Managing Computer Security Incident Response Teams
Introduction
Table of Contents
Notices
Introduction
Purpose
Intended Audience
Workshop Goals
Workshop Overview
Applying This Material
CERT/CC Lessons Learned
Notices
Managing CSIRTs
© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213
Introduction
Managing Computer Security Incident Response Teams (CSIRTs)
**001 Hello, and welcome to Managing Computer Security Incident Response Teams.
Purpose
To provide a common understanding of
• workshop goals
• how to apply workshop materials for your needs
**002 In this introduction module, we'll provide an overview of the goals of this training course, as well as inform you how to use and apply the workshop and training materials for your own particular needs.
Intended Audience
CSIRT managers of all kinds
• prospective
• new
• existing
Other individuals
• C-level managers (CIOs, CSOs, etc.)
• upper management
• public affairs or public relations
• legal counsel
No prerequisite incident handling experience is required for this course.
**003 The primary audience for these training materials is people who have an interest in, or who have managed, a computer security incident response team for any length of time. Whether you have been a team lead or a manager of an existing CSIRT, you are new in the role of managing a CSIRT, or perhaps you are interested in becoming a manager of a CSIRT in the future, we hope that these materials apply to you.

Others who may be interested in this training include not just those who directly manage a CSIRT, but other managers, such as C-level managers, chief information officers or chief security officers; upper management or executives who interact with the CSIRT; public affairs or public relations staff; human resources; legal counsel; people who have a role in other security matters; system and network administrators; and anyone who might interact with the CSIRT. No prior incident handling knowledge or experience is required to take this training.
Workshop Goals
To provide insight into the type and nature of work CSIRT staff may be expected to handle
To provide an overview of the incident response arena
• the nature of incident response activities
• incident handling processes
To help you to understand
• technical issues from a management perspective
• problems and pitfalls to avoid
• best practices where applicable
To emphasize the importance of pre-defined policies and procedures
To discuss what is needed to operate an effective CSIRT
**004 Our goals for this training are to provide insight into the type and nature of work that CSIRTs may be expected to handle. We will provide an overview of the incident response field, including the nature of incident response activities and an overview of the incident handling processes themselves. We hope to help you understand technical issues from a management perspective, learn from problems and pitfalls that others have encountered while managing a CSIRT, and highlight best practices where applicable, along with other things that have worked well for organizations with CSIRTs.

You will hear us emphasize again and again the importance of having documented and predefined policies and procedures that relate to your CSIRT operations, and we will share with you ideas and suggestions on what you may need to effectively operate your CSIRT.
Workshop Overview
Workshop materials focus on
• foundation material, staffing issues
• incident management processes
• other issues, such as working with law enforcement, insider threat, and publishing information.
**005 The training materials are broken into a series of separate modules covering various topic areas that we feel would be useful for someone to manage a CSIRT more effectively. The first series of modules will cover topic areas such as CSIRT management, the environment, staffing issues, code of conduct, dealing with the news media, and managing a CSIRT infrastructure.

The next series of modules will go into the individual incident management processes, from helping to better prepare and protect your critical assets, to detecting and triaging events and incident reports, to responding to those incident reports, and to dealing with different major events.

After that, we will move into other topic areas and issues, such as publishing and disseminating information, evaluating your CSIRT, dealing with and being prepared to handle insider threats, and working with law enforcement organizations. References and citations to other resources will also be provided throughout the different training modules.
Applying This Material
All CSIRTs are different.
• One size does not fit all.
Take what makes sense for your situation.
Refer to your own CSIRT policies and procedures for
• appropriate responses and response times
• prioritization and escalation criteria
Examples and suggestions point out
• what has worked well for the CERT/CC and other teams
• pitfalls and benefits encountered
**006 As we present this material, please keep in mind that our intention is to provide you with ideas, suggestions, and topics for consideration on things that can help you to manage your CSIRT; we don't necessarily hope to prescribe how to do that. Many of the topic areas that we'll address will vary depending on your unique situation.

CSIRTs vary from one another, and no one solution will meet all CSIRTs' needs, so we ask you to consider with an open mind any suggestions we offer. Try to adopt whatever makes sense for your particular situation, and perhaps adapt or tailor other ideas as appropriate for your organization. Apply the materials to your own CSIRT and organization and to any existing policies or procedures already in place for computer security response and other escalation or prioritization criteria.

The examples and ideas presented in this training are based on our experiences and what's worked well for our team and other organizations that we've interacted with, and we hope to share with you the benefit of lessons that we've learned, including problems that we've encountered and things that have worked well for us.
CERT/CC Lessons Learned
Trustworthiness is paramount to the success of your team.
You will live or die by your credibility.
• Never violate a confidence.
• Speak only in facts.
• Don’t spread rumors.
• Don’t be afraid to say “I don’t know.”
CSIRTs should be proactive.
• Share information as openly as possible.
• Set expectations repeatedly.
Be aware that all CSIRTs differ.
Recognize that things take time; most CSIRTs
• have no authority over their constituency
• are third parties to incidents
• fail to plan for growth and are soon overwhelmed
• take 1-2 years to gain constituency recognition
If your CSIRT has no authority, learn to be effective through influence.
Train for a marathon, not a sprint.
• We will be doing this for a long time.
• Plan for the long haul.
• Leverage other resources and existing mechanisms.
• Build a network of experts who can advise and help.
• You will need endurance as well as brilliance.
**007 After having worked in this area for over three decades, the CERT Coordination Center at the Software Engineering Institute has learned a number of lessons and would like to share some of those lessons with you before we begin our training today.

One of the most important lessons is recognizing that trustworthiness is paramount to the success of your team. If you are not able to build and maintain trust and credibility with your constituency, it's going to hamper a lot of the activities that you try to provide to them.

If your team is new or just starting out, or if you have limited resources, you may find, as many organizations do, that your CSIRT spends most of its time being reactive. But if you strive to be more proactive, share information as much as possible, and repeatedly set expectations with the stakeholders that you deal with, you'll find yourself helping to prevent incidents from happening in the first place, reducing the need to be reactive.

As we said, recognize that CSIRTs differ from one another. What works well for one may not work in your situation. If your CSIRT does not have the authority to make changes or dictate strategies for responding to incidents, you'll have to learn to be effective through influence and by providing value-added services.

Also be aware that many of the activities and the things that CSIRTs do may take more time than expected. Many organizations that are just starting to implement their team or incident management capability find it may take 12 months, 18 months, 24 months or longer before they can plan their CSIRT, implement it and make it operational, and become recognized by their constituents. So don't be discouraged if things aren't happening as quickly as you expect, and don't be afraid to revise or change your plans or your processes as appropriate when the time arises.

With the complex technologies and the interrelated dependencies that we have on the information systems that we use today, we're going to be doing this line of work for a long time to come, so be prepared to train for a marathon, not a sprint. Where possible, build upon or leverage existing resources and mechanisms to help you with your incident management processes. Build a network of other subject matter experts who can advise and help you with your activities, and focus on endurance, not just speed and easy solutions.

We expect that you probably have a number of questions that you hope to have answered during this training. If we're successful, we hope not only to answer many of those questions but also to inspire new issues and ideas for you to consider as you apply this material in managing your own CSIRT. Thank you again for joining us, and good luck.
Page 11 of 11

Weitere ähnliche Inhalte

Ă„hnlich wie Managing Computer Security Incident Response Teams - Introduction

Business continuity in general
Business continuity in generalBusiness continuity in general
Business continuity in general
John Johari
 
The Total Economic Impact of Using ThoughtWorks' Agile Development Approach
The Total Economic Impact of Using ThoughtWorks' Agile Development ApproachThe Total Economic Impact of Using ThoughtWorks' Agile Development Approach
The Total Economic Impact of Using ThoughtWorks' Agile Development Approach
Thoughtworks
 
ISO_6
ISO_6ISO_6
ISO_6
PMI2011
 
Business Continuity & Disaster Recovery Planning, 30 November - 02 December 2...
Business Continuity & Disaster Recovery Planning, 30 November - 02 December 2...Business Continuity & Disaster Recovery Planning, 30 November - 02 December 2...
Business Continuity & Disaster Recovery Planning, 30 November - 02 December 2...
360 BSI
 

Ă„hnlich wie Managing Computer Security Incident Response Teams - Introduction (20)

Business continuity in general
Business continuity in generalBusiness continuity in general
Business continuity in general
 
Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security Strategy
 
BetterCloud Whitepaper: Fixing IT's Blindspots – 8 Critical Security and Mana...
BetterCloud Whitepaper: Fixing IT's Blindspots – 8 Critical Security and Mana...BetterCloud Whitepaper: Fixing IT's Blindspots – 8 Critical Security and Mana...
BetterCloud Whitepaper: Fixing IT's Blindspots – 8 Critical Security and Mana...
 
Executive Perspective Building an OT Security Program from the Top Down
Executive Perspective Building an OT Security Program from the Top DownExecutive Perspective Building an OT Security Program from the Top Down
Executive Perspective Building an OT Security Program from the Top Down
 
Role of the virtual ciso
Role of the virtual cisoRole of the virtual ciso
Role of the virtual ciso
 
All About Cybersecurity Frameworks.pptx
All About Cybersecurity Frameworks.pptxAll About Cybersecurity Frameworks.pptx
All About Cybersecurity Frameworks.pptx
 
All About Cybersecurity Frameworks.pdf
All About Cybersecurity Frameworks.pdfAll About Cybersecurity Frameworks.pdf
All About Cybersecurity Frameworks.pdf
 
The Total Economic Impact of Using ThoughtWorks' Agile Development Approach
The Total Economic Impact of Using ThoughtWorks' Agile Development ApproachThe Total Economic Impact of Using ThoughtWorks' Agile Development Approach
The Total Economic Impact of Using ThoughtWorks' Agile Development Approach
 
Mtm8 white paper scenario analysis
Mtm8 white paper   scenario analysisMtm8 white paper   scenario analysis
Mtm8 white paper scenario analysis
 
My skills matrix
My skills matrixMy skills matrix
My skills matrix
 
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKSRISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
 
Business Continuity as a Career
Business Continuity as a CareerBusiness Continuity as a Career
Business Continuity as a Career
 
Best practices to mitigate data breach risk
Best practices to mitigate data breach riskBest practices to mitigate data breach risk
Best practices to mitigate data breach risk
 
Takeaways from a Simulated Cyber Attack
Takeaways from a Simulated Cyber AttackTakeaways from a Simulated Cyber Attack
Takeaways from a Simulated Cyber Attack
 
Scientific Evolution Seminar Catalogue
Scientific Evolution Seminar CatalogueScientific Evolution Seminar Catalogue
Scientific Evolution Seminar Catalogue
 
ISO_6
ISO_6ISO_6
ISO_6
 
IIMK Casebook 2021.pdf
IIMK Casebook 2021.pdfIIMK Casebook 2021.pdf
IIMK Casebook 2021.pdf
 
Best Practices for Implementing Self-Service Analytics
Best Practices for Implementing Self-Service AnalyticsBest Practices for Implementing Self-Service Analytics
Best Practices for Implementing Self-Service Analytics
 
Business Continuity & Disaster Recovery Planning, 30 November - 02 December 2...
Business Continuity & Disaster Recovery Planning, 30 November - 02 December 2...Business Continuity & Disaster Recovery Planning, 30 November - 02 December 2...
Business Continuity & Disaster Recovery Planning, 30 November - 02 December 2...
 
Publishing Strategic Technology for Association of Catholic Publishers
Publishing Strategic Technology for Association of Catholic PublishersPublishing Strategic Technology for Association of Catholic Publishers
Publishing Strategic Technology for Association of Catholic Publishers
 

Mehr von VICTOR MAESTRE RAMIREZ

Mehr von VICTOR MAESTRE RAMIREZ (20)

Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Advanced Machine Learning for Business Professionals
Advanced Machine Learning for Business ProfessionalsAdvanced Machine Learning for Business Professionals
Advanced Machine Learning for Business Professionals
 
Intermediate Deep Learning with PyTorch - DataCamp
Intermediate Deep Learning with PyTorch - DataCampIntermediate Deep Learning with PyTorch - DataCamp
Intermediate Deep Learning with PyTorch - DataCamp
 
GestiĂłn de Incidentes de Cibersegurdad - Centro CriptolĂłgico Nacional
GestiĂłn de Incidentes de Cibersegurdad - Centro CriptolĂłgico NacionalGestiĂłn de Incidentes de Cibersegurdad - Centro CriptolĂłgico Nacional
GestiĂłn de Incidentes de Cibersegurdad - Centro CriptolĂłgico Nacional
 
Modernes Leistungsmanagement - Management
Modernes Leistungsmanagement - ManagementModernes Leistungsmanagement - Management
Modernes Leistungsmanagement - Management
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-Council
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - Datacamp
 
Werteorientiertes Management - Management
Werteorientiertes Management - ManagementWerteorientiertes Management - Management
Werteorientiertes Management - Management
 
Artificial Intelligence for Business Leaders
Artificial Intelligence for Business LeadersArtificial Intelligence for Business Leaders
Artificial Intelligence for Business Leaders
 
Hands-on SQL for Data Science - EC-Council
Hands-on SQL for Data Science - EC-CouncilHands-on SQL for Data Science - EC-Council
Hands-on SQL for Data Science - EC-Council
 
Becoming a Network Security Engineer - EC-Council
Becoming a Network Security Engineer - EC-CouncilBecoming a Network Security Engineer - EC-Council
Becoming a Network Security Engineer - EC-Council
 
Implementing Docker Containers with Windows Server 2019
Implementing Docker Containers with Windows Server 2019Implementing Docker Containers with Windows Server 2019
Implementing Docker Containers with Windows Server 2019
 
Unit Testing for Data Science in Python - DataCamp
Unit Testing for Data Science in Python - DataCampUnit Testing for Data Science in Python - DataCamp
Unit Testing for Data Science in Python - DataCamp
 
Project Management Foundations: Risk Management
Project Management Foundations: Risk ManagementProject Management Foundations: Risk Management
Project Management Foundations: Risk Management
 
Project Management Foundations: Communication
Project Management Foundations: CommunicationProject Management Foundations: Communication
Project Management Foundations: Communication
 
Project Management Foundations: Teams
Project Management Foundations: TeamsProject Management Foundations: Teams
Project Management Foundations: Teams
 
Project Management Foundations: Budgets
Project Management Foundations: BudgetsProject Management Foundations: Budgets
Project Management Foundations: Budgets
 

KĂĽrzlich hochgeladen

Nagavara Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore Es...
Nagavara Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore Es...Nagavara Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore Es...
Nagavara Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore Es...
amitlee9823
 
reStartEvents 5:9 DC metro & Beyond V-Career Fair Employer Directory.pdf
reStartEvents 5:9 DC metro & Beyond V-Career Fair Employer Directory.pdfreStartEvents 5:9 DC metro & Beyond V-Career Fair Employer Directory.pdf
reStartEvents 5:9 DC metro & Beyond V-Career Fair Employer Directory.pdf
Ken Fuller
 
Call Girls Jayanagar Just Call đź‘— 9155563397 đź‘— Top Class Call Girl Service Ban...
Call Girls Jayanagar Just Call đź‘— 9155563397 đź‘— Top Class Call Girl Service Ban...Call Girls Jayanagar Just Call đź‘— 9155563397 đź‘— Top Class Call Girl Service Ban...
Call Girls Jayanagar Just Call đź‘— 9155563397 đź‘— Top Class Call Girl Service Ban...
only4webmaster01
 
Call Girls Devanahalli Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service B...
Call Girls Devanahalli Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service B...Call Girls Devanahalli Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service B...
Call Girls Devanahalli Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service B...
amitlee9823
 
Call Girls Hoodi Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service Bangalore
Call Girls Hoodi Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service BangaloreCall Girls Hoodi Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service Bangalore
Call Girls Hoodi Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service Bangalore
amitlee9823
 
➥🔝 7737669865 🔝▻ bhavnagar Call-girls in Women Seeking Men 🔝bhavnagar🔝 Esc...
➥🔝 7737669865 🔝▻ bhavnagar Call-girls in Women Seeking Men  🔝bhavnagar🔝   Esc...➥🔝 7737669865 🔝▻ bhavnagar Call-girls in Women Seeking Men  🔝bhavnagar🔝   Esc...
➥🔝 7737669865 🔝▻ bhavnagar Call-girls in Women Seeking Men 🔝bhavnagar🔝 Esc...
amitlee9823
 
Call Girls Jayanagar Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service Ban...
Call Girls Jayanagar Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service Ban...Call Girls Jayanagar Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service Ban...
Call Girls Jayanagar Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service Ban...
amitlee9823
 
➥🔝 7737669865 🔝▻ Mirzapur Call-girls in Women Seeking Men 🔝Mirzapur🔝 Escor...
➥🔝 7737669865 🔝▻ Mirzapur Call-girls in Women Seeking Men  🔝Mirzapur🔝   Escor...➥🔝 7737669865 🔝▻ Mirzapur Call-girls in Women Seeking Men  🔝Mirzapur🔝   Escor...
➥🔝 7737669865 🔝▻ Mirzapur Call-girls in Women Seeking Men 🔝Mirzapur🔝 Escor...
amitlee9823
 
Call Girls Hosur Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service Bangalore
Call Girls Hosur Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service BangaloreCall Girls Hosur Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service Bangalore
Call Girls Hosur Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service Bangalore
amitlee9823
 
Chikkabanavara Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangal...
Chikkabanavara Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangal...Chikkabanavara Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangal...
Chikkabanavara Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangal...
amitlee9823
 

KĂĽrzlich hochgeladen (20)

Nagavara Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore Es...
Nagavara Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore Es...Nagavara Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore Es...
Nagavara Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore Es...
 
reStartEvents 5:9 DC metro & Beyond V-Career Fair Employer Directory.pdf
reStartEvents 5:9 DC metro & Beyond V-Career Fair Employer Directory.pdfreStartEvents 5:9 DC metro & Beyond V-Career Fair Employer Directory.pdf
reStartEvents 5:9 DC metro & Beyond V-Career Fair Employer Directory.pdf
 
Personal Brand Exploration - Fernando Negron
Personal Brand Exploration - Fernando NegronPersonal Brand Exploration - Fernando Negron
Personal Brand Exploration - Fernando Negron
 
Call Girls Jayanagar Just Call đź‘— 9155563397 đź‘— Top Class Call Girl Service Ban...
Call Girls Jayanagar Just Call đź‘— 9155563397 đź‘— Top Class Call Girl Service Ban...Call Girls Jayanagar Just Call đź‘— 9155563397 đź‘— Top Class Call Girl Service Ban...
Call Girls Jayanagar Just Call đź‘— 9155563397 đź‘— Top Class Call Girl Service Ban...
 
Miletti Gabriela_Vision Plan for artist Jahzel.pdf
Miletti Gabriela_Vision Plan for artist Jahzel.pdfMiletti Gabriela_Vision Plan for artist Jahzel.pdf
Miletti Gabriela_Vision Plan for artist Jahzel.pdf
 
Solution Manual for First Course in Abstract Algebra A, 8th Edition by John B...
Solution Manual for First Course in Abstract Algebra A, 8th Edition by John B...Solution Manual for First Course in Abstract Algebra A, 8th Edition by John B...
Solution Manual for First Course in Abstract Algebra A, 8th Edition by John B...
 
Call Girls Devanahalli Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service B...
Call Girls Devanahalli Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service B...Call Girls Devanahalli Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service B...
Call Girls Devanahalli Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service B...
 
Call Girls Hoodi Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service Bangalore
Call Girls Hoodi Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service BangaloreCall Girls Hoodi Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service Bangalore
Call Girls Hoodi Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service Bangalore
 
Joshua Minker Brand Exploration Sports Broadcaster .pptx
Joshua Minker Brand Exploration Sports Broadcaster .pptxJoshua Minker Brand Exploration Sports Broadcaster .pptx
Joshua Minker Brand Exploration Sports Broadcaster .pptx
 
Toxicokinetics studies.. (toxicokinetics evaluation in preclinical studies)
Toxicokinetics studies.. (toxicokinetics evaluation in preclinical studies)Toxicokinetics studies.. (toxicokinetics evaluation in preclinical studies)
Toxicokinetics studies.. (toxicokinetics evaluation in preclinical studies)
 
Dubai Call Girls Kiki O525547819 Call Girls Dubai Koko
Dubai Call Girls Kiki O525547819 Call Girls Dubai KokoDubai Call Girls Kiki O525547819 Call Girls Dubai Koko
Dubai Call Girls Kiki O525547819 Call Girls Dubai Koko
 
Dark Dubai Call Girls O525547819 Skin Call Girls Dubai
Dark Dubai Call Girls O525547819 Skin Call Girls DubaiDark Dubai Call Girls O525547819 Skin Call Girls Dubai
Dark Dubai Call Girls O525547819 Skin Call Girls Dubai
 
➥🔝 7737669865 🔝▻ bhavnagar Call-girls in Women Seeking Men 🔝bhavnagar🔝 Esc...
➥🔝 7737669865 🔝▻ bhavnagar Call-girls in Women Seeking Men  🔝bhavnagar🔝   Esc...➥🔝 7737669865 🔝▻ bhavnagar Call-girls in Women Seeking Men  🔝bhavnagar🔝   Esc...
➥🔝 7737669865 🔝▻ bhavnagar Call-girls in Women Seeking Men 🔝bhavnagar🔝 Esc...
 
Call Girls Jayanagar Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service Ban...
Call Girls Jayanagar Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service Ban...Call Girls Jayanagar Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service Ban...
Call Girls Jayanagar Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service Ban...
 
Guide to a Winning Interview May 2024 for MCWN
Guide to a Winning Interview May 2024 for MCWNGuide to a Winning Interview May 2024 for MCWN
Guide to a Winning Interview May 2024 for MCWN
 
➥🔝 7737669865 🔝▻ Mirzapur Call-girls in Women Seeking Men 🔝Mirzapur🔝 Escor...
➥🔝 7737669865 🔝▻ Mirzapur Call-girls in Women Seeking Men  🔝Mirzapur🔝   Escor...➥🔝 7737669865 🔝▻ Mirzapur Call-girls in Women Seeking Men  🔝Mirzapur🔝   Escor...
➥🔝 7737669865 🔝▻ Mirzapur Call-girls in Women Seeking Men 🔝Mirzapur🔝 Escor...
 
Call Girls Hosur Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service Bangalore
Call Girls Hosur Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service BangaloreCall Girls Hosur Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service Bangalore
Call Girls Hosur Just Call đź‘— 7737669865 đź‘— Top Class Call Girl Service Bangalore
 
Chikkabanavara Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangal...
Chikkabanavara Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangal...Chikkabanavara Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangal...
Chikkabanavara Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangal...
 
TEST BANK For Evidence-Based Practice for Nurses Appraisal and Application of...
TEST BANK For Evidence-Based Practice for Nurses Appraisal and Application of...TEST BANK For Evidence-Based Practice for Nurses Appraisal and Application of...
TEST BANK For Evidence-Based Practice for Nurses Appraisal and Application of...
 
Personal Brand Exploration ppt.- Ronnie Jones
Personal Brand  Exploration ppt.- Ronnie JonesPersonal Brand  Exploration ppt.- Ronnie Jones
Personal Brand Exploration ppt.- Ronnie Jones
 

Managing Computer Security Incident Response Teams - Introduction

  • 1. Managing Computer Security Incident Response Teams Introduction Table of Contents Notices ............................................................................................................................................ 2 Introduction .................................................................................................................................... 2 Purpose ........................................................................................................................................... 3 Intended Audience.......................................................................................................................... 4 Workshop Goals.............................................................................................................................. 5 Workshop Overview ....................................................................................................................... 6 Applying This Material .................................................................................................................... 7 CERT/CC Lessons Learned............................................................................................................... 9 Page 1 of 11
  • 2. Notices 8 Managing CSIRTs © 2020 Carnegie Mellon University [DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution. Introduction 1 Managing CSIRTs © 2020 Carnegie Mellon University [DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 [DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution. Introduction Managing Computer Security Incident Response Teams (CSIRTs) **001 Hello, and welcome to Managing Computer Security Incident Response Teams. Page 2 of 11
Purpose

To provide a common understanding of
• workshop goals
• how to apply workshop materials for your needs

**002 In this introduction module, we'll provide an overview of the goals of this training course, as well as inform you how to use and apply the workshop and training materials for your own particular needs.
Intended Audience

CSIRT managers of all kinds
• prospective
• new
• existing
Other individuals
• C-level managers (CIOs, CSOs, etc.)
• upper management
• public affairs or public relations
• legal counsel
No prerequisite incident handling experience is required for this course.

**003 The primary audience for these training materials is people who have an interest in, or who have managed, a computer security incident response team for any length of time. Whether you have been a team lead or a manager of an existing CSIRT, you are new in the role of managing a CSIRT, or you are potentially interested in becoming a manager of a CSIRT in the future, we hope that these materials apply to you. Others who may be interested in this training include not just those who directly manage a CSIRT but other managers, such as C-level managers, chief information officers, or chief security officers; upper management or executives who interact with the CSIRT; public affairs or public relations staff; human resources; legal counsel; people who have a role in other security matters; system and network administrators; and anyone who might interact with the CSIRT. No prior incident handling knowledge or experience is required to take this training.

Workshop Goals

To provide insight into the type and nature of work CSIRT staff may be expected to handle
To provide an overview of the incident response arena
• the nature of incident response activities
• incident handling processes
To help you to understand
• technical issues from a management perspective
• problems and pitfalls to avoid
• best practices where applicable
To emphasize the importance of pre-defined policies and procedures
To discuss what is needed to operate an effective CSIRT

**004 Our goals for this training are to provide insight into the type and nature of work that CSIRTs may be expected to handle. We will provide an overview of the incident response field, including the nature of incident response activities and an overview of the incident handling processes themselves. We hope to help you understand technical issues from a management perspective, learn from problems and pitfalls that others have encountered while managing a CSIRT, and highlight best practices where applicable and other things that have worked well for organizations with CSIRTs. You will hear us emphasize again and again the importance of having documented and predefined policies and procedures that relate to your CSIRT operations, and we will share with you ideas and suggestions on what you may need to operate your CSIRT effectively.

Workshop Overview

Workshop materials focus on
• foundation material, staffing issues
• incident management processes
• other issues, such as working with law enforcement, insider threat, and publishing information

**005 The training materials are broken into a series of separate modules covering topic areas that we feel would be useful for someone who wants to manage a CSIRT more effectively. The first series of modules will cover topic areas such as CSIRT management, the environment, staffing issues, code of conduct, dealing with the news media, and managing a CSIRT infrastructure. The next series of modules will go into the individual incident management processes: helping to better prepare and protect your critical assets, detecting and triaging events and incident reports, responding to those incident reports, and dealing with major events. After that, we will move into other topic areas and issues, such as publishing and disseminating information, evaluating your CSIRT, being prepared to handle insider threats, and working with law enforcement organizations. References and citations to other resources will also be provided throughout the training modules.

Applying This Material

All CSIRTs are different.
• One size does not fit all. Take what makes sense for your situation.
Refer to your own CSIRT policies and procedures for
• appropriate responses and response times
• prioritization and escalation criteria
Examples and suggestions point out
• what has worked well for the CERT/CC and other teams
• pitfalls and benefits encountered

**006 As we present this material, please keep in mind that our intention is to provide you with ideas, suggestions, and topics for consideration that can help you manage your CSIRT; we do not aim to prescribe how to do that. Many of the topic areas we address will vary depending on your unique situation. CSIRTs differ from one another, and no one solution will meet every CSIRT's needs, so we ask you to consider with an open mind any suggestions we offer. Adopt whatever makes sense for your particular situation, and adapt or tailor other ideas as appropriate for your organization. Apply the materials to your own CSIRT and organization, and to any existing policies or procedures already in place for computer security response and other escalation or prioritization criteria. The examples and ideas presented in this training are based on our experiences and what has worked well for our team and other organizations we have interacted with, and we hope to share with you the benefit of the lessons we have learned, including problems we have encountered and things that have worked well for us.

CERT/CC Lessons Learned

Trustworthiness is paramount to the success of your team. You will live or die by your credibility.
• Never violate a confidence.
• Speak only in facts.
• Don't spread rumors.
• Don't be afraid to say "I don't know."
CSIRTs should be proactive.
• Share information as openly as possible.
• Set expectations repeatedly.
Be aware that all CSIRTs differ.
Recognize that things take time; most CSIRTs
• have no authority over their constituency
• are third parties to incidents
• fail to plan for growth and are soon overwhelmed
• take 1-2 years to gain constituency recognition
If your CSIRT has no authority, learn to be effective through influence.
Train for a marathon, not a sprint.
• We will be doing this for a long time.
• Plan for the long haul.
• Leverage other resources and existing mechanisms.
• Build a network of experts who can advise and help.
• You will need endurance as well as brilliance.

**007 After working in this area for over three decades, the CERT Coordination Center at the Software Engineering Institute has learned a number of lessons and would like to share some of them with you before we begin our training. One of the most important lessons is recognizing that trustworthiness is paramount to the success of your team. If you are not able to build and maintain trust and credibility with your constituency, many of the activities and services you try to provide to them will be hampered. If your team is new or just starting out, or if you have limited resources, you may find, as many organizations do, that your CSIRT spends most of its time being reactive; but if you strive to be more proactive, share information as much as possible, and repeatedly set expectations with the stakeholders you deal with, you will find yourself helping to prevent incidents from happening in the first place, which reduces the need to be reactive. As we said, recognize that CSIRTs differ from one another. What works well for one may not work in your situation. If your CSIRT does not have the authority to make changes or dictate strategies for responding to incidents, you will have to learn to be effective through influence and by providing value-added services. Also be aware that many of the activities CSIRTs carry out may take more time than expected. Many organizations that are just starting to implement their team or incident management capability find it may take 12 months, 18 months, 24 months, or longer before they can plan their CSIRT, implement it so that it becomes operational, and become recognized by their constituents. So don't be discouraged if things aren't happening as quickly as you expect, and don't be afraid to revise or change your plans or processes when the time arises. With the complex technologies and the interrelated dependencies on the information systems we use today, we are going to be doing this line of work for a long time to come, so be prepared to train for a marathon, not a sprint. Where possible, build upon or leverage existing resources and mechanisms to help you with your incident management processes. Build a network of other subject matter experts who can advise and help you with your activities, and focus on endurance, not just speed and easy solutions. We expect that you have a number of questions that you hope to have answered during this training. If we're successful, we hope not only to answer many of those questions but also to inspire new issues and ideas for you to consider as you apply this material in managing your own CSIRT. Thank you again for joining us, and good luck.