Computer Security Incident Response Team Development and Evolution

Ruefle, Robin; Dorofee, Audrey; Mundie, David A.; Householder, Allen D.; Murray, Michael; Perl, Samuel J.

doi:10.1109/msp.2014.89

Cited by 56 publications

(37 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…With the purpose to accomplish this, the Academic CSIRT has: (i) reactive services, which have been designed to generate alerts and warnings, as well as provide adequate management of incidents and vulnerabilities; (ii) proactive service, with the objective of providing technological surveillance, security assessments, development of security tools, intrusion detection service, security-related dissemination, configuration and maintenance of security tools, applications and infrastructure; (iii) Security Quality Management Services, which establish security consultancies, security awareness, in addition to security education and training [2]. However, due to the amount of malicious event data, by which the Academic CSIRT handles non-automatically and together with the need to provide to their members with a tool, which allows them to effectively analyze the traffic of their respective network, this project presents a solution by using BI, in order to generate incident management services based on security presentation and data analysis.…”

Section: Definition Of Requirementsmentioning

confidence: 99%

See 1 more Smart Citation

An Integral Model to Provide Reactive and Proactive Services in an Academic CSIRT Based on Business Intelligence

Fuertes

Collazo-Reyes

Valladares

et al. 2017

Systems

View full text Add to dashboard Cite

Cyber-attacks have increased in severity and complexity. That requires, that the CERT/CSIRT research and develops new security tools. Therefore, our study focuses on the design of an integral model based on Business Intelligence (BI), which provides reactive and proactive services in a CSIRT, in order to alert and reduce any suspicious or malicious activity on information systems and data networks. To achieve this purpose, a solution has been assembled, that generates information stores, being compiled from a continuous network transmission of several internal and external sources of an organization. However, it contemplates a data warehouse, which is focused like a correlator of logs, being formed by the information of feeds with diverse formats. Furthermore, it analyzed attack detection and port scanning, obtained from sensors such as Snort and Passive Vulnerability Scanner, which are stored in a database, where the logs have been generated by the systems. With such inputs, we designed and implemented BI systems using the phases of the Ralph Kimball methodology, ETL and OLAP processes. In addition, a software application has been implemented using the SCRUM methodology, which allowed to link the obtained logs to the BI system for visualization in dynamic dashboards, with the purpose of generating early alerts and constructing complex queries using the user interface through objects structures. The results demonstrate, that this solution has generated early warnings based on the level of criticality and level of sensitivity of malware and vulnerabilities as well as monitoring efficiency, increasing the level of security of member institutions.

show abstract

Section: Definition Of Requirementsmentioning

confidence: 99%

“…The lack of coherent and rigorous management has led to government institutes, companies and universities to be targeted by cyber-attacks [2]. In addition, the speed with which an institution has been able to recognize, analyze and respond to an incident will decrease recovery costs and reduce the potentially generated damage [3].…”

Section: Introductionmentioning

confidence: 99%

An Integral Model to Provide Reactive and Proactive Services in an Academic CSIRT Based on Business Intelligence

Fuertes

Collazo-Reyes

Valladares

et al. 2017

Systems

View full text Add to dashboard Cite

show abstract

“…The job of incident responder is further conflated by claims that responders may specialize in related areas such as forensics, data mining, reverse engineering, configuration of countermeasures, or penetration testing [5]. One study has recognized the need to distinguish the incident response role (and skills used in that role) by the type of incident (routine or non-routine) [17].…”

Section: Literature Reviewmentioning

confidence: 99%

“…For example, hardware and software vendors (such as Cisco, Intel, Juniper, and IBM) have created incident response teams to address vulnerabilities in their products; organizations in many other industries have formed incident response teams to address attacks against their information and communication technology (ICT) assets or to respond when they lose customer data; and governments have created response teams to coordinate efforts around remediating vulnerabilities. Some experts observe that as incident response teams have become more common, the role has become much more specialized [4], [5].…”

Section: Introductionmentioning

confidence: 99%

Capabilities and Skill Configurations of Information Security Incident Responders

McLaughlin

D’Arcy

Cram

et al. 2017

Proceedings of the 50th Hawaii International Conference on System Sciences (2017)

View full text Add to dashboard Cite

show abstract

“…Həmin hücumlara cəld və effektiv cavab vermək bəzən çətin ola bilər. Təşkilatın tələblərinə görə bu komandalar bir neçə seqmentdə insident idarəetmə funksiyaları və fəaliyyətlərini yerinə yetirirlər [2].…”

Section: Introductionunclassified