We implemented a CSIRT based on several frameworks and a maturity model, including the FIRST Services Framework, SIM3 and some documents devised in Japan. This presentation explains how we used these documents.
Implementing CSIRT based on some frameworks and maturity model
1. Implementing CSIRT based on some frameworks and a maturity model
Jun 7, 2020
Akitsugu Ito
Cyber Security Defense Department (CSDD)
Rakuten, Inc.
2. Who am I?
Akitsugu Ito (@springmoon6)
Specialties
I have worked in the security industry for 9 years.
- information security management / incident handling
- product security / quality assurance
Previous Presentations
- OWASP SAMM v2 Introduction (02/08/2020)
https://speakerdeck.com/springmoon6/owasp-samm-ver-dot-2-introduction-en
- Introduction of PSIRT Framework (08/29/2020)
https://speakerdeck.com/springmoon6/psirt-service-framework-falsegoshao-jie
5. Background
CSIRT for communicating with external stakeholders
Each industry has a closed security community, such as ICT-ISAC, which shares important threat information only among its members. To receive cyber threat information from such communities, and to strengthen communication with external stakeholders in the fight against malicious activity such as phishing, it was necessary to establish a new Rakuten Mobile CSIRT.
[Figure: organisational context of the Rakuten Mobile CSIRT. Rakuten HQ: Cyber Security Defense Department (CSDD) / Rakuten-CERT; Tech Community: System Security Lead. Rakuten Mobile: departments, CSIRT Promotion Div., Rakuten Mobile CSIRT, Rakuten Mobile Security Team, Development Team. External stakeholders: IPA, JPCERT/CC, ICT-ISAC, NISC, JAIPA, Police, CSIRT for the telecom industry in Japan.]
1. Direction
6. Relationship between Stakeholders
[Figure: organisation chart under the Representative Director/CEO, divided into Business Function and Corporate Function. Units shown: CSIRT Promotion Div., Rakuten Mobile Security Team, Service Experience Center (SXC), InfoSec Promotion Div., Legal, UX, Mobile, PR. The CSIRT Promotion Div. is marked as the narrow sense of Rakuten Mobile CSIRT; the broad sense spans several of these units.]
The narrow sense of Rakuten Mobile CSIRT is the CSIRT Promotion Div. (CSIRT Promotion office).
The broad sense of RM-CSIRT is a virtual team across the company.
1. Direction
7. CSIRT Services (CMU)
Reactive Services
- Alerts and Warnings
- Incident Handling
  - Incident Analysis
  - Incident Response on Site
  - Incident Response Support
  - Incident Response Coordination
- Vulnerability Handling
  - Vulnerability Analysis
  - Vulnerability Response
  - Vulnerability Response Coordination
- Artifact Handling
  - Artifact Analysis
  - Artifact Response
  - Artifact Response Coordination
Proactive Services
- Announcements
- Technology Watch
- Security Audits or Assessments
- Configuration and Maintenance of Security Tools, Applications, and Infrastructures
- Development of Security Tools
- Intrusion Detection Services
- Security-Related Information Dissemination
Security Quality Management Services
- Risk Analysis
- Business Continuity and Disaster Recovery Planning
- Security Consulting
- Awareness Building
- Education / Training
- Product Evaluation or Certification
Legend (team providing the service): CSIRT Promotion Div., Rakuten Mobile Security Team
1. Direction
CSIRT Services (11/2002)
https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=53046
8. Define roles and responsibilities
We defined the roles of our CSIRT (broad sense) based on Nippon CSIRT Association (NCA) materials.
We separate the roles into two categories, War Time and Peace Time. The narrow sense of the CSIRT is the Point of Contact (PoC).
2. Roles
CSIRT 人材の定義と確保 (Defining and Securing CSIRT Personnel) (03/13/2017)
https://www.nca.gr.jp/activity/imgs/recruit-hr20170313.pdf
9. Roles of CSIRT (War Time)
[Figure: role map. Roles and the responsibilities shown beside them:
- Commander: CSIRT General Manager
- PoC: coordinate with internal and external stakeholders; notification; coordination with related departments
- Incident Manager: analyse the status of incidents
- Solution Analysts: design system security, assess its effectiveness
- Investigator: investigate, forensics
- Incident Handler: vendor management / incident response
- Researcher: information gathering / monitoring, production environment / analysis
- Self Assessment: risk assessment, vulnerability management
Information flows labelled on the map: triage, define priority, explain current status, status of response, information aggregation, define the affected area, report the affected area, instruct response, inquiry, coordinate affected systems (internal system / related systems), implement, planning / promote, information sharing with executives / external stakeholders.
Solid line: information flow. Dotted line: information flow if necessary.
Teams involved: CSIRT Promotion Div., Rakuten Mobile Security Team, Service Experience Center (SXC), InfoSec Promotion Div.]
If legal confirmation or advice is needed on a daily basis, each role requests assistance from a legal advisor.
2. Roles
CSIRT 人材の定義と確保 (Defining and Securing CSIRT Personnel) (03/13/2017)
https://www.nca.gr.jp/activity/imgs/recruit-hr20170313.pdf
10. Roles of CSIRT (Peace Time)
[Figure: role map. Roles and the responsibilities shown beside them:
- Commander: CSIRT General Manager
- PoC: coordinate with internal and external stakeholders; notification; coordination with related departments
- Incident Manager: analyse the status of incidents
- Solution Analysts: design system security, assess its effectiveness; implement
- Vulnerability Assessor: information aggregation, judge security risk
- Trainer: training, regularly implemented
- Incident Handler: vendor management / incident response
- Researcher: information gathering / monitoring, production environment / analysis
- Self Assessment: risk assessment, vulnerability management
Information flows labelled on the map: confirm status, feedback, gather information, information sharing, information aggregation, define the affected area, report the affected area, coordinate affected systems (internal system / related systems), coordinate, explain current status, planning / promote, reporting to executives / external stakeholders.
Solid line: information flow. Dotted line: information flow if necessary.
Teams involved: CSIRT Promotion Div., Rakuten Mobile Security Team, Service Experience Center (SXC), InfoSec Promotion Div.]
If legal confirmation or advice is needed on a daily basis, each role requests assistance from a legal advisor.
2. Roles
CSIRT 人材の定義と確保 (Defining and Securing CSIRT Personnel) (03/13/2017)
https://www.nca.gr.jp/activity/imgs/recruit-hr20170313.pdf
11. Creating Detailed Service Lists
The FIRST Services Frameworks are high-level documents describing the services that CSIRTs and PSIRTs may provide.
FIRST Services Framework
https://www.first.org/standards/frameworks/
2. Services
12. Structure of the CSIRT Services Framework
[Figure: a Service Area contains Services, and each Service is broken down into Functions. Support Service is shown as a separate area alongside the service areas.]
CSIRT Services Framework 2.1.0 (11/2019)
https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1
2. Services
13. Service Areas
2. Services
CSIRT Services Framework 2.1.0 (11/2019)
https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1
14. Detailed Service Lists
CSIRT Service Category (CMU) | CSIRT Services (CMU) | CSIRT Services Framework v2 Service Area | CSIRT Services Framework v2 Services
Reactive Service | Alerts and warning | Information security event management | Monitoring and detection; Analyzing
Reactive Service | Incident response support | Information security incident management | Information security incident report acceptance
Reactive Service | Incident response coordination | Information security incident management | Information security incident coordination
Reactive Service | Vulnerability response coordination | Vulnerability management | Vulnerability report intake; Vulnerability coordination; Vulnerability disclosure
Proactive Service | Announcements | Information security incident management | Information security incident coordination; Vulnerability coordination
Proactive Service | Security related information dissemination | Situational awareness | Data acquisition; Analyze and interpret; Communication
2. Services
Legend (team providing the service): CSIRT Promotion Div., Rakuten Mobile Security Team, Service Experience Center (SXC), InfoSec Promotion Div.
15. What should we implement with high priority?
We referred to a maturity model (the Global CSIRT Maturity Framework, which is based on SIM3).
2. Services
Open CSIRT – SIM3 Self Assessment
http://sim3-check.opencsirt.org/#/
16. SIM3 (Security Incident Management Maturity Model)
The European Union Agency for Cybersecurity (ENISA) uses SIM3 to strengthen the national CSIRTs of the EU member states and also provides an online assessment tool based on SIM3. With it we can measure the maturity and/or capability of our security incident management.
The maturity model is built on three basic elements:
- Maturity Parameters (44)
- Maturity Quadrants (4)
- Maturity Levels (0-4)
Each Parameter belongs to one of the four Quadrants, so the Quadrants are the four main categories of Parameters: Organization, Human, Tools, Process.
Each Parameter is scored on a five-step scale: 0 = not available; 1 = implicit (known and considered, but not written down); 2 = explicit, internal (written down, but not formalized); 3 = explicit, formalized on the authority of the CSIRT head; 4 = explicit, audited on the authority of governance above the CSIRT head. The "Basic Level" values in the comparison tables that follow are Levels on this scale.
2. Services
SIM3 : Security Incident Management Maturity Model mkXVIII (03/30/2015)
https://www.trusted-introducer.org/SIM3-Reference-Model.pdf
17. Global CSIRT Maturity Framework (GCMF)
The Global CSIRT Maturity Framework is an approach from the GFCE for stimulating the development and maturity enhancement of national CSIRTs. Although it is aimed at national CSIRTs, the methodology and concepts can also be applied to other CSIRTs and incident response teams.
The framework relies on two building blocks: the Security Incident Management Maturity Model (SIM3) and the three-tier CSIRT maturity approach by ENISA:
- Basic
- Intermediate
- Advanced
We set our first goal at the Basic level.
[Figure: the four SIM3 quadrants Organization, Human, Tools, Process.]
Measure and Improve the Maturity of Your Incident Response Team (11/06/2019)
https://securityintelligence.com/articles/measure-and-improve-the-maturity-of-your-incident-response-team/
2. Services
18. Comparison table between the CSIRT Services Framework and SIM3
CSIRT Services Framework v2 Service Area | CSIRT Services Framework v2 Services | SIM3 ENISA/GCMF Basic Level
Support Service | - | 3
Information security event management | Monitoring and detection; Analyzing | 1
Information security incident management | Information security incident report acceptance | 2
Information security incident management | Information security incident coordination | 3
Vulnerability management | Vulnerability report intake; Vulnerability coordination; Vulnerability disclosure | 1
Information security incident management | Information security incident coordination; Vulnerability coordination | 3
Situational awareness | Data acquisition; Analyze and interpret; Communication | 2
2. Services
19. Enhance Support Service with the PSIRT Framework
The details of the Support Service are not described in the CSIRT Services Framework, so we enhance it with the Operational Foundations of the PSIRT Services Framework. The PSIRT framework has a similar structure to the CSIRT Services Framework; its Operational Foundations area corresponds to the CSIRT framework's Support Service area and defines more detailed services.
2. Services
[Figure: side-by-side structure diagrams. CSIRT Services Framework: Service Area, Services, Functions, plus Support Service. PSIRT Services Framework: Service Area, Services, Functions, plus Operational Foundations.]
PSIRT Services Framework version 1.1 (Spring 2020)
https://www.first.org/standards/frameworks/psirts/psirt_services_framework_v1.1
20. Comparison table between the Enhanced Support Service and GCMF
CSIRT Services Framework v2 Service Area | CSIRT Services Framework v2 Services | SIM3 ENISA/GCMF Basic Level
Support Service – Strategic | Executive Sponsorship | 3
Support Service – Strategic | Stakeholder | 3
Support Service – Strategic | Charter | 3
Support Service – Strategic | Organizational Model | 3
Support Service – Strategic | Management and Stakeholder Support | 3
Support Service – Tactical | Budget | -
Support Service – Tactical | Staff | 3
Support Service – Tactical | Resources and Tools | 1
Support Service – Operational | Policies and Procedures | 2
Support Service – Operational | Evaluation and Improvement | 1
2. Services
21. Making the KSAs of the narrow-sense CSIRT
The Staff service requires defining the detailed tasks and KSAs (Knowledge, Skills and Abilities) of the CSIRT Promotion Office. We implemented this based on SecBoK, a KSA list based on the NICE Framework.
JNSA セキュリティ知識分野 (Security Knowledge Areas) (SecBoK2019) (03/18/2019)
https://www.jnsa.org/result/2018/skillmap/
2. Services
24. Future Tasks (1)
Increase the maturity of each area, especially proactive services.
- The CSIRT Services Framework covers reactive services well, but its coverage of proactive services is not enough.
25. Future Tasks (2)
Mature some PSIRT-related areas.
- SIM3 covers vulnerability management, but it is not enough for a development organization.
Software Assurance Maturity Model (OWASP SAMM)
https://owaspsamm.org/
26. Summary - Thank you for listening
We implemented our CSIRT based on several frameworks and a maturity model.
- JPCERT/CC CSIRTマテリアル (CSIRT Material)
- CSIRT Services (CMU)
- CSIRT 人材の定義と確保 (Defining and Securing CSIRT Personnel)
- FIRST Services Framework (CSIRT / PSIRT)
- SecBoK
- SIM3
- Global CSIRT Maturity Framework (GCMF)
We plan to improve our CSIRT using some OWASP outputs.
- OWASP SAMM
Presenter's notes
The Japanese national CSIRT, JPCERT/CC, offers the JPCERT/CC CSIRT Material on its website. This manual describes how to implement a CSIRT in an organization in three steps: Concept, Build and Operation. We referred to this manual and built our CSIRT in four stages: Direction, Define Services & Roles, Dissemination and Operation. I will explain each stage from now on.