SOC
Manuel Estévez, GRC Manager

SOC, CERT, CSIRT: who do you belong to?

In 1988 Robert Tappan Morris released the so-called "Morris worm" onto what was then the Internet. He was probably not aware that he was making history. Within 24 hours the worm had infected around 10% of the systems then connected, rendering most of them unusable.


This attack gave rise to a concept that, more than 30 years later, remains valid and is still evolving: the Computer Emergency Response Team (CERT).

Since then, incident response teams have been called by different names and, in a sense, have specialised or diversified, leading to different methodologies, procedures, capabilities and even objectives among them. CERT is a registered trademark of Carnegie Mellon University (CMU), while CSIRT (Computer Security Incident Response Team) is a generic term with no usage restrictions.


To use a formal definition, CMU itself explains that a CSIRT is "an organisational unit assigned responsibility for coordinating and supporting the response to a computer security incident", whereas it describes the work of a CERT as "studying problems that have widespread cybersecurity implications and developing advanced methods and tools".

In other words, while a CERT collects and disseminates security information, a CSIRT responds to incidents.

Much more recent are the SOCs (security operations centres): units in charge of monitoring, detecting and analysing threats by continuously supervising networks, systems, applications and devices.

Thus, initially, each service should focus on (specialise in) a particular area:

  • CERT: Prevention, e.g. looking for vulnerabilities, raising employee awareness, and sharing threat or incident information. Ultimately, preventing security incidents from occurring.
  • SOC: Detection, identifying any suspicious or anomalous activity that may indicate a security incident, and prioritising analysis and response according to the criticality of the event detected.
  • CSIRT: Reaction, the actions taken in response to a security incident once it has been detected.

Over time, market players and a certain confirmation bias on the part of some clients have blurred this orientation, and services are often offered that claim to combine all these capabilities in a sort of philosopher's stone of security.

Do you remember the episode of Don Quixote in which the tailor's caps end up the size of thimbles?

You're either on one pavement or the other, but if you stay in the middle, you get run over

Separating prevention, detection and response functions into different teams or providers is the most effective strategy, for several reasons:

  • Specialisation and focus:
    • Prevention: knowing the latest vulnerabilities and attack techniques, and how to mitigate those risks before they become problems.
    • Detection: data analysis, behavioural patterns, intrusion detection and, ultimately, rapid identification of any suspicious or anomalous activity.
    • Reaction: capacity for incident and crisis coordination, communication management, threat containment and system recovery, and the ability to make quick, effective decisions in crisis scenarios.
  • Efficiency:
    • Each team operates independently but in a coordinated manner, reducing incident response time and improving detection capabilities.
    • Teams that focus on prevention are not distracted by the need to respond to ongoing incidents, allowing them to implement controls and improvements without interruption.
  • Reducing conflicts of interest:
    • If a single unit or team handles all functions, there may be conflicts of interest, especially when it comes to identifying and reporting failures in prevention measures that they themselves implemented. Separation allows for a more objective and critical view of security controls.
    • A detection team that is independent of the prevention team can more impartially assess the effectiveness of the policies and technologies implemented.
  • Improved responsiveness:
    • In the event of an incident, a specialised reaction team can act immediately without waiting for the same resources that are handling prevention or detection to be released. This reduces containment time and minimises the impact of incidents.
    • In addition, having a separate reaction team allows incident response drills and exercises to be run without interrupting preventive or monitoring activities.
  • Development of complementary strategies:
    • Separation allows prevention and detection teams to develop and improve strategies that complement each other without overlapping. For example, while the prevention team can focus on improving security configurations, the detection team can fine-tune alerts to identify any breaches that may have been overlooked.
    • This creates defence in depth, where multiple layers of security work together to protect the organisation.
  • Clarity of roles and responsibilities:
    • With clearly defined and separate roles, it is easier to assign responsibility and accountability. Each team knows exactly what is expected of them, making it easier to evaluate performance and implement continuous improvements.
    • This also helps to avoid "shared blame", where an incident can be mismanaged due to confusion over who should have acted at a certain point in time.

The first step doesn't get you where you want to go, but it gets you out of where you are


In most cases, the best first step for a company is to contract incident response (CSIRT) services from a specialised provider, especially when it wants to establish a robust and responsive security strategy from the outset.


Izertis has a highly experienced and trained incident response team (CSIRT) that keeps abreast of the latest threats, techniques and procedures. Our clients gain immediate access to this expertise without the need to develop a team with these capabilities in-house.

  • We help organisations assess their readiness to activate their response capabilities.
  • We provide a rapid response capability for critical-level incidents, focused on containment and eradication.
  • We provide support in situation analysis, participate in crisis committees and advise management on decision-making.
  • We carry out investigations within the framework of an incident, scaled to the criticality of its impact.

Our team is also ready to intervene immediately in the event of an incident, minimising both downtime and impact. The first hours after an attack are the most critical.

And finally: why do they call it an incident when what they (don't) mean is a crisis?