Published by Rachel Berniece Jacobs. Modified over 9 years ago.
1
Incident Response
CSG September 2004
Harvard University
2
What is it?
– Response to pre-defined (or not) technology events by applying pre-defined (or not) policies and procedures.
– All campuses have incident response functions, formal or informal.
3
IT Events
– Abuse
– Misuse
– Security
– Service complaints
4
Organization issues
– Leader
– Authority
– Charter
– Scope
– Incident categories
– Rules of engagement per category
– Action Team – dedicated or distributed
– Support team – PR, legal, etc.
– Procedures
5
Iterative Response
– Proactive – defining the response capability
– Proactive – detection
– Proactive – prevention
– Reactive – receipt/triage
– Reactive – incident tracking
– Reactive – incident resolution
– Reactive – post mortem
6
[Organization chart: Office of the Vice President for Information Technology and Chief Information Officer, Indiana University, 09/01/2004. Box labels:]
– Adam Herbert, President
– Campus Chancellor
– Michael McRobbie, VP/CIO, VPR
– Chief IT Security and Policy Officer
– Chief of Staff/Communications and Planning Officer
– Finance Officer
– Human Resources Officer
– AVP for Telecommunications
– AVP for University Information Systems
– AVP for Research and Academic Computing
– AVP for Teaching and Learning Info Technologies
– University Information Technology Services
– Regional Campus CIOs
7
[Organization chart: Information Technology Policy Office, Office of the Vice President for Information Technology and Chief Information Officer, Indiana University, 09/01/2004. Box labels:]
– Michael McRobbie, VP/CIO, VPR
– Mark Bruhn, Chief IT Security and Policy Officer
– Linda McNabb, Admin Asst
– Tom Davis, IT Security Officer
– Merri Beth Lavagnino, Deputy IT Policy Officer
– Laura Klein, Manager, IT Accounts Admin
– Stacie Wiegand, Data Administrator
– Marge Abels, Disaster Recovery Program Manager
– Doug Pearson, Dir, REN-ISAC
– Units and functions: Incident Response; IT Security Office; Cross-Unit Recovery Planning Team; Information Protection; CID/CDS Support; REN-ISAC Support; CACR Support
– Staff: Christine Conklin (B), Tammy Grubb (B), Rose Ann Hasty (B), Barbara Hanes (I), Chasadee Castillo-Soto (I), Tom Jagatic (B), Jason Abels (I), Robb Whitt (B), Andrew Korty (I), Sean Krulewitch (B), *Marge Abels (B), Dave Monnier (B), Dave Greenberg (I), Vacant (B)
8
ITSO
– Highly capable in various technologies
– Detection (netflow, etc.)
– Create auto-processes that distribute vulnerable or likely compromised host lists, daily ITPO
– Strategic prevention (firewall, border filters, etc.)
– Consults with computing dept or departmental technicians on security and security issues and options
– Works with the computing department on infrastructure security (security CDs, device registration, etc.)
9
ITPO
– Less technical – more coordinative (is that a word?)
– Handles all manner of IT abuse, misuse, and security incidents
– Develops and administers IT policies, including security policy (of course, w/Security Officer)
– Interprets and defends policy for individuals and departments
– Assesses recommended security controls or actions against user/functional issues (e.g., privacy)
– Works in web-based incident response application and database (RT -- Request Tracker)
– Works to locate specific misbehaving devices
– Administers tactical filters (DHCP lease blocks, disabling data jacks and usernames, etc.)
– Interacts with department technicians and individual users about issues with specific devices
– Reviews and works through lists from ITSO
– Coordinates large responses with computing dept units and department technicians
– Works to identify specific misbehaving individuals, based on complaints/allegations
– Passes technical evidence to appropriate campus offices for action
10
So…
…the IU philosophy is to dedicate security engineers to complex and difficult technical problems, and have them pass information along to, and interact with, the incident response staff
Unless some new vulnerability/exploit is evident
– IU security engineers never work on p2p file sharing issues
– IU security engineers do not have to work on student behavior issues
– IU security engineers do not worry about spam and spam filtering
– IU security engineers do not have to interact with specific students or staff about problems on their specific computers
– Etc.