Presentation on theme: "University of Florida Incident Tracking and Reporting Kathy Bergsma"— Presentation transcript:
University of Florida Incident Tracking and Reporting Kathy Bergsma firstname.lastname@example.org
About UF Land-grant institution Research, education, and extension Over 50,000 students Over 50,000 network nodes First dedicated IT security position in 1999. Now 4 FTE.
Your Institution How many are from institutions with greater than 30,000 students? Is your institution de-centralized? Does your institution… have incident response standards and procedures? track IT contacts? track incidents? deliver incident reports?
Contact Tracking Contact database Network managers Server managers Information Security Managers Information Security Administrators Much more
UF Incident Response Standard http://www.it.ufl.edu/policies/security/uf-it-sec-incident- response-rewrite.html An incident is “an event that impacts or has the potential to impact the confidentiality, availability, or integrity of UF IT resources.” Describes eight incident response steps from discovery to resolution Establishes UF Incident Response Team and their responsibility Defines Unit responsibility Specific procedures for each incident type
Incident Tracking Critical fields tracked IP address Unit Incident type Incident severity Time to contain Time to resolve
Ticket Creation Manual: Web form interface to Remedy on the backend. Some fields such as contacts are automatically populated Semi automated: Batch processing scripts for ircbots or IP lists Fully automated: Daedalus home-grown automated ticket creation.
Incident Resolution Daily reports to UF incident response team identifying open tickets Bi-weekly automated reminders about open tickets to ticket owners
Vulnerability Detection Continuous Nessus top-20 scans Results tracked in SQL No Remedy ticket because next scan will usually identify resolution Recidivism reports identify unresolved vulnerabilities.
Incident Reports Cover letter includes Request to update contact information List and description of graphs General campus trends Link to detailed ticket information Confidentiality statement Periodic survey of report value
Incident Reports Each of the following graphs compares the unit to the 5 most active units: Number of incidents Number of incidents adjusted for unit size Average number of days to contain incidents Number of critical vulnerabilities Number of critical vulnerabilities adjusted for unit size
Incident Reports Number of each incident type Comparison of current semester to same semester last year of: Number of incidents Average days to contain Number of critical vulnerabilities
Executive Incident Summary Table listing all units Total Number of Incidents Containment Time Total Number of Vulnerabilities
Survey of Report Value Of the units that responded to the survey: 100% found reports useful 85% approved of report frequency 46% made changes to their information security program as a result of the reports Ways in which the reports are used: 33% compliance review 26% risk assessment 22% strategic planning 19% budget planning
Survey of Report Value Cause of incident increase or decrease: 34% awareness and training 21% policy and procedures 21% security infrastructure 14% security staff 10% other 100% were familiar with UF policy Degree of policy compliance 57% very compliant 36% mostly compliant 7% somewhat compliant