Using Anthropology to study Security Incident Response Raj Rajagopalan Xinming Ou Honeywell Kansas State U FIRST 2014 June 25, 2014.
Presentation transcript:

The Team Sathya Chandran, Mike Wesch, Simon Ou (KSU) John McHugh (RedJack) Dan Moor (HP) Raj Rajagopalan (Honeywell) Partially supported by an NSF grant. Opinions are those of the authors.

SOCs and CSIRTs are the heart of our cyber defense and yet … we cannot articulate how they thrive

E.g. we don't know: how to make incident handling more automated; how to train new analysts quickly; how to share knowledge effectively.

To do this we have to know what makes a SOC/CSIRT really work. But don't we know that already? But first, a little story…

Back in 2006 a group of intrepid security researchers were on a mission to find out how to build an effective IDS. So they went to the nearest SOC/CSIRT, which happened to be the one on campus. What did they learn?

What we saw: We observed the SOC handle a malware incident affecting campus servers. What we saw was not what we expected.

What we saw: SOC analysts don't use high-tech tools! Most of the work is grubby manual work. Most of the analysis is based on personal experience.

What we learned: Security analysis is a people problem more than a technology problem! Academic security research is well-separated from the practice of cyber security. Vendors to the SOC were not doing much better.

What we did: We asked the SOC analysts how they did their jobs. How did that work? Not well. What did we miss?

What we set out to observe

What we became

Time for Reflection: The researchers could not get the time of day from the SOC staff. SOC personnel were too busy and too suspicious. SOC skills are learned primarily via a master-apprentice model. The researchers were on the outside looking in!

The Professional Observer: Dr. Mike Wesch, socio-cultural anthropologist, to the rescue!

Introduction to Anthropology: The study of all people in all times in all places. See the big picture and the small picture at the same time.

1. What we think Anthropologists do!

1. Other things Anthropologists do!

What Anthropology teaches us: Get rid of your familiar biases!

How did we apply Anthropology to studying CSIR? Our embeds: 1. Worked initially on the sidelines. 2. Built tools for the SOC analysts. 3. Gained the trust of SOC analysts. 4. Co-created tools with the SOC analysts over the course of 18 months!

What does Anthropology tell us about studying the CSIRT? People know more than they can tell. Knowledge is held in the community. Converting tacit knowledge to explicit knowledge requires systematic study.

It is not enough to live there. You have to be one of them. Participant observation is the key.

Knowledge comes when the observer achieves the perspective of the observed. The key is to record that journey.

How to observe what is being said: S-P-E-A-K-I-N-G. Setting and scene; Participants; Ends; Act sequence; Key (tone, manner, or spirit of the event); Instrumentalities (forms and styles used); Norms (social rules governing the action); Genre.

It's not what's being said … it's what what's being said says.

What we learned when we applied Anthropological techniques: 1. SOC analysts' knowledge is very tribal; there is no alternative to experience. 2. Analysts are not always aware of their own knowledge, which comes out in interactions. 3. It is necessary and possible to become a SOC "insider" to learn how it really works. 4. SOC management needs to empower and incentivize knowledge sharing among analysts. 5. Tool co-creation is the best way to transfer technology into a SOC.

Some short-term outcomes of our Anthropological work so far: SOC staff discuss their problems with the researchers today. Our participant observer built a tool for a unique problem they were facing. A SOC analyst participated in the tool design. The solution did not require sophisticated or new tools. The solution reduced the time spent dramatically. The SOC uses the tool!

Is Anthropology necessary? The SOC is a unique socio-cultural environment where the activity is very human-centric. SOC culture is closed and suspicious by necessity. A short or superficial look at SOC operations would have been misleading. We have to separate the problems rooted in human behaviors from the technology. Anthropology gives us a methodology to conduct long-term, human-oriented study.

Further work: We have an upcoming article in IEEE Magazine Special Issue on CSIRTs. The systematic work was limited to one SOC in a university environment. We have now expanded the study to include two corporate SOCs. We need to conduct the study at more SOCs.

An Invitation to the FIRST Community: We would like to invite participation from the FIRST community SOCs/CSIRTs. Study participation can benefit both the participating SOC/CSIRT and the community.

What we hope to achieve in the long run: Deeper understanding of how security analysis works by converting tacit knowledge into explicit knowledge. Learn to make our SOC/CSIRT more effective. Learn to train our analysts better. Create a SOC/CSIRT community that learns to observe itself and share better.

How and when we share knowledge in our communities is not so different after all.