9. Managing Things
• Managing Security Incidents
o Reduce Impact of Security Incidents
o Prevent Security Incidents from Occurring
o Fixing actual vulnerabilities
o Gain insights about emerging threats or incidents (Information Security & Analysis Centers, Threat Intel Feeds)
o Collaborate with other stakeholders (e.g. investigation, policy/strategy)
• Managing Security Incident Response Teams
o Establishing CSIRT
o Operationalizing CSIRT
o Having the right skill-sets, knowledge and tools
o Being part of the community
11. Don’t Phish Me!
• Online Banking
• Traditional Phishing (email ->
• Multiple Banks
• CERT receiving reports but coordination is needed
• Money Mules!
• Outcomes – coordinated plan, LEA engagement, Awareness for Customers, Browser Plugin
Anti Phishing Working Group
12. Key Ingredient – People
• Who is going to work in the team
• Role/Position = $$
• Training and capacity development
o Go deeper and wider
• Transitioning from non-security, non-secops
• Upskilling for tech folks – management
Sri Lanka CERT Cyber Security Awareness Week (2016)
13. Annual National Cyber Security Exercise 2007 - XMAYA
Plan for Critical
o National Security Council
o Support by Sector Lead of
o Drill Development & Preparation by National
o Good view of policy vs
o Roles & Responsibilities
o Capacity Development –
• Different Set of Challenges for National vs Enterprise CERTs
• Getting started **
• Organisational – Mandate/Responsibility, Sustainability and Expansion
• Operational – visibility, resources, collaboration & coordination
15. Challenges - Continuity
• Continuity – change is expected
• Consistent policy, vision needed
• Positive = CERT expanding into a cyber security agency
• Negative = No funding for CERT, hostile takeovers
• Strengthening the Stakeholders
• User base and technology is dynamic
• Supporting the ecosystem – Resources, Training & Infrastructure
16. CERT/CSIRT in the Pacific Project
• Interest in setting up a National CERT (starting with CERT Tonga) in 2016
• Kick Start – Series of Workshops
o Establishing & Operationalizing a CERT in the context of the
o Collaboration + Networking (with other partners PACSON, APCERT & FIRST)
o On the job training
o Sharing ideas, success stories etc.
• Created momentum in other areas of cyber security, e.g. education & awareness, support for LEAs and other
17. Where are we?
1. Do you have an incident response plan?
2. What are the top 5 threats last year or last month?
3. Where do cyber security incidents* get reported?
4. Is there an active information sharing network for security practitioners or security teams?
5. Is there good visibility of what is happening in the environment?
6. Are organisations assessed to deal with data breach incidents or ransomware? How is the coverage?
7. Are there any activities related to the coordination of incidents within a specific economic sector or at the national level?
19. Takeaways
• Appreciation of Incident Response in the Bigger Security Picture
• Cyber Resilience is not an option
• Continuous process
• Dedicated Teams & Capabilities
• Challenges – Getting Started, Expanding
• Requires planning, resources and
• Our role – support & do something now