[Bp_certs] About types of CERTs
Robin M. Ruefle
rmr at cert.org
Thu Jul 31 12:02:11 EDT 2014
Hello again all,
I'd like to start a new topic - still within the topic of types of CERTs or types of CSIRTs maybe is better.
One of the things we have been asked about from internal CSIRTs - is what is the relationship between the CSIRT and the Security Operations Center (SOC) or Network Operations Center (NOC). And how should they be structured. Are they the same thing or different?
I'd like to get some comments from the group on this - especially those within internal CSIRTs or organizational CSIRTs.
Our experience has been varied.
We have seen situations where there is
* a specific "incident response team" within the SOC
* a parallel "incident response team" that works in tandem with the SOC
In these cases the SOC focuses on detection and triage and the incident response team focuses on the detailed analysis and response (although they may ask for more data from the SOC or ask them to take specific actions for blocking or filtering, etc., if the SOC controls such things).
In other cases we have seen where the SOC performs detection, triage, analysis, and response - and there is no particular "team" labeled incident response.
And in some cases we have seen the CSIRT have the responsibility for all of this as a stand-alone organization.
I was just wondering what this group's experience has been.
Thank you,
Robin
Robin Ruefle
CERT Program
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890 U.S.A.
Email: rmr at cert.org
http://www.cert.org/