A brief introduction to RTIR

4,400
-1

Published on

A brief introduction to RTIR as presented to the UNAM.mx Congreso de Seguridad en Cómputo

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
4,400
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
77
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

A brief introduction to RTIR

  1. 1. RT and RT for Incident Response Jesse Vincent, Best Practical Solutions http://fsck.com/~jesse/talks/2008/09/rtir.pdf
  2. 2. Carlos Fuentes Bermejo RTIR WG - Primary Technical Contact RedIRIS IRIS-CERT - Security Specialist Si habla español Couldn’t be here today :( http://fsck.com/~jesse/talks/2008/09/rtir.pdf
  3. 3. Jesse Vincent Designed RT and RTIR (It’s all my fault) Founded Best Practical (It’s even more my fault) No puedo presentar en español. Lo Siento. http://fsck.com/~jesse/talks/2008/09/rtir.pdf
  4. 4. ¡AVISO! WARNING!
  5. 5. I represent a software vendor
  6. 6. We sell support, training, consulting and customization for RT, RTIR and RTFM
  7. 7. This talk could be dangerously close to a sales pitch
  8. 8. I’m not a sales guy
  9. 9. All the software we make is open source
  10. 10. We created RT to help sysadmins and helpdesk staff
  11. 11. We helped create RTIR to let CERT teams be more effective
  12. 12. I want you to use RTIR (or RT) for free - forever
  13. 13. I will be happy if you use them for free
  14. 14. (Now do you believe that I’m not a sales guy?)
  15. 15. About RT
  16. 16. RT is a Ticketing System
  17. 17. RT helps keep you organized
  18. 18. Every conversation gets a number, a status and an owner
  19. 19. RT helps keep your customers happy
  20. 20. RT sends an autoreply and ticket number when they report a problem
  21. 21. RT helps keep your team from going crazy
  22. 22. You know what’s been done – and when
  23. 23. RT helps you show your bosses how hard you work
  24. 24. It’s easy to run reports on all kinds of metrics
  25. 25. RT builds an ad-hoc knowledge base
  26. 26. (RTFM helps you build an explicit Knowledge Base)
  27. 27. Some RT history... Created in 1996 First public release in 1997 2.0 released in 1999 Best Practical formed in 2001 RTIR Created in 2003 RTIR WG Started in 2005 RTIR 2.4 Released 2008 (Last week!)
  28. 28. What is RT used for? Issue Tracking Process Management Trouble Ticketing Bug Tracking Incident Handling Sales Leads Workflow Youth Counseling Helpdesk Home Rentals Customer Service
  29. 29. RT Homepage
  30. 30. Ticket Details
  31. 31. Ticket History
  32. 32. Ticket Update
  33. 33. RT Core Concepts Tickets Queues Custom Fields Scrips Access Control Email Gateway Internationalization
  34. 34. Tickets Track issues Have unique id #s Keep a history of correspondence Have one owner (And a bunch of other metadata)
  35. 35. Queues High-level grouping of tickets Each can have its own Access Control Business Logic (Scrips) Custom Fields
  36. 36. Custom Fields Track your own ticket metadata Freeform (optional validation) Select (one or many) Text block Upload files or images Custom data sources Per-field access control
  37. 37. Scrips Custom business logic (Also how RT sends mail) Each is built from Condition Action Template
  38. 38. Access Control User, Group or Role based Global and Per-queue rights
  39. 39. Email Gateway RT was first made to replace a mailing list RT is designed for email interaction (and web. and command line) RT mediates and tracks all discussions
  40. 40. Internationalization Fully native UTF8 internally Speaks 22 languages Handles inbound and outbound email encoding Contribute at https://translations.launchpad.net/rt/
  41. 41. More RT Features Charts and Reports Ticket Locking Dashboards Web API Self-service interface Perl API Feeds CLI tools RTFM Customizability PGP Support Themability The RT Community Ticket Aging
  42. 42. The RT Community http://bestpractical.com/rt http://wiki.bestpractical.com rt-es-subscribe@lists.bestpractical.com rt-users-subscribe@lists.bestpractical.com rt-devel-subscribe@lists.bestpractical.com
  43. 43. Quick Start (For testing) wget http://download.bestpractical.com/ pub/rt/release/rt.tar.gz tar xzvf rt.tar.gz cd rt-3.8.1 make fixdeps ./bin/standalone_httpd
  44. 44. RTIR: RT For Incident Response
  45. 45. What is RTIR? Ticketing System RT for Incident Response Designed for CERT/CSIRT Teams Designed for a CERT team - JANET-CERT Generalized for a ‘standard’ process
  46. 46. Differences from RT RTIR is RT ...with more features, a custom interface and special configuration
  47. 47. Designed for CERT/CSIRT Teams Metadata - IPs, SLAs, Constituency, etc Workflows - Streamline your job Views - Show what you need Plugins - Lookups, Locking, ‘Shredding’, etc
  48. 48. We designed RTIR to help you get your job done
  49. 49. RTIR keeps track of incidents
  50. 50. RTIR keeps track of correspondence
  51. 51. RTIR keeps an uneditable history
  52. 52. RTIR makes incident research easier
  53. 53. RTIR tracks your SLA commitments
  54. 54. RTIR integrates with your other systems
  55. 55. RTIR takes care of the ‘boring’ parts of Incident Response
  56. 56. RTIR Basics Incident Reports Incidents Investigations Blocks
  57. 57. RTIR History
  58. 58. RTIR 1.0 Sponsored by JANET-CERT Replaced a homebuilt Remedy system Built on RT 3.0 2003
  59. 59. RTIR 1.0 Features Clickable ‘Data Detectors’ IP/Domain/Address Lookup Tool RTIR Automated Rules SLA Monitoring Business-Hours Logic
  60. 60. RTIR WG Members JANET CSIRT/UKERNA ACOnet-CERT (Chair of project) LITNET CERT IRIS-CERT/RedIRIS (Technical contact) SUNet CERT CERT POLSKA SWITCH-CERT CERT.PT GOVCERT.NL
  61. 61. RTIR 2 Sponsored by TERENA RTIR WG Initial vision by JANET-CERT Design collaboration between RTIR WG and Best Practical Built on RT 3.8 RTIR 2.4 released September 2008
  62. 62. RTIR 2.4 New Features PGP Integration Message Forwarding Ticket Locking Bulk Actions Ticket Aging Quick Actions Database Pruning Per-User Timezones RTFM Integration IP Address Range Fields
  63. 63. RTIR 2.4 New Features Improved Automation Improved UI Improved Searching More flexible workflow Improved Customization More user preferences Improved Reporting Easier Integration Improved Testing Improved Performance
  64. 64. The RTIR Workflow
  65. 65. RTIR Homepage
  66. 66. RTIR is built around Incidents Incidents tie everything together One Incident for many Incident Reports many Investigations many Blocks
  67. 67. It usually starts with an Incident Report Conversations with Customers “Something bad happened!” “Please help me!”
  68. 68. Create an IR
  69. 69. Create an IR #2
  70. 70. IR Details
  71. 71. IR History
  72. 72. Incident Report Reply
  73. 73. Incident Report History
  74. 74. Once reported, the team tracks an Incident Track what actually happened Private / Internal Tie everything together
  75. 75. Create an Incident
  76. 76. Incident Details
  77. 77. Incident Details #2
  78. 78. Incident History
  79. 79. The team starts an Investigation Internal Research and Discovery Conversations with external partners Law Enforcement Network Providers Experts
  80. 80. Launch Investigation
  81. 81. Launch Investigation
  82. 82. Investigation Details
  83. 83. Investigation History
  84. 84. Sometimes the easiest answer is just a Block Records of network blockades Tied to an Incident Could auto-update firewalls (Optional Feature)
  85. 85. Create a Block
  86. 86. Automatic IP Detection
  87. 87. Automatic IP Detection
  88. 88. Data Detectors
  89. 89. Research Tools
  90. 90. You should be using RTIR (or RT)
  91. 91. Cost of RTIR: $0
  92. 92. Cost of required software: $0
  93. 93. Cost of required hardware: $0?
  94. 94. Operating System Unix/Linux/FreeBSD/MacOS X/Solaris/etc (We don’t do Windows)
  95. 95. Database MySQL 4.1 or 5.0 PostgreSQL 8.x Oracle 9x or 10.x SQLite (for testing)
  96. 96. Web Server Apache mod_perl or FastCGI lightttpd FastCGI Standalone pure-perl server
  97. 97. RT & RTIR Community http://bestpractical.com/rtir/ http://wiki.bestpractical.com - http://rtir.org rtir-subscribe@lists.bestpractical.com rt-es-subscribe@lists.bestpractical.com rt-users-subscribe@lists.bestpractical.com rt-devel-subscribe@lists.bestpractical.com
  98. 98. ¡Muchas gracias! ¿Preguntas? http://fsck.com/~jesse/talks/2008/09/rtir.pdf Jesse Vincent - jesse@bestpractical.com - +1 617 812 0745

×