5 Best Practices for Creating an Effective Computer Security Incident Response Team (CSIRT)

74

By: Stephen Moore, Exabeam Chief Security Strategist

In many organizations, a computer security incident response team (CSIRT) has become essential to deal with the growing number and increasing sophistication of cyber threats. Unlike a security operations center (SOC) —a dedicated group with the tools to defend networks, servers, and other IT infrastructure—a CSIRT is a cross-functional team that bands together to respond to security incidents. Some members may be full-time, while others are only called in as needed.

Unlike a SOC, the comprehensive response provided by an incident response team reaches beyond the technical actions taken to remediate an incident. It includes recommending changes to systems or organizational practices to protect against future incidents. Plus, it includes non-technical responsibilities, such as managing internal communications, status reporting, assisting counsel, and handling personnel issues in the event an incident resulted from insider actions.

Five Best Practices for Creating Your Incident Response Team

Creating an effective incident response team involves different processes and talent compared to establishing a SOC. In this blog, we will review ten effective best practices, leveraging the latest techniques and technologies.

  1. Build a friendly team

Part of building an effective CSIRT is educating your entire organization about its critical, cross-functional nature. Every team member needs to understand the value of complementary skills and roles. This helps eliminate friction between, for example, technical members in the SOC and nontechnical CSIRT members.

  1. Recruit an effective advocate or executive sponsor

This should be a staff member at the level of a CISO or executive staff member who can effectively communicate the impact of an incident to other executives, as well as to board members. This person is also responsible for ensuring that the incident response team receives appropriate attention, a workable budget, and retains the authority to act swiftly during a crisis.

  1. Define key roles and recruit from across the organization

The cross-functional team members should include:

  • An Incident Manager who can work across the organization, call meetings, and hold team members accountable for their action items. This person rolls up findings before communicating incidents to the company.
  • A Lead Investigator, such as a security analyst or dedicated SOC incident responder who takes charge of investigating a security incident.
  • A Communication and Public Relations specialist who handles everything from fielding press enquiries to communicating to employees and monitoring social media.
  • A Lead Legal/Privacy expert such as your general council or a deputy legal team member, who advises on issues. An example is the need to disclose a breach or deal with potential legal impacts of a security incident.
  1. Create a deep bench based on realistic IT budgets

Since security incidents can occur at any time, you will need to have CSIRT staff geographically dispersed to ensure someone will be available 24/7. If you can’t “follow the sun,” then the next-best option is to implement shifts comprised of those who are trained and qualified to lead an incident. You should also have redundancy through cross-training for each CSIRT member and their role.

However, few IT organizations have the budget to staff to this ideal level. So, as part of this best practice, plan for real-world staffing limitations before an incident occurs. Job shadowing and cross-training also help.

  1. Insulate team members from distractions

Security incidents can be intense; the effort required for breach response could take years. CSIRT members may experience burnout from responding to an ongoing deluge of audits, legal needs, HR requests, various daily fires to put out, and so on. So, while your incident response team needs to be “friendly,” they should also practice distraction avoidance. This requires isolation from unplanned external requests as well as establishing a process for work intake.

Using these capabilities gives your CSIRT repeatability. It enables you to define a preapproved set of actions or playbooks to deal with an attack or other incident. And since CSIRT actions are cross-functional, they should include all aspects of negative event response—from locking down an impacted system, to inbox cleanup, and rapid communication to impacted stakeholders. This makes the response much friendlier—or eliminating the “scary” aspect of automated responses.