On-demand security when disaster strikes
Having a Computer Security Incident Response Team (CSIRT) is a major investment for any organization, and it may look like a capital expenditure with no expected return; but the fast, consistent handling of security incidents is a proven business differentiator.
How do you prepare yourself?
Most organizations have an IT security team in place to define the security posture. In general, the team's responsibility is to prevent security incidents from happening: it tracks security threats and decides on the tools and training the organization needs in order to be “safe”.
The security team has a wide-ranging role in the organization, including making sure the right patches are applied, evaluating new threats and confirming that newly discovered vulnerabilities have been addressed, in addition to security consulting, risk analysis, security fire drills and so on.
This preventive stance leaves the organization exposed to an operational risk: when a security incident does happen, and one inevitably will, there is no predictable way of responding to it. Large organizations can afford a specialized team that provides response services for security-related incidents. How do you manage this in a small to medium business?
Small to Medium Business – Security Challenges
In SMBs, managing security is an even greater challenge: executive sponsors are scarce, and there is usually no CSO or CISO. Does having the latest patches, an IDS and perimeter protection reduce the risk? These are just the basic, necessary security requirements for any SMB. What happens if there is a breach? How do you ensure that the security team is guided appropriately in resolving the incident? How do you ensure that the appropriate responses are requested from legal, HR and, if necessary, the PR department? Does the incident trigger a forensic process, are the artifacts collected for analysis, and is law enforcement notified about the incident?
All of these processes are complex and sensitive, and it is essential that they are handled with the least effort and cost overhead possible. How do you meet the security response challenge while keeping operational overhead low?
To address these issues we have developed the Computer Security Incident Response Management System (CSIRMS), a business process solution. The solution systemizes the response process according to the category of the incident, including deciding which teams should be brought in to handle it. It encapsulates all the flows a response process can take. Coupled with its decision-making capability, this can ensure that a computer security incident is contained effectively, by bringing efficiency and consistency to the response to a security threat.
The system also integrates with existing IDS and perimeter defense systems. If you use a Managed Security Service Provider (MSSP), a CSIRMS is critical to avoid the coordination overhead between the provider and the organization's various departments. By giving the service provider the ability to trigger response processes through the appropriate CSIRMS interface, you enable stakeholders to collaborate on, decide and execute response strategies after analyzing the impact on business and operations.
Unlike other solutions available in the market, which operate in a completely automated mode driven by incident intelligence from security information management (SIM) systems and IDSs, CSIRMS operates on the assumption that a security response has both automated and manual aspects.
The coordination required across departments is achieved by processing these interactions and backing them with a system that provides contextual intelligence depending on the stage the process is in and the category of the security incident.
Ishi’s CSIRMS addresses the following process areas which the CSIRT is responsible for:
- Detect (Investigations and Forensics)
- Triage (Categorization and Response Strategy Development)
CSIRMS also addresses the proactive process areas of preparation, such as response and coordination plans, risk analysis, threat and vulnerability evaluation and security reviews, in order to manage risk.
Contact us to learn more about developing CSIRT capability and deploying CSIRMS in your organization.