
Implementing CSIRT based on some frameworks and maturity model




We implemented a CSIRT based on several frameworks and a maturity model, including the FIRST Services Framework, SIM3 and some documents devised in Japan. We will explain how to use these documents in this presentation.



  1. Implementing CSIRT based on some framework and maturity model. Jun 7, 2020. Akitsugu Ito, Cyber Security Defense Department (CSDD), Rakuten, Inc.
  2. Who am I? Akitsugu Ito (@springmoon6). I have worked in the security industry for 9 years.
     - information security management / incident handling
     - product security / quality assurance
     Previous presentations:
     - OWASP SAMM v2 Introduction (02/08/2020) https://speakerdeck.com/springmoon6/owasp-samm-ver-dot-2-introduction-en
     - Introduction of PSIRT Framework (08/29/2020) https://speakerdeck.com/springmoon6/psirt-service-framework-falsegoshao-jie
  3. Agenda
     - General Flow
     - Directions
     - Roles & Services
     - Dissemination
     - Operation
     - Future Tasks
  4. General Flow. The CSIRT was built in four stages: Direction, Define Services & Roles, Dissemination and Operation, following the Concept, Build and Operation steps of the JPCERT/CC material. Source: JPCERT/CC CSIRTマテリアル (CSIRT Material) (11/26/2015) https://www.jpcert.or.jp/csirt_material/
  5. Background (1. Direction): a CSIRT for communicating with external stakeholders. Each industry has an exclusive security community, such as ICT-ISAC, and such communities hold very important information that is shared only among members. It is necessary to establish a new Rakuten Mobile CSIRT to catch cyber threat information from these exclusive security communities and to enhance communication with external stakeholders in order to fight malicious activity such as phishing.
     [Diagram: stakeholder map. Labels: Rakuten HQ (CSDD, Rakuten-CERT, Tech Community / System Security Lead, Dept. x5); CSIRT Promotion Div., Rakuten-Mobile CSIRT, Rakuten Mobile Security Team, Rakuten Mobile Development Team; External Stakeholders: IPA, JPCERT/CC, ICT-ISAC, NISC, JAIPA, Police; "CSIRT for Telecom industry in Japan".]
  6. Relationship between Stakeholders (1. Direction). The narrow sense of Rakuten Mobile CSIRT is the CSIRT Promotion Office. The broad sense of RM-CSIRT is a virtual team across the company.
     [Diagram: organization chart. Labels: Representative Director/CEO; Corporate Function; Business Function; InfoSec Promotion Div.; Legal; UX; Mobile PR; CSIRT Promotion Div. (narrow sense of Rakuten-Mobile CSIRT); Rakuten Mobile Security Team; Service Experience Center (SXC); broad sense of Rakuten-Mobile CSIRT.]
  7. CSIRT Services (CMU) (1. Direction). The CMU service list groups services into three categories:
     - Reactive Service: Alert and Warning; Incident Handling (Incident Analysis, Incident response on site, Incident response support, Incident response coordination); Vulnerability Handling (Vulnerability analysis, Vulnerability response, Vulnerability response coordination); Artifact Handling (Artifact analysis, Artifact response, Artifact response coordination)
     - Proactive Service: Announcements; Technology Watch; Security Audits or Assessments; Configuration and Maintenance of Security Tools, Applications, and Infrastructures; Development of Security Tools; Intrusion Detection Services; Security-Related Information Dissemination
     - Security Quality Management Service: Risk Analysis; Business Continuity and Disaster Recovery Planning; Security Consulting; Awareness Building; Education / Training; Product Evaluation or Certification
     Diagram labels: CSIRT Promotion Div.; Rakuten Mobile Security Team. Source: CSIRT Services (11/2002) https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=53046
  8. Define roles and responsibilities (2. Roles). We defined the roles of our CSIRT (broad sense) based on Nippon CSIRT Association (NCA) materials. We separate roles into two categories, War Time and Peace Time. The narrow sense of the CSIRT is the Point of Contact (PoC). Source: CSIRT 人材の定義と確保 (Defining and Securing CSIRT Personnel) (03/13/2017) https://www.nca.gr.jp/activity/imgs/recruit-hr20170313.pdf
  9. Roles of CSIRT (War Time) (2. Roles). [Diagram: role chart spanning CSIRT Promotion Div., Rakuten Mobile Security Team, Service Experience Center (SXC) and InfoSec Promotion Div. Legend: solid line = information flow; dotted line = information flow if necessary. External boxes: Executives / External Stakeholders; Internal system / related system.] Roles shown:
     - Commander: CSIRT General Manager
     - PoC: coordinate with internal & external stakeholders; notification; coordination with related departments
     - Incident Manager: analyze the status of incidents
     - Solution Analysts: design system security, assess the effectiveness
     - Investigator: investigate, forensics
     - Incident Handler: vendor management / incident response
     - Researcher: information gathering / monitoring production environment / analysis
     - Self Assessment: risk assessment, vulnerability management
     Flow labels: Triage; Coordinate affected systems; Information Aggregation; Status of response; Explain current status; Define Priority; Implement; Inquiry; Instruct Response; Define the affected area; Report the affected area; Planning / Promote; Information Sharing; Coordinate. If legal confirmation or advice is needed on a daily basis, each role requests assistance from a legal advisor. Source: CSIRT 人材の定義と確保 (03/13/2017) https://www.nca.gr.jp/activity/imgs/recruit-hr20170313.pdf
  10. Roles of CSIRT (Peace Time) (2. Roles). [Diagram: same chart and departments as the War Time slide, with the same legend and external boxes.] Roles shown:
     - Commander: CSIRT General Manager
     - PoC: coordinate with internal & external stakeholders; notification; coordination with related departments
     - Incident Manager: analyze the status of incidents
     - Solution Analysts: design system security, assess the effectiveness
     - Incident Handler: vendor management / incident response
     - Researcher: information gathering / monitoring production environment / analysis
     - Vulnerability Assessor: information aggregation; judge security risk
     - Trainer: training, regularly implemented
     - Self Assessment: risk assessment, vulnerability management
     Flow labels: Confirm status; Feedback; Information Sharing; Information Aggregation; Define the affected area; Coordinate affected systems; Implement; Report the affected area; Planning / Promote; Coordinate; Explain current status; Gather Information. If legal confirmation or advice is needed on a daily basis, each role requests assistance from a legal advisor. Source: CSIRT 人材の定義と確保 (03/13/2017) https://www.nca.gr.jp/activity/imgs/recruit-hr20170313.pdf
  11. Creating Detailed Service Lists (2. Services). The FIRST Services Frameworks are high-level documents detailing the possible services CSIRTs and PSIRTs may provide. FIRST Services Framework https://www.first.org/standards/frameworks/
  12. Structure of CSIRT Services Framework (2. Services). [Diagram: a Service Area contains Services, and each Service contains Functions; a Support Service area sits alongside the other service areas.] Source: CSIRT Services Framework 2.1.0 (11/2019) https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1
  13. Service Areas (2. Services). [Diagram of the service areas.] Source: CSIRT Services Framework 2.1.0 (11/2019) https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1
  14. Detailed Service Lists (2. Services). Mapping from CMU CSIRT service category / service to CSIRT Services Framework v2 service area: services.
     - Reactive Service / Alerts and warning → Information security event management: Monitoring and Detection; Analyzing
     - Reactive Service / Incident response support → Information security incident management: Information security incident report acceptance
     - Reactive Service / Incident response coordination → Information security incident management: Information security incident coordination
     - Reactive Service / Vulnerability response coordination → Vulnerability management: Vulnerability report intake; Vulnerability coordination; Vulnerability disclosure
     - Proactive Service / Announcements → Information security incident management: Information security incident coordination; Vulnerability management: Vulnerability coordination
     - Proactive Service / Security related information dissemination → Situational Awareness: Data Acquisition; Analyze and interpret; Communication
     Diagram labels: CSIRT Promotion Div.; Rakuten Mobile Security Team; Service Experience Center (SXC); InfoSec Promotion Div.
  15. What should we implement with high priority? (2. Services). We referred to a maturity model (the Global CSIRT Maturity Framework, which is based on SIM3). Open CSIRT – SIM3 Self Assessment http://sim3-check.opencsirt.org/#/
  16. SIM3 (Security Incident Management Maturity Model) (2. Services). The European Union Agency for Cybersecurity (ENISA) uses SIM3 to strengthen the national CSIRT of each EU country and also provides an online assessment tool based on SIM3. With it we can measure the maturity and/or capability of security incident management. The maturity model is built on three basic elements:
     - Maturity Parameters (44)
     - Maturity Quadrants (4): Organization, Human, Tools, Process
     - Maturity Levels (0-4)
     Each Parameter belongs to one of the four Quadrants; the Quadrants are therefore the four main categories of Parameters. Source: SIM3: Security Incident Management Maturity Model mkXVIII (03/30/2015) https://www.trusted-introducer.org/SIM3-Reference-Model.pdf
  17. Global CSIRT Maturity Framework (GCMF) (2. Services). The Global CSIRT Maturity Framework is an approach from the GFCE for stimulating the development and maturity enhancement of national CSIRTs. Although it is aimed at national CSIRTs, the methodology and concepts can also be applied to other CSIRTs or incident response teams. The framework relies on two building blocks: the Security Incident Management Maturity Model (SIM3) and a three-tier CSIRT maturity approach by ENISA:
     - Basic
     - Intermediate
     - Advanced
     We set our first goal at the Basic level. [Diagram: Organization, Human, Tools, Process.] Source: Measure and Improve the Maturity of Your Incident Response Team (11/06/2019) https://securityintelligence.com/articles/measure-and-improve-the-maturity-of-your-incident-response-team/
  18. Comparison table between CSIRT Services Framework and SIM3 (2. Services). Columns: CSIRT Services Framework v2 service area; CSIRT Services Framework v2 services; SIM3 ENISA/GCMF Basic Level.
     - Support Service; (no services listed); Basic level 3
     - Information security event management; Monitoring and Detection, Analyzing; Basic level 1
     - Information security incident management; Information security incident report acceptance; Basic level 2
     - Information security incident management; Information security incident coordination; Basic level 3
     - Vulnerability management; Vulnerability report intake, Vulnerability coordination, Vulnerability disclosure; Basic level 1
     - Information security incident management / Vulnerability management; Information security incident coordination, Vulnerability coordination; Basic level 3
     - Situational Awareness; Data Acquisition, Analyze and interpret, Communication; Basic level 2
  19. Enhance Support Service with PSIRT Framework (2. Services). The details of the support service are not described in the CSIRT Services Framework, so we enhance the support service with the Operational Foundations area of the PSIRT Services Framework. The PSIRT framework has a structure similar to the CSIRT Services Framework (Service Area → Service → Function); its Operational Foundations area corresponds to the Support Service area and has more detailed services. [Diagram: the CSIRT Services Framework structure with Support Service beside the PSIRT Services Framework structure with Operational Foundations.] Source: PSIRT Services Framework version 1.1 (Spring 2020) https://www.first.org/standards/frameworks/psirts/psirt_services_framework_v1.1
  20. Comparison table between Enhanced Support Service and GCMF (2. Services). Columns: CSIRT Services Framework v2 service area; services; SIM3 ENISA/GCMF Basic Level.
     - Support Service – Strategic: Executive Sponsorship 3; Stakeholder 3; Charter 3; Organizational Model 3; Management and Stakeholder Support 3
     - Support Service – Tactical: Budget -; Staff 3; Resources and Tools 1
     - Support Service – Operational: Policies and Procedures 2; Evaluation and improvement 1
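As an added example (not part of the slides and not Rakuten's own tooling), the following Python script turns the "SIM3 ENISA/GCMF Basic Level" column of the two comparison tables (slides 18 and 20) into a gap analysis: it collapses services that appear in more than one row to their strictest target, checks that assessed levels lie in the SIM3 range 0-4 (slide 16), lists the services below target with the largest gap first, and answers whether the Basic tier is met. The SAMPLE_ASSESSMENT values are constructed for illustration only, not the team's real scores; the short level names are the ones the SIM3 reference model uses for levels 0 to 4.

```python
"""Gap analysis of CSIRT services against the GCMF/SIM3 Basic-tier targets.

Added example, not from the slides. Target levels are the "SIM3 ENISA/GCMF
Basic Level" values read from the comparison tables (slides 18 and 20); the
SAMPLE_ASSESSMENT below is a constructed sample, not a real assessment.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SIM3 maturity levels run from 0 to 4 (slide 16); short names per the SIM3 model.
LEVEL_NAMES = {
    0: "not available",
    1: "implicit",
    2: "explicit, internal",
    3: "explicit, formalised",
    4: "explicit, audited",
}


@dataclass(frozen=True)
class TargetRow:
    area: str
    services: Tuple[str, ...]
    target: Optional[int]  # None where the slide shows "-" (no Basic-level target)


# Rows transcribed from the comparison tables on slides 18 and 20.
BASIC_TIER_ROWS: List[TargetRow] = [
    TargetRow("Support Service - Strategic", ("Executive Sponsorship", "Stakeholder", "Charter",
                                              "Organizational Model", "Management and Stakeholder Support"), 3),
    TargetRow("Support Service - Tactical", ("Budget",), None),
    TargetRow("Support Service - Tactical", ("Staff",), 3),
    TargetRow("Support Service - Tactical", ("Resources and Tools",), 1),
    TargetRow("Support Service - Operational", ("Policies and Procedures",), 2),
    TargetRow("Support Service - Operational", ("Evaluation and improvement",), 1),
    TargetRow("Information security event management", ("Monitoring and Detection", "Analyzing"), 1),
    TargetRow("Information security incident management", ("Information security incident report acceptance",), 2),
    TargetRow("Information security incident management", ("Information security incident coordination",), 3),
    TargetRow("Vulnerability management", ("Vulnerability report intake", "Vulnerability coordination",
                                           "Vulnerability disclosure"), 1),
    # Proactive "Announcements" row: the coordination services again, at level 3.
    TargetRow("Information security incident management", ("Information security incident coordination",), 3),
    TargetRow("Vulnerability management", ("Vulnerability coordination",), 3),
    TargetRow("Situational Awareness", ("Data Acquisition", "Analyze and interpret", "Communication"), 2),
]


def effective_targets(rows: List[TargetRow] = BASIC_TIER_ROWS) -> Dict[str, Optional[int]]:
    """One target per service. A service listed in several rows (Vulnerability
    coordination appears at 1 and at 3) must satisfy the strictest, so the
    maximum wins; a service with no numeric target anywhere stays None."""
    targets: Dict[str, Optional[int]] = {}
    for row in rows:
        for service in row.services:
            prev = targets.get(service)
            if row.target is None:
                targets.setdefault(service, None)
            elif prev is None:
                targets[service] = row.target
            else:
                targets[service] = max(prev, row.target)
    return targets


@dataclass(frozen=True)
class Gap:
    service: str
    current: int
    target: int

    @property
    def size(self) -> int:
        return self.target - self.current


def gap_analysis(current: Dict[str, int], rows: List[TargetRow] = BASIC_TIER_ROWS) -> List[Gap]:
    """Services below their Basic-tier target, largest gap first (ties: higher
    target, then name). A service missing from the assessment counts as level 0."""
    gaps: List[Gap] = []
    for service, target in effective_targets(rows).items():
        if target is None:
            continue
        level = current.get(service, 0)
        if not 0 <= level <= 4:
            raise ValueError(f"{service}: SIM3 levels are 0-4, got {level}")
        if level < target:
            gaps.append(Gap(service, level, target))
    gaps.sort(key=lambda g: (-g.size, -g.target, g.service))
    return gaps


def basic_tier_met(current: Dict[str, int], rows: List[TargetRow] = BASIC_TIER_ROWS) -> bool:
    return not gap_analysis(current, rows)


def report(current: Dict[str, int], rows: List[TargetRow] = BASIC_TIER_ROWS) -> str:
    lines = [f"{g.service}: {g.current} ({LEVEL_NAMES[g.current]}) -> target {g.target} "
             f"({LEVEL_NAMES[g.target]}), gap {g.size}" for g in gap_analysis(current, rows)]
    return "\n".join(lines) if lines else "Basic tier met for all mapped services"


# Constructed sample assessment (illustrative values only).
SAMPLE_ASSESSMENT = {
    "Executive Sponsorship": 3, "Stakeholder": 2, "Charter": 1, "Organizational Model": 3,
    "Management and Stakeholder Support": 3, "Budget": 2, "Staff": 2, "Resources and Tools": 2,
    "Policies and Procedures": 1, "Evaluation and improvement": 0,
    "Monitoring and Detection": 2, "Analyzing": 1,
    "Information security incident report acceptance": 2, "Information security incident coordination": 3,
    "Vulnerability report intake": 1, "Vulnerability coordination": 1, "Vulnerability disclosure": 0,
    "Data Acquisition": 2, "Analyze and interpret": 1, "Communication": 2,
}

if __name__ == "__main__":
    print(report(SAMPLE_ASSESSMENT))
```

Running the script on the sample prints the eight services below target, with Charter and Vulnerability coordination (two levels short of 3) at the top, which is the "what should we implement with high priority" question of slide 15 answered from the tables rather than by judgement.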
  21. Making the KSA of the narrow-sense CSIRT (2. Services). The Staff service requires defining detailed tasks and the KSA (Knowledge, Skills and Abilities) of the CSIRT Promotion Office. We implement it based on SecBoK, a KSA list based on the NICE Framework. Source: JNSA セキュリティ知識分野 (Security Knowledge Areas) (SecBoK2019) (03/18/2019) https://www.jnsa.org/result/2018/skillmap/
  22. Dissemination and Coordination training (3. Dissemination)
     - Briefing session at the All Hands Meeting
     - Simple coordination training
  23. Operation (4. Operation): assessment with GCMF. [Diagram: maturity chart over Organization, Human, Tools and Process, with levels labelled Immature, Appropriate, Target and Advanced.]
  24. Future Tasks (1): increase the maturity of each area, especially proactive services.
     - The CSIRT Services Framework covers reactive services well, but proactive services are not enough.
  25. Future Tasks (2): mature some PSIRT-related areas.
     - SIM3 covers vulnerability management, but it is not enough for a development organization. Software Assurance Maturity Model (OWASP SAMM) https://owaspsamm.org/
  26. Summary. Thank you for listening. We implemented a CSIRT based on several frameworks and a maturity model:
     - JPCERT/CC CSIRTマテリアル
     - CSIRT Services (CMU)
     - CSIRT 人材の定義と確保
     - FIRST Services Framework (CSIRT / PSIRT)
     - SecBoK
     - SIM3
     - Global CSIRT Maturity Framework (GCMF)
     We plan to improve our CSIRT using some OWASP outputs.
     - OWASP SAMM

Editor's notes

  • The Japanese national CSIRT, JPCERT/CC, offers the JPCERT/CC CSIRT Material on its website. This manual describes how to implement a CSIRT in an organization. The material has three steps: Concept, Build and Operation. We referred to this manual and built our CSIRT in four stages: Direction, Define Services & Roles, Dissemination and Operation. I will explain each stage from now on.
