Report: Proactive Detection of Network Security Incidents (ENISA)

This document is the final report of the ‘Proactive Detection of Network Security Incidents’ study conducted between April 2011 and September 2011. The study, commissioned by ENISA, is aimed at identifying and improving ways for CERTs to proactively detect network incidents.

The report production was commissioned to CERT Polska / NASK.
Publication date: Dec 07, 2011
Authors: Katarzyna Gorzelak, Tomasz Grudziecki, Paweł Jacewicz, Przemysław Jaroszewski, Łukasz Juszczyk, Piotr Kijewski (CERT Polska / NASK)
Editor/contributor: Agris Belasovs (ENISA)

The goal of the study was to investigate the ways in which CERTs – national and governmental ones in particular – proactively detect incidents concerning their constituencies; to identify good practice and recommended measures for new and already established CERTs; to analyse the problems they face; and to offer recommendations to relevant stakeholders on what can be done to further this process. It is important to note that the results of the study are largely community driven. That is, they are based not just on research and the experience of the experts who conducted the study, but to a large extent on the results of a survey carried out amongst 105 different CERTs (which yielded 45 responses overall) and on input from an external expert group. The outcome is thus a work by the community for the CERT community.

Proactive detection of incidents is the process of discovery of malicious activity in a CERT’s constituency through internal monitoring tools or external services that publish information about detected incidents, before the affected constituents become aware of the problem. It can be viewed as a form of early warning service from the constituents’ perspective. Effective proactive detection of network security incidents is one of the cornerstones of an efficient CERT service portfolio capability. It can greatly enhance a CERT’s operations, improve its situational awareness and enable it to handle incidents more efficiently, thus strengthening the CERT’s incident handling capability, which is one of the core services of national / governmental CERTs.

The document is structured as follows:
• Chapter 2 Introduction and background explains in more detail the research objectives of the study, intended target audience, the concept of proactive and reactive detection of incidents, as well as different approaches to detection.
• Chapter 3 Methodology used is a description of work carried out as part of the study, together with an analysis of a survey carried out amongst CERTs primarily in the European Union Member States and the setting up of an expert group.
• Chapter 4 Analysis of the survey results presents an overview of the survey results, which drives much of this study.
• Chapter 5 Inventory and description of identified services and tools is an inventory of existing services and tools that can be used by CERTs for proactive detection, along with subjective ratings.
• Chapter 6 Services and tools recommended for proactive detection by CERTs provides a list of prioritised services and tools for CERTs and explains the rationale for their selection.
• Chapter 7 Identification of shortcomings in the proactive detection of incidents identifies shortcomings and gaps in the area of proactive detection and gives recommendations on their mitigation.
• Chapter 8 Summary of recommendations provides a summary of recommendations and best practice for incident data providers, data receivers and other relevant stakeholders.