[Bp_certs] CERT/CSISRT toolbox
Green, Patrick
P.Green at warwick.ac.uk
Thu Jul 24 07:00:11 EDT 2014
Hi,
Interesting question ... I have now set up 3 CERT/CSIRTs (within institutions) and have had differing success with the use of tools and approaches. I revised the technique that I use each time and follow a process, which includes:
Decide on the initial services the CERT will provide, based on page 25 of this handbook:
http://resources.sei.cmu.edu/asset_files/Handbook/2003_002_001_14102.pdf
This decision will be down to various factors, such as the size and make-up of the constituency, the size of the proposed CERT and other factors.
Once I have that, I can then look at the tools that are needed, and build up a requirements list. Generally, these fall into two camps:
Tools for business - these are non-negotiable, they are the very core of the work of the team, and they require certain software and hardware. In this category will be monitoring software (flow, IDS, IPS etc), forensic software, and scanning systems.
Tools for management - these are the ones like ticketing systems. For this, I take a list of requirements that the tools need (eg: confidentiality for investigations) and ask for the existing IT systems to meet those requirements. If they can, that's great! If not, there are good grounds for putting in a system which is non-standard. At this point, the CERT is a customer, and it is for the IT systems to meet the requirements.
Where possible, I will use standard IT supplied systems (it's one less thing that the team has to manage).
Once the systems are in place, it then becomes an issue of building up the processes and procedures that the CERT will work to.
Hope that helps,
Patrick
> -----Original Message-----
> From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf Of El
> Yassem, T (Tarik)
> Sent: 24 July 2014 09:57
> To: bp_certs at intgovforum.org
> Subject: [Bp_certs] CERT/CSISRT toolbox
>
> Hi all,
>
> Great discussions so far, I'd like to hear your thoughts and experiences with
> regards to the specific tools we need to be effective as a CERT/CSIRT.
>
> I have found that tools are essential in order to be effective and make a
> difference. However, in many organisations the CERT/CSIRT is just a tiny
> group of people with not that much influence and usually viewed as an odd
> bunch that wants to do things differently.
>
> What I have seen in quite some places is that the CERT/CSIRT spends a lot of
> effort in the struggle to get even the most basic tools running because the IT
> department is not supporting it, or 'already have a (helpdesk) ticketing
> system'. But CERT/CSIRTs need to use more specific tools such as OTRS or
> RTIR or other tools that need to integrate with a production environment.
> Many of the tools we need are not suited for enterprise environments, and
> making the case for IT to allow the use of them is hard once things are not
> packaged, maintained, documented etc.
>
> When people are establishing the CERT/CSIRT they often think that tools are
> something that are details to be decided on once a CERT/CSIRT has been
> established. I think it would be helpful for a CERT/CSIRT to address this issue
> during the creation of it.
>
> What are your experiences with this and do you have any thoughts how we
> could improve on that as a community?
>
> Greetings,
>
> Tarik El Yassem, MSc
> Senior Security Intelligence Analyst
> Global Security Operations Centre
> Rabobank International
>
> E: tarik.el.yassem at rabobank.com
> T: +31 (0)30 71 22673
> M: +31 (0)61 93 03884
> A: Europalaan 44, 3526 KS Utrecht