The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response

407 views • 13 slides
Incident Response & Evidence Incident Response & Evidence Incident Response &

Incident Response & Evidence Incident Response & Evidence Incident Response &

Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Management Management Management Management CIPS Brandon Chapter November 28 2002 Dr. Marc Rogers PhD,

629 views • 27 slides
GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response Investing in new talent & capabilities Incident response Cyber intelligence Digital forensics Security architecture Identity management

609 views • 42 slides
Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

6/19/2015 Incidents Are Not Necessarily Emergencies Incident Laboratory Incidences and An event thats likely to have adverse consequences Emergency Response Programs Emergency Unanticipated circumstances resulting in

564 views • 5 slides
Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016 Agenda Evaluation of Cybersecurity risks The attackers playbook Case study What can you do today Page 2 Evaluation of

622 views • 12 slides
BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF

BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF

5/20/2014 COURSE OUTLINE Purpose Building Incident Response Team Expectations BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF BIRT PURPOSE OF BIRT Prepare units to respond to a

342 views • 4 slides
T&R establish a MUTCD-compliant Traffic Incident Management Area Linear/Block Tactical

T&R establish a MUTCD-compliant Traffic Incident Management Area Linear/Block Tactical

MUTCD requires LE, F/R, EMS & T&R establish a MUTCD-compliant Traffic Incident Management Area Linear/Block Tactical Positioning Linear Positioning : This means that incident responder vehicles are positioned in a straight line

267 views • 22 slides
Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I?

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I?

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I? Professorial Lecturer Carnegie Mellon University 95-856 Incident Response Master of Information System Management The George Washington

1.29k views • 60 slides
Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council

Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council

Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council Traditional Incident Response But at the national level, incident response is a different game Implications for Misunderstandings between geeks and

541 views • 27 slides
BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP

BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP

BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT MIRG OOERATIONAL GUIDELINES The project developed the following operational guidelines: 1. Assessing the Safety Status of a Vessel

598 views • 16 slides
Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored

Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored

Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored By: Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Visit www.advisenltd.com at the end of this webinar to

498 views • 18 slides
Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security

Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security

Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security Engineer/Incident Responder Open source contributor (github.com/javuto) Former IBM, Facebook, Uber and Airbnb Current BitMEX Agenda Part 1:

981 views • 59 slides
PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub

PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub

PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub egan {husakm|cegan}@ics.muni.cz ECTCM 2014 Fribourg, Switzerland Outline Introduction, Phishing incident response, PhiGARo (phishing

270 views • 23 slides
Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline College NSF Grant Award #1800999 Agenda Background on Coastline College Need for Incident Response Professionals Overview Advisory

571 views • 14 slides
Tactical, SWAT, Emergency Response Operations 2013 Decision to Use the Team Subjective by

Tactical, SWAT, Emergency Response Operations 2013 Decision to Use the Team Subjective by

Legal & Liability Management Tactical, SWAT, Emergency Response Operations 2013 Decision to Use the Team Subjective by supervisor Risk Assessment Matrix Scoring Issues FAIRFAX, Va. -- The family of an optometrist who was

593 views • 23 slides
SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance

SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance

SW District Incident Response 1 Incident Management Coordinator 4 Motorist Assistance Operators 3 FillIn Motorist Assistance Operators from Maintenance 1 Work Zone Coordinator 2 MoDOT TMC Operators 1 City of Springfield

404 views • 24 slides
Center for Internet Security Confidence in the Connected World Northeast Headquarters 31 Tech

Center for Internet Security Confidence in the Connected World Northeast Headquarters 31 Tech

Center for Internet Security Confidence in the Connected World Northeast Headquarters 31 Tech Valley Dr., East Greenbush, NY 12061 Mid-Atlantic Headquarters 1700 North Moore St., Suite 2100, Arlington, VA 22209 Center for Internet Security 2

205 views • 19 slides
Resources for State, Local and Tribal Governments Greta Noble Senior Program Specialist MS-ISAC

Resources for State, Local and Tribal Governments Greta Noble Senior Program Specialist MS-ISAC

Federally-funded Cyber Threat Resources for State, Local and Tribal Governments Greta Noble Senior Program Specialist MS-ISAC 518.880.0740 Greta.noble@cisecurity.org State, Local, Tribal, or Territorial Government Entity 2 TLP: WHITE

562 views • 20 slides
Incident Response and its role in Protecting Critical Infrastructures Dr. Kaleem Ahmed Usmani

Incident Response and its role in Protecting Critical Infrastructures Dr. Kaleem Ahmed Usmani

Incident Response and its role in Protecting Critical Infrastructures Dr. Kaleem Ahmed Usmani Officer-In-Charge, Computer Emergency Response Team of Mauritius (CERT-MU) Presentation Outline What CERT-MU does? Critical Infrastructures

604 views • 32 slides
Cluster in Rhode Island Prepared by: In association with: June 14, 2010 Who We Are Boston

Cluster in Rhode Island Prepared by: In association with: June 14, 2010 Who We Are Boston

Evaluating a Video Game Cluster in Rhode Island Prepared by: In association with: June 14, 2010 Who We Are Boston headquartered global provider of technology-based research and consulting services. Practice area in digital media and

405 views • 12 slides
What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary

What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary

What is Ransomware? Ben Spear Director, EI-ISAC January 31, 2020 Confidential & Proprietary 1 Confidential & Proprietary Ransomware Overview Malware that blocks access to a system, device, or file until a ransom is paid

248 views • 11 slides
Power Production Quarterly Commission Update 10/8/19 Powering our way of life. Department

Power Production Quarterly Commission Update 10/8/19 Powering our way of life. Department

Power Production Quarterly Commission Update 10/8/19 Powering our way of life. Department Purpose and Goal Purpose: Provide safe, secure, economical, reliable and compliant power generation under the Priest Rapid Project Federal Energy

884 views • 53 slides
Community Preparedness Month September 2016 Compliment National Preparedness Month and Arizona

Community Preparedness Month September 2016 Compliment National Preparedness Month and Arizona

Community Preparedness Month September 2016 Compliment National Preparedness Month and Arizona Preparedness Month Get Citizens and Businesses thinking about personal preparedness Make them aware of various projects that the County is doing

404 views • 6 slides
Larry Clinton Barry Foer President Director of Policy & Membership lclinton@isalliance.org

Larry Clinton Barry Foer President Director of Policy & Membership lclinton@isalliance.org

Larry Clinton Barry Foer President Director of Policy & Membership lclinton@isalliance.org bfoer@isalliance.org 703-907-7028 703-907-7799 202-236-0001 ISA Board of Directors J. Michael Hickey , 1st Vice Chair Ty Sagalow, Esq ., Chairman

446 views • 43 slides

More recommend