University of Florida Incident Tracking and Reporting Kathy Bergsma kbergsma@ufl.edu
About UF
• Land-grant institution
• Research, education, and extension
• Over 50,000 students
• Over 50,000 network nodes
• First dedicated IT security position in 1999; now 4 FTE
Your Institution
• How many are from institutions with more than 30,000 students?
• Is your institution decentralized?
• Does your institution…
  • have incident response standards and procedures?
  • track IT contacts?
  • track incidents?
  • deliver incident reports?
Contact Tracking
• Contact database
• Network managers
• Server managers
• Information Security Managers
• Information Security Administrators
• Much more
UF Incident Response Standard
http://www.it.ufl.edu/policies/security/uf-it-sec-incident-response-rewrite.html
• An incident is “an event that impacts or has the potential to impact the confidentiality, availability, or integrity of UF IT resources.”
• Describes eight incident response steps from discovery to resolution
• Establishes the UF Incident Response Team and its responsibilities
• Defines Unit responsibilities
• Specific procedures for each incident type
Incident Identification Sources
• IDS
• Email abuse complaints
• Flow data
• Honeypots
Incident Tracking
• Critical fields tracked
  • IP address
  • Unit
  • Incident type
  • Incident severity
  • Time to contain
  • Time to resolve
Ticket Creation
• Manual: web form interface to Remedy on the backend; some fields, such as contacts, are populated automatically
• Semi-automated: batch processing scripts for IRC bots or IP lists
• Fully automated: Daedalus, home-grown automated ticket creation
Daedalus
• Message processor using threat configs
• Input
  • IDS event
  • Flow event
  • Email notification
• Output
  • Remedy ticket
  • Email notification
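Added example, not UF's Daedalus code: an event-to-ticket processor in the shape the slide describes (IDS, flow and email events in; tickets and email notifications out), with contact fields filled in from a contact table as the Ticket Creation slide notes. The threat-config format, the contact table, the subnets, the addresses and the event strings are all assumptions; a real deployment would write to Remedy instead of an in-memory list.

```python
"""Event-driven ticket creation modelled on the Daedalus pipeline above.
Illustrative code; threat configs, contacts and events are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
import ipaddress
import re

# Assumed threat configs: each rule binds an event source and a pattern to an
# incident type and severity, and says whether a ticket is opened or the
# event is only reported by email.
THREAT_CONFIGS = [
    {"source": "ids", "match": re.compile(r"TROJAN|IRC BOT", re.I),
     "type": "compromise", "severity": "critical", "ticket": True},
    {"source": "flow", "match": re.compile(r"\bdst_port=6667\b"),
     "type": "ircbot", "severity": "high", "ticket": True},
    {"source": "email", "match": re.compile(r"copyright|DMCA", re.I),
     "type": "copyright", "severity": "low", "ticket": True},
    {"source": "ids", "match": re.compile(r"\bSCAN\b", re.I),
     "type": "scan", "severity": "info", "ticket": False},
]

# Assumed contact database keyed by subnet: (unit, security administrator).
# This is what lets the ticket's contact fields be filled in automatically.
CONTACTS = {
    ipaddress.ip_network("10.10.0.0/16"): ("Engineering", "isa-eng@example.edu"),
    ipaddress.ip_network("10.20.0.0/16"): ("Housing", "isa-housing@example.edu"),
}
FALLBACK_CONTACT = ("Unknown", "security@example.edu")


@dataclass
class Ticket:
    ip: str
    unit: str
    contact: str
    incident_type: str
    severity: str
    opened: datetime
    contained: Optional[datetime] = None
    resolved: Optional[datetime] = None
    events: List[Tuple[str, datetime, str]] = field(default_factory=list)


def lookup_contact(ip: str) -> Tuple[str, str]:
    """Resolve an IP to (unit, contact); unknown space goes to the security team."""
    addr = ipaddress.ip_address(ip)
    for net, who in CONTACTS.items():
        if addr in net:
            return who
    return FALLBACK_CONTACT


class TicketProcessor:
    """Routes events through the threat configs and keeps one open ticket per
    (ip, incident type), so repeated alerts for a host do not spawn duplicates."""

    def __init__(self, dedup_window: timedelta = timedelta(days=7)):
        self.tickets: List[Ticket] = []
        self.notifications: List[Tuple[str, str, str]] = []  # (contact, ip, type)
        self.dedup_window = dedup_window

    def _open_ticket(self, ip: str, itype: str, when: datetime) -> Optional[Ticket]:
        for t in self.tickets:
            if (t.ip == ip and t.incident_type == itype and t.resolved is None
                    and when - t.opened <= self.dedup_window):
                return t
        return None

    def process(self, source: str, ip: str, text: str, when: datetime) -> Optional[Ticket]:
        for cfg in THREAT_CONFIGS:
            if cfg["source"] != source or not cfg["match"].search(text):
                continue
            unit, contact = lookup_contact(ip)
            if not cfg["ticket"]:                       # notify-only rule, no ticket
                self.notifications.append((contact, ip, cfg["type"]))
                return None
            t = self._open_ticket(ip, cfg["type"], when)
            if t is None:                               # new ticket plus email to the unit
                t = Ticket(ip, unit, contact, cfg["type"], cfg["severity"], when)
                self.tickets.append(t)
                self.notifications.append((contact, ip, cfg["type"]))
            t.events.append((source, when, text))       # repeat alert: attach to open ticket
            return t
        return None                                     # no threat config matched


# Constructed sample events, not real data
SAMPLE_EVENTS = [
    ("ids", "10.10.5.5", "ET TROJAN Zeus bot check-in", datetime(2009, 3, 2, 9, 0)),
    ("ids", "10.10.5.5", "ET TROJAN Zeus bot check-in", datetime(2009, 3, 2, 9, 5)),
    ("flow", "10.20.1.1", "src=10.20.1.1 dst=198.51.100.7 dst_port=6667 bytes=4096",
     datetime(2009, 3, 2, 10, 0)),
    ("ids", "10.10.7.7", "SCAN nmap SYN sweep", datetime(2009, 3, 2, 11, 0)),
    ("email", "10.10.5.5", "Notice of claimed copyright infringement",
     datetime(2009, 3, 3, 8, 0)),
]


def run_sample() -> TicketProcessor:
    proc = TicketProcessor()
    for src, ip, text, when in SAMPLE_EVENTS:
        proc.process(src, ip, text, when)
    return proc
```

Running `run_sample()` yields three tickets (a compromise and a copyright ticket for 10.10.5.5, an IRC bot ticket for 10.20.1.1) and four notifications; the second IDS alert for 10.10.5.5 is attached to the existing compromise ticket rather than opening a new one, and the scan is reported by email only. The dedup window is the kind of caveat to tune: too short and one infected host produces a ticket per alert, too long and a re-infection after cleanup is silently folded into an old ticket.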
Incident Resolution
• Daily reports to the UF incident response team identifying open tickets
• Bi-weekly automated reminders about open tickets to ticket owners
Vulnerability Detection
• Continuous Nessus top-20 scans
• Results tracked in SQL
• No Remedy ticket is opened, because the next scan will usually confirm resolution
• Recidivism reports identify vulnerabilities that remain unresolved across scans
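Added example, not UF's scanning tooling: a recidivism report built from successive scan results. The slide keeps results in SQL; here an in-memory dict of three constructed weekly scans stands in for that table, and the record shape (host, plugin ID, severity) is an assumption modelled on Nessus exports. The point the example shows is the one the slide relies on: a finding that disappears in the next scan is taken as resolved, a finding that keeps reappearing is the recidivist, and a finding that disappears and then comes back is the case that deserves a closer look.

```python
"""Recidivism report over successive vulnerability scans.
Illustrative code; scan records are constructed sample data."""
from collections import defaultdict
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str]          # (host, plugin_id, severity)

# Constructed sample: three weekly scans, newest last when sorted by date
SCANS: Dict[str, List[Finding]] = {
    "2009-01-05": [("10.10.5.5", 10081, "Critical"), ("10.10.5.5", 11213, "High"),
                   ("10.20.1.1", 10081, "Critical")],
    "2009-01-12": [("10.10.5.5", 10081, "Critical"), ("10.20.1.1", 34460, "Critical")],
    "2009-01-19": [("10.10.5.5", 10081, "Critical"), ("10.20.1.1", 10081, "Critical"),
                   ("10.20.1.1", 34460, "Critical")],
}


def finding_history(scans: Dict[str, List[Finding]]) -> Dict[Finding, List[str]]:
    """Map each finding to the ordered list of scan dates it appeared in."""
    hist: Dict[Finding, List[str]] = defaultdict(list)
    for date in sorted(scans):
        for finding in scans[date]:
            hist[finding].append(date)
    return hist


def closed_between(scans: Dict[str, List[Finding]], earlier: str, later: str) -> List[Finding]:
    """Findings present in the earlier scan but absent from the later one.
    This is why no ticket is needed: the next scan itself records resolution."""
    return sorted(set(scans[earlier]) - set(scans[later]))


def recidivism_report(scans: Dict[str, List[Finding]], min_appearances: int = 2) -> List[dict]:
    """Findings seen in at least `min_appearances` scans, most persistent first."""
    dates = sorted(scans)
    rows = []
    for (host, plugin, sev), seen in finding_history(scans).items():
        if len(seen) < min_appearances:
            continue
        # number of scans between first and last sighting, inclusive
        span = dates.index(seen[-1]) - dates.index(seen[0]) + 1
        rows.append({
            "host": host, "plugin": plugin, "severity": sev,
            "appearances": len(seen),
            "first_seen": seen[0], "last_seen": seen[-1],
            # disappeared and came back: fixed then regressed, or re-imaged from a stale image
            "regressed": span > len(seen),
            # present in the most recent scan, so still open right now
            "still_open": seen[-1] == dates[-1],
        })
    rows.sort(key=lambda r: (-r["appearances"], r["host"], r["plugin"]))
    return rows
```

On the sample data, 10.10.5.5 plugin 10081 is flagged in all three scans (the persistent recidivist), 10.20.1.1 plugin 10081 was absent from the middle scan and is marked `regressed`, and `closed_between` for the first two scans returns the two findings that the second scan no longer reports.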
Incident Reports
• Cover letter includes
  • Request to update contact information
  • List and description of graphs
  • General campus trends
  • Link to detailed ticket information
  • Confidentiality statement
• Periodic survey of report value
Incident Reports
• Each of the following graphs compares the unit to the 5 most active units:
  • Number of incidents
  • Number of incidents adjusted for unit size
  • Average number of days to contain incidents
  • Number of critical vulnerabilities
  • Number of critical vulnerabilities adjusted for unit size
Incident Reports
• Number of each incident type
• Comparison of the current semester to the same semester last year for:
  • Number of incidents
  • Average days to contain
  • Number of critical vulnerabilities
Executive Incident Summary
• Table listing all units
  • Total number of incidents
  • Containment time
  • Total number of vulnerabilities
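Added example, not UF's reporting code, covering the metrics behind the unit report graphs and the executive summary table above: incident counts per unit, counts adjusted for unit size, average days to contain, and the comparison of one unit against the five most active units, with a period filter for the semester-over-semester comparison. The ticket fields follow the Incident Tracking slide; the unit names, node counts and tickets are constructed.

```python
"""Per-unit incident metrics for the kind of report described above.
Illustrative code; units, node counts and tickets are constructed."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Ticket:
    unit: str
    incident_type: str
    severity: str
    opened: date
    contained: Optional[date]        # None while the incident is still open

    def days_to_contain(self) -> Optional[int]:
        return None if self.contained is None else (self.contained - self.opened).days


# Assumed unit sizes in network nodes, used to adjust counts for unit size
UNIT_NODES = {"Engineering": 8000, "Housing": 12000, "Medicine": 15000,
              "Law": 600, "Arts": 2500, "Library": 1500, "Athletics": 400}

# Constructed tickets, not real data
TICKETS = [
    Ticket("Engineering", "compromise", "critical", date(2009, 2, 2), date(2009, 2, 4)),
    Ticket("Engineering", "ircbot", "high", date(2009, 2, 10), date(2009, 2, 11)),
    Ticket("Engineering", "copyright", "low", date(2009, 3, 1), date(2009, 3, 1)),
    Ticket("Housing", "ircbot", "high", date(2009, 2, 3), date(2009, 2, 10)),
    Ticket("Housing", "copyright", "low", date(2009, 2, 20), date(2009, 2, 21)),
    Ticket("Medicine", "compromise", "critical", date(2009, 2, 15), date(2009, 2, 16)),
    Ticket("Law", "compromise", "critical", date(2009, 2, 5), date(2009, 2, 9)),
    Ticket("Arts", "copyright", "low", date(2009, 2, 8), date(2009, 2, 9)),
    Ticket("Library", "compromise", "critical", date(2009, 3, 4), None),   # still open
]


def in_period(tickets: List[Ticket], start: date, end: date) -> List[Ticket]:
    """Tickets opened in [start, end]; run twice to compare two semesters."""
    return [t for t in tickets if start <= t.opened <= end]


def unit_metrics(tickets: List[Ticket], unit_nodes: Dict[str, int], per: int = 1000) -> Dict[str, dict]:
    """Incidents, incidents per `per` nodes, incident types and mean days to contain, per unit.
    Units with no tickets still appear, which the executive table needs."""
    metrics = {u: {"incidents": 0, "by_type": {}, "contain_days": []} for u in unit_nodes}
    for t in tickets:
        m = metrics[t.unit]
        m["incidents"] += 1
        m["by_type"][t.incident_type] = m["by_type"].get(t.incident_type, 0) + 1
        d = t.days_to_contain()
        if d is not None:                        # open tickets do not count toward containment time
            m["contain_days"].append(d)
    for u, m in metrics.items():
        m["per_nodes"] = round(m["incidents"] / unit_nodes[u] * per, 3)
        m["avg_days_to_contain"] = round(mean(m["contain_days"]), 2) if m["contain_days"] else None
        del m["contain_days"]
    return metrics


def compare_to_most_active(metrics: Dict[str, dict], unit: str, n: int = 5) -> Dict[str, dict]:
    """The unit's row alongside the n most active units (ties broken by size-adjusted rate)."""
    ranked = sorted(metrics, key=lambda u: (-metrics[u]["incidents"], -metrics[u]["per_nodes"], u))
    chosen = ranked[:n]
    if unit not in chosen:
        chosen.append(unit)
    return {u: metrics[u] for u in chosen}
```

Adjusting for unit size changes the picture: Engineering has the most incidents in the sample, but Law, with 600 nodes and one compromise, has the highest rate per thousand nodes, which is what a small unit needs to see before it concludes its numbers are fine.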
Survey of Report Value
• Of the units that responded to the survey:
  • 100% found reports useful
  • 85% approved of report frequency
  • 46% made changes to their information security program as a result of the reports
• Ways in which the reports are used:
  • 33% compliance review
  • 26% risk assessment
  • 22% strategic planning
  • 19% budget planning
Survey of Report Value
• Cause of incident increase or decrease:
  • 34% awareness and training
  • 21% policy and procedures
  • 21% security infrastructure
  • 14% security staff
  • 10% other
• 100% were familiar with UF policy
• Degree of policy compliance:
  • 57% very compliant
  • 36% mostly compliant
  • 7% somewhat compliant
Questions? Thank you, Kathy Bergsma kbergsma@ufl.edu