Wednesday, July 14, 2010

Gartner on CSIRTs

I know some of you pay attention to what Gartner says, or more probably, your management does. I found this new report How to Build a Computer Security Incident Response Team by Jeffrey Wheatman, Rob McMillan, and Andrew Walls helpful if you need external validation from a source your management is likely to recognize. You need a Gartner account to breach the paywall.

I wanted to provide a few reasons why you might want to buy it and share it:

It is becoming increasingly common for auditors, regulators and other stakeholders to require organizations to formalize their responses to security events...

Even smaller organizations with limited legal and regulatory requirements can gain significant benefits in risk mitigation from the implementation of a basic security incident response team. Following the phased approach outlined in this research will guide clients on how to best assess their needs and implement a response team that will satisfy all stakeholders...

A competent and adequately resourced CSIRT is an important part of an organization's information security program. Many organizations either have nothing in place or follow inconsistent procedures.

In many organizations, the goal is to recover from an incident and get back up and running with minimal attention being paid to evidence collection, analysis or postmortem reporting.

Over the long term, this approach results in more security events, not fewer, as the organization is unable to discern the root causes of incidents and incorporate these lessons learned into improvements in infrastructure and process management.

Further, in those instances where an organization's individual experience is part of a broader incident affecting multiple organizations, this approach may result in added legal complexity and

That should help justify a CIRT. I was glad to see the following:

CSIRT staff will require access to key systems where required, such as capabilities that are normally available via network operations centers (NOCs) or security operations centers (SOCs).

The team will also require dedicated infrastructure, possibly protected from the rest of the organization, including secure physical facilities, material storage and dedicated
computers, as well as specialized software and hardware.

Redundancy in physical resources and technical systems is required to ensure CSIRT operations when normal facilities and technology are corrupted or unavailable. For example, CSIRT members should be able to access mobile telephones, fixed-line telephones, faxes and, in extreme circumstances, radio communications.

The need for separate infrastructure -- a "technology gap," as my team calls it -- is crucial. How can you defend vulnerable infrastructure using the same vulnerable infrastructure?

More on tools:

The key issue is that the CSIRT is likely to require tools in order to perform its function. Since these tools will be used in an uncertain operational environment (that is, one that is suspected or confirmed as having been compromised), it is important that the organization be able to confidently assert that these tools are reliable and preserve evidence in an untainted fashion...

In other words, the technology gap can also help a CIRT defend its evidence.

I found this interesting:

A variety of public and commercial organizations provide a range of support services for CSIRTs, including...

FIRST ( This membership-based organization provides a support service for CERTs and CSIRTs on a global basis. FIRST members tend to be governmental organizations (for example, the U.S. Army CERT — ACERT) and major commercial organizations (for example, GE-CIRT, General Electric's CIRT).

Wow, I guess we made the big time!

In conclusion, check out the Gartner document. It might help you. If anyone wants to post links to the myriad of other resources out there (FIRST, CERT/CC, etc.), link away. I don't feel like hunting down the results of a Google search for building an IRT. Thank you.


G. Silowash said...

Rather than try to get through the pay wall, I would check out the various free resources from the original creators of the CSIRT: CERT/CC. They are available here:

The Gartner name will grab the attention of management.

Rob Floodeen said...

I missed the research bit? I'd be interested in hearing any ideas on research (applied) that could be used to help teams/managers.


g33ks3cUr said...

Sort of relevant to the Redundancy in Physical resources....

FCC Okays Employee Participation in Emergency Drills

Moving with unaccustomed speed, the FCC adopted a Report and Order on July 14, allowing hams who are employed by both government agencies and non-government agencies such as hospitals, to participate in emergency and disaster drills on behalf of their employers. The ruling was based on a Notice of Proposed Rule Making, WP-10-72, issued this past March, in response to petitions arising from a strict interpretation by the FCC's Enforcement Bureau of the prohibition on amateurs communicating on behalf of their employers. The decision came just more than a month after the reply comment deadline.

The ruling added a new paragraph to Section 97.113(a)(3) of the FCC rules, which reads as follows:

(i) A station licensee or control station operator may participate on behalf of an employer in an
emergency preparedness or disaster readiness test or drill, limited to the duration and scope of such test or
drill, and operational testing immediately prior to such test or drill. Tests or drills that are not
government-sponsored are limited to a total time of one hour per week; except that no more than twice in
any calendar year, they may be conducted for a period not to exceed 72 hours.