Logo of the European Computer Security Incident Response Team Network (eCSIRT.net)

Background on eCSIRT.net


The Role of the eCSIRT.net project

This project therefore does not address the need for additional CSIRTs in particular, although its results will affect any CSIRT, whether existing or new: the techniques brought to fruition within the trial will directly affect their "modus operandi" and substantially add to their service once they embrace them.

Instead the project focuses on the deployment of techniques that will satisfy the basic, nay existential, need of existing teams to cooperate and exchange incident related data, and to collect shared data for statistical and knowledge-base purposes. More precisely put, the take-up of techniques in trial form that is proposed here will serve the following goals:

  1. to establish a standardized and unambiguous exchange of incident related information between the CSIRTs involved;
  2. to establish the collection of standardized and unambiguous incident statistics to serve the CSIRTs involved, and - in a generalized fashion - serve the information needs of a wider audience;
  3. to establish the collection of standardized and unambiguous incident related data, followed by intelligent generation of warnings and emergency alerts based on that integrated dataset, to serve the CSIRTs involved.

To enable the pursuit of these goals, it is necessary to first establish a "standardized and unambiguous" language for data exchange. Establishing this language is part of this project, and the work will build on the IODEF and IDMEF work done by the IETF and TF-CSIRT.

The third goal is meant to facilitate "early warning" services of the participating CSIRTs. Though the currently popular notion of "early warning" in regard to incident management is really an integral combination of three of the above-mentioned basic services, namely prevention, awareness raising and detection, the crucial element still is to have information early enough to make warnings effective. The techniques proposed for deployment here have the potential to do just that.

To explain that a little more: much of the information relevant for early (or earlier) warning is already there now! But it is scattered over many CSIRTs, vendors and fora, in many formats, with entirely different syntaxes and semantics. IODEF and IDMEF aim at addressing the syntax problem. This project aims at employing IODEF, IDMEF and other relevant techniques in a trial setting between European NREN CSIRTs backed up by two commercial companies active in the CSIRT market.



To disseminate the experiences and practices to other countries not represented in the project, dissemination and exploitation activities are tailored towards already existing forums like FIRST and TERENA Task Force CSIRTs, and also address teams registered in the European CSIRT directory maintained by TI. As all groups mentioned bring together commercial, government and research/education oriented teams as well as service providers and ISPs, it is ensured that all sectors and areas are reached.


A short note on philosophy ...

There has been considerable discussion in Europe since 1992 on the collaboration and coordination of CSIRTs. While it certainly holds true that CSIRTs coordinate security incidents (and preventive measures) in Europe and worldwide, this is being done without any "control from above": there is no "top" in the CSIRT hierarchy that channels all information. Though there is some hierarchy, the prevailing mechanism of interworking is that of inter-CSIRT peering. This has proven to be the most practical and efficient way, as the shortest path between any two points is still the straight line, and for CSIRTs swiftness of operation, reduction of overhead and working on a need-to-know basis are of paramount importance. The bottom-up approach that CSIRTs adopt to interwork satisfies precisely those needs.

This project adapts to this bottom-up culture by not applying any centralized or hierarchical approach. Instead, functionality is added to the existing infrastructure which has the potential to improve the way CSIRTs operate and communicate, and which enables value-added services otherwise not achievable. The project is built around a substantial number of CSIRTs that together form a significant subset of the European CSIRT community - so significant that successful deployment of the trial techniques would almost certainly be picked up by a wider CSIRT community.


Read on: Vision for the eCSIRT.net project


Last changed: February 5, 2003 / AL
Copyright © 2002-2003 by PRESECURE Consulting GmbH, Germany
This page is digitally signed with PGP.