Effectiveness of Proactive CSIRT Services (PowerPoint presentation)



SLIDE 1

Effectiveness of Proactive CSIRT Services

Johannes Wiik, Ph.D. Fellow
Prof. José J. Gonzalez
Agder University College, Faculty of Engineering and Science, Grimstad, Norway

Dr. Klaus-Peter Kossakowski
Carnegie Mellon University, Software Engineering Institute, Frankfurt, Germany

SLIDE 2

28 June 2006

Overview

  • 1. Proactive CSIRT Services
  • 2. Organisational Learning
  • 3. Review of the Advisory Service
  • 4. Learning as a Feedback Process
  • 5. Conclusion
SLIDE 3

CSIRT's Mission

  • A CSIRT's mission is: to be a focal point for preventing, receiving and responding to computer security incidents

from: Killcrece, G., et al. (2003b). State of the Practice of Computer Security Incident Response Teams (CSIRTs). Pittsburgh, PA, USA, CMU/SEI.

SLIDE 4

Proactive Services are Key

  • CSIRTs need to deliver more proactive services to stay effective
  • CSIRTs have historically – from the beginning – provided such services
    – the advisory service is proactive in scope and has been provided since 1989
  • There are hardly any studies related
    – to what extent existing proactive services are indeed effective
    – or how to make them more effective

SLIDE 5

Our Approach

  • CSIRTs facilitate learning between information providers / vendors and their users
  • We view all proactive services as cross-organisational learning processes
  • We evaluate and compare two proactive services:
    – the common advisory service as an example of an existing service, and
    – Neighbourhood watch (NBHW) as a new service that builds on the advisory service.

SLIDE 6

What does NBHW mean?

  • Scan constituents for any detectable security vulnerability (from the outside)
    – on reachable systems
    – within defined boundaries
    – as agreed before
  • Provide comprehensive reporting to the constituents about the findings
    – changes in networks (i.e. new systems)
    – changes on systems (i.e. new ports)
    – changes in security posture (i.e. new vulnerability or advisory)

SLIDE 7

Research Questions

  • What are the weaknesses of the traditional advisory service?
  • Can NBHW overcome some of these weaknesses?

Please note: We do not expect that the traditional advisory service becomes superfluous!

SLIDE 8

Vulnerability Life Cycle

Figure: timeline of the vulnerability life cycle: vulnerability disclosed, patch released, automation of exploit, incidents.

We would rather not argue about a specific time period here, but as new vulnerabilities are continuously disclosed, a hardened system will inevitably oscillate between a vulnerable state when a vulnerability is disclosed, and a hardened state when a fix or a workaround has been applied.

SLIDE 9

Room for improvements?

  • The goal of any proactive service must be
    – to provide the information about existing vulnerabilities and available solutions
    – before automation of an exploit is taking place
    – to allow mitigation efforts from all parties involved

SLIDE 10

What needs to be done?

  • For this to happen, a CSIRT has to help its constituency to learn.
    – Indeed this is the purpose of the advisory service.
    – Nevertheless there seem to be several barriers that need to be overcome for effective learning to take place.

SLIDE 11

To be proactive, we must learn in advance!

A good way to start understanding cross-organisational learning is to use Huber's framework of 4 important contributing processes for organisations to learn:

  • Knowledge acquisition
  • Information distribution
  • Information interpretation
  • Organisational memory

SLIDE 12

Advisory service – Knowledge acquisition

  • How do we know it is the right information for the constituency?
    – Lack of relevant information makes it less useful
    – Irrelevant information is annoying and creates overload

Figure: loss chain (all relevant knowledge → knowledge acquired → information received → information interpreted correctly → information recalled from memory?), with a loss at each stage.

SLIDE 13

Advisory service – Distribution

  • How do we know that the information is received?
    – If we do not reach the right people it is less useful
    – Untimely information does not allow them to get the job done in time

Figure: loss chain (all relevant knowledge → knowledge acquired → information received → information interpreted correctly → information recalled from memory?), with a loss at each stage.

SLIDE 14

Advisory service – Interpretation

  • How do we know that the information is interpreted correctly?
    – If they don't realize the relevance they do not act upon it
    – If they do not understand they cannot act upon it

Figure: loss chain (all relevant knowledge → knowledge acquired → information received → information interpreted correctly → information recalled from memory?), with a loss at each stage.

SLIDE 15

Advisory service – Organisational Memory

  • How do we know that the information is kept available?
    – If it is not available it might not be used to re-install machines

Figure: loss chain (all relevant knowledge → knowledge acquired → information received → information interpreted correctly → information recalled from memory?), with a loss at each stage.

SLIDE 16

Advisory Service

Figure: learning processes covered by the advisory service: information distribution, information synthesising & interpretation.

In practice, the advisory service does not provide organisational memory!

SLIDE 17

If we know the gaps, we can reduce the loss

Figure: loss chain (all relevant knowledge → knowledge acquired → information received → information interpreted correctly → information recalled from memory?), with the loss at each stage marked as a gap.

Neighbourhood watch can facilitate all these processes on a continuous basis

SLIDE 18

Learning is a Feedback Process

Figure: feedback loop. The difference between the learning goal and the actual state is the knowledge gap; corrective action closes the gap.

SLIDE 19

Learning means “Closing the Gaps”

  • 1. Acquisition
    – Actual state: currently supported products
    – Gap: relevant products currently not covered
    – Goal: support all relevant products
    – Corrective action: start to monitor other relevant products
  • 2. Distribution
    – Actual state: people receiving and acting on the information
    – Gap: people are not acting on the information
    – Goal: reach all relevant people
    – Corrective action: find the right people who will take action
  • 3. Interpretation
    – Actual state: match vulnerabilities to solutions in advisories
    – Gap: vulnerabilities pending
    – Goal: remove all new vulnerabilities
    – Corrective action: take corrective action to remove new vulnerabilities
SLIDE 20

What is different about NBHW?

  • The CSIRT can now acquire knowledge about actual vulnerabilities
    – The gap between the actual and the desired state can be identified
    – Reintroduced vulnerabilities will be identified accordingly
  • New advisory information can trigger improved actions
    – ad hoc scans to inform administrators
    – assess threat level based on the past
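The reporting NBHW is described as delivering on slide 6 (new systems, new ports, new vulnerabilities or advisories) and the reintroduced vulnerabilities of slide 20 both come down to diffing successive scan snapshots and checking the history of a host. The following is an added example, not code from the presentation or from any NBHW tooling; the snapshot format (host → open ports and advisory identifiers), the host names and the advisory identifiers such as "ADV-A" are constructed for illustration.

```python
"""NBHW-style change reporting over external scan snapshots.

Added example (not from the presentation): the snapshot format, host
names and advisory identifiers below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostState:
    """What one outside scan saw on a host (assumed format)."""
    ports: frozenset = frozenset()       # open ports reachable from outside
    advisories: frozenset = frozenset()  # ids of advisories the host is vulnerable to


EMPTY = HostState()


def diff_snapshots(prev, cur, earlier=()):
    """Compare two snapshots (host -> HostState) and report the change
    classes from slide 6 (new systems, new ports, new vulnerabilities)
    plus the reintroduced vulnerabilities of slide 20.

    earlier: older snapshots, used to recognise a finding that had been
    fixed and is back, e.g. after a system was re-installed.
    """
    report = {
        "new_systems": sorted(set(cur) - set(prev)),
        "gone_systems": sorted(set(prev) - set(cur)),
        "new_ports": {},
        "new_vulnerabilities": {},
        "fixed_vulnerabilities": {},
        "reintroduced_vulnerabilities": {},
    }
    for host in sorted(cur):
        before = prev.get(host, EMPTY)   # a new system diffs against nothing
        now = cur[host]
        opened = now.ports - before.ports
        if opened:
            report["new_ports"][host] = sorted(opened)
        fixed = before.advisories - now.advisories
        if fixed:
            report["fixed_vulnerabilities"][host] = sorted(fixed)
        appeared = now.advisories - before.advisories
        seen_before = set()
        for old in earlier:
            seen_before |= old.get(host, EMPTY).advisories
        reintroduced = appeared & seen_before   # was fixed once, is back now
        brand_new = appeared - seen_before
        if reintroduced:
            report["reintroduced_vulnerabilities"][host] = sorted(reintroduced)
        if brand_new:
            report["new_vulnerabilities"][host] = sorted(brand_new)
    return report


def format_report(report):
    """Render the report as the lines a constituent would receive."""
    lines = []
    for key in ("new_systems", "gone_systems"):
        for host in report[key]:
            lines.append(f"{key}: {host}")
    for key in ("new_ports", "new_vulnerabilities",
                "fixed_vulnerabilities", "reintroduced_vulnerabilities"):
        for host, items in sorted(report[key].items()):
            lines.append(f"{key}: {host}: {', '.join(map(str, items))}")
    return lines


# Constructed snapshots of three scan runs (hosts and advisory ids are made up).
SNAP_T0 = {"web01": HostState(frozenset({80, 443}), frozenset({"ADV-A"})),
           "mail01": HostState(frozenset({25}))}
SNAP_T1 = {"web01": HostState(frozenset({80, 443}), frozenset({"ADV-D"})),  # ADV-A fixed
           "mail01": HostState(frozenset({25}))}
SNAP_T2 = {"web01": HostState(frozenset({22, 80, 443}), frozenset({"ADV-A", "ADV-B"})),
           "db01": HostState(frozenset({3306}), frozenset({"ADV-C"}))}


def example_report():
    """Diff the latest run against the previous one, with T0 as history."""
    return diff_snapshots(SNAP_T1, SNAP_T2, earlier=[SNAP_T0])


if __name__ == "__main__":
    print("\n".join(format_report(example_report())))
```

Keeping the older snapshots is what turns "ADV-A is present on web01" into "ADV-A is back on web01": without that history (the organisational memory of later slides) the finding would be reported as new and the reinstall that caused it would go unnoticed.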

SLIDE 21

Creating a Feedback Loop

  • Continuous learning needs to take place.
    – The goal is defined by the organisational memory of available solutions
  • Without the organisational memory no feedback loop can be created
  • Organisational memory is instrumental
    – to avoid the “out of sight, out of mind” mentality
    – to take action before it is actually too late

SLIDE 22

Neighbourhood Watch – Learning across organisational boundaries

Figure: causal loop diagram spanning CSIRT, constituent and vendors. Elements: Installed Solutions to Known Vulnerabilities; Rate of Publishing Advisories from CSIRT; New Acquired Vulnerability Information; Rate of Acquiring Relevant Vulnerability Information; Solution Obsolescence Rate; Organisational Memory of Solutions to Vulnerabilities; Vulnerability Gap; Rate of Storing Information for Future Use; Rate of Correction; Vulnerability Identification Through Scanning; Learning Feedback. Learning processes: Knowledge Acquisition, Information Distribution, Organisational Memory, Information Synthesising & Interpretation.
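Slides 18, 21 and 22 describe the loop qualitatively: the gap is the difference between the actual state (revealed by scanning) and the goal (the organisational memory of available solutions), and corrective action is driven by that gap. The stock-and-flow simulation below is an added example, not a model from the presentation or its authors; it borrows only the names of the stocks and rates from the slide 22 diagram, while the equations, the constant per-step inflows and every parameter value are assumptions made here to show one point: cutting either the scanning (no measured actual state) or the organisational memory (no goal) leaves the gap growing exactly as in the advisory-only case.

```python
"""Toy stock-and-flow simulation of the learning feedback loop (slides 18, 21, 22).

Added example, not from the presentation: equations and parameter values are
assumptions made here. Only the stock and rate names follow the diagram.
"""


def simulate(steps, scan_coverage, store_fraction, obsolescence=0.05,
             new_per_step=4.0, reintroduced_per_step=1.0,
             act_on_advisory=0.5, correction_speed=0.5):
    """Return the Vulnerability Gap after each step.

    scan_coverage   share of the gap that NBHW scanning identifies (0..1)
    store_fraction  share of newly published solutions stored in
                    organisational memory each step (0..1)
    obsolescence    share of stored solutions that become obsolete per step
    """
    gap = 0.0      # Vulnerability Gap: known vulnerabilities still present on constituent systems
    memory = 0.0   # share of known solutions recallable from organisational memory (0..1)
    history = []
    for _ in range(steps):
        # rate of acquiring relevant vulnerability information, plus vulnerabilities
        # reintroduced by re-installs and new systems (both assumed constant)
        gap += new_per_step + reintroduced_per_step
        # rate of storing information for future use minus solution obsolescence rate
        memory += store_fraction * (1.0 - memory) - obsolescence * memory
        # information distribution and interpretation: some recipients act on a fresh
        # advisory right away, whether or not any loop exists
        prompt_action = act_on_advisory * new_per_step
        # the feedback loop: scanning reveals the actual state (the gap) and the
        # organisational memory supplies the solution, so the backlog is worked off too
        identified = scan_coverage * gap
        loop_action = correction_speed * identified * memory
        gap -= min(gap, prompt_action + loop_action)     # rate of correction
        history.append(gap)
    return history


def compare_scenarios(steps=60):
    """Final gap for the four combinations of scanning and organisational memory."""
    return {
        "advisory only (no scan, no memory)": simulate(steps, 0.0, 0.0)[-1],
        "scan without memory": simulate(steps, 1.0, 0.0)[-1],
        "memory without scan": simulate(steps, 0.0, 0.3)[-1],
        "NBHW: scan and memory": simulate(steps, 1.0, 0.3)[-1],
    }


if __name__ == "__main__":
    for name, final_gap in compare_scenarios().items():
        print(f"{name:40s} gap after 60 steps: {final_gap:6.1f}")
```

With these assumed parameters the three incomplete loops end with the same gap, because the loop term is a product: a zero scan coverage or a zero memory share makes it vanish, leaving only the prompt reaction to fresh advisories, which cannot keep up with new and reintroduced vulnerabilities. Only the combination lets the gap settle at a small steady value; the numbers themselves are illustrative, the structure is the point.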

SLIDE 23

Learning feedbacks

Figure: learning feedbacks between vendor information, the advisory service, neighbourhood watch and the constituency.

  • Increase accuracy of information
  • Organisational memory, reuse of information
  • Synthesising information

SLIDE 24

“Unlearning”

  • NBHW will enable organizations to institutionalize more proactive measures
  • But there will be long time delays, even when compelling evidence is available.
    – A lot of “unlearning” has to take place, as people have to disregard what they considered to be the “truth” before
  • Changing a mental model is challenging!

SLIDE 25

Conclusions

  • Indeed the potential of proactive services should be seen in a cross-organisational learning process context.
  • Only if the constituents are enabled to learn effectively from the experiences of the past and from others will this potential come true.

SLIDE 26

Conclusions (2)

  • All CSIRT related activities impact each other and should not be seen as separate activities.
  • Current management approaches do not consider this aspect.
  • CSIRTs need to revisit their services and the interdependencies not yet addressed in their current setup.