TF-CSIRT promotes collaboration between CSIRTs in Europe by providing a platform for exchange of knowledge, standards, and incident response procedures. The Task Force operates through meetings every four months, involving academic, government, and commercial CSIRTs, as well as wider cooperation with organizations like the European Commission and projects like eCSIRT.net. Deliverables include the Trusted Introducer Service, Incident Object Description & Exchange Format, RIPE IRT object, incident handling tools, CSIRT training course TRANSITS, incident information exchange, and assistance to new CSIRTs.
TF-CSIRT Karel Vietsch TERENA Secretary General
TF-CSIRT mission • To promote the collaboration between CSIRTs in Europe • Aims: • Provide a forum for exchange of experience and knowledge • Establish pilot services for the European CSIRT community • Promote common standards and procedures for responding to security incidents • Assist in the establishment of new CSIRTs and the training of CSIRTs staff • Co-ordinate other joint activities • Provide a vehicle for CSIRTs in Europe to liaise with the EC and other policy-making bodies
Creation of TF-CSIRT • TERENA Task Force: • Operation defined by Terms of Reference • Two-year recurring lifecycle (originally created May 2000, mandate renewed May 2002) • Members and non-members of TERENA • Active participation by TF members • Success depends on TF members’ commitment • TERENA plays role of professional facilitator
TF-CSIRT way of working • Meeting every four months • Venue rotates among members who volunteer to host • Two days: • 1st day for seminars and presentations • 2nd day for Task Force business meeting • Evening in-between: dinner organised by the hosting member • Contacts between meetings provided by mailing list and project groups
Who is involved? • Academic, Government, Commercial CSIRTs
Wider Co-operation • European Commission • Projects (eCSIRT.net, EISPP, TRANSITS) • Legal handbook for CSIRTs • Network & Information Security Agency • National governments • Government CSIRTs • Consultation on new legislation • Law enforcement • Operations and invited speakers at meetings • Other regional initiatives
Deliverables and Projects • Trusted Introducer Service • Incident Object Description & Exchange Format • RIPE IRT object • Clearing House for Incident Handling Tools • CSIRT training course (TRANSITS) • Incident Information Exchange (eCSIRT.net) • Assistance to new CSIRTs (Best Current Practice) • Incident Handling Procedures
Deliverables – Trusted Introducer (http://www.ti.terena.nl/) • Notion of ‘trust’ – is a contact trustworthy? • Currently, no scheme generically applicable • TF-CSIRT to work out a model which it believes fulfils the criteria needed at operational level • Feasibility and sanity checks • Now, outsourced to a 3rd party • TF-CSIRT retains control by TI Review Board
Deliverables – IODEF (http://www.terena.nl/tech/task-forces/tf-csirt/iodef.html) • Incident Object Description & Exchange Format • Cross-platform, cross-language, cross common understanding • Need for a well-understood definition of an incident • Bottom-up working group • Lots of output, among which RFC 3067 • Now transferred to IETF (INCH)
Deliverables – IRT database object • Commonly perceived problem: correct points of contact in (RIPE) database • Practical approach: • what do we miss now? • how can we design it? • how can we implement it? • Wishlist followed by discussion in RIPE database group • Lots of iterations, but eventually implemented and populated
Deliverables – CHIHT (http://chiht.dfn-cert.de/) • Clearing House for Incident Handling Tools • Share information on tools CSIRTs use • Help new and existing teams • Website listing tools by category • Evidence gathering & investigation, system recovery, CSIRT operations, remote access, proactive tools • Plan to add procedures and best practice • Contents suggested by active CSIRTs
Deliverables – TRANSITS (http://www.ist-transits.org/) • CSIRTs were seeking relevant training • Idea: best transfer of knowledge is from operational people to operational people • Conclusion: best people to write it are TF-CSIRT members • Two-day course developed in modules: • Operational, legal, technical, organisational, vulnerabilities • EC funding for delivery and updating • Six presentations over three years • Materials available to CSIRTs for own use