Tuesday, August 21, 2007

Abe Singer Highlights from USENIX Class

I didn't get to attend Abe Singer's talk Incident Response either, but again I managed to get a copy of his slides. They confirmed what I planned to do with my new company CIRT (fortunately), but I wanted to highlight some elements that I hadn't given much thought until I saw them in Abe's slides.

Abe pointed out that it's important to have incident response policies in place prior to an incident. I had always thought in terms of a plan, tools, and team, but not policies. Let me list a few items to explain.

Using language Abe secured for his university as a template, I plan to try to gain approval for something like this as a blanket incident detection and response policy at my company:

The Director of Incident Response and authorized designees have the authority to take actions necessary to contain, detect, and respond to computer incidents involving company assets.

These actions will be consistent with company policies and applicable laws.


Please note the original language said "prevent" instead of "contain," but my company has a separate security services arm. "Contain," as in "limit the damage," is more appropriate for my team's scope.

Abe also recommends explicit policies for the following:

  • Monitoring

  • Data collection and retention (I would add destruction too)

  • Node blocking and disconnection

  • Account suspension

  • Password changes

  • Reinstallation

  • Data sharing


Abe's point is that pre-coordination is essential to giving the CIRT the ability to rapidly execute its response and containment mission during an incident. Signing these policies also sets expectations for the businesses as CIRT customers.
