Picture this: A phone call wakes you, the CTO, at 6am on a Saturday morning. It’s a reporter from a large newspaper asking about your data breach. You have no idea what the reporter is talking about and you hang up the phone. You then start searching the internet to see if there’s any truth to this story and notice that it’s being reported all over the web, Twitter, Facebook, etc. You’ve been compromised – Now what?!
In this blog post we’re going to talk a little about the response team you need to put together ahead of time, so that you’re not starting from scratch when you’ve been breached. Some roles in the Computer Security Incident Response Team (CSIRT) are common sense but others aren’t, and these are the ones I want to focus on in this post.
It’s not hard to know who’s in your Security, Networking, Windows, Linux, etc. teams, and selecting the right people for the CSIRT shouldn’t be all that difficult. But, these aren’t the only people you need. Let’s review some other roles you need in the CSIRT:
During a breach your compliance team will obviously be heavily involved with the CSIRT. They must have full knowledge of the breach and what’s being done to address it so that they can answer the auditor’s questions at the next audit, which won’t be fun! The same goes for your risk management team. They will need to determine whether the enterprise faces any additional risks during the breach and after it has been eradicated. This team will work directly with the security team to locate those risks across your environment and help to mitigate them.
It’s very easy to forget about your remote sites if you’re a large company with a headquarters and multiple smaller sites, but you mustn’t leave them in the dark. Eventually the threat or the media are going to find their way to them, and you need to have people assigned as remote site liaisons to the CSIRT to relay information and updates about their location. You also need technical people from these remote locations in the CSIRT to handle any local technical issues.
If you’re a large company with an in-house forensics team, you probably have the right resources to handle the forensics aspects of a breach. If you don’t, or you’re a small to medium size company, you should find the right expert vendor ahead of time. Doing the leg work upfront, such as finalizing financial and legal terms, will save you a ton of valuable time (and money) when you need it.
Another area that’s often overlooked is your datacenter team. There’s a very good chance you have remote datacenters located in far flung places for business continuity purposes. But how do you manage the resources at these centers? It’s very possible that these systems are hosted by third-party MSPs and that the people working on your remote systems aren’t employees of your company. In the event of a breach, you probably won’t get the response or level of urgency you need from people who don’t have skin in the game.
If possible, you should establish a set of procedures for each remote datacenter, and assign a manager responsible in the event of a breach. Another good idea is to have regular fire drills for these resources so that they are fully trained on what they’ll need to do in the event of a breach. Many MSPs have high turnover so creating a runbook and assigning a manager will help expedite a few of these tasks if/when the time comes.
Technical personnel are key to the CSIRT, but there are also non-technical teams that you really need to have on your side in the event of a breach. These are the customer-facing teams that will manage the reputation and integrity of your business during and after a breach. Here are a few that you should start working with now:
These are a few teams that you should consider including in your CSIRT. This is by no means a definitive list, and there are probably many other relevant teams that are unique to your company. The key thing is defining and educating these teams ahead of time. What you don’t want is to have to pull these teams together after a breach has already occurred. Make sure you have your CSIRT established and its processes well documented before you actually need them.