CERT.be Brussels 2011

Size: px

Start display at page:

Download "CERT.be Brussels 2011"

Jerome King
5 years ago
Views:

2 What?

3 CERT Computer Emergency Response Team CSIRT : Computer Security Incident Response Team = The Belgian National CERT 3

4 Our Mission s mission is to help Belgian key resources, critical information providers and the Belgian public protect their IT infrastructure, by: Providing information about incidents, Giving support in handling incidents, Coordinating the response to large-scale incidents, Helping them to develop CSIRT activities, Sharing data and knowledge 4

5 Our Role (Reactive) Handling of Computer and Network Security Incidents (Proactive) Publication of Information about IT Security Create Awareness Share information and knowledge 5

6 Reactive Services

7 Incident Handling Incident Analysis Evaluate threat Publish report Incident Response Support 7

8 Incident Handling Incident Response Coordination: e.g. DNS.be 8

9 Alerts and Warnings RSS Feed for security advisories 9

10 CERT s problems Abundance of new sources & source types Abusix, Clean-MX, Shadowserver, Dshield,... Old school approach 1-on-1, redundancy, not efficient Valuable resources and information get lost Manual triage, follow-up overhead, ticketing clutter 10

11 CERT s conculsion We need to automate! We need to change our output channels! We need to collaborate! CERT s Constituents ISP s 11

12 AbuseHelper Generic open source framework scalable system of chat rooms & bots Flexible input & output means Automated incident reporting 12

13 Proactive Services 13

14 Announcements 14

15 Technology Watch Default activity: Monitor web sites Mailing lists Study new technologies Feeds other publications and actions: White papers Advisories etc... 15

16 Security Related Information Dissemination 16

17 Education / Training CSIRT setup 17

18 Awareness Building Conferences Workshops 18

19 Who?

20 Who s behind Operated by BELNET, the Belgian Research and Education Network Funded by FEDICT Coordination with BIPT Collaboration with FCCU 20

21 Who s behind Coordinator Ad Interim: Christian Van Heurck Security Analysts: Koen Van Impe Jérôme Devigne David Durvaux Yorkvik Jacqmin Jacqueline Dulmaine Belnet team: Support 21

22 Phasing

23 Not big bang, but a phased project Phase 1 Start September Priorities: Critical Infrastructure Phase 2 Start: January 2010 Extension to Greater Public 23

24 Next phases Phase 3 Start: July, 2011 Office hours extension Phase 4 Start: July, 2012 More Services 24

25 What changes?

26 Changes for YOU YOU are still responsible for your networks and systems At second glance: Neutral source of information Support in case of incidents Someone to turn to with questions 26

27 Reporting incidents matters! You may not be the only one under attack Others may have found solutions that could work for you Your solution might work for others s role as central point of contact makes this information sharing possible 27

28 Reporting incidents Web form: Telephone:

29 my How to contact you? General Serious Big Incidents How can we help? Feed, Dashboard, Mails, chat,? AbuseHelper FCCU What can we share? Data Legal Knowledge ISAC 29

30 ISAC Information Sharing and Analysis Centre Place where people with similar interests / background can exchange information, experiences, even if it s sensitive Main activities: discussion and presentation meetings, three times a year Governed by a small set of rules Logistics and secretariat is handled by the staff 30

31 Traffic Light Protocol The Traffic Light Protocol governs how and if an information can be further disseminated RED information is limited to people present in a meeting where the information is given, or the direct recipient of any form of mail containing the information. AMBER information may be shared with others within the recipient s organisation, on a need-to-know basis. The originator may specify limits to the sharing GREEN information can be widely circulated within a community. However, it cannot be published on the internet, nor released outside of the community. WHITE information sharing is not restricted - at least within the limits of legality (e.g. copyright). 31

32 Thank you! Questions?

RFC2350 TLP1: WHITE. Έκδοση National CSIRT-CY RFC2350

RFC2350 TLP1: WHITE. Έκδοση National CSIRT-CY RFC2350 Έκδοση 1.2-2018.02.14 TLP1: WHITE 1 TLP Sources may use TLP: WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.