Gartner on CSIRTs

I know some of you pay attention to what Gartner says, or more probably, your management does. I found this new report How to Build a Computer Security Incident Response Team by Jeffrey Wheatman, Rob McMillan, and Andrew Walls helpful if you need external validation from a source your management is likely to recognize. You need a Gartner account to breach the paywall.

I wanted to provide a few reasons why you might want to buy it and share it:

It is becoming increasingly common for auditors, regulators and other stakeholders to require organizations to formalize their responses to security events...

Even smaller organizations with limited legal and regulatory requirements can gain significant benefits in risk mitigation from the implementation of a basic security incident response team. Following the phased approach outlined in this research will guide clients on how to best assess their needs and implement a response team that will satisfy all stakeholders...

A competent and adequately resourced CSIRT is an important part of an organization's information security program. Many organizations either have nothing in place or follow inconsistent procedures.

In many organizations, the goal is to recover from an incident and get back up and running with minimal attention being paid to evidence collection, analysis or postmortem reporting.

Over the long term, this approach results in more security events, not fewer, as the organization is unable to discern the root causes of incidents and incorporate these lessons learned into improvements in infrastructure and process management.

Further, in those instances where an organization's individual experience is part of a broader incident affecting multiple organizations, this approach may result in added legal complexity and
liability.

That should help justify a CIRT. I was glad to see the following:

CSIRT staff will require access to key systems where required, such as capabilities that are normally available via network operations centers (NOCs) or security operations centers (SOCs).

The team will also require dedicated infrastructure, possibly protected from the rest of the organization, including secure physical facilities, material storage and dedicated
computers, as well as specialized software and hardware.

Redundancy in physical resources and technical systems is required to ensure CSIRT operations when normal facilities and technology are corrupted or unavailable. For example, CSIRT members should be able to access mobile telephones, fixed-line telephones, faxes and, in extreme circumstances, radio communications.

The need for separate infrastructure -- a "technology gap," as my team calls it -- is crucial. How can you defend vulnerable infrastructure using the same vulnerable infrastructure?

More on tools:

The key issue is that the CSIRT is likely to require tools in order to perform its function. Since these tools will be used in an uncertain operational environment (that is, one that is suspected or confirmed as having been compromised), it is important that the organization be able to confidently assert that these tools are reliable and preserve evidence in an untainted fashion...

In other words, the technology gap can also help a CIRT defend its evidence.

I found this interesting:

A variety of public and commercial organizations provide a range of support services for CSIRTs, including...

FIRST (http://first.org): This membership-based organization provides a support service for CERTs and CSIRTs on a global basis. FIRST members tend to be governmental organizations (for example, the U.S. Army CERT — ACERT) and major commercial organizations (for example, GE-CIRT, General Electric's CIRT).

Wow, I guess we made the big time!

In conclusion, check out the Gartner document. It might help you. If anyone wants to post links to the myriad of other resources out there (FIRST, CERT/CC, etc.), link away. I don't feel like hunting down the results of a Google search for building an IRT. Thank you.