Building or modernising own CSIRT/SOC: Practical tips

Posted on 09-Mar-2020

TRANSCRIPT

Page 1

Building or modernising own CSIRT/SOC: Practical tips

Dr. Vilius Benetis, CEO

Page 2

Our project geography: South Asia, Africa, South America, Europe.

Building cybersecurity centers (CSIRTs) from 1998.

CSIRT/SOC teams establishment globally to confront cyberattacks and cyber crime.

Currently a fully-packaged team trusted by ITU for the job, globally.

Page 3

True needs for CSIRT/SOC

1. When an attack hits: is there a skilled team ready to respond and handle cyber-incidents using a well-known and internationally accepted Incident Response method?

2. Cyber crime is international: is your team trusted by the international community to provide support during your investigations?

Page 4

Who should have CSIRT/SOC?

When an organisation is substantially digital, i.e. it:

1. Processes a lot of data, especially sensitive data: personal, financial, etc.

2. Automates processes heavily

3. Is part of critical infrastructure

4. Is highly susceptible to cyber threats

Page 5

Defining CSIRT/SOC/CERT/ISAC

IT Security Teams mature into Computer Security Incident Response Teams (CSIRT), synonymous to:

▪ CERT: Computer Emergency Response Team

▪ PSIRT: Product Security Incident Response Team

▪ CIRT: Cybersecurity Incident Response Team

▪ ISAC: Information Sharing and Analysis Center

Security Operations Center (SOC) is: a partial operation of the CSIRT model, primarily focused on internal monitoring, detection and triage.

Page 6

How to make it work?

Page 7

Establishing CSIRT/SOC

Page 8

Different CSIRT/SOC stacks

Page 9

Lessons learned

Lesson #1: Mandate is the key enabler

▪ The most difficult part is to get it signed/adopted

▪ It empowers to act

▪ Sometimes it comes only after tangible results have been achieved

▪ Iterative approach then: data centre, gov., national

▪ It triggers related essential components to be established:

  ▪ Technology

  ▪ Processes

  ▪ Skills

Mandates are different and unique:

▪ Central Bank of Egypt CSIRT vs. Bangladesh e-GOV CSIRT vs. Cyprus National CSIRT

Page 10

Lessons learned (cont.)

Lesson #2: Leadership / passion inside the CSIRT team is the second key enabler

▪ To lead through uncertainty, growth and recognition

▪ Clear vision and focus on execution (relates to the Mandate)

▪ Focus on trust/reputation establishment

Page 11

Lessons learned (cont.)

Lesson #3: Do a few things well (at least initially)

▪ Select services from the list and concentrate on them

Page 12

5 key things to take away

1. Definitions matter: Cybersecurity, CSIRT/SOC, Incident, Mandate, Cybercrime…

2. CSIRT/SOC is a de facto framework for cybersecurity operations

3. Experience ensures success; however, it will still take at least a year to build operations

4. There are experienced consultants to help you on your journey; however, the actual work is done by you

5. Whatever your size, you should start now!

Page 13

Why work with NRD Cyber Security?

1. Focused on building strong capable CERT/CSIRT/SOC teams

2. Constructing relevant visibility for technical and policy decision making on cyber security and metrics

3. Proven track record of success around the world

4. Very cost competitive

Let’s have a chat [email protected]

www.nrdcs.lt

Stand X149

The photos used in the presentation are either the property of NRD Cyber Security or have been downloaded from www.pexels.com

Page 14

Invitation to Vilnius!

▪ NRD Cyber Security is ITU Centre of Excellence for European Region 2019-22

▪ Training course for your calendars: Incident Response Practice

▪ Dates and place: 17-20th September, Vilnius, Lithuania

▪ Designed for: CSIRT/SOC members, all incident handlers, IT professionals and anyone who is interested in incident handling and response

▪ Delivered by:

  ▪ Marius Urkis: NRD CSIRT lead, cybersecurity incident response and forensics expert

  ▪ Rimtautas Černiauskas: Technical cybersecurity consultant, investigator