[BreachExchange] Building an effective computer security incident response team

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jan 25 18:42:23 EST 2019


https://continuitycentral.com/index.php/news/technology/3670-building-an-effective-computer-security-incident-response-team


A few years ago, the idea of a dedicated computer security incident
response team (CSIRT) may have seemed luxurious. Fast forward to the
present day and for many it’s become essential. A CSIRT differs from a
traditional security operations centre/center (SOC), which focuses purely
on threat detection and analysis. Instead, a CSIRT is a cross-functional
response team, consisting of specialists that can deal with every aspect of
a security incident, including members of the SOC team. The effort could
include the technical aspects of a breach, assisting legal, managing
internal communications, and even creating content for those that must
field media enquiries.

Key roles and responsibilities within a CSIRT

In addition to the conventional duties of a SOC, a CSIRT must also fulfil a
variety of non-technical, but equally important roles and responsibilities.
This requires a much wider set of skills, and getting the right balance of
personnel is key. Some members may be full-time, while others are only
called in occasionally, but they will all bring key skills to the table if
and when they are needed.

At a minimum, an effective CSIRT will contain the following members:

Executive sponsor: this leadership role is typically fulfilled by the CIO
or CISO and involves promoting the work of the CSIRT internally, reporting
back to the board to ensure the team’s continued support at the highest
levels.

Lead investigator: this technical resource, such as a security analyst or
dedicated incident responder, is responsible for investigating any security
incident that may occur. The lead investigator often works with an extended
team of security analysts and forensic investigators.

Incident manager: usually a manager or equivalent, they are responsible for
coordinating the CSIRT, calling meetings and escalating issues up to higher
levels as needed.

Legal: the legal representative advises on the need to disclose incidents
and deals with any of the resulting legal fallout, such as employee or
shareholder lawsuits and privileged communications.

Communications/PR: ideally a member of the corporate communications team,
their job is to field media enquiries, monitor social media channels and
lead all communications about an incident with employees, partners and
customers.

Human resources (HR): this HR representative is responsible for managing
all personnel-related issues, including disciplinary action if required.

The importance of developing an effective incident response plan (IRP)

Creating a comprehensive written IRP is one of the first and most important
tasks for any CSIRT. Not only should this document be easy to locate, it
should also be simple for all members to understand and follow in the heat
of a crisis. An effective IRP must be clear, concise, and accurately
reflect the behaviour of the team.

Defining the roles and responsibilities of CSIRT members is a key first
step, along with assigning a back-up for each role in the event of someone
being unreachable at the critical moment. It should be no surprise that
adversaries are known for carrying out attacks outside business hours,
during weekends, or in the holidays when resources are spread thinly and
customers are less diligent about monitoring their online purchases. For
this reason, it’s important to try to ensure that CSIRT staff are dispersed
geographically if possible, and that on-call coverage is well communicated.
This ensures round-the-clock coverage for as many roles as possible.

The next steps should include:

- Cataloguing all critical business assets: map out systems and
intellectual property. Understand the value of source code or web
properties. Know the financial impact of a business system outage. Note:
this is a task for non-security staff, driven by the CSIRT.
- Agreeing a communications plan and protocol: establish how the team will
communicate both with themselves and wider stakeholders in the event of a
breach.
- Creating pre-emptive communications: list all potential incidents, such
as theft of customer data, critical system compromise etc., and draft
potential statements, press releases and tweets in advance. Once drafted,
they should be vetted and approved by the legal team, saving significant
time in a real emergency situation.
- Conducting drills: there are many things that can go wrong in a crisis,
particularly if people don’t know what they’re doing. Drills will not only
highlight potential issues, but give the team more confidence.
- Refining existing plans and processes: ultimately, all CSIRTs learn best
from experience. Continually collecting feedback and refining existing
plans and processes over time is a critical part of the process. This often
means making adjustments to the IRP, and can even mean substituting team
members.

In the modern business landscape, security incidents are inevitable. How
organizations deal with these incidents will largely be down to the
effectiveness of the CSIRT they have in place at the time. This article
provides some of the fundamental building blocks for a strong and competent
CSIRT, but ultimately its effectiveness will be decided by the commitment
and investment of each individual organization.