Skills and experience needed to support a CSIRT, SOC or SIEM team
As the cyber-threat landscape evolves and data breaches escalate, incident response becomes more important than ever for any business. Consequently, to overcome common security challenges and to prevent, as much as possible, the often disastrous consequences of an intrusion, companies of all sizes are enlisting the help of teams of professionals specialized in rapid response when IT problems occur.
A computer security incident response team (CSIRT) is a body of people tasked with the difficult feat of addressing, promptly and efficiently, all incidents that affect the organization. They are responsible for safeguarding the confidentiality, integrity and availability (CIA) of the business' assets (computer systems or networks) and data. Expert services can be provided by in-house CSIRTs or outsourced to external service providers (MSSPs). In smaller organizations, an ad-hoc team can also be convened to respond to an incident when the need arises.
Who works on a CSIRT?
A CSIRT's main objective is to minimize the impact of any incidents. In order to do that, the team must include professionals with different expertise, from security analysts and incident handlers to network and system administrators, vulnerability handlers, trainers and management-level employees.
The team must also involve other sections of the company, from human resources and legal to public relations and customer support. This is because resolving an incident doesn't just mean stopping an intrusion, isolating the affected systems, recovering data and applying countermeasures. It also means responding to managers, keeping communication open with customers and the public, as well as requesting disciplinary actions if applicable.
CSIRT vs. SOC vs. SIEM
A CSIRT might be part of an organization's security operations center (SOC), a group responsible for the overall IT security of an organization, including policies, compliance, governance and security of systems and applications. It can also coexist with the SOC, providing it with incident response (IR) capabilities in case of an incident.
As the number of computer security incidents continues to grow, more and more organizations are relying on IR teams that work independently from the SOC to provide effective response times and that make use of technologies, like SIEM products, to detect abnormal activity.
No matter what type of CSIRT an organization decides to employ, the set of functions or services that a CSIRT provides is key to supporting critical business processes and systems. Working in a 24/7 SOC environment involves critical duties and responsibilities that must continue to be performed during crisis situations and contingency operations. Particular attention therefore needs to be given to choosing the right people to fulfill the necessary roles.
CSIRT roles & functions
According to The State of Incident Response survey, CSIRTs perform many different incident handling functions, from assessing the organization's IR program to "perform[ing] collaborative, interactive investigations to scale the incident response function effectively within a security operations center." The study also found there are a variety of staff members with IR roles. "When asked about their involvement with incident response, 31.8% of respondents stated that their duties were dedicated to the SOC or IR. However, 62.9% reported that they had some responsibility for incident response or the security operations center, or that they had oversight of IR and/or the SOC."
Some CSIRT members will run internal IR exercises with the purpose of improving accuracy and response time and reducing the attacks that surface. Others will be assigned to analyst roles, conducting deep incident analyses, as needed, to ensure the continuity of critical business functions. Other CSIRT members will be told to perform comprehensive IR services that include monitoring the IT environment, assessing threats and providing intelligence against potential breaches or system weaknesses.
No matter what job roles make up the CSIRT team, members need to communicate with each other to work in synergy and "understand the functionality and use of various tools to facilitate the review and interpretation of incident data (compressed file formats and tools, archiving tools such as UNIX tar or WinZIP, uuencode/decode, etc.)."
What technical skills do CSIRT staff need?
The CSIRT comprises professionals with different technical, communication and administrative expertise. In addition to their expertise, education and cybersecurity certifications, the skills that CSIRT staff members should have include basic knowledge of incident-handling services.
All CSIRT members need to have a knack for incident response and solid technical skills, including familiarity with the risk-management tools used in the organization to discover potential weak points. They also need to be well versed in attack vectors, as well as vulnerabilities, the severity of flaws, malicious code, access control issues and physical security requirements regarding the CIA (confidentiality, integrity, availability) of data or resources to ensure they are available. Furthermore, to quickly identify and respond to incidents, all professionals in a CSIRT need to be well versed in network technologies, their applications, communication protocols and security issues.
What's more, professionals must recognize intrusion techniques and apply analytical skills to analyze data, logs, inappropriate traffic and network behavior, as well as possible motives for the attack. The patterns they can identify and the information they can collect, evaluate and put in perspective could be invaluable in stopping further attacks and discovering the culprits. Specific technical skills, however, are not the only requirements CSIRT professionals need to meet.
What soft skills do CSIRT staff need?
A number of other abilities and soft skills are often just as important, and employers should look for them in their candidates.
- Communication skills. This is one of the main personal skills needed by all members of the team. Whether it is to communicate with other team members while in emergency mode or to communicate calmly and effectively with clients, the public and executives, the ability to convey information clearly and at the appropriate level is essential in a CSIRT professional. Written communication is also important, as members need to be able to write effective policies, communicate clearly with stakeholders via emails and notices, as well as document incidents thoroughly.
- Listening skills. The ability to pause and listen to the concerns and requests of clients as well as management is paramount when working during the resolution of an emergency. A CSIRT member who doesn't take the time to listen to fellow team members or customers diminishes his or her ability to resolve the incident in a more effective way.
- Tact and diplomacy. Any time professionals are asked to deal with an emergency, they might find themselves in situations where they are hard-pressed for information or have to deal with anxious, angry customers and/or managers. The ability to calmly handle all situations with tact and diplomacy can go a long way in keeping the organization focused on what needs to be done to minimize the impact of an incident, as well as to prevent the release of information that shouldn't be in the public domain.
- Teamwork. This is obvious. In an intricate group of professionals with different technical skills, experience and roles, it is important that all members are able to work well in a group, accept differences of approach, understand each other's roles and be able to support each other's functions without reserve. They also need to be able to interact with other sections of the organization and non-technical staff, as well as recognize and accept leaders in their workgroup.
- Trustworthiness and discretion. Members of a CSIRT are often made privy to highly sensitive information and need to protect the information they are given. Members need to be able to strike the right balance between what is legitimate to divulge to stakeholders and what information should be well guarded against unnecessary disclosure.
- Problem solving. This is one of the most important skills. Not all incidents are created equal, and professionals need to be able to adapt to changing situations, new scenarios and a variety of attacks in order to respond as quickly as possible. Strong problem-solving skills and creativity support the technical abilities of team members and allow them to face and resolve even the most unexpected situations.
- Ability to cope with stress. Although all jobs require the ability to keep calm and collected in difficult times, this is particularly important when dealing with incident response. A highly-skilled professional who crumbles under pressure is a weakness that no CSIRT team can afford.
- Organizational skills. In an emergency, the ability to organize the work, prioritize it and apply time management skills is one of the most important traits. Juggling the actual technical response to the attack or vulnerability while informing stakeholders, documenting findings and actions, and keeping the rest of the organization's systems running, if possible, requires both types of skills.
What experience are employers looking for when staffing a CSIRT?
Employers tend to look for staff with the following experience:
- Security-related experience detecting and collecting threat intelligence
- Demonstrated problem-solving skills
- Ability to conduct preventive and predictive analysis to help mitigate future threats
So, how does one become a dedicated CSIRT member? Many organizations will hire staff who have taken incident response courses and acquired a certification, or train existing team members to build their skills.
Companies will also look for professionals with expertise in SIEMs. SIEM stands for security information and event management; it is software for managing and investigating intruder alerts. A SIEM tool, therefore, is considered the core piece of software in a SOC. It can be used for automatic security management (incident response) to find suspicious or malicious activity by analyzing alerts by source, destination and type. Yet a SIEM needs to be run by people who possess the skills to perform such an evaluation.
Additional CSIRT resources
The presence of a CSIRT in an organization can help enhance security and ensure business continuity. Its members gain insight into threats against the organization, provide quick and efficient incident recovery, control and minimize any damage, and prevent future incidents. Time and again, businesses fail to understand how security incidents happen in the first place. With cybercrime continuing to surge in 2022, CSIRTs are an essential way to defend against those malicious actors.
There are resources available to gain a better understanding of the structure and functions of existing teams. For example, NIST Special Publication 800-61 Revision 2, the Computer Security Incident Handling Guide, or the CMU/SEI-2003-HB-002 Handbook for Computer Security Incident Response Teams (CSIRTs) describes the tools, procedures and roles necessary to implement the team. However, creating ad-hoc teams requires finding the right mix of people, processes and technologies (CSIRT/SOC/SIEM). In other words, it's all about striking the right balance between workforce talent and the right security tools.
In particular, it is important to employ professionals who possess the special skills (technical and personal) and knowledge that will help them support the long-term resiliency of companies' IT infrastructures.
Sources
- CSIRT Frequently Asked Questions (FAQ), Software Engineering Institute
- Skills Needed When Staffing Your CSIRT, Software Engineering Institute
- On Computer Security Incident Response Teams, IEEE