SecurityCertified

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Wednesday, July 14, 2010

Gartner on CSIRTs

Posted on 6:26 PM by Unknown
I know some of you pay attention to what Gartner says, or more probably, your management does. I found this new report How to Build a Computer Security Incident Response Team by Jeffrey Wheatman, Rob McMillan, and Andrew Walls helpful if you need external validation from a source your management is likely to recognize. You need a Gartner account to breach the paywall.

I wanted to provide a few reasons why you might want to buy it and share it:

It is becoming increasingly common for auditors, regulators and other stakeholders to require organizations to formalize their responses to security events...

Even smaller organizations with limited legal and regulatory requirements can gain significant benefits in risk mitigation from the implementation of a basic security incident response team. Following the phased approach outlined in this research will guide clients on how to best assess their needs and implement a response team that will satisfy all stakeholders...

A competent and adequately resourced CSIRT is an important part of an organization's information security program. Many organizations either have nothing in place or follow inconsistent procedures.

In many organizations, the goal is to recover from an incident and get back up and running with minimal attention being paid to evidence collection, analysis or postmortem reporting.

Over the long term, this approach results in more security events, not fewer, as the organization is unable to discern the root causes of incidents and incorporate these lessons learned into improvements in infrastructure and process management.

Further, in those instances where an organization's individual experience is part of a broader incident affecting multiple organizations, this approach may result in added legal complexity and
liability.

That should help justify a CIRT. I was glad to see the following:

CSIRT staff will require access to key systems where required, such as capabilities that are normally available via network operations centers (NOCs) or security operations centers (SOCs).

The team will also require dedicated infrastructure, possibly protected from the rest of the organization, including secure physical facilities, material storage and dedicated
computers, as well as specialized software and hardware.

Redundancy in physical resources and technical systems is required to ensure CSIRT operations when normal facilities and technology are corrupted or unavailable. For example, CSIRT members should be able to access mobile telephones, fixed-line telephones, faxes and, in extreme circumstances, radio communications.

The need for separate infrastructure -- a "technology gap," as my team calls it -- is crucial. How can you defend vulnerable infrastructure using the same vulnerable infrastructure?

More on tools:

The key issue is that the CSIRT is likely to require tools in order to perform its function. Since these tools will be used in an uncertain operational environment (that is, one that is suspected or confirmed as having been compromised), it is important that the organization be able to confidently assert that these tools are reliable and preserve evidence in an untainted fashion...

In other words, the technology gap can also help a CIRT defend its evidence.

I found this interesting:

A variety of public and commercial organizations provide a range of support services for CSIRTs, including...

FIRST (http://first.org): This membership-based organization provides a support service for CERTs and CSIRTs on a global basis. FIRST members tend to be governmental organizations (for example, the U.S. Army CERT — ACERT) and major commercial organizations (for example, GE-CIRT, General Electric's CIRT).

Wow, I guess we made the big time!

In conclusion, check out the Gartner document. It might help you. If anyone wants to post links to the myriad of other resources out there (FIRST, CERT/CC, etc.), link away. I don't feel like hunting down the results of a Google search for building an IRT. Thank you.
Email ThisBlogThis!Share to XShare to Facebook
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • DojoCon Videos Online
    Props to Marcus Carey for live streaming talks from DojoCon . I appeared in my keynote , plus panels on incident response and cloud secur...
  • Bejtlich Speaking at TechTarget Emerging Threats Events in Seattle and New York
    I will be speaking at two events organized by TechTarget , for whom I used to write my Snort Report and Traffic Talk articles. The one-da...
  • SANS WhatWorks Summit in Forensics and Incident Response
    I wanted to remind everyone about the SANS WhatWorks Summit in Forensics and Incident Response in DC, 8-9 July 2010. The Agenda looks gre...
  • Sguil 0.7.0 on Ubuntu 9.10
    Today I installed a Sguil client on a fresh installation of Ubuntu 9.10. It was really easy with the exception of one issue I had to troubl...
  • Microsoft Updates MS09-048 to Show XP Vulnerable to 2 of 3 CVEs
    Microsoft published a Major Revision of MS09-048 to show that Windows XP Service Pack 2 and Windows XP Service Pack 3* are now Affected So...
  • BeyondTrust Report on Removing Administrator: Correct?
    Last week BeyondTrust published a report titled BeyondTrust 2009 Microsoft Vulnerability Analysis . The report offers several interesting ...
  • Human Language as the New Programming Language
    If you've read the blog for a while you know I promote threat-centric security in addition to vulnerability-centric security. I think ...
  • DNI Blair Leads with APT as a "Wake-Up Call"
    AFP is one of the few news outlets that correctly focused on the key aspect of testimony by US Director of National Intelligence Dennis Bla...
  • SANS Forensics and Incident Response 2009
    The agenda for the second SANS WhatWorks Summit in Forensics and Incident Response has been posted. I am really happy to see I am speakin...
  • NYCBSDCon 2010 Registration Open
    Registration for NYCBSDCon 2010 is now open. As usual George and friends have assembled a great schedule ! If you're in the New York...

Categories

  • afcert
  • Air Force
  • analysis
  • announcement
  • apt
  • attribution
  • bestbook
  • blackhat
  • books
  • breakers
  • bro
  • bruins
  • certification
  • china
  • cisco
  • cissp
  • cloud
  • clowns
  • commodore
  • conferences
  • controls
  • correlation
  • counterintelligence
  • cybercommand
  • cyberwar
  • dfm
  • education
  • engineering
  • feds
  • fisma
  • freebsd
  • GE
  • ge-cirt
  • hakin9
  • history
  • impressions
  • information warfare
  • ipv6
  • law
  • leadership
  • malware
  • mandiant
  • microsoft
  • mssp
  • nsm
  • offense
  • oisf
  • packetstash
  • philosophy
  • pirates
  • powerpoint
  • press
  • psirt
  • reading
  • redteam
  • reviews
  • russia
  • sans
  • sec
  • sguil
  • snorby
  • spying
  • threat model
  • threats
  • Traffic Talk
  • training
  • tufte
  • tv
  • ubuntu
  • usenix
  • verizon
  • vulnerabilities
  • wisdom
  • writing

Blog Archive

  • ►  2013 (16)
    • ►  September (1)
    • ►  August (1)
    • ►  June (2)
    • ►  April (2)
    • ►  March (1)
    • ►  February (3)
    • ►  January (6)
  • ►  2012 (60)
    • ►  December (4)
    • ►  November (5)
    • ►  October (3)
    • ►  September (10)
    • ►  August (2)
    • ►  July (6)
    • ►  June (6)
    • ►  May (4)
    • ►  April (2)
    • ►  March (9)
    • ►  February (6)
    • ►  January (3)
  • ►  2011 (108)
    • ►  December (3)
    • ►  November (7)
    • ►  October (11)
    • ►  September (9)
    • ►  August (18)
    • ►  July (10)
    • ►  June (5)
    • ►  May (4)
    • ►  April (13)
    • ►  March (17)
    • ►  February (2)
    • ►  January (9)
  • ▼  2010 (193)
    • ►  December (14)
    • ►  November (11)
    • ►  October (6)
    • ►  September (16)
    • ►  August (15)
    • ▼  July (26)
      • Time Issues in Libpcap Traces
      • Review of Digital Forensics for Network, Internet,...
      • Review of Virtualization and Forensics Posted
      • Review of Digital Triage Forensics Posted
      • Dell Needs a PSIRT
      • Review of The Watchman Posted
      • Review of The Fugitive Game Posted
      • Review of At Large Posted
      • Review of The Cuckoo's Egg Posted
      • Review of Code Version 2.0 Posted
      • Review of Crypto Posted
      • Review of The Illusion of Due Diligence Posted
      • Human Language as the New Programming Language
      • Brief Thoughts on WEIS 2010
      • Brief Thoughts on SANS WhatWorks Summit in Forensi...
      • Network Forensics Vendors: Get in the Cloud!
      • Gartner on CSIRTs
      • My Article on Advanced Persistent Threat Posted
      • A Little More on Cyberwar, from Joint Pub 1
      • Thoughts on "Application SOC" and New MSSPs
      • Ponemon Institute Misses the Mark
      • Joint Strike Fighter -- Face of Cyberwar?
      • Cyberwar Is Real
      • Security Is Never Free -- Ask DNSSEC
      • Lessons from NETOPS vs CND
      • Secunia Survey of DEP and ASLR
    • ►  June (15)
    • ►  May (15)
    • ►  April (15)
    • ►  March (16)
    • ►  February (19)
    • ►  January (25)
  • ►  2009 (123)
    • ►  December (10)
    • ►  November (17)
    • ►  October (21)
    • ►  September (13)
    • ►  August (20)
    • ►  July (21)
    • ►  June (21)
Powered by Blogger.

About Me

Unknown
View my complete profile