University of Florida Incident Tracking and Reporting

1. University of Florida Incident Tracking and Reporting Kathy Bergsma kbergsma@ufl.edu

2. About UF • Land-grant institution • Research, education, and extension • Over 50,000 students • Over 50,000 network nodes • First dedicated IT security position in 1999. Now 4 FTE.

3. Your Institution • How many are from institutions with greater than 30,000 students? • Is your institution de-centralized? • Does your institution… • have incident response standards and procedures? • track IT contacts? • track incidents? • deliver incident reports?

4. Contact Tracking • Contact database • Network managers • Server managers • Information Security Managers • Information Security Administrators • Much more

5. UF Incident Response Standard http://www.it.ufl.edu/policies/security/uf-it-sec-incident-response-rewrite.html • An incident is “an event that impacts or has the potential to impact the confidentiality, availability, or integrity of UF IT resources.” • Describes eight incident response steps from discovery to resolution • Establishes UF Incident Response Team and their responsibility • Defines Unit responsibility • Specific procedures for each incident type

6. Incident Identification Sources • IDS • Email abuse complaints • Flow data • Honeypots

7. Incident Tracking • Critical fields tracked • IP address • Unit • Incident type • Incident severity • Time to contain • Time to resolve

8. Ticket Creation • Manual: Web form interface to Remedy on the backend. Some fields such as contacts are automatically populated • Semi automated: Batch processing scripts for ircbots or IP lists • Fully automated: Daedalus home-grown automated ticket creation.

9. Daedalus • Message processor using threat configs • Input • IDS event • Flow event • Email notification • Output • Remedy ticket • Email notification

10. Incident Resolution • Daily reports to UF incident response team identifying open tickets • Bi-weekly automated reminders about open tickets to ticket owners

11. Vulnerability Detection • Continuous Nessus top-20 scans • Results tracked in SQL • No Remedy ticket because next scan will usually identify resolution • Recidivism reports identify unresolved vulnerabilities.

12. Incident Reports • Cover letter includes • Request to update contact information • List and description of graphs • General campus trends • Link to detailed ticket information • Confidentiality statement • Periodic survey of report value

13. Incident Reports • Each of the following graphs compares the unit to the 5 most active units: • Number of incidents • Number of incidents adjusted for unit size • Average number of days to contain incidents • Number of critical vulnerabilities • Number of critical vulnerabilities adjusted for unit size

14. Incident Reports • Number of each incident type • Comparison of current semester to same semester last year of: • Number of incidents • Average days to contain • Number of critical vulnerabilities

22. Executive Incident Summary • Table listing all units • Total Number of Incidents • Containment Time • Total Number of Vulnerabilities

23. Survey of Report Value • Of the units that responded to the survey: • 100% found reports useful • 85% approved of report frequency • 46% made changes to their information security program as a result of the reports • Ways in which the reports are used: • 33% compliance review • 26% risk assessment • 22% strategic planning • 19% budget planning

24. Survey of Report Value • Cause of incident increase or decrease: • 34% awareness and training • 21% policy and procedures • 21% security infrastructure • 14% security staff • 10% other • 100% were familiar with UF policy • Degree of policy compliance • 57% very compliant • 36% mostly compliant • 7% somewhat compliant

25. Questions? Thank you, Kathy Bergsma kbergsma@ufl.edu