Building an effective computer security incident response team
- Published: Friday, 25 January 2019 08:48
As the volume and variety of cyber attacks on businesses continue to grow, the need for better incident response has never been greater. Stephen Moore discusses how to build an effective CSIRT and the role it can play in protecting an enterprise in the event of a breach.
A few years ago, the idea of a dedicated computer security incident response team (CSIRT) may have seemed luxurious. Fast forward to the present day and for many it’s become essential. A CSIRT differs from a traditional security operations centre (SOC), which focuses purely on threat detection and analysis. Instead, a CSIRT is a cross-functional response team, consisting of specialists who can deal with every aspect of a security incident, including members of the SOC team. The effort could include the technical aspects of a breach, assisting legal, managing internal communications, and even creating content for those who must field media enquiries.
Key roles and responsibilities within a CSIRT
In addition to the conventional duties of a SOC, a CSIRT must also fulfil a variety of non-technical, but equally important roles and responsibilities. This requires a much wider set of skills, and getting the right balance of personnel is key. Some members may be full-time, while others are only called in occasionally, but they will all bring key skills to the table if and when they are needed.
At a minimum, an effective CSIRT will contain the following members:
- Executive sponsor: this leadership role is typically fulfilled by the CIO or CISO and involves promoting the work of the CSIRT internally and reporting back to the board to ensure the team’s continued support at the highest levels.
- Lead investigator: this technical resource, such as a security analyst or dedicated incident responder, is responsible for investigating any security incident that may occur. The lead investigator often works with an extended team of security analysts and forensic investigators.
- Incident manager: usually a manager or equivalent, they are responsible for coordinating the CSIRT, calling meetings and escalating issues to higher levels as needed.
- Legal: the legal representative advises on the need to disclose incidents and deals with any of the resulting legal fallout, such as employee or shareholder lawsuits and privileged communications.
- Communications/PR: ideally a member of the corporate communications team, their job is to field media enquiries, monitor social media channels and lead all communications about an incident with employees, partners and customers.
- Human resources (HR): this HR representative is responsible for managing all personnel-related issues, including disciplinary action if required.
The importance of developing an effective incident response plan (IRP)
Creating a comprehensive written IRP is one of the first and most important tasks for any CSIRT. Not only should this document be easy to locate, it should also be simple for all members to understand and follow in the heat of a crisis. An effective IRP must be clear, concise, and accurately reflect the behaviour of the team.
Defining the roles and responsibilities of CSIRT members is a key first step, along with assigning a back-up for each role in case someone is unreachable at the critical moment. It should be no surprise that adversaries are known for carrying out attacks outside business hours, during weekends, or in the holidays, when resources are spread thinly and customers are less diligent about monitoring their online purchases. For this reason, it’s important to ensure that CSIRT staff are dispersed geographically where possible, and that on-call coverage is well communicated. This provides round-the-clock coverage for as many roles as possible.
The next steps should include:
- Cataloguing all critical business assets: map out systems and intellectual property. Understand the value of source code or web properties. Know the financial impact of a business system outage. Note: this is a task for non-security staff, driven by the CSIRT.
- Agreeing a communications plan and protocol: establish how the team will communicate both among themselves and with wider stakeholders in the event of a breach.
- Creating pre-emptive communications: list all potential incidents, such as theft of customer data, critical system compromise etc., and draft potential statements, press releases and tweets in advance. Once drafted, they should be vetted and approved by the legal team, saving significant time in a real emergency situation.
- Conducting drills: there are many things that can go wrong in a crisis, particularly if people don’t know what they’re doing. Drills will not only highlight potential issues, but give the team more confidence.
- Refining existing plans and processes: ultimately, all CSIRTs learn best from experience. Continually collecting feedback and refining existing plans and processes over time is a critical part of the process. This often means making adjustments to the IRP, and can even mean substituting team members.
In the modern business landscape security incidents are inevitable. How organizations deal with these incidents will largely be down to the effectiveness of the CSIRT they have in place at the time. This article provides some of the fundamental building blocks for a strong and competent CSIRT, but ultimately its effectiveness will be decided by the commitment and investment of each individual organization.
Stephen Moore is chief security strategist at Exabeam.