For organizations of all sizes, cyber attacks are not a matter of if, but when. Given that an organization is going to experience security incidents, attacks and even breaches, a cyber incident response team and plan is critical.
In a sophisticated threat landscape, what are the key considerations to building a successful cyber security function?
The following are key requirements for companies looking to build their own cyber security incident response team (CSIRT):
However, it is not always easy to find skilled and qualified staff and therefore, CSIRTs may need to nurture and develop internal employees to progress into these roles.
A CSIRT team plays a critical role in upholding CSIRT mission and service. Both technical and personal skills are required. A wide range of personal skills are necessary because a major part of the incident handler’s daily activity will involve communicating with other stakeholders who may have various levels of understanding. Therefore, overall success of the CSIRT is reliant on daily interactions that, in turn, can strengthen the reputation of the team and the respect with which that team is held.
On the other hand, a team member who is a technical expert but has poor communication skills could be the downfall of a team.The team’s overall reputation is at risk if communications are poor, misinterpreted or handled incorrectly.
A well-planned incident response plan will result in positive post-incident results. Communication during incident response neither fails or succeeds; it is either effective or ineffective.
Incident responders will need to have a well-rounded skill set which include:
The functions of a CSIRT serve a powerful reminder that we should harness shared interests in keeping cyberspace safe and lay a strong foundation for cooperative structures to evolve.
Look for individuals who are:
Individuals inside the company, similar to a network co-op (student with a multi-work term agreement), can be used as a resource as these people are motivated and striving for success. They already know the processes and infrastructure and can be trained to be a level one incident responder.
Various core competencies are necessary. So, depending on the company infrastructure, choose a great server person, a great desktop person, a great network person from inside the company and form a cross-competent team. No team is perfect from the start, but having these internal expertises from the outset will reduce ramp up substantially.
Problems change week to week so learning new techniques, picking up internal intel to see what counterparts are doing, see what’s happening, what’s changing. Constantly strive to improve and make the program yours – problems change weekly – and a program and people should be adaptable.
Kaizen: Adopting the practice of continuous improvement to improve security posture
In the early 80’s, the Japanese automobile industry popularized the concept of ‘kaizen’, or continuous improvement, as a daily process of positive transformation. Kaizen refers to activities that continuously improve all functions within a company to reduce waste and to increase productivity and efficiency. To adopt this practice, all components of a business must work collaboratively
Enterprise security programs have often worked in silos with their approach and dedicated the majority of their resources towards prevention. As zero-day threats improve, preventative controls fail. Businesses should consider a kaizen approach to threat defense where each control can continuously feed and improve the others through integration, which can significantly improve an enterprise’s overall security posture.
VMRay supports incident response every step of the way. Detect and respond to critical security incidents within minutes to prevent the spread of threats and limit their impact.
Find out more: Incident Response with VMRay Analyzer: An Automated Army of Virtual Analysts