Crafting the InfoSec Playbook
by Jeff Bollinger , Brandon Enright , and Matthew Valites
Copyright 2015 Jeff Bollinger, Brandon Enright, and Matthew Valites. All rights reserved.
Printed in the United States of America.
Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://safaribooksonline.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.
- Editors: Mike Loukides, Katie Schooling, and Amy Jollymore
- Production Editor: Kristen Brown
- Copyeditor: Jasmine Kwityn
- Proofreader: Marta Justak
- Indexer: Wendy Catalano
- Interior Designer: David Futato
- Cover Designer: Karen Montgomery
- Illustrator: Rebecca Demarest
Revision History for the First Edition
- 2015-05-06: First Release
See http://oreilly.com/catalog/errata.csp?isbn=9781491949405 for release details.
The O'Reilly logo is a registered trademark of O'Reilly Media, Inc. Crafting the InfoSec Playbook, the cover image of an American crocodile, and related trade dress are trademarks of O'Reilly Media, Inc.
While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.
978-1-491-94940-5
[LSI]
Foreword
Over the past decade, Cisco's Computer Security Incident Response Team (CSIRT) has participated in countless customer meetings where we sat down and explained how we had protected one of the most attacked and interconnected companies in the world. As we reviewed the tools, people, and process for protecting large organizations, the playbook featured heavily. At the end of each one of these sessions, the group we were sharing with always asked, "Can I have a copy of this playbook?" We initially distributed some early sanitized versions, but soon it got too big, too company specific, and too full of things that were impossible to sanitize to share. Now, with this book, we can finally answer "yes, you can!"
When I started the Cisco CSIRT at the beginning of this century, I had always hoped we could do something that had more relevance than protecting one company. Cisco has benefited from the interconnectivity it has provided, and I felt we had a responsibility to use some of those resources to help protect the same people we had connected. More specifically, I wanted to help groups that may not be able to afford a large CSIRT. Cisco has been very supportive of the team's efforts to share cybersecurity information and has provided resources and time to allow us to realize my hope.
At the time this book was written in 2014, the world witnessed a cataclysmic failure of cybersecurity efforts across the board, with large organizations seemingly hacked at will. Extremely damaging hacks to large retailers, entertainment companies, restaurant chains, and hundreds of others have ushered in the end of reliance on automated incident detection tools like security information and event management (SIEM) systems.
The Cisco CSIRT was at the forefront of the idea that people, not tools, were the answer to protecting organizations. This book details what some of the smartest people in this field have done to detect, identify, isolate, and mitigate cybersecurity threats. It started simply enough: if we had an incident that we didn't detect, we would look and see if there was any commonality about the attack that we could detect with normally available detection tools (intrusion detection systems, packet capture, logs, etc.). If there was, we would string together a detection method, or play, to look for it. If the play was useful, we would keep it. If not, we would drop it. Then it would eventually be added to the daily work of our security operations center. So the body of work this book represents was baked in the crucible of ongoing attacks and response over a very busy decade.
I am more proud of the work that this team has done than anything else in my professional career. I am really excited they took the time and effort to share the work at this level and depth. The information provided here can be used as a baseline for both new and old teams facing similar challenges. I hope that sharing like this can signal another watershed in the history of cybersecurity: when the good guys started hitting back.
Gavin Reid
Vice President of Threat Intelligence
Lancope
Preface
If you are reading this, chances are you are looking to enhance your threat detection capabilities and techniques, and up your game as an InfoSec, incident response, or network defense practitioner or manager. Threats have evolved dramatically in scale, complexity, and profile over the last several years and continue to grow. Effective detection and response now require far more effort and sophistication than they once did. Building, maturing, and maintaining an effective incident response team is no easy task. We have talked with hundreds of security teams of all types and sizes who are waging the same war between the attackers and their organizations' networks, users, and information. Few have done it well, but with a solid strategy, the right expertise, and the right infrastructure, you can compete with the bad guys.
Any good attacker will tell you: your expensive security monitoring and prevention tools are not enough to keep you secure. Successful computer security incident response teams (CSIRTs) realize that intrusions are inevitable, and the best plan is a combination of cultivated threat intelligence, vigilant monitoring for early detection, and rapid and thorough response. Having the right data available in the right tools doesn't mean that the right people are looking at it and responding properly. Operational experience is invaluable and cannot be replaced by a magic black box or a single threat feed.
Our strategy focuses on collecting, organizing, mining, enhancing, and analyzing as many relevant data sources as possible in the hunt for intrusions and security breaches. We call our strategy, this bundle of detection and response methods, the playbook. We have developed a fundamental approach to building a successful incident response program that will detect the inevitable security incidents, minimize damage, yield enough information to share with the incident response community, and prevent successful attacks from recurring.
This book demonstrates how to boil down complex security monitoring, incident response, and threat analysis ideas into their most basic elements. Using a data-centric approach, we share how to create or refine your own unique incident detection strategy, how to keep your ideas and methods fresh, how to discover and develop your own threat intelligence, and how to compete against the malicious actors already attacking your network.
Should You Read This Book?
This book is for IT and information security (InfoSec) professionals, particularly incident or emergency response teams, InfoSec managers or directors, and IT architects, who want to either develop a nascent security monitoring and incident response program or evolve their existing program to a modern, more effective approach.