Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2003 Carnegie Mellon University slide 1 Building CSIRT Capabilities and the State of the Practice Georgia Killcrece CSIRT Development Team CERT ® Training.

Published byJoshua Clark Modified over 10 years ago

Similar presentations

Presentation on theme: "© 2003 Carnegie Mellon University slide 1 Building CSIRT Capabilities and the State of the Practice Georgia Killcrece CSIRT Development Team CERT ® Training."— Presentation transcript:

1 © 2003 Carnegie Mellon University slide 1 Building CSIRT Capabilities and the State of the Practice Georgia Killcrece CSIRT Development Team CERT ® Training and Education Center Sponsored by the U.S. Department of Defense August 7, 2003 CERT ® Centers Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213

2 © 2003 Carnegie Mellon University slide 2 What is a CSIRT? An organization or team within a defined constituency that provides services and support for preventing and responding to computer security incidents.

3 © 2003 Carnegie Mellon University slide 3 The Old “Net”

4 © 2003 Carnegie Mellon University slide 4 Early History* *Timeframe: 1988. Approximate number of hosts: 60,000K

5 © 2003 Carnegie Mellon University slide 5 Initial Formation of Teams FIRST Founding Members* Air Force Computer Emergency Response Team (AFCERT) CERT Coordination Center Defense Communication Agency/Defense Data Network Department of Army Response Team Computer Incident Advisory Capability (CIAC) Goddard Space Flight Center NASA Ames Research Center NASA Space Physics Analysis Network (SPAN CERT) Naval Computer Incident Response Team (NAVCIRT) National Institute of Standards and Technology Computer Security Resource and Response Center (CSRC) SPAN-France *Timeframe: 1990. Number of DNS advertised hosts: 340K

6 © 2003 Carnegie Mellon University slide 6 Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html The New “Net”

7 © 2003 Carnegie Mellon University slide 7 Attack Sophistication vs. Required Intruder Knowledge

8 © 2003 Carnegie Mellon University slide 8 Growth in Number of Incidents Reported to CERT/CC

9 © 2003 Carnegie Mellon University slide 9 Growth in Number of Vulnerabilities Reported to CERT/CC

10 © 2003 Carnegie Mellon University slide 10 Impact on CSIRTs Today’s dynamic environment means less time for CSIRTs to react. Therefore, teams require a method for quick notification established and understood policies and procedures automation of incident handling tasks methods to collaborate and share information with others easy and efficient way to sort through all incoming information

11 © 2003 Carnegie Mellon University slide 11 Current Situation Many organizations do not have a formalized incident response capability. There is a shortage of effective CSIRTs and trained staff to respond to current and emerging computer security threats. A growing number of organizations are being mandated or required by laws/regulations to have an incident response plan in place proactively seeking to implement a CSIRT as a part of their information security program.

12 © 2003 Carnegie Mellon University slide 12 Number of Known Teams* *Timeframe: 2002. Number of DNS advertised hosts: 171.6 billion. Note: These are teams we know about, there are many more teams that exist.

13 © 2003 Carnegie Mellon University slide 13 Growth in CSIRTs by Region

14 © 2003 Carnegie Mellon University slide 14 Geographic Dispersion

15 © 2003 Carnegie Mellon University slide 15 Where Do You Start?

16 © 2003 Carnegie Mellon University slide 16 Stages of CSIRT Development Stage 1Educating the organization Stage 2Planning effort Stage 3Initial implementation Stage 4Operational phase Stage 5Peer collaboration Stage 2 Planning Stage 4 Operation Stage 3 Implementation Stage 5 Collaboration Stage 1 Education Expert Novice

17 © 2003 Carnegie Mellon University slide 17 CSIRT Related Projects A sample of current CSIRT projects include State of the Practice of CSIRTs IETF Incident Handling Working Group (INCH WG) and Intrusion Detection Working Group (IDWG) Automated Incident Reporting (AirCERT) Incident Detection, Analysis, and Response (IDAR) Project Clearing House for Incident Handling Tools (CHIHT) Common Advisory Interchange Format (CAIF) Best Practices Documents (RFC 3227, 2350)

18 © 2003 Carnegie Mellon University slide 18 Current CSIRT Discussion Topics Legal issues and impacts Automation and standardization of CSIRT tools Data sharing and collaboration Certification for incident handlers and teams Regionalization efforts

19 © 2003 Carnegie Mellon University slide 19 AirCERT Components include: sensor(s) and site database(s) at a participating organization - a set of defined attack signatures - a central database at the CERT/CC - a mechanism for the transmission of data between sensors and the site database between the site and central databases communication protocols - sensor-to-site database - site database-to-central database

20 © 2003 Carnegie Mellon University slide 20 Benefits of AirCERT For participants: collect information on activity within their organizations receive aggregated feedback from the CERT/CC use defined methods of collecting and sharing incident information* For the Internet community: receive and collate data in near real-time provide timely information about attacks faster release of new attack signatures provide structured and statistically significant data *IETF, Intrusion Detection Message Exchange Requirements

21 © 2003 Carnegie Mellon University slide 21 For More Information CSIRT Development Team CERT ® Training and Education Center CERT® Centers Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 USA +1 (412) 268-7090 http://www.cert.org/training http://www.cert.org/csirts/

Download ppt "© 2003 Carnegie Mellon University slide 1 Building CSIRT Capabilities and the State of the Practice Georgia Killcrece CSIRT Development Team CERT ® Training."

Similar presentations

Clara CSIRTs in Latin America and the Caribbean CCIRN 2004 Cairns, Australia July 2004 Michael Stanton CLARA Technical Committee RNP- Brazil (material.

Clara CSIRTs in Latin America and the Caribbean CCIRN 2004 Cairns, Australia July 2004 Michael Stanton CLARA Technical Committee RNP- Brazil (material.
The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.
Computer Emergency Response Teams

Computer Emergency Response Teams
Evolution of CSIRTs: how to engage Critical Infrastructures and cooperate beyond borders Giza, 19th December 2011.

Evolution of CSIRTs: how to engage Critical Infrastructures and cooperate beyond borders Giza, 19th December 2011.
Tanzania Communications Regulatory Authority - TCRA Response to Cyber incidences in Tanzania: Where are we? Presented at Cyber Security Mini Conference.

Tanzania Communications Regulatory Authority - TCRA Response to Cyber incidences in Tanzania: Where are we? Presented at Cyber Security Mini Conference.
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
Joint efforts in incident response in AP region and future work with RIR Suguru Yamaguchi JPCERT/CC.

Joint efforts in incident response in AP region and future work with RIR Suguru Yamaguchi JPCERT/CC.
Building Capabilities for Incident Handling and Response

Building Capabilities for Incident Handling and Response
S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.

S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.
CERT Centers, Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 SEI is sponsored by the U.S. Department of Defense ©

CERT Centers, Software Engineering Institute Carnegie Mellon University Pittsburgh, PA SEI is sponsored by the U.S. Department of Defense ©
© 2007-2011 Carnegie Mellon University The CERT Insider Threat Center.

© Carnegie Mellon University The CERT Insider Threat Center.
TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.

TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.
1  Carnegie Mellon University System Security and U. Rich Pethia Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213.

1  Carnegie Mellon University System Security and U. Rich Pethia Software Engineering Institute Carnegie Mellon University Pittsburgh, PA
CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,

CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,
S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,

S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,
The Six Centripetal Forces for Successful Global Software Telecommunication Infrastructure Collaborative Technology.

The Six Centripetal Forces for Successful Global Software Telecommunication Infrastructure Collaborative Technology.
1 Case Study ESTABLISHING NATIONAL CERT By Saleem Al-Balooshi Etisalat - AE.

1 Case Study ESTABLISHING NATIONAL CERT By Saleem Al-Balooshi Etisalat - AE.
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by the U.S. Department of Defense © 2000 by Carnegie Mellon.

Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by the U.S. Department of Defense © 2000 by Carnegie Mellon.
(Geneva, Switzerland, September 2014)

(Geneva, Switzerland, September 2014)
seminar on Intrusion detection system

seminar on Intrusion detection system

Similar presentations

Ads by Google