Effective Incident Response Teams: Two Case Studies

UNIVERSITY OF OKLAHOMA
Effective Incident Response Teams: Two Case Studies
Tuesday, April 05, 2005
10:00 a.m. - 11:00 a.m.
Imperial Room I (lower level)
David Escalante, Director of Computer Policy & Security, Boston College
Calvin Weeks, Director, OU Cyber Forensics Lab, University of Oklahoma
© 2005 The Trustees of Boston College & Calvin Weeks   Slide 1
Summary
» Why you need/want incident response
» What is best practice
» Problems with best practice for Higher Ed
» OU established model
» BC established model
» Roles
» What works and what does not
Why You Need Incident Response
» Compliance with laws and regulations
  - Gramm-Leach-Bliley Act (GLBA)
  - Sarbanes-Oxley (SOX)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - FERPA
» Security improvement
» Improve network and system uptime
» What is an “incident” for the purposes of this presentation?
» Strong incident response cultures
  - Government (in some places)
  - ISPs
  - Financials (recently)
  - ISACs
Resources
» SEI/CERT
  - http://www.cert.org/csirts/Creating-A-CSIRT.html
  - http://www.sei.cmu.edu/publications/documents/03.reports/03hb002.html
» O’Reilly book
» FIRST: The Forum of Incident Response and Security Teams
  - http://www.first.org/
» RFC 2196, Site Security Handbook
» RFC 2350, Expectations for Computer Security Incident Response
» NIST
  - http://csrc.nist.gov/topics/inchand.html
» NSA
» Educause
  - http://www.educause.edu/Browse/645?PARENT_ID=660
Summary of Best Practices
» Create a Dedicated team
» Have clearly Defined roles
» Build a formal Reporting structure
» Write a series of Defined plans
» Publish the team’s interfaces widely
Issues for Higher Ed
» Dedicated Team?
  - And what’s your budget!
  - If the team is multi-departmental, those politics come into play
» Define Roles…
  - OK. Who will fill them?
» Reporting Structure.
  - OK, but who is in charge or who has the authority? EDUs tend to be non-hierarchical
» Defined Plans
  - The best laid plans are almost never followed.
» Publish Contact & other Information
  - Communications channels in EDUs are diffuse
  - Audience is at different technical levels
Oklahoma Structure
[Org chart: University of Oklahoma with three campuses: Norman Campus, Health Science Center Campus and Tulsa Campus. The Norman and Health Science Center campuses show Departments, Colleges and Research beneath them; the Tulsa Campus shows Hospital, Departments and Colleges.]
OU Iterative Approach
» Phase one – 2001
  - Assign Security Officer
» Phase two – 2002
  - Establish Computer Assessment Response Team (CART)
» Phase three – 2002
  - Established Field Security Officers (FSO)
» Phase four – 2003
  - Approved Computer Security Incident Response Team (CSIRT)
» Phase five – 2003
  - Established IT Service Centers
» Phase six – 2004
  - Established OU Cyber Forensics Lab (OUCFL)
BC Structure
[Org chart of the BC structure, headed by the President]
BC Iterative Approach
» Phase 1 - 2002
  - Senior Management recognizes need for security office due to serious computer security incident
» Phase 2 - 2003
  - Office of Computer Policy & Security established and staffed
» Phase 3 - 2003
  - Create “best practice” style incident response team
» Phase 4 - 2004
  - Refine team based on real-world experience
» Phase 5 - 2005
  - Re-define incidents and response based on cultural issues on campus, moving toward universal culture of security
Phase 3 -- 2003
» Use the resources on the earlier slide to define a Computer Security Incident Response Team (CSIRT)
  - And immediately run into problems
» Everyone wanted to be on the team
  - Management vs. practitioners issue
» When a real incident came up, we didn't need the whole team, and sometimes needed other resources not on the team
  - Lack of tools in an incident
» Team runs into exhaustion, lack of interest, or both
Phase 4 -- 2004
» Stop using the formal team from Phase 3
» Resolve the management vs. practitioner issue by setting up a senior management team that interfaces with the incident team through an intermediary
» Security group declares the team in the course of declaring the incident
» Clarify responsibilities (Security is the boss)
» Flexibility and understanding of the process matter more than who fills which role in a given incident -- in our last major incident the CIO was boss, not Security, and everything worked the same because everyone understood the roles; only the people were swapped
Phase 5 -- 2005
» Security group has too many incidents to make progress on other, strategic tasks
» Need to empower other parts of IT and the university to run “minor” incidents
  - Framework and tools for doing this
» Improve incident reporting such that we achieve better coverage and more accurate classification
» Improve initial handling of people and technology issues when an incident occurs
OU Workflow
[OU incident response workflow diagram]
OU Roles
» CART – Executive oversight
» Service Centers – Direct customer support during the incident
» Security Team – Handle and execute the security response plan
» FSO – Coordinate with response efforts
» OUCFL – Perform any forensics, investigations, and/or law enforcement communications
» CSIRT – the handbook that we use only as a reference and guide
OU Response Cost Relation Model
[Chart: “Security Model and Posture” plotted against “Costs and Resource Utilization”, each axis scaled 5%, 10%, 20%, 40%, 80%; the posture axis is labelled Reactive and Quantitative at one end and Proactive and Qualitative at the other.]
What works/does not work?
» User is very happy
» Easier to track response capability
» Large or sensitive incidents are a new learning process every time
» Better control over desired actions or reactions to the incident
» Sometimes the whole process is slower than desired
» More and better information is obtained
Questions
Calvin Weeks, EnCE, CISSP, CISM
OU Cyber Forensics Lab
[email protected]
http://cfl.ou.edu
David Escalante, CISSP
[email protected]