Incident Response - Stone Soup Fresno


Incident Response

CSG September 2004 Harvard University

What is it?

• Response to pre-defined (or not) technology events by applying pre-defined (or not) policies and procedures.

• All campuses have incident response functions, formal or informal.

IT Events

• Abuse
• Misuse
• Security
• Service complaints

Organization issues

• Leader
• Authority
• Charter
• Scope
• Incident categories
• Rules of engagement per category
• Action Team – dedicated or distributed
• Support team – PR, legal, etc.
• Procedures

Iterative Response

• Proactive – defining the response capability
• Proactive – detection
• Proactive – prevention
• Reactive – receipt/triage
• Reactive – incident tracking
• Reactive – incident resolution
• Reactive – post mortem

Office of the Vice President for Information Technology and Chief Information Officer Indiana University 09/01/2004

Adam Herbert

President

Michael McRobbie

VP/CIO, VPR

Positions and units shown on the chart:

• Human Resources Officer
• Finance Officer
• Chief of Staff/Communications and Planning Officer
• Chief IT Security and Policy Officer
• Campus Chancellor
• AVP for Teaching and Learning Info Technologies
• AVP for Research and Academic Computing
• AVP for University Information Systems
• AVP for Telecommunications
• University Information Technology Services
• Regional Campus CIOs

Information Technology Policy Office

Doug Pearson

Dir, REN-ISAC

Michael McRobbie

VP/CIO, VPR

Mark Bruhn

Chief IT Security and Policy Officer

Linda McNabb

Admin Asst

Marge Abels

Disaster Recovery Program Manager

Stacie Wiegand

Data Administrator

Units and functions also shown on the chart:

• Cross-Unit Recovery Planning Team
• Information Protection
• CID/CDS Support
• REN-ISAC Support
• CACR Support

Merri Beth Lavagnino

Deputy IT Policy Officer

Laura Klein

Manager, IT Accounts Admin

Incident Response

• Christine Conklin (B)
• Tammy Grubb (B)
• Tom Jagatic (B)
• Jason Abels (I)
• Rose Ann Hasty (B)
• Robb Whitt (B)
• Barbara Hanes (I)
• Chasadee Castillo-Soto (I)

Tom Davis

IT Security Officer

IT Security Office:

• Andrew Korty (I)
• Sean Krulewitch (B)
• *Marge Abels (B)
• Dave Monnier (B)
• Dave Greenberg (I)
• Vacant (B)

ITSO

• Highly capable in various technologies
• Detection (netflow, etc.)
• Create auto-processes that distribute vulnerable or likely compromised host lists, daily options registration, etc.
• Strategic prevention (firewall, border filters, etc.)
• Consults with computing dept or departmental technicians on security and security issues and
• Works with the computing department on infrastructure security (security CDs, device

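The ITSO bullets above mention netflow-based detection and "auto-processes" that distribute lists of likely compromised hosts. As an added illustration (not IU's tooling and not code from the slides), the Python script below does the simplest version of that job: it reads flow records, flags sources whose traffic looks like scanning (many distinct destinations on one port, most of them probe-sized flows), skips an allowlist of known infrastructure such as the security office's own scanner, and groups the result by /24 so each list can go to the right departmental technician. The record format, the thresholds, the allowlist entry and the sample flows are all constructed for the example.

```python
"""Toy 'likely compromised host list' generator over flow records.

Added illustration only: the five-column record format (ts src dst dport
packets), the thresholds and the allowlist are constructed assumptions,
not the format or policy of any real netflow collector.
"""
from collections import defaultdict
import ipaddress
from typing import Dict, List, Tuple

FANOUT_THRESHOLD = 5     # distinct destinations on one port before we look closer (assumed)
SMALL_FLOW_PACKETS = 2   # flows this small look like probes rather than sessions (assumed)
KNOWN_SERVERS = {"10.1.1.2"}  # constructed allowlist: e.g. the security office's own scanner

# Constructed sample flows: "ts src dst dport packets".
SAMPLE_FLOWS = """\
# ts         src        dst            dport packets
1094000001 10.1.5.20 192.0.2.10     80  12
1094000002 10.1.5.20 192.0.2.11     80  9
1094000003 10.1.7.44 198.51.100.1   445 1
1094000003 10.1.7.44 198.51.100.2   445 1
1094000004 10.1.7.44 198.51.100.3   445 1
1094000004 10.1.7.44 198.51.100.4   445 2
1094000005 10.1.7.44 198.51.100.5   445 1
1094000006 10.1.7.44 198.51.100.6   445 1
1094000010 10.1.9.3  203.0.113.5    25  40
1094000011 10.1.9.3  203.0.113.6    25  38
1094000012 10.1.9.3  203.0.113.7    25  41
1094000013 10.1.9.3  203.0.113.8    25  37
1094000014 10.1.9.3  203.0.113.9    25  44
1094000020 10.2.3.8  203.0.113.20   25  1
1094000020 10.2.3.8  203.0.113.21   25  1
1094000021 10.2.3.8  203.0.113.22   25  1
1094000021 10.2.3.8  203.0.113.23   25  1
1094000022 10.2.3.8  203.0.113.24   25  1
1094000022 10.2.3.8  203.0.113.25   25  1
1094000030 10.1.1.2  10.1.7.1       22  1
1094000030 10.1.1.2  10.1.7.2       22  1
1094000030 10.1.1.2  10.1.7.3       22  1
1094000031 10.1.1.2  10.1.7.4       22  1
1094000031 10.1.1.2  10.1.7.5       22  1
1094000031 10.1.1.2  10.1.7.6       22  1
"""

Flow = Tuple[int, str, str, int, int]


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed record format; blank lines and '#' comments are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, pkts = line.split()
        flows.append((int(ts), src, dst, int(dport), int(pkts)))
    return flows


def find_suspect_hosts(flows: List[Flow], fanout: int = FANOUT_THRESHOLD,
                       small: int = SMALL_FLOW_PACKETS,
                       allowlist=KNOWN_SERVERS) -> Dict[str, str]:
    """Return {src: reason} for sources showing scan-like fan-out on some port."""
    # (src, dport) -> {dst: smallest flow seen to that dst}
    per_port: Dict[Tuple[str, int], Dict[str, int]] = defaultdict(dict)
    for _ts, src, dst, dport, pkts in flows:
        seen = per_port[(src, dport)]
        seen[dst] = min(pkts, seen.get(dst, pkts))

    reasons: Dict[str, List[str]] = defaultdict(list)
    for (src, dport), dsts in per_port.items():
        if src in allowlist or len(dsts) < fanout:
            continue
        probe_sized = sum(1 for p in dsts.values() if p <= small)
        # Real sessions (a mail relay talking to many peers) carry full flows;
        # a worm or scanner mostly leaves probe-sized ones behind.
        if probe_sized * 2 >= len(dsts):
            reasons[src].append(
                f"scan-like fan-out: {len(dsts)} destinations on port {dport}, "
                f"{probe_sized} probe-sized")
    return {src: "; ".join(r) for src, r in reasons.items()}


def group_by_subnet(suspects: Dict[str, str], prefix: int = 24) -> Dict[str, List[str]]:
    """Group suspect hosts by containing /prefix so each list reaches one department."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for host in sorted(suspects, key=ipaddress.ip_address):
        net = ipaddress.ip_network(f"{host}/{prefix}", strict=False)
        groups[str(net)].append(host)
    return dict(groups)


def render_host_list(flows_text: str = SAMPLE_FLOWS) -> str:
    """Produce the distributable text list: one block per subnet."""
    suspects = find_suspect_hosts(parse_flows(flows_text))
    lines = []
    for net, hosts in group_by_subnet(suspects).items():
        lines.append(f"[{net}]")
        lines.extend(f"  {h}: {suspects[h]}" for h in hosts)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_host_list())
```

On the sample data the mail relay at 10.1.9.3 is not listed even though it contacts many destinations on port 25, because its flows are full sessions; the allowlisted scanner at 10.1.1.2 is skipped before any threshold is applied. Both checks are what keep a daily list from training technicians to ignore it.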

ITPO

• Less technical – more coordinative (is that a word?)
• Handles all manner of IT abuse, misuse, and security incidents
• Develops and administers IT policies, including security policy (of course, w/Security Officer)
• Interprets and defends policy for individuals and departments
• Assesses recommended security controls or actions against user/functional issues (e.g., privacy)
• Works in web-based incident response application and database (RT - Request Tracker)
• Works to locate specific misbehaving devices
• Administers tactical filters (dhcp lease blocks, disabling data jacks and usernames, etc.)
• Interacts with department technicians and individual users about issues with specific devices
• Reviews and works through lists from ITSO
• Coordinates large responses with computing dept units and department technicians
• Works to identify specific misbehaving individuals, based on complaints/allegations
• Passes technical evidence to appropriate campus offices for action

So…

• …the IU philosophy is to dedicate security engineers to complex and difficult technical problems, and have them pass information along to, and interact with, the incident response staff
• Unless some new vulnerability/exploit is evident:
  – IU security engineers never work on p2p file sharing issues
  – IU security engineers do not have to work on student behavior issues
  – IU security engineers do not worry about spam and spam filtering
  – IU security engineers do not have to interact with specific students or staff about problems on their specific computers
  – Etc.