Developing CSIRTs in Brazilian NREN
RNP Mission: To promote the innovative use of advanced networks. Education and research community: Universities; National Libraries; Research Institutes; Museums; Teaching hospitals; Others;
CAIS
CAIS lines of action: Security Incident Handling; Technical Expertise; Information Security Awareness; Security Vulnerability Handling; CSIRT Development.
PFSI - Information Security Strengthening Program in RNP Customers: Incident Security Management System (SGIS); Malicious Activity Combat; Security Awareness Actions; Support to Develop Security Policy Documents; Support to Create and Develop CSIRTs.
Motivation: Is a corporate security team the same thing as a CSIRT?
Motivation: Security incidents and critical vulnerabilities grew in the last years. Need to increase InfoSec capability in the Brazilian NREN (Information Security Strengthening Program - project CSIRTs in RNP Customers). Compliance with Brazilian legal regulations, especially for organizations that are part of the Federal Public Administration. Corporate security team ≠ CSIRT: the corporate security team focuses on the security overview, the CSIRT focuses on incident handling.
Goals of the CSIRTs in RNP Customers Project: Template - create a default, generic CSIRT establishment template applicable to the Brazilian NREN environment; Incident Management - define a security incident management template with process and procedures for all steps of the incident handling lifecycle; Guide - provide a guide and checklist to support the establishment of new CSIRTs; Interaction - promote interaction between new and existing CSIRT teams.
Technical Background - Standards: ABNT ISO/IEC 27002:2013; Normative Instruction GSI/PR Nº1:2008; RFC 2350; ISO/IEC 27035:2016. Guidelines of Security Incident Management: procedures and responsibilities; security information events evaluation; security information incidents response; evidence collection.
Technical Background - Normative Instruction GSI/PR Nº1:2008: Complementary Standard nº 05/IN01/DSIC/GSIPR disciplines the creation of new CSIRT teams in Brazilian Federal Public Administration departments and entities; Complementary Standard nº 08/IN01/DSIC/GSIPR establishes guidelines for incident management in Brazilian Federal Public Administration departments and entities.
Technical Background - RFC 2350, best practices of CSIRTs: mission statement and scope; CSIRT policies and procedures; security communications; relationships between different CSIRTs.
Technical Background - ABNT ISO/IEC 27035:2016: security incident management guideline for external organizations that provide information security incident management services.
Where to start?
Methodology: Planning; Development; Implementation; Operation.
Step 1: Planning - SWOT Analysis: a methodology used to analyze the internal and external environment of an organization; data analysis with the goal of strategically positioning the organization.
Step 1: Planning - Stakeholders, mapped by influence and interest: need to be continuously involved and kept informed of all development; keep them informed, without direct involvement; keep them informed, without responsibilities; monitor the attendance of their critical needs. Stakeholders: Project team; Board of directors; InfoSec Management Committee; Legal team; Heritage sector; IT team; Employees; Students.
Step 2: Development - Name of CSIRT; Constituency; Mission; Vision; Services; Organizational Model; Authority; Organizational Structure.
Step 3: Implementation 1) Infrastructure 2) People Management 3) Funding 4) Policies and procedures
Step 3: Implementation - Infrastructure. Resources: external network; hardware; DMZ; software / security; internal servers; network; testing; LAN; firewall. Network diagram labels (translated from Portuguese): external network; CSIRT internal data network; local external DMZ network; CSIRT public services; firewall; test network; internal servers; testing of solutions and new services; CSIRT internal services.
Step 3: Implementation - People Management. Hiring: curriculum analysis; job interview; contract details (career path; workload: 8x5? 24x7? weekends?); professional ethics. Professional development: follow up / coaching; events (CERT.br Brazilian Forum of CSIRTs; SBSeg (Security Brazilian Society); Security Leaders; LACNIC / LACSEC; FIRST Technical Colloquium). Firing: delete user / e-mail account; notice to the organization.
Step 3: Implementation - Funding: specific budget for the CSIRT; partnership with other CSIRTs; sale of services to customers; submission of projects to research funding organizations. Policies and Procedures: information handling / information classification; resource usage policies; password policies; communication plan; security awareness plan.
Step 3: Implementation - Incident Management Plan (Normative Structure - Management Plans). Six main steps. Security incident notification channels: communication systems; malicious activity detection. Security incident notification elements: incident description; source / destination IP; ports / protocols / compromised services; date and time (with correct GMT offset).
Step 4: Operation - Disclosure: e-mail marketing; website; awareness lectures. Formalization: CSIRT formalization document template. Analysis: statistics; indicators (incidents by time / category; incidents closed in / out of time; most used protocols; incidents closed in a certain period; IP addresses involved; time spent to close incidents).
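The notification elements from Step 3 and the indicators from Step 4 are easiest to see together in code. The following is an added example, not RNP/CAIS code: it validates constructed incident notifications against the listed elements (description, source/destination IP, port/protocol/service, date and time with an explicit GMT offset), normalizes every timestamp to UTC, and computes the indicators named on the slide. Field names, the 48-hour closing target and the sample incidents (which use RFC 5737 documentation addresses) are assumptions made for the example.

```python
"""Validate CSIRT incident notifications and compute operation indicators.

Added example; the incident records below are constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
import ipaddress

# Notification elements every report must carry (field names are assumed).
REQUIRED_FIELDS = ("description", "src_ip", "dst_ip", "port", "protocol",
                   "service", "reported_at")

# Constructed sample notifications. Timestamps carry explicit UTC offsets,
# which is what "date and time with correct GMT" asks for; INC-004 is
# deliberately incomplete to show how a bad report is rejected.
SAMPLE_NOTIFICATIONS = [
    {"id": "INC-001", "category": "malware", "description": "host beaconing",
     "src_ip": "203.0.113.10", "dst_ip": "198.51.100.7", "port": 445,
     "protocol": "tcp", "service": "smb",
     "reported_at": "2017-03-01T10:15:00-03:00",
     "closed_at": "2017-03-02T09:00:00-03:00"},
    {"id": "INC-002", "category": "brute-force", "description": "ssh guessing",
     "src_ip": "203.0.113.22", "dst_ip": "198.51.100.7", "port": 22,
     "protocol": "tcp", "service": "ssh",
     "reported_at": "2017-03-01T12:00:00+00:00",
     "closed_at": "2017-03-04T12:00:00+00:00"},
    {"id": "INC-003", "category": "phishing", "description": "credential page",
     "src_ip": "203.0.113.33", "dst_ip": "198.51.100.9", "port": 80,
     "protocol": "tcp", "service": "http",
     "reported_at": "2017-03-03T08:30:00-03:00"},          # still open
    {"id": "INC-004", "category": "scan", "description": "port sweep",
     "dst_ip": "198.51.100.9", "port": 3389, "protocol": "tcp",
     "service": "rdp", "reported_at": "2017-03-04 11:00:00"},  # no offset
]


def parse_utc(stamp):
    """Parse an ISO 8601 timestamp, require a UTC offset, return it in UTC."""
    ts = datetime.fromisoformat(stamp)
    if ts.tzinfo is None:
        raise ValueError("timestamp lacks a UTC offset: %s" % stamp)
    return ts.astimezone(timezone.utc)


def validate_notification(note):
    """Return a list of problems; an empty list means the report is usable."""
    problems = ["missing %s" % f for f in REQUIRED_FIELDS
                if note.get(f) in (None, "")]
    for f in ("src_ip", "dst_ip"):
        if note.get(f):
            try:
                ipaddress.ip_address(note[f])
            except ValueError:
                problems.append("invalid %s" % f)
    port = note.get("port")
    if port is not None and not (isinstance(port, int) and 0 < port < 65536):
        problems.append("invalid port")
    for f in ("reported_at", "closed_at"):
        if note.get(f):
            try:
                parse_utc(note[f])
            except ValueError:
                problems.append("invalid %s" % f)
    return problems


def compute_indicators(notes, sla=timedelta(hours=48)):
    """Compute the Step 4 indicators over valid notifications.

    `sla` is the assumed target time for closing an incident.
    """
    accepted, rejected = [], {}
    for n in notes:
        problems = validate_notification(n)
        if problems:
            rejected[n["id"]] = problems
        else:
            accepted.append(n)

    ips = Counter()
    for n in accepted:
        ips.update([n["src_ip"], n["dst_ip"]])

    closed_in, closed_out, open_ids, hours = 0, 0, [], []
    for n in accepted:
        if not n.get("closed_at"):
            open_ids.append(n["id"])
            continue
        time_to_close = parse_utc(n["closed_at"]) - parse_utc(n["reported_at"])
        hours.append(time_to_close.total_seconds() / 3600)
        if time_to_close <= sla:
            closed_in += 1
        else:
            closed_out += 1

    return {
        "rejected": rejected,
        "by_month": Counter(parse_utc(n["reported_at"]).strftime("%Y-%m")
                            for n in accepted),
        "by_category": Counter(n["category"] for n in accepted),
        "by_protocol": Counter(n["protocol"].lower() for n in accepted),
        "ips": ips,
        "closed_in_time": closed_in,
        "closed_out_of_time": closed_out,
        "open": open_ids,
        "mean_hours_to_close": (sum(hours) / len(hours)) if hours else None,
    }


if __name__ == "__main__":
    for key, value in compute_indicators(SAMPLE_NOTIFICATIONS).items():
        print("%-20s %s" % (key, value))
```

Rejected reports are kept with their reasons rather than silently dropped, so the team can go back to the notifier for the missing elements; the statistics are computed only over reports that carry every element the plan requires.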
Step 4: Operation - CSIRT formalization document sample (Formalization).
Results - Best Practices Guide for the Establishment of CSIRTs in the Brazilian NREN
Results – Establishment CSIRT Checklist
Results – Documentation template
Cases: Salvador/BA; Santa Maria/RS.
Cases - TRIIF - Incident Response Team of Instituto Federal Farroupilha: http://triif.iffarroupilha.edu.br
Cases - UFBA - Federal University of Bahia
CSIRTs establishment support service
Thanks! RNP - Brazilian Educational and Research Network; CAIS - RNP Incident Security Response Team. Rildo Souza, Security Analyst, rildo.souza@rnp.br; Yuri Alexandro, Security Analyst, yuri.ferreira@rnp.br