The Anatomy of a Security Incident Response Team


As organizations continue to invest in dedicated information security resources, it is imperative that they also develop the capability to respond to security incidents.

In the event of an information security breach, an organization must be able to respond effectively and undertake the appropriate countermeasures. This will minimize the possible business consequences of a breach such as financial loss, negative publicity and legal action.

The publicity associated with high-profile security breaches can be disastrous. This threat alone has encouraged many to formalize operational security processes. And as the financial impact of breaches continues to increase, more and more organizations are starting to take legal action against perpetrators. This in turn results in security response procedures being expanded to include forensics and evidence collection.

Although the majority of Global 2000 organizations have now formed dedicated security teams, most are focused on developing new security policies and assessing technologies to protect the organization from external attack. However, a key function of the security team must be to manage the organization's response to security incidents, including appropriate countermeasures and corrective actions. Setting up a security incident response team (SIRT) is essential for effective information security countermeasures. Indeed, investing in SIRT resources should be one of the short-term initiatives of a corporate security program.

META Group predicts that 40 per cent of Global 2000 organizations will have implemented a SIRT by 2003, with 60 per cent by 2004. However, over the next year as many as 30 per cent of organizations will misguidedly invest in automated event correlation and response technologies instead of investing in process and human resources. This will result in unfulfilled expectations and will delay effective SIRT capabilities for such organizations until 2004-05.

The main objective of a SIRT (sometimes referred to as a CERT: computer emergency response team) is to support effective corporate response to information security breaches and policy violations, and as such it should be based upon clearly defined processes, policy, roles and responsibilities.

The primary functions of the SIRT are to:

  • Monitor the integrity of the computing environment.
  • React to internal and external security breaches and policy violations.
  • Capture and interpret relevant information about security incidents.
  • Assess the impact of security incidents.
  • Differentiate between accidental and malicious incidents.
  • Advise the business on appropriate responses to security incidents.
  • Manage root cause analysis and corrective activities to prevent recurrence.

The permanent members of the SIRT will be multi-disciplinary. This core team should have adequate technical, application, organizational and business knowledge to enable it to activate additional resources (internal and external), and to provide effective advice to the business. Typically the team will consist of an incident response manager, additional security operations staff, the chief security officer and selected information security specialists, appropriate IT operations and technical support managers, and the IT application managers. Ad hoc members will include business unit managers, legal and human relations managers, public relations managers, and the information security steering committee.

Effective escalation procedures are a crucial element in ensuring the quality of an incident response. Since security incident management is essentially a problem management activity, there must be clearly defined integration points with the organization's problem management and disaster recovery / business continuity processes.

In the event of a security breach, the first role of the team is to rank its severity as a guide to escalation and countermeasure decisions. For example, a low-level breach may be ranked as having no impact on business activities and a small impact on operational activities (e.g. recovery of files, disciplinary caution, modification of procedures). A medium breach may have little or no impact on business activities (e.g. temporary reversion to manual procedures, small transaction delay), but it may have a major impact on operational activities such as system recovery, system reconfiguration or upgrade, and formal disciplinary action. At the top end of the scale, a highly severe breach is likely to have a significant impact on business activities, such as the inability to transact, exposure of competitive or personal data, legal violation or financial loss, as well as a major impact on operational activities.

The next step focuses on the escalation chain. This is the hierarchy of stakeholders that must be involved in response activities and decisions. Depending on the severity of the breach and the value of the information asset involved, the potential escalation activities are:

  • Report: Report incident via the normal reporting structures, e.g., monthly incident report. Investigate and decide appropriate remedial actions.
  • Notify: Immediately notify information owner, and log in normal reporting mechanism. Investigate and decide appropriate remedial actions.
  • Alert: Immediately notify information owners and relevant business executives. Put emergency response team on standby. Keep all relevant stakeholders informed of status and actions.
  • Activate: Immediately alert all relevant stakeholders, and convene emergency response team. Decide on appropriate countermeasures.

All responses and countermeasures must be grounded in the relevant legal context in terms of what actions are allowable and what kind of evidence must be captured. A major responsibility of the SIRT is to balance the short-term need of the business and the IT organization (i.e., to restore service as soon as possible) against the legal requirements (e.g., capturing evidence in a legally acceptable manner before systems are rebuilt, and treating suspect employees appropriately).

The SIRT must also equip itself with the latest threat management products. These include host and network based intrusion detection tools (e.g., Tripwire, ISS, Cisco, Entercept) and malicious code filters (e.g., Symantec, Trend Micro, Network Associates), but also event information from firewalls, VPN systems, operating systems and potentially also applications. Log consolidation and analysis tools (e.g. CA eTrust Audit) can prove helpful, while event consolidation platforms (e.g., Intellitactics, E-Secure, Micromuse) and forensics tools (e.g., Guidance Software) will become increasingly popular for supporting correlation, analysis and evidence capture.

While the SIRT is typically located in the security operations center, many organizations are outsourcing some operational security processes, including monitoring and forensics, to external service providers. The incident response process itself does not lend itself to being outsourced, because deriving an appropriate response requires correlating security event information with local infrastructure knowledge and the resulting business impact, a complex process that depends on context only the organization holds. Indeed, outsourcing the monitoring and forensics processes emphasizes the need for dedicated relationship management to ensure the respective responsibilities and handover points between the service provider and the SIRT are clearly defined and managed.
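As an added illustration (not META Group's code, nor that of any product named above), the following Python script shows the correlation step this paragraph describes, applied to the severity and escalation model set out earlier: it normalises constructed firewall, network IDS and host IDS log lines, groups them by the affected asset, ranks severity from the weight of evidence, and selects the escalation level using the asset's business value from a constructed asset register. The asset register, log lines, sensor weights and thresholds are all invented for the example; the four escalation levels follow the chain above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset register standing in for "local infrastructure knowledge".
# The value rating comes from the information owner, not from the sensor data.
ASSETS = {
    "10.0.5.20": {"name": "erp-db01", "value": "high"},      # holds transaction data
    "10.0.5.31": {"name": "intranet-web", "value": "medium"},
    "10.0.7.12": {"name": "lab-host-12", "value": "low"},
}
HOST_TO_IP = {a["name"]: ip for ip, a in ASSETS.items()}

# Constructed sample lines in three sensor formats (firewall, network IDS, host IDS),
# plus one line in no known format to exercise the parser's failure path.
SAMPLE_LOGS = """\
fw1 deny src=203.0.113.9 dst=10.0.5.20 dport=1433
ids1 alert sig="SQL Server overflow attempt" src=203.0.113.9 dst=10.0.5.20
hids erp-db01 file=/etc/passwd changed
fw1 deny src=198.51.100.7 dst=10.0.7.12 dport=22
ids1 alert sig="SSH brute force" src=198.51.100.7 dst=10.0.7.12
fw1 deny src=192.0.2.44 dst=10.0.5.31 dport=80
this line is not in any known format
"""

# Evidence weight per sensor type: a blocked packet says little, a network alert
# more, a host-level change the most. Weights and thresholds are illustrative only.
WEIGHTS = {"fw": 1, "nids": 2, "hids": 3}

FW_RE = re.compile(r"^\S+ deny src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+$")
IDS_RE = re.compile(r'^\S+ alert sig="(?P<sig>[^"]+)" src=(?P<src>\S+) dst=(?P<dst>\S+)$')
HIDS_RE = re.compile(r"^hids (?P<host>\S+) file=(?P<file>\S+) changed$")


@dataclass
class Event:
    sensor: str   # "fw", "nids" or "hids"
    dst_ip: str   # affected asset, normalised to an IP address
    detail: str


def parse_line(line):
    """Normalise one raw log line into an Event; return None if the format is unknown."""
    if m := FW_RE.match(line):
        return Event("fw", m["dst"], f"deny from {m['src']}")
    if m := IDS_RE.match(line):
        return Event("nids", m["dst"], f"{m['sig']} from {m['src']}")
    if m := HIDS_RE.match(line):
        ip = HOST_TO_IP.get(m["host"])
        if ip is None:            # host not in the register: cannot be mapped to an asset
            return None
        return Event("hids", ip, f"{m['file']} changed")
    return None


def severity(events):
    """Rank the technical evidence against one asset as low, medium or high."""
    score = sum(WEIGHTS[e.sensor] for e in events)
    if score >= 5:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


# Escalation chain from the article, indexed by (severity, asset value).
ESCALATION = {
    ("low", "low"): "report",      ("low", "medium"): "report",      ("low", "high"): "notify",
    ("medium", "low"): "notify",   ("medium", "medium"): "notify",   ("medium", "high"): "alert",
    ("high", "low"): "alert",      ("high", "medium"): "activate",   ("high", "high"): "activate",
}


def correlate(log_text):
    """Group events by affected asset and decide severity and escalation per asset."""
    by_asset = defaultdict(list)
    unparsed = 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            unparsed += 1         # count rather than silently drop: gaps in coverage matter
            continue
        by_asset[ev.dst_ip].append(ev)

    incidents = {}
    for ip, events in by_asset.items():
        known = ip in ASSETS
        asset = ASSETS.get(ip, {"name": ip, "value": "medium"})  # unregistered asset: assume medium
        sev = severity(events)
        action = ESCALATION[(sev, asset["value"])]
        incidents[asset["name"]] = {
            "severity": sev,
            "asset_value": asset["value"],
            "known_asset": known,
            "escalation": action,
            # alert/activate may lead to a legal track, so evidence must be preserved
            # before service is restored.
            "preserve_evidence": action in ("alert", "activate"),
            "events": [e.detail for e in events],
        }
    return incidents, unparsed


if __name__ == "__main__":
    found, skipped = correlate(SAMPLE_LOGS)
    for name, inc in found.items():
        print(f"{name:12} severity={inc['severity']:6} value={inc['asset_value']:6} -> {inc['escalation']}")
    print(f"{skipped} line(s) not parsed")
```

Run stand-alone, the script ranks the ERP database as a high-severity incident on a high-value asset (activate, preserve evidence), the lab host as medium on a low-value asset (notify), and the intranet server as low (report). The point of the design is that the same network alert lands on a different rung of the chain depending on the asset register, which is exactly the local knowledge an external monitoring provider does not hold.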

Tom Scholtz is vice president of global networking strategies at META Group (
