Networks  ·∙  Services  ·∙  People                      www.geant.org      

Nicole  Harris,  Project  Development  Officer  

1st  WISE  Workshop,  Barcelona  

Lessons  from  the  Trusted  Introducer  Approach  

21st  October  2015  

GÉANT  Amsterdam  Office  

Networks  ·∙  Services  ·∙  People                      www.geant.org      

2  

TF-­‐CSIRT,  Trusted  Introducer  and  TRANSITS    

TF-­‐CSIRT  

TRANSITS  Training  

TF-­‐CSIRT  Steering  

CommiLee  

Trusted  Introducer  

•  Meets  three  Omes  a  year.  •  100  –  160  people  per  meeOng.  •  Closed,  only  for  teams  in  TI.  

•  GÉANT  Task  Force  but  not  typical.  •  Even  mix  of  NREN,  commercial,    

government  /  naOonal  CERTS.    

•  Procured  service.  •  Supports  lisOng,    

 accreditaOon  and    cerOficaOon  of  teams.  

•  Provides  both  taught  courses  and  licenses  materials  for  general  use.    

Networks  ·∙  Services  ·∙  People                      www.geant.org      

•  A  process  for  CSIRT  teams  to  get  to  know  each  other  and  build  trust.      

•  A  registry  of  CSIRT  teams.    

•  A  set  of  tools  that  can  be  used  by  the  teams  for  incident  response.    

•  An  accreditaOon  and  cerOficaOon  process  to  help  teams  express  their  trustworthiness.    

•  TradiOonally  Europe  +  surrounding  regions  but  now  accepts  all  teams.  

hLps://www.trusted-­‐introducer.org  

What  is  Trusted  Introducer?  

3  

Networks  ·∙  Services  ·∙  People                      www.geant.org      

•  APCERT,  •  AfricaCERT,  •  AMPARO,  •  FIRST,  •  ENISA,    •  RIPE.  

Partners  

4  

We  align  with  the  Regional  Internet  Regions    

Networks  ·∙  Services  ·∙  People                      www.geant.org      

Three  Processes  of  TI  

5  

•  Free  service.  •  Simple  team  lisOng  in  registry.  • Must  be  supported  by  2  exisOng  teams.  • Can  aLend  TF-­‐CSIRT  general  sessions.  

LisOng  

• Cost  of  1,200  euros  per  year,  plus  one  Ome  fee  (800  euros).  •  Supported  self-­‐assessment  against  a  set  of  criteria.  • Can  aLend  closed  meeOngs,  be  on  closed  lists,  access  closed  area  of  website.    

AccreditaOon  

• Cost  of  2,400  euros  (in  Europe,  more  outside).  •  Full  audited  cerOficaOon.  CerOficaOon  

Networks  ·∙  Services  ·∙  People                      www.geant.org      

How  About  You?  

6  

LISTED

 

•  CERN-­‐CERT  •  PIONIER-­‐CERT  

ACCR

EDITED

 

•  SURFcert  •  Funet  CERT  •  RESTENA  CSIRT  •  Janet  CSIRT  •  BELNET  CERT  •  GARR-­‐CERT  •  CESNET-­‐CERTS  •  CSUC-­‐CSIRT  •  RedIRIS  •  LITNET  CERT  

CERT

IFIED   •  GÉANT  CERT  

•  EGI  CSIRT  •  SWITCH-­‐CERT  •  UNINETT  CERT  •  DFN-­‐CERT  •  NORDUnet  CERT  (can)  

Networks  ·∙  Services  ·∙  People                      www.geant.org      

•  AccreditaOon  requires:    •  Maintaining  accurate  data  on  the  TI  database  (annual  check).  •  Compliance  with  RFC2350:  hLp://www.ief.org/rfc/rfc2350.txt.    •  Support  for  the  InformaOon  Sharing  Traffic  Light  Protocol:  hLps://www.trusted-­‐introducer.org/ISTLPv11.pdf.      

•  Support  for  the  CSIRT  Code  of  PracOce:  hLps://www.trusted-­‐introducer.org/CCoPv21.pdf.    

•  CerOficaOon  requires:    •  AudiOng  against  the  SIM3  model:  hLps://www.trusted-­‐introducer.org/SIM3-­‐Reference-­‐Model.pdf.      

 

AccreditaJon  /  CerJficaJon  Processes  

7  

Networks  ·∙  Services  ·∙  People                      www.geant.org      

Number  of  Teams  

8  

As  of  end  08-­‐15:    •  254  Listed.  •  (of  which)  121  

Accredited.  •  (of  which)  14  

CerOfied.  

Networks  ·∙  Services  ·∙  People                      www.geant.org      

Team  Types  (listed)  

9  

Networks  ·∙  Services  ·∙  People                      www.geant.org      

Team  types  (accredited)  

10  

Networks  ·∙  Services  ·∙  People                      www.geant.org      

Czech  Model  –  group  within  a  group  

11  

Networks  ·∙  Services  ·∙  People                      www.geant.org      

•  Response  /  maturity  tesOng.    •  TesOng  the  response  abiliOes  of  teams  to  an  e-­‐mail  and  other  supporOng  factors  (cerOficates  for  signing).    

•  No  penalOes  for  not  reply,  but  teams  and  team  managers  are  shown  the  results.  

•  Has  lead  to  changes  being  made  by  teams.  •  Lightweight  exercise  to  help  support  best  pracOce.    •  Will  be  repeated  3  Omes  a  year.    

•  TI  Review.  •  Currently  undertaking  a  full-­‐scale  review  of  the  TI  service  porfolio.    

•  Complaints  Procedure.      

•  API  to  the  database  /  other  sources  of  informaOon.    

New  developments  

12  

Networks  ·∙  Services  ·∙  People                      www.geant.org      

•  What  do  accreditaOon  /  cerOficaOon  programmes  add?    •  Cost!  •  Brand  recogniOon.  •  Rubber  stamp.    

•  What  is  the  role  for  face-­‐to-­‐face?  •  Consistently  large  TF-­‐CSIRT  meeOngs.    People  show  up.    •  Closed  meeOngs  for  sharing,  but  sOll  reluctance  unOl  someOme  aker  the  event.  

•  What  happens  when  you  grow  too  big?  

•  Bilateral  vs.  Group  sharing.      

 

What  is  the  recipe  for  trust?    

13  

Networks  ·∙  Services  ·∙  People                      www.geant.org      

•  No  maLer  what  the  trust,  trust  cannot  be  grown  throughout  the  whole  group.    

•  General  models  can  be  used  for  fostering  more  local  trust  groups.  

•  Face-­‐to-­‐face  is  absolutely  essenOal  and  worth  the  cost.  

•   Don’t  expect  full  group  sharing,  even  on  closed  “trusted”  lists.    

•  Where  are  we  storing  informaOon  about  teams  and  can  we  reduce  duplicaOon?  

Lessons  Learned?  

14  

Networks  ·∙  Services  ·∙  People                      www.geant.org      

Thank  you  

Networks  ·∙  Services  ·∙  People                    www.geant.org  

   

15