Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2005 The Trustees of Boston College & Calvin Weeks   Slide 1 UNIVERSITY OF OKLAHOMA Effective Incident Response Teams: Two Case Studies Tuesday, April.

Similar presentations


Presentation on theme: "© 2005 The Trustees of Boston College & Calvin Weeks   Slide 1 UNIVERSITY OF OKLAHOMA Effective Incident Response Teams: Two Case Studies Tuesday, April."— Presentation transcript:

1 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 1 UNIVERSITY OF OKLAHOMA Effective Incident Response Teams: Two Case Studies Tuesday, April 05, :00 a.m. - 11:00 a.m. Imperial Room I (lower level) David Escalante, Director of Computer Policy & Security, Boston College Calvin Weeks, Director, OU Cyber Forensics Lab, University of Oklahoma

2 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 2 UNIVERSITY OF OKLAHOMA Summary »Why you need/want incident response »What is best practice »Problems with best practice for Higher Ed »OU established model »BC established model »Roles »What works and what does not

3 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 3 UNIVERSITY OF OKLAHOMA Why You Need Incident Response »Compliance with laws and regulations o Gramm-Leach Bliley Act (GLBA) o Sarbanes-Oxley (SOX) o Health Information Privacy Portability Act (HIPPA) o FERPA »Security improvement »Improve network and system uptime »What is an “incident” for the purposes of this presentation? »Strong incident response cultures o Government (in some places) o ISPs o Financials (recently) o ISACs

4 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 4 UNIVERSITY OF OKLAHOMA Resources »SEI/CERT   »O’Reilly book »FIRST: The Forum of Incident Response and Security Teams  »RFC 2196, Site Security Handbook »RFC 2350, Expectations for Computer Security Incident Response »NIST  »NSA »Educause 

5 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 5 UNIVERSITY OF OKLAHOMA Summary of Best Practices »Create a Dedicated team »Have clearly Defined roles »Build a formal Reporting structure »Write a series of Defined plans »Publish the team’s interfaces widely

6 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 6 UNIVERSITY OF OKLAHOMA Issues for Higher Ed »Dedicated Team? o And what’s your budget! o If team is multi-departmental, those politics come into play »Define Roles… o OK. Who will fill them? »Reporting Structure. o OK, but who is in charge or who has the authority? EDUs tend to be non-hierarchical »Defined Plans o The best laid plans are almost never followed. »Publish Contact & other Information o Communications channels in EDUs are diffuse o Audience is different technical levels

7 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 7 UNIVERSITY OF OKLAHOMA University Of Oklahoma Norman Campus DepartmentsCollegesResearch Health Science Center Campus DepartmentsCollegesHospital Tulsa Campus DepartmentsColleges Oklahoma Structure

8 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 8 UNIVERSITY OF OKLAHOMA OU Iterative Approach »Phase one – 2001 o Assign Security Officer »Phase two – 2002 o Establish Computer Assessment Response Team (CART) »Phase three – 2002 o Established Field Security Officers (FSO) »Phase four – 2003 o Approved Computer Security Incident Response Team (CSIRT) »Phase five – 2003 o Established IT Service Centers »Phase six – 2004 o Established OU Cyber Forensics Lab (OUCFL)

9 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 9 UNIVERSITY OF OKLAHOMA BC Structure President

10 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 10 UNIVERSITY OF OKLAHOMA BC Iterative Approach »Phase  Senior Management recognizes need for security office due to serious computer security incident »Phase  Office of Computer Policy & Security established and staffed »Phase  Create “best practice” style incident response team »Phase  Refine team based on real-world experience »Phase  Re-define incidents and response based on cultural issues on campus, moving toward universal culture of security

11 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 11 UNIVERSITY OF OKLAHOMA Phase »Use the resources on the earlier slide to define Computer Security Incident Response Team (CSIRT)  And immediately run into problems »Everyone wanted to be on the team  Management vs. practitioners issue »When a real incident came up, didn't need whole team, and sometimes needed other resources not on team  Lack of tools in an incident »Team runs into exhaustion, lack of interest, or both

12 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 12 UNIVERSITY OF OKLAHOMA Phase »Stop using formal team from Phase 3 »Resolve management vs. practitioner issue by setting up senior management team interface with intermediary to incident team »Security group declares team in the course of declaring incident »Clarify responsibilities (Security is the boss) »Flexibility and understanding of process is more important than who's doing what role in a given incident -- in our last major incident, CIO was boss, not Security, all worked the same since everyone understood roles and just people were swapped

13 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 13 UNIVERSITY OF OKLAHOMA Phase »Security group has too many incidents to make progress on other, strategic tasks »Need to empower other parts of IT and university to run “minor” incidents o Framework and tools for doing this »Improve incident reporting such that we achieve better coverage and more accurate classification »Improve initial handling of people and technology issues when incident occurs

14 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 14 UNIVERSITY OF OKLAHOMA OU Workflow

15 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 15 UNIVERSITY OF OKLAHOMA OU Roles »CART – Executive oversight »Service Centers – Direct Customer Support during incident »Security Team – Handle and execute security response plan »FSO – Coordinate with response efforts »OUCFL – Perform any forensics, investigations, and/or law enforcement communications. »CSIRT – is the handbook that we use only as a reference and guide.

16 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 16 UNIVERSITY OF OKLAHOMA OU Response Cost Relation Model Reactive ProactiveQualitative COSTS and Resource Utilization Quantitative 5% 10% 20% 40% 80% Security Model and Posture

17 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 17 UNIVERSITY OF OKLAHOMA What works/does not work? »User is very happy »Easier to track response capability »Large or sensitive incidents is a new learning process every time »Better control over desired actions or reactions to the incident »Sometimes the whole process is slower than desired »Better and more information is achieved

18 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 18 UNIVERSITY OF OKLAHOMA Questions Calvin Weeks, EnCE, CISSP, CISM OU Cyber Forensics Lab David Escalante, CISSP


Download ppt "© 2005 The Trustees of Boston College & Calvin Weeks   Slide 1 UNIVERSITY OF OKLAHOMA Effective Incident Response Teams: Two Case Studies Tuesday, April."

Similar presentations


Ads by Google