What is CSIRT?
CSIRT (pronounced see-sirt) stands for computer security incident response team. The main responsibility of the CSIRT is to expose and avert cyber attacks targeting an organization.
As the number of cyber threats grows every day, having a security team that is solely focused on incident response (IR) is fundamental. An incident response team consists of three distinct components:
- CSIRT
- PR Expert/Advisor
- Legal Expert/Advisor
While the roles of the PR expert and the legal expert are self-explanatory, the CSIRT's role is focused on the technical aspects of incidents. Members of the CSIRT are in charge of the detection, control and eradication of cyber incidents. Moreover, they are the ones who recover and restore the systems affected by the incident.
What are the Responsibilities of CSIRT?
Members of the CSIRT analyse the data concerning incidents and discuss methods of prevention. When necessary, they share their insights and/or solutions with the rest of the company. They are active players before, during and after cyber security incidents. As a result, the list of the responsibilities of the CSIRT includes:
- Remediating security incidents.
- Detecting and taking immediate action upon incidents.
- Providing a 360-degree view and in-depth analysis of past incidents. Preventive protocols are set up in light of the reports that the CSIRT provides after incidents.
- Training to respond appropriately to new threats.
- Management of audits.
- Reviewing the security measures of networks and systems to detect vulnerabilities.
- Informing related departments about new technologies, policies and changes in protocols after security incidents.
- Maintaining internal communications and supervising operations during and after significant incidents.
- Creating and (when necessary) updating the incident response plan (IRP).
- Preserving confidentiality during incidents. This includes the management of off-site stored sensitive information such as network configurations and passwords.
- Regularly reviewing standard security protocols and, if needed, updating them.
Which Skills Should the Members of CSIRT Have?
It is best if the members of a CSIRT have experience in security-related areas. Experience and expertise in security incident detection and threat intelligence are especially useful. In addition, every member of a CSIRT must have strong problem-solving skills, since reacting appropriately to security incidents requires a certain amount of skill regardless of the individual's specific role in the team.
Moreover, you might also consider hiring staff who have completed IR courses and/or hold IR certifications. Furthermore, employees who have expertise in SIEM can play crucial roles in CSIRTs.
What are the Roles of CSIRT Members?
Your IR team must be able to meet the needs of your business. That is why there is no universally applicable magic formula, but the following roles are often present on CSIRTs:
Leader of CSIRT. The team leader is mostly responsible for response protocols, incident analyses and updates to the response procedures.
Incident Leader of CSIRT. The incident leader is responsible for coordinating individual responses to incidents. This is usually the team member with the most experience in the area in which the incident occurred.
Supporting members of CSIRT. A CSIRT has several supporting members. Most of them are experts in the IT infrastructure, but it is also wise to have staff with management experience on board. PR advisors and legal advisors are also essential members of CSIRTs.