Chronic Workload Problems in Computer Security Incident Response Teams Johannes Wiik, Jose J. Gonzalez University of Agder, Norway Pål I. Davidsen University.

Slides:

Advertisements

Similar presentations

Computer Emergency Response Teams

Advertisements

Information Technology Awareness Wayne Donald IT Security Officer.

IMPROVING THE INTERNATIONAL COMPARABILITY OF STATISTICS PRODUCED BY CSIRTs Developing Cybersecurity Risk Indicators panel 26 th Annual FIRST Conference.

 Minimum System Requirements  Updates to Proctor Caching  Updates to Configure TestNav  Setting Up Your Infrastructure  System Check Utility  Resources.

Solidcore Harness the Power of Change John Sebes CTO Solidcore Systems, Inc. Case Study:

© 2003 Carnegie Mellon University slide 1 Building CSIRT Capabilities and the State of the Practice Georgia Killcrece CSIRT Development Team CERT ® Training.

Building Capabilities for Incident Handling and Response

RADAR EVALUATION Goals, Targets, Review & Discussion Jaime Carbonell & soon Full SRI/CMU/IET RADAR Team 1-February-2005 School of Computer Science Supported.

Presentation for China Migrant Labour Occupational Health and Safety Project – June 2009 Healthy Workplaces A Comprehensive Approach to Wellness and Productivity.

Future Work Needed Kenneth Wade Najim Yaqubie. Outline 1.Model is simple 2.Too many assumptions 3.Conflicting internal architectures 4.Security Challenges.

Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.

January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS © Abdou Illia.

JPCERT/CC May Fixed-Point Auto Data Collecting System Getting more accurate Scan and Prove data to provide more accurate network traffic analysis.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

“When out of ammo, Reload” CYBERSECURITY CHALLENGES AND THREATS Ahmed Husain Managing Director.

Manage Engine: Q Engine. What is it?  Tool developed by Manage Engine that allows one to test web applications using a variety of different tests to.

PREPAREDNESS AND RESPONSE TO CYBER THREATS REQUIRE A CSIRT By Jaco Robertson, Marthie Lessing and Simon Nare*

1 Phases in Software Development Lecture Software Development Lifecycle Let us review the main steps –Problem Definition –Feasibility Study –Analysis.

SYSTEM DYNAMICS MODELING OF AGILE CONTINUOUS DELIVERY PROCESS 資工 4A 鄭鈞輿.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

Experience to create and manage Computer Security Incident Response Team in Latvia Egils Stūrmanis DDIRV (VITA CSIRT) manager State Joint Stock Company.

What is a Business Analyst? A Business Analyst is someone who works as a liaison among stakeholders in order to elicit, analyze, communicate and validate.

VULNERABILITY ASSESSMENT FOR THE POLICE DEPARTMENT’S NETWORK.

Denial of Service (DoS) DoS attacks are aggressive attacks on an individual computer or groups of computers with the intent to deny services to intended.

Preparing for the Implementation of the MiFID at the Warsaw Stock Exchange Split, 15 June 2007.

CERT AM: Securing NREN in Armenia. Armenian NREN ASNET AM – Connecting more than 40 academic institutes of NAS RA and more than 10 other research, educational.

IRT Co-ordination in Europe Brian Gilmore The University of Edinburgh.

Partnership Learnings Partnering is a complex and time- consuming process that may achieve outcomes that single entities may not be able to achieve independently.

This Project is funded by the European Union Project implemented by Human Dynamics Consortium This project is funded by the European Union Projekat finansira.

Conficker Update John Crain. What is Conficker? An Internet worm  Malicious code that is self-replicating and distributed over a network A blended threat.

Incident Response November 2015 Navigating a Cybersecurity Incident.

MANUAL TESTING KS SESSION PRESENTED BY 26/11/015 VISHAL KUMAR.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.

Computer Security Status Update FOCUS Meeting, 28 March 2002 Denise Heagerty, CERN Computer Security Officer.

ICANN Strategic Initiatives for Security, Stability and Resiliency - DNS CERT Posted for Public Comment at 1.

International Cyber Warfare & Security and B2B Conference Participation of Brazilian Cyber Defense Centre ( )

Security Environment Assessment. Outline  Overview  Key Sources and Participants  General Findings  Policy / Procedures  Host Systems  Network Components.

IT Security Challenges In Higher Education Steve Schuster Cornell University Copyright Steve Schuster This work is the intellectual property of.

DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.

Post Diagnostic Support HEAT Measurement Workshop Workforce Planning and Costings 6 th February 2013 Welcome Mental Health Division QuEST Quality and Efficiency.

Slide 1 Security Engineering. Slide 2 Objectives l To introduce issues that must be considered in the specification and design of secure software l To.

The Alloy Analyzer June 14 th Alloy small modelling notation that can express a useful range of structural properties is easy to read and write.

Computer Security Status C5 Meeting, 2 Nov 2001 Denise Heagerty, CERN Computer Security Officer.

1 CREATING AND MANAGING CERT. 2 Internet Wonderful and Terrible “The wonderful thing about the Internet is that you’re connected to everyone else. The.

Computer Policy and Security Report to Faculty Council Jeanne Smythe ATN Director for Computing Policy March 26,2004.

ClASS MODULES: BREAKOUT SESSIONS. ClASS COUNSELING AND TESTING MODULE.

Planning for LCG Emergencies HEPiX, Fall 2005 SLAC, 13 October 2005 David Kelsey CCLRC/RAL, UK

Cognitive & Organizational Challenges of Big Data in Cyber Defence. YALAVARTHI ANUSHA 1.

1 Network Security By Alan S H Lam 2003/7/29. 2 Outlines Threat and Attack trends Attackers’ Activities (live demo) Forensic Tools (live demo) IT-Related.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security aspects (based on Romain Wartel’s.

1  Carnegie Mellon University Overview of the CERT/CC and the Survivable Systems Initiative Andrew P. Moore CERT Coordination Center.

CIRTL Data Sharing 10/9/15. New Opportunities The CIRTL Network Commons (CNC) offers the potential for easier access to data for evaluation purposes.

Logging and Monitoring. Motivation Attacks are common (see David's talk) – Sophisticated – hard to reveal, (still) quite limited in our environment –

Grid Deployment Technical Working Groups: Middleware selection AAA,security Resource scheduling Operations User Support GDB Grid Deployment Resource planning,

Stop Those Prying Eyes Getting to Your Data

Copyright © 2005 M. E. Kabay. All rights reserved.

Preserving a balanced CSIRT constituency

Security Engineering.

Securing Cisco Networks with Threat Detection and Analysis practice-questions.html.

Securing Cisco Networks with Threat Detection and Analysis practice-questions.html.

Lesson #8 MCTS Cert Guide Microsoft Windows 7, Configuring Chapter 8 Configuring Applications and Internet Explorer.

Information Security Session October 24, 2005

Threat Trends and Protection Strategies Barbara Laswell, Ph. D

Coordinated Security Response

Computer Emergency Response Team

The Estonian experience with ex-ante evaluation – set-up and progress

Capitalize on Your Business’s Technology

Presentation transcript:

Chronic Workload Problems in Computer Security Incident Response Teams Johannes Wiik, Jose J. Gonzalez University of Agder, Norway Pål I. Davidsen University of Bergen, Norway Klaus-Peter Kossakowski SEI Europe, Carnegie Mellon University, Germany

Computer security incidents Low-priority incidents Such as port scans, spam, fake , and other nuisances Nevertheless, a significant challenge owing to their large volume Dynamics: quite accurately described as exponentially growing Essential point: Cannot be matched by staff increase and CSIRT- funding High-priority incidents Such as attacks on net infrastructure, serious new worms, viruses, botnets, sniffers, account compromisers, etc Low volume, but very serious Dynamics: basically oscillatory

CSIRTs Computer Security Incidence Response Teams (CSIRTs/CERTs) provide one or more services: incident analysis incident response on site, support & coordination nowadays increasing emphasis on proactive services Chronic situation for CSIRTs since their inception in 1988 CSIRTs are underfunded, understaffed CSIRT staff is overworked Worsening situation for CSIRTs in recent years Increasing volume of (mainly low-priority) incidents, automation and speed of new attack tools give CSIRT staff less and less time to react Instabilities in high-priority security incident reports from the constituency (internal sites) and affected external sites

High priority incidents Instabilities in incident reports  instabilities in workload  inefficient use of resources Problems to retain the CSIRT constituency (  funding problems) See posters # 1193 and Preferred? Expected? Feared?

Low-priority incidents Work LoadHuman Resources Overwhelming increase in the rate of low-priority incidents The workload increases accordingly Human resources cannot keep pace

Modeling process Close collaboration with one of the oldest and largest “coordinating” CSIRTs Initial research questions What factors limit the effectiveness of the incident response service in the CSIRT What policies can improve the effectiveness of the incident response service in the CSIRT? What constitutes effective incident response in the CSIRT? The management and staff of the CSIRT participated in 5 face-to-face working sessions of 1 – 4 days over a 1 ½ year period: Eliciting of mental, written and numerical information, incl. reference behavior modes Review of model structure Model verification, validation & policy testing

Reference behavior modes Idealized reference behavior derived from time series data and from interviews with CSIRT management and staff

Policy structure diagram

Base run

Policy analysis scenarios Fixed resource split: The CSIRT separates the workforce into two fixed workgroups instead of using it as a shared resource between tool development and incident response Only automation: The CSIRT only offers automatic response Maintain manual handling: The CSIRT refuses to change the service scope and only provides manual handling

Policy runs

Thank you!