Date post: 16-Dec-2015

CPT Aneta COUFALÍKOVÁ, Ph.D.

CIRC Centre, 34.zKIS, Czech Army

[email protected]

www.circ.army.cz, www.circ.acr

CIRC Technical Centre

Content

• Basic information
• Experience and cooperation
• History
• Structure
• Information Portal CIRC
• Monitoring Technology
• Incident Desk
• Incident and Vulnerability Handling

Basic information

• Essential element of the Ministry of Defense in cyber security
• Part of the Communication and Information Systems Base
• Located in Brno

MAIN GOALS:

• Proactively identify security threats and incidents (monitoring)
• Analyses
• Rapid response
• Reporting among administrators of military ICT systems
• Share information and alerts with relevant partners in the cyber defense field
• Security awareness

Experience and cooperation

• Participating in many exercises (ICDW, Cyber Coalition, etc.) and conferences (NIAS, CYTER, etc.)
• Cooperating with many other institutions in the cyber defense field (NCIRC TC, Nebraska University, University of Defense in Brno, Masaryk University, etc.)

History

• Established in 2007 as the equivalent of the NCIRC Technical Centre
• Reached basic capability in monitoring and analyzing events in the military network
• Implemented IDS/IPS and NetFlow sensors
• Started the professional web Portal CIRC to build security awareness
• Built up a testing environment
• Running a WSUS server for patch distribution in military networks
• Started the Incident Desk as a ticketing system

Structure

CSMIS

Security technology: the Cyber Security Management & Information Systems (CSMIS) include:

• Information Portal CIRC (www.circ.acr)
• External Information Portal (www.circ.army.cz)
• Incident Desk
• Secure shared storage
• Link to SIEM (Security Information and Event Manager)
• Alerter
• Central storage for collected data
• Wiki

Information Portal CIRC

• Provides everyday awareness of possible cyber dangers and threats
• Instructs users about security threats
• Allows users to report a security incident
• Secure zone as a tool for communication between security network administrators and CIRC Technical Centre staff
• Knowledge base, link to the Incident Desk, cyber defence instructions for IT specialists

Portal parts:

• Daily News (cyber security news)
• Security (security threat descriptions, security recommendations, instructions, reports and statistics)
• Software (freeware tools for detecting and removing different kinds of threats)
• Critical Security Patches (Microsoft, Adobe, browsers)
• Publications (CIRC Bulletins, materials from workshops, dictionary …)
• FAQ (the most frequent security topics)
• About us (department introductions and contacts)
• WSUS, NTP Server (Network Time Protocol)

Monitoring Technology

Monitoring of military networks:

• Monitoring of data flows
• Evaluation of IPS/IDS events
• Processing logs of critical devices

SIEM – Security Information and Event Manager

Monitoring the functionality of cyber security technologies
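The slide lists three feeds (data flows, IPS/IDS events, logs of critical devices) that a SIEM brings together. The following is an added example, not code from the CIRC slides or the Czech Army, of what that joining step looks like: three constructed feeds are normalised into one event schema and a single assumed correlation rule promotes an IDS alert to a candidate incident when the targeted device's own log corroborates it. The record formats, addresses, host names, the critical-device inventory, the priority-to-severity mapping and the rule itself are all assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed inventory (assumed): addresses of critical devices whose logs are processed.
CRITICAL_DEVICES = {"10.0.1.10": "dc01", "10.0.1.20": "fw-edge"}

# Constructed sample feeds; all three formats are invented for this example.
# Flow records: ts,src,dst,dport,bytes. IDS alerts: Snort-like one-liners. Logs: syslog style.
FLOW_RECORDS = """\
2015-12-16T10:00:01Z,10.0.5.7,10.0.1.10,22,5400
2015-12-16T10:00:02Z,10.0.5.7,10.0.1.10,22,5600
2015-12-16T10:00:40Z,10.0.7.3,10.0.2.9,443,120000
"""
IDS_ALERTS = """\
2015-12-16T10:00:03Z [1:1000001:1] SSH brute-force attempt {TCP} 10.0.5.7:51000 -> 10.0.1.10:22 [Priority: 2]
2015-12-16T10:00:41Z [1:1000002:1] TLS to known-bad host {TCP} 10.0.7.3:44000 -> 10.0.2.9:443 [Priority: 3]
"""
DEVICE_LOGS = """\
2015-12-16T10:00:04Z dc01 sshd[812]: Failed password for root from 10.0.5.7 port 51000 ssh2
2015-12-16T10:00:05Z dc01 sshd[812]: Failed password for root from 10.0.5.7 port 51002 ssh2
2015-12-16T10:00:06Z dc01 sshd[812]: Failed password for admin from 10.0.5.7 port 51004 ssh2
2015-12-16T10:02:00Z fw-edge kernel: link up on eth1
"""

ALERT_RE = re.compile(r"^(\S+) \[(\S+)\] (.+?) \{(\w+)\} (\S+):(\d+) -> (\S+):(\d+) \[Priority: (\d)\]$")
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+?): (.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+) port (\d+)")
PRIORITY_TO_SEVERITY = {1: "high", 2: "medium", 3: "low"}  # assumed mapping


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalise_flows(text):
    """Flow records -> common event dicts."""
    events = []
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split(",")
        events.append({"ts": parse_ts(ts), "feed": "flow", "src": src, "dst": dst,
                       "dport": int(dport), "bytes": int(nbytes)})
    return events


def normalise_alerts(text):
    """IDS alert lines -> common event dicts; an unparsable line is an error, not silently dropped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            raise ValueError("unparsed IDS alert: " + line)
        ts, sid, msg, _proto, src, _sport, dst, dport, prio = m.groups()
        events.append({"ts": parse_ts(ts), "feed": "ids", "sid": sid, "msg": msg, "src": src,
                       "dst": dst, "dport": int(dport), "priority": int(prio)})
    return events


def normalise_logs(text):
    """Device log lines -> common event dicts, tagging authentication failures."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            raise ValueError("unparsed log line: " + line)
        ts, host, program, body = m.groups()
        event = {"ts": parse_ts(ts), "feed": "log", "host": host, "program": program, "msg": body}
        failed = FAILED_RE.search(body)
        if failed:
            event.update(auth_failure=True, user=failed.group(1), src=failed.group(2))
        events.append(event)
    return events


def correlate(alerts, flows, logs, window=timedelta(seconds=60), threshold=3):
    """Assumed rule: an IDS alert against a critical device becomes a high-severity
    candidate incident when that device's own log shows at least `threshold`
    authentication failures from the same source within `window` of the alert.
    Bytes from matching flow records are attached as context from the data-flow feed."""
    events = []
    for alert in alerts:
        host = CRITICAL_DEVICES.get(alert["dst"])
        near = lambda other: abs(other["ts"] - alert["ts"]) <= window
        failures = [l for l in logs if l.get("auth_failure") and l["host"] == host
                    and l["src"] == alert["src"] and near(l)]
        flow_bytes = sum(f["bytes"] for f in flows
                         if f["src"] == alert["src"] and f["dst"] == alert["dst"] and near(f))
        event = {"ts": alert["ts"], "src": alert["src"], "dst": alert["dst"], "device": host,
                 "reason": alert["msg"], "flow_bytes": flow_bytes,
                 "kind": "alert", "severity": PRIORITY_TO_SEVERITY[alert["priority"]]}
        if host and len(failures) >= threshold:
            event.update(kind="candidate_incident", severity="high",
                         users=sorted({l["user"] for l in failures}),
                         reason=f"{alert['msg']} corroborated by {len(failures)} auth failures on {host}")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def run_sample():
    return correlate(normalise_alerts(IDS_ALERTS), normalise_flows(FLOW_RECORDS), normalise_logs(DEVICE_LOGS))


if __name__ == "__main__":
    for e in run_sample():
        print(e["ts"].isoformat(), e["kind"], e["severity"], e["src"], "->", e["dst"], e["reason"], e["flow_bytes"], "bytes")
```

The point of the normalisation step is that the correlation rule only has to reason about one schema (`ts`, `src`, `dst`, `host`, `auth_failure`) regardless of which sensor produced the record; the alert against a non-critical host stays a plain alert at its IDS priority, while the corroborated one is what the Watchkeepers would open a ticket for.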

Incident Desk

• Basic tool of incident handling
• Management system for ticketing
• Early warning system in case of cyber attack
• Information support for ICT administrators & supervisors
• Reports and statistics

Incident and Vulnerability Handling

Cell of Watchkeepers
• Service 24/7
• Detection
• Describing events in the tickets
• Basic analysis

Cell of Analysts / Vulnerability
• Comprehensive analysis of events
• Technical support for Watchkeepers
• Determination of false positives
• Incident identification
• Recommendation to escalate an event to a cyber security incident

Cell of Coordination
• Escalation of events to security incidents
• Classification of the incidents
• Cooperation in resolving the incident
• Incident reporting
• Incident closure

Flow: Detection → Analysis and Recommendation → Classification, Resolving and Incident closure
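The three cells above hand a ticket along a fixed path: Watchkeepers open and describe it, Analysts either determine a false positive or recommend escalation, and only Coordination escalates, classifies, resolves and closes. As an added example, not code from the CIRC slides or the Czech Army, the following models that lifecycle as a small state machine in which each transition is owned by exactly one cell, so a ticket cannot skip analysis or be closed by the wrong cell. The cell names and activities come from the slides; the state names, the transition table, the classification scale, the `Ticket` class and the two constructed events are assumptions made for this example.

```python
from enum import Enum


class State(Enum):
    DETECTED = "detected"                      # Watchkeepers described the event in a ticket
    IN_ANALYSIS = "in_analysis"                # handed to the Analysts / Vulnerability cell
    FALSE_POSITIVE = "false_positive"          # Analysts determined a false positive (terminal)
    ESCALATION_RECOMMENDED = "escalation_recommended"  # Analysts recommend escalation
    INCIDENT = "incident"                      # Coordination escalated and classified the incident
    RESOLVING = "resolving"                    # Coordination cooperating in resolving it
    CLOSED = "closed"                          # Coordination reported and closed the incident


# (from_state, to_state) -> the only cell allowed to make that move (assumed mapping
# derived from the cell responsibilities on the slide).
TRANSITIONS = {
    (State.DETECTED, State.IN_ANALYSIS): "watchkeepers",
    (State.IN_ANALYSIS, State.FALSE_POSITIVE): "analysts",
    (State.IN_ANALYSIS, State.ESCALATION_RECOMMENDED): "analysts",
    (State.ESCALATION_RECOMMENDED, State.INCIDENT): "coordination",
    (State.ESCALATION_RECOMMENDED, State.IN_ANALYSIS): "coordination",  # sent back for more analysis
    (State.INCIDENT, State.RESOLVING): "coordination",
    (State.RESOLVING, State.CLOSED): "coordination",
}

CLASSIFICATIONS = {"low", "medium", "high"}  # assumed classification scale


class WorkflowError(Exception):
    """Raised when a cell attempts a move the workflow does not allow."""


class Ticket:
    def __init__(self, ticket_id, summary):
        self.ticket_id = ticket_id
        self.summary = summary
        self.state = State.DETECTED
        self.classification = None
        self.history = [("watchkeepers", State.DETECTED, summary)]

    def move(self, cell, new_state, note="", classification=None):
        """Apply one workflow step; refuse unknown steps and steps by the wrong cell."""
        owner = TRANSITIONS.get((self.state, new_state))
        if owner is None:
            raise WorkflowError(f"{self.ticket_id}: {self.state.value} -> {new_state.value} is not a workflow step")
        if owner != cell:
            raise WorkflowError(f"{self.ticket_id}: only the {owner} cell may move {self.state.value} -> {new_state.value}")
        if new_state is State.INCIDENT:
            # Escalating to an incident is where Coordination classifies it, so require a value here.
            if classification not in CLASSIFICATIONS:
                raise WorkflowError(f"{self.ticket_id}: escalation requires a classification from {sorted(CLASSIFICATIONS)}")
            self.classification = classification
        self.state = new_state
        self.history.append((cell, new_state, note))
        return self


def run_sample():
    """Walk two constructed events through the workflow and return both tickets."""
    # Constructed event 1: an IDS alert that analysis shows to be a false positive.
    fp = Ticket("T-1", "IDS alert: suspected scan from the authorised vulnerability scanner (constructed)")
    fp.move("watchkeepers", State.IN_ANALYSIS, "basic analysis done, handed over")
    fp.move("analysts", State.FALSE_POSITIVE, "source is the scheduled scanner")

    # Constructed event 2: repeated failed logons that become a real incident.
    inc = Ticket("T-2", "repeated failed logons on a critical device (constructed)")
    inc.move("watchkeepers", State.IN_ANALYSIS, "basic analysis done, handed over")
    inc.move("analysts", State.ESCALATION_RECOMMENDED, "credential attack confirmed")
    inc.move("coordination", State.INCIDENT, "escalated", classification="high")
    inc.move("coordination", State.RESOLVING, "administrators informed via the Incident Desk")
    inc.move("coordination", State.CLOSED, "report issued, incident closed")
    return fp, inc


def illegal_moves_rejected():
    """True if both a skipped step and a wrong-cell step are refused and leave the ticket untouched."""
    t = Ticket("T-3", "constructed event")
    refused = 0
    for cell, target in (("watchkeepers", State.CLOSED), ("analysts", State.IN_ANALYSIS)):
        try:
            t.move(cell, target)
        except WorkflowError:
            refused += 1
    return refused == 2 and t.state is State.DETECTED and len(t.history) == 1


if __name__ == "__main__":
    for t in run_sample():
        print(t.ticket_id, t.state.value, t.classification, f"{len(t.history)} history entries")
    print("illegal moves rejected:", illegal_moves_rejected())
```

Keeping the ownership in a single table makes the division of labour between the cells auditable: the ticket history records which cell took each step, and a reviewer can read the allowed path straight from `TRANSITIONS` rather than from scattered `if` checks.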

Workflow SCIRC – Local Administrators

Flowchart: User → "Is LA available?" → Yes: report to the LA / No: report via Portal CIRC (www.circ.acr, www.circ.army.cz) or e-mail

The user is responsible for reporting every security offence, including suspicion of a possible incident, to the Local Administrator (LA).

If the LA is absent, the user reports via the special form „Reporting of security incident“ on Portal CIRC (www.circ.acr or www.circ.army.cz), or by e-mail to [email protected] or [email protected].

During non-working hours the user reports by e-mail to [email protected] or [email protected],


Recommended