Creating and Managing Computer Security Incident Response Teams (CSIRTs)
Language:
The tutorial will be lectured in Portuguese, contents are in English, questions may be asked in Portuguese, English and Spanish.
Presented by:
Cristine Hoepers
CERT.br
SEI Partner for CERT Courses
Klaus Steding-Jessen
CERT.br
SEI Partner for CERT Courses
Course Description:
This one-day course provided a consolidated view of the information contained in two other CERT courses: Creating a CSIRT and Managing CSIRTs.
Its main purpose was to highlight best practices in planning, implementing, operating, and evaluating a computer security incident response team (CSIRT).
The course explored the relationship between CSIRTs, incident management, and security management, and discussed how successful incident management requires an enterprise-wide view and approach.
It presented a process-based model for structuring incident management activities and also provided an introductory view of CSIRTs for anyone new to the field.
Room
- Room “Tuna”
Speakers
Cristine Hoepers is a Senior Security Analyst and General Manager at CERT.br, the Brazilian National CERT, maintained by NIC.br, of the Brazilian Internet Steering Committee. She has been working in incident management at CERT.br since 1999, where she helps with the establishment of new CSIRTs in the country, provides training in information security and incident handling, develops best practices for system administration and user awareness materials, and is involved in organizing regular meetings with diverse sectors in Brazil to discuss Internet security and best practices, among other matters. She has also been involved since 2001 with honeypots and honeynets; since 2003 with the deployment of a network of distributed honeypots in Brazil; and since 2006 with the SpamPots Project, a way to measure the abuse of end-user machines to send spam. Cristine is a CERT-Certified Computer Security Incident Handler and an authorized instructor for the CERT Program courses of the Software Engineering Institute, Carnegie Mellon University. She has a degree in Computer Science and a PhD in Applied Computing from the Brazilian National Institute for Space Research (INPE). She has been a speaker and moderator at several forums, such as the ITU, OAS, APWG, IGF, London Action Plan, MAAWG, LACNIC, FIRST and AusCERT conferences.
Klaus Steding-Jessen is a Senior Security Analyst and Technical Manager at CERT.br, the Brazilian National CERT, maintained by NIC.br, of the Brazilian Internet Steering Committee. He has been with CERT.br since 1999, where he works on incident handling, provides training in information security and incident management, develops best practices for system administration, and is involved in the development of honeypot-based tools to better understand current attack trends, correlating this data with incidents reported to CERT.br. He has also been involved since 2001 with honeypots and honeynets; since 2003 with the deployment of a network of distributed honeypots in Brazil; and since 2006 with the SpamPots Project, which uses honeypots to measure the abuse of end-user machines to send spam. Klaus is a CERT-Certified Computer Security Incident Handler and an authorized instructor for the CERT Program courses of the Software Engineering Institute, Carnegie Mellon University. He has a degree in Computer Engineering and a PhD in Applied Computing from the Brazilian National Institute for Space Research (INPE). He has been a speaker at several forums, such as the ITU, LACNIC, FIRST, GovCERT.NL and Q-CERT conferences.
Objectives:
- Define the terms incident management and CSIRT.
- Differentiate between incident management and incident response activities.
- Describe activities conducted in the five processes that make up the CERT Incident Management Process Model: Prepare, Protect, Detect, Triage, and Respond.
- Identify the type of work that CSIRT managers and staff may be expected to handle.
- Explain the purpose and structure of CSIRTs.
- Define the variety and level of services that can be provided by a CSIRT.
- Identify policies and procedures that should be established and implemented for a CSIRT.
- Apply process improvement techniques for operating and evaluating an effective CSIRT.
Topics:
General Foundational Knowledge
- Review of the CERT Resiliency Engineering Framework
- Review of Incident Management Process Framework
- Relationship between Incident Management processes and CSIRTs
- What is a CSIRT?
- What does a CSIRT do?
- General categories of CSIRTs
- Constituency
- Mission
- Organizational Issues
- Funding
- Services
- Policies and Procedures
- CSIRT staffing issues
- Managing CSIRT infrastructures
- Evaluating the CSIRT's effectiveness
- Prepare
- Protect
- Detect
- Triage
- Respond
Audience:
This tutorial is designed to provide managers and other interested staff with an overview of the issues involved in creating and operating a CSIRT. It will also provide an introductory view of CSIRTs to anyone new to the field who is interested in what a CSIRT is and the type of activities a CSIRT performs.
