University of Florida Incident Tracking and Reporting
Kathy [email protected]
About UF
- Land-grant institution: research, education, and extension
- Over 50,000 students
- Over 50,000 network nodes
- First dedicated IT security position in 1999. Now 4 FTE.
Your Institution
- How many are from institutions with greater than 30,000 students?
- Is your institution de-centralized?
- Does your institution...
  - have incident response standards and procedures?
  - track IT contacts?
  - track incidents?
  - deliver incident reports?
Contact Tracking
- Contact database
  - Network managers
  - Server managers
  - Information Security Managers
  - Information Security Administrators
  - Much more
UF Incident Response Standard
http://www.it.ufl.edu/policies/security/uf-it-sec-incident-response-rewrite.html
- An incident is "an event that impacts or has the potential to impact the confidentiality, availability, or integrity of UF IT resources."
- Describes eight incident response steps from discovery to resolution
- Establishes the UF Incident Response Team and its responsibilities
- Defines Unit responsibility
- Specific procedures for each incident type
Incident Identification Sources
- IDS
- Email abuse complaints
- Flow data
- Honeypots
Incident Tracking
- Critical fields tracked:
  - IP address
  - Unit
  - Incident type
  - Incident severity
  - Time to contain
  - Time to resolve
Ticket Creation
- Manual: web form interface with Remedy on the backend. Some fields, such as contacts, are automatically populated.
- Semi-automated: batch processing scripts for IRC bots or IP lists.
- Fully automated: Daedalus, home-grown automated ticket creation.
Daedalus
- Message processor using threat configs
- Input:
  - IDS event
  - Flow event
  - Email notification
- Output:
  - Remedy ticket
  - Email notification
Incident Resolution
- Daily reports to the UF incident response team identifying open tickets
- Bi-weekly automated reminders about open tickets to ticket owners
Vulnerability Detection
- Continuous Nessus top-20 scans
- Results tracked in SQL
- No Remedy ticket, because the next scan will usually identify resolution
- Recidivism reports identify unresolved vulnerabilities
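The scan-tracking idea on this slide, as an added example that is not UF's tooling: successive scan result sets are kept, resolution is inferred when a finding is absent from the next scan (so no ticket is opened), and a recidivism report lists findings that persist across a number of consecutive scans. The scan dates, addresses and vulnerability labels are constructed.

```python
# Added example, not UF's scan tracking. Keeps successive Nessus-style scan
# result sets and derives (a) resolutions, by noticing a finding is absent
# from the next scan, and (b) a recidivism report of findings that persist.
# Scan dates, addresses and vulnerability labels are constructed.

# Constructed results, oldest first: (scan date, set of (ip, vuln label, severity))
SCANS = [
    ("2004-03-01", {("10.1.0.5", "VULN-A", "critical"),
                    ("10.2.0.9", "VULN-B", "critical"),
                    ("10.1.0.7", "VULN-C", "high")}),
    ("2004-03-08", {("10.1.0.5", "VULN-A", "critical"),
                    ("10.1.0.7", "VULN-C", "high")}),
    ("2004-03-15", {("10.1.0.5", "VULN-A", "critical"),
                    ("10.3.0.2", "VULN-A", "critical")}),
]


def finding_history(scans):
    """finding -> list of scan dates in which it was seen, in scan order."""
    history = {}
    for date, findings in scans:
        for f in findings:
            history.setdefault(f, []).append(date)
    return history


def resolutions(scans):
    """Findings that disappeared between consecutive scans.
    Returns (finding, date of the scan that no longer reported it);
    this replaces closing a ticket by hand."""
    resolved = []
    for (_, prev), (date, cur) in zip(scans, scans[1:]):
        for f in sorted(prev - cur):
            resolved.append((f, date))
    return resolved


def longest_consecutive_run(dates_seen, scan_order):
    """Longest streak of back-to-back scans in which a finding appeared."""
    indices = sorted(scan_order.index(d) for d in dates_seen)
    best = run = 1
    for a, b in zip(indices, indices[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def recidivism_report(scans, min_scans=3, severity="critical"):
    """Findings of the given severity seen in at least min_scans consecutive
    scans, ranked by how long they have persisted."""
    scan_order = [date for date, _ in scans]
    report = []
    for finding, dates in finding_history(scans).items():
        ip, vuln, sev = finding
        if sev != severity:
            continue
        run = longest_consecutive_run(dates, scan_order)
        if run >= min_scans:
            report.append({"ip": ip, "vuln": vuln, "scans_seen": run,
                           "first_seen": dates[0]})
    return sorted(report, key=lambda r: (-r["scans_seen"], r["ip"]))


if __name__ == "__main__":
    for finding, date in resolutions(SCANS):
        print("resolved by", date, finding)
    for row in recidivism_report(SCANS):
        print("recidivist:", row)
```

Findings of lower severity are filtered out of the recidivism report by default so that it matches the "critical vulnerabilities" number the incident reports graph; pass a different `severity` to report on others.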
Incident Reports
- Cover letter includes:
  - Request to update contact information
  - List and description of graphs
  - General campus trends
  - Link to detailed ticket information
  - Confidentiality statement
  - Periodic survey of report value
Incident Reports
- Each of the following graphs compares the unit to the 5 most active units:
  - Number of incidents
  - Number of incidents adjusted for unit size
  - Average number of days to contain incidents
  - Number of critical vulnerabilities
  - Number of critical vulnerabilities adjusted for unit size
Incident Reports
- Number of each incident type
- Comparison of the current semester to the same semester last year of:
  - Number of incidents
  - Average days to contain
  - Number of critical vulnerabilities
Executive Incident Summary
- Table listing all units:
  - Total number of incidents
  - Containment time
  - Total number of vulnerabilities
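The pipeline from the Daedalus and Incident Tracking slides through to the per-unit report numbers, as an added example that is not UF's Daedalus or Remedy code: a message processor applies threat configs to IDS, flow and e-mail events, builds a ticket carrying the critical fields (IP, unit, type, severity, time to contain/resolve), auto-populates the contact from a contact database, and then computes per-unit incident counts, counts adjusted for unit size, and average days to contain, ranking units so a report can compare one unit to the most active ones. The contact database, threat configs, events and containment times are all constructed.

```python
# Added example, not UF's Daedalus or Remedy code. A toy message processor
# that turns events into tickets with the critical fields, plus the per-unit
# numbers the incident reports graph. All data below is constructed.
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed contact database: unit -> address block, contact, node count
CONTACTS = {
    "Engineering": {"net": ip_network("10.1.0.0/16"), "contact": "eng-isa@example.edu", "nodes": 4000},
    "Libraries":   {"net": ip_network("10.2.0.0/16"), "contact": "lib-isa@example.edu", "nodes": 500},
    "Medicine":    {"net": ip_network("10.3.0.0/16"), "contact": "med-isa@example.edu", "nodes": 8000},
}

# Constructed threat configs: (source, signature) -> (incident type, severity)
THREAT_CONFIGS = {
    ("ids", "irc-bot-c2"):        ("compromised host", "critical"),
    ("flow", "outbound-scan"):    ("scanning", "high"),
    ("email", "abuse-complaint"): ("abuse", "medium"),
}


def unit_for_ip(ip):
    """Look the unit up by the address block it owns ("unknown" if none matches)."""
    addr = ip_address(ip)
    for unit, info in CONTACTS.items():
        if addr in info["net"]:
            return unit
    return "unknown"


def create_ticket(event, ticket_id):
    """Message-processor step: apply the threat config and build a ticket.
    Events with no matching config produce no ticket (returns None)."""
    config = THREAT_CONFIGS.get((event["source"], event["signature"]))
    if config is None:
        return None
    incident_type, severity = config
    unit = unit_for_ip(event["ip"])
    return {
        "id": ticket_id,
        "ip": event["ip"],
        "unit": unit,
        "contact": CONTACTS.get(unit, {}).get("contact"),  # auto-populated
        "type": incident_type,
        "severity": severity,
        "opened": event["time"],
        "contained": None,   # set by the unit when the host is contained
        "resolved": None,
    }


def process_events(events):
    tickets = []
    for event in events:
        ticket = create_ticket(event, ticket_id=len(tickets) + 1)
        if ticket is not None:
            tickets.append(ticket)
    return tickets


def days_between(start, end):
    return (end - start).total_seconds() / 86400


def unit_metrics(tickets):
    """Per unit: incident count, count per 1000 nodes, mean days to contain."""
    metrics = {}
    for t in tickets:
        m = metrics.setdefault(t["unit"], {"incidents": 0, "contain_days": []})
        m["incidents"] += 1
        if t["contained"] is not None:
            m["contain_days"].append(days_between(t["opened"], t["contained"]))
    for unit, m in metrics.items():
        nodes = CONTACTS.get(unit, {}).get("nodes")
        m["per_1000_nodes"] = round(m["incidents"] * 1000 / nodes, 2) if nodes else None
        days = m.pop("contain_days")
        m["avg_days_to_contain"] = round(sum(days) / len(days), 2) if days else None
    return metrics


def most_active_units(metrics, n=5):
    """Units ranked by incident count; the reports compare each unit to the top 5."""
    return sorted(metrics, key=lambda u: metrics[u]["incidents"], reverse=True)[:n]


# Constructed sample events, as a Daedalus-style processor would receive them
EVENTS = [
    {"source": "ids",   "signature": "irc-bot-c2",      "ip": "10.1.0.5", "time": datetime(2004, 9, 1, 8, 0)},
    {"source": "flow",  "signature": "outbound-scan",   "ip": "10.1.0.9", "time": datetime(2004, 9, 2, 9, 0)},
    {"source": "email", "signature": "abuse-complaint", "ip": "10.2.0.4", "time": datetime(2004, 9, 3, 10, 0)},
    {"source": "ids",   "signature": "unknown-sig",     "ip": "10.3.0.7", "time": datetime(2004, 9, 3, 11, 0)},
]


def sample_run():
    """Process the constructed events, record two constructed containment times,
    and return (tickets, per-unit metrics)."""
    tickets = process_events(EVENTS)
    tickets[0]["contained"] = datetime(2004, 9, 3, 8, 0)    # 2 days
    tickets[1]["contained"] = datetime(2004, 9, 2, 21, 0)   # 0.5 day
    return tickets, unit_metrics(tickets)


if __name__ == "__main__":
    tickets, metrics = sample_run()
    for unit in most_active_units(metrics):
        print(unit, metrics[unit])
```

The event with no threat config is dropped rather than ticketed, which is the point of driving the processor from configs: only signatures someone has classified reach Remedy. Size adjustment uses the node count from the contact database, so keeping that database current (the cover letter's request to update contact information) directly affects the report numbers.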
Survey of Report Value
- Of the units that responded to the survey:
  - 100% found reports useful
  - 85% approved of report frequency
  - 46% made changes to their information security program as a result of the reports
- Ways in which the reports are used:
  - 33% compliance review
  - 26% risk assessment
  - 22% strategic planning
  - 19% budget planning
Survey of Report Value
- Cause of incident increase or decrease:
  - 34% awareness and training
  - 21% policy and procedures
  - 21% security infrastructure
  - 14% security staff
  - 10% other
- 100% were familiar with UF policy
- Degree of policy compliance:
  - 57% very compliant
  - 36% mostly compliant
  - 7% somewhat compliant
Questions?
Thank you, Kathy [email protected]