Building CSIRT Capabilities




Building CSIRT Capabilities
CERT CSIRT Development Team
CERT Training and Education Center
CERT Program, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
© 2005 by Carnegie Mellon University

Who We Are: The CERT CSIRT Development Team (CDT)
http://www.cert.org/csirts/

The CERT CSIRT Development Team is part of the CERT Education and Training area of the CERT Program within the Software Engineering Institute.

Our Vision and Mission

Vision: Sufficient CSIRTs exist to meet the demand to protect the resources of the organizations they support.

Mission:
- Foster the growth of global incident management capabilities
- Assist commercial, governmental, educational, national and international organizations in establishing effective CSIRTs
- Help existing CSIRTs improve their services and operations through training, mentoring, and collaboration

What Do We Do? -1

As part of the SEI, the CERT CSIRT Development Team
- researches the current incident management environment, looking to synthesize existing information and best practices into guides, standards, and methodologies for performing incident handling processes and functions
- works with teams to develop strategies to
  - plan and implement CSIRTs
  - develop best practices for operating CSIRTs
  - adopt CSIRT policies and standard operating procedures
  - develop incident management publications, guides, templates, and checklists
- engages with customers to
  - assist in planning and designing incident management capabilities
  - assist in developing an implementation plan
  - evaluate and assess incident management capabilities

What Do We Do? -2

We also
- develop and teach courses related to CSIRTs
- license courses to organizations and train their trainers to deliver the materials
- provide a CERT-Certified Computer Security Incident Handler certification

CSIRT Related Courses

Courses we provide:
- Creating a CSIRT
- Managing CSIRTs
- Fundamentals of Incident Handling for Technical Staff
- Advanced Incident Handling for Technical Staff

CERT-Certified Computer Security Incident Handler

Requirements for earning certification:
- A three-course sequence from the SEI or its licensees (transition partners):
  - Information Security for Technical Staff (5 days) or Advanced Information Security for Technical Staff (5 days)
  - Fundamentals of Incident Handling (5 days)
  - Advanced Incident Handling (5 days)
- Three years of experience in the incident handling area (management and/or technical)
- Submission of an application for certification and successful completion of the review process
- Letter of recommendation from a current or previous manager
- Successful completion of an evaluation administered by the Software Engineering Institute

Products and Publications

The CERT CSIRT Development Team has created products based on the collective CERT/CC experiences in incident and vulnerability handling as well as artifact analysis. These products enable us to
- help organizations identify effective processes for incident management
- provide guidance to organizations for developing global CSIRT capabilities
- develop, promote, and expand best practices for CSIRTs
- identify transition partners for licensing CSIRT courses to broaden our global reach

Publications Include
- Handbook for CSIRTs: http://www.cert.org/archive/pdf/csirt-handbook.pdf
- Steps for Creating National CSIRTs: http://www.cert.org/archive/pdf/nationalcsirts.pdf
- CSIRT Services List: http://www.cert.org/csirts/services.html
- State of the Practice of Computer Security Incident Response Teams (CSIRTs): http://www.cert.org/archive/pdf/03tr001.pdf
- Organizational Models for Computer Security Incident Response Teams: http://www.cert.org/archive/pdf/03hb001.pdf
- Staffing Your Computer Security Incident Response Team: What Basic Skills Are Needed? http://www.cert.org/csirts/csirt-staffing.html

Defining Incident Management Processes for CSIRTs: A Work in Progress
http://www.sei.cmu.edu/publications/documents/04.reports/04tr015.html

Since the release of this report we have evolved our thinking on incident management and its definition. A computer security incident management capability is the ability to provide end-to-end management of computer security events and incidents. For computer security incident response to occur in an effective and successful way, all the tasks and processes being performed must be viewed from an enterprise perspective. This means identifying how tasks and processes relate, how information is exchanged, and how actions are coordinated, no matter who is performing the work.

Looking only at the response part of the process misses key actions that, if not done in a timely, consistent, and quality-driven manner, will impact the overall response, possibly delaying actions because of confusion over roles and responsibilities, ownership of data and systems, and authority. Response can also be delayed or ineffective because of communications problems (not knowing whom to contact) and even because of poor-quality information about the event or incident. Any impact on the timeliness and quality of the response can cause further damage to critical assets and data during an incident. This bigger picture of activity is what is meant by incident management. Identifying and defining these interfaces, and the roles and responsibilities of the various participants across the enterprise, is a key part of setting up any incident management capability.

We define incident handling as one service that involves all the processes or tasks associated with handling events and incidents. Incident handling includes multiple functions: detecting, reporting, triage, analysis, and incident response. Incident response, as noted in the list above, is one process, the last step, involved in incident handling. It is the process that encompasses the planning, coordination, and execution of any appropriate mitigation and recovery strategies and actions.

Incident Management Process Model

The CSIRT Development Team in the CERT Program has defined a best practice set of processes for incident management. To do this we
- determined the processes
- outlined the processes via workflow diagrams
- provided details and requirements for each process

This model is presented and described in SEI Technical Report CMU/SEI-2004-TR-015, Defining Incident Management Processes: A Work in Progress. This report is available at http://www.cert.org/archive/pdf/04tr015.pdf

This model documents a set of processes that outline various incident management functions. From this work a methodology for assessing and benchmarking an organization's incident management processes can be developed. This methodology and the resulting assessment instrument will enable teams to evaluate their incident management performance for the following processes:
- Prepare/Improve/Sustain (Prepare)
- Protect Infrastructure (Protect)
- Detect Events (Detect)
- Triage Events (Triage)
- Respond

Incident Management Process Model Workflow

[Figure: workflow diagram of the Incident Management process model. Incident Handling* (D: Detect Events, T: Triage Events, R: Respond to Incidents) sits inside the wider Incident Management boundary together with PC: Prepare, Sustain, and Improve CSIRT Process and PI: Protect Infrastructure. Recoverable flows: general indicators and event reports (including event reports from PI when a potential incident is identified during evaluation) enter D; events requiring further incident-handling action pass from D to T to R; events or incidents reassigned outside the incident-handling process go to other organizational processes; closed events and incidents are archived together with incident information, response actions and decisions, and closing rationale; when a postmortem review is required, R sends CSIRT process changes, incident information, and response actions and decisions to PC; PC takes CSIRT process needs from any activity inside or outside the CSIRT process and yields either the current or a modified CSIRT capability; PC sends infrastructure protection improvements to PI, which yields either the current or a hardened infrastructure; stakeholders are notified from R and from PC, and lessons learned are archived when required.]

* Incident Handling: Detect Events, Triage Events, and Respond to Incidents

Responding to computer security incidents does not happen in isolation. Actions taken to prevent or mitigate ongoing and potential computer security events and incidents can involve tasks performed by a wide range of participants; this can include network and system administrators, human resources, public affairs, information security officers (ISOs), C-level managers (such as chief information officers [CIOs], chief security officers [CSOs], chief risk officers [CROs], and other similar types of managers) and even constituent representatives.

Who should be involved is a question that organizations often ask as they plan their incident management strategy. They want to know what organizational units should be involved, what types of staff will be needed to perform the functions, and what skills that staff must have. They also want a way to identify which organizational units are already doing this type of work, and to understand the critical interfaces and interactions between different parts of the organization, different security functions, and the incident management process, so that they can build effective capabilities.

Incident management, then, is an abstract, enterprise-wide capability, potentially involving every business unit within the organization. As such, it is a subset of Security Management activities and functions, and therefore often crosses into and includes some general security tasks and practices.

Process Model Swimlane Diagram

[Figure: example of a swimlane diagram. The columns are the Detect, Triage, and Respond processes; the rows are the roles:
- System Users: Notice event; Provide additional information
- Help Desk: Receive Report (possible event report in; event report out, or closed report if no response is needed)
- CSIRT: Triage Event; Analyze Event (closed event if no response is needed; categorized, prioritized, assigned event if a technical response is needed); Coordinate; Plan Technical Response; Execute Technical Response (closed event if the response is complete)
- IT Department: Proactive Detect from general indicators (event report out); Plan Technical Response; Execute Technical Response
- Management: Management Response, if a management or legal response is needed (closed event if the response is complete)
- External Experts and Organizations: Provide advice and guidance]

The process workflow diagrams and descriptions in the Best Practice Incident Management process model are very generic in nature. As an organization customizes the processes to match its own situation, it would begin to add in the roles and responsibilities associated with each process. Using this organization-specific information, the process workflow for an organization will look different from our generic workflows. It will show the workflow or routes of the work and who is responsible for performing the work. This type of diagram is called a swimlane diagram.

Strategies for Building, Improving, or Evaluating Capabilities

Our Incident Management Model and Framework help organizations:
- define their As-Is or current state of incident management processes
- perform a gap analysis of their current state
- develop the To-Be or future state of their incident management processes (this is process improvement)
- define the processes, policies, procedures, and training needed to fill gaps and reach the To-Be state

Perform a traditional process gap analysis by looking for characteristics such as
- missing or poorly defined handoffs
- missing or poorly defined aspects of each process activity
- bottlenecks in the process
- poorly defined activity flows
- single points of failure
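One way to make the gap analysis above repeatable is to write the As-Is swimlane model down as data and check it mechanically. The following is an added example, not code from the CERT CSIRT Development Team or the report: the activities, roles, and handoffs are constructed from the generic swimlane diagram, the condition labels on the handoffs are assumed, and two gaps (a handoff to an activity the model never defines, and a Management Response that never reaches "Closed") are built in deliberately so the checks have something to report.

```python
"""Added example (not from the CERT slides): a swimlane process model as a
graph plus a gap analysis for the characteristics the slides list: missing
handoffs, dead ends, unreachable activities and single points of failure."""
from dataclasses import dataclass, field


@dataclass
class Activity:
    phase: str                  # swimlane column: Detect, Triage or Respond
    roles: list                 # swimlane rows (roles) that perform it
    handoffs: dict = field(default_factory=dict)  # condition -> next activity


# Constructed As-Is model following the generic swimlane diagram. Two gaps are
# built in on purpose: "Analyze Event" hands off to an activity the model never
# defines, and "Management Response" has no handoff to "Closed".
PROCESS = {
    "Notice event": Activity("Detect", ["System Users"], {"possible event report": "Receive Report"}),
    "Proactive Detect": Activity("Detect", ["IT Department"], {"event report": "Triage Event"}),
    "Receive Report": Activity("Detect", ["Help Desk"],
                               {"event report": "Triage Event", "no response needed": "Closed"}),
    "Triage Event": Activity("Triage", ["CSIRT"], {"event report": "Analyze Event"}),
    "Analyze Event": Activity("Triage", ["CSIRT"],
                              {"technical response needed": "Plan Technical Response",
                               "management or legal response needed": "Management Response",
                               "external advice needed": "Provide advice and guidance",
                               "no response needed": "Closed"}),
    "Plan Technical Response": Activity("Respond", ["CSIRT", "IT Department"],
                                        {"plan ready": "Execute Technical Response"}),
    "Execute Technical Response": Activity("Respond", ["CSIRT", "IT Department"],
                                           {"response complete": "Closed"}),
    "Management Response": Activity("Respond", ["Management"]),   # constructed gap
    "Closed": Activity("Respond", []),                             # terminal state
}
ENTRY_POINTS = {"Notice event", "Proactive Detect"}
TERMINAL = {"Closed"}


def gap_analysis(process, entry_points, terminal):
    # Returns {finding category: sorted list of activities} for the As-Is model.
    findings = {"missing_handoff": [], "dead_end": [], "single_point_of_failure": []}
    for name, act in process.items():
        for cond, target in act.handoffs.items():
            if target not in process:          # handoff into nothing defined
                findings["missing_handoff"].append(f"{name} -> {target} ({cond})")
        if not act.handoffs and name not in terminal:   # work gets stuck here
            findings["dead_end"].append(name)
        if len(act.roles) == 1:                # only one lane can do the work
            findings["single_point_of_failure"].append(name)
    seen, stack = set(), list(entry_points)    # reachability from the entry points
    while stack:
        name = stack.pop()
        if name in process and name not in seen:
            seen.add(name)
            stack.extend(process[name].handoffs.values())
    findings["unreachable"] = list(set(process) - seen)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for category, items in gap_analysis(PROCESS, ENTRY_POINTS, TERMINAL).items():
        print(f"{category}: {items or 'none'}")
```

The single-point-of-failure list is a prompt for the reviewer rather than a verdict: an activity performed by one role is only a real gap when no backup role or documented handoff covers it.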

Current Projects
- Working with U.S. Federal Agencies to create a set of incident management metrics for process improvement based on DoD CNDS metrics
- Working with the California State University (CSU) system to create a CSIRT Framework for their 23 campuses
- Working with others on developing incident management process improvement plans (just finished a gap analysis)
- Course Redesign: Fundamentals and Advanced Incident Handling courses over the next six months
- Updating the CSIRT services list and corresponding documents (e.g., the Organizational Models document)
- Delivering approximately 20+ classes over the next 18 months

For More Information

CERT CSIRT Development Team
CERT Centers, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213 USA
+1 412 268 7090
csirt-info@cert.org
http://www.cert.org/training/
http://www.cert.org/csirts/