Developing CSIRTs in Brazilian NREN RNP Mission: To promote the - PowerPoint PPT Presentation

  1. Developing CSIRTs in Brazilian NREN

  2. RNP Mission: To promote the innovative use of advanced networks. Education and research community: Universities; National Libraries; Research Institutes; Museums; Teaching hospitals; Others.

  3. CAIS

  4. CAIS Lines of action: Technical Expertise; Security Incident Handling; Information Security Awareness; Security Vulnerability Handling; CSIRT Development.

  5. PFSI Information Security Strengthening Program in RNP Customers

  6. PFSI (Information Security Strengthening Program in RNP Customers): Incident Security Management System (SGIS); Malicious Activity Combat; Security Awareness Actions; Support to Develop Security Policy Documents; Support to Create and Develop CSIRTs.

  7. Motivation: Are a corporate security team and a CSIRT the same thing?

  8. Motivation: Security incidents and critical vulnerabilities grew in recent years. Need to increase InfoSec capability in the Brazilian NREN. Compliance with Brazilian legal regulations, especially for organizations that are part of the Federal Public Administration. Corporate security team ≠ CSIRT. (Diagram labels: Security overview; Security Strengthening; Brazilian NREN; Incident handling focus; PROJECT CSIRTs in RNP Customers.)

  9. Goals of the CSIRTs in RNP Customers Project: CSIRT Template: create a default and generic template for CSIRT establishment, applicable to the Brazilian NREN environment. Incident Management: define a security incident management template, with process and procedures for all steps of the incident handling lifecycle. Guide: provide a guide and checklist to support the establishment of new CSIRTs. Interaction: promote interaction between new and existing CSIRT teams.

  10. Technical Background. Standards: ABNT ISO/IEC 27002:2013; Normative Instruction GSI/PR Nº1:2008; RFC 2350; ISO/IEC 27035:2016. ABNT ISO/IEC 27002:2013, Guidelines of Security Incident Management: Procedures and responsibilities; Security information events evaluation; Security information incidents response; Evidence collection.

  11. Technical Background. Standards: Normative Instruction GSI/PR Nº1:2008. Complementary Standard nº 05/IN01/DSIC/GSIPR: disciplines the creation of new CSIRT teams in Brazilian Federal Public Administration departments and entities. Complementary Standard nº 08/IN01/DSIC/GSIPR: establishes guidelines for Incident Management in Brazilian Federal Public Administration departments and entities.

  12. Technical Background. Standards: RFC 2350, Best Practices of CSIRTs: Mission statement and scope; CSIRT policies and procedures; Security communications; Relationships between different CSIRTs.

  13. Technical Background. Standards: ABNT ISO/IEC 27035:2016, Security Incident Management guideline for external organizations that provide information security incident management services.

  14. Where to start?

  15. Methodology: Planning, Development, Implementation, Operation.

  16. Step 1: Planning. SWOT Analysis: a methodology used to analyze the internal and external environment of an organization; data analysis aimed at the strategic positioning of the organization.

  17. Step 1: Planning. Stakeholders, mapped on an influence/interest grid with four handling strategies: need to be continuously involved and kept informed of all development; keep them informed, without direct involvement; keep them informed, without attendance of their responsibilities; monitor their critical needs. Stakeholders listed: Project team; Board of directors; InfoSec Management Committee; Legal team; Heritage sector; IT Team; Employees; Students.

  18. Step 2: Development Name of CSIRT

  19. Step 2: Development. Constituency; Mission; Vision; Services.

  20. Step 2: Development. Organizational Model; Authority; Organizational Structure.

  21. Step 3: Implementation 1) Infrastructure 2) People Management 3) Funding 4) Policies and procedures

  22. Step 3: Implementation. Infrastructure resources: Hardware; Software; Network/security; Testing. Network diagram (labels translated from Portuguese): External network; CSIRT internal data network; local/external DMZ network; Firewall; LAN; Internal servers; Test network (testing of solutions and new services); CSIRT public services; CSIRT internal services.

  23. Step 3: Implementation. People Management. Hiring: Curriculum analysis; Job interview; Contract details (Career path; Workload: 8x5? 24x7? Weekends?; Professional ethics). Professional development: Follow up / coaching; Events (CERT.br Brazilian Forum of CSIRTs; SBSeg (Brazilian Security Society); Security Leaders; LACNIC / LACSEC; FIRST Technical Colloquium). Firing: Delete user/e-mail account; Notice to organization.

  24. Step 3: Implementation. Funding: Specific budget for the CSIRT; Partnership with other CSIRTs; Sale of services to customers; Submit projects to research funding organizations. Policies and Procedures: Information handling / information classification; Resource usage policies; Password policies; Communication Plan; Security Awareness Plan.

  25. Step 3: Implementation. Incident Management Plan (Normative Structure: Management Plans). Six main steps:

  26. Step 3: Implementation. Incident Management Plan (Normative Structure: Management Plans). Six main steps: Security incident notification channels (Communication systems; Malicious activity detection); Security incident notification elements (Incident description; IP source / destination; Ports / protocols / compromised services; Date and time, with correct GMT).

  27. Step 3: Implementation. Incident Management Plan (Normative Structure: Management Plans). Six main steps:

  28. Step 4: Operation. Disclosure: E-mail marketing; Website; Awareness lectures. Formalization: CSIRT formalization document template. Analysis: Statistics; Indicators (Incidents by time / category; Incidents closed in/out of time; Most used protocols; Incidents closed in a given period; IP addresses involved; Time spent to close incidents).
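The notification elements of slide 26 and the indicators of slide 28 together describe a small incident data model. As an added example, not code from the deck or from RNP/CAIS, the Python below validates constructed notification records (rejecting timestamps that carry no UTC offset, the "correct GMT" point) and derives those indicators; the 24-hour closure target is an assumption.

```python
"""Added example (not RNP/CAIS code): validate incident notifications that
carry the slide 26 elements and derive the slide 28 indicators from them."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

SLA = timedelta(hours=24)  # assumed closure target; the slides state none

# Constructed sample notifications (documentation-range IPs, ISO 8601 timestamps)
INCIDENTS = [
    {"desc": "malware beacon", "src": "198.51.100.7", "dst": "192.0.2.10",
     "proto": "tcp", "port": 445, "opened": "2017-03-01T08:00:00-03:00",
     "closed": "2017-03-01T20:00:00-03:00"},
    {"desc": "ssh scan", "src": "203.0.113.5", "dst": "192.0.2.20",
     "proto": "tcp", "port": 22, "opened": "2017-03-02T23:30:00-03:00",
     "closed": "2017-03-05T10:00:00+00:00"},
    {"desc": "ssh brute force", "src": "198.51.100.7", "dst": "192.0.2.30",
     "proto": "tcp", "port": 22, "opened": "2017-04-10T09:00:00-03:00",
     "closed": None},
]

def normalize(rec):
    """Check the notification elements and convert every timestamp to UTC."""
    ip_address(rec["src"]); ip_address(rec["dst"])  # ValueError on a bad address
    if not 0 <= rec["port"] <= 65535:
        raise ValueError(f"bad port {rec['port']}")
    out = dict(rec)
    for key in ("opened", "closed"):
        ts = datetime.fromisoformat(rec[key]) if rec.get(key) else None
        if ts is not None and ts.tzinfo is None:  # offset-less time is ambiguous
            raise ValueError(f"{key} timestamp lacks a UTC offset")
        out[key] = ts.astimezone(timezone.utc) if ts else None
    return out

def indicators(records, sla=SLA):
    """Slide 28 indicators: volume by category/month, SLA hit rate, protocols, IPs."""
    recs = [normalize(r) for r in records]
    closed = [r for r in recs if r["closed"] is not None]
    durations = [r["closed"] - r["opened"] for r in closed]  # timedeltas
    return {
        "by_category": dict(Counter(r["desc"] for r in recs)),
        "by_month": dict(Counter(r["opened"].strftime("%Y-%m") for r in recs)),
        "closed_in_time": sum(d <= sla for d in durations),
        "closed_out_of_time": sum(d > sla for d in durations),
        "top_protocols": Counter(f"{r['proto']}/{r['port']}" for r in recs).most_common(2),
        "ips_involved": sorted({r["src"] for r in recs} | {r["dst"] for r in recs}),
        "mean_hours_to_close": round(sum(d.total_seconds() for d in durations)
                                     / 3600 / len(durations), 2) if durations else None,
    }
```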

  29. Step 4: Operation. CSIRT formalization document sample (Formalization).

  30. Results – Establishment CSIRTs in Brazilian NREN Best Practices Guide

  31. Results – Establishment CSIRT Checklist

  32. Results – Documentation template

  33. Results

  34. Results

  35. Results

  36. Cases Salvador/BA Santa Maria/RS

  37. Cases TRIIF – Incident Response Team of Instituto Federal Farroupilha

  38. Cases TRIIF – Incident Response Team of Instituto Federal Farroupilha http://triif.iffarroupilha.edu.br

  39. Cases UFBA – Federal University of Bahia

  40. Cases UFBA – Federal University of Bahia

  41. Cases UFBA – Federal University of Bahia

  42. CSIRTs establishment support service

  43. Thanks! RNP – Brazilian Educational and Research Network. CAIS – RNP Incident Security Response Team. Rildo Souza, Security Analyst, rildo.souza@rnp.br. Yuri Alexandro, Security Analyst, yuri.ferreira@rnp.br.
