Target-style Breaches – An Incident Response Case Study

Incident Response Management with Co3, HP ArcSight, and iSIGHT Partners

We all know that Target-like breaches aren't completely preventable. But does that mean we're doomed and powerless? Not even close. A decisive response effort can dramatically reduce the impact of a breach, potentially stopping attacks in their tracks before sensitive data is lost. 

We’ve partnered with HP ArcSight and iSIGHT Partners to transform the incident response process by connecting timely detection and threat intelligence with incident response management.

HP ArcSight is one of the most popular SIEM tools on the market today; it provides security analytics and alerting that turn a network full of noise into actionable decisions. Co3’s integration with ArcSight allows organizations to easily escalate incidents that require action into Co3, along with related artifacts such as IP addresses and malware hashes.

iSIGHT Partners provides exceptional threat intelligence. In fact, during the recent Target breach, iSIGHT was called on to provide expert analysis of the malware that infected Target’s point of sale systems. Threat intelligence like iSIGHT’s can be invaluable in understanding what’s happening in your infrastructure, who might be behind it, and why. iSIGHT intelligence is one of several threat feeds available through Co3. 

These integrations transform the incident response process from a manual, people-bound, error-prone process to one that is automated, intelligent, and highly efficient. Using the Target breach as a case study dramatically demonstrates the power of this approach. 

Workflow

A security analyst working in ArcSight identifies an event that needs the attention of the Incident Response team: a point-of-sale system has a strange file on it, and the file’s MD5 hash appears in the ArcSight console. The analyst right-clicks this event in ArcSight and chooses the “Escalate to Co3” option; the file’s MD5 and other pertinent event information is automatically collected from ArcSight and sent to Co3. Co3 then automatically builds a detailed incident response plan based on the specific parameters of this incident and notifies the incident response team.

[Screenshot: ArcSight]

Co3 then automatically compares all artifacts against our threat feeds. In this case there is a hit from iSIGHT: it flags the artifact as a sample of the infamous POSRAM malware. Once escalated, this process is completely automated. The targeted organization has gone from an initial indication to an incident determination, with an IR plan deployed and a team already in motion. Responders in Co3 can now assign tasks to the Incident Response group to isolate and contain the threat and drive the incident to closure. The entire incident response process can easily be managed from Co3, following both company and industry best practices.
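The escalate-then-enrich step described above, as an added example that is not Co3’s, ArcSight’s or iSIGHT’s own code: a constructed ArcSight-style escalation payload is normalized artifact by artifact, matched against a constructed threat feed (placeholder hash and IP, not real POSRAM indicators), and turned into a severity and initial containment tasks. Malformed artifacts are kept aside for analyst review rather than silently dropped.

```python
import ipaddress

# Constructed threat feed keyed by artifact type. The MD5 and IP are
# placeholders, not real iSIGHT indicators or real POSRAM hashes.
THREAT_FEED = {
    "md5": {"0123456789abcdef0123456789abcdef": {"family": "POSRAM", "source": "iSIGHT"}},
    "ip":  {"203.0.113.10": {"family": "POSRAM", "source": "iSIGHT"}},
}

# Constructed escalation payload of the kind the "Escalate to Co3" action would send.
ESCALATED_EVENT = {
    "source": "HP ArcSight",
    "host": "POS-REGISTER-07",
    "artifacts": [
        {"type": "md5", "value": "0123456789ABCDEF0123456789ABCDEF"},  # mixed case
        {"type": "ip", "value": " 203.0.113.10 "},                     # stray whitespace
        {"type": "ip", "value": "10.0.0.5"},                           # benign, no feed hit
        {"type": "md5", "value": "not-a-hash"},                        # malformed
    ],
}

def normalize(kind, value):
    """Canonicalise an artifact so feed lookups are exact; None if malformed."""
    value = value.strip()
    if kind == "md5":
        value = value.lower()
        ok = len(value) == 32 and all(c in "0123456789abcdef" for c in value)
        return value if ok else None
    if kind == "ip":
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    return None

def enrich(event, feed=THREAT_FEED):
    """Match every artifact against the feed; report hits and unparseable artifacts."""
    hits, malformed = [], []
    for art in event["artifacts"]:
        norm = normalize(art["type"], art["value"])
        if norm is None:
            malformed.append(art)
            continue
        intel = feed.get(art["type"], {}).get(norm)
        if intel:
            hits.append({"type": art["type"], "value": norm, **intel})
    return {"host": event["host"], "hits": hits, "malformed": malformed}

def triage(enriched):
    """Derive incident severity and the first containment tasks from the hits."""
    families = sorted({h["family"] for h in enriched["hits"]})
    if not families:
        return {"severity": "low", "families": [], "tasks": ["Analyst review of unmatched artifacts"]}
    return {"severity": "critical", "families": families,
            "tasks": [f"Isolate {enriched['host']} from the payment network",
                      "Block matched network indicators at the egress firewall",
                      "Sweep other POS hosts for the matched file hash"]}
```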

[Screenshot: iSIGHT]

The average time to respond to serious incidents is currently counted in months. Using Co3, HP ArcSight, and iSIGHT Partners, we’ve just alerted and responded in minutes, before a security event grew into a company disaster. 

[Screenshot: Co3]

To learn more about how you can respond and even prevent these types of attacks, please join our upcoming webinar here:

https://www4.gotomeeting.com/register/306177295
