Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chronic Workload Problems in Computer Security Incident Response Teams Johannes Wiik, Jose J. Gonzalez University of Agder, Norway Pål I. Davidsen University.

Published byJodie Jordan Modified over 8 years ago

Similar presentations

Presentation on theme: "Chronic Workload Problems in Computer Security Incident Response Teams Johannes Wiik, Jose J. Gonzalez University of Agder, Norway Pål I. Davidsen University."— Presentation transcript:

1 Chronic Workload Problems in Computer Security Incident Response Teams Johannes Wiik, Jose J. Gonzalez University of Agder, Norway Pål I. Davidsen University of Bergen, Norway Klaus-Peter Kossakowski SEI Europe, Carnegie Mellon University, Germany

2 Computer security incidents Low-priority incidents Such as port scans, spam, fake email, and other nuisances Nevertheless, a significant challenge owing to their large volume Dynamics: quite accurately described as exponentially growing Essential point: Cannot be matched by staff increase and CSIRT- funding High-priority incidents Such as attacks on net infrastructure, serious new worms, viruses, botnets, sniffers, account compromisers, etc Low volume, but very serious Dynamics: basically oscillatory

3 CSIRTs Computer Security Incidence Response Teams (CSIRTs/CERTs) provide one or more services: incident analysis incident response on site, support & coordination nowadays increasing emphasis on proactive services Chronic situation for CSIRTs since their inception in 1988 CSIRTs are underfunded, understaffed CSIRT staff is overworked Worsening situation for CSIRTs in recent years Increasing volume of (mainly low-priority) incidents, automation and speed of new attack tools give CSIRT staff less and less time to react Instabilities in high-priority security incident reports from the constituency (internal sites) and affected external sites

4 High priority incidents Instabilities in incident reports  instabilities in workload  inefficient use of resources Problems to retain the CSIRT constituency (  funding problems) See posters # 1193 and 1212 1993 20002005 2015 Preferred? Expected? Feared?

5 Low-priority incidents Work LoadHuman Resources Overwhelming increase in the rate of low-priority incidents The workload increases accordingly Human resources cannot keep pace

6 Modeling process Close collaboration with one of the oldest and largest “coordinating” CSIRTs Initial research questions What factors limit the effectiveness of the incident response service in the CSIRT What policies can improve the effectiveness of the incident response service in the CSIRT? What constitutes effective incident response in the CSIRT? The management and staff of the CSIRT participated in 5 face-to-face working sessions of 1 – 4 days over a 1 ½ year period: Eliciting of mental, written and numerical information, incl. reference behavior modes Review of model structure Model verification, validation & policy testing

7 Reference behavior modes Idealized reference behavior derived from time series data and from interviews with CSIRT management and staff

8 Policy structure diagram

9 Base run

10 Policy analysis scenarios Fixed resource split: The CSIRT separates the workforce into two fixed workgroups instead of using it as a shared resource between tool development and incident response Only automation: The CSIRT only offers automatic response Maintain manual handling: The CSIRT refuses to change the service scope and only provides manual handling

11 Policy runs

12 Thank you!

Download ppt "Chronic Workload Problems in Computer Security Incident Response Teams Johannes Wiik, Jose J. Gonzalez University of Agder, Norway Pål I. Davidsen University."

Similar presentations

Computer Emergency Response Teams

Computer Emergency Response Teams
Information Technology Awareness Wayne Donald IT Security Officer.

Information Technology Awareness Wayne Donald IT Security Officer.
IMPROVING THE INTERNATIONAL COMPARABILITY OF STATISTICS PRODUCED BY CSIRTs Developing Cybersecurity Risk Indicators panel 26 th Annual FIRST Conference.

IMPROVING THE INTERNATIONAL COMPARABILITY OF STATISTICS PRODUCED BY CSIRTs Developing Cybersecurity Risk Indicators panel 26 th Annual FIRST Conference.
 Minimum System Requirements  Updates to Proctor Caching  Updates to Configure TestNav  Setting Up Your Infrastructure  System Check Utility  Resources.

 Minimum System Requirements  Updates to Proctor Caching  Updates to Configure TestNav  Setting Up Your Infrastructure  System Check Utility  Resources.
Solidcore Harness the Power of Change John Sebes CTO Solidcore Systems, Inc. Case Study:

Solidcore Harness the Power of Change John Sebes CTO Solidcore Systems, Inc. Case Study:
© 2003 Carnegie Mellon University slide 1 Building CSIRT Capabilities and the State of the Practice Georgia Killcrece CSIRT Development Team CERT ® Training.

© 2003 Carnegie Mellon University slide 1 Building CSIRT Capabilities and the State of the Practice Georgia Killcrece CSIRT Development Team CERT ® Training.
Building Capabilities for Incident Handling and Response

Building Capabilities for Incident Handling and Response
RADAR EVALUATION Goals, Targets, Review & Discussion Jaime Carbonell & soon Full SRI/CMU/IET RADAR Team 1-February-2005 School of Computer Science Supported.

RADAR EVALUATION Goals, Targets, Review & Discussion Jaime Carbonell & soon Full SRI/CMU/IET RADAR Team 1-February-2005 School of Computer Science Supported.
Presentation for China Migrant Labour Occupational Health and Safety Project – June 2009 Healthy Workplaces A Comprehensive Approach to Wellness and Productivity.

Presentation for China Migrant Labour Occupational Health and Safety Project – June 2009 Healthy Workplaces A Comprehensive Approach to Wellness and Productivity.
Future Work Needed Kenneth Wade Najim Yaqubie. Outline 1.Model is simple 2.Too many assumptions 3.Conflicting internal architectures 4.Security Challenges.

Future Work Needed Kenneth Wade Najim Yaqubie. Outline 1.Model is simple 2.Too many assumptions 3.Conflicting internal architectures 4.Security Challenges.
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.

Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS 4600 - © Abdou Illia.

January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS © Abdou Illia.
JPCERT/CC May. 2003. Fixed-Point Auto Data Collecting System Getting more accurate Scan and Prove data to provide more accurate network traffic analysis.

JPCERT/CC May Fixed-Point Auto Data Collecting System Getting more accurate Scan and Prove data to provide more accurate network traffic analysis.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
“When out of ammo, Reload” CYBERSECURITY CHALLENGES AND THREATS Ahmed Husain Managing Director.

“When out of ammo, Reload” CYBERSECURITY CHALLENGES AND THREATS Ahmed Husain Managing Director.
Manage Engine: Q Engine. What is it?  Tool developed by Manage Engine that allows one to test web applications using a variety of different tests to.

Manage Engine: Q Engine. What is it?  Tool developed by Manage Engine that allows one to test web applications using a variety of different tests to.
PREPAREDNESS AND RESPONSE TO CYBER THREATS REQUIRE A CSIRT By Jaco Robertson, Marthie Lessing and Simon Nare*

PREPAREDNESS AND RESPONSE TO CYBER THREATS REQUIRE A CSIRT By Jaco Robertson, Marthie Lessing and Simon Nare*
1 Phases in Software Development Lecture 04. 2 Software Development Lifecycle Let us review the main steps –Problem Definition –Feasibility Study –Analysis.

1 Phases in Software Development Lecture Software Development Lifecycle Let us review the main steps –Problem Definition –Feasibility Study –Analysis.
SYSTEM DYNAMICS MODELING OF AGILE CONTINUOUS DELIVERY PROCESS 資工 4A 鄭鈞輿.

SYSTEM DYNAMICS MODELING OF AGILE CONTINUOUS DELIVERY PROCESS 資工 4A 鄭鈞輿.

Similar presentations

Ads by Google