I don’t actually run this SOC (or any other) 🙂 But…but, as a certified “blue team” member, I’m pretty excited with the crop of new companies and ideas that are springing up in the area of SOC analysis, Deception technology, Lateral/external movement, etc. Some of the cool new(ish) vendors that I am falling deeply in love with will be briefly enumerated below…If I was running a SOC, here are some vendors (or technologies) that I would have to add on top of the existing players (centralized logging, scan vuln data, IDS/IPS data, firewall/proxy data, etc.)
“The Florentine Deception”, Carey Nachenberg, 2015, 978-1-5040-0924-9,
%A Carey Nachenberg http://florentinedeception.com
%C 345 Hudson Street, New York, NY 10014
%G 978-1-5040-0924-9 150400924X
%I Open Road Distribution
%O U$13.49/C$18.91 www.openroadmedia.com
%O Audience n+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P 321 p.
%T “The Florentine Deception”
It gets depressing, after a while. When you review a bunch of books on the basis of the quality of the technical information, books of fiction are disappointing. No author seems interested in making sure that the technology is in any way realistic. For every John Camp, who pays attention to the facts, there are a dozen Dan Browns who just make it up as they go along. For every Toni Dwiggins, who knows what she is talking about, there are a hundred who don’t.
So, when someone like Carey Nachenberg, who actually works in malware research, decides to write a story using malicious software as a major plot device, you have to be interested. (And besides, both Mikko Hypponen and Eugene Spafford, who know what they are talking about, say it is technically accurate.)
I will definitely grant that the overall “attack” is technically sound. The forensics and anti-forensics makes sense. I can even see young geeks with more dollars than sense continuing to play “Nancy Drew” in the face of mounting odds and attackers. That a vulnerability can continue to go undetected for more than a decade would ordinarily raise a red flag, but Nachenberg’s premise is realistic (especially since I know of a vulnerability at that very company that went unfixed for seven years after they had been warned about it). That a geek goes rock-climbing with a supermodel we can put down to poetic licence (although it may increase the licence rates). I can’t find any flaws in the denouement.
But. I *cannot* believe that, in this day and age, *anyone* with a background in malware research would knowingly stick a thumb/jump/flash/USB drive labelled “Florentine Controller” into his, her, or its computer. (This really isn’t an objection: it would only take a couple of pages to have someone run up a test to make sure the thing was safe, but …)
Other than that, it’s a joy to read. It’s a decent thriller, with some breaks to make it relaxing rather than exhausting (too much “one damn thing after another” gets tiring), good dialogue, and sympathetic characters. The fact that you can trust the technology aids in the “willing suspension of disbelief.”
While it doesn’t make any difference to the quality of the book, I should mention that Carey is donating all author profits from sales of the book to charity:
copyright, Robert M. Slade 2015 BKFLODEC.RVW 20150609
In our world today, we have an abundance of many things, among which are –unexpected events. Falling meteorites, terrorist attacks, hacktivist demonstrations, blackouts, tsunamis…. well, you get the point.Now, although the majority of events I just mentioned probably fall into a Disaster Recovery category, they are nonetheless events that greatly impact our personal lives and disrupt the normal ebb and flow of the daily routine.On the professional side of life, there are also incidents that,although classified on a lower scale than a disaster, still create much disruption and depending on how they are handled, can have a long-lasting impact to the flow of business. The purpose of this article is to discuss some suggested methods of how to go about building an incident response team and related procedures that will enable this group to respond to these events expeditiously.
Before we start to discuss the mechanics behind building this elite group of technical emergency responders, let’s understand what we’re up against. First of all, let’s get our terminology straight. What exactly am I referring to when I use the term – “event” and “incident“? To give this article some context, consider the following definitions courtesy of Merriam Webster…
- An incident is defined as “an occurrence […] that is a separate unit of experience”.
- An event can be defined as “something that happens: an occurrence” or “a noteworthy happening”.
Let’s break this down;if we use the example of a small electrical fire in the basement of a building, this can be categorized as an individual “incident” or as a “separate unit of experience”. Now, if this incident is not handled properly, it can escalate and possibly grow to become a fire so large that it consumes the entire building. The incineration of the building can be categorized as an “event“, which is sort of an umbrella term that groups causes and effects for the entire disaster or “noteworthy happening” into one category.
Applying this understanding to the enterprise, items such as a data breaches, hacking attempts, critical server crashes, website defacement or social engineering attempts can be classified as individual “incidents”. This is because they may affect business or the corporate reputation but may not completely halt the business flow of the company. If not addressed properly, these incidents,although small,could escalate and succeed in completely halting the business,resulting in a disaster or large scale “event“. Hopefully, this explanation clarifies the difference between events and incidents as this understanding will determine how each occurrence is handled. This now brings us to our next section…
PLANNING AN INCIDENT RESPONSE PROCESS
This step can seem daunting if you’ve never been involved with Incident Response or you’re trying to decide where a process like this might fit in to your particular environment. How can we go about organizing all the related business groups, technical areas and how can we find out if we’re missing anything?The good news is that in the majority of cases, there is already some type of set process that is followed whenever incidents occur. Some problems that come up, however, could be that the process may not be documented and since it’s an informal process, there is a great chance that core response components are missing or have been overlooked. The benefit to identifying any existing process that your organization may have is that it is much easier to train employees using a foundation with which they are already accustomed to. It may also be much easier to gain upper management’s support and buy-in for a process that is actively being followed albeit – informally.This support is necessary because management’s support will be needed for any funding that is required and for the allocation of time for the individuals that will be forming part of the official team. Without this support, it’s possible that your project will never get off its feet or after all the hard work,the process could be scrapped or drastically changed and then it’s back to the proverbial drawing board. This can beextremely frustrating so be sure to do your homework, identify any area that may already be built and if appropriate, incorporate this into your draft IR process.This way you’ll have a deep understanding of how the process should flow when having discussions with upper management and be able to defend any modifications, enhancements or complete overhauls.
Keep in mind that when speaking with management, your initial draft is just that – a draft. Be prepared to have a detailed conversation so you can understand what their expectations are and that you properly define what your incident process is providing. It’s possible that in these initial conversations you will identify areas that need to be modified or added.If this step is not accomplished correctly,it’s possible that the functions of your future IR team will not be understood or properly recognized.This could result in your process not being properly advertised to the enterprise, in which case it simply becomes just another “informal process”. Be sure to gain managements approval, communicate and advertise your new structure so that when an incident does occur, your new framework will be used.This will eliminate any overlap and ensure that the authority of the members of your future IR team remains fully recognized.
Some other questions that you may ponder along the way:
- How far will IR processes be able to reach?
- Who will make up the IR Team’s client base?
The first question relating to the reach of the IR process speaks to cases where critical services and applications are provided by external third parties. In these cases, you will have to decide on how far the IR process will flow and if a “hand-off” needs to occur. This needs to be explored at length since this will make your resolution process dependent on the efforts of an outside entity.
Questions like these are highly important because in the case of many enterprise environments, there are multiple areas that are critical to business operations. This brings us to the second question regarding the IR client base. This refers to subsidiaries or operating companies that, although separate, may fall under the auspices of the parent organization. You need to understand the relationship to these companies and if they provide critical applications, services and other related business functions. More than likely, these entities will also have to fall under the scope of your IR process and it will be necessary to identify key stakeholders at those locations to support your IR. This begs the question… who should form part of the Incident Response team?
INCIDENT RESPONSE ROLES AND RESPONSIBILITIES
Depending on what you read, you may find different titles and roles for Incident Response. The following listing is an outline of some roles and responsibilities that I used when building an IR plan at a past employer. Each environment is unique, so you will need to research your own requirements and then tailor a plan that meets your needs. Generally, the types of roles that should exist within an IR function are:
Incident Response Officer – This individual is the Incident Response champion that has ultimate accountability for the actions of the IR team and IR function. This person should be an executive level employee such as a CISO or other such corporate representatives. It would be very beneficial if this individual has direct reporting access to the CEO and is a peer of other C-level executives.
Incident Response Manager – This person is the individual that leads the efforts of the IR team and coordinates activities between all of its respective groups. Normally, this person would receive initial IR alerts and be responsible for activating the IR team and managing all parts of the IR process, from discovery, assessment, remediation and finally resolution. This individual reports to the Incident Response Officer.
Incident Response Assessment Team – This group of individuals is composed of the different areas serviced by the IR team. This allows expertise from every critical discipline to weigh in on classifications and severity decisions once an incident has been identified. It is very beneficial to have representatives from IT, Security, Application Support and other business areas. In the event of an incident, the IR Manager would gather details of the incident from the affected site, begin tracking and documentation (possibly through an internal ticket management system) and then activate the Assessment Team. This group would then discuss the details of the incident and based on their expertise and knowledge of the business, would then be able to assign an initial severity. This team reports to the IR Manager.
Remote Incident Response Coordinator – This role should be assigned to qualified and capable individuals that are located in other geographic areas. These individuals ultimately report to the Incident Response Manager but in their geographic region, they are recognized as IR leaders. This will allow these assistants to manage the efforts of local custodians during an incident. This configuration is very useful, especially for organizations that have offices in multiple time zones. If an IR Manager is located in the United States but an incident occurs in a Malaysian branch, it will be helpful to have a local security leader that is able to direct efforts and provide status updates to the Incident Manager. This way, regardless of the time zone the correct actions will be invoked promptly.
Incident Response Custodians – These individuals are the technical experts and application support representatives that would be called upon to assist in the remediation and resolution of a given incident. They report to the Incident Response Manager or to the Remote IR Coordinator(s) depending on their location(s).
Once you’ve been able to identify the proper stakeholders that will form your team, you will have to provide an action framework they’ll be able to use when carrying out their responsibilities. Think of this “action framework” as a set of training wheels that will guide your IR team. What does this mean? Let’s move on to the next section to discuss this…
INCIDENT RESPONSE PROCESS FLOW
A part of outlining this framework involves the identification of IR Severity Levels. These levels will help your team understand the severity of an event and will govern the team’s response. Some suggestions for these levels are the following:
|SEVERITY LEVEL||LEVEL OF BUSINESS IMPACT||RESOLUTION EFFORT REQUIRED|
|SEVERITY 1||LOW||LOW EFFORT|
|SEVERITY 2||MODERATE||MODERATE EFFORT|
|SEVERITY 3||HIGH||EXTENSIVE, ONGOING EFFORT|
|SEVERITY 4||SEVERE||DISASTER RECOVERY INVOKED|
Earlier in this article, I mentioned the benefit of identifying any existing informal process that your company may already be following. If so, it will now be necessary for you to step through that process mentally, keeping in mind your identified severity levels so that you can start to document each step of the process. You will undoubtedly start to remove irrelevant portions of the informal process but may opt to keep certain items in place. (For example, certain notification procedures may still be useful and you may continue to use these in your new IR process to alert members of your team). If you don’t have a starting point like this and you’re starting from scratch, then perhaps the following suggestions can provide some direction.
Start to create a documented action script that will outline your response steps so your IR Manager can follow them consistently. Your script should show steps similar to the following:
|2||IR Manager alerted|
|3||IR Manager begins information gathering from affected site|
|4||IR Manager begins tracking and documentation of incident|
|5||IR Manager invokes Assessment Team
(Details of call bridge or other communication mechanism)
|6||Assessment Team reviews details and decides on Severity Level of incident.|
|7||IF SEV 1 = PROCEED TO STEP #11.0|
|8||IF SEV 2 = PROCEED TO STEP #12.0|
|9||IF SEV 3 = PROCEED TO STEP #13.0|
|10||IF SEV 4 = PROCEED TO STEP #14.0|
|FOR SEVERITY LEVEL 1 – Proceed with following sequence|
|11.0||Determine attack vectors being used by threat|
|11.1||Determine network locations that are impacted|
|11.2||Identify areas that fall under “Parent Organization”|
|11.3||Identify systems or applications that are impacted|
|FOR SEVERITY LEVEL 2 – Proceed with following sequence|
|12.0||Determine attack vectors being used by threat|
|12.1||Alert Incident Officer to Severity 2 threat|
This of course is an extremely high level example, but as you can see, it is possible to flesh out the majority of the process with specific action items for each severity level. Be sure to thoroughly research your unique environment to develop a process that fits your needs. You may have to add custom steps to cover incidents that span multiple countries and subsidiaries. Once you’ve created your process.you may want to consider developing small wallet size scripts for the members of your Assessment Team and other key players on which you will need to depend to make this run efficiently. In this way, each member will have necessary information on hand that will allow them to respond as expected.
This article just scratches the surface of the work that is required to build a full IR process but hopefully this has given you some direction and additional areas to explore when planning your next IR project!
- O’Reilly Incident Response – Kenneth R. vanWyk and Richard Forno
Email retention policies are no longer just about conserving space on your Exchange server. Today you must take into account how your email retention controls increase or decrease risk to your company.
Pros and Cons of Short and Long Email Retention Policies
Generally speaking, longer email retention policies increase the risk that a security vulnerability or unauthorized user could expose your company’s secrets or embarrassing material. Long policies also increase your company’s exposure to legal examination that focuses on conversations and decisions captured in emails (this is also known as the “paper trail” in an “eDiscovery” process).
Shorter email retention policies help avoid these problems and are cheaper to implement, but they have their own significant disadvantages as well. First, short policies tend to annoy long-term employees and often executives, who rely on old email chains to recollect past decisions and the context in which they were made. Second, short policies may violate federal, state, local and/or industry regulations that require certain types of information to be retained for a minimum period of time – often years!
Best Practices to Develop Your Email Retention Policy
Obviously, you must balance these factors and others when you develop your own email retention policy, but there are a number of best practices that can help you draft and get support for a solid email retention policy. Today, I’ll be covering five practices often used by effective professionals and managers.
Email Retention Policy Best Practice #1: Start With Regulatory Minimums
Your email retention policy should begin by listing the various regulations your company is subject to and the relevant document retention requirements involved with each regulation.
Every industry is regulated differently, and businesses are often subject to different tax, liability and privacy regulations depending on the locations in which they do business. However, some common recommended retention periods include:
- Internal Revenue Service (US IRS): seven (7) years
- Payment Card (PCI DSS): one (1) year
- California Franchise Tax Board (CA FTB): four (4) years
- DISA Security Technical Implementation Guides (STIG): one (1) year
- Many State Revenue Departments: three (3) years
- HIPAA Section 164: six (6) years
If a retention period is not known for a particular type of data, seven years (the minimum IRS recommendation) is often used as a safe common denominator.
Email Retention Policy Best Practice #2: Segment As Necessary To Avoid Keeping Everything For the Legal Maximum
As you can see from the list above, recommended retention periods vary widely even within highly regulated industries. With that in mind, it often pays to segment different types or uses of email into different retention periods to avoid subjecting your entire online email store to the maximum email retention period.
Segmentation by type of content looks something like this:
- Invoices – 7 years
- Sales Records – 5 years
- Petty Cash Vouchers – 3 years
Segmentation by type of use looks something like this:
- Administrative correspondence (e.g., human resources) – 5 years
- Fiscal correspondence (e.g., revenue and expenses) – 4 years
- General correspondence (e.g., customer interactions, internal threads) – 3 years
- Ephemeral correspondence (e.g., everything else business-related) – 1 year
- Spam – not retained
Mixed segmentation is also often common and looks something like this:
- Human resources – 7 years
- Transaction receipts – 3 years
- Executive email – 2 years
- Spam – not retained
- Everything else (e.g., “default retention policy”) – 1 year
The rules and technologies you use to inspect, classify and segment can vary from simple sender- and subject-matching to sophisticated engines that intuit intent and history. (Unfortunately, space does not permit us to examine these technologies here, but trust me – they exist!)
Email Retention Policy Best Practice #3:
Draft a Real Policy…But Don’t Include What You Won’t Enforce
A written policy, approved by legal counsel and senior management, will give you the requirements and authority to implement all the IT, security and process controls you need. If you haven’t seen a full retention policy yet, please take the time to search the web for a few, such as this template from the University of Wisconsin. (Go Badgers! Sorry…proud alum.)
Note that many “email retention policy” documents (including the UW template) cover much more than email! In general, this is OK because a “document policy” gives you what you need to implement an “email policy”, but you’ll want to make a point of talking the “document vs. email” terminology through with your legal team before you finalize your policy.
A good written policy (again, including the UW template) always contains these sections:
- Purpose: why does this policy exist? If specific regulations informed the creation of this policy, they should all be listed here.
- Retention time, by segment: how long various types of content or content used in a particular manner must be retained (the UW template segments by type of content). Durations are often listed in years, may include triggers (e.g., “after X”) and may even be “Permanent”.
- Differences between “paper” and “electronic” documents: ideally, none.
- What constitutes “destruction”: usually shredding and deleting, often “secure deletion” (e.g., with overwriting) and degaussing of media where applicable.
- Pause destruction if legal action imminent: your legal department will normally add this for you, but you can show off your legal bona fides by including a clause instructing IT to pause automatic email deletion if the company becomes the subject of a claim or lawsuit (this is also called a “litigation hold”).
- Who is responsible: typically everyone who touches the documents, often with special roles for certain titles (e.g., “Chief Archivist”) or groups (e.g., “legal counsel”).
Good written policies omit areas that you won’t or can’t support, especially types of segmentation you will not be able to determine or support. Good policies also refer to capabilities and requirements (e.g., offsite archival) rather than specific technologies and processes (e.g., DAT with daily courier shipments).
Email Retention Policy Best Practice #4: Price Preferred Solution and Alternatives By Duration and Segment
Let’s pretend that you have a policy like the following:
- All email: retain on fast storage for 18 months
- Purchase transaction emails : also archive to offline storage until 5 years have passed
- Legal emails: also archive to offline storage until 7 years have passed
- “Fast storage” = accessible through end user’s email clients through “folders”; normally only individual users can access, but administrators and archival specialists (e.g., the legal team) can access too
- “Offline storage” = accessible through internal utility and search; only administrators and archival specialists (e.g., the legal team) can access
To price an appropriate solution, you would restate your requirements based on number of users, expected volume of email and expected rate of growth. For example, in a 500-person company where each user averaged 1MB and 100 messages of email a day, there were 5000 additional transaction emails (total 50MB) a day and 100 additional legal emails (total 20MB) a day, and volumes were expected to increase 10% per year, here’s how we might estimate minimum requirements for the next seven years:
- All email: 18 months x 1MB/day-person x 30 days/month x 500 people = 270GB x 1.8 (about 10% increase in 6 years) = 486GB email server storage
- Purchase transaction emails: 5 years x 12 months/year x 30 days/month x 50MB/day = 90GB x 1.8 = 162GB email archive storage
- Legal emails: 7 years x 12 months/year x 30 days/month x 20MB/day = 50GB x 1.8 = 91GB email archive storage
- TOTAL: 486GB server + 253GB archive
However, after you’ve priced out your preferred solution, you still need to be prepared to handle alternatives that may result from discussions with legal or your executive team. For example, if the executive team pushes your 18 month blanket retention to 3 years and the legal team “requires” that its emails are always in near-term email storage, how would that change your requirements and pricing?
- All email: 36 months x 1MB/day-person x 30 days/month x 500 people = 540GB x 1.8 (about 10% increase in 6 years) = 972GB email server storage
- Purchase transaction emails: 5 years x 12 months/year x 30 days/month x 50MB/day = 90GB x 1.8 = 162GB email archive storage
- Legal emails: 7 years x 12 months/year x 30 days/month x 20MB/day = 50GB x 1.8 = 91GB email server storage
- TOTAL: 1063GB server + 192GB archive (e.g., DOUBLE your realtime storage!)
Long story short, if you can figure out your own rule-of-thumb per-GB price for the various types of storage necessary to support your archiving scheme (as well as licensing considerations, including any per-message or per-type-of-message rules) you’ll be better prepared for “horse trading” later in the approval process.
Email Retention Policy Best Practice #5: Once You Draft Your Policy, Include Legal Before the Executives
If you’re still reading this, chances are good that you (like me) are a senior IT or security professional, or are perhaps even a manager. If you’ve drafted other IT policies, such as an “acceptable use” policy, your first instinct might be to keep your legal team out of the process until your new policy has snowballed down from your IT-based executive sponsor. This is almost always a mistake.
The main reason legal should be included as soon as you have a draft is that two of the best practices listed above (regulatory minimums and viability of segmentation) are really legal’s call – not yours! You will have saved legal a lot of legwork by researching the main drivers of email retention policy and the technical controls you can use to enforce the policy, but at the end of the day legal will be called upon to defend the company’s decision to keep or toss critical information, so legal will need to assign the final values to your policy limits.
A second reason to include legal before your executives is that you want to present a unified front (as IT and legal) on your maximum retention limits. Once you get into negotiations with your executive team, legal will likely be pushing for even shorter limits (because it limits the threat of hostile eDiscovery) and the executives will be pushing for even longer limits (because email is their old document storage). This puts you (as IT) in the rational middle and gives your policy a good chance of making it through the negotiations relatively unscathed.
The final reason you want to include legal early is that their calls may force you to reprice the options you laid out before you talked to them, and may cause you to take some options off the table. If you reversed the process and got executives to sign off on a solution that got vetoed by legal and sent back to the executive team for a second round of “ask,” I think you know that no one would be happy.
Conclusion: Your Email Retention Policy Will Be Your Own
Given all the different constraints your organization faces and all the different ways your interactions with your legal and executive team could go, it would be impossible for me to predict what any company’s email retention policy would be. However, if you follow these five best practices when you develop your own, you stand a better-than-average chance of drafting an email retention policy that’s sensible, enforceable, and loved by legal and top management alike.