Protect Your Company With a CSIRT

Posted 2012-09-20

By Peter Ridgley

Corporations today face a high risk of a security incident and the increased possibility of serious financial problems caused by a data breach. Yet, according to the “Verizon 2011 Data Breach Investigations Report,” 96 percent of incidents would have been avoidable through simple or intermediate-level controls. An effective computer security incident response team (CSIRT) can help your organization protect critical assets and data and lower risks by increasing awareness and creating controls.

In a company’s IT environment, a host of factors can combine to create dynamics that threaten confidential data. The increasing value and volume of sensitive data, mobile technology, advanced platforms, compiled software that’s readily available to test and exploit, and the complexity of most infrastructures and applications can all combine to create a complex web that must be protected. Contributing to the problem are outdated configurations and patches, “bolt-on” security that’s improperly integrated with current processes, and inadequate prevention, detection and response activities—all of which expose the enterprise to potential breaches and losses.

The Verizon report indicated that, although large organizations experienced a significant number of breaches, a “virtual explosion of breaches involved smaller organizations.” Eighty-three percent were victims of opportunity: Had more stable and secure structures been in place, these organizations might not have experienced a breach.

The costs for even a small security event can add up. Companies incur attorneys’ fees to prepare breach notifications and victim lists, plus printing and mailing costs. Systems removed from service can affect productivity and costs. Plus, costs can escalate for overtime required to contain, remediate and restore services, as well as the expense of external experts to investigate or provide specialized services.

If insurance is leveraged, premiums may increase. If reparations are required, such as identity theft protection for consumers or new controls to prevent future incidents, these outlays are included in the cost of a security incident. In addition, public companies may face a loss in stock value.

Investing in incident prevention can reduce the number of breaches and the associated repercussions.

Create the Team

Being prepared with an effective CSIRT can help calm the chaos during and following an incident, reduce outage times, and rebuild trust with both internal and external customers.

According to the Carnegie-Mellon Software Engineering Institute, a CSIRT is “an organization or team that provides services and support to a defined constituency for preventing, handling and responding to computer security incidents.” An effective CSIRT should be proactive, able to communicate and work effectively with all key stakeholders, and maintain a cohesive set of coordinated processes to respond to an incident.

Establishing an effective CSIRT can be difficult. Often, enterprises fail to assign formal responsibility to a predetermined group of experienced security professionals. But a decentralized, ad hoc approach to incident response can lead to miscommunication, failure to standardize and analyze response procedures, and minimal reporting or postmortem evaluation.

In most organizations, CSIRTs are embedded in IT and focus on response activities. A more effective CSIRT organization may still reside in IT, but it should be focused on prevention activities.

To create a better CSIRT, companies must identify team members and establish responsibilities. The team should include IT, security, legal, internal audit, business units and communications. Then train the team to understand responsibilities and procedures and to operate effectively. Often overlooked—but equally important—is the need for corporate awareness training and campaigns to promote an overall security-conscious culture.

Reduce Vulnerabilities

An effective CSIRT provides “assistance and information to help prepare, protect and secure constituent systems in anticipation of attacks, problems or events,” according to the CERT Coordination Center. The team can create tools and procedures for response management; develop awareness training for the entire company; create a technology watch; employ intrusion detection services; and disseminate security-related information.

Detect and Report Incidents

Detecting and reporting incidents is an important role of the CSIRT to ensure that incidents are properly reported, triaged and escalated for treatment when they occur. Detection is conducted through technology as well as physical means. Reporting includes internal and external resources.

Contain, Eradicate, Recover

Core reactive services provided by a CSIRT are “triggered by an event or request, such as a report of a compromised host, wide-spreading malicious code, software vulnerability, or something identified by an intrusion detection or logging system,” per the CERT-CC. The team stops the condition from worsening, removes the source condition and returns systems to normal operating levels. In this phase, the team manages alerts and warnings, incident response and analysis, and vulnerability handling and analysis.

Assess and Improve

A CSIRT’s most important service is to incorporate lessons learned into process changes to correct identified errors or inefficiencies. The team should conduct a postmortem of the incident, evaluating the actions, tools used, teams involved, timeline, costs, root cause(s) and other factors involved. This evaluation aims to improve future response capabilities and communications, reduce the time and cost of returning to normal after an incident, and prevent future incidents.
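The three response phases above (detect and report, then triage and escalate; contain, eradicate and recover; assess and improve) can be made concrete as an incident record that refuses out-of-order phase changes and derives the timing figures a postmortem needs. The following is an added example written for this page, not code from the article or from OpenSky; the phase names, the severity thresholds in `triage`, the escalation targets in `ESCALATION` and the incident identifier are constructed assumptions.

```python
"""Incident lifecycle tracker for a CSIRT: enforces the phase sequence
detected -> reported -> triaged -> contained -> eradicated -> recovered -> closed
and computes postmortem timing metrics from the recorded timeline.

Added illustration; not code from the article or from OpenSky. Severity
thresholds, escalation targets and identifiers below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Ordered phases; an incident must pass through them in exactly this sequence.
PHASES = ["detected", "reported", "triaged", "contained", "eradicated", "recovered", "closed"]

# Constructed escalation routing: severity -> who is brought in (assumption).
ESCALATION = {
    "high": "CSIRT lead + legal + communications",
    "medium": "CSIRT on-call",
    "low": "IT service desk",
}


def triage(hosts_affected: int, sensitive_data_exposed: bool) -> str:
    """Constructed triage rule: confirmed sensitive-data exposure or a wide
    footprint is high; more than one host is medium; a single host is low."""
    if sensitive_data_exposed or hosts_affected >= 10:
        return "high"
    if hosts_affected > 1:
        return "medium"
    return "low"


@dataclass
class Incident:
    ident: str
    timeline: List[Tuple[str, datetime, str]] = field(default_factory=list)
    severity: Optional[str] = None

    @property
    def phase(self) -> Optional[str]:
        return self.timeline[-1][0] if self.timeline else None

    def advance(self, phase: str, when: datetime, note: str = "") -> None:
        """Move to the next phase only. Skipping (e.g. recovering before
        containment) or moving backwards in time is rejected, so the record
        reflects the sequence that actually happened."""
        if self.phase == PHASES[-1]:
            raise ValueError(f"{self.ident}: incident is already closed")
        expected = PHASES[0] if self.phase is None else PHASES[PHASES.index(self.phase) + 1]
        if phase != expected:
            raise ValueError(f"{self.ident}: cannot go from {self.phase} to {phase}; next is {expected}")
        if self.timeline and when < self.timeline[-1][1]:
            raise ValueError(f"{self.ident}: timestamps must not go backwards")
        self.timeline.append((phase, when, note))

    def escalate(self, hosts_affected: int, sensitive_data_exposed: bool, when: datetime) -> str:
        """Triage the report, record the severity and return the escalation target."""
        self.severity = triage(hosts_affected, sensitive_data_exposed)
        target = ESCALATION[self.severity]
        self.advance("triaged", when, f"severity={self.severity}; escalated to {target}")
        return target

    def _at(self, phase: str) -> datetime:
        return next(ts for p, ts, _ in self.timeline if p == phase)

    def postmortem(self) -> Dict[str, object]:
        """Metrics for the assess-and-improve phase; the incident must have
        reached 'recovered' so that every duration is defined."""
        if self.phase is None or PHASES.index(self.phase) < PHASES.index("recovered"):
            raise ValueError(f"{self.ident}: postmortem needs a recovered incident")
        detected = self._at("detected")
        return {
            "severity": self.severity,
            "detected_at": detected,
            "time_to_report": self._at("reported") - detected,
            "time_to_contain": self._at("contained") - detected,
            "time_to_recover": self._at("recovered") - detected,
            "steps": [(p, note) for p, _, note in self.timeline],
        }


def run_example() -> Dict[str, object]:
    """Walk a constructed incident through the full lifecycle."""
    t0 = datetime(2012, 9, 20, 8, 0)
    inc = Incident("INC-EXAMPLE-001")  # constructed identifier
    inc.advance("detected", t0, "IDS alert on file server")
    inc.advance("reported", t0 + timedelta(minutes=15), "help desk ticket to CSIRT")
    inc.escalate(hosts_affected=3, sensitive_data_exposed=True, when=t0 + timedelta(minutes=30))
    inc.advance("contained", t0 + timedelta(hours=2), "host isolated from network")
    inc.advance("eradicated", t0 + timedelta(hours=6), "malware removed, credentials rotated")
    inc.advance("recovered", t0 + timedelta(hours=9), "service restored from clean image")
    return inc.postmortem()


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The ordering check is the point of the design: because `advance` only accepts the next phase and monotonic timestamps, the timeline cannot quietly record a recovery that preceded containment, and the time-to-contain and time-to-recover figures the postmortem reports are trustworthy inputs for the improvements the article calls for.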

Organizations can gain several benefits from creating a formal CSIRT program, which establishes a central point of contact for incidents, security-related policies, standards and frameworks. On the front end, a CSIRT provides visibility into existing risks through proactive discovery and risk assessment. An effective team can better detect and respond to an incident and reduce recovery times.

If an incident occurs, a trained team has the specialized skills to handle it, including tracking activities for efficient analysis and reporting, such as evidence needed by the legal department. The benefits of an effective CSIRT can range from cost savings and increased system availability to increased brand trust and customer retention.

Peter Ridgley is managing partner and national practice lead for OpenSky’s governance, risk and compliance consulting practice. He has more than 14 years’ experience in network engineering, information security and risk management.