Developing CSIRTs in Brazilian NREN RNP Mission: To promote the - - PowerPoint PPT Presentation



SLIDE 1

Developing CSIRTs in Brazilian NREN

SLIDE 2

RNP

Mission: To promote the innovative use of advanced networks.

Education and research community:

  • Universities;
  • National Libraries;
  • Research Institutes;
  • Museums;
  • Teaching hospitals;
  • Others;

SLIDE 3

CAIS

SLIDE 4

CAIS

Lines of action

  • Security vulnerability handling
  • Security incident handling
  • CSIRT development
  • Information security awareness
  • Technical expertise

SLIDE 5

PFSI

Information Security Strengthening Program in RNP Customers

SLIDE 6

PFSI

Information Security Strengthening Program in RNP Customers

  • Incident Security Management System (SGIS)
  • Malicious Activity Combat
  • Security Awareness Actions
  • Support to Develop Security Policy Documents
  • Support to Create and Develop CSIRTs

SLIDE 7

Motivation

Are a corporate security team and a CSIRT the same thing?

SLIDE 8

Motivation

  • Security incidents and critical vulnerabilities have grown in recent years.
  • Need to increase InfoSec capability in the Brazilian NREN.
  • Compliance with Brazilian legal regulations, especially for organizations that are part of the Federal Public Administration.
  • Corporate security team ≠ CSIRT

Diagram labels: Security overview; Security Strengthening; Brazilian NREN; Incident handling focus

CSIRTs in RNP Customers PROJECT

SLIDE 9

CSIRTs in RNP Customers Project

Goals

  • Create a default and generic template for CSIRT establishment, applicable to the Brazilian NREN environment.
  • Define a security incident management template, with processes and procedures for all steps of the incident handling lifecycle.
  • Provide a guide and checklist to support the establishment of new CSIRTs.
  • Promote interaction between new and existing CSIRT teams.

Diagram labels: Template of CSIRT; Incident Management Guide; Interaction

CSIRTs in RNP Customers PROJECT

SLIDE 10

Technical Background

Standards

  • ISO/IEC 27035:2016
  • Normative Instruction GSI/PR Nº1:2008
  • RFC 2350
  • ABNT ISO/IEC 27002:2013

Guidelines of Security Incident Management:

  • Procedures and responsibilities;
  • Security Information Events evaluation;
  • Security Information Incidents response;
  • Evidence collection.

SLIDE 11

Technical Background

Standards

Normative Instruction GSI/PR Nº1:2008

Complementary Standard nº 05/IN01/DSIC/GSIPR: regulates the creation of new CSIRT teams in Brazilian Federal Public Administration departments and entities.

Complementary Standard nº 08/IN01/DSIC/GSIPR: establishes guidelines for Incident Management in Brazilian Federal Public Administration departments and entities.

SLIDE 12

Technical Background

Standards

RFC 2350

Best Practices of CSIRTs:

  • Mission statement and scope
  • CSIRT Policies and procedures
  • Security Communications
  • Relationships between different CSIRTs

SLIDE 13

Technical Background

Standards

ABNT ISO/IEC 27035:2016

Security incident management guideline for external organizations that provide information security incident management services.

SLIDE 14

Where to start?

SLIDE 15

Methodology

  • Planning
  • Development
  • Implementation
  • Operation

SLIDE 16

Step 1: Planning

SWOT Analysis

Methodology used to analyze the internal and external environment of an organization.

Data analysis aimed at the strategic positioning of an organization.

SLIDE 17

Step 1: Planning

Stakeholders

  • Project team
  • Board of directors
  • InfoSec Management Committee
  • Legal team
  • Heritage sector
  • IT Team
  • Employees
  • Students

Interest / Influence matrix:

  • Need to be continuously involved and kept informed of all development
  • Keep them informed, without direct involvement
  • Keep them informed, without critical responsibilities
  • Monitor whether their needs are being met

SLIDE 18

Step 2: Development

Name of CSIRT

SLIDE 19

Step 2: Development

  • Mission
  • Vision
  • Constituency
  • Services

SLIDE 20

Step 2: Development

  • Organizational Model
  • Organizational Structure
  • Authority

SLIDE 21

Step 3: Implementation

1) Infrastructure
2) People Management
3) Funding
4) Policies and procedures

SLIDE 22

Step 3: Implementation

Infrastructure

Resources

  • Hardware
  • Software
  • Network

Network diagram labels: EXTERNAL NETWORK; EXTERNAL DMZ; TEST NETWORK; INTERNAL SERVERS; LOCAL NETWORK; FIREWALL; CSIRT INTERNAL SERVICES; TESTING OF SOLUTIONS AND NEW SERVICES; CSIRT PUBLIC SERVICES; CSIRT INTERNAL DATA NETWORK

  • External network
  • DMZ
  • Internal Servers
  • Testing
  • LAN

SLIDE 23

Step 3: Implementation

People Management

Hiring

  • Curriculum analysis
  • Job interview
  • Contract details
    * Career path
    * Workload (8x5? 24x7? Weekends?)
  • Professional ethics

Firing

  • Delete user/e-mail account
  • Notice to organization

Professional development

  • Follow up / coaching
  • Events
    * CERT.br Brazilian Forum of CSIRTs
    * SBSeg (Brazilian Security Society)
    * Security Leaders
    * LACNIC / LACSEC
    * FIRST Technical Colloquium

SLIDE 24

Step 3: Implementation

Funding

  • Specific budget for the CSIRT
  • Partnership with other CSIRTs
  • Sale of services to customers
  • Submit projects to Research Funding Organizations

Policies and Procedures

  • Information handling / Information classification
  • Resource usage policies
  • Password policies
  • Communication Plan
  • Security Awareness Plan

SLIDE 25

Step 3: Implementation

Incident Management Plan

Normative Structure – Management Plans

Six main steps:

SLIDE 26

Step 3: Implementation

Incident Management Plan

Normative Structure – Management Plans

Six main steps:

  • Security incident notification channels
    * Communication systems;
    * Malicious activity detection;
  • Security incident notification elements
    * Incident description
    * IP source / destination
    * Ports / protocols / compromised services
    * Date and time (with correct GMT)

SLIDE 27

Step 3: Implementation

Incident Management Plan

Normative Structure – Management Plans

Six main steps:

SLIDE 28

Step 4: Operation

Formalization / Disclosure / Analysis

Formalization

  • CSIRT formalization document template

Disclosure

  • E-mail marketing
  • Website
  • Awareness lectures

Analysis

  • Statistics
    * Incidents by time / category
    * Most used protocols
    * IP addresses involved
  • Indicators
    * Incidents closed in/out of time
    * Incidents closed in a certain period
    * Time spent to close incidents
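The notification elements of slide 26 (description, source/destination IP, ports/protocols/services, date and time with correct GMT) and the statistics and indicators of slide 28 (incidents by category, most used protocols, IP addresses involved, incidents closed in/out of time, incidents closed in a period, time spent to close) map directly onto a small validation-and-reporting routine. The Python below is an added example and is not code from the RNP/CAIS project or its templates; it assumes notifications arrive as dictionaries (for instance from a web form or a JSON feed), uses constructed sample records with documentation-range IP addresses, and treats the 72-hour closure deadline as an assumed SLA value. The timestamp check rejects any date without an explicit UTC offset, which is the practical form of the slide's "with correct GMT" requirement.

```python
"""Validate CSIRT incident notifications and derive operational indicators.

Added example (not from the RNP/CAIS project). Sample records below are
constructed; IP addresses are from the RFC 5737 documentation ranges.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from statistics import mean
from typing import List, Optional

# Mandatory notification elements, after the list on the slide.
REQUIRED_FIELDS = ("description", "category", "src_ip", "dst_ip",
                   "port", "protocol", "service", "opened_at")
DEFAULT_SLA = timedelta(hours=72)   # assumed closure deadline, not from the slides


@dataclass
class Incident:
    description: str
    category: str
    src_ip: str
    dst_ip: str
    port: int
    protocol: str
    service: str
    opened_at: datetime             # always timezone-aware, normalized to UTC
    closed_at: Optional[datetime] = None


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO-8601 timestamp that carries an explicit UTC offset and
    normalize it to UTC. A timestamp without an offset is ambiguous between
    constituents in different time zones, so it is rejected."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError(f"timestamp lacks a UTC offset: {value!r}")
    return ts.astimezone(timezone.utc)


def parse_notification(raw: dict) -> Incident:
    """Validate one notification and return a normalized Incident."""
    missing = [f for f in REQUIRED_FIELDS if raw.get(f) in (None, "")]
    if missing:
        raise ValueError(f"missing notification elements: {missing}")
    src, dst = ip_address(raw["src_ip"]), ip_address(raw["dst_ip"])  # raises on garbage
    port = int(raw["port"])
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    opened = parse_timestamp(raw["opened_at"])
    closed = parse_timestamp(raw["closed_at"]) if raw.get("closed_at") else None
    if closed is not None and closed < opened:
        raise ValueError("closed_at precedes opened_at")
    return Incident(raw["description"], raw["category"], str(src), str(dst),
                    port, raw["protocol"].lower(), raw["service"], opened, closed)


def notification_error(raw: dict) -> Optional[str]:
    """Return None when the notification is acceptable, else the reason."""
    try:
        parse_notification(raw)
        return None
    except ValueError as exc:
        return str(exc)


# Statistics (slide 28) -------------------------------------------------------
def incidents_by_category(incidents: List[Incident]) -> Counter:
    return Counter(i.category for i in incidents)


def protocols_by_usage(incidents: List[Incident]) -> Counter:
    return Counter(i.protocol for i in incidents)


def ip_addresses_involved(incidents: List[Incident]) -> List[str]:
    return sorted({ip for i in incidents for ip in (i.src_ip, i.dst_ip)})


# Indicators (slide 28) -------------------------------------------------------
def closure_indicators(incidents: List[Incident], sla: timedelta = DEFAULT_SLA):
    """Return (closed within SLA, closed out of SLA, still open, mean hours to close)."""
    durations = [i.closed_at - i.opened_at for i in incidents if i.closed_at]
    in_time = sum(1 for d in durations if d <= sla)
    hours = [d.total_seconds() / 3600 for d in durations]
    mean_hours = mean(hours) if hours else None
    return in_time, len(durations) - in_time, len(incidents) - len(durations), mean_hours


def closed_in_period(incidents: List[Incident], start_iso: str, end_iso: str) -> int:
    start, end = parse_timestamp(start_iso), parse_timestamp(end_iso)
    return sum(1 for i in incidents if i.closed_at and start <= i.closed_at < end)


# Constructed sample notifications, mixing a local (-03:00) offset with UTC.
SAMPLE_NOTIFICATIONS = [
    {"description": "SSH brute force against login gateway", "category": "brute-force",
     "src_ip": "198.51.100.23", "dst_ip": "192.0.2.10", "port": 22, "protocol": "TCP",
     "service": "ssh", "opened_at": "2017-03-01T10:00:00-03:00",
     "closed_at": "2017-03-02T10:00:00-03:00"},
    {"description": "Phishing page on compromised web server", "category": "phishing",
     "src_ip": "203.0.113.7", "dst_ip": "192.0.2.80", "port": 80, "protocol": "tcp",
     "service": "http", "opened_at": "2017-03-03T08:30:00Z",
     "closed_at": "2017-03-08T09:00:00Z"},
    {"description": "Open DNS resolver abused for amplification", "category": "ddos",
     "src_ip": "198.51.100.23", "dst_ip": "192.0.2.53", "port": 53, "protocol": "UDP",
     "service": "dns", "opened_at": "2017-03-04T12:00:00-03:00"},
]


def load_sample() -> List[Incident]:
    return [parse_notification(n) for n in SAMPLE_NOTIFICATIONS]


if __name__ == "__main__":
    incs = load_sample()
    print("by category:", dict(incidents_by_category(incs)))
    print("protocols:", dict(protocols_by_usage(incs)))
    print("IPs involved:", ip_addresses_involved(incs))
    print("in SLA, out of SLA, open, mean hours:", closure_indicators(incs))
```

Rejecting naive timestamps at intake, rather than assuming a local zone, keeps "incidents closed in/out of time" meaningful when the constituency spans more than one time zone or when a notifier's clock offset differs from the CSIRT's.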

SLIDE 29

Step 4: Operation

Formalization

CSIRT formalization document sample

SLIDE 30

Results

– Best Practices Guide for Establishing CSIRTs in the Brazilian NREN

SLIDE 31

Results

– CSIRT Establishment Checklist

SLIDE 32

Results

– Documentation template

SLIDE 33

Results

SLIDE 34

Results

SLIDE 35

Results

SLIDE 36

Cases

Salvador/BA Santa Maria/RS

SLIDE 37

Cases

TRIIF – Incident Response Team of Instituto Federal Farroupilha

SLIDE 38

Cases

TRIIF – Incident Response Team of Instituto Federal Farroupilha

http://triif.iffarroupilha.edu.br

SLIDE 39

Cases

UFBA – Federal University of Bahia

SLIDE 40

Cases

UFBA – Federal University of Bahia

SLIDE 41

Cases

UFBA – Federal University of Bahia

SLIDE 42

SLIDE 43

CSIRTs establishment support service

SLIDE 44

Thanks!

RNP – Brazilian Educational and Research Network

CAIS – RNP Incident Security Response Team

Yuri Alexandro

Security Analyst yuri.ferreira@rnp.br

Rildo Souza

Security Analyst rildo.souza@rnp.br