Matteo Michelini: Companies disregard need for response teams
Companies that do not have a computer security incident response team (CSIRT) in place will have a problem when it comes to containing a security incident.
Matteo Michelini, senior security consultant at MWR InfoSecurity, notes that the practice of having a CSIRT within an organisation is not widespread, and that usually only certain elements of such a team are present in most companies.
Instead, Michelini says, there is typically an understaffed team of people doing bits of everything across the security domain. He says this includes penetration testing, security architecture review, intrusion detection and network security.
Many firms do not believe they need a CSIRT, because they have business continuity, risk management, an incident manager or a security operations centre, which they assume fulfil the same function, says Michelini. He was addressing delegates at ITWeb's Security Summit 2014 yesterday.
However, this leaves companies in a precarious position when incidents, such as unauthorised access to a core system, happen, says Michelini. He explains that without a CSIRT, no one is responsible for containing the incident, and the question of who is responsible for fixing it is also left hanging.
With a CSIRT, the incident is followed end-to-end: the team handles assessment and containment, and is consulted when it comes to remediation.
Michelini says the key requirements for a CSIRT are to act as a bridge between the business and security operations, and between security operations and other IT functions; to successfully contain security incidents; and to drive remediation and improvements.
Skills required include being able to handle incidents, forensics and risk management, says Michelini. To identify who should make up the team, companies need to look at their core business, as well as their risk of being attacked.