Presentation is loading. Please wait.

Presentation is loading. Please wait.

Growing Your Incident Response Toolbox

Published bySara Alexandrina Paul Modified over 6 years ago

Similar presentations

Presentation on theme: "Growing Your Incident Response Toolbox"— Presentation transcript:

1 Growing Your Incident Response Toolbox
Jonny Sweeny, GSEC GCWN GCIH GWAS Incident Response Manager June 24, 2018 Copyright 2009, Trustees of Indiana University. This work is the intellectual property of IU. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 What do IR tools get us? Decreased detect-to-block times
Improved ability to track down users and computers End-user self-service remediation

3 Main Content Area Bullet point one Bullet point two Bullet point three
Bullet point four Bullet point five

4 What this talk is not about:
Proactive tools to identify/notice activity (i.e. IDS)

5 Outline How to grow the toolbox Categories of tools: Lookup/processing
Communications Blocking Self-Service How IU implemented these tools

6 Clicking, double-clicking
You have to know about tools before you can grow your toolbox This video clip of The IT Crowd is © Channel Four Television Corporation

7 How to grow the toolbox Start collecting connection logs (Syslog)
NetFlow or SFlow data Other login records too (DNS, AD, LDAP, Kerberos, Webmail, CAS) Consider log retention rollover Get the logs into a database Write event query code Streamline notification (canned messages) Streamline blocking Provide easy lookup for support staff Provide self-service remediation At #1, talk about who/where to get logs from. -- show of hands: who is collecting this data now? --FOIA requests == a reason to *not* store for too long At #2, talk about *how* to import to a database. Mention named pipes. 7

8 Are you from the past? The importance of clear communications
This video clip of The IT Crowd is © Channel Four Television Corporation

9 Communications tools

10 Blocking tools Disable Accounts DHCP AD Group WDDX VPN Dialup
~Tracking blocks – we log all block actions. Helps us see machines that keep showing up. ~Make sure and point out how blocking can be complicated but unifying it helps a lot. ~Compare: scramble versus disable. MAC Address SuperBlock Scripted https post SOAP Null route injections WPA2 802.1x Scramble Passphrase 10

11 Self-Service

12 Self-Service Unblocks
Unblocking used to take a lot of our time. Now users do it themselves. 12

13 Demonstrate Smite, Notify & Remediation
I will now attempt a live demo…wish me luck!!

14 Demo processing of sample DMCA notice

15 DMCA quiz

16 DMCA Automation

17 DMCA User Maintenance

18 Demonstrate Charts

19 Demonstrate Database

20 Whitelist / Blacklist

21 SOAP Services

22 Tech Specs Future plans Written in Perl 12,800 lines of code
Has been a side project; first went live Oct 2007 Future plans Digital signatures Better notification to support teams at block time

23 Questions? Jonny Sweeny jsweeny@iu.edu
Webmail spammer (and brute force) detection scripts Keyboard shortcuts Juggle Jonny Sweeny

Download ppt "Growing Your Incident Response Toolbox"

Similar presentations

Interactive Teaching Javed Iqbal University of British Columbia.

Interactive Teaching Javed Iqbal University of British Columbia.
Culture Change: What IT Takes to Create a Quality Customer Service Environment Presented By: Anne Agee, Executive Director, Division of Instructional and.

Culture Change: What IT Takes to Create a Quality Customer Service Environment Presented By: Anne Agee, Executive Director, Division of Instructional and.
What Students Say About Emerging Practices and Learning Technology Anthony Potoczniak - Rice University Sarah E. Smith - North Carolina State University.

What Students Say About Emerging Practices and Learning Technology Anthony Potoczniak - Rice University Sarah E. Smith - North Carolina State University.
Tools for Help Desk Management: Assessment & Guidance Karen Pothering Elinor Pennsylvania State University Copyright.

Tools for Help Desk Management: Assessment & Guidance Karen Pothering Elinor Pennsylvania State University "Copyright.
What Does the Net Generation Expect From Us? SAC August 8, 2005 SAC August 8, 2005 Copyright © 2005, Joel L. Hartman. This work is the intellectual property.

What Does the Net Generation Expect From Us? SAC August 8, 2005 SAC August 8, 2005 Copyright © 2005, Joel L. Hartman. This work is the intellectual property.
© Copyright Computer Lab Solutions 2006. All rights reserved. Do you need usage information about your computer labs? Copyright Computer Lab Solutions.

© Copyright Computer Lab Solutions All rights reserved. Do you need usage information about your computer labs? Copyright Computer Lab Solutions.
Cut Costs and Increase Productivity in your IT Organization with Effective Computer and Network Monitoring. Copyright © T3 Software Builders, Inc 2004.

Cut Costs and Increase Productivity in your IT Organization with Effective Computer and Network Monitoring. Copyright © T3 Software Builders, Inc 2004.
Net Snippets The Leading Internet Research and Information Management Platform Copyright 2003. This work is the intellectual property of the author. Permission.

Net Snippets The Leading Internet Research and Information Management Platform Copyright This work is the intellectual property of the author. Permission.
Design & Development Scott Battaglia Application Developer Enterprise Systems and Services Rutgers, the State University of New Jersey

Design & Development Scott Battaglia Application Developer Enterprise Systems and Services Rutgers, the State University of New Jersey
EDUCAUSE Security Professionals Conference 2007 Monkey-in-the-Middle Attacks on Campus Networks Andrew J. KortySean KrulewitchIndiana University April.

EDUCAUSE Security Professionals Conference 2007 Monkey-in-the-Middle Attacks on Campus Networks Andrew J. KortySean KrulewitchIndiana University April.
Copyright Sylvia Maxwell and Michael White, 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared.

Copyright Sylvia Maxwell and Michael White, This work is the intellectual property of the author. Permission is granted for this material to be shared.
Andrea Eastman-Mullins Information & Technology Coordinator University of North Carolina, Office of the President Teaching and Learning with Technology.

Andrea Eastman-Mullins Information & Technology Coordinator University of North Carolina, Office of the President Teaching and Learning with Technology.
Emergency Notification Systems - ISU Alert EDUCAUSE Midwest Regional 2008 1 ISU Alert Carol McDonald Information Systems Leader Information Technology.

Emergency Notification Systems - ISU Alert EDUCAUSE Midwest Regional ISU Alert Carol McDonald Information Systems Leader Information Technology.
Using Levels of Assurance Renee Shuey nmi-edit CAMP: Charting Your Authentication Roadmap February 8, 2007.

Using Levels of Assurance Renee Shuey nmi-edit CAMP: Charting Your Authentication Roadmap February 8, 2007.
Office of the Vice President Copyright Notice Copyright Greg Hedrick, Matthew Wirges 2004. This work is the intellectual property of the author. Permission.

Office of the Vice President Copyright Notice Copyright Greg Hedrick, Matthew Wirges This work is the intellectual property of the author. Permission.
Educause Security Professionals Conference Network Access Control through Quarantine, Remediation, and Verification Jonny Sweeny Incident Response Manager.

Educause Security Professionals Conference Network Access Control through Quarantine, Remediation, and Verification Jonny Sweeny Incident Response Manager.
Educause Security 2007ISC Information Security Copyright Joshua Beeman, 2007. This work is the intellectual property of the author. Permission is granted.

Educause Security 2007ISC Information Security Copyright Joshua Beeman, This work is the intellectual property of the author. Permission is granted.
Copyright Statement © Jason Rhode and Carol Scheidenhelm. 2006. This work is the intellectual property of the authors. Permission is granted for this material.

Copyright Statement © Jason Rhode and Carol Scheidenhelm This work is the intellectual property of the authors. Permission is granted for this material.
Dana C. Voss Manager, Decision Support Services, UIS University Information Technology Services INDIANA UNIVERSITY May 2003 Copyright Dana C. Voss, 2003.

Dana C. Voss Manager, Decision Support Services, UIS University Information Technology Services INDIANA UNIVERSITY May 2003 Copyright Dana C. Voss, 2003.
Developing a Successful Model for Online and Tech-Enhanced Learning Mamie How Janet Willett Patricia Delich Presented April 27, 2005 Copyright Patricia.

Developing a Successful Model for Online and Tech-Enhanced Learning Mamie How Janet Willett Patricia Delich Presented April 27, 2005 Copyright Patricia.

Similar presentations

Ads by Google