{"id":1261,"date":"2016-12-09T00:00:00","date_gmt":"2016-12-09T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/12\/09\/ir-soc-news-8-december-2016\/"},"modified":"2021-12-30T11:39:03","modified_gmt":"2021-12-30T11:39:03","slug":"ir-soc-news-8-december-2016","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/12\/09\/ir-soc-news-8-december-2016\/","title":{"rendered":"IR SOC News 8 December 2016"},"content":{"rendered":"","protected":false},"excerpt":{"rendered":"<h2><a id=\"a_toc\" name=\"a_toc\">Table of Contents<\/a><\/h2>\n<ul>\n<li><font color=\"darkblue\">Resolver Expands its Global Footprint, Opening Offices in London and Christchurch, NZ as it Acquires Assets Related to Multiple Risk Management Apps<\/font><\/li>\n<li><font color=\"darkblue\">Navigating the Five Stages of Threat Hunting<\/font><\/li>\n<li><font color=\"darkblue\">The 4 Cs of Automated Incident Response<\/font><\/li>\n<li><font color=\"darkblue\">Pivoting Toward Cognitive Security: Benefits and Challenges<\/font><\/li>\n<li><font color=\"darkblue\">When the Boundary Isn\u2019t Enough: Accelerating Discovery, Investigation and Response<\/font><\/li>\n<li><font color=\"darkblue\">First CYBERPOL Security Operations Center to Open in USA with Protecting Tomorrow<\/font><\/li>\n<li><font color=\"darkblue\">Canada: Data Security Incident Response Plans \u2013 Some Practical Suggestions<\/font><\/li>\n<li><font color=\"darkblue\">10 Tips for Planning, Leading and Learning From a Cybersecurity Tabletop Exercise<\/font><\/li>\n<li><font color=\"darkblue\">Canadian Cyber Threat Exchange ready to start membership push<\/font><\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.przoom.com\/favicon.ico\" width=\"16\" height=\"16\" \/> <b>Resolver Expands its Global Footprint, Opening Offices in London and Christchurch, NZ as it Acquires Assets Related to Multiple Risk Management Apps<\/b><br \/>\nFollowing the voluntary administration process of Wynyard Group Limited of Auckland, New Zealand (wynyardgroup.com), Resolver has finalized the acquisition of Wynyard\u2019s Risk Management suite of products.<br \/>\nResolver has greatly expanded its customer base and global reach with the acquisition of the Wynyard Risk Management (WRM), Kairos Risk Management and Methodware Enterprise Risk Assessor (ERA) applications.<br \/>\nOver 150 customers using the WRM products will be provided with continued support and a long-term product roadmap through Resolver.<br \/>\nResolver will continue to provide customers on the WRM, Kairos, and ERA applications with ongoing product support, including product enhancements to the WRM product.<br \/>\nResolver is committed to building industry-leading applications with best-in-class capabilities for risk assessment, risk management, audit and compliance, incident management, security operations center management, and investigations. 
\u201cWe are committed to the continued development of WRM to support the needs of existing customers.<br \/>\nAt the same time, we\u2019re releasing our next generation technology to provide long-term direction for all Resolver customers,\u201d states Anderson.<br \/>\n<font color=\"blue\"><b>Link:<\/b><\/font> <a href=\"http:\/\/www.przoom.com\/news\/161942\/\">http:\/\/www.przoom.com\/news\/161942\/<\/a><\/p>\n<p><b>Navigating the Five Stages of Threat Hunting<\/b><br \/>\n<i>Tim Bandos<\/i><br \/>\nWelcome to another installment in our Guide to Threat Hunting series.<br \/>\nIn my previous posts in this series I have covered the fundamentals of threat hunting, what you should do to prepare to hunt for threats, and the tools and skills you\u2019ll need for threat hunting success.<br \/>\nThis post will cover the five stages of threat hunting and provide tips for each one.<br \/>\nThe day has come.<br \/>\nYou\u2019ve committed as a security organization to embark on an active threat hunting mission.<br \/>\nYou\u2019ve laid the groundwork with incident response processes and procedures, built a defensive architecture, and acquired the tools and skills you need for a successful hunt.<br \/>\nNow put on your camouflage and grab your ammo!<br \/>\nThe threat hunting process can be broken down into the following five stages:<br \/>\nStage One: Hunt for Known Prey<br \/>\nStage Two: Watch for Unknown Prey<br \/>\nStage Three: Bird Dog the Threats<br \/>\nEvery hunter needs a trusty hunting dog.<br \/>\nBird dogs are highly trained and bred specifically for the job at hand.<br \/>\nThe characteristics of a good bird dog (and how they apply to threat hunting) are:<br \/>\nStage Four: Ready, Aim<br \/>\nStage Five: Prepare for the Next Threat<br \/>\nAfter the threat passes and you resolve the incident, here are a few recommendations of things you should do to be ready to 
confront the next threat.<br \/>\n<font color=\"blue\"><b>Link:<\/b><\/font> <a href=\"https:\/\/digitalguardian.com\/blog\/navigating-five-stages-threat-hunting\">https:\/\/digitalguardian.com\/blog\/navigating-five-stages-threat-hunting<\/a><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.infosecisland.com\/favicon.ico\" width=\"16\" height=\"16\" \/> <b>The 4 Cs of Automated Incident Response<\/b><br \/>\n<i>Nathan Burke, Vice President of Marketing, Hexadite<\/i><br \/>\nIt\u2019s almost a certainty that you\u2019ve heard of the 4 Cs of diamond quality.<br \/>\nCreated by the Gemological Institute of America (GIA) in 1953 as an international standard for judging the most valuable characteristics of a diamond, the 4 Cs are cut, color, clarity and carat weight.<br \/>\nIt\u2019s also a clever mnemonic device to easily remember the four categories of evaluation.<br \/>\nThe First C: Connection<br \/>\nAny solution that intends to automate the process of responding to security alerts to investigate threats and remediate incidents must be able to integrate with its customers\u2019 existing security tools.<br \/>\nThe Second C: Capacity<br \/>\nAutomating incident response should add capacity.<br \/>\nThe Third C: Capability<br \/>\nAny automated incident response solution worth its weight (pun intended) should provide new capabilities that simply weren\u2019t possible otherwise.<\/p>\n<p>An automated system that can immediately launch parallel investigations based on what it learns from investigating one alert<br \/>\nA solution that can use 
artificial intelligence to compare and incriminate threats against intelligence feeds<br \/>\nA tool that can stop a ransomware attack in-progress<br \/>\nThe Fourth C: Confidence<br \/>\nAny automated IR system should be able to investigate everything in a timely way in order to give the customer the confidence that a front page headline isn\u2019t hiding in the backlog.<br \/>\n<font color=\"blue\"><b>Link:<\/b><\/font> <a href=\"http:\/\/www.infosecisland.com\/blogview\/24856-The-4-Cs-of-Automated-Incident-Response.html\">http:\/\/www.infosecisland.com\/blogview\/24856-The-4-Cs-of-Automated-Incident-Response.html<\/a><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/securityintelligence.com\/favicon.ico\" width=\"16\" height=\"16\" \/> <b>Pivoting Toward Cognitive Security: Benefits and Challenges<\/b><br \/>\n<i>Christophe Veltsos<\/i><br \/>\nSecurity leaders point to the incremental improvements they have made to increase their incident response capabilities and response times.<br \/>\nBut while defenders are making progress, albeit slow progress, attackers are keeping ahead, both in terms of attack frequency and their ability to evolve their approaches to thwart defenses and responders.<br \/>\nAnyone who has been in the field of information security long enough to track trends likely has that uneasy feeling that things haven\u2019t been getting better.<br \/>\nOn the defense side, we\u2019re barely keeping up.<br \/>\nAdditionally, organizations struggle to fill new security positions or even just retain their existing security staff.<br \/>\nThe following image illustrates the tough position IT is in today:<br \/>\nCognitive computing has the potential to shake up the cybersecurity landscape.<br \/>\nThis isn\u2019t lost on the security leaders surveyed for the IBM Institute for Business Value (IBV) report, \u201cCybersecurity in the Cognitive Era: Priming Your Digital Immune System.\u201d Given that many identified incident response and 
resolution speed as a top security concern, 57 percent of respondents pointed to the potential of cognitive computing to significantly slow the efforts of cybercriminals.<br \/>\nWhen the IBV team analyzed the patterns in the responses, three main groups emerged, corresponding to different classes of readiness on the path toward adopting cognitive security: organizations that are Pressured, those that are Prudent, and those that are Primed.<br \/>\nThe Pressured (52 percent) reported funding and staffing challenges and appeared to be less familiar with the benefits of cognitive computing than the other two tiers.<br \/>\nThe Prudent (27 percent) can be thought of as the middle ground.<br \/>\nThe Primed (22 percent) group is much more familiar with cognitive security benefits, has more confidence in the value it can bring and appears to command \u2014 or benefit from, depending on your perspective \u2014 the highest slice of funding relative to the IT budget.<br \/>\nNinety-two percent of Primed organizations reported having over 10 percent of the IT budget dedicated to security, compared to 81 percent for the Prudent, and only 55 percent for the Pressured.<br \/>\nThe Primed group also reported being more effective at communicating risk exposure effectively to executives and boards of directors (81 percent), compared to Prudent (67 percent) and Pressured (55 percent) organizations.<br \/>\nSimilarly, the Primed group reported having defined metrics to assess security operations for accuracy and productivity (74 percent), versus 62 percent for the Prudent and 57 percent for the Pressured.<br \/>\n<font color=\"blue\"><b>Link:<\/b><\/font> <a href=\"https:\/\/securityintelligence.com\/pivoting-toward-cognitive-security-benefits-and-challenges\/\">https:\/\/securityintelligence.com\/pivoting-toward-cognitive-security-benefits-and-challenges\/<\/a><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.infosecurity-magazine.com\/favicon.ico\" 
width=\"16\" height=\"16\" \/> <b>When the Boundary Isn\u2019t Enough: Accelerating Discovery, Investigation and Response<\/b><br \/>\n<i>Noam Rosenfeld, Verint Systems<\/i><br \/>\nBy taking very specific steps, you can significantly accelerate your discovery and response.<br \/>\n1. Create a unified threat picture<br \/>\n2. Mind the gap<br \/>\n3. Gather your data wisely<br \/>\n4. Think AI<br \/>\n5. Streamline your forensics<br \/>\n6. Strengthen team communications<br \/>\n7. Learn from your discoveries<br \/>\n8. Get automated<br \/>\n<font color=\"blue\"><b>Link:<\/b><\/font> <a href=\"http:\/\/www.infosecurity-magazine.com\/opinions\/accelerating-discovery\/\">http:\/\/www.infosecurity-magazine.com\/opinions\/accelerating-discovery\/<\/a><\/p>\n<p><b>First CYBERPOL Security Operations Center to Open in USA with Protecting Tomorrow<\/b><br \/>\nSAN DIEGO, Calif., Dec. 7, 2016 \/PRNewswire\/ CYBERPOL, The International Cyber Policing Organization, with headquarters currently located in the United Kingdom, announces a strategic partnership with Protecting Tomorrow, a United States Cyber Protection Organization whose headquarters are established in San Diego, California.<br \/>\nIn recent months, CYBERPOL received endorsements from major international players in the cyber security domain with involvement from both public and private sector organizations.<br \/>\nIn addition, CYBERPOL received support from law enforcement agencies active in the international cyber security landscape that have recognized the need for cross-border collaboration in support of the fight against global cyber crime.<br \/>\n<font color=\"blue\"><b>Link:<\/b><\/font> <a href=\"http:\/\/www.broadwayworld.com\/bwwgeeks\/article\/First-CYBERPOL-Security-Operations-Center-to-Open-in-USA-with-Protecting-Tomorrow-20161207\">http:\/\/www.broadwayworld.com\/bwwgeeks\/article\/First-CYBERPOL-Security-Operations-Center-to-Open-in-USA-with-Protecting-Tomorrow-20161207<\/a><\/p>\n<p><img 
loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.mondaq.com\/favicon.ico\" width=\"16\" height=\"16\" \/> <b>Canada: Data Security Incident Response Plans \u2013 Some Practical Suggestions<\/b><br \/>\n<i>Bradley J. Freedman<\/i><br \/>\nA data security incident response plan (an &#8220;IRP&#8221;) is a written plan, comprised of instructions, procedures, protocols and guidelines, designed to enable an organization to respond to, and recover from, various kinds of data security incidents in a way that minimizes resulting harm, reduces recovery time and costs and allows the organization to benefit from lessons learned.<br \/>\nIn many circumstances, an organization may be under a legal obligation \u2013 imposed by statute (e.g. personal information protection laws), contract (e.g. contractual confidentiality and data security obligations) or generally applicable common law or civil law (e.g. a duty of care) \u2013 to have an appropriate IRP.<br \/>\nIn those circumstances, failure to have an IRP may expose the organization and its directors and officers to potentially significant financial liability and other adverse consequences.<br \/>\nFollowing are some practical recommendations for an IRP:<br \/>\nBasic Requirements: An IRP should identify the incident response team members (both internal personnel and external advisors and consultants) and their respective roles and responsibilities, and set out the procedures they should follow to respond to and recover from a data security incident, to assess and mitigate the business and legal risks resulting from the incident and to take appropriate measures to prevent the same or a similar incident in the future.<br \/>\nActionable\/Practicable: An IRP should be a short, simple document that specifies reasonable tasks and achievable outcomes, assigns accountability to specific incident response team members, and provides guidance and advice to help the incident response team make important technical, business and 
legal decisions in a timely manner.<br \/>\nBest Practices\/Guidance: An IRP should be consistent with current best practices and guidance issued by relevant regulators and self-regulatory organizations.<br \/>\nFor recent examples, see BLG bulletins<br \/>\nLegal Compliance: An IRP should be consistent with applicable laws (including laws of general application and relevant sector-specific laws) in each relevant jurisdiction (e.g. jurisdictions where the organization is located and jurisdictions where customers are located) and obligations imposed by the organization&#8217;s contracts and commitments (e.g. the organization&#8217;s privacy policy).<br \/>\nLegal Advice and Legal Privilege: An IRP should mandate the involvement of legal counsel throughout the incident response process and should specify procedures to establish and maintain legal privilege protection for legal advice and technical investigations conducted for legal purposes.<br \/>\nInternal Communications: An IRP should include procedures and protocols for communications among incident response team members and for communications between incident response team members and other organization personnel, so that those communications are effective, secure and confidential even if the organization&#8217;s standard communications systems are compromised by the incident.<br \/>\nRecord Keeping: An IRP should include procedures and protocols for the incident response team&#8217;s creation of secure and confidential records regarding the incident and related response activities for use by the team while responding to the incident and to enable the organization to comply with legal record retention and breach notification requirements.<br \/>\nEvidence Collection: An IRP should include a protocol for the incident response team&#8217;s collection and preservation of physical and electronic evidence (e.g. 
system log files and surveillance tapes) for use in regulatory investigations and legal proceedings.<br \/>\nNotification and Information Sharing: An IRP should include guidelines for determining whether, when and how the organization should give notice of a data security incident to affected individuals, organizations, regulators (e.g. privacy commissioners), law enforcement and other persons (e.g. insurers).<br \/>\nReview: An organization should review its IRP on a regular basis to ensure that the IRP is consistent with the organization&#8217;s current circumstances, satisfies applicable business, technical and legal requirements, and reflects lessons learned from previous data security incidents and the organization&#8217;s testing, training and exercise program.<br \/>\nAn organization should have a testing, training and exercise (&#8220;TT&amp;E&#8221;) program to help ensure that the organization&#8217;s IRP is up-to-date and the organization&#8217;s personnel and information technology systems are in a state of readiness, so that the organization is able to respond to data security incidents in a timely, effective and lawful manner.<br \/>\n<font color=\"blue\"><b>Link:<\/b><\/font> <a href=\"http:\/\/www.mondaq.com\/canada\/x\/551144\/Security\/Data+Security+Incident+Response+Plans+Some+Practical+Suggestions\">http:\/\/www.mondaq.com\/canada\/x\/551144\/Security\/Data+Security+Incident+Response+Plans+Some+Practical+Suggestions<\/a><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.corpcounsel.com\/favicon.ico\" width=\"16\" height=\"16\" \/> <b>10 Tips for Planning, Leading and Learning From a Cybersecurity Tabletop Exercise<\/b><br \/>\n<i>Marcus Christian, Jeffrey Taft and Joshua Silverstein<\/i><br \/>\nEffective responses to cybersecurity incidents rely in large part upon three key elements: personnel, planning and practice.<br \/>\nAn organization&#8217;s incident response team must include capable personnel with the 
appropriate authority to act, requisite expertise and adequate training.<br \/>\nAn organization also needs a written plan customized to meet its business, industry and regulatory environment, among other things.<br \/>\nThe National Institute of Standards and Technology (NIST) recommends that organizations not only develop incident response plans, but also maintain them in a &#8220;state of readiness&#8221; and engage in exercises to &#8220;validate their content.&#8221; The potential vehicles for such tests can take many forms, but one of the most common and easy to implement is a &#8220;tabletop exercise.&#8221;<br \/>\nHere are 10 tips for planning, leading and learning from a tabletop exercise.<br \/>\n1. When to conduct a tabletop: To maintain and practice a plan, businesses should consider conducting a tabletop exercise on at least an annual basis, depending upon the organization&#8217;s threat profile.<br \/>\n2. How to initiate: &#8230; requires management buy-in and a commitment from participants.<br \/>\n3. What to focus on: A tabletop is a limited exercise; it cannot explore every threat or response process.<br \/>\n4. What to include: To add realism, tabletop scenarios can test coordination with other key programs, such as business continuity, disaster recovery and\/or compliance.<br \/>\n5. Whom to include: The participants should include all members of the incident response team and other appropriate stakeholders and parties.<br \/>\n6. How to plan: The value of this exercise will increase exponentially in relation to how much planning goes into it.<br \/>\n7. What type of scenarios: &#8230;. simulate events that would demand unexpected combinations of response activities, disrupt normal business or contingency processes, and\/or challenge participants to adapt the procedures they have already developed to novel or unfamiliar problems.<br \/>\n8. 
How to facilitate: Effective planning can help ensure that participants engage meaningfully in the scenario and fulfill their roles as if the event were real.<br \/>\n9. How to conclude: Every tabletop should conclude with an &#8220;after action review,&#8221; discussing what worked well and what aspects of the incident response plan or other policies need improvement.<br \/>\n10. What to do afterward: Lessons learned from tabletop exercises must then be incorporated into relevant plans and policies.<br \/>\n<font color=\"blue\"><b>Link:<\/b><\/font> <a href=\"http:\/\/www.corpcounsel.com\/id=1202774236308\/10-Tips-for-Planning-Leading-and-Learning-From-a-Cybersecurity-Tabletop-Exercise?slreturn=20161108201639\">http:\/\/www.corpcounsel.com\/id=1202774236308\/10-Tips-for-Planning-Leading-and-Learning-From-a-Cybersecurity-Tabletop-Exercise?slreturn=20161108201639<\/a><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.itworldcanada.com\/favicon.ico\" width=\"16\" height=\"16\" \/> <b>Canadian Cyber Threat Exchange ready to start membership push<\/b><br \/>\n<i>Howard Solomon<\/i><br \/>\nAfter months of planning the country\u2019s first national IT threat service has issued its first threat report to a few early members and is ready to launch a campaign to expand its numbers, including lowering its fee for small businesses.<br \/>\nFor the lower fee members will still get threat reports, but won\u2019t be allowed to download electronic data feeds into their systems.<br \/>\nGordon said it was felt small companies wouldn\u2019t benefit from that service.<br \/>\nThe exchange will discuss with these companies if there are other services that can be added.<br \/>\nMid-size businesses can join for $20,000 a year and will be allowed to exchange threat data electronically (when it goes live early next year) and named access to the exchange\u2019s proprietary knowledge database.<br \/>\n<font color=\"blue\"><b>Link:<\/b><\/font> <a 
href=\"http:\/\/www.itworldcanada.com\/article\/canadian-cyber-threat-exchange-ready-to-start-membership-push\/389034\">http:\/\/www.itworldcanada.com\/article\/canadian-cyber-threat-exchange-ready-to-start-membership-push\/389034<\/a><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1261","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1261","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1261"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1261\/revisions"}],"predecessor-version":[{"id":3748,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1261\/revisions\/3748"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1261"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1261"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1261"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}