Building or modernising own CSIRT/SOC: Practical tips
Dr. Vilius Benetis
CEO
Our project geography
South Asia, Africa, South America, Europe
Building cybersecurity centers (CSIRTs) since 1998.
Establishing CSIRT/SOC teams globally to confront cyberattacks and cyber crime.
Currently a fully-packaged team trusted by ITU for the job, globally.
True needs for CSIRT/SOC
1. When an attack hits: is there a skilled team ready to respond and handle cyber-incidents using a well-known and internationally accepted incident response method?
2. Cyber crime is international: is your team trusted by the international community to provide support during your investigations?
Who should have a CSIRT/SOC?
When an organisation is substantially digital, i.e.:
1. Processes a lot of data, especially sensitive data: personal, financial, etc.
2. Automates processes heavily
3. Is part of critical infrastructure
4. Is highly susceptible to cyber threats
Defining CSIRT/SOC/CERT/ISAC
IT security teams mature into Computer Security Incident Response Teams (CSIRT), synonymous with:
▪ CERT: Computer Emergency Response Team
▪ PSIRT: Product Security Incident Response Team
▪ CIRT: Cybersecurity Incident Response Team
▪ ISAC: Information Sharing and Analysis Center
A Security Operations Center (SOC) is a partial implementation of the CSIRT model, primarily focused on internal monitoring, detection and triage.
How to make it work?
Establishing CSIRT/SOC
Different CSIRT/SOC stacks
Lessons learned
Lesson #1: Mandate is the key enabler
▪ The most difficult part is to get it signed/adopted
▪ It empowers the team to act
▪ Sometimes it comes only after tangible results have been achieved
▪ Iterative approach then: data centre, then government, then national
▪ It triggers the related essential components to be established:
▪ Technology
▪ Processes
▪ Skills
Mandates are different and unique:
▪ Central Bank of Egypt CSIRT vs. Bangladesh e-GOV CSIRT vs. Cyprus National CSIRT
Lessons learned (cont.)
Lesson #2: Leadership / passion inside the CSIRT team is the second key enabler
▪ To lead through uncertainty, growth and recognition
▪ Clear vision and focus on execution (relates to the Mandate)
▪ Focus on establishing trust/reputation
Lessons learned (cont.)
Lesson #3: Do a few things well (at least initially)
▪ Select services from the list and concentrate on them
5 key things to take away
1. Definitions matter: cybersecurity, CSIRT/SOC, incident, mandate, cybercrime…
2. CSIRT/SOC is a de facto framework for cybersecurity operations
3. Experience ensures success; however, it will still take at least a year to build operations
4. There are experienced consultants to help you on your journey; however, the actual work is done by you
5. Regardless of your size, you should start now!
Why work with NRD Cyber Security?
1. Focused on building strong, capable CERT/CSIRT/SOC teams
2. Constructing relevant visibility for technical and policy decision making on cyber security and metrics
3. Proven track record of success around the world
4. Very cost competitive
Let’s have a chat [email protected]
www.nrdcs.lt
Stand X149
The photos used in the presentation are either the property of NRD Cyber Security or have been downloaded from www.pexels.com
Invitation to Vilnius!
▪ NRD Cyber Security is ITU Centre of Excellence for the European Region 2019-22
▪ Training course for your calendars: Incident Response Practice
▪ Dates and place: 17-20th September, Vilnius, Lithuania
▪ Designed for: CSIRT/SOC members, all incident handlers, IT professionals and anyone who is interested in incident handling and response
▪ Delivered by:
Marius Urkis, NRD CSIRT lead, cybersecurity incident response and forensics expert
Rimtautas Černiauskas, technical cybersecurity consultant, investigator