It is unfortunate when large Fortune 500 companies do not have a Computer Security Incident Response Team (CSIRT). On some occasions, their CSIRT consists of one part-time employee. This is why it is extremely important to have management support when creating a CSIRT. It is difficult and problematic to create a CSIRT without management approval and support. Also, the support needed goes beyond budget and money. It includes executives, managers, and their staff committing time to participate in the planning and improvement processes. Furthermore, it is equally crucial to get management commitment to empower the CSIRT. How good is a CSIRT if it does not have the authority to make an emergency change within the infrastructure when the organization is under attack or a victim of an outbreak?
Note: CSIRTs operate differently depending on the organization, its staff, their expertise, and budget resources. Nonetheless, the best practices described in this chapter apply, generally, to any organization.
Who Should Be Part of the CSIRT?
Finding and retaining qualified security professionals is challenging. It can also be a struggle for organizations to justify additional headcount, especially for network security. Traditionally, information technology (IT) expenses are justified based on return on investment (ROI) and productivity metrics. On the other hand, security has historically been viewed as an additional cost. The opinion of many executives is changing, as organizations discover that better network security makes business transactions safer and reduces a big ticket item—liability.
In some cases, additional headcount is needed to create a formal CSIRT within an organization. However, on many occasions, the CSIRT can comprise staff from different departments within an organization. For example, an organization can have representatives from IT, Information Security (InfoSec), and engineering as part of the CSIRT. The decision of whether to hire new staff or develop an in-house team depends on your organizational needs and budget. Clearly identify who needs to be involved at each level of the CSIRT planning, implementation, and operation. For instance, one of the most challenging tasks is identifying the staff who will be performing security incident response functions.
In addition, identify which internal and external organizations will interface with the CSIRT. Evangelize and communicate the CSIRT responsibilities accordingly.
A question that many engineers, managers, and executives commonly ask is this: what skills should the CSIRT staff possess? The answer certainly goes beyond the in-depth technical expertise that a CSIRT contributor must have. Communication skills—both written and oral—are a plus. The CSIRT personnel must be able to communicate effectively to ensure that they obtain and supply the necessary and appropriate information. This leads to other critical qualities: the ability to respect confidentiality and to act with integrity. These are obviously crucial, because CSIRT members handle sensitive information about incidents and the organization. Other key skills include:
Handling stressful situations competently
Problem solving/troubleshooting skills
Working with teams effectively
Handling situations diplomatically
Note: CERT has a section within its website dedicated to information about CSIRTs: