Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2005 The Trustees of Boston College & Calvin Weeks   Slide 1 UNIVERSITY OF OKLAHOMA Effective Incident Response Teams: Two Case Studies Tuesday, April.

Published byEan Clower Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2005 The Trustees of Boston College & Calvin Weeks   Slide 1 UNIVERSITY OF OKLAHOMA Effective Incident Response Teams: Two Case Studies Tuesday, April."— Presentation transcript:

1 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 1 UNIVERSITY OF OKLAHOMA Effective Incident Response Teams: Two Case Studies Tuesday, April 05, 2005 10:00 a.m. - 11:00 a.m. Imperial Room I (lower level) David Escalante, Director of Computer Policy & Security, Boston College Calvin Weeks, Director, OU Cyber Forensics Lab, University of Oklahoma

2 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 2 UNIVERSITY OF OKLAHOMA Summary »Why you need/want incident response »What is best practice »Problems with best practice for Higher Ed »OU established model »BC established model »Roles »What works and what does not

3 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 3 UNIVERSITY OF OKLAHOMA Why You Need Incident Response »Compliance with laws and regulations o Gramm-Leach Bliley Act (GLBA) o Sarbanes-Oxley (SOX) o Health Information Privacy Portability Act (HIPPA) o FERPA »Security improvement »Improve network and system uptime »What is an “incident” for the purposes of this presentation? »Strong incident response cultures o Government (in some places) o ISPs o Financials (recently) o ISACs

4 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 4 UNIVERSITY OF OKLAHOMA Resources »SEI/CERT  http://www.cert.org/csirts/Creating-A-CSIRT.html  http://www.sei.cmu.edu/publications/documents/03.reports/03hb002.html »O’Reilly book »FIRST: The Forum of Incident Response and Security Teams  http://www.first.org/ »RFC 2196, Site Security Handbook »RFC 2350, Expectations for Computer Security Incident Response »NIST  http://csrc.nist.gov/topics/inchand.html »NSA »Educause  http://www.educause.edu/Browse/645?PARENT_ID=660

5 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 5 UNIVERSITY OF OKLAHOMA Summary of Best Practices »Create a Dedicated team »Have clearly Defined roles »Build a formal Reporting structure »Write a series of Defined plans »Publish the team’s interfaces widely

6 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 6 UNIVERSITY OF OKLAHOMA Issues for Higher Ed »Dedicated Team? o And what’s your budget! o If team is multi-departmental, those politics come into play »Define Roles… o OK. Who will fill them? »Reporting Structure. o OK, but who is in charge or who has the authority? EDUs tend to be non-hierarchical »Defined Plans o The best laid plans are almost never followed. »Publish Contact & other Information o Communications channels in EDUs are diffuse o Audience is different technical levels

7 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 7 UNIVERSITY OF OKLAHOMA University Of Oklahoma Norman Campus DepartmentsCollegesResearch Health Science Center Campus DepartmentsCollegesHospital Tulsa Campus DepartmentsColleges Oklahoma Structure

8 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 8 UNIVERSITY OF OKLAHOMA OU Iterative Approach »Phase one – 2001 o Assign Security Officer »Phase two – 2002 o Establish Computer Assessment Response Team (CART) »Phase three – 2002 o Established Field Security Officers (FSO) »Phase four – 2003 o Approved Computer Security Incident Response Team (CSIRT) »Phase five – 2003 o Established IT Service Centers »Phase six – 2004 o Established OU Cyber Forensics Lab (OUCFL)

9 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 9 UNIVERSITY OF OKLAHOMA BC Structure President

10 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 10 UNIVERSITY OF OKLAHOMA BC Iterative Approach »Phase 1 - 2002  Senior Management recognizes need for security office due to serious computer security incident »Phase 2 - 2003  Office of Computer Policy & Security established and staffed »Phase 3 - 2003  Create “best practice” style incident response team »Phase 4 - 2004  Refine team based on real-world experience »Phase 5 - 2005  Re-define incidents and response based on cultural issues on campus, moving toward universal culture of security

11 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 11 UNIVERSITY OF OKLAHOMA Phase 3 -- 2003 »Use the resources on the earlier slide to define Computer Security Incident Response Team (CSIRT)  And immediately run into problems »Everyone wanted to be on the team  Management vs. practitioners issue »When a real incident came up, didn't need whole team, and sometimes needed other resources not on team  Lack of tools in an incident »Team runs into exhaustion, lack of interest, or both

12 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 12 UNIVERSITY OF OKLAHOMA Phase 4 -- 2004 »Stop using formal team from Phase 3 »Resolve management vs. practitioner issue by setting up senior management team interface with intermediary to incident team »Security group declares team in the course of declaring incident »Clarify responsibilities (Security is the boss) »Flexibility and understanding of process is more important than who's doing what role in a given incident -- in our last major incident, CIO was boss, not Security, all worked the same since everyone understood roles and just people were swapped

13 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 13 UNIVERSITY OF OKLAHOMA Phase 5 -- 2005 »Security group has too many incidents to make progress on other, strategic tasks »Need to empower other parts of IT and university to run “minor” incidents o Framework and tools for doing this »Improve incident reporting such that we achieve better coverage and more accurate classification »Improve initial handling of people and technology issues when incident occurs

14 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 14 UNIVERSITY OF OKLAHOMA OU Workflow

15 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 15 UNIVERSITY OF OKLAHOMA OU Roles »CART – Executive oversight »Service Centers – Direct Customer Support during incident »Security Team – Handle and execute security response plan »FSO – Coordinate with response efforts »OUCFL – Perform any forensics, investigations, and/or law enforcement communications. »CSIRT – is the handbook that we use only as a reference and guide.

16 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 16 UNIVERSITY OF OKLAHOMA OU Response Cost Relation Model Reactive ProactiveQualitative COSTS and Resource Utilization Quantitative 5% 10% 20% 40% 80% Security Model and Posture

17 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 17 UNIVERSITY OF OKLAHOMA What works/does not work? »User is very happy »Easier to track response capability »Large or sensitive incidents is a new learning process every time »Better control over desired actions or reactions to the incident »Sometimes the whole process is slower than desired »Better and more information is achieved

18 © 2005 The Trustees of Boston College & Calvin Weeks   Slide 18 UNIVERSITY OF OKLAHOMA Questions Calvin Weeks, EnCE, CISSP, CISM OU Cyber Forensics Lab cweeks@ou.edu http://cfl.ou.edu David Escalante, CISSP david.escalante@bc.edu

Download ppt "© 2005 The Trustees of Boston College & Calvin Weeks   Slide 1 UNIVERSITY OF OKLAHOMA Effective Incident Response Teams: Two Case Studies Tuesday, April."

Similar presentations

Philippine Cybercrime Efforts

Philippine Cybercrime Efforts
IT Security Policy Framework

IT Security Policy Framework
A presentation for CIOs. What are the biggest challenges that face a modern CIO? (Lets list them…)

A presentation for CIOs. What are the biggest challenges that face a modern CIO? (Lets list them…)
Copyright Kathy J. Lang and Ed Mahon, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared.

Copyright Kathy J. Lang and Ed Mahon, This work is the intellectual property of the authors. Permission is granted for this material to be shared.
The Value of a Project Management Office Copyright: Kathy J. Lang, 2004.

The Value of a Project Management Office Copyright: Kathy J. Lang, 2004.
12 August 2004 Strategic Alignment By Maria Rojas.

12 August 2004 Strategic Alignment By Maria Rojas.
Security Education and Awareness Workshop January 15-16, 2004 Baltimore, MD.

Security Education and Awareness Workshop January 15-16, 2004 Baltimore, MD.
CHAPTER 7 Business Management.

CHAPTER 7 Business Management.
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
Overview of Priorities and Activities: Shared Services Canada Presentation to the Information Technology Infrastructure Roundtable June 17, 2013 Liseanne.

Overview of Priorities and Activities: Shared Services Canada Presentation to the Information Technology Infrastructure Roundtable June 17, 2013 Liseanne.
Cyber Forensics: Find Out What You Are Missing Calvin Weeks, CISSP, CISM, EnCE University of Oklahoma Director, Cyber Forensics Lab Sean Ensz, CISSP, GSEC.

Cyber Forensics: Find Out What You Are Missing Calvin Weeks, CISSP, CISM, EnCE University of Oklahoma Director, Cyber Forensics Lab Sean Ensz, CISSP, GSEC.
Security and Personnel

Security and Personnel
Strategies for Crafting Effective IT Security Policies CIO Forum March 12, 2003 Dennis Maloney & Marin Stanek The University of Colorado at Boulder.

Strategies for Crafting Effective IT Security Policies CIO Forum March 12, 2003 Dennis Maloney & Marin Stanek The University of Colorado at Boulder.
INFSO-RI-508833 Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK

INFSO-RI Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK
1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID THE NETWORK SECURITY CHALLENGE Jack Suess CIO University of Maryland Baltimore.

1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID THE NETWORK SECURITY CHALLENGE Jack Suess CIO University of Maryland Baltimore.
Advancing Security Programs through Partnerships Cathy HubbsShirley Payne IT Security Coordinator Director for Security Coordination & Policy George Mason.

Advancing Security Programs through Partnerships Cathy HubbsShirley Payne IT Security Coordinator Director for Security Coordination & Policy George Mason.
Security Controls – What Works

Security Controls – What Works
1 SAP Security and Controls Use of Security Compliance Tools to Detect and Prevent Security and Controls Violations.

1 SAP Security and Controls Use of Security Compliance Tools to Detect and Prevent Security and Controls Violations.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Data Management Awareness January 23, 2008 1 University of Michigan Administrative Information Services Data Management Awareness Unit Liaisons January.

Data Management Awareness January 23, University of Michigan Administrative Information Services Data Management Awareness Unit Liaisons January.

Similar presentations

Ads by Google