
Creating the Enterprise CSIRT: Building the eCrime Response Platform

Lic. Julio C. Ardita, CISM
jardita@cybsec.com

May 2010
Counter-eCrime Operations Summit (CeCOS) IV
Sao Paulo, Brasil


© 2010

Agenda

- Experiences in Incident Handling in Latinamerica
- Reaction Time
- Building of an Internal CSIRT in Latinamerican Companies

Experiences in Incident Handling in Latinamerica

FT365 Incident Handling (*), Jan-Apr
Operating areas: Argentina, Paraguay, Chile, Uruguay, Bolivia and Ecuador.

Internal CSIRT in LA companies

Incident handling: the situation in Latinamerica (LA).
- We have observed "internal CSIRTs" in banks, finance, insurance, retail and e-commerce companies.
- When is an internal CSIRT created (or when should it be)?
- Collaboration between internal CSIRTs and the Government CSIRT.
- Cultural impact: planning, documentation, communication, trust in people, etc.

Internal CSIRT in LA companies

Limited knowledge about legal aspects, digital evidence management and forensic analysis.

Types of incidents handled:
- Financial fraud
- Theft and loss of notebooks with sensitive data
- Theft of sensitive information
- Phishing attacks against local banks and companies
- Attacks on individuals (identity theft)
- Threats and false accusations through fake e-mails
- Denial of service due to viruses and worms
- Corporate sabotage (trojan horses)

Internal CSIRT Maturity in LA
- Do nothing (85%)
- Disorganized incident management (8%)
- Formal incident management for the picture (to meet audits) (4%)
- Formal incident management for real (2%)
- Internal CSIRT (<1%)

Current regulations
- Argentina: A4609 of BCRA.
- Chile: SBIF regulations.
- Colombia: Circ. Ext. 52/2007 Superintendencia Financiera.
- Paraguay: MCIIEF of BCP.
- PCI for processors, merchants, e-commerce, etc.
- etc…

Current regulations
- ISO 27001/2
- OAS / OEA: Help Member States establish national 24/7 "alert, watch, and warning" teams, also known as Computer Security Incident Response Teams (CSIRT), through technical assistance and training; build the capacity of CSIRT personnel in Member States to comply effectively with the requirements established in the OAS Comprehensive Inter-American Strategy to Combat Threats to Cyber Security; and facilitate the creation and maintenance of a hemispheric network of CSIRTs to promote the sharing of information and best practices.

What are the usual activities of an internal CSIRT in a LA company?

Reaction Time

Reaction time during a security incident

During the first hours of an incident we will have all the company's attention on us. It is essential to make the most of that momentum, as attention will start to decline (very) quickly.

[Chart: Management attention level during an incident; y-axis: % attention level (0-100), x-axis: time at 0, 12, 24, 48, 72 and 96 hours]

Building of an Internal CSIRT in Latinamerican Companies

Most LA organizations do not have formal response teams for incident handling. Since 2008 a growing number of companies have started to create internal CSIRTs. Key reasons are:
- Companies had, and still have, serious incidents.
- Regulation requires having incident response plans.
- The CSO proactively shows the need.

Most common issues
- Lack of knowledge of what a CSIRT is and does. "CSIRT" is an "evolution" of Incident Management.
- No idea about incident handling issues until a serious incident happens.
- When a serious incident occurs, most organizations turn to external private information security companies, and incidents rarely end up in court.
- CSIRT maintenance over time within the organization.

Experiences in building an internal CSIRT in LA
- Considerable coaching to explain the need and scope of an internal CSIRT.
- Development and adaptation of Incident Handling Policies and of a CSIRT Framework (no need to reinvent the wheel).
- Development of procedures that take the organization into account.
- Training of all areas and levels involved.
- Operational testing.

Security Incident Handling Policies

Topics to consider:
1. Detection and notification of Security Incidents
2. Security Incident tracking
3. Evidence gathering
4. Recovery process of affected systems
5. Disciplinary process

Internal Incident Management Procedure: flow diagram

Responsibilities:
- Management
- Information Security
- Internal Audit
- System Administrator
- Users
- Help Desk
- Legal Affairs
- Human Resources
- Physical Security
- Other areas

Internal Incident Management Procedure: flow diagram (continued)

Action List for Developing a Computer Security Incident Response Team (CSIRT) (*)
1) Identify stakeholders and participants.
2) Obtain management support and sponsorship.
3) Develop a CSIRT project plan.
4) Gather information.
5) Identify the CSIRT constituency.
6) Define the CSIRT mission, authority, and organizational model.
7) Secure funding for CSIRT operations.
8) Decide on the range and level of services the CSIRT will offer.
9) Determine the CSIRT reporting structure.
10) Identify required resources such as staff, equipment, and infrastructure.

(*) http://www.cert.org/csirts/action_list.html

Action List for Developing a Computer Security Incident Response Team (CSIRT) (*) (continued)
11) Define interactions and interfaces.
12) Define roles, responsibilities, and the corresponding authority.
13) Document the workflow.
14) Develop policies and corresponding procedures.
15) Create an implementation plan and solicit feedback.
16) Announce the CSIRT when it becomes operational.
17) Define methods for evaluating the performance of the CSIRT.
18) Have a backup plan for every element of the CSIRT.
19) Be flexible.

(*) http://www.cert.org/csirts/action_list.html

Conclusions

- The creation of CSIRTs within private organizations is growing due to the increasing occurrence of security incidents.
- The CSO should be supported by regulations and should raise awareness of Incident Handling among senior management.
- It is key to take advantage of the moment in which an incident occurs within the organization to promote an internal CSIRT.

Thank You!!! / Obrigado!!! / Gracias!!!

Lic. Julio C. Ardita, CISM
jardita@cybsec.com

May 2010
Counter-eCrime Operations Summit (CeCOS) IV
Sao Paulo, Brasil