Open Source Incident Management Tool for CSIRTs

An Agency Under MOSTI
Open Source Incident Management Tool for CSIRTs
Adli Wahid, Head, Malaysia CERT (MyCERT), CyberSecurity Malaysia
Copyright 2008 CyberSecurity Malaysia

Agenda
- About MyCERT
- Where do incidents come from?
- Open Source Incident Handling Tool
- Conclusion

About MyCERT
- 1997
- CyberSecurity Malaysia
- Malaysian Internet users
- 15 staff

MyCERT's Services
- Cyber999
- Cyber Early Warning
- Research
- National CERT & Global Emergency Co-ordination

Possible Services of a CSIRT
- Reactive services: incident handling activities
- Proactive services: activities
- Security quality management services

Where do incidents come from?
- External parties -> CSIRT
- Internal parties -> CSIRT

Example of Incidents
- Defacement
- Host being used to send spam
- Host connected to a bot command & control
- Scanning activities from your network
- Etc.
- Internal incidents

SOPs (Standard Operating Procedures)
- Different for different incidents
- Show workflows and response times (SLAs)

Overview of MyCERT Incident Handling Process
1. Complainant lodges a security incident report to MyCERT via phone, fax, SMS or email: cyber999@cybersecurity.org.my or mycert@mycert.org.my
2. Analyze the report and verify that sufficient information is available to proceed.
3. Ensure compliance with the service level:
   - Destructive or criminal* incidents: 24-48 hours
   - Spam/harassment: next working day
4. 1st level: provide information and guide the complainant in the next course of action; follow up with the complainant until the case is closed. Does 1st level resolve the issue? If yes, close.
5. 2nd level (if not resolved at 1st level): analyze artifacts, logs, intelligence gathering, etc.; provide a solution/advice/recommendation based on the analysis conducted. Does 2nd level resolve the issue? If yes, close.
6. If still unresolved, cooperate with external parties (ISP, vendor, law enforcement):
   - Assist the complainant in lodging official reports with the respective law enforcement agency
   - Assist law enforcement & ISPs in gathering and preserving evidence
   - Escalate to the vendor should assistance be needed in getting the solution, or if the case is vendor-related
7. Close: give feedback to the complainant and close the case.
* Destructive/criminal incidents include: intrusion, denial of service, ...

Artefacts Handling
- Logs
- Binaries
- Screenshots
- Etc.

The tool that you need: an Incident Management Tool

Requirements
- Unique ticketing and tracking
- Escalation to more than one user
- Artifacts handling
- Secure communication
- Database of contacts
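The process overview, the artefacts handling slide and the requirements list above describe the same workflow: every report gets a unique ticket, the SLA clock depends on the incident category, the case escalates from 1st level to 2nd level to external parties, and evidence must be preserved. The following toy ticket model is an added example written for this page; it is not MyCERT's code and not OTRS, RTIR or AIRT. All class, field and function names are assumptions, the 48-hour figure is the upper bound of the slide's 24-48 hour window, and the working-day rule (Monday to Friday, 17:00 cut-off) and the sample defacement report are constructed for the demo.

```python
"""Toy incident ticket model for the MyCERT-style workflow described on the
slides: unique ticket IDs, per-category SLA deadlines, staged escalation and
artifact registration with integrity hashes.  Added example, not MyCERT or
OTRS/RTIR/AIRT code; all names below are assumptions."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from itertools import count


class Category(Enum):
    DESTRUCTIVE = "destructive/criminal"   # intrusion, denial of service, ...
    SPAM = "spam/harassment"


# Escalation stages in the order the workflow visits them.
LEVELS = ["1st level", "2nd level", "external parties", "closed"]

_ticket_counter = count(1)   # source of unique ticket numbers (in-memory only)


def sla_deadline(category: Category, reported: datetime) -> datetime:
    """Destructive/criminal: 48 h after the report (upper bound of the 24-48 h
    window).  Spam/harassment: end of the next working day (assumed Mon-Fri,
    17:00 cut-off)."""
    if category is Category.DESTRUCTIVE:
        return reported + timedelta(hours=48)
    nxt = reported + timedelta(days=1)
    while nxt.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        nxt += timedelta(days=1)
    return nxt.replace(hour=17, minute=0, second=0, microsecond=0)


@dataclass
class Artifact:
    name: str
    sha256: str


@dataclass
class Ticket:
    category: Category
    reported: datetime
    channel: str                        # phone, fax, sms, email, web, ids
    ticket_id: str = field(
        default_factory=lambda: f"MyCERT-{next(_ticket_counter):06d}")
    level: int = 0                      # index into LEVELS
    artifacts: list[Artifact] = field(default_factory=list)
    history: list[str] = field(default_factory=list)

    @property
    def deadline(self) -> datetime:
        return sla_deadline(self.category, self.reported)

    def is_overdue(self, now: datetime) -> bool:
        """An open ticket past its SLA deadline; closed tickets never are."""
        return self.level < len(LEVELS) - 1 and now > self.deadline

    def add_artifact(self, name: str, data: bytes) -> Artifact:
        """Hash evidence (log, binary, screenshot) at intake so that later
        modification of the stored copy can be detected."""
        art = Artifact(name, hashlib.sha256(data).hexdigest())
        self.artifacts.append(art)
        self.history.append(f"artifact {name} sha256={art.sha256[:12]}...")
        return art

    def escalate(self, reason: str) -> str:
        """Hand the case to the next stage; external parties is the last one."""
        if self.level >= len(LEVELS) - 2:
            raise ValueError("cannot escalate beyond external parties")
        self.level += 1
        self.history.append(f"escalated to {LEVELS[self.level]}: {reason}")
        return LEVELS[self.level]

    def close(self, feedback: str) -> None:
        """Final step of the workflow: feedback to the complainant, then close."""
        self.level = len(LEVELS) - 1
        self.history.append(f"closed: {feedback}")


def demo() -> Ticket:
    # Constructed sample: a defacement reported by email on Friday 2008-06-13 16:00.
    t = Ticket(Category.DESTRUCTIVE, datetime(2008, 6, 13, 16, 0), "email")
    t.add_artifact("index.html", b"<html>defaced</html>")   # constructed artifact
    t.escalate("1st level could not resolve; needs log analysis")
    t.escalate("2nd level needs ISP cooperation")
    t.close("defaced page restored; hosting ISP notified")
    return t


if __name__ == "__main__":
    ticket = demo()
    print(ticket.ticket_id, "deadline:", ticket.deadline)
    print("\n".join(ticket.history))
```

The point of the two rules in `sla_deadline` is that "next working day" is not a fixed offset: a spam report lodged on a Friday afternoon is due on Monday, while a destructive incident lodged at the same time is due on Sunday regardless of the weekend, which is exactly the distinction the SOP slide makes between incident types.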

Open Source Options
- OTRS
- RTIR
- AIRT

Incident Reporting Channels (all feeding into OTRS)
- Email
- Phone
- Fax
- SMS
- Web
- IDS
- Etc.

OTRS Modules
- Incident tracking module
- Authoring tools for advisories
- Vulnerabilities database
- Artifact database
- Contacts database
- Ticket module
- WebWatcher
- Call module
- IDMEFConsole

Screenshots: OTRS in Action

Conclusion
- People, process and technology make up a CSIRT
- You need tools to support incident handling activities
- Choosing the right tool for your work is important

Thank You!
adli@cybersecurity.org.my