Presentation is loading. Please wait.

Presentation is loading. Please wait.

Building Capabilities for Incident Handling and Response

Published byKatrina Jennings Modified over 9 years ago

Similar presentations

Presentation on theme: "Building Capabilities for Incident Handling and Response"— Presentation transcript:

1 Building Capabilities for Incident Handling and Response

2 Purpose To provide an overview of CSIRT development issues
introduction to the incident handling process and the nature of incident response activities Building Capabilities for Incident Handling and Response -slide 2 Building Capabilities for Incident Handling and Response

3 Intended Audience Computer Security Incident Response Team (CSIRT) managers of all kinds prospective new existing Other individuals who need or would like an understanding of CSIRT management issues Individuals tasked with creating a CSIRT Individuals interested in learning more about CSIRTs Building Capabilities for Incident Handling and Response -slide 3 Building Capabilities for Incident Handling and Response

4 What is a CSIRT? An organization or team that provides, to a defined constituency, services and support for both preventing and responding to computer security incidents Building Capabilities for Incident Handling and Response -slide 4 Building Capabilities for Incident Handling and Response

5 What Does a CSIRT Do? In general a CSIRT A CSIRT’s goal is to
provides a single point of contact for reporting local problems identifies and analyzes what has happened including the impact and threat researches solutions and mitigation strategies shares response options, information, and lessons learned A CSIRT’s goal is to minimize and control the damage provide or assist with effective response and recovery help prevent future events from happening No single team can be everything to everyone! Building Capabilities for Incident Handling and Response -slide 5 Building Capabilities for Incident Handling and Response

6 Motivation Motivators driving the establishment of CSIRTs include
a general increase in the number of computer security incidents being reported and in the number and type of organizations being affected by computer security incidents a more focused awareness by organizations on the need for security policies and practices as part of their overall risk- management strategies new laws and regulations that impact how organizations are required to protect information assets the realization that systems and network administrators alone cannot protect organizational systems and assets the realization that a prepared plan and strategy is required Building Capabilities for Incident Handling and Response -slide 6 Building Capabilities for Incident Handling and Response

7 Stages of CSIRT Development
Stage 1 Educating the organization Stage 2 Planning effort Stage 3 Initial implementation Stage 4 Operational phase Stage 5 Peer collaboration Stage 2 Planning Stage 4 Operation Stage 3 Implementation Stage 5 Collaboration Stage 1 Education Expert Novice Building Capabilities for Incident Handling and Response -slide 7 Building Capabilities for Incident Handling and Response

8 Building an Effective CSIRT
Building Capabilities for Incident Handling and Response -slide 8 Building Capabilities for Incident Handling and Response

9 Management/ Constituency Buy-in
Building Your Vision Constituency Organization Model Resources Services Funding Management/ Constituency Buy-in Mission Building Capabilities for Incident Handling and Response -slide 9 Building Capabilities for Incident Handling and Response

10 Basic Implementation Steps
Gather information. Identify the CSIRT constituency. Determine the CSIRT mission. Secure funding for CSIRT operations. Determine CSIRT range and levels of service. Determine CSIRT reporting structure, authority and organizational model. Identify interactions with key parts of the constituency. Define roles and responsibilities for interactions. Create a plan, obtain feedback on the plan. Identify and procure personnel, equipment and infrastructure resources. Develop policies and procedures. Train your CSIRT staff and your constituency. Announce the CSIRT. Communicate your mission and services. Get feedback. Review and improve CSIRT framework. Building Capabilities for Incident Handling and Response -slide 10 Building Capabilities for Incident Handling and Response

11 Existing Resources That May Help
Available resources that may provide information organization charts for the enterprise and specific business functions topologies for organizational or constituency systems and networks critical system and asset inventories existing disaster recovery or business continuity plans existing guidelines for notifying the organization of a physical security breach any existing incident response plans any parental or institutional regulations Building Capabilities for Incident Handling and Response -slide 11 Building Capabilities for Incident Handling and Response

12 Who Needs to Be Involved: Internal CSIRT
Building Capabilities for Incident Handling and Response -slide 12 Building Capabilities for Incident Handling and Response

13 Where Do You Begin? What’s already in place – create a matrix of expertise. What expertise exists? What tools are already in place? Brainstorm and discuss – design the workflow. What is the desired response and notification strategy? What needs to be changed with the addition of a CSIRT? How does the CSIRT fit into any disaster recovery or business continuity plans? Implementation – build staff and processes. Develop the interim plan. Develop the long-term plan. Building Capabilities for Incident Handling and Response -slide 13 Building Capabilities for Incident Handling and Response

14 Achieve Consensus Definition of CSIRT
mission services roles and responsibilities authority interactions Definition of computer security incidents classifications priorities escalation criteria Building Capabilities for Incident Handling and Response -slide 14 Building Capabilities for Incident Handling and Response

15 Some Basic Costs Costs may include
incident reporting and tracking system communications mechanisms hotline or helpdesk web site and/or ftp site mailing distribution lists cell phones and pagers secure communications mechanisms PGP keys or digital certificates for signing CSIRT documents and mailings secure phones intranets or extranets secured access to CSIRT facilities Building Capabilities for Incident Handling and Response -slide 15 Building Capabilities for Incident Handling and Response

16 Range of CSIRT Services
Building Capabilities for Incident Handling and Response -slide 16 Building Capabilities for Incident Handling and Response

17 Example Policies security policy open reporting environment policy
incident reporting policy incident handling policy external communications policy media relations policy information disclosure policy information distribution policy human error policy training and education policy CSIRT acceptable use policy Building Capabilities for Incident Handling and Response -slide 17 Building Capabilities for Incident Handling and Response

18 Example Procedures standard operating procedures (SOPs)
accepting and tracking incident reports answering the hotline incident and vulnerability handling gathering, securing, and preserving evidence configuration of CSIRT networks and systems system and network monitoring and intrusion detection backing up and storing incident data notification processes (how information is packaged, distributed, archived, etc.) training and mentoring Building Capabilities for Incident Handling and Response -slide 18 Building Capabilities for Incident Handling and Response

19 Common Problems Failure to Organizational battles
include all involved parties achieve consensus develop an overall vision and framework outline and document policies and procedures Organizational battles Taking on too many services Unrealistic expectations or perceptions Lack of time, staff, and funding Building Capabilities for Incident Handling and Response -slide 19 Building Capabilities for Incident Handling and Response

20 Evaluating the CSIRT’s Effectiveness -1
The CSIRT will need to develop a mechanism to evaluate the effectiveness of the CSIRT. This should be done in conjunction with management and the constituency. The results can be used to improve CSIRT processes. Feedback mechanisms can include benchmarking general discussions with constituency representatives evaluation surveys distributed on a periodic basis to constituency members creation of a set of criteria or quality parameters that is then used by an audit or third-party group to evaluate CSIRT Building Capabilities for Incident Handling and Response -slide 20 Building Capabilities for Incident Handling and Response

21 Evaluating the CSIRT’s Effectiveness -2
Information collected for comparison may include number of reported incidents response time or time-to-live of an incident amount of incidents successfully resolved amount of information reported to constituency about computer security issues or ongoing activity security posture of the organization preventative techniques and security practices in place Building Capabilities for Incident Handling and Response -slide 21 Building Capabilities for Incident Handling and Response

22 Methodology Prepare/Sustain/Improve Detect Respond Protect
create initial incident management or CSIRT capability sustain the capability improve the capability Detect notice and report events receive reported events perform proactive monitoring analyze indicators triage suspicious event information Respond analyze event(s) plan response strategy coordinate response communicate with others close event/incident Protect implement best practices install technical defenses perform proactive scanning perform security/risk evaluations Building Capabilities for Incident Handling and Response -slide 22 Building Capabilities for Incident Handling and Response

23 Information People Want to Know
How serious is the threat? How much damage can be done? Is it global in scope? How does it work? How can you prevent it? How can you fix it? How fast is it spreading or how wide-spread is the activity? How does it compare to other attacks? Can the attacker be traced? Where was it first reported from? Who is affected? What systems are vulnerable or affected? Where do I go for help? What resources are available? What software versions or OS versions are vulnerable or affected? How many reports have been received? How much damage has been reported? What’s the estimated cost of the activity? How to report activity or vulnerable systems? Building Capabilities for Incident Handling and Response -slide 23 Building Capabilities for Incident Handling and Response

24 What’s Missing? CSIRTs need
a framework, a model, something against which to place and measure themselves (current state), and reference themselves to others improvement approaches and a path to reach their desired state a coherent, organized community of practitioners and artifacts to help guide the work Building Capabilities for Incident Handling and Response -slide 24 Building Capabilities for Incident Handling and Response

25 Process Versus Technology
Building Capabilities for Incident Handling and Response -slide 25 Building Capabilities for Incident Handling and Response

26 Research Motivations Questions that need answered
Where do I start and what steps do I take to create a CSIRT or incident handling capability? Where does incident management occur in the organizational enterprise? Building Capabilities for Incident Handling and Response -slide 26 Building Capabilities for Incident Handling and Response

27 Where Does Incident Management Occur?
We’ve asked this question to many different groups of people inside and outside of our organization. Some answer that it is related to one particular part of an organization such as an IT department or a security group. But more and more answer: Everywhere – throughout and across an organization or enterprise. Building Capabilities for Incident Handling and Response -slide 27 Building Capabilities for Incident Handling and Response

28 Defining Incident Management Processes
Determine processes Outline processes via workflow diagrams Provide details and requirements of each process Identify risks and impacts for each process Building Capabilities for Incident Handling and Response -slide 28 Building Capabilities for Incident Handling and Response

29 Process Details Include mission and objectives triggers for process
completion criteria general policies and rules inputs and outputs process requirements written procedures people technologies other or miscellaneous information or actions Building Capabilities for Incident Handling and Response -slide 29 Building Capabilities for Incident Handling and Response

30 How Can It Be Applied to CSIRT Operations? -1
Map your CSIRT process through comparison to a “standardized” model of CSIRT best practices Identify strengths, weaknesses, risks, and compensating factors process, technology, people interfaces and handoffs environmental factors operational considerations Use as a foundation for future improvements Building Capabilities for Incident Handling and Response -slide 30 Building Capabilities for Incident Handling and Response

31 How Can It Be Applied to CSIRT Operations? -2
Can also be used to help benchmark what CSIRT processes an organization already has in place. This will allow for the determination of current gaps – to help focus any CSIRT development or improvement activities. Organizations can also use our concepts and processes to do customized mapping. Building Capabilities for Incident Handling and Response -slide 31 Building Capabilities for Incident Handling and Response

32 CSIRT Risk Evaluation Process
Develop Mitigation Strategies Analyze Risks Identify Risks Risk Data Risks to the CSIRT process Prioritized list of risks Strategies for mitigating the highest-priority risks Building Capabilities for Incident Handling and Response -slide 32 Building Capabilities for Incident Handling and Response

33 Example of Evaluation Results
Detect events General indicators Event information Common Failure Mode Suspicious activity is not detected by proactive monitoring. Impact: High Probability: Medium Risk Driving Condition The process is ad hoc. Things sometimes slip through the cracks. Mitigating Condition People have extensive experience and skills in monitoring systems and networks. Building Capabilities for Incident Handling and Response -slide 33 Building Capabilities for Incident Handling and Response

34 The Status of this Project
Two pilot evaluations of the assessment/evaluation instrument. Technical report published (Sep. 03) Integrate resulting work into our course materials. Identify new work that builds on the process mapping Artifacts and tools (guides, templates, etc.) Transition to the CSIRT community to encourage use of process maps create other versions and share approaches with us Building Capabilities for Incident Handling and Response -slide 34 Building Capabilities for Incident Handling and Response

35 Challenges that Affect CSIRTs
There is less time to react There is a need for quick notification automation of incident handling tasks an easy way to collaborate and share information with others an easy and efficient way to sort through all incoming information Policies and procedures must be established, understood, and followed to ensure success. Building Capabilities for Incident Handling and Response -slide 35 Building Capabilities for Incident Handling and Response

36 Current CSIRT Discussion Topics
Regionalization efforts Certification for incident handlers and teams Legal issues and impacts Data sharing and information exchange Automation and standardization of CSIRT tools Building Capabilities for Incident Handling and Response -slide 36 Building Capabilities for Incident Handling and Response

37 CSIRT Lessons Learned Trustworthiness is paramount to success.
Most CSIRTs fail to plan for growth and are soon overwhelmed take 1-2 years to gain constituency recognition CSIRTs should share information as openly as possible set expectations repeatedly train for a marathon, not a sprint be proactive All CSIRTs differ in their mission and goals. Building Capabilities for Incident Handling and Response -slide 37 Building Capabilities for Incident Handling and Response

38 Contact Information CSIRT Development Team CERT® Training and Education Software Engineering Institute Carnegie Mellon University Fifth Avenue Pittsburgh PA USA Web: Georgia Killcrece Building Capabilities for Incident Handling and Response -slide 38 Building Capabilities for Incident Handling and Response

Download ppt "Building Capabilities for Incident Handling and Response"

Similar presentations

FMS. 2 Fires Terrorism Internal Sabotage Natural Disasters System Failures Power Outages Pandemic Influenza COOP/ Disaster Recovery/ Emergency Preparedness.

FMS. 2 Fires Terrorism Internal Sabotage Natural Disasters System Failures Power Outages Pandemic Influenza COOP/ Disaster Recovery/ Emergency Preparedness.
Course: e-Governance Project Lifecycle Day 1

Course: e-Governance Project Lifecycle Day 1
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
Software Quality Assurance Plan

Software Quality Assurance Plan
© 2003 Carnegie Mellon University slide 1 Building CSIRT Capabilities and the State of the Practice Georgia Killcrece CSIRT Development Team CERT ® Training.

© 2003 Carnegie Mellon University slide 1 Building CSIRT Capabilities and the State of the Practice Georgia Killcrece CSIRT Development Team CERT ® Training.
S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.

S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,

CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,
Security Controls – What Works

Security Controls – What Works
Introduction to the State-Level Mitigation 20/20 TM Software for Management of State-Level Hazard Mitigation Planning and Programming A software program.

Introduction to the State-Level Mitigation 20/20 TM Software for Management of State-Level Hazard Mitigation Planning and Programming A software program.
S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,

S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,
University of Guelph IT Security Policy Doug Blain Manager, IT Security ISC, April 27th.

University of Guelph IT Security Policy Doug Blain Manager, IT Security ISC, April 27th.
MSIS 110: Introduction to Computers; Instructor: S. Mathiyalakan1 Systems Design, Implementation, Maintenance, and Review Chapter 13.

MSIS 110: Introduction to Computers; Instructor: S. Mathiyalakan1 Systems Design, Implementation, Maintenance, and Review Chapter 13.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
The Information Systems Audit Process

The Information Systems Audit Process
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software.

© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software.
© 2008 Prentice Hall11-1 Introduction to Project Management Chapter 11 Managing Project Execution Information Systems Project Management: A Process and.

© 2008 Prentice Hall11-1 Introduction to Project Management Chapter 11 Managing Project Execution Information Systems Project Management: A Process and.

Similar presentations

Ads by Google