National Institute of Standards and Technology (NIST) Request for Information, Docket Number 130208119-3119-, Document Number 2013-
Submitted by: Thomas Dunn, Cyber Technology and Information Security Laboratory, Georgia Tech Research Institute, 250 Fourteenth St., Atlanta, GA 30318
The Georgia Tech Research Institute (GTRI) is the Georgia Institute of Technology’s applied research institution. Established in 1934, GTRI pursues a strategically focused and synergistic model of research, innovation and education that is continually enhanced and applied to solve the problems of a complex world. GTRI’s strengths are based on: world-class subject matter experts in systems engineering, sensors, and information and telecommunications technology; a unique laboratory infrastructure; and collaboration with Georgia Tech’s academic colleges as well as access to the vast intellectual resources of one of America’s premier research universities.
GTRI plays a “white-hat” role between industry and government by performing cutting-edge work to help secure national critical infrastructure entities. We research the backbone that our nation’s critical infrastructures depend on. GTRI has developed a unique cybersecurity framework that is both minimally disruptive and cost-effective. As our framework has evolved, we have identified key practices that pertain to securing critical infrastructure computer networks. The GTRI framework focuses on the following three interrelated core practices:
GTRI implemented an Information Security Operations Center (ISOC) that functions as the key player in all our cyber incident responses. It detects anomalies, categorizes incidents based on the impact they have on the GTRI environment and informs the appropriate response leads for remediation. Part of our incident response framework is learning from the incident, determining what went well and what we should change to prevent future incidents.
The core of the ISOC is an event correlation engine that consolidates all of our security, authentication and network traffic logs regardless of data source. These logs are useful both for detection and for later forensics. GTRI has researched standards to guide which logs to correlate and which devices to fully log. This engine allows the ISOC staff to search for any indicator of a cyber incident, such as a source IP address or DNS name, regardless of whether it was logged by a firewall, IDS, or antivirus suite. A correlation engine such as this is a critical first step in cybersecurity response. No organization responsible for critical infrastructure will be able to respond to an incident without it.
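The following is an added illustration of the correlation pattern described above; it is not GTRI's engine or any code from the RFI response. It normalizes constructed log lines from four fictional sources (firewall, IDS, DNS resolver, antivirus; all log formats, hostnames and IP addresses are invented, with IPs drawn from documentation ranges) into one schema, indexes every IP address and DNS name they mention, and lets an analyst search for an indicator across all sources and pivot to the indicators that co-occur with it.

```python
"""Minimal event-correlation engine: normalize heterogeneous security logs into a
common schema, index the indicators they contain, and search or pivot on them.
Added example; log formats and sample data are constructed, not GTRI's."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample lines, each prefixed with its (hypothetical) source name.
SAMPLE_LOGS = [
    "fw: 2013-04-02T14:03:11Z DENY TCP src=198.51.100.23:44512 dst=10.0.5.17:445",
    "ids: 2013-04-02T14:03:12Z [1:2001] SMB probe 198.51.100.23 -> 10.0.5.17",
    "dns: 2013-04-02T14:05:39Z client=10.0.5.17 query=bad.example.net answer=203.0.113.9",
    "av: 2013-04-02T14:05:40Z host=ws-0417 user=jdoe sig=Generic_Downloader url=http://bad.example.net/p.exe",
    "fw: 2013-04-02T14:06:02Z ALLOW TCP src=10.0.5.17:51022 dst=203.0.113.9:80",
]


@dataclass
class Event:
    """Common schema every source is mapped onto, whatever its native format."""
    ts: datetime
    source: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    domain: Optional[str] = None
    summary: str = ""

    def indicators(self) -> set[str]:
        """IPs and DNS names this event mentions; these become index keys."""
        return {i for i in (self.src_ip, self.dst_ip, self.domain) if i}


# One parser per source; named groups map native fields onto the schema.
_TS = r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z"
PARSERS = {
    "fw": re.compile(_TS + r" (?P<action>DENY|ALLOW) \w+ src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):\d+"),
    "ids": re.compile(_TS + r" \[[\d:]+\] (?P<msg>.+?) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)"),
    "dns": re.compile(_TS + r" client=(?P<src>[\d.]+) query=(?P<domain>\S+) answer=(?P<dst>[\d.]+)"),
    "av": re.compile(_TS + r" host=\S+ user=\S+ sig=(?P<sig>\S+) url=\w+://(?P<domain>[^/\s]+)"),
}


def normalize(line: str) -> Event:
    """Parse one raw line from any known source into an Event, or raise ValueError."""
    source, _, body = line.partition(": ")
    pattern = PARSERS.get(source)
    if pattern is None:
        raise ValueError(f"unknown log source: {source!r}")
    m = pattern.match(body)
    if m is None:
        raise ValueError(f"unparseable {source} line: {body!r}")
    f = m.groupdict()
    ts = datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    domain = f.get("domain")
    return Event(ts=ts, source=source, src_ip=f.get("src"), dst_ip=f.get("dst"),
                 domain=domain.lower() if domain else None,
                 summary=f.get("action") or f.get("msg") or f.get("sig") or "query")


def build_index(lines) -> dict[str, list[Event]]:
    """Ingest lines from every source into one indicator -> time-ordered events index."""
    index: dict[str, list[Event]] = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        for ind in ev.indicators():
            index[ind].append(ev)
    for evs in index.values():
        evs.sort(key=lambda e: e.ts)
    return index


def search(index, indicator: str) -> list[Event]:
    """Every event mentioning the indicator, oldest first, regardless of source."""
    return index.get(indicator.lower(), [])


def related_indicators(index, seed: str, depth: int = 1) -> set[str]:
    """Indicators reachable from the seed through shared events (breadth-first),
    e.g. the internal host an external IP touched, then the names it resolved."""
    seed = seed.lower()
    seen, frontier = {seed}, {seed}
    for _ in range(depth):
        nxt: set[str] = set()
        for ind in frontier:
            for ev in index.get(ind, []):
                nxt |= ev.indicators()
        frontier = nxt - seen
        seen |= nxt
    return seen - {seed}


if __name__ == "__main__":
    idx = build_index(SAMPLE_LOGS)
    for ev in search(idx, "198.51.100.23"):
        print(ev.ts.isoformat(), ev.source, ev.summary)
    print("pivot:", sorted(related_indicators(idx, "198.51.100.23", depth=2)))
```

Searching for the external address returns the firewall and IDS records in time order; a two-hop pivot from it surfaces the internal host it touched, the domain that host then resolved, and the address that domain answered with, which is the cross-source view the paragraph describes. In a production engine the per-source regexes would be replaced by proper parsers for syslog, CEF or vendor APIs, and the index would live in a search backend rather than a dictionary, but the normalize-then-index structure is the same.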
It’s imperative to know exactly what is going into and out of critical infrastructure communication networks. We have integrated a full network forensics capability with our correlation engine. Full network forensics provides the infrastructure for full-packet capture of critical nodes in an organization’s network. The needs of the organization, as well as its risk profile, will determine the length of time to preserve both security logs and network forensics.
important aspect is developing an extremely focused, targeted report as relevant to leadership as possible, such as a “top-ten list.” Doing it right isn’t about volume. Our goal is to achieve security buy-in; we want leadership to request penetration testing support as much as the system owners.
Everything we do in penetration testing is about relationship building. We strengthen security by establishing a trust partnership; we don’t want the person responsible for a targeted system to feel like we’re “out to get them.” We want system owners to desire our support just as much as leadership, not to think of our penetration testers as a hindrance.
Unless specifically requested, we conduct tests in a non-destructive manner; no Denial of Service, dangerous exploits or destructive scans. We test from both inside and outside our networks. A public IP space carries a higher criticality and time sensitivity since it introduces actors and systems external to GTRI control. We have learned to not only emphasize classic remote access vulnerabilities that compromise confidentiality, integrity or availability but also unintentional information disclosure (to prevent adversaries from building an accurate profile of their target). Continuously monitoring private IP space is just as important to thwart insider threats, but may not be as time sensitive.
GTRI’s core practices are broadly applicable across sectors and throughout industry. These practices should be widely used throughout critical infrastructure and industry. Additionally we can draw the following conclusions from our experience with our framework: