Question

Discuss ways organizations have built a CSIRT. What are the components of building an effective and successful CSIRT team?

Answer #1

Hey,

Note: If you have any queries related to the answer please do comment. I would be very happy to resolve all your queries.

1. Build a friendly team.

Part of building an effective CSIRT is educating your entire organization about its critical, cross-functional nature. Every team member needs to understand the value of complementary skills and roles. This helps eliminate friction between, for example, technical members in the SOC and nontechnical CSIRT members.

2. Recruit an effective advocate or executive sponsor.

This should be a staff member at the level of a CISO or executive staff member who can effectively communicate the impact of an incident to other executives, as well as to board members. This person is also responsible for ensuring that the incident response team receives appropriate attention, a workable budget, and retains the authority to act swiftly during a crisis.

3. Define key roles and recruit from across the organization.

The cross-functional team members should include:

  • An Incident Manager who can work across the organization, call meetings, and hold team members accountable for their action items. This person rolls up findings before communicating incidents to the company.
  • A Lead Investigator, such as a security analyst or dedicated SOC incident responder who takes charge of investigating a security incident.
  • A Communication and Public Relations specialist who handles everything from fielding press enquiries to communicating to employees and monitoring social media.
  • A Lead Legal/Privacy expert such as your general counsel or a deputy legal team member, who advises on issues. An example is the need to disclose a breach or deal with potential legal impacts of a security incident.

4. Create a deep bench based on realistic IT budgets.

Since security incidents can occur at any time, you will need to have CSIRT staff geographically dispersed to ensure someone will be available 24/7. If you can’t “follow the sun,” then the next-best option is to implement shifts comprised of those who are trained and qualified to lead an incident. You should also have redundancy through cross-training for each CSIRT member and their role.

However, few IT organizations have the budget to staff to this ideal level. So as part of this best practice, plan for real-world staffing limitations before an incident occurs. Job shadowing and cross-training also help.

5. Insulate team members from distractions.

Security incidents can be intense; the effort required for breach response could take years. CSIRT members may experience burnout from responding to an ongoing deluge of audits, legal needs, HR requests, various daily fires to put out, and so on. So, while your incident response team needs to be “friendly,” they should also practice distraction avoidance. This requires isolation from unplanned external requests as well as establishing a process for work intake.

6. Make incident response a shared responsibility.

When building the team structure, never put team members in a position where they simply throw an incident over the wall—either from the SOC to the CSIRT, or vice versa.

7. Clearly establish roles and responsibilities as nonlinear.

The SOC and CSIRT need to work in parallel, co-owning problems. They will require feedback loops for observations, ongoing investigative support, and technical recommendations. This helps the work of the incident response team extend beyond simply responding to incidents. It involves learning why incidents occur, then cascading that information through the organization to help prevent similar future incidents.

Kindly revert for any queries

Thanks.
