Chronic Workload Problems in Computer Security Incident Response Teams
Johannes Wiik, Jose J. Gonzalez, University of Agder, Norway
Pål I. Davidsen, University of Bergen, Norway
Klaus-Peter Kossakowski, SEI Europe, Carnegie Mellon University, Germany
-
Computer security incidents
  Low-priority incidents
  - Such as port scans, spam, fake email, and other nuisances
  - Nevertheless, a significant challenge owing to their large volume
  - Dynamics: quite accurately described as exponentially growing
  - Essential point: Cannot be matched by staff increase and CSIRT funding
  High-priority incidents
  - Such as attacks on net infrastructure, serious new worms, viruses, botnets, sniffers, account compromisers, etc.
  - Low volume, but very serious
  - Dynamics: basically oscillatory
-
CSIRTs
  Computer Security Incident Response Teams (CSIRTs/CERTs) provide one or more services:
  - incident analysis
  - incident response on site, support & coordination
  - nowadays increasing emphasis on proactive services
  Chronic situation for CSIRTs since their inception in 1988
  - CSIRTs are underfunded, understaffed
  - CSIRT staff is overworked
  Worsening situation for CSIRTs in recent years
  - Increasing volume of (mainly low-priority) incidents, automation and speed of new attack tools give CSIRT staff less and less time to react
  - Instabilities in high-priority security incident reports from the constituency (internal sites) and affected external sites
-
High-priority incidents
  - Instabilities in incident reports → instabilities in workload → inefficient use of resources
  - Problems to retain the CSIRT constituency (→ funding problems)
  - See posters # 1193 and 1212
Chart: Incident variation and site variation for high- and low-priority incidents, 1994-2005 (values as given in the chart data; site variation is only available from 2000 on, and no values are given for 1993 or for 2006-2015)

Year  Incident variation   Incident variation   Site variation   Site variation
      (high priority)      (low priority)       (high priority)  (low priority)
1994  0.05                 0.00                 -                -
1995  0.44                 0.02                 -                -
1996  0.52                 0.02                 -                -
1997  1.41                 0.06                 -                -
1998  1.56                 0.06                 -                -
1999  1.59                 0.10                 -                -
2000  1.17                 0.54                 1.29             1.68
2001  1.23                 0.95                 1.05             1.27
2002  0.77                 1.93                 0.95             0.76
2003  0.91                 4.90                 0.67             0.65
2004  0.91                 2.85                 0.92             0.90
2005  1.42                 0.57                 1.12             0.74
-
Low-priority incidents
  - Overwhelming increase in the rate of low-priority incidents
  - The workload increases accordingly
  - Human resources cannot keep pace
  (Chart: Work Load vs. Human Resources)
-
Modeling process
  Close collaboration with one of the oldest and largest coordinating CSIRTs
  Initial research questions
  - What factors limit the effectiveness of the incident response service in the CSIRT?
  - What policies can improve the effectiveness of the incident response service in the CSIRT?
  - What constitutes effective incident response in the CSIRT?
  The management and staff of the CSIRT participated in 5 face-to-face working sessions of 1-4 days over a 1-year period:
  - Eliciting of mental, written and numerical information, incl. reference behavior modes
  - Review of model structure
  - Model verification, validation & policy testing
-
Reference behavior modes
  Idealized reference behavior derived from time series data and from interviews with CSIRT management and staff
  (Chart: "Percent of low priority incidents actually handled", y-axis from 0 % to 100 %; the two plotted curves are "Fraction of low priority incidents handled (0-100%)" and "Effort to automation (0-100% of need)". Annotations on the chart:)
  - Manual productivity is sufficient
  - The manual productivity limit is reached
  - The service is gradually discontinued
  - First attempt at developing automation fails due to work overload
  - Less work pressure releases effort for automation
  - An increasing fraction of incidents is handled automatically
-
Policy structure diagram
-
Base run
-
Policy analysis scenarios
  - Fixed resource split: The CSIRT separates the workforce into two fixed workgroups instead of using it as a shared resource between tool development and incident response
  - Only automation: The CSIRT only offers automatic response
  - Maintain manual handling: The CSIRT refuses to change the service scope and only provides manual handling
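The reference behavior modes described earlier and the three policy scenarios above can be reproduced qualitatively with a small stock-and-flow simulation. The Python model below is an added example, not the authors' model and not the CSIRT's data: its structure (an exponentially growing low-priority incident rate, a constant staff shared between incident response and tool development, a service scope that management cuts under overload and restores when work pressure is low, and automation coverage that grows with the effort invested) and every parameter value are assumptions chosen only to illustrate the dynamics the poster describes. The "shared" policy stands for the base run; the other three correspond to the scenarios listed above.

```python
"""Toy system-dynamics model of CSIRT low-priority incident workload.

Hypothetical model and parameters (not the authors' model); monthly steps.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Params:
    staff: float = 10.0            # persons; human resources are held constant
    productivity: float = 100.0    # incidents one person handles manually per month
    incidents0: float = 500.0      # low-priority incidents per month at t = 0
    growth: float = 0.03           # exponential growth of the incident rate per month
    dev_rate: float = 0.01         # automation coverage gained per person-month of tool work
    max_coverage: float = 0.95     # share of incidents automation can ever handle ("100% of need")
    max_share: float = 0.5         # largest staff share the shared policy diverts to tool work
    fixed_share: float = 0.2       # staff share of the permanent tool-development group
    need_threshold: float = 0.8    # work pressure at which automation is first attempted
    target_pressure: float = 0.7   # pressure management aims for while cutting service scope
    erosion: float = 0.1           # monthly scope cut while the team is overloaded
    recovery: float = 0.05         # monthly scope restoration while pressure is low


def simulate(policy: str, months: int = 120, p: Optional[Params] = None) -> List[float]:
    """Return, per month, the fraction (0-1) of low-priority incidents handled."""
    p = p or Params()
    coverage = 0.0       # fraction of incidents handled automatically
    scope = 1.0          # fraction of manual demand the CSIRT still tries to serve
    started = False      # automation effort has been triggered by work pressure
    cutting = False      # management is discontinuing service to relieve overload
    full_capacity = p.staff * p.productivity
    out: List[float] = []
    for t in range(months):
        incidents = p.incidents0 * (1.0 + p.growth) ** t
        manual_demand = incidents * (1.0 - coverage)
        desired_manual = manual_demand * scope
        pressure = desired_manual / full_capacity      # work pressure on the whole team
        if pressure >= p.need_threshold:
            started = True
        need_left = coverage < p.max_coverage

        # Staff share diverted from incident response to tool development.
        if policy == "shared":
            # Only slack capacity goes to automation; under overload (>= 1) the attempt stalls.
            share = min(p.max_share, max(0.0, 1.0 - pressure)) if (started and need_left) else 0.0
        elif policy == "fixed_split":
            share = p.fixed_share if need_left else 0.0
        elif policy == "only_automation":
            share = 1.0                                # nobody handles incidents manually
        elif policy == "manual_only":
            share = 0.0                                # no tool development at all
        else:
            raise ValueError(f"unknown policy: {policy}")

        response_capacity = full_capacity * (1.0 - share)
        handled_manual = min(desired_manual, response_capacity)
        handled_auto = incidents * coverage
        out.append((handled_auto + handled_manual) / incidents)

        # Automation coverage is a stock fed by the effort invested this month.
        coverage = min(p.max_coverage, coverage + p.dev_rate * p.staff * share)

        # Service scope: cut gradually once the manual limit is reached, keep cutting
        # until pressure is comfortably low, and restore it while pressure stays low.
        if pressure >= 1.0:
            cutting = True
        elif pressure <= p.target_pressure:
            cutting = False
        if cutting:
            scope *= 1.0 - p.erosion
        elif pressure < p.target_pressure:
            scope += p.recovery * (1.0 - scope)
    return out


if __name__ == "__main__":
    for name in ("shared", "fixed_split", "only_automation", "manual_only"):
        run = simulate(name)
        print(f"{name:16s} month 0: {run[0]:.2f}  lowest: {min(run):.2f}  month 120: {run[-1]:.2f}")
```

With these assumed parameters the shared-resource run starts at 100 % handled, dips once the manual productivity limit is reached and the first automation attempt stalls under overload, and recovers as the reduced scope frees effort for automation, which is the reference behavior mode sketched on the poster; the manual-only run collapses toward zero because a constant staff cannot follow an exponential incident rate. How the fixed-split and only-automation policies rank against the base run depends entirely on the chosen parameters, so the model is a tool for reasoning about the structure, not an estimate of the CSIRT's outcomes.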
-
Policy runs
-
Thank you!