Presentation is loading. Please wait.

Presentation is loading. Please wait.

University of Florida Incident Tracking and Reporting Kathy Bergsma

Similar presentations

Presentation on theme: "University of Florida Incident Tracking and Reporting Kathy Bergsma"— Presentation transcript:

1 University of Florida Incident Tracking and Reporting Kathy Bergsma

2 About UF Land-grant institution Research, education, and extension Over 50,000 students Over 50,000 network nodes First dedicated IT security position in 1999. Now 4 FTE.

3 Your Institution How many are from institutions with greater than 30,000 students? Is your institution de-centralized? Does your institution… have incident response standards and procedures? track IT contacts? track incidents? deliver incident reports?

4 Contact Tracking Contact database Network managers Server managers Information Security Managers Information Security Administrators Much more

5 UF Incident Response Standard response-rewrite.html An incident is “an event that impacts or has the potential to impact the confidentiality, availability, or integrity of UF IT resources.” Describes eight incident response steps from discovery to resolution Establishes UF Incident Response Team and their responsibility Defines Unit responsibility Specific procedures for each incident type

6 Incident Identification Sources IDS Email abuse complaints Flow data Honeypots

7 Incident Tracking Critical fields tracked IP address Unit Incident type Incident severity Time to contain Time to resolve

8 Ticket Creation Manual: Web form interface to Remedy on the backend. Some fields such as contacts are automatically populated Semi automated: Batch processing scripts for ircbots or IP lists Fully automated: Daedalus home-grown automated ticket creation.

9 Daedalus Message processor using threat configs Input IDS event Flow event Email notification Output Remedy ticket Email notification

10 Incident Resolution Daily reports to UF incident response team identifying open tickets Bi-weekly automated reminders about open tickets to ticket owners

11 Vulnerability Detection Continuous Nessus top-20 scans Results tracked in SQL No Remedy ticket because next scan will usually identify resolution Recidivism reports identify unresolved vulnerabilities.

12 Incident Reports Cover letter includes Request to update contact information List and description of graphs General campus trends Link to detailed ticket information Confidentiality statement Periodic survey of report value

13 Incident Reports Each of the following graphs compares the unit to the 5 most active units: Number of incidents Number of incidents adjusted for unit size Average number of days to contain incidents Number of critical vulnerabilities Number of critical vulnerabilities adjusted for unit size

14 Incident Reports Number of each incident type Comparison of current semester to same semester last year of: Number of incidents Average days to contain Number of critical vulnerabilities








22 Executive Incident Summary Table listing all units Total Number of Incidents Containment Time Total Number of Vulnerabilities

23 Survey of Report Value Of the units that responded to the survey: 100% found reports useful 85% approved of report frequency 46% made changes to their information security program as a result of the reports Ways in which the reports are used: 33% compliance review 26% risk assessment 22% strategic planning 19% budget planning

24 Survey of Report Value Cause of incident increase or decrease: 34% awareness and training 21% policy and procedures 21% security infrastructure 14% security staff 10% other 100% were familiar with UF policy Degree of policy compliance 57% very compliant 36% mostly compliant 7% somewhat compliant

25 Questions? Thank you, Kathy Bergsma

Download ppt "University of Florida Incident Tracking and Reporting Kathy Bergsma"

Similar presentations

Ads by Google