Wednesday, July 14, 2010

Gartner on CSIRTs

I know some of you pay attention to what Gartner says, or more probably, your management does. I found this new report How to Build a Computer Security Incident Response Team by Jeffrey Wheatman, Rob McMillan, and Andrew Walls helpful if you need external validation from a source your management is likely to recognize. You need a Gartner account to breach the paywall.

I wanted to provide a few reasons why you might want to buy it and share it:

It is becoming increasingly common for auditors, regulators and other stakeholders to require organizations to formalize their responses to security events...

Even smaller organizations with limited legal and regulatory requirements can gain significant benefits in risk mitigation from the implementation of a basic security incident response team. Following the phased approach outlined in this research will guide clients on how to best assess their needs and implement a response team that will satisfy all stakeholders...

A competent and adequately resourced CSIRT is an important part of an organization's information security program. Many organizations either have nothing in place or follow inconsistent procedures.

In many organizations, the goal is to recover from an incident and get back up and running with minimal attention being paid to evidence collection, analysis or postmortem reporting.

Over the long term, this approach results in more security events, not fewer, as the organization is unable to discern the root causes of incidents and incorporate these lessons learned into improvements in infrastructure and process management.

Further, in those instances where an organization's individual experience is part of a broader incident affecting multiple organizations, this approach may result in added legal complexity and liability.


That should help justify a CIRT. I was glad to see the following:

CSIRT staff will require access to key systems where required, such as capabilities that are normally available via network operations centers (NOCs) or security operations centers (SOCs).

The team will also require dedicated infrastructure, possibly protected from the rest of the organization, including secure physical facilities, material storage and dedicated computers, as well as specialized software and hardware.

Redundancy in physical resources and technical systems is required to ensure CSIRT operations when normal facilities and technology are corrupted or unavailable. For example, CSIRT members should be able to access mobile telephones, fixed-line telephones, faxes and, in extreme circumstances, radio communications.


The need for separate infrastructure -- a "technology gap," as my team calls it -- is crucial. How can you defend vulnerable infrastructure using the same vulnerable infrastructure?

More on tools:

The key issue is that the CSIRT is likely to require tools in order to perform its function. Since these tools will be used in an uncertain operational environment (that is, one that is suspected or confirmed as having been compromised), it is important that the organization be able to confidently assert that these tools are reliable and preserve evidence in an untainted fashion...

In other words, the technology gap can also help a CIRT defend its evidence.

I found this interesting:

A variety of public and commercial organizations provide a range of support services for CSIRTs, including...

FIRST (http://first.org): This membership-based organization provides a support service for CERTs and CSIRTs on a global basis. FIRST members tend to be governmental organizations (for example, the U.S. Army CERT — ACERT) and major commercial organizations (for example, GE-CIRT, General Electric's CIRT).


Wow, I guess we made the big time!

In conclusion, check out the Gartner document. It might help you. If anyone wants to post links to the myriad of other resources out there (FIRST, CERT/CC, etc.), link away. I don't feel like hunting down the results of a Google search for building an IRT. Thank you.

3 comments:

G. Silowash said...

Rather than try to get through the pay wall, I would check out the various free resources from the original creators of the CSIRT: CERT/CC. They are available here:

http://www.cert.org/csirts/

The Gartner name will grab the attention of management.

Unknown said...

I missed the research bit? I'd be interested in hearing any ideas on research (applied) that could be used to help teams/managers.

-Rob

@mattnels said...

Sort of relevant to the Redundancy in Physical resources....

FCC Okays Employee Participation in Emergency Drills

Moving with unaccustomed speed, the FCC adopted a Report and Order on July 14, allowing hams who are employed by both government agencies and non-government agencies such as hospitals, to participate in emergency and disaster drills on behalf of their employers. The ruling was based on a Notice of Proposed Rule Making, WP-10-72, issued this past March, in response to petitions arising from a strict interpretation by the FCC's Enforcement Bureau of the prohibition on amateurs communicating on behalf of their employers. The decision came just more than a month after the reply comment deadline.

The ruling added a new paragraph to Section 97.113(a)(3) of the FCC rules, which reads as follows:

(i) A station licensee or control station operator may participate on behalf of an employer in an emergency preparedness or disaster readiness test or drill, limited to the duration and scope of such test or drill, and operational testing immediately prior to such test or drill. Tests or drills that are not government-sponsored are limited to a total time of one hour per week; except that no more than twice in any calendar year, they may be conducted for a period not to exceed 72 hours.