1 / 25

University of Florida Incident Tracking and Reporting

University of Florida Incident Tracking and Reporting. Kathy Bergsma kbergsma@ufl.edu. About UF. Land-grant institution Research, education, and extension Over 50,000 students Over 50,000 network nodes First dedicated IT security position in 1999. Now 4 FTE. Your Institution.

vail
Download Presentation

University of Florida Incident Tracking and Reporting

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. University of Florida Incident Tracking and Reporting Kathy Bergsma kbergsma@ufl.edu

  2. About UF • Land-grant institution • Research, education, and extension • Over 50,000 students • Over 50,000 network nodes • First dedicated IT security position in 1999. Now 4 FTE.

  3. Your Institution • How many are from institutions with greater than 30,000 students? • Is your institution de-centralized? • Does your institution… • have incident response standards and procedures? • track IT contacts? • track incidents? • deliver incident reports?

  4. Contact Tracking • Contact database • Network managers • Server managers • Information Security Managers • Information Security Administrators • Much more

  5. UF Incident Response Standard http://www.it.ufl.edu/policies/security/uf-it-sec-incident-response-rewrite.html • An incident is “an event that impacts or has the potential to impact the confidentiality, availability, or integrity of UF IT resources.” • Describes eight incident response steps from discovery to resolution • Establishes UF Incident Response Team and their responsibility • Defines Unit responsibility • Specific procedures for each incident type

  6. Incident Identification Sources • IDS • Email abuse complaints • Flow data • Honeypots

  7. Incident Tracking • Critical fields tracked • IP address • Unit • Incident type • Incident severity • Time to contain • Time to resolve

  8. Ticket Creation • Manual: Web form interface to Remedy on the backend. Some fields such as contacts are automatically populated • Semi automated: Batch processing scripts for ircbots or IP lists • Fully automated: Daedalus home-grown automated ticket creation.

  9. Daedalus • Message processor using threat configs • Input • IDS event • Flow event • Email notification • Output • Remedy ticket • Email notification

  10. Incident Resolution • Daily reports to UF incident response team identifying open tickets • Bi-weekly automated reminders about open tickets to ticket owners

  11. Vulnerability Detection • Continuous Nessus top-20 scans • Results tracked in SQL • No Remedy ticket because next scan will usually identify resolution • Recidivism reports identify unresolved vulnerabilities.

  12. Incident Reports • Cover letter includes • Request to update contact information • List and description of graphs • General campus trends • Link to detailed ticket information • Confidentiality statement • Periodic survey of report value

  13. Incident Reports • Each of the following graphs compares the unit to the 5 most active units: • Number of incidents • Number of incidents adjusted for unit size • Average number of days to contain incidents • Number of critical vulnerabilities • Number of critical vulnerabilities adjusted for unit size

  14. Incident Reports • Number of each incident type • Comparison of current semester to same semester last year of: • Number of incidents • Average days to contain • Number of critical vulnerabilities

  15. Executive Incident Summary • Table listing all units • Total Number of Incidents • Containment Time • Total Number of Vulnerabilities

  16. Survey of Report Value • Of the units that responded to the survey: • 100% found reports useful • 85% approved of report frequency • 46% made changes to their information security program as a result of the reports • Ways in which the reports are used: • 33% compliance review • 26% risk assessment • 22% strategic planning • 19% budget planning

  17. Survey of Report Value • Cause of incident increase or decrease: • 34% awareness and training • 21% policy and procedures • 21% security infrastructure • 14% security staff • 10% other • 100% were familiar with UF policy • Degree of policy compliance • 57% very compliant • 36% mostly compliant • 7% somewhat compliant

  18. Questions? Thank you, Kathy Bergsma kbergsma@ufl.edu

More Related