Transcript Incident Response - Stone Soup Fresno
Incident Response
CSG September 2004 Harvard University
What is it?
• Response to pre-defined (or not) technology events by applying pre-defined (or not) policies and procedures.
• All campuses have incident response functions, formal or informal.
IT Events
• Abuse
• Misuse
• Security
• Service complaints
Organization issues
• Leader
• Authority
• Charter
• Scope
• Incident categories
• Rules of engagement per category
• Action Team – dedicated or distributed
• Support team – PR, legal, etc.
• Procedures
Iterative Response
• Proactive – defining the response capability
• Proactive – detection
• Proactive – prevention
• Reactive – receipt/triage
• Reactive – incident tracking
• Reactive – incident resolution
• Reactive – post mortem
Office of the Vice President for Information Technology and Chief Information Officer, Indiana University, 09/01/2004 (organization chart)
• Adam Herbert – President
• Michael McRobbie – VP/CIO, VPR
• Other positions on the chart: Human Resources Officer; Finance Officer; Chief of Staff/Communications and Planning Officer; Chief IT Security and Policy Officer; Campus Chancellor; AVP for Teaching and Learning Info Technologies; AVP for Research and Academic Computing; AVP for University Information Systems; AVP for Telecommunications; University Information Technology Services; Regional Campus CIOs
Information Technology Policy Office (organization chart), Office of the Vice President for Information Technology and Chief Information Officer, Indiana University, 09/01/2004
• Doug Pearson – Dir, REN-ISAC
• Michael McRobbie – VP/CIO, VPR
• Mark Bruhn – Chief IT Security and Policy Officer
• Linda McNabb – Admin Asst
• Marge Abels – Disaster Recovery Program Manager
• Stacie Wiegand – Data Administrator
• Functions shown: Cross-Unit Recovery Planning Team; Information Protection; CID/CDS Support; REN-ISAC Support; CACR Support
• Merri Beth Lavagnino – Deputy IT Policy Officer
• Laura Klein – Manager, IT Accounts Admin
• Incident Response: Christine Conklin (B), Tammy Grubb (B), Tom Jagatic (B), Jason Abels (I), Rose Ann Hasty (B), Robb Whitt (B), Barbara Hanes (I), Chasadee Castillo-Soto (I)
• Tom Davis – IT Security Officer
• IT Security Office: Andrew Korty (I), Sean Krulewitch (B), *Marge Abels (B), Dave Monnier (B), Dave Greenberg (I), Vacant (B)
ITSO
• Highly capable in various technologies
• Detection (netflow, etc.)
• Create auto-processes that distribute vulnerable or likely compromised host lists, daily options registration, etc.
• Strategic prevention (firewall, border filters, etc.)
• Consults with computing dept or departmental technicians on security and security issues and
• Works with the computing department on infrastructure security (security CDs, device
ITPO
• Less technical – more coordinative (is that a word?)
• Handles all manner of IT abuse, misuse, and security incidents
• Develops and administers IT policies, including security policy (of course, w/Security Officer)
• Interprets and defends policy for individuals and departments
• Assesses recommended security controls or actions against user/functional issues (e.g., privacy)
• Works in web-based incident response application and database (RT - Request Tracker)
• Works to locate specific misbehaving devices
• Administers tactical filters (dhcp lease blocks, disabling data jacks and usernames, etc.)
• Interacts with department technicians and individual users about issues with specific devices
• Reviews and works through lists from ITSO
• Coordinates large responses with computing dept units and department technicians
• Works to identify specific misbehaving individuals, based on complaints/allegations
• Passes technical evidence to appropriate campus offices for action
So…
• …the IU philosophy is to dedicate security engineers to complex and difficult technical problems, and have them pass information along to, and interact with, the incident response staff
• Unless some new vulnerability/exploit is evident:
  – IU security engineers never work on p2p file sharing issues
  – IU security engineers do not have to work on student behavior issues
  – IU security engineers do not worry about spam and spam filtering
  – IU security engineers do not have to interact with specific students or staff about problems on their specific computers
  – Etc.