Building Global CSIRT Capabilities, Barbara Laswell, Ph.D.


1 Building Global CSIRT Capabilities, Barbara Laswell, Ph.D.
Building Global CSIRT Capabilities. Barbara Laswell, Ph.D. September 2003. CERT® Centers, Software Engineering Institute, Carnegie Mellon, Pittsburgh, PA. Sponsored by the U.S. Department of Defense.

2 CERT Coordination Center
The CERT/CC was established in 1988 with a mission to:
- respond to security emergencies on the Internet
- serve as a focal point for reporting and facilitating the correction of security vulnerabilities
- analyze security-related data to develop and disseminate countermeasures and prevention techniques
- serve as a model to help others establish incident response teams
- raise awareness and understanding of security trends and issues

3 Growth in Number of Incidents Reported to the CERT/CC

4 Growth in Number of Vulnerabilities Reported to the CERT/CC

5 Growth in CSIRTs

6 Response Teams Around the World

7 Impact on CSIRTs
Today's dynamic environment means less time for CSIRTs to react. Therefore, teams require:
- a method for quick notification
- established and understood policies and procedures
- automation of incident handling tasks
- methods to collaborate and share information with others
- an easy and efficient way to sort through all incoming information

8 Current Situation
Many organizations do not have a formalized incident response capability. There is a shortage of effective CSIRTs and trained staff to respond to current and emerging computer security threats. A growing number of organizations are:
- being mandated or required by laws/regulations to have an incident response plan in place
- proactively seeking to implement a CSIRT as a part of their information security program

9 Stages of CSIRT Development
- Stage 1: Educating the organization
- Stage 2: Planning effort
- Stage 3: Initial implementation
- Stage 4: Operational phase
- Stage 5: Peer collaboration
Figure: the five stages (Education, Planning, Implementation, Operation, Collaboration) shown on a scale from Novice to Expert.

10 General Categories of CSIRTs
- Internal CSIRT: Educational, Governmental, Commercial
- Coordination Centers: Country, State, Region
- Analysis Centers
- Vendor
- Incident Response Provider

11 CSIRT Organization Examples
- CERT Coordination Center (CERT/CC)
- Forum of Incident Response and Security Teams (FIRST)
- Federal Computer Incident Response Center (FedCIRC)
- Australian Computer Emergency Response Team (AusCERT)
- Department of Defense CERT (DOD-CERT)
- German Research Network CERT (DFN-CERT)
- Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)
- IBM Business Continuity and Recovery Services (IBM-ERS) continuity/recover1.nsf/mss/ incident+management

12 CSIRT Collaborations
- FIRST: http://www.first.org/team-info/
- European CSIRT Directory:
- Asia Pacific:

13 Range of CSIRT Services
Mandatory Services:
- Incident Handling
Common CSIRT Services:
- Alerts and Announcements
- Vulnerability Analysis and Response
- Artifact Analysis
- Education and Training
- Incident Tracing
- Intrusion Detection
- Auditing and Penetration Testing
- Security Consulting
- Risk Analysis
- Security Product Development
- Collaboration
- Coordination

14 Information Flow

15 What is Reported?

16 Incident Handling Life Cycle
Figure: incident handling life cycle. Inputs: Incident Report, Vulnerability Report, Information Request, Other (IDS, Hotline/Phone). Stages: Triage; Analyze; Obtain Contact Information; Coordinate Information and Response; Provide Technical Assistance.

17 CSIRT Related Projects
- State of the Practice of CSIRTs (Technical Report will be forthcoming)
- IETF Incident Handling Working Group (INCH WG)
- IETF Intrusion Detection Working Group (IDWG)
- Automated Incident Reporting (AirCERT)
- Incident Detection, Analysis, and Response (IDAR) Project
- Clearing House for Incident Handling Tools (CHIHT)
- Common Advisory Interchange Format (CAIF)
- Best Practices Documents:
  - RFC 3227 – Guidelines for Evidence Collection and Archiving
  - RFC 2350 – Expectations for Computer Security Incident Response

18 Current CSIRT Discussion Topics
- Legal issues and impacts
- Automation and standardization of CSIRT tools
- Data sharing and collaboration
- Certification for incident handlers and teams
- Regionalization efforts
Legal issues: There continues to be interest and considerable discussion in a variety of venues about the effects of various laws and regulations and their impact on CSIRT activities. US teams, as well as international teams, are trying to find the right balance and best approaches for meeting the requirements of these new laws and regulations as they apply to individual organizations and their incident response plans. These discussions are being held in every sector: commercial organizations, universities, federal and local government agencies, as well as multinational companies and other international organizations.
Data sharing: the information sharing and analysis efforts of the CERT Centers (AirCERT) are one such effort; others include, for example, ISACs, DShield.org and Incidents.org.
Certification: launched in 2003; for more information about the CERT-Certified Computer Security Incident Handler certification program, see
Regionalization efforts: TERENA CSIRT Coordination Task Force Europe (TF-CSIRT); Forum of Incident Response and Security Teams (FIRST); Trusted Introducer Service for CSIRTs in Europe (TI); Asia Pacific Computer Emergency Response Team (APCERT); regionalization of the “Americas” (just beginning to emerge).

19 Visit www.cert.org/csirts/
Publications and links to resources to help you create and manage your CSIRT:
- Creating a Computer Security Incident Response Team: A Process for Getting Started
- Creating a Financial Institution CSIRT: A Case Study
- The Handbook for Computer Security Incident Response Teams (CSIRTs) (pdf)
- CSIRT Services
- CSIRT Frequently Asked Questions
- Responding to Intrusions
- Expectations for Computer Security Incident Response (RFC 2350)
- Forming an Incident Response Team (AusCERT Publication)
- Avoiding the Trial-by-Fire Approach to Security Incidents
- NIST: Computer Systems Laboratory Bulletin
- NIST: Establishing a Computer Security Incident Response Capability

20 For More Information
CERT® Centers, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, USA. +1 (412)

