Date posted: 16-Dec-2015
CPT Aneta COUFALÍKOVÁ, Ph.D.
CIRC Centre, 34.zKIS, Czech Army
www.circ.army.cz, www.circ.acr
CIRC Technical Centre
Content
• Basic information
• Experience and cooperation
• History
• Structure
• Information Portal CIRC
• Monitoring Technology
• Incident Desk
• Incident and Vulnerability Handling
Basic information
• Essential element of the Ministry of Defence in cyber security
• Part of the Communication and Information Systems Base
• Stationed in Brno
MAIN GOALS:
• Proactively identify security threats and incidents (monitoring)
• Analyses
• Rapid response
• Reporting among administrators of military ICT systems
• Share information and alerts with relevant partners in the cyber defence field
• Security awareness
Experience and cooperation
• Participating in many exercises (ICDW, Cyber Coalition, etc.) and conferences (NIAS, CYTER, etc.)
• Cooperating with many other institutions in the cyber defence field (NCIRC TC, Nebraska University, University of Defence in Brno, Masaryk University, etc.)
History
• Established in 2007 as an equivalent to the NCIRC Technical Centre
• Reached basic capability in monitoring and analysing events in the military network
• Implemented IDS/IPS and NetFlow sensors
• Started the professional web Portal CIRC to build security awareness
• Built up a testing environment
• Running a WSUS server for patch distribution in military networks
• Started the Incident Desk as a ticketing system
CSMIS
Security technology: the Cyber Security Management & Information System (CSMIS) includes:
• Information Portal CIRC (www.circ.acr)
• External Information Portal (www.circ.army.cz)
• Incident Desk
• Secure shared storage
• Link to SIEM (Security Information and Event Manager)
• Alerter
• Central storage for collected data
• Wiki
Information Portal CIRC
• Provides everyday awareness of possible cyber dangers and threats
• Instructs users about security threats
• Allows users to report a security incident
• Secure zone as a tool for communication between security network administrators and CIRC Technical Centre staff
• Knowledge base, link to the Incident Desk, cyber defence instructions for IT specialists
Portal parts:
• Daily News (cyber security news)
• Security (security threat descriptions, security recommendations, instructions, reports and statistics)
• Software (freeware tools for detecting and removing different kinds of threats)
• Critical Security Patches (Microsoft, Adobe, browsers)
• Publications (CIRC Bulletins, materials from workshops, dictionary …)
• FAQ (the most frequent security topics)
• About us (introduction of departments and contacts)
• WSUS, NTP Server (Network Time Protocol)
Monitoring Technology
• Monitoring of military networks
• Monitoring of data flows
• Evaluation of IPS/IDS events
• Processing logs of critical devices
• SIEM – Security Information and Event Manager
• Monitoring the functionality of cyber security technologies
Incident Desk
• Basic tool of incident handling
• Management system for ticketing
• Early warning system in case of cyber attack
• Information support for ICT administrators and supervisors
• Reports and statistics
Incident and Vulnerability Handling
Cell of Watchkeepers
• Service 24/7
• Detection
• Describing events in tickets
• Basic analysis
Cell of Analysts / Vulnerability
• Comprehensive analysis of events
• Technical support for Watchkeepers
• Determination of false positives
• Incident identification
• Recommendation to escalate an event to a cyber security incident
Cell of Coordination
• Escalation of events to security incidents
• Classification of incidents
• Cooperation in resolving the incident
• Incident reporting
• Incident closure
(Diagram: Detection → Analysis and Recommendation → Classification, Resolving and Incident closure)
Workflow SCIRC – Local Administrators
(Diagram: User → Local Administrator (LA); decision "Is LA available?" Yes / No; www.circ.acr, www.circ.army.cz)
• The user is responsible for reporting every security offence, including suspicion of a possible incident, to the Local Administrator (LA).
• If the LA is absent, the user reports via the special form "Reporting of security incident" on Portal CIRC (www.circ.acr or www.circ.army.cz), or via e-mail to [email protected] or [email protected].
• During non-working hours the user reports via e-mail to [email protected].