As the volume and variety of cyber attacks on businesses continue to grow, the need for better incident response has never been greater. Stephen Moore discusses how to build an effective CSIRT and the role it can play in protecting an enterprise in the event of a breach.
A few years ago, the idea of a dedicated computer security incident response team (CSIRT) may have seemed a luxury. Fast forward to the present day and for many it has become essential. A CSIRT differs from a traditional security operations centre (SOC), which focuses purely on threat detection and analysis. Instead, a CSIRT is a cross-functional response team, consisting of specialists who can deal with every aspect of a security incident, and it includes members of the SOC team. The effort could include the technical aspects of a breach, assisting legal, managing internal communications, and even creating content for those who must field media enquiries.
Key roles and responsibilities within a CSIRT
In addition to the conventional duties of a SOC, a CSIRT must also fulfil a variety of non-technical but equally important roles and responsibilities. This requires a much wider set of skills, and getting the right balance of personnel is key. Some members may be full-time, while others are only called in occasionally, but all of them bring key skills to the table if and when they are needed.
At a minimum, an effective CSIRT will contain the following members:
Source: DRJ New feed