It is unfortunate when large Fortune 500 companies do not have a Computer Security Incident Response Team (CSIRT). On some occasions, their CSIRT consists of one part-time employee. This is why it is extremely important to have management support when creating a CSIRT. It is difficult and problematic to create a CSIRT without management approval and support. Also, the support needed goes beyond budget and money. It includes executives, managers, and their staffs committing time to participate in the planning and improvement processes. Furthermore, it is equally crucial to get management commitment to empower the CSIRT. How good is a CSIRT if it does not have the authority to make an emergency change within the infrastructure when the organization is under attack or is a victim of an outbreak?
Note: CSIRTs operate differently depending on the organization, its staff, their expertise, and budget resources. Nevertheless, the best practices described in this chapter apply, generally, to any organization.
Who Should Be Part of the CSIRT?
Finding and retaining qualified security professionals is challenging. It can also be a struggle for organizations to justify additional headcount, especially for network security. Traditionally, information technology (IT) expenses are justified based on return on investment (ROI) and productivity metrics. Security, on the other hand, has historically been viewed as an additional cost. The opinion of many executives is changing, as organizations discover that better network security makes business transactions safer and reduces a big-ticket item—liability.
In some cases, additional headcount is needed to create a formal CSIRT within an organization. However, on many occasions, the CSIRT can comprise staff from different departments within an organization. For example, an organization can have representatives from IT, Information Security (InfoSec), and engineering as part of the CSIRT. The decision of whether to hire new staff or develop an in-house team depends on your organizational needs and budget. Clearly identify who needs to be involved at each level of CSIRT planning, implementation, and operation. One of the most challenging tasks is identifying the staff who will perform security incident response functions.
In addition, identify which internal and external organizations will interface with the CSIRT. Evangelize and communicate the CSIRT responsibilities accordingly.
A question that many engineers, managers, and executives commonly ask is this: what skills should the CSIRT staff possess? The answer certainly goes beyond the in-depth technical expertise that a CSIRT contributor must have. Communication skills—both written and oral—are a plus. CSIRT personnel must be able to communicate effectively to ensure that they obtain and supply the necessary and appropriate information. This leads to two other critical qualities: the ability to respect confidentiality and integrity, both of which are crucial. Other key skills include:
Handling stressful situations competently
Problem solving/troubleshooting skills
Working with teams effectively
Handling situations diplomatically
Note: CERT has a section within its website dedicated to information about CSIRTs:
My customer has integrated ISE and Stealthwatch SMC and is looking for automatic user notification after being quarantined from SMC.
Is it possible to send email notification?
Can we do portal (like Hotspot or static web page) redirection?