Protect Your Company With a CSIRT
Posted 2012-09-20
An effective computer security incident response team (CSIRT) can help your organization protect critical assets and data and lower risks by increasing awareness and creating controls.
To create a better CSIRT, companies must identify team members and establish responsibilities. The team should include IT, security, legal, internal audit, business units and communications. Then train the team to understand its responsibilities and procedures and to operate effectively. Often overlooked, but equally important, is the need for corporate awareness training and campaigns to promote an overall security-conscious culture.
An effective CSIRT provides “assistance and information to help prepare, protect and secure constituent systems in anticipation of attacks, problems or events,” according to the CERT Coordination Center. The team can create tools and procedures for response management; develop awareness training for the entire company; create a technology watch; employ intrusion detection services; and disseminate security-related information.
Detect and Report Incidents.
Detecting and reporting incidents is an important role of the CSIRT to ensure that incidents are properly reported, triaged and escalated for treatment when they occur. Detection is conducted through technology as well as physical means. Reporting includes internal and external resources.
Contain, Eradicate, Recover.
Core reactive services provided by a CSIRT are “triggered by an event or request, such as a report of a compromised host, wide-spreading malicious code, software vulnerability, or something identified by an intrusion detection or logging system,” per the CERT-CC. The team stops the condition from worsening, removes the source condition and returns systems to normal operating levels. In this phase, the team manages alerts and warnings, incident response and analysis, and vulnerability handling and analysis.
Assess and Improve.
A CSIRT’s most important service is to incorporate lessons learned into process changes to correct identified errors or inefficiencies. The team should conduct a postmortem of the incident, evaluating the actions, tools used, teams involved, timeline, costs, root cause(s) and other factors involved. This evaluation aims to improve future response capabilities and communications, reduce the time and cost of returning to normal after an incident, and prevent future incidents.
Organizations can gain several benefits from creating a formal CSIRT program, which establishes a central point of contact for incidents, security-related policies, standards and frameworks. On the front end, a CSIRT provides visibility into existing risks through proactive discovery and risk assessment. An effective team can better detect and respond to an incident and reduce recovery times.
If an incident occurs, a trained team has the specialized skills to handle it, including tracking activities for efficient analysis and reporting, such as the evidence needed by the legal department. The benefits of an effective CSIRT can range from cost savings and increased system availability to increased brand trust and customer retention.
Peter Ridgley is managing partner and national practice lead for OpenSky’s governance, risk and compliance consulting practice. He has more than 14 years’ experience in network engineering, information security and risk management.