Foundstone Incident Response Service
The Incident Response Challenge to a World-Leading Financial Services Firm
> Incident Response Services
> IR Policy & Procedure Programs
> IR Security Training
> Forensics & Litigation Support
Foundstone was hired by a global financial services firm to design and implement an effective
Incident Response program.
Companies spend millions of dollars each year on products designed to prevent and detect security breaches
from both internal and external threats. Because the promise of 100 percent security will never be realized,
companies need to determine what to do when their defenses are compromised. A malicious intruder can
attack critical digital assets with grim consequences, or cleverly exploit an organization’s IT infrastructure to
mount covert digital assaults on an unsuspecting third party.
“Foundstone’s Incident Response program represents the pinnacle of digital
forensic technology and services, providing the highest level of court-admissible
evidence to support potential litigation or administrative action.”
− Chris Prosise, VP of Professional Services, Foundstone
These are some of the issues that a one billion-dollar financial institution was seeking to address when it hired
Foundstone to design an Incident Response (IR) program. This North America-based firm offers a diverse mix
of banking, securities and brokerage services worldwide that depend heavily on online transactions. These
business processes rely on a solid technology, application and digital security infrastructure, which together
constitute an enormous investment. Therefore, protecting it and building a program to optimize business
continuity in the event of an incident is critical.
Foundstone’s new client needed a blueprint for proactively averting potential threats, as well as successfully
dealing with actual incidents. Digital risk can come from anywhere − computer viruses and hackers, identity
abuse or fraud, or processes that can compromise customer privacy. So, to address these issues effectively, the
client needed the highest level of expertise. Based on Foundstone’s world-class reputation in strategic security
and forensics, the financial services giant was certain that they could establish the essential practices necessary
to help them manage risk by protecting against, and responding to, threats to critical information assets.
After an intensive three-month process with various security groups within the client’s organization,
Foundstone established and documented thorough IR policies, and rigorously trained the staff to respond
consistently with formalized procedures that would enable them to efficiently resolve any new threat.
www.foundstone.com © 2003 Foundstone, Inc. All Rights Reserved | 1
> Large, international financial services institution, offering banking, securities and brokerage services
> Headquartered in North America with offices in 27 countries
> Significant existing investment in technology infrastructure, including e-commerce applications and
> Numerous information security groups supporting geographically-dispersed locations and business units
> Challenged to proactively address and rapidly handle the widest range of digital assaults, including viruses,
hackers, fraud, identity theft, employee misconduct, and other threats
Leading financial services institution engaged digital risk management experts from Foundstone to design and
implement a world-class Incident Response (IR) program.
About the Companies
Foundstone, experts in strategic security, offers a unique combination of software, services, and education to
help organizations continuously and measurably protect the most important assets from the most critical
threats. The company has one of the most dominant security talent pools ever assembled with headquarters in
Orange County, CA.
Billion dollar financial services institution headquartered in North America, with offices in 27 countries
worldwide, offers a full range of financial products and services to over 10 million customers through three
major lines of business: banking, brokerage services and securities trading.
Background and Challenge
Geographically diverse information security groups lacked a unified, formal IR program that could be
consistently applied throughout the global organization. Standard documentation that could have allowed the
organization to identify and analyze information and trends was nonexistent. Most importantly, senior
management was not familiar with, or aware of, the range and scope of security weaknesses and threats that
the organization faced, and thus did not always support the security group’s efforts.
Pain Points / Business Need
Situational Analysis: Client Issues before Implementing Foundstone IR Program
Although the skills of this client’s IR team were excellent, their IR response plan was not developed or
documented. It lacked consistency across the organization based on three critical factors: first, the technical
environments varied from one business unit to another, and, to further complicate matters, the organization
had acquired or merged with a diversity of other businesses over time, each with its own structure and
operational approaches. Additionally, several security groups operated independently – based on geography or
business unit – with no centralized reporting structure, so information could not be consolidated to enable
enterprise-wide vulnerability assessment, tracking, and trend analysis.
“Even the most secure networks can face increasing acts of fraud, theft, and other
abuses, yet few organizations have developed the sophistication to simultaneously
handle the legal and technical challenges. Untrained assessors may violate privacy
laws, fail to discover critical clues, or accidentally destroy valuable evidence.
Foundstone’s Incident Response team meticulously retrieves, analyzes, and stores
evidence to maintain a proper chain-of-custody for future litigation.”
− Kevin Mandia, Director of Incident Response Program, Foundstone
This lack of formality and consistency was a recipe for future disaster, and led to numerous breakdowns in
communication and reduction in overall effectiveness of each independent security group. When the
organization faced enterprise-level incidents, the lack of coordination across teams delayed recognition and
escalation of issues, preventing timely responses.
Foundstone was able to communicate these issues to senior management and make them aware of how they
can disrupt vital business processes and impact customer trust.
The financial services client gave Foundstone consultants complete access to the organization’s technology
infrastructure, determination and prioritization of critical assets, assessment of current security skills, and
review of existing documentation and formal security incident reporting within each major business unit.
Foundstone spent several months working with the global IR team members to identify, analyze, develop and
implement effective IR policies across the enterprise.
Foundstone implemented consistent IR guidelines across the organization and trained security personnel to
collect and analyze computer forensic information. The client centralized incident history information,
standardized processes and identified the responsibilities of each of the various security teams. In addition,
forensic analysis processes were formalized, and the client was trained to properly retrieve, analyze and store
evidence of a system break-in or fraud attempt, for use in litigation if necessary.
Benefits and Value
Foundstone consultants are specially qualified to implement IR programs and respond to events. The
company’s published works, such as Incident Response: Investigating Computer Crime, by Chris Prosise and
Kevin Mandia, are referenced regularly by industry practitioners. In the case of this financial services client,
Foundstone’s IR program improved the client’s ability to respond quickly and appropriately to digital security
incidents of any type, and encouraged executive support for both present and future security investments.
Organizations that rely on information technology to conduct or improve business processes can rely on
Foundstone to deliver a complete IR plan and forensic services that will mitigate the impact of any computer
Steps Taken / Process
Foundstone Implements Accountable Incident Response Program for Global 2000 Financial Firm
Developing an IR process sounds relatively straightforward, yet it may actually represent one of the most
complex undertakings of any IT organization. The challenge becomes exponentially more difficult when the
program is being designed to meet the needs of a multinational organization with billions of dollars’ worth of
assets under management, across numerous divisions. The level and variety of threats range from productivity-
sapping viruses to determined hackers, corporate espionage attempts, and distributed denial-of-service (DoS)
exploits. In all cases, business continuity is compromised and corporate reputation comes under fire, and this
financial services institution – like any other in the industry – cannot afford that kind of risk.
Foundstone was engaged by the firm to document a single digital security IR process that could be used
consistently across the entire organization. Technical personnel needed to be trained to collect and analyze
information in a number of common security incident scenarios to determine best responses. It was also crucial
to increase awareness among both executive and technical groups of the myriad threats facing the organization.
“Technical knowledge is essential, but not sufficient, for successful computer
security Incident Response. Organizations must have clear guidelines for engaging
the response team, formulating the response strategy, and collecting evidence.
Without these formal guidelines, organizations cannot use their technical skills
− Steve Surdu, Director of Consulting – Washington, DC, Foundstone
Following in-depth interviews with the client’s personnel, Foundstone acquired a thorough understanding of
the organization’s existing computer security incident roles, responsibilities, processes, tools, skill levels, issues
and program requirements. This provided the foundation of a formal IR program, with guidelines for process
descriptions, pre-incident preparation activities, forms, checklists, reporting, and evidence handling procedures.
With new processes in place, technical training was conducted to educate security and other technical staff on
the most common types of information security incidents and methods for collecting and analyzing evidence.
Client personnel were then equipped to prepare live response toolkits for key operating environments, which
came in handy when Foundstone put the client’s team through simulated scenarios: a limited number of
computer security drills were conducted to test the client’s technical skills as well as evaluate its understanding
of the response process.
Finally, Foundstone organized program awareness presentations to educate management on organizational
threats and the benefits provided by a more formal IR program.
As a result, communication among the different security groups was vastly improved, allowing them to better
work in concert − especially on threats that impact all business units. This procedural shift was bolstered by a
new, central repository of IR data and the institution of consolidated management reporting for the enterprise.
By establishing a formal and consistent information security IR approach that could be used across the entire
organization, the financial services giant was assured of faster response times and greater confidence in its
ability to react efficiently to any security threat. By applying consistent IR procedures across the organization,
a company can substantially lower its exposure to incidents and intrusions. With proper planning, incidents
that inevitably surface will be met head-on by measures that resolve them in an effective, legal manner that
Any corporation that relies on information technology must be ever-vigilant to the threat of internal and
external exploits. Working with Foundstone provides a level of preparedness that enables business continuity
and safeguards critical assets and corporate reputations.
About Foundstone® Professional Services
Foundstone Professional Services provides security-related professional services to clients ranging from early-
stage startups to the largest Fortune 500 corporations. Services include network assessment services, product
testing, risk assessment, and incident response, among others. Foundstone enables its clients to address their
immediate security concerns and develop a strong, long-term security foundation. The company’s professional
services team consists of recognized experts and authors with broad security backgrounds in corporate
multinationals, the public sector, and the US military.
About Foundstone® Forensic Services
As part of its Professional Services solutions, Foundstone offers a renowned Computer Forensics team that
regularly performs sensitive investigations and provides litigation support for government and private
organizations. Widely regarded as the foremost security experts, Foundstone provides forensics and litigation
training for a variety of organizations, including the FBI, RCMP, NSA, and all AUSA Cyber-crime Prosecutors.
About Foundstone® Education Offerings
Empowering students with the knowledge and skill to protect the most important assets from the most critical
threats is Foundstone’s primary educational goal. Utilizing industry-recognized experts, Foundstone security
courses bring real-world experiences to the classroom. Our instructors have performed hundreds of network,
Web, e-commerce and application security assessments and managed security programs for government and
corporate environments. Each “Hands On” class relies heavily on student labs, exercises, and extensive
student-instructor interaction to reinforce critical security issues with real-world scenarios.
About Foundstone® Enterprise Risk™ Solutions
Foundstone Enterprise Risk Solutions offers organizations a true enterprise-class security system engineered to
mitigate the business risks associated with security vulnerabilities, such as misconfigurations, unsafe
transactions, and business continuity. Delivered as software or managed service, Foundstone Enterprise Risk
Solutions manage the entire vulnerability lifecycle − from discovery to remediation, quickly reducing an
organization’s exposure to security breaches.
Find Out How
Find out how Foundstone Incident Response Services can help secure your organization.
Please visit us on the Web at www.foundstone.com, email firstname.lastname@example.org
or call 1 877 91 FOUND for more information.