Tuesday, September 18, 2007

CSIRT Management: Triage

Network World's Security Strategies Newsletter, 09/18/07

By M. E. Kabay

This summer, I was delighted to lead an 11-week graduate course on computer security incident response team (CSIRT) management in the Master of Science in Information Assurance program in the School of Graduate Studies of Norwich University.

The course used material that I wrote for this column over several years and collected in a monograph available on my Web site.

Our courses have three weekly online discussion topics from weeks 1 through 10, and I am always on the lookout for publishable work our students have created. Mani Akella and Rick Tuttle took up my suggestion that they compile commentary from a number of students of diverse backgrounds in our cohort (class) into a usable series for this column. Mani and Rick worked with their fellow students to obtain corporate approval from all the employers, and this is the first of three short articles resulting from their work. As always, I have edited the students' work for publication.

Today’s topic is triage.

* * *

Many members of this cohort represented organizations that do not have a separate, formal CSIRT. Instead, these organizations use the IT help desk and its associated incident-escalation process to perform the CSIRT response functions. Where a separate CSIRT does exist, the organization often still uses a single help desk as the point of contact for all incidents; help desk staff then use the triage process to assign each incident to the appropriate functional team.

The organization's core business determines the response and escalation process. For example, loss of credit-card data is a top-priority incident for a financial organization: the response takes precedence over, and may suspend, all other CSIRT members' work until the incident is resolved. For a retailer, the same data loss may affect only the functional area that controls transactions and sales. Management attention follows the same pattern, because management judges an incident by whether it disrupts the entire organization or only a single group.

Cohort members agreed that training is vital to successful CSIRT operation. Because the help desk is the point of contact, CSIRT-provided training ensures that help desk staff capture all relevant information when creating the incident report, and that the triage process functions as intended. Training also ensures that the response team captures all relevant information and evidence in a forensically sound fashion, preserving the chain of custody.

An interesting parallel was drawn between triage in a medical emergency and triage in a CSIRT. Although the individual procedures differ, the underlying thinking is the same. Student Stanley Jamrog commented:

"It (triage) is a wonderful system in emergency scenarios, and adapts well to Computer Emergency Response. Now, triage generally comes into play when you have a lot of casualties, although it is also done whenever you have multiple patients. Generally, you prioritize your patients. You have those that can wait, those who need emergency and immediate care, and those who are too far gone to bother helping. It seems cruel, but to save some people you can't bother treating those who are going to die anyway.

"So, you do a quick evaluation of each patient. Can they wait in the treatment area? Do they need to be treated before they are shipped, or do they need to be loaded in the helicopter and shipped immediately?

"CSIRT can benefit from such an arrangement. During busy times and major incidents you need to prioritize your responses so that you can make the best use of your time. What systems and incidents need treating immediately and which can wait until you can get to them? After all, you have to seal the intrusion holes before you fix the servers, or you will just be doing it again later.

"Triage is very appropriate in my opinion, and works well for most types of emergency response: taking a few minutes to analyze the situation and prioritize your responses."

Student Timothy Dzierzek responded:

“I think that no matter how great an organization's procedures are, every incident will be different. That point probably is obvious, but even with a single, simple incident, a CSIRT needs to look at and see how their procedures fit into the response. In a mass incident, it gets much trickier. You have probably seen this on the medical side, though I hope not. There are not enough responders to go around. A CSIRT cannot possibly fix everything at once. So having a CSIRT that is skilled at triage is extremely important.”

Gary Hummel pointed out that the ENISA (European Network and Information Security Agency) "Step-by-Step Approach on How to Set Up a CSIRT" agrees (p. 49):

“Triage is an essential element of any incident management capability, particularly for any established CSIRT… This process can help to identify potential security problems and prioritize the workload.”
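To make the help-desk triage and routing process described above concrete, and to show the ordering that Stanley Jamrog's "seal the intrusion holes before you fix the servers" point implies, here is a small Python example. It is an added illustration written for this page, not code from the column, the students, or ENISA. The organization profiles, category weights, team names, playbook steps and sample tickets are all assumptions chosen to mirror the financial-versus-retailer contrast in the discussion.

```python
"""Added example: help-desk triage for security incidents.

Constructed for illustration; the profiles, weights, team names and sample
tickets below are assumptions, not data from the column or from ENISA.
"""
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum


class Tag(IntEnum):
    """Triage tags in the spirit of medical triage; lower value is treated first."""
    IMMEDIATE = 1   # ongoing damage with business-wide effect: pre-empts all other work
    URGENT = 2      # active or sensitive, but confined to one unit or host
    DELAYED = 3     # can wait for the next free responder
    MINIMAL = 4     # routine; the help desk handles it without escalation


@dataclass
class Incident:
    ticket: str
    category: str                  # "card-data-loss", "malware", "phishing", ...
    scope: str                     # "enterprise", "unit" or "host"
    active: bool                   # is the intrusion or data loss still ongoing?
    reporter: str = ""             # intake fields the help desk must capture
    first_seen: str = ""           # ISO-8601 timestamp supplied by the reporter
    systems: tuple = ()            # affected hosts or applications
    evidence_preserved: bool = False  # images and logs captured before any cleanup


# Assumed organization profiles: each category's business weight and the
# functional team that owns it. The same category weighs more at a financial
# organization than at a retailer, as the discussion describes.
ORG_PROFILES = {
    "financial": {"card-data-loss": (3, "csirt"), "malware": (2, "desktop-ops"),
                  "phishing": (1, "help-desk")},
    "retailer":  {"card-data-loss": (2, "transactions"), "malware": (2, "desktop-ops"),
                  "phishing": (1, "help-desk")},
}
SCOPE_WEIGHT = {"enterprise": 2, "unit": 1, "host": 0}
REQUIRED_INTAKE = ("reporter", "first_seen", "systems")


def missing_intake(inc: Incident) -> list[str]:
    """Intake fields the help desk still has to fill before triage can proceed."""
    return [f for f in REQUIRED_INTAKE if not getattr(inc, f)]


def triage(inc: Incident, org: str) -> tuple[Tag, str]:
    """Return (triage tag, owning team) for an incident at a given organization type."""
    weight, team = ORG_PROFILES[org].get(inc.category, (1, "help-desk"))
    score = weight + SCOPE_WEIGHT[inc.scope] + (2 if inc.active else 0)
    if score >= 6:
        tag = Tag.IMMEDIATE
    elif score >= 4:
        tag = Tag.URGENT
    elif score >= 2:
        tag = Tag.DELAYED
    else:
        tag = Tag.MINIMAL
    # An IMMEDIATE incident pulls in the whole CSIRT, whichever team normally owns it.
    if tag is Tag.IMMEDIATE:
        team = "csirt"
    return tag, team


def order_queue(incidents: list[Incident], org: str) -> list[Incident]:
    """Work order: by tag, then active before quiescent, then oldest first."""
    return sorted(incidents, key=lambda i: (triage(i, org)[0], not i.active, i.first_seen))


# Constructed playbook: one containment step and one recovery step per category.
PLAYBOOK = {
    "card-data-loss": [("contain", "block the exfiltration path and revoke exposed keys"),
                       ("recover", "rebuild payment hosts from a known-good image")],
    "malware":        [("contain", "isolate the host from the network"),
                       ("recover", "reimage the infected desktop")],
    "phishing":       [("contain", "block the sender and the lure URL at the gateway"),
                       ("recover", "reset the victim's password")],
}
PHASE = {"preserve": 0, "contain": 1, "recover": 2}


def plan(inc: Incident) -> list[tuple[str, str]]:
    """Order the response so evidence is preserved and the entry point sealed
    before anything is rebuilt; containment always precedes recovery."""
    steps = list(PLAYBOOK[inc.category])
    if not inc.evidence_preserved:
        steps.append(("preserve", "image affected systems and collect logs under chain of custody"))
    return sorted(steps, key=lambda s: PHASE[s[0]])


# Constructed sample tickets for one busy morning.
SAMPLE_INCIDENTS = [
    Incident("T1", "card-data-loss", "unit", True, "help desk", "2007-09-18T09:00", ("pos-db-01",)),
    Incident("T2", "malware", "host", True, "user", "2007-09-18T08:30", ("laptop-17",)),
    Incident("T3", "phishing", "host", False, "user", "2007-09-18T08:00", ("mail-gw",)),
    Incident("T4", "malware", "unit", False, "admin", "2007-09-18T08:45", ("file-srv-02",)),
]


def demo(org: str) -> list[tuple[str, str, str]]:
    """Triage the sample queue for one organization type: (ticket, tag, team)."""
    return [(i.ticket, triage(i, org)[0].name, triage(i, org)[1]) for i in order_queue(SAMPLE_INCIDENTS, org)]


if __name__ == "__main__":
    for org in ORG_PROFILES:
        print(org, demo(org))
    print(plan(SAMPLE_INCIDENTS[0]))
```

Run stand-alone, the script shows that the same card-data ticket T1 is IMMEDIATE and owned by the whole CSIRT at the financial organization but URGENT and confined to the transactions team at the retailer, where the older active malware ticket T2 is worked first; the `plan` function puts evidence preservation and containment ahead of recovery regardless of the order in which playbook steps were entered.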

In the next segment of the discussion, coming in the next column, the students looked at problem-tracking software.

* * *

Mani Akella, CISSP, is President and Technical Director at Consultantgurus, a Bridgewater, N.J., organization focused on providing Information Assurance and Surveillance services to its clients. He can be reached via e-mail and maintains a personal blog.

Rick Tuttle is a project manager at Sasol North America Inc., a Houston chemical manufacturing company. He manages desktop software deployment, including security patches and updates, and supports the company’s business continuity and compliance efforts. Rick can be reached by e-mail.


Contact the author:

M. E. Kabay, Ph.D., CISSP-ISSMP, is Associate Professor of Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and through his Web site.
