Building Global CSIRT Capabilities

Transcription

1 Building Global CSIRT Capabilities Barbara Laswell, Ph.D. September 2003 CERT Centers Software Engineering Institute Carnegie Mellon Pittsburgh, PA Sponsored by the U.S. Department of Defense Carnegie Mellon University

2 CERT Coordination Center The CERT/CC was established in 1988 with a mission to: respond to security emergencies on the Internet, serve as a focal point for reporting and facilitating the corrections to security vulnerabilities, analyze security-related data to develop and disseminate countermeasures and prevention techniques, serve as a model to help others establish incident response teams, raise awareness and understanding of security trends and issues Carnegie Mellon University

3 Growth in Number of Incidents Reported to the CERT/CC Carnegie Mellon University

4 Growth in Number of Vulnerabilities Reported to the CERT/CC Carnegie Mellon University

5 Growth in CSIRTs Carnegie Mellon University

6 Response Teams Around the World Carnegie Mellon University

7 Impact on CSIRTs Today s dynamic environment means less time for CSIRTs to react. Therefore, teams require a method for quick notification established and understood policies and procedures automation of incident handling tasks methods to collaborate and share information with others easy and efficient way to sort through all incoming information Carnegie Mellon University

8 Current Situation Many organizations do not have a formalized incident response capability. There is a shortage of effective CSIRTs and trained staff to respond to current and emerging computer security threats. A growing number of organizations are being mandated or required by laws/regulations to have an incident response plan in place proactively seeking to implement a CSIRT as a part of their information security program Carnegie Mellon University

9 Stages of CSIRT Development Stage 1 Stage 2 Stage 3 Stage 4 Stage 5 Novice Educating the organization Planning effort Initial implementation Operational phase Peer collaboration Expert Stage 1 Education Stage 2 Planning Stage 3 Implementation Stage 4 Operation Stage 5 Collaboration Carnegie Mellon University

10 General Categories of CSIRTs Internal CSIRT Educational Governmental Commercial Coordination Centers Country State Region Analysis Centers Vendor Incident Response Provider Carnegie Mellon University

11 CSIRT Organization Examples CERT Coordination Center (CERT/CC) Forum of Incident Response and Security Teams (FIRST) Federal Computer Incident Response Center (FedCIRC) Australian Computer Emergency Response Team (AusCERT) Department of Defense CERT (DOD-CERT) German Research Network CERT (DFN-CERT) Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) IBM Business Continuity and Recovery Services (IBM-ERS) continuity/recover1.nsf/mss/ incident+management Carnegie Mellon University

12 CSIRT Collaborations FIRST: European CSIRT Directory: Asia Pacific: Carnegie Mellon University

13 Range of CSIRT Services Mandatory Services: Incident Handling Common CSIRT Services: Alerts and Announcements Vulnerability Analysis and Response Artifact Analysis Education and Training Incident Tracing Intrusion Detection Auditing and Penetration Testing Security Consulting Risk Analysis Security Product Development Collaboration Coordination Carnegie Mellon University

14 Information Flow Carnegie Mellon University

15 What is Reported? Carnegie Mellon University

16 Incident Handling Life Cycle Other IDS Triage Information Request Hotline/ Phone Vulnerability Report Coordinate Information and Response Incident Report Analyze Obtain Contact Information Provide Technical Assistance Carnegie Mellon University

17 CSIRT Related Projects State of the Practice of CSIRTs IETF Incident Handling Working Group (INCH WG) and Intrusion Detection Working Group (IDWG) Automated Incident Reporting (AirCERT) Incident Detection, Analysis, and Response (IDAR) Project Clearing House for Incident Handling Tools (CHIHT) Common Advisory Interchange Format (CAIF) Best Practices Documents Carnegie Mellon University

18 Current CSIRT Discussion Topics Legal issues and impacts Automation and standardization of CSIRT tools Data sharing and collaboration Certification for incident handlers and teams Regionalization efforts Carnegie Mellon University

19 Visit Publications and links to resources to help you create and manage your CSIRT Creating a Computer Security Incident Response Team: A Process for Getting Started Creating a Financial Institution CSIRT: A Case Study The Handbook for Computer Security Incident Response Teams (CSIRTs) (pdf) CSIRT Services CSIRT Frequently Asked Questions Responding to Intrusions Expectations for Computer Security Incident Response (RFC 2350) Forming an Incident Response Team (AusCERT Publication) Avoiding the Trial-by-Fire Approach to Security Incidents NIST: Computer Systems Laboratory Bulletin NIST: Establishing a Computer Security Incident Response Capability Carnegie Mellon University

20 For More Information CERT Centers Software Engineering Institute Carnegie Mellon University Pittsburgh, PA USA +1 (412) Carnegie Mellon University