Вы находитесь на странице: 1из 8

Seven Steps to Creating an Effective Computer

Security Incident Response Team


11 January 2012 ID:G00225512
Analyst(s): Rob McMillan, Andrew Walls

VIEW SUMMARY
A carefully managed incident response team, designed to meet specific organizational circumstances,
is a vital component of an organization's defense. A phased approach to the creation of the team will
ensure optimal effectiveness.

Overview
An effective computer security incident response team (CSIRT) is the result of planning, preparation
and training. Chief information security officers (CISOs) and other key security decision makers should
follow a phased approach in developing and maintaining a CSIRT that will identify, contain, escalate,
investigate and remediate incidents in a timely and efficient manner.

Key Findings

A CSIRT the entity that "owns" an organization's security incident response functions is
an integral component of an effective security program. Nonetheless, many organizations either have
no CSIRT in place, or have not established workable goals or procedures for the team.
CSIRTs require the involvement and support of individuals and roles beyond the information
security and IT organizations. Most are actually "virtual teams," with members who can be called on
as needed for specific skill sets.
Part-time responders cannot be successful without adequate management support for training
and the ability to leave their normal jobs on demand.
The CSIRT's activities impact many different functional areas and operate across
organizational and geographical boundaries. For this reason, the commitment and support of many
different stakeholders including senior management are crucial to the team's success.
A phased approach to development and implementation will enable organizations to best
assess their needs and implement a CSIRT that will satisfy all stakeholders' needs, and use available
resources effectively.

Recommendations

Identify key executive stakeholders, such as those in lines of business, risk, HR and
communications, and gain their explicit support for the goals of the CSIRT and its budgetary and
cultural support.
Incorporate your response and escalation plan into your corporate policy to establish the
CSIRT authority to do whatever is necessary to protect the organization, conduct an investigation, and
ensure that CSIRT staff acting within their authority are protected from corporate politics and legal
actions.
Build reporting into all facets of operations, including regular reporting on all activity detected
this provides context when incidents occur.
Include your virtual team in regular training drills, using a variety of techniques and scenarios.
TABLE OF CONTENTS
CONTENTS

o
o

Analysis
The CSIRT: The Key to Managing Today's Security Incident and Tomorrow's
Seven Steps to Creating an Effective CSIRT
Step 1. Define Context and Scope
Step 2. Establish a Governance Structure
Step 3. Identify and Acquire Necessary Resources
Step 4. Define Processes
CSIRT Process Phases

Step 5. Assemble a Toolkit


Step 6. Establish Detection Capabilities
Human Sources
Technical Sources
Step 7. Validate the Process

TABLES
Table 1.
CSIRT Skill Sets
Table 2.
Tool Categories

Analysis
The CSIRT: The Key to Managing Today's Security Incident and Tomorrow's
The CSIRT is an entity that "owns" an enterprise's security incident response functions their
definition, execution and improvement. A capable CSIRT, with adequate executive support, funding
and other resources, is an integral component of any information security program.
Gartner client interactions show, however, that many enterprises have no CSIRT in place, have poorly
defined goals for the team or follow inconsistent procedures. These problems can dramatically reduce
the security organization's effectiveness in responding to future information security incidents, and
lack of planning may expose the enterprise to serious legal or regulatory liability.
Enterprises at a low level of security maturity view the goal of incident response as simply to recover
from the incident, paying minimal attention to "secondary" functions, such as evidence collection,
analysis and postmortem reporting. In the long term, this approach will almost certainly result in more
security incidents, not fewer, because their root causes are not identified, and infrastructure and
process management are not improved. Moreover, disclosure laws in some jurisdictions compel
enterprises to carefully analyze data that may have been leaked.
A CSIRT does not need to be a full-time team of investigators and technical experts. CSIRTs are often
"virtual teams," with members who can be called on when a particular incident requires their specific
skill sets. A structure of this type reduces the team's staffing costs and enhances the flexibility of the
team, but also presents skills development challenges (for example, the difficulty of bringing team
members together for practice exercises). The team's membership must be flexible and agile enough
to allow the CSIRT to respond to specific issues that may emerge in the course of an incident, which
may require that other personnel be called on to assist the regular members. The team requires at
least some dedicated full-time members, and the other virtual team members (part-time or on-call)
must have adequate training.
The creation of an agile and effective CSIRT requires a phased approach that simultaneously develops
the team's technical, managerial and procedural capabilities and the organizational support for it.
Incident response is a discipline that touches on many different functional areas and operates across
organizational and geographic boundaries. Gartner's seven-step approach provides opportunities for
feedback from the many stakeholders and participants in incident response, and allows for continuous
improvement throughout the development process (see Note 1).
Table of Contents

Seven Steps to Creating an Effective CSIRT


Step 1. Define Context and Scope
A clearly defined context, purpose and scope focus the development of the CSIRT, ensure that the
program meets internal and external requirements, set appropriate expectations, and establish
support from senior leadership.
Context: A CSIRT cannot function in isolation. It depends on internal, outsourced and external
functions, and needs to provide support to other organizations within the enterprise. The
administrative "home" of the CSIRT must be defined, usually within the security team, because this

fundamental decision affects many of the other steps in the process. Establishing other contextual
relationships for the CSIRT will help to define its operating model and build organizational support.
These relationships may include dependencies on network support teams or technology outsourcing
providers, and the provision of services to customer channels and other outside entities (see "Six
Decisions You Must Make To Prepare for a Security Incident"). The extent and implications of team
interactions with external organizations for example, the Forum of Incident Response and Security
Teams (FIRST) must be determined and defined.
Scope: The scope of the team's activities will be determined by its context and purpose. Gartner's
phased approach assumes that the CSIRT and its clients are internal. If third-party providers are used
for business processing, technology support or other services, it may be necessary to determine
whether the CSIRT will have accountability for executing core functions on behalf of the providers,
coordinate or oversee provider security responses, or play some other role in ensuring adequate
provider response to an incident. The CSIRT must, of course, cooperate with other operational teams
within the enterprise. Clear definitions of responsibility and points of coordination between teams are
essential to ensuring that functional gaps and territorial conflicts that could diminish the CSIRT's
effectiveness are avoided.
Core CSIRT functions may include:
Event monitoring and identification Monitoring of logging infrastructure to identify
events of interest, and identify and conduct early assessment of events that may constitute security
incidents (for example, security information and event management [SIEM] tools and other
information sources).
Incident management Command and control of actions directly required to coordinate
work and manage an incident to its completion.
Forensic analysis and evidence collection Collation, cataloging and protection of
material used in support of decisions made during the incident, as well as research, disciplinary and
legal activities following the incident.
Other functions may include:
Communication Communication with internal personnel, including impacted business
process owners (but not the public or external entities, which should be managed by the corporate
communications or public relations organization).
Investigation Investigation of potentially inappropriate activities by personnel (including
security personnel or CSIRT members), which makes it critical that the team include a human
resources (HR) member to reduce the potential for conflict of interest.
Legal support Action to help the organization deal with potential legal or other liability (for
example, through the exposure of confidential data and trade secrets, theft of funds, loss of private
data or implied breach of contract), which requires a clearly defined relationship with legal counsel and
internal legal mechanisms that give the CSIRT team the authority and flexibility to make decisions
according to organizational priorities (see "Toolkit: Security Incident Response Preparation") and
provide protections for the team if good-faith mistakes are made.
Service management Service commitments that may be affected by a security incident
(for example, unscheduled outages for system repair and patch application, or external review/audit)
and result in business or financial impact, which may become critical in heavily outsourced
environments.
Customer service Managing the impact of security incidents on customer service, which
will probably involve a dedicated customer service team and marketing or public relations personnel.
Whether ancillary teams have individuals formally identified as part of the CSIRT or whether the
CSIRT is tasked with providing supporting service to those teams will depend on enterprise-specific
requirements. It is important to note that many of these elements will also be considered during the
development of business continuity plans, and possibly IT disaster recovery plans, as well, and the
CSIRT's role should be consistent with these plans.
Table of Contents

Step 2. Establish a Governance Structure

The CSIRT's authority must be clearly established by a defined governance structure that is supported
by documented policies and oversight by a governance committee. The committee should not be
confined to IT leaders and other technologists, but should also include business, operational risk and
audit representation (for example, from the corporate audit committee).
The governance committee should have oversight of some elements of team administration, such as
structure, critical personnel, funding, and policies and procedures, particularly regarding escalation
criteria. Escalation criteria are especially important in large organizations where command and control
of an incident that is formally escalated to a crisis may transition from the CSIRT or middle
management to senior management. It is particularly important in these environments that the
requirements for adherence and support for the incident response process and delegation be
enshrined in policy.
The team's governance structure should include regular, required reporting whose content and
frequency are determined by the committee, as well as postincident reporting after all high-severity
incidents.
The governance committee should also ensure oversight of the CSIRT's communications plan,
including communications during an incident and ongoing communications not related to specific
incidents. This should include defining triggers for, and content of, messages to ensure that they are
adequate and appropriate.
Table of Contents

Step 3. Identify and Acquire Necessary Resources


The success of the CSIRT will depend heavily on the allocation and availability of appropriate
resources, in two key areas:
Personnel: It is impossible to anticipate all the skills that will be required to successfully manage all
security incidents. Core roles and skill sets can and should be defined in advance, through a gap
analysis, but the CSIRT's structure should anticipate that new skills and capabilities may be required,
particularly as new technologies are deployed and the enterprise evolves. Some of the personnel
required may come from outside the IT organization (see Table 1).
Function

Description

Technical Systems
Knowledge

Knowledge of enterprise systems and platforms (important in establishing dependencies)

Technical Artifact Analysis

The ability to obtain and analyze log information, malware examples and other evidence

Investigative Process
Capabilities

Skills in all aspects of incident investigation, including evidence management, journal maintenance,
risk escalation, surveillance and team coordination

Intelligence Analysis
Capabilities

The ability to collate and analyze intelligence information

Incident Supervision

The ability to manage incidents capably

Communications
Management

The ability to delivery accurate, timely communication concerning ongoing incidents and incident
outcomes

Public Relations and Media


Management

Skills in communicating with the public and other external parties

Law Enforcement Liaison

Knowledge of when and how to engage with law enforcement agencies

Legal and Compliance

The ability to identify and manage legal risks and instances when legal responses (for example,
criminal prosecution of other forms of litigation) are called for

HR Management

The knowledge and authority to ensure that appropriate HR processes are followed, particularly
regarding information concerning employee behavior or risks to privacy or health and safety

Planning and Evaluation

The ability to document and update the plan in a disciplined fashion and organize periodic testing

Table 1. CSIRT Skill Sets


Source: Gartner (January 2012)
The goal of the personnel/skill set gap analysis is to validate that there is an appropriate level of
expertise within each sphere of CSIRT responsibilities. If the necessary skill sets cannot be identified

within the enterprise, contractors or service providers may be needed to supplement internal skills.
Due to the sensitivity of the information the CSIRT handles, members and outside parties should be
subjected to more-intense background security checks than usual.
Senior management must recognize that, during an incident response action, team members and
assigned respondents may need to shift priorities on short notice. CSIRT functions must always be
seen as a high priority, and personnel who perform these roles must not be penalized for their CSIRTrelated efforts.
Facilities: CSIRT members will require access to key systems, such as capabilities that are normally
available via network operations centers (NOCs) or security operations centers (SOCs). The team will
also need dedicated infrastructure, which may be protected from the rest of the enterprise, including
secure physical facilities, materials storage and dedicated computers, as well as specialized software
and hardware.
Redundancy in physical resources and technical systems (mobile phones, fixed-line telephones, fax
machines and, in extreme circumstances, radio communications) will ensure the continuity of CSIRT
operations when normal facilities and technology are corrupted or unavailable.
Table of Contents

Step 4. Define Processes

The CSIRT's operational processes must be clearly established. The CSIRT should not, for example,
become involved until an event has been identified as security-related and confirmed as an actual
security event as defined by enterprise-specific criteria. In some extreme cases, a security incident
may become so severe that it threatens the ongoing viability of the organization and becomes a crisis.
The management of a crisis often requires the active participation of management that is typically
more senior than that of the CSIRT (for example, the CEO and direct reports). Accordingly, the
process should include escalation criteria to identify when an incident is to be declared a crisis and
managed via crisis management procedures. It is imperative that this escalation protocol be tested at
the executive committee (CEO and direct-reports) level.
The CSIRT's process documentation must identify key roles and responsibilities to ensure that
decisions are made by the right people at the right time using the right information. An individual
managing an "everyday" incident, for example, will typically not need to be particularly senior.
However, if the incident is escalated to crisis level because it could involve material losses or even
more dramatic consequences higher-level involvement will likely be required. An optimal way to
achieve this transition is to have procedures recorded in the form of cross-functional flowcharts, which
also reinforces the importance of recruiting disciplined individuals who are dedicated to process.
CSIRT Process Phases
Various references outline proposed and reasonable processes for the management of an incident (see
Note 2). A generic process typically includes the following phases:
Detection
Assessment
Mitigation
Recovery
Postmortem
Event detection may occur by several means, and is not necessarily the sole responsibility of the
CSIRT. However, the CSIRT is generally responsible for the other phases.
The final phase postincident reporting to address the cause, scope, type and level of impact (shortand long-term) and resolution of the incident is crucial. The postmortem should also be used to
evaluate the effectiveness of the response and identify areas for continuous improvement. All
participants in the response should contribute to the postincident report, with an independent
colleague taking responsibility for preparing the report. All postmortem reports should use a common
format and include a set of action items that are tracked to optimize future operations.
The CSIRT should provide only "anonymized" management presentations of incident response
activities. It is not necessary to identify the individual employees involved as investigators,
perpetrators or suspects. Information concerning the identity and disposition of personnel involved in
incidents is the sole responsibility of the HR organization.

Table of Contents

Step 5. Assemble a Toolkit


The technical and other tools the CSIRT needs will vary widely, depending on the types of services to
be offered, the infrastructure being managed and any outsourcing arrangements that are in place (see
Table 2). The enterprise may already have deployed some of these tools for other purposes. The
CSIRT should seek to leverage existing investments in tools whenever possible to maximize the costeffectiveness of the CSIRT operation and to take advantage of available skills.
Function

Tool Categories

Monitoring and Detection

SIEM
Database activity monitoring
Data loss prevention (DLP)
Anti-malware
Intrusion prevention system (IPS) (application, host and network)
Fraud monitoring and prevention

Incident Management

Case management
Ticketing and tracking system
Database for data storage
Knowledge base

Forensics

Disk/network forensics tools


Network protocol analyzer
Change management records
Malware analysis tools

Technology Support

Notebook computers
Network island separated from production environments
Communications tools (e.g., phones)

Table 2. Tool Categories


Source: Gartner (January 2012)
Some of these tools will be dedicated to the CSIRT (for example, forensics tools), but many (for
example, intrusion detection system [IDS]/IPS and DLP tools) are likely to be managed by other
teams or by shared systems (such as case management systems).
The tools the CSIRT requires will be used in an uncertain operational environment one that may
have been compromised so it is important that the enterprise be able to assert with confidence that
they are reliable and can preserve evidence in an untainted fashion. This may become crucial as the
consequences of an incident are realized during commercial negotiation or legal proceedings.
CSIRT members must receive training on the tools and techniques they are expected to use. Training
for the tools is usually available from the vendor. External training resources for CSIRT operations are
available from organizations such as regional computer emergency response teams (CERTs), the CERT
Coordination Center and commercial entities (see Note 2).
Table of Contents

Step 6. Establish Detection Capabilities


The rapid detection of potential incidents is critical to early identification and response. (Forewarning
of planned incident activity is, of course, ideal, but it is difficult to achieve.) Any incidents affecting
competitors, business partners or customers should be assessed for possible implications for the
enterprise. Third-party intelligence services can also be highly beneficial for providing new information
or insight (see "How to Select a Security Threat Intelligence Service").
Detection capabilities should not be restricted to technical sources within the enterprise. High-quality
intelligence will usually be a blend of information from human and technical sources.
Human Sources
Human sources are often the trigger for the detection of particularly important or damaging incidents.
The establishment of a whistleblower capability will enable personnel to report incidents without fear
of retribution (and, in some jurisdictions, guarantee legal protections for the whistleblower).

In many cases, individuals may not recognize an event as a security incident, but may simply see a
technical anomaly and contact the help desk. For this reason, scripts for help desks and call centers
should include questions that may trigger a CSIRT response.
Technical Sources
Technology is one of the key sources if not the key source of security information. However, it is
important to understand that the role of the CSIRT is to manage the incident as a business event, not
purely as a technical event. The CSIRT must liaise with IT managers to establish clear guidelines for
analysis of technical system outputs in order to filter, identify and escalate evidence of possible
incidents. The CSIRT is not responsible for operating security monitoring systems (such as SIEM or
IPS), but should be informed of alerts generated by these and other systems.
Table of Contents

Step 7. Validate the Process

All CSIRT processes must be validated, to ensure that they are adequately documented, that all
participants understand their roles, that all participants have the requisite skills and that the available
tools are appropriate for the team's purposes.
This validation may be performed as:
A tabletop exercise specifically formulated for the purpose of working through the CSIRT basic
procedure (see "Tutorial: How to Plan and Run a Tabletop Training Exercise on Incident Response")
Part of regular business continuity testing, in which alternative operational arrangements are
tested
Part of regular crisis management testing at the senior management level
Part of industry exercises, such as the Cyber Storm exercises conducted within some
jurisdictions (an option that will likely only be available to large enterprises considered to be part of
critical national infrastructure)
Test exercises are easy to overlook, because they do not have the same level of urgency as the
enterprise's core business. However, neglecting this phase may leave the enterprise unprepared for a
security incident. For this reason, needed participants must participate in exercises. In heavily
outsourced environments, it may be necessary to incorporate participation as a contractual
requirement.

Table of Contents

STRATEGIC PLANNING ASSUMPTION


NOTE 1
SEVEN-STEP APPROACH
The steps Gartner recommends do not need to be implemented sequentially. Implementation will inevitably require that
some activities be implemented concurrently, and perhaps iteratively.

NOTE 2
RESOURCES FOR CSIRTS

A variety of public and commercial organizations provide a range of support services for CSIRTs, including:
CERT.org (www.cert.org/cert): The original CERT was formed at Carnegie Mellon University (CMU) in Pittsburgh,
Pennsylvania, and remains a major force in the CERT/CSIRT world. Its website provides numerous resources for CSIRTs,
including links to manuals, policy templates and training resources.
SANS (http://isc.sans.edu): The SANS Institute provides training in incident handling and forensic techniques,
and the website provides tools and resources for anticipation of analysis-of-attack activity.
US-CERT (www.us-cert.gov): The U.S. Department of Homeland Security, working in conjunction with the CMU
CERT, has developed a national, government-based CERT capability to coordinate national CERT efforts. The website
provides numerous resources and links.
CSIRT.org (http://csirt.org): This commercial organization provides a collection of materials and services,
including team training, incident escalation and investigation services and links to other online resources (such as
CERT.org).
FIRST (http://first.org): This membership-based organization provides a support service for CERTs and CSIRTs on
a global basis. FIRST members tend to be governmental organizations (for example, the U.S. Army CERT ACERT) and
major commercial enterprises (for example, GE-CIRT, General Electric's computer incident response team).

ACRONYM KEY AND GLOSSARY TERMS


CERT

computer emergency response team

CSIRT

computer security incident response team

DLP

data loss prevention

FIRST

Forum of Incident Response and Security


Teams

PS

intrusion prevention system

SIEM

security information and event


management