Presentation is loading. Please wait.

Presentation is loading. Please wait.

Evolution of CSIRTs: how to engage Critical Infrastructures and cooperate beyond borders Giza, 19th December 2011.

Similar presentations


Presentation on theme: "Evolution of CSIRTs: how to engage Critical Infrastructures and cooperate beyond borders Giza, 19th December 2011."— Presentation transcript:

1 Evolution of CSIRTs: how to engage Critical Infrastructures and cooperate beyond borders Giza, 19th December 2011

2 2 In the last years the number, type and impact of security incident is increasing  Internet distributed denial of service attack. 6 of the 13 root servers that form the foundation of the Internet were affected, two badly  Suxnet worm infect industrial control system with a worldwide geographic distribution  A series of cyber attacks that swamped websites of Estonian parliament, banks, ministries, newspapers and broadcasters  A series of coordinated cyber attacks against major government, media, and financial websites in South Korea and the USA  Major videogames companies under attacks Security Incident timeline /20092/ /2011  Main SSL Certificate has been violated  Massive DNS cache poisoning attack that affected millions of users in Brazil  Titan Rain, a series of coordinated attacks on US army, navy and missile units systems / /2011 2/2011  Cyber-attack hits Canadian government computers 2007  Operation Aurora, sophisticated and targeted attack international organizations  Cyber-attack hits Canadian government computers

3 3 Relevant CERTs was born to prevent and response to incident… European CERTs Map 2011

4 4 …they extended their services from being a only reaction force to a more complete security service provider, including preventive and quality services.. Reactive ServicesProactive ServicesArtifact Handling Alerts and warning Incident Handling Incident Analysis Incident Response Support Incident Response Coordinator Incident Response on site Vulnerability Handling Vulnerability Analysis Vulnerability Response Vulnerability Response Coordination Announcements Technology Watch Security Audits or Assessments Configuration and Maintenance of Security Development of Security Tools Intrusion Detection Services Security-Related Information Dissemination Artifact Analysis Artifact Response Artifact Response Coordination Security Quality Management Risk Analysis Business Continuity and Disaster Recovery Security Consulting Awareness Building Education/Training Product Evaluation or Certification CERT Services

5 5 …and at national, regional and international level are started CERTs cooperation initiatives but no one only for national private sector CIRCA National forum of cooperation from public and private sector CIRCA National forum of cooperation from public and private sector O-IRT-o the Dutch o-IRT-o initiative associates CERT teams including 31 organizations from public and private sector O-IRT-o the Dutch o-IRT-o initiative associates CERT teams including 31 organizations from public and private sector Polish Abuse Forum Abuse Forum assembles a group of CERTs and security teams of Polish ISP and ICP (Incident Content Providers) Polish Abuse Forum Abuse Forum assembles a group of CERTs and security teams of Polish ISP and ICP (Incident Content Providers) Main cooperation initiatives CERT-Verbund the initiative associates German security and incident response teams from various sectors CERT-Verbund the initiative associates German security and incident response teams from various sectors UKCERTS the British UKCERTs alliance is an informal forum of CERTs from different sectors UKCERTS the British UKCERTs alliance is an informal forum of CERTs from different sectors CEENet Central and Eastern European Association comprised of 23 national research/education networks CEENet Central and Eastern European Association comprised of 23 national research/education networks EGC a group of CERTs with governmental constituencies and national responsibilities in their countries. EGC a group of CERTs with governmental constituencies and national responsibilities in their countries. APCERT a CERTs coalition that ensures network security and incident response activities in the Asia Pacific Region. APCERT a CERTs coalition that ensures network security and incident response activities in the Asia Pacific Region. NORDUnet CERT assembles Scandinavian CERTs within the NORDUnet (cooperation of Nordic national research networks) NORDUnet CERT assembles Scandinavian CERTs within the NORDUnet (cooperation of Nordic national research networks) TERENA TF-CSIRT a task force organised under the TERENA TERENA TF-CSIRT a task force organised under the TERENA FIRST the biggest international forum of CERTs and other security teams FIRST the biggest international forum of CERTs and other security teams National initiativesRegional/international initiatives

6 6 Indeed today CERTs have still lack of engagement, services, investment, mutual aid and coordination As is To Be No engagement No involvement in Incident Response Lack of coordination at the international level Only one-way services Lack of information sharing Lack of mutual aid No shared incident management policies and procedures No shared incident management strategies and framework No engagement No involvement in Incident Response Lack of coordination at the international level Only one-way services Lack of information sharing Lack of mutual aid No shared incident management policies and procedures No shared incident management strategies and framework Engagement Involvement in Incident Response Coordination at the international level Inter-sector and intra-sector cooperation Two-ways services Information sharing and shared situational awareness Incident management mutual aid Shared incident management policies and procedures Shared incident management framework Engagement Involvement in Incident Response Coordination at the international level Inter-sector and intra-sector cooperation Two-ways services Information sharing and shared situational awareness Incident management mutual aid Shared incident management policies and procedures Shared incident management framework CERTs improvement needs

7 7 Responding to issues and in accordance with common points of national strategies, GCSEC intent to create a Cyber Incident Response Coordination Capabilities (CIRC2) involving private sector Common key Points and Recommendations national cyber security strategy Relevant Sectors to involve in the first stage Energy Company Transportation Company Finance Company Telco Company

8 8 information sharing on threats, vulnerabilities, warnings, alerts, methodologies and tools for incident management Definition of shared incident management policies and procedures Mutual aid to directly enforce the CIRC2 member’s capabilities of incident response Contribution to definition of national and international regulatory and policy framework Objectives of CIRC2 are information sharing, mutual aid, definition of shared policies/procedures, contribution to regulatory framework, private cooperation Representation in international context and facilitation of coordination between public and private stakeholders CIRC2 Objectives

9 9 Only in the second stage, the CIRC2 could be transformed in an effective Incident Response Joint Team of Private Sector To became an effective IR Joint Team, the IR Capability should take several actions as: establish the legal form of the organization (e.g. consortium) define the mission and the range and level of services that IRT will offer (e.g. proactive or reactive services) define a funding model identify an organizational model define interactions/interfaces define incident response processes implement secure information systems and network infrastructures identify required resources IRT Energy Company IRT Transportation Company IRT Finance Company Incident Response Joint Team (Private Sector) During the second stage of the project, a capability assessment of each IRT will be performed by GCSEC, in order to align them to the best practice Public National Italian Response Team Out of scope Comments

10 10 CIRC2 is based on a model composed of organization, processes and tools Organization Processes Tools CIRC2 Model

11 11 Legal entity Funding Model Non disclosure agreements (NDAs) Mutual Aid and Assistance Agreement … Organizational model and structure Reporting structure, authority Roles and responsibilities Staff … Information sharing policy Incident classification and communication policy Trust communication policy Resource management policies Incident handling guidelines Risk management policy Interoperability policy … The model includes strategies, legal and administrative framework, organizational model and policies… Mission, vision, goals, objectives, constraints Participation strategy (members and other National Stakeholders) and minimum capability’s level Risk Management strategies Trust Model … Strategies Legal & admin framework Organization model Policies Organization main aspects Illustrative

12 12 Information sharing process Mutual aid and assistance process Communication and coordination process Risk management process Incident reporting process Incident classification process Incident coordinated response process Performance measurement process Shared resources (personnel, equipment, facilities, supplies, and other) management process Escalation process Emergency management process Post incident evaluation process Lessons learned and improvement process Incident management exercise process … … management processes of CIRC2 … Processes main aspects Illustrative

13 13 Information sharing platform Technological instruments to support trust Early warning system Instruments for secure communications Incident forensics tools Other tools …all tools needed for cooperation, information sharing and incident management Tools main aspects Illustrative

14 14 Each member will draw benefits from participation in the CIRC2 More effectively and efficiently some processes that if they had implemented individually (e.g. forensics and post incident analysis) Information knowledge and information sharing Better incident response through mutual aid and assistance Incident exercises and awareness building across private sector Shared technologies and common automated platform for security vulnerabilities identification and communication, alerts and warning Cost reduction Resource sharing and staff exchange More effectively and efficiently some processes that if they had implemented individually (e.g. forensics and post incident analysis) Information knowledge and information sharing Better incident response through mutual aid and assistance Incident exercises and awareness building across private sector Shared technologies and common automated platform for security vulnerabilities identification and communication, alerts and warning Cost reduction Resource sharing and staff exchange CIRC2 member benefit

15 15 Other organizations/governments can benefit CIRC2 project Be informed on CIRC2 development Support requirements definition Join the Pilot project Be informed on CIRC2 development Support requirements definition Join the Pilot project How to participate


Download ppt "Evolution of CSIRTs: how to engage Critical Infrastructures and cooperate beyond borders Giza, 19th December 2011."

Similar presentations


Ads by Google