SecurityCertified

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Saturday, February 20, 2010

Offshoring Incident Response

Posted on 6:24 AM by Unknown
A blog reader emailed the following question.

We recently had a CISO change, and in the process of doing an initial ops review and looking at organizational structure, one of the questions the new CISO has is about the viability of offshoring incident response... I would be very interested in your views on this matter, and would appreciate any feedback you can offer.

As background, I've been involved in incident response in many different capacities: top-level military CERT, managed security services provider, fly-away consultant, government contractor, independent consultant, and top-level corporate CIRT. In other words, I've worked in insourced and outsourced environments.

I strongly advocate insourced or internal, professional incident response teams. Many technical people fixate on the technical aspects of security, as you might expect. While technical expertise is critical, it is also critical to understand the client. Depending on the size and complexity of the client, it can take an external team weeks or months to acquire the necessary understanding of the client to make a real difference. Sure, an external team can probably perform great analysis if given the right details and context. However, doing something about usually relies heavily on identifying and overcoming the various bureaucratic, cultural, financial, legal, and political challenges found in any suitable large organization. Therefore, I believe internal CIRTs are necessary for all organizations larger than a few hundred employees.

I believe it is appropriate and sometimes necessary to rely on outsourced incident response services when your organization meets one or more of these criteria during an incident.

  • Your CIRT is nonexistent.

  • Your CIRT is not staffed with enough people to meet the challenge at hand.

  • Your CIRT is not technically equipped to meet the challenge at hand.

  • Your CIRT needs help with a specific aspect of the challenge at hand.

  • Your CIRT needs external assistance due to regulatory, compliance, or other legal issues.


Furthermore, when I read the term "offshoring" I get the sense that the question may involve hiring contractors who work for the organization permanently but report to their home contracting organization. In my experience any "cost savings" in such an arrangement are a figment of the accounting imagination. I recommend full-time employees be CIRT members.

Any thoughts from blog readers?
Email ThisBlogThis!Share to XShare to Facebook
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • DojoCon Videos Online
    Props to Marcus Carey for live streaming talks from DojoCon . I appeared in my keynote , plus panels on incident response and cloud secur...
  • Practice of Network Security Monitoring Table of Contents
    Since many of you have asked, I wanted to provide an updated Table of Contents for my upcoming book, The Practice of Network Security Monito...
  • Mandiant APT1 Report: 25 Best Commentaries of the Last 12 Days
    Two weeks ago today our team at Mandiant was feverishly preparing the release of our APT1 report . In the twelve days that followed public...
  • Feedback from Network Security Monitoring 101 Classes
    At Black Hat in Las Vegas I taught two Network Security Monitoring 101 (NSM101) classes. This is a new class that I developed this year, a...
  • A Book for the Korean Cyber Armies
    I've got a book for the Korean cyber armies, North and South. That's right, it's my first book , The Tao of Network Security Mo...
  • What is Cloud?
    The slide at left was one of my favorites from Craig Balding's Cloud Security Ghost Story talk from Black Hat EU earlier this year. I ...
  • SQL Injection Challenge and Time-Based Security
    Thanks to this Tweet by @ryancbarnett, I learned of the lessons learned of the Level II component of the ModSecurity SQL Injection Challen...
  • Bejtlich Speaking at TechTarget Emerging Threats Events in Seattle and New York
    I will be speaking at two events organized by TechTarget , for whom I used to write my Snort Report and Traffic Talk articles. The one-da...
  • BeyondTrust Report on Removing Administrator: Correct?
    Last week BeyondTrust published a report titled BeyondTrust 2009 Microsoft Vulnerability Analysis . The report offers several interesting ...
  • President Obama Is Right On US-China Hacking
    I strongly recommend watching the excerpt on the Charlie Rose show titled Obama: Blunt Conversation With China on Hacking . I reproduced the...

Categories

  • afcert
  • Air Force
  • analysis
  • announcement
  • apt
  • attribution
  • bestbook
  • blackhat
  • books
  • breakers
  • bro
  • bruins
  • certification
  • china
  • cisco
  • cissp
  • cloud
  • clowns
  • commodore
  • conferences
  • controls
  • correlation
  • counterintelligence
  • cybercommand
  • cyberwar
  • dfm
  • education
  • engineering
  • feds
  • fisma
  • freebsd
  • GE
  • ge-cirt
  • hakin9
  • history
  • impressions
  • information warfare
  • ipv6
  • law
  • leadership
  • malware
  • mandiant
  • microsoft
  • mssp
  • nsm
  • offense
  • oisf
  • packetstash
  • philosophy
  • pirates
  • powerpoint
  • press
  • psirt
  • reading
  • redteam
  • reviews
  • russia
  • sans
  • sec
  • sguil
  • snorby
  • spying
  • threat model
  • threats
  • Traffic Talk
  • training
  • tufte
  • tv
  • ubuntu
  • usenix
  • verizon
  • vulnerabilities
  • wisdom
  • writing

Blog Archive

  • ►  2013 (16)
    • ►  September (1)
    • ►  August (1)
    • ►  June (2)
    • ►  April (2)
    • ►  March (1)
    • ►  February (3)
    • ►  January (6)
  • ►  2012 (60)
    • ►  December (4)
    • ►  November (5)
    • ►  October (3)
    • ►  September (10)
    • ►  August (2)
    • ►  July (6)
    • ►  June (6)
    • ►  May (4)
    • ►  April (2)
    • ►  March (9)
    • ►  February (6)
    • ►  January (3)
  • ►  2011 (108)
    • ►  December (3)
    • ►  November (7)
    • ►  October (11)
    • ►  September (9)
    • ►  August (18)
    • ►  July (10)
    • ►  June (5)
    • ►  May (4)
    • ►  April (13)
    • ►  March (17)
    • ►  February (2)
    • ►  January (9)
  • ▼  2010 (193)
    • ►  December (14)
    • ►  November (11)
    • ►  October (6)
    • ►  September (16)
    • ►  August (15)
    • ►  July (26)
    • ►  June (15)
    • ►  May (15)
    • ►  April (15)
    • ►  March (16)
    • ▼  February (19)
      • Information Security Jobs in GE-CIRT and Other GE ...
      • Reaction to Cyber Shockwave
      • Review of Intelligence, 4th Ed Posted
      • Offshoring Incident Response
      • Advice for Academic Researchers
      • Answers Regarding Military Service
      • Max Ray Butler Sentenced (Again)
      • Get the Divers Out of the Water
      • A Hacker in Charge of Your Tax Dollars?
      • Thor vs Clown
      • Making Progress Matters Most
      • So Much for China's "Peaceful Rise"
      • APT Presentation from July 2008
      • Review of The Book of Xen Posted
      • Answering APT Misconceptions
      • DFRWS, VizSec, and RAID 2010 Calls for Papers
      • Google and NSA Fulfilling 2008 Predictions
      • DNI Blair Leads with APT as a "Wake-Up Call"
      • Traffic Talk 9 Posted
    • ►  January (25)
  • ►  2009 (123)
    • ►  December (10)
    • ►  November (17)
    • ►  October (21)
    • ►  September (13)
    • ►  August (20)
    • ►  July (21)
    • ►  June (21)
Powered by Blogger.

About Me

Unknown
View my complete profile