Security Incidents mailing list archives

Re: CERT Software


From: Lionel Ferette <lionel.ferette () belnet be>
Date: Wed, 17 Nov 2004 07:37:22 +0100

Hello,

In the wise words of Brian Peister, on Tuesday 16 November 2004 21:27:
> Does anyone know of or has used CERT (Computer Emergency Response Team)
> software? I reviewed Guidance software's Encase Enterprise product, and
> it's mostly focused on the forensics aspect of incident handling. I'm
> looking for a software product that streamlines the computer security
> incident handling process (similar to SANS 6 phases of incident handling).

I guess you'll hear a few words about Remedy (http://www.remedy.com/) or RT/IR 
(http://www.bestpractical.com/rtir/). They are not specifically mapped on the 
SANS 6 phases, but they do the job. At BELNET CERT we use RT/IR, which has 
the advantage (for us) of being open-source, and thus allows us to tune it 
where needed.

The handling process is the following:
Incident Report(s) -> Incident -> Investigation(s) -> Firewall-level blocks 
(if needed)
Don't misunderstand the 'firewall-level blocks' part: RT/IR does not interface 
with your firewall, but allows you to keep track of what is blocked at what 
level, and why (thanks to the links to the incidents).

Best regards,

Lionel

-- 
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." -- Benjamin Franklin

Lionel Ferette
BELNET CERT Coordinator

Tel: +32 2 7903385                  http://cert.belnet.be/
Fax: +33 2 7903375                  PGP Key Id: 0x5662FD4B
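The linkage Lionel describes (reports merged under an incident, investigations and firewall-level blocks hanging off that incident, so that a block can always be traced back to its reason) is easy to lose if tickets live in separate, unlinked queues. The following is an added illustration, not RT/IR code and not anything from BELNET CERT; it is a small in-memory tracker with the same report -> incident -> investigation -> block shape, whose `why_blocked()` answers "what is blocked, at what level, and why" by following the links, and whose `can_lift()` refuses to lift a block while the incident behind it is still open. All ticket subjects, reporters and the address 192.0.2.10 are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Ticket:
    """One queue entry. 'parent' links a report, investigation or block
    to the incident it belongs to (the incident itself has no parent)."""
    id: int
    kind: str                 # "report" | "incident" | "investigation" | "block"
    subject: str
    status: str = "open"
    parent: Optional[int] = None
    fields: Dict[str, str] = field(default_factory=dict)


class Tracker:
    """Minimal stand-in (hypothetical, not RT/IR) for linked incident queues."""

    def __init__(self) -> None:
        self.tickets: Dict[int, Ticket] = {}
        self._next_id = 1

    def _create(self, kind: str, subject: str, parent: Optional[int] = None,
                **fields: str) -> Ticket:
        t = Ticket(self._next_id, kind, subject, parent=parent, fields=dict(fields))
        self.tickets[t.id] = t
        self._next_id += 1
        return t

    def new_report(self, subject: str, reporter: str) -> Ticket:
        # An incoming report; not yet tied to any incident.
        return self._create("report", subject, reporter=reporter)

    def new_incident(self, subject: str, report_ids: List[int]) -> Ticket:
        # Several reports about the same event are merged under one incident.
        inc = self._create("incident", subject)
        for rid in report_ids:
            self.tickets[rid].parent = inc.id
        return inc

    def new_investigation(self, incident_id: int, subject: str) -> Ticket:
        return self._create("investigation", subject, parent=incident_id)

    def new_block(self, incident_id: int, target: str, level: str) -> Ticket:
        # Records that 'target' is blocked at 'level'. The tracker does not
        # touch any firewall; it only keeps the record and the link.
        return self._create("block", f"block {target} at {level}",
                            parent=incident_id, target=target, level=level)

    def reports_for(self, incident_id: int) -> List[Ticket]:
        return [t for t in self.tickets.values()
                if t.kind == "report" and t.parent == incident_id]

    def why_blocked(self, target: str) -> List[dict]:
        """Follow block -> incident -> reports to explain every block on target."""
        out = []
        for b in self.tickets.values():
            if b.kind != "block" or b.fields.get("target") != target:
                continue
            inc = self.tickets[b.parent]
            out.append({
                "block_id": b.id,
                "level": b.fields["level"],
                "incident": inc.subject,
                "incident_status": inc.status,
                "reports": [r.subject for r in self.reports_for(inc.id)],
            })
        return out

    def can_lift(self, block_id: int) -> bool:
        """A block may only be lifted once the incident behind it is resolved."""
        b = self.tickets[block_id]
        return b.kind == "block" and self.tickets[b.parent].status == "resolved"

    def resolve(self, ticket_id: int) -> None:
        self.tickets[ticket_id].status = "resolved"


def demo() -> Tracker:
    """Constructed walk-through: two reports, one incident, one investigation,
    two blocks at different levels."""
    tr = Tracker()
    r1 = tr.new_report("SSH scans from 192.0.2.10", reporter="abuse@example.net")
    r2 = tr.new_report("brute force from 192.0.2.10", reporter="noc@example.org")
    inc = tr.new_incident("Scanning host 192.0.2.10", [r1.id, r2.id])
    tr.new_investigation(inc.id, "contact owner of 192.0.2.10")
    tr.new_block(inc.id, "192.0.2.10", "border router ACL")
    tr.new_block(inc.id, "192.0.2.10", "host firewall")
    return tr


if __name__ == "__main__":
    for entry in demo().why_blocked("192.0.2.10"):
        print(entry)
```

The point of the model is the `parent` link: because every block points at an incident and every incident at its reports, "why is this address blocked?" and "is it safe to lift this block yet?" are answered by a lookup rather than by someone's memory, which is the traceability the mail attributes to RT/IR's incident links.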
