Principles of Incident Response and Disaster Recovery, 2nd Edition
Chapter 6: Incident Response: Organizing and Preparing the CSIRT
Objectives
• Describe the purpose and function of the CSIRT
• Discuss the skills and abilities needed in the CSIRT
• Explain the standing operating procedures associated with CSIRT operations
• Describe training and deployment of the CSIRT
Introduction
• Coordinated reaction to unexpected events
  – Requires a designated group of individuals
    • Deal with the situation and reestablish information asset security
    • Carefully selected with an appropriate range of skills
    • Alternates required to assume responsibilities
    • Distinct from the Incident Response Planning (IRP) team
• IRP team’s primary incident response responsibility
  – Develop and implement policy and plans
Introduction (cont’d.)
• IR reaction team responsibility
  – Respond to notice from a predefined entity of a possible incident
  – CSIRT works to regain control of information assets at risk, determine what happened, and prevent repeat occurrences
• IR reaction team’s other names
  – Computer Security Incident Response Team (CSIRT)
  – Security Incident Response Team (SIRT)
  – Computer Emergency Response Team (CERT)
  – IR team
Introduction (cont’d.)
• Computer Security Incident Response Team
  – Loose or informal implementation
    • Association of IT and InfoSec staffers
    • Called up if an attack on information assets is detected
  – More formal implementation
    • Set of people, policies, procedures, technologies, and information
    • Detect, react to, and recover from an incident potentially resulting in unwanted information modification, damage, destruction, or disclosure
• Prevention: entire information security staff involved
Building the CSIRT
• Formal CSIRT
  – Carnegie Mellon CERT/CC defined stages
    • Step 1: Obtain management support and buy-in
    • Step 2: Determine the CSIRT strategic plan
    • Step 3: Gather relevant information
    • Step 4: Design the CSIRT vision
    • Step 5: Communicate the CSIRT vision and operational plan
    • Step 6: Begin CSIRT implementation
    • Step 7: Announce the operational CSIRT
    • Step 8: Evaluate CSIRT effectiveness
Step 1: Obtaining Management Support and Buy-In
• Formal management support
  – Required for CSIRT success
• CSIRT members assigned additional duties
  – CSIRT work: part-time or as detached assignments
  – Must ensure irresolvable conflicts with primary job responsibilities are removed
  – Senior management must direct subordinate managers
    • Allow CSIRT members time for CSIRT activities
• Resources requiring funding and support
  – Time and materials for incident preparation and reaction
Step 1: Obtaining Management Support and Buy-In (cont’d.)
• Constant and ongoing management support
  – Sustains team efforts
  – Ensures long-term success in managing incidents
• CSIRT champion
  – May be the same person as the IR function champion
  – Typically the chief information officer (CIO)
  – Must be an upper-level executive
    • Requires organizational power and authority to ensure success
Step 2: Determining the CSIRT Strategic Plan
• Formal plan encompasses:
  – Team scope and responsibilities
  – Reporting structure and functional processes
Step 2: Determining the CSIRT Strategic Plan (cont’d.)
• Formal plan items to address
  – Time frame for CSIRT development
  – Gap analysis: needed versus available skills
  – CSIRT structure and team model
  – Available and needed funding
  – Training and testing methods and requirements
  – Formal and informal communications requirements
  – Procedures for updating and modifying documents and activities
Time Frame for Development of the CSIRT
• First CSIRT strategic plan item to determine
  – How soon the team needs to be up and running
    • Management response: “yesterday”
    • Cold reality
      – Weeks or months
      – Use informal organizational response procedures until then
Gap Analysis of Needed versus Available Personnel Resources (Skills)
• Harsh reality
  – Few departments are overstaffed enough to support ongoing operations
• Small-to-medium-sized organizations
  – May include the entire IT/InfoSec skillset
  – “Off duty” and “on call” IT staff expected to respond to incidents
• If the organization is constantly calling back primary IT and InfoSec personnel
  – Must conclude that additional resources are needed
Gap Analysis of Needed versus Available Personnel Resources (cont’d.)
• Obtaining additional resources
  – Understand the skills needed to respond effectively to an incident
  – Determine whether the staff already has those resources
  – Possible management determinations
    • Willingness to acquire needed personnel to fill gaps
    • Willingness to provide existing personnel with training
    • Willingness to live with the consequences of the team’s inability to respond
  – Other option: outsourcing the CSIRT function
Gap Analysis of Needed versus Available Personnel Resources (cont’d.)
• Typical CSIRT experience areas needed
  – Malware scanning, elimination, and recovery
  – System administration
  – Network administration (switches, routers, gateways)
  – Firewall administration
  – Intrusion detection systems
  – Cryptography
  – Data storage and recovery
  – Documentation creation and maintenance
  – Experience creating and following policy and plans
CSIRT Structure and Team Model
• Incident discovery leads to CSIRT notification
  – CSIRT determines incident impact and acts appropriately
  – Success dependent on the participation and cooperation of individuals
• CSIRT structural categories
  – Central CSIRT: a single CSIRT handles incidents
  – Distributed CSIRTs: multiple CSIRTs handle incidents for a particular logical or physical segment
  – Coordinating team: CSIRT provides guidance and advice to other teams but has no authority over them
CSIRT Structure and Team Model (cont’d.)
• CSIRT staffing models
  – Employees: organization performs all IR work
    • Limited contractor technical and administrative support
  – Partially outsourced: portions of IR work outsourced
    • 24-hour-a-day, 7-day-a-week (24/7) monitoring
    • Basic IR work performed in-house; contractors assist
  – Fully outsourced: all IR work outsourced to an on-site contractor
    • Used when the organization lacks available, qualified employees
CSIRT Structure and Team Model (cont’d.)
• Team model selection factors to consider
  – Need for 24/7 availability
  – Full-time versus part-time team members
  – Employee morale
  – Cost
  – Staff expertise
  – Organizational structures
Available and Needed Funding for Initial and Ongoing CSIRT Operations
• Everything in business costs money
  – Time, people, and building a CSIRT operation
  – Top management must commit to funding the CSIRT
• Team member needs
  – Time away from current responsibilities
  – Formal or informal training
  – Equipment to detect and manage incidents
  – Special communications equipment
• NIST recommends tools for use by incident handlers
Training and Testing Methods and Requirements for the CSIRT
• CSIRT testing and training methods
  – Defined in the strategic plan
• Planning team
  – Must enumerate management expectations
• Most organizations
  – Provide some training for CSIRTs
    • In-house and informal
• Few organizations
  – Conduct formal testing regimes
    • Fear creating incidents in the process
Formal and Informal Communications Requirements
• Formal and informal communications methods
  – Included in the CSIRT strategic plan
  – Used between CSIRT personnel and other personnel
  – Must be clearly defined methods for:
    • Contacting CSIRT personnel
    • Notifying the CSIRT of potential incidents
• Critical requirement
  – Upward flow of information from the CSIRT to organizational and IT/InfoSec management
    • CSIRT must report preliminary findings to management
Procedures for Updating and Modifying CSIRT Documents and Activities
• Final component of any formal plan
  – Mechanism by which the plan can and should be updated
• CSIRT development plan designed to guide CSIRT planning, training, and testing
  – Routinely review (annually) and modify
• Guiding documents for updating CSIRT documents
  – Formal Incident Response Policy and CSIRT plans
  – Provide response team preparation and training
  – May combine the CSIRT strategic plan with an IR plan
Step 3: Gathering Relevant Information
• CSIRT formation
  – IRP team collects the organization’s IR and service needs
    • Information used to craft the CSIRT
    • Ensures necessary skills and abilities are available
  – IR planning committee
    • Establishes CSIRT scope and responsibilities
    • Determines team constituency and abilities
  – Converse with stakeholders
    • Identify team skills and abilities
    • Identify end-user needs
Step 4: Designing the CSIRT Vision
• Planning elements
  – May have been developed as part of the strategy
• Planning element steps
  – Identify the constituency
  – Define the CSIRT’s mission, goals, and objectives
  – Determine the organizational model
  – Select CSIRT services to provide to the constituency (or others)
  – Identify the resources required to operate the CSIRT
  – Determine CSIRT funding
Identifying Your Constituency
• CSIRT must know:
  – Who it works for
  – What systems to focus on
• Clear chain of command necessary
  – Critical once the CSIRT is on site
    • CSIRT can take charge of the situation
    • CSIRT can exert influence to regain control of systems
• Requires top management support
  – Provides emergency authority to the CSIRT leader
Identifying Your Constituency (cont’d.)
• “Scope of operations”
  – Determining the systems falling under the CSIRT’s responsibility
  – Be aware of its existence
    • Know whom to serve
• CSIRT constituents
  – Defined by who provides funding
• CSIRTs work collaboratively
  – With other CSIRTs in their geographic and logical areas
Defining Your CSIRT’s Mission, Goals, and Objectives
• CSIRT identifies for whom it works
  – Who it provides services to
  – Reporting relationships it must work within
• CSIRT must identify its mandate
  – Mission, goals, and objectives
• Mission of the CSIRT
  – States purpose clearly and succinctly
  – Establishes team tone
  – Provides a path to attaining goals and objectives
Defining Your CSIRT’s Mission, Goals, and Objectives (cont’d.)
• Mission of the CSIRT (cont’d.)
  – Common failing among multiple CSIRTs
    • Lack of precision in defining the mission
    • Failure to communicate the mission, so the CSIRT tries to validate priorities: leads to revisions on the fly
  – Clear and concise mission statement
    • Allows for an established service list, service levels, and quality framework
  – Purpose statement supplements the mission statement
  – Approaches to incident response (philosophy)
    • Protect and forget, or apprehend and prosecute
Defining Your CSIRT’s Mission, Goals, and Objectives (cont’d.)
• Goals and objectives of the CSIRT
  – Based on the constituent’s or parent organization’s business goals
  – CSIRT keys to success
    • Protect critical assets
    • Enable and support the constituency’s critical business processes and systems
  – CSIRT goals coupled with detailed procedures
    • Enable the team to effectively contain and resolve incidents
  – No goals results in inconsistent and incomplete incident response
Selecting the CSIRT Services to Provide to the Constituency (or Others)
• CSIRT main focus: performing incident response
  – May shift gears to deal with a threat
  – May significantly overlap with other traditional information security tasks
• Will have an IR focus
  – CSIRT constantly works with IR-based tools and technologies
    • Allows for training and focus on incidents
    • Can better deal with intrusions
Selecting the CSIRT Services to Provide to the Constituency (or Others) (cont’d.)
• CSIRT services categories
  – Reactive services
  – Proactive services
  – Security quality management services
• Advisory distribution
  – Describes new vulnerabilities
  – Provides information on mitigating the vulnerabilities
  – Useful in helping others identify incident signs
Selecting the CSIRT Services to Provide to the Constituency (or Others) (cont’d.)
• Vulnerability assessment
  – IR team determines how a vulnerability was exploited and the risks, and recommends risk mitigation
  – IR team may perform auditing or penetration testing
  – Incident handlers
    • Well suited to perform vulnerability assessments
• Intrusion detection
  – May be performed by the IR team
    • Allows the team to gain knowledge
  – Ideally performed by another team with the IR team assisting
Selecting the CSIRT Services to Provide to the Constituency (or Others) (cont’d.)
• Education and awareness
  – Resource multipliers
  – Communicated by workshops and seminars, Web sites, newsletters, posters, and stickers on monitors
• Technology watch
  – Look for new trends in information security threats
  – Recommend improvements in security controls
• Patch management
  – Not recommended for the IR team (too time consuming)
  – Needed most when addressing large-scale incidents
Identify Required Resources
• CSIRT needs
  – Qualified individuals to perform tasks
  – Time, funding, managerial support
• Incident response personnel
  – Single employee in charge of incident response
  – Fully outsourced model: this person oversees and evaluates the service provided
  – All other models: team manager or deputy team manager in charge
  – Managers perform a variety of tasks requiring:
    • Technical skills, communication skills, and a positive attitude
Identify Required Resources (cont’d.)
• Technical skills
  – Technical lead
    • Has strong technical skills and IR experience
    • Has oversight of and final responsibility for the quality of the IR team’s technical work
  – Incident lead
    • Primary point of contact for handling a specific incident
    • May not perform actual incident handling
    • Coordinates handlers’ activities, gathers information, provides updates, ensures the team’s needs are met
Identify Required Resources (cont’d.)
• Technical skills (cont’d.)
  – CSIRT members need excellent technical skills
  – Technical inaccuracy in functions undermines the team’s credibility
  – Poor technical judgment can cause incidents to worsen
  – Critical technical skill areas include:
    • System administration, network administration, programming, technical support, intrusion detection
  – Team members need good problem-solving skills
Identify Required Resources (cont’d.)
• Technical skills (cont’d.)
  – Provide opportunities for learning and growth
    • Budget enough funding for technical conferences
    • Provide books, magazines, technical references
    • Provide opportunities to perform other tasks
    • Rotate staff members in and out of the CSIRT
    • Maintain sufficient staff for uninterrupted time off work
    • Create a mentoring program
    • Allow members to temporarily trade places
    • Occasionally bring in outside experts
    • Develop incident-handling scenarios and simulate them
Identify Required Resources (cont’d.)
• Nontechnical skills
  – Teamwork skills for cooperation and coordination
  – Communication skills
    • Speaking
    • Writing
• Determine your funding
  – CSIRT leader and IRP team require a clearly defined budget
    • Guides effort in planning preparation, training, and testing
Step 5: Communicating the CSIRT’s Vision and Operational Plan
• Communication is important when developing the CSIRT
  – Include a feedback mechanism
  – Keep stakeholders informed and involved
• Managerial team or individual serving as champion
  – First group to communicate the CSIRT’s vision and plan
    • Champion begins cultivating a marketing stance
• Fully informed champion can:
  – Convince top management of general success
    • Demonstrates the champion is on top of the situation
    • Opens doors for additional resources and support
Step 5: Communicating the CSIRT’s Vision and Operational Plan (cont’d.)
• Educating remaining top management
  – Serves two purposes:
    • Closes the loop on the preparation phase of CSIRT team building
    • Moves the group into an operational capacity
  – Pro forma notification
    • CSIRT may have already begun supporting the organization informally
  – Adjust the executive mindset of top management as to the group’s status
  – Communicate the forthcoming CSIRT to employees
Step 6: Beginning CSIRT Implementation
• Execution of plans begins
  – Obtain management approval with a formal sign-off
• Substeps:
  – Recruit and train initial CSIRT staff
  – Purchase equipment and prepare the required network infrastructure
  – Define and prepare necessary CSIRT policies and procedures
  – Define and acquire an incident-tracking system
  – Prepare incident-reporting guidelines and forms
Step 6: Beginning CSIRT Implementation (cont’d.)
• Incident-reporting guidelines
  – Enable the constituency to interact with the CSIRT
• Incident reporting process
  – Should be concrete
  – Include directives on how to make reports
• Guidance on responding to incidents
  – How requests are prioritized, applicable service levels and response times, how notifications and escalations are managed, and how resolution is documented and reported
• Critical aspect of the IR plan: guideline and procedure definitions for incident response
Step 7: Announce the operational CSIRT
• Provide formal or informal notice to employees
  – Describe availability of the CSIRT service
• Items to include in the announcement
  – Staff members and leadership
  – Mission and goals
  – Services and functions
  – Operating hours
  – Contact methods and numbers
• Circulate as part of the security awareness program
• Keep information in front of employees
Step 8: Evaluating CSIRT Effectiveness
• Two key mechanisms for the IR plan
  – Test of the CSIRT’s ability to respond to an incident
  – Means test for IR plan suitability and comprehensiveness
• CSIRT uses performance measures (metrics)
• Closing the loop
  – After action review (AAR): performed at the end
    • Detailed event examination: detection to recovery
    • Key players review notes, members review actions
    • Update plan
    • Serves as a training case for future staff
Step 8: Evaluating CSIRT Effectiveness (cont’d.)
• CSIRT performance measures
  – Methods for assessing the relative worth and operations of a subject of interest
  – Identify operation areas to assess, collect data from those areas
    • Review data periodically to determine if improving
  – Feedback mechanism options
    • Compare local CSIRT measures to other CSIRTs
    • Solicit comments from the CSIRT’s constituency
    • Use periodic surveys to gain insight from the constituency
    • Collect, report, and audit a set of empirical measures
Step 8: Evaluating CSIRT Effectiveness (cont’d.)
• CSIRT performance measures (cont’d.)
  – Useful to build a baseline of past measures
    • Compare current performance to past performance
    • Determines the effect of the CSIRT on its user community
  – Measurements used for comparison
    • Incidents reported
    • Response times
    • Resolution rates for reported incidents
Final Thoughts on CSIRT Development
• CSIRT development can be a tedious, difficult process
• Time necessary to build an effective CSIRT varies
  – Dependent on the organization’s size, industry, staffing, and availability of needed skills
  – May take months or years: requires patience
• First signal of progress
  – Dramatic increase in the number of identified incidents
  – Constituents trust the CSIRT to respond after notification
• See http://csrc.nist.gov/publications/nistpubs and http://www.cert.org/csirts
Outsourcing Incident Response
• Organizations outsourcing part of IR capacity
  – Due to the increased popularity of managed security services
• Specialized companies
  – Install equipment (firewalls and IDSs)
  – Remotely monitor the equipment from a centralized facility
Current and Future Quality of Work
• Important consideration
  – Quality of the service provider’s work
• Other considerations
  – Current quality of work
  – Efforts to ensure quality of future work
    • Minimizing turnover and burnout
    • Providing a solid new-employee training program
    • Auditing or objectively assessing the quality of service provided
Division of Responsibilities
• Organizations unwilling to give an outside resource authority over operational decisions
  – Must decide the point at which the service provider hands off incident response
• Partially outsourced model
  – Service provider delivers an incident report with recommendations for handling the incident
  – Internal team ultimately makes operational decisions
Sensitive Information Revealed to the Contractor
• How to limit issues
  – Divide IR responsibilities
  – Restrict access to sensitive information
• Example
  – Contractor can determine the user ID used in an incident
    • Will not know the person associated with the user ID
  – Trusted employees can take over the investigation
Lack of Organization-Specific Knowledge
• Accurate analysis and prioritization of incidents
  – Dependent on specific environment knowledge
  – Provide the service provider regularly updated documents on:
    • Incidents concerning the organization
    • Critical resources
    • Response level under various sets of circumstances
  – Report all changes and updates to IT infrastructure, network configuration, and systems
• If there is a lack of organization-specific knowledge:
  – Contractor has to make a best guess
  – Leads to problems in-house if communications are weak
Lack of Correlation
• Important to have correlation among multiple data sources
• Contractor requires administrative privileges:
  – To critical systems and security device logs
  – With remote access over a secure channel
• Issues
  – Increases administration costs
  – Introduces additional access entry points
  – Increases risk of unauthorized disclosure of sensitive information
Handling Incidents at Multiple Locations
• Effective IR work
  – Often requires physical presence at the facilities
  – Considerations for an off-site service provider
    • How quickly it can have a CSIRT at any facility
    • How much this will cost
  – Considerations for on-site visits
    • Facilities or areas where the service provider should not be permitted
Maintaining IR Skills In-House
• When an organization has completely outsourced IR
  – Strive to maintain basic IR skills in-house
    • Organization can perform incident handling if the service provider is unable to act
• For the service provider’s recommendations
  – Technical staff must understand their:
    • Significance
    • Technical implications
    • Impact
Summary
• Organizations designate groups to:
  – Deal with unexpected situations
  – Reestablish information asset security
• Formal or informal CSIRT development requires several stages
• CSIRT formal plan requires management support
• Skills needed to respond to incidents
• IR team availability necessary to respond to an incident
• Building a CSIRT requires adequate financial support
• Strategic plan: testing, training, contact information
Summary (cont’d.)
• Formal plan final component: update mechanism
• IRP team collects information on IR and service needs to develop plan details
• Communicate CSIRT planning to general management and employees
• After the planning phase: CSIRT implemented
• CSIRT effectiveness mechanisms:
  – IR plan tests and CSIRT performance measures
• CSIRT development can be tedious
• Organizations may outsource all or part of the process