Offshoring Incident Response
A blog reader emailed the following question.
We recently had a CISO change, and in the process of doing an initial ops review and looking at organizational structure, one of the questions the new CISO has is about the viability of offshoring incident response... I would be very interested in your views on this matter, and would appreciate any feedback you can offer.
As background, I've been involved in incident response in many different capacities: top-level military CERT, managed security services provider, fly-away consultant, government contractor, independent consultant, and top-level corporate CIRT. In other words, I've worked in insourced and outsourced environments.
I strongly advocate insourced or internal, professional incident response teams. Many technical people fixate on the technical aspects of security, as you might expect. While technical expertise is critical, it is also critical to understand the client. Depending on the size and complexity of the client, it can take an external team weeks or months to acquire the necessary understanding of the client to make a real difference. Sure, an external team can probably perform great analysis if given the right details and context. However, doing something about it usually relies heavily on identifying and overcoming the various bureaucratic, cultural, financial, legal, and political challenges found in any suitably large organization. Therefore, I believe internal CIRTs are necessary for all organizations larger than a few hundred employees.
I believe it is appropriate and sometimes necessary to rely on outsourced incident response services when your organization meets one or more of these criteria during an incident.
- Your CIRT is nonexistent.
- Your CIRT is not staffed with enough people to meet the challenge at hand.
- Your CIRT is not technically equipped to meet the challenge at hand.
- Your CIRT needs help with a specific aspect of the challenge at hand.
- Your CIRT needs external assistance due to regulatory, compliance, or other legal issues.
Furthermore, when I read the term "offshoring" I get the sense that the question may involve hiring contractors who work for the organization permanently but report to their home contracting organization. In my experience any "cost savings" in such an arrangement are a figment of the accounting imagination. I recommend full-time employees be CIRT members.
Any thoughts from blog readers?
Comments
You would think doing a full certification and accreditation of a CIRT process/team would zap any of your cost savings.
yay me.
But *something* should be better than nothing. Actually taking a "Globalizing IT" course right now and the given advice for starting off an international work unit (and not have them call you every 20 minutes) is apparently to create 'atomic work' items.
But in a SOC environment?
I loathe the idea of defining every "signature" they should watch for in a "day-2-day" capacity... seems counter-intuitive.
I'm fighting a losing battle in requiring an actual analysis phase (especially determining the extent of the incident impact, both in terms of breadth of incident... this CIRT team tends to treat widespread outbreaks of malware as independent incidents instead of looking for commonalities, and in terms of the impact of data losses [I work in the personal finance industry]). This is due to contractual SLAs to 'close the call.' This then leads to no lessons learned and, more importantly, no data on the true impact of the incident [data exposed].
http://www.trusted-introducer.org/ti_process/accredit.html