
Incident Response



Presentation Transcript


  1. Incident Response CSG September 2004 Harvard University

  2. What is it? • Response to pre-defined (or not) technology events by applying pre-defined (or not) policies and procedures. • All campuses have incident response functions, formal or informal.

  3. IT Events • Abuse • Misuse • Security • Service complaints

  4. Organization issues • Leader • Authority • Charter • Scope • Incident categories • Rules of engagement per category • Action Team – dedicated or distributed • Support team – PR, legal, etc. • Procedures

  5. Iterative Response • Proactive – defining the response capability • Proactive – detection • Proactive – prevention • Reactive – receipt/triage • Reactive – incident tracking • Reactive – incident resolution • Reactive – post mortem

  6. Office of the Vice President for Information Technology and Chief Information Officer, Indiana University, 09/01/2004 (organization chart): Adam Herbert, President; Michael McRobbie, VP/CIO, VPR; Human Resources Officer; Finance Officer; Chief of Staff/Communications and Planning Officer; Chief IT Security and Policy Officer; Campus Chancellor; AVP for Teaching and Learning Info Technologies; AVP for Research and Academic Computing; AVP for University Information Systems; AVP for Telecommunications; Regional Campus CIOs; University Information Technology Services.

  7. Information Technology Policy Office, Office of the Vice President for Information Technology and Chief Information Officer, Indiana University, 09/01/2004 (organization chart): Michael McRobbie, VP/CIO, VPR; Linda McNabb, Admin Asst; Doug Pearson, Dir, REN-ISAC; Mark Bruhn, Chief IT Security and Policy Officer; Tom Davis, IT Security Officer; Marge Abels, Disaster Recovery Program Manager; Stacie Wiegand, Data Administrator; Merri Beth Lavagnino, Deputy IT Policy Officer; Laura Klein, Manager, IT Accounts Admin. Staff boxes as listed on the chart: Andrew Korty (I), Sean Krulewitch (B), *Marge Abels (B), Dave Monnier (B), Dave Greenberg (I), Vacant (B); Christine Conklin (B), Tammy Grubb (B), Rose Ann Hasty (B), Barbara Hanes (I), Chasadee Castillo-Soto (I), Tom Jagatic (B), Jason Abels (I), Robb Whitt (B). Functional groups on the chart: Cross-Unit Recovery Planning Team; Information Protection; CID/CDS Support; REN-ISAC Support; CACR Support; Incident Response; IT Security Office.

  8. ITSO • Highly capable in various technologies • Detection (netflow, etc.) • Creates auto-processes that distribute vulnerable or likely compromised host lists daily to ITPO • Strategic prevention (firewall, border filters, etc.) • Consults with the computing dept or departmental technicians on security issues and options • Works with the computing department on infrastructure security (security CDs, device registration, etc.)
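The slide names the ITSO detection feed only as "netflow, etc." and a daily list of likely compromised hosts. The following Python is an added illustration written for this page, not IU's tooling and not part of the presentation: it flags hosts whose flows fan out to many distinct destinations on a single port with tiny, unanswered-looking flows (the shape a worm or scanner leaves in flow data) and renders the hand-off list. The record format, the thresholds and the sample flows are assumptions constructed for the example; a real pipeline would feed exported flow records in instead.

```python
"""Flag likely compromised hosts from NetFlow-style records.

Added example for this page; not IU's code. The record layout
(src,dst,dport,proto,packets,bytes), the thresholds and the sample
flows are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    nbytes: int


# Heuristic thresholds (assumed values; tune per campus and per port).
FANOUT_THRESHOLD = 50    # distinct destinations on one port per day
SMALL_FLOW_PACKETS = 3   # flows this small look like unanswered SYNs


def parse_flows(text):
    """Parse 'src,dst,dport,proto,packets,bytes' lines; skip blanks and '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto, packets, nbytes = line.split(",")
        flows.append(Flow(src, dst, int(dport), proto, int(packets), int(nbytes)))
    return flows


def find_scanners(flows, fanout=FANOUT_THRESHOLD, small=SMALL_FLOW_PACKETS):
    """Return {src: (dport, distinct_dsts)} for sources that touch at least
    `fanout` distinct destinations on one port using only tiny flows."""
    targets = defaultdict(set)   # (src, dport) -> set of destinations
    for f in flows:
        if f.packets <= small:
            targets[(f.src, f.dport)].add(f.dst)
    suspects = {}
    for (src, dport), dsts in targets.items():
        if len(dsts) >= fanout:
            prev = suspects.get(src)
            if prev is None or len(dsts) > prev[1]:   # keep the worst port per host
                suspects[src] = (dport, len(dsts))
    return suspects


def daily_list(flows, fanout=FANOUT_THRESHOLD, small=SMALL_FLOW_PACKETS):
    """Render the daily hand-off list, one line per host, worst fan-out first."""
    suspects = find_scanners(flows, fanout, small)
    ordered = sorted(suspects.items(), key=lambda kv: (-kv[1][1], kv[0]))
    return [f"{src}\tscan-like fan-out: {n} hosts on port {dport}"
            for src, (dport, n) in ordered]


def _build_sample():
    """Constructed sample: one host sweeps 60 hosts on 445 with 1-packet flows
    (flagged); one host browses 80 web servers with full sessions (benign,
    flows are not tiny); one host makes 10 tiny 445 flows (below threshold)."""
    rows = ["# src,dst,dport,proto,packets,bytes"]
    rows += [f"10.1.2.3,10.2.0.{i + 1},445,tcp,1,48" for i in range(60)]
    rows += [f"10.5.5.5,192.0.2.{i + 1},80,tcp,20,15000" for i in range(80)]
    rows += [f"10.7.7.7,10.2.1.{i + 1},445,tcp,1,48" for i in range(10)]
    return "\n".join(rows)


SAMPLE_FLOWS = _build_sample()

if __name__ == "__main__":
    print("\n".join(daily_list(parse_flows(SAMPLE_FLOWS))))
```

The fan-out count deliberately ignores bytes and counts only flows with very few packets, so a busy web client or mail server with many complete sessions is not swept up; the cost is that a slow scanner spreading below the daily threshold is missed, which is why the list is a starting point for ITPO follow-up rather than an automatic block.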

  9. ITPO • Less technical – more coordinative (is that a word?) • Handles all manner of IT abuse, misuse, and security incidents • Develops and administers IT policies, including security policy (of course, w/Security Officer) • Interprets and defends policy for individuals and departments • Assesses recommended security controls or actions against user/functional issues (e.g., privacy) • Works in a web-based incident response application and database (RT -- Request Tracker) • Works to locate specific misbehaving devices • Administers tactical filters (DHCP lease blocks, disabling data jacks and usernames, etc.) • Interacts with department technicians and individual users about issues with specific devices • Reviews and works through lists from ITSO • Coordinates large responses with computing dept units and department technicians • Works to identify specific misbehaving individuals, based on complaints/allegations • Passes technical evidence to appropriate campus offices for action

  10. So… • …the IU philosophy is to dedicate security engineers to complex and difficult technical problems, and have them pass information along to, and interact with, the incident response staff • Unless some new vulnerability/exploit is evident • IU security engineers never work on p2p file sharing issues • IU security engineers do not have to work on student behavior issues • IU security engineers do not worry about spam and spam filtering • IU security engineers do not have to interact with specific students or staff about problems on their specific computers • Etc.
