Organizational Models for Computer Security Incident Response Teams (CSIRTs)
6 Internal Centralized CSIRT
6.1 Overview
The internal centralized CSIRT model is a dedicated CSIRT, centrally located, that has full responsibility for all incident reporting, analysis, and response. In many cases team members spend 100% of their time working for the CSIRT and perform all incident handling tasks. There is a CSIRT manager who reports to high-level management such as a CIO, CSO, or CRO. All CSIRT resources are located at a central site. This model is referred to as the "centralized CSIRT" throughout the rest of this document.
This model provides a centralized team that can collect information from a wide variety of constituent sources and quickly synthesize and disseminate it across the enterprise. The CSIRT responds to reports of abnormal activity or other incident reports. It can also participate in incident and vulnerability analyses, lend expertise in testing or assessing the security of the enterprise, and play a proactive role in promulgating computer security awareness and training throughout the organization, if appropriate to the organizational structure.
The centralized CSIRT has full authority to analyze activity and full or shared authority to respond to incident activity as it occurs. No enterprise-wide action can be taken or recommended without the approval of the CSIRT manager and possibly upper management. The team also has the authority to enforce recovery and mitigation strategies with the approval and consent of upper management. Divisional and functional unit managers are notified of any action to be taken in their areas, and are involved in the decision-making process to determine how to implement a response.
The team has the authority to release enterprise-wide advisories and other documents, including best practices, response and recovery steps, and security updates. The team can also be responsible for reviewing and analyzing all IDS or other network/system/application logs.
The organization determines whether the CSIRT will visit victim sites in the parent organization to enact response efforts or whether they will recommend responses to be carried out by the local system, security, and network administrators in each division.
6.2 Supported Constituencies
This model can be used by two very different types of organizations. It is most commonly found in small organizations, where the number of staff, systems, and buildings can be handled by a small centralized IT department and CSIRT. An example might be a small commercial organization, one government department or agency, an educational institution, or a vendor organization.
The model can also be implemented in a larger organization with a constituency dispersed over many different physical and geographical locations. This type of organization might be a large educational institution with many branch campuses or a military or government organization with many departments.
In all of these cases, whether a large or small organization, the constituency itself has some common characteristics and a common organizational structure that allows the CSIRT to work with the different business units or groups.
This model can also be used, but with some difficulty, in a large organization with multiple affiliate or subsidiary companies or groups. An example might be a large multinational corporation that is comprised of a collection of independent legal entities (affiliates and subsidiaries). In this case, although seen as part of the same parent organization, each affiliate or subsidiary might have its own management structure, policies, procedures, and authority, or even its own CSIRT. This may cause problems in how much authority the centralized CSIRT has over the systems, networks, and incident response efforts in the affiliates and subsidiaries. This may also cause problems in effecting a consistent level of response across these disparate units. Although a centralized CSIRT can work in this organizational situation, a coordinating model might be a more effective approach. It should be remembered that in a commercial organization, business impacts are the crucial decision criteria, so usually the CSIRT provides advice rather than dictating the actions to be taken.
This model can be implemented but will not work as well for a large, dispersed, diverse constituency, such as numerous countries in a particular geographic area or numerous educational or commercial entities in a country. In those types of organizational settings, a coordinating CSIRT, described in Chapter 8, is a better organizational model choice.
6.3 Organizational Structure
The centralized CSIRT should be comprised of staff with expertise in all systems and platforms supported by the enterprise. If this is not possible, experts in the parent or host organization must be identified to work closely with the team as needed. The CSIRT manager reports to the CIO, CSO, CRO, or other equivalent manager and represents the CSIRT on boards, councils, and activities that involve or are related to computer security. The team is centrally located at one physical site, close to their upper-level manager.
A centralized team's services can be organized in a variety of structures. The team can provide a full range of incident handling services or just limited services, such as only intrusion detection, or only incident analysis and response coordination. It is up to the parent organization (or constituency) to decide what services will be provided. A centralized team in a large, geographically dispersed organization cannot reasonably provide direct incident response on site, but it can act efficiently in providing incident, vulnerability, or artifact response coordination services, such as providing advisories, alerts, training sessions, and documented procedures.
Generally the centralized CSIRT staff perform incident handling and CSIRT tasks 100 percent of their time. However, in some instances, due to budget constraints, it may not be possible to have all full-time centralized team members. Instead there may be a core set of assigned staff who share responsibility for CSIRT functions. So there is always someone on the centralized team, but each staff member rotates on and off the team periodically. This type of part-time staff may work well in a very small organization where the CSIRT staff members also perform other IT or security-related tasks.
Another organizational option is to outsource part of the CSIRT work to a third party contractor to augment the CSIRT's expertise and provide specific support such as the development of alerts and advisories or the monitoring of IDS logs. Organizations should take great care when opting to outsource any of their incident handling tasks and functions. Issues related to CSIRT authority, data protection, information disclosure, and securing the incident handling infrastructure as it pertains to the outsourced functions must be addressed. Guidance for outsourcing managed security services is available in Outsourcing Managed Security Services.
6.4 Triage
In a centralized CSIRT, the triage function is essential to the operation of the team. There is an established method for contacting the CSIRT such as an email alias or phone number. This method of contact is used for not only reporting incidents but also for making other requests for CSIRT services. CSIRT service listings, hours of operation, and incident reporting guidelines are widely advertised so the constituency understands how to interact with the team. There are online reference materials to assist the organization's staff in reporting to and contacting the CSIRT.
In this model, triage can be provided through two different structures: as a component part of the CSIRT or as a separate entity from the CSIRT. These two approaches are outlined in Section 3.3.1.
Whatever help desk or hotline approach is used, it is also important that the constituency understands the organizational security policies and procedures. All users must understand the importance of reporting attacks, viruses, and any other suspicious or abnormal activity. There must be no fear of retaliation for reporting activity to the help desk. Guidance for reporting activity is available to the constituency via an intranet or some similar application.
Because the centralized reporting and triage processes provide a way to coordinate the collection of information, it is possible to know what type of activity is being observed or reported across the organization. The CSIRT can therefore identify in a more efficient and timely manner whether critical system and network services are being attacked.
6.5 Available Services
The following sections describe how some CSIRT services might be provided in a centralized CSIRT model. It is recognized that every team is different, so these are general descriptions based on observations of and discussions with other teams. The method in which the service is delivered assumes a certain level of infrastructure, staff, and equipment, which are discussed in later sections.
6.5.1 Core Services
The core services characterizing this centralized model are very similar to the core services for a distributed CSIRT listed in Section 5.5.1.
Alerts and Warnings
In a centralized model, all alerts and warnings coming into the CSIRT or parent organization from other security experts, vendors, or CSIRTs are received by the centralized team through some designated point of contact such as a CSIRT phone number or email alias. From there the alerts and warnings are disseminated to various points of contact throughout the organization, which might include system and network administrators, business managers, or security teams at their sites. In this way a common message with a consistent set of steps to prevent or respond to any activity or security incidents can be sent throughout the organization. General alerts and warnings that affect all members of the constituency are sent to a predetermined mailing list by the centralized team. For this to work efficiently there must be an up-to-date list of people and units to notify.
It should be noted that members of the distributed team also may receive alerts and warnings from external sources such as security mailing lists and advisory lists. Just because the centralized team is the designated point of contact does not preclude the distributed members from obtaining information from other sources. In many cases, where threats are immediate, distributed team members may not want to wait for the information to be re-sent to understand about new attacks or problems. However, the responses taken should be coordinated with the centralized team and any information that the distributed team members receive that is not received by the centralized team should be passed on.
If alerts, warnings, or advisories for the CSIRT's constituency need to be developed, these are assigned by the CSIRT manager to a member of the centralized team. The assigned staff can enlist the help of others in the organization who have expertise that might be needed. They may also want to work with a technical writer to produce the final versions. If a technical writer is not on staff as part of the CSIRT, it may be possible to use staff with the needed skills from the constituency or parent organization. Whatever arrangement is used to obtain technical writing assistance, it should be established in advance, so that the technical writer can be called as needed.
Incident Analysis
Because centralized team members have dedicated time to spend on CSIRT work, they often can perform more proactive incident handling functions such as analyzing incoming reports and identifying any trends or patterns appearing across the organization.
Based on its understanding of the overall picture, the CSIRT makes recommendations for strengthening the security of the enterprise systems, similar to how a distributed CSIRT works. But because team members are physically located together, the team can more easily discuss incident activity to determine similarities between incidents. This close proximity and interaction can potentially decrease the amount of time it takes to determine the scope and nature of an attack.
However, because of the centralized nature of the team, the CSIRT staff may not know a lot about the real infrastructure of the organization and the practical day-to-day issues of business needs versus risks. Therefore, they may have to involve other parts of the organization in their analysis of any incident activity, especially in regards to acceptable response and mitigation strategies. Part of the training that any centralized staff will need to receive is an understanding of the critical systems as they relate to the parent organization's missions and goals. The CSIRT staff will not be able to operate in isolation; they must spend considerable time learning about the enterprise infrastructure, organizational business goals, and critical assets and establishing good channels of communication with other parts of the organization.
Incident Response Support
This service is especially prevalent when the constituency is a large, dispersed organization, because the CSIRT can serve as a focal point for disseminating information and response strategies. To be successful at this service, the CSIRT must have a good collaborative working relationship with the other parts of the enterprise.
In its role as the centralized CSIRT, the team is responsible for initiating the appropriate response and recovery steps based on the reports received and the analysis done. Because team members' time is devoted to CSIRT work, they can consolidate and distribute information in a more timely manner. They usually also have a broader perspective on security issues and more in-depth incident handling skills. This allows them to better understand the technical nature of threats and risks (real or potential) and to provide direct guidance on recovery actions to assist local administrators.
Response can be implemented in a number of ways. In larger organizations, the CSIRT can be responsible for sending out technical guidelines on how to handle or recover from a particular security event. These guidelines are received and followed by system, network, and security administrators or other responsible personnel in each division. The guidelines are also sent to the division and business unit managers so they are informed. In this model, as with the distributed model, it may be difficult for the centralized CSIRT to determine if the correct response effort has been taken at the division level. Some means of ensuring consistency and accountability should be implemented. One problem is that even though the centralized team can work closely with the administrators in the field to explain response strategies, they do not have the face-to-face contact available through on-site incident response.
In a smaller organization, the CSIRT may actually be located in the same physical area as the system and network administrators responsible for implementing the response. This can make it easier to establish strong working relationships with these administrators, which can in turn enable a more efficient response effort.
In larger organizations, however, there may be times when the CSIRT staff is not able to react to an immediate threat as quickly as is needed by the part of the organization having a security problem or incident, and the local system and network administrators must take action themselves before involving the CSIRT. Some "rules of engagement" should be established in advance for these kinds of cases. It will be especially important in such instances that the local system and network administrators report to the CSIRT as soon as possible about what triggered the activity and what action they took to respond to the event.
Incident Response Coordination
Their central location and ability to gather and synthesize information from across the enterprise establish the CSIRT as the best point for incident response coordination. They have the information and the expertise in incident response. In this capacity they are able to act as a point of contact regarding incident activity with other parts of the organization, law enforcement, and other external CSIRTs, security experts, and involved sites. They also will develop the main mitigation strategies and response solutions for any incident activity and distribute this to relevant system, network, and security administrators in the field. They can also update higher level management and any other divisional or functional managers as needed.
For this coordination effort to work effectively, the CSIRT must have points of notification already established across the enterprise for notifying others about incident activity. An established relationship with the IT department and organizational system, network, and security administrators is needed.
Vulnerability and Artifact Response Coordination
A centralized CSIRT is better positioned than a security or distributed team to perform effective vulnerability and artifact response coordination, provided the necessary expertise exists in the team. With dedicated resources, the team can provide comprehensive tracking, recording, and dissemination of information to the enterprise. By consolidating the information collected, the team is better able to identify similar attacks, artifacts, exploits, trends, and patterns. Potential new threats to the enterprise can also be identified. In this centralized model, it is important that the team have expertise or familiarity with all platforms and operating systems used in the organization. If this is not possible, mechanisms need to exist for the CSIRT to call upon platform specialists in other parts of the enterprise or third party experts as needed.
Based on the results of the analysis of any vulnerability or artifact information, the CSIRT coordinates the release of remediation, detection, and recovery steps throughout the enterprise as required.
Even with a centralized CSIRT, many teams find they do not have the skills or expertise to be able to provide this vulnerability and artifact coordination service effectively, so they depend on other CSIRTs to provide analysis and recommendations to the community (e.g., vendor sites, members of FIRST, computer security experts, the CERT/CC, or other CSIRTs). In this case, the CSIRT would be a point of contact for receiving this information from other experts and disseminating it as appropriate throughout the enterprise.
Announcements
The centralized team is in a position to be a good point of contact for all incoming information from external and internal sources regarding incident activity, vulnerabilities, and intruder trends. As part of its centralized function it can review and filter all incoming information and pass it on to various parts of the organization. For this service to work properly, established channels and mechanisms for communicating information to the rest of the constituency must be in place and understood by the recipients. Established document types and distribution procedures should also be in place. Announcements might be about intruder trends noted in the general Internet community but not yet affecting the constituency, vulnerabilities that have been discovered, or new incident information that may have an impact on the enterprise. Mechanisms for disseminating announcements may include mail distribution lists, advisory mailing lists, CSIRT web page posts, or even recorded messages in phone systems.
Technology Watch
Having a dedicated staff in the centralized model means there will probably be sufficient resources to provide a technology watch service.
In this model, this service can be delivered in one of two ways. Either one or two staff can be assigned to perform this service on a full-time basis as one of their primary job functions or each member of the team can be assigned a particular technology area or platform to monitor.
If multiple assignments are made across the team, either someone will need to be assigned to consolidate the information or each person will need to send out their own information. Any information is then made available to the rest of the CSIRT staff via the secured intranet or extranet.
Security-related information that affects the organization can be posted to a mailing list or an intranet discussion site as a means of keeping network, system, and security administrators up to date. This notification can also be used to raise the level of security awareness for all members of the enterprise. Such an information distribution site can provide educational benefits by allowing people to post questions that can be answered by the CSIRT staff if time permits.
Security-Related Information Dissemination
Having a dedicated team allows the centralized CSIRT to also focus on providing security-related information to the rest of the organization.
The CSIRT can establish a centralized web site (and FTP site, if appropriate) to provide organization-wide access to appropriate security-related information. They can also use these sites to disseminate information from other external sources that has been tailored to the needs of the constituency in regard to supported technologies and software. Information can also be distributed via newsletters and mailing lists.
Information disseminated includes current activity reports, threat trends and patterns, security awareness tutorials, incident reporting forms and guidelines, current updates on CSIRT developments, and any special security-related information on various applications, protocols, and security or attack tools.
If the CSIRT web and FTP sites are not maintained by the team but by other parts of the IT group, then it will be important for the CSIRT to work closely with the administrators to ensure the server is adequately protected and that information is updated in a timely manner.
Depending on its resources, if the centralized CSIRT is international this service might also include translation of security information into other languages.
6.5.2 Additional Services
In addition to its core services, a centralized CSIRT may choose to offer other services as identified or required by the constituency. The following services are those most likely to be provided.
Incident Response On Site
In a small organization, the centralized CSIRT can be tasked with performing response and recovery steps themselves, provided the team members have the required expertise.
This is more problematic in a large, distributed organization. The problems result from the time and resources needed to send a CSIRT staff member to the affected location if they are not in the same building or geographical location. If staff are away from the centralized team, this may also affect the overall performance of the team in providing services at the central site.
For this type of service to work effectively, the centralized team will need well-established relationships with the system, network, and security administrators throughout the enterprise. Agreements that the CSIRT will handle the recovery and response steps will need to be made with any relevant divisions or business units, as well as with the IT department.
Vulnerability and Artifact Analysis
If the centralized team has staff dedicated to CSIRT work, they may have the resources and expertise to engage in technical vulnerability and artifact analysis.
If analysis is not done, information about vulnerabilities and artifacts is obtained from other entities such as other external CSIRTs and security experts, as described in "Vulnerability and Artifact Response Coordination" in Section 5.5.1.
However, for the centralized team to be able to gauge the impact and threat of a particular vulnerability or artifact across their infrastructure, they may need to rely on the expertise of the operational staff that run the various parts of the infrastructure and the business managers who are responsible for each area.
Security Audits or Assessments
With its technical expertise and experience handling new vulnerabilities, real incidents, and artifacts, the centralized members of the CSIRT could participate with an audit or assessment team in the provision of this service, or provide input into the development of compliance criteria and requirements.
The centralized team can also provide the lead in coordinating and maintaining any proactive vulnerability scanning or penetration testing that may occur.
Configuration and Maintenance of Security Tools, Applications and Infrastructures
Although it is possible for the staff of a centralized team to perform configuration and maintenance of security tools, applications, and infrastructures, that is not usually one of their primary functions. However, for some team structures, the CSIRT staff may indeed maintain border firewalls, do network monitoring, and also recommend security configurations for various systems and services on the network infrastructure. If such tasks are performed, the CSIRT staff will need to have a good understanding of the mission and function of all critical infrastructure components and their relationship to each other.
The system and network components configured and maintained can include firewalls, VPNs, IDS, and even virus scanners. Work may also involve user account and password management or the review of network, system, security, and accounting logs.
Development of Security Tools
If the centralized team has dedicated resources, these team members may develop extensive expertise related to programming and software development. In such cases members of a centralized team might develop tailored tools to provide workarounds or temporary fixes to help resolve situations in which no patch or mitigation strategy is available. Delivery of such a service will depend on the expertise of the team members and the priority of other duties and functions.
Intrusion Detection Services
The centralized model is well suited to giving the CSIRT overall authority for reviewing and summarizing intrusion detection reports. Staff can develop the necessary procedures and guidelines based on past experience that can be used at the divisional level for reporting intrusions. The CSIRT can be the focal point for providing guidance in determining normal and abnormal network behavior and identifying appropriate response mechanisms and processes.
This service can be provided in one of two ways. In the first, the centralized team is responsible for maintaining and monitoring all intrusion detection systems within the enterprise. In the second, rather than performing the monitoring themselves, the CSIRT acts as a central coordinating site for the analysis of abnormal activity reported from the field. In this second model, the maintenance and monitoring of intrusion detection systems is done at the local level by each site or division (depending on the organizational structure), and all alerts or abnormal activity are reported, on some prescribed basis, to the centralized CSIRT for review and analysis. This enables the centralized team to look for trends, patterns, and correlations regarding incident activity across the enterprise.
All involved personnel need specialized IDS training. Regardless of the way the data is received, data reduction and analysis tools and scripts will be needed to manage and review the logs and information received.
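The second delivery model above has each division report its IDS alerts to the central team, which must reduce the volume and look for activity spanning divisions. The following script is an added illustration of that data-reduction and correlation step, not code from the CSIRT handbook; the division names, report layouts and alert records are constructed for the example.

```python
"""Cross-division IDS alert reduction and correlation for a centralized CSIRT.

Added illustration (not from the source document). Each division forwards
its IDS alerts in its own layout; the central team normalizes them, collapses
repeats, and reports signatures or sources seen in more than one division,
which is the enterprise-wide pattern no single site can see on its own.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    division: str
    timestamp: datetime
    source_ip: str
    signature: str


# Constructed sample feed: three hypothetical divisions, each reporting in a
# different layout (comma-separated, pipe-separated, and key=value pairs).
RAW_REPORTS = {
    "finance": [
        "2003-05-01T08:00:00,203.0.113.7,SSH brute force",
        "2003-05-01T08:00:30,203.0.113.7,SSH brute force",  # repeat within window
        "2003-05-01T09:15:00,198.51.100.9,SMB probe",
    ],
    "campus-east": [
        "2003-05-01T08:05:00|203.0.113.7|SSH brute force",
        "2003-05-01T10:00:00|192.0.2.44|Web scanner",
    ],
    "research": [
        "ts=2003-05-01T08:40:00 src=203.0.113.7 sig=SSH brute force",
        "ts=2003-05-01T11:00:00 src=192.0.2.44 sig=Web scanner",
    ],
}


def parse_line(division: str, line: str) -> Alert:
    """Normalize one site's report line into the common Alert record."""
    if line.startswith("ts="):
        # maxsplit=2 keeps the signature intact even when it contains spaces
        fields = dict(part.split("=", 1) for part in line.split(" ", 2))
        ts, src, sig = fields["ts"], fields["src"], fields["sig"]
    elif "|" in line:
        ts, src, sig = line.split("|", 2)
    else:
        ts, src, sig = line.split(",", 2)
    return Alert(division, datetime.fromisoformat(ts), src, sig)


def reduce_alerts(alerts, window=timedelta(minutes=5)):
    """Data reduction: drop repeats of the same (division, source, signature)
    that occur within `window` of the first occurrence."""
    kept, first_seen = [], {}
    for a in sorted(alerts, key=lambda x: x.timestamp):
        key = (a.division, a.source_ip, a.signature)
        first = first_seen.get(key)
        if first is not None and a.timestamp - first <= window:
            continue
        first_seen[key] = a.timestamp
        kept.append(a)
    return kept


def cross_division_patterns(alerts, min_divisions=2):
    """Return signatures and sources observed in at least `min_divisions`
    divisions, each mapped to the sorted list of divisions reporting it."""
    by_sig, by_src = defaultdict(set), defaultdict(set)
    for a in alerts:
        by_sig[a.signature].add(a.division)
        by_src[a.source_ip].add(a.division)
    sigs = {s: sorted(d) for s, d in by_sig.items() if len(d) >= min_divisions}
    srcs = {s: sorted(d) for s, d in by_src.items() if len(d) >= min_divisions}
    return sigs, srcs


def analyze(raw_reports=RAW_REPORTS):
    """Run the full pipeline: normalize, reduce, correlate."""
    alerts = [parse_line(div, ln) for div, lines in raw_reports.items() for ln in lines]
    reduced = reduce_alerts(alerts)
    sigs, srcs = cross_division_patterns(reduced)
    return {"received": len(alerts), "after_reduction": len(reduced),
            "signatures": sigs, "sources": srcs}


if __name__ == "__main__":
    result = analyze()
    print(f"{result['received']} alerts received, {result['after_reduction']} after reduction")
    for sig, divs in result["signatures"].items():
        print(f"signature '{sig}' seen in: {', '.join(divs)}")
    for src, divs in result["sources"].items():
        print(f"source {src} seen in: {', '.join(divs)}")
```

With the constructed feed, the SMB probe stays a single-division event while the SSH brute force and the scanning source surface as enterprise-wide patterns.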
6.5.3 Impact on Security Quality Management
By having a dedicated CSIRT, this model allows for the centralization of various incident handling and data analysis functions. This model establishes the CSIRT as the central point for the collection and dissemination of information related to incident activity, reported vulnerabilities, and identified artifacts. This information is used to provide a broad picture of the security of systems and networks within the enterprise. The information gathered and analyzed can be used by the CSIRT to develop materials and guidelines to assist system, network, and security administrators in providing support to their divisions and to the organization in general. Such materials can include self-assessments and checklists to help system, network, and security administrators secure systems before they are placed in production environments. These types of materials can also be used to evaluate and troubleshoot existing systems. Other materials that can be developed include security-awareness briefs and security policies and procedures for the organizational infrastructure. These materials can be used in a proactive manner to improve the security of all organizational divisions. Having such materials provides a consistent set of procedures to follow within the enterprise, including incident reporting and response procedures.
The centralized CSIRT is also responsible for working with human resources (or a similar department) to identify the needed training for staff throughout the enterprise. The CSIRT bases its input on the common types of activity and tools that are seen or used by the constituency. A security curriculum is developed that is geared to the functional responsibility of the CSIRT staff and the constituency it serves. The team develops presentations and user awareness campaigns and offers periodic "refresher" sessions. Members of the dedicated team may be assigned to visit organizational site locations to provide briefings or security awareness training. CSIRT staff can also provide instruction on security issues, tools, and recovery techniques. The CSIRT can also develop a web presence to provide relevant information to the organization, such as FAQs, security information, newsletters, policies, procedures, and guidelines.
Incident and vulnerability trends, knowledge about weaknesses in the enterprise and needed security precautions, as well as other information gathered by the CSIRT can provide input into many security quality management services, including the provision of audits and assessments, business continuity planning, and disaster recovery planning.
With a dedicated, centralized CSIRT there may be more time and opportunity available for CSIRT staff to devote to product evaluation or security consulting. The CSIRT, due to its position in the organization, should be heavily involved in the development of enterprise-wide security policies. What the team is actually able to do will depend on its size, mission, and workload.
6.6 Resources
The following staff, equipment, and infrastructure resources should be considered when implementing a centralized CSIRT model.
6.6.1 Staff
A centralized team can dedicate up to 100% of their effort to provide CSIRT services. The CSIRT is centrally located and coordinates activities across the enterprise. Its staff will most likely contain the following individuals:
- one manager (with a designated backup)
- one administrative support person
- technical staff - The number of technical analysts will depend on the size of the CSIRT constituency, available resources, and services offered. Also, if the CSIRT provides 24x7x365 coverage, then more staff may be needed.
In some organizations staffing levels may be from 1 to 4 and in others from 5 to 10 or more. Some organizations may have designated positions for the CSIRT but fill them with a number of rotating staff. For example, 1 or 2 staff may be assigned incident handling duties for a week. The following week different staff members perform the work for this position. Some teams in Europe call this a "Rota" model.
If resources permit, the centralized team may also include
- one system administrator to provide infrastructure support for the CSIRT equipment (this can also be a shared position with another department)
- one or more triage staff. If the CSIRT provides a hotline or help desk, the person in this position can also perform that function. (These staff should have a mix of help-desk and junior system administrator skills.)
There may be additional adjunct staff who may work with the CSIRT on an as-needed basis from other areas of the organization, including
- technical writers
- trainers/instructors
- public affairs staff
- web developers
- human resource representatives
- legal counsel
- investigators
- other technical experts as required by the systems and applications supported by the enterprise. (These could include database administrators, application developers, managers, platform specialists, network administrators, auditors, and risk management personnel. They may work as extended members of the team.)
Having an established and effective communications plan with these additional areas is crucial to the success of the incident handling functions.
The total number of staff needed depends on the number of services provided, the size of the constituency, and the number of reports received by the CSIRT.
The CSIRT staff can call upon identified organizational contacts and/or system, network, and security administrators to respond to security events at the local level, or they may go to the local site to provide hands-on assistance (if this is part of the service the team provides). The staff will need to coordinate with any IT staff responsible for security and perimeter defenses.
With the centralized model, incident handling activities are coordinated and managed by the CSIRT. If the requisite skills are not resident in the CSIRT, the team may be able to negotiate with other local system administrators and existing security teams for assistance as needed. If there is an enterprise-wide help desk function, the CSIRT needs to coordinate with that staff.
6.6.2 Equipment
Equipment is needed to support the centralized CSIRT staff. This includes (but is not limited to) the following:
- office space and furniture (desks, copier, supplies, etc.)
- computer equipment for day-to-day operations and activities
- non-production test lab facilities
- travel and home equipment (for remote access, training, and on-site visits)
- telephones (secure telephones, fax, cellular, pagers)
Where required, CSIRT staff negotiate for the use of other equipment for testing (e.g., in existing test labs). If the CSIRT is unable to acquire the use of needed equipment they may have to purchase this equipment at additional cost. It is also possible for the CSIRT to build a collaborative, trusted relationship with other external agencies and to call upon these other expert resources for assistance in analysis and/or testing.
6.6.3 Infrastructure
The infrastructure must provide a secure environment for the CSIRT's day-to-day operations. It should include (but is not limited to) the following:
- physical security
- protected power sources and generator (if appropriate)
- a firewall or separate network to isolate the CSIRT network from the rest of the organization
- network and host security
- secure intranet
- a robust and secure tracking system
- a secure repository for incident, vulnerability, and artifact data
- secure communications support (email, phones, videoconference, etc.)
- web services
- encryption technologies
- virus protection and scanning software
- secure backups and storage of CSIRT data
6.7 Summary
This model has staff dedicated to CSIRT work located in one central site, reporting to a high-level manager, such as a CIO, CSO, or CRO. Team members are usually assigned 100% to CSIRT work; some organizations, however, may be able to use part-time staff. In some situations there may be staff resource sharing, as appropriate, for assistance in areas such as infrastructure support, technical writing, investigations, and media relations.
6.7.1 Impact on Constituency
This centralized model provides the organization with a clear mechanism for proactively managing its computer security risks and provides a broader understanding of the security threats and activity affecting the constituency. The dedicated team provides resources to expand the focus of the CSIRT beyond reactive services by providing more time to devote to proactive and security quality management services. The organization can now analyze potential threats and risks and determine the appropriate levels of prevention and mitigation necessary to provide adequate levels of security.
The major impact to the constituency is that now it must interface with the CSIRT. This means that the constituency must understand the function and purpose of the CSIRT. It must be trained in how and when to contact the CSIRT. Divisions that previously handled their own incident and vulnerability response must now learn to work closely with the CSIRT. New policies and procedures, organizational processes, and communications mechanisms must be developed. The CSIRT work and functions must be integrated into the existing enterprise.
In turn, the CSIRT must take the time and effort to understand not only the enterprise infrastructure but also the business needs and priorities of each part of the organization. This will require establishing good channels of communication between the CSIRT and other parts of the organization and a methodology for interacting with other business sectors to get their input and expertise during incidents that affect their systems and networks.
The CSIRT must be included in all long-term strategic planning regarding not only infrastructure support but also the implementation of new business services. This will help them to understand the service from its beginning so that they can provide insight into any security problems or issues that must be addressed, and also so they can understand the priority and function of this service so that they can provide the best response possible.
The CSIRT should also be involved in any change management or configuration management systems or communications channels that exist in the organization. The CSIRT needs to be aware of changes in the infrastructure and also needs to understand what type of configuration defenses are in place. Based on their understanding of current security problems and intruder trends, the CSIRT can also provide input into best practices for configuring systems in a secure fashion.
6.7.2 Constraints
Constraints on the effective operation of a centralized team include the number and diversity of platforms used by the organization, the organization's size, and the geographic distribution of its divisions and sections. Such variables might make it difficult for one centralized group of security experts to handle all incoming incidents, especially if on-site support is part of the service.
If the parent organization or constituency is small, there may not be any problems or constraints in providing these services. At the same time, there may be difficulty in having enough funding, expertise, and resources to devote to a CSIRT. In that case, the team itself may be small or composed of staff who only work as a CSIRT member on a part-time basis.
6.7.3 Strengths and Weaknesses of the Model
In this centralized model, the CSIRT is composed of dedicated computer security professionals. This structure allows for an infrastructure dedicated to incident handling. It lends itself to formalized procedures, the creation and maintenance of a central repository of incident data, and the expertise to analyze the data for maximum advantage. This structure seems to provide the best support for developing and retaining the specialized expertise that many of the sophisticated CSIRT services require.
This model provides a very stable structure for building a CSIRT. This makes the organization's incident handling capability manageable and predictable.
The centralized model requires that a new specialized unit be created, staffed, and integrated into the organization's operations.
The main weakness of this model is that the incident handling capability is now separate and distinct from other operational units. The CSIRT has specialized security expertise but may lack operational knowledge. The operational units may assume that the CSIRT will handle all computer security events and therefore not concern themselves with such issues. The CSIRT may become disconnected from the operating units, making it difficult for the dedicated team to integrate and coordinate across a large enterprise. Also, a centralized team may concentrate incident handling knowledge and skills in a small number of staff. When those staff leave, the loss of organizational knowledge can be disproportionate, and the CSIRT may not easily recover from it. In a centralized model, therefore, cross-training and mentoring of staff and designated backups for each staff member are vitally important.
It is also vitally important that the roles and responsibilities and interactions of staff across the organization are clearly defined and understood.
The strengths and weaknesses of this model include the following:
- Strengths
  - Ideally, there is a focused, dedicated team that does not have to divide its time between CSIRT work and other responsibilities.
  - The CSIRT provides staff trained in computer security incident response and recovery.
  - The CSIRT provides a central responsibility for synthesizing and analyzing information to determine trends and patterns for the entire enterprise. This facilitates the quick identification of targeted attacks.
  - There is a central repository for storing incident, vulnerability, and artifact data and related materials.
  - The CSIRT is able to provide valuable information to the constituency (documents, checklists, best practices, etc.).
  - The CSIRT is able to build a comprehensive knowledgebase of incident and vulnerability reports, analysis, and response strategies.
  - It is easier to build and maintain a strong team atmosphere.
- Weaknesses
  - It may be more difficult to coordinate with geographically distributed or divisional sites, where they exist.
  - Without strong management support, the team may seem isolated from the rest of the organization.
  - The organization needs to fill a number of new positions and purchase additional equipment and furnishings.
  - It can be difficult to determine the correct size of the team.
  - It can be difficult to obtain sustained funding for the CSIRT.
  - Depending on where the CSIRT is organizationally located, it can be difficult to get buy-in from other divisions to follow the recommendations of the CSIRT.
  - It is difficult to cover all the areas of expertise necessary; the CSIRT may not have enough staff to handle all supported platforms.
  - It is difficult to ensure that all divisions act on recommendations in a timely, appropriate manner.
  - Information may have to flow through several hierarchical levels to reach the individuals who are ultimately responsible for implementing repairs, causing delays in response and recovery.
  - Incident handling knowledge may be concentrated in a few staff members, resulting in a loss of organizational knowledge when staff leave.
  - It is difficult to provide a team with up-to-date operational knowledge of the enterprise. The team must develop, understand, and maintain a picture of the organization's critical infrastructure.
[1] More information about this model can be found in Section 4.2 of the JANET document Effective Incident Response.