CERT's security incident-response project


CERT's security incident-response project

What is your opinion of the new CERT security incident-response project, and will it benefit infosec pros?

Security expert John Strand:
The goal of the CERT security incident-response project is to provide a management framework to serve as a guide for the technical components of

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Safe Harbor

dealing with an incident.

I strongly believe that this type of guidance is long overdue. Too many security professionals are obsessed with tools and technology. Because many incident-response teams lack a management-level understanding of security, they tend to focus on dealing with the technical symptoms of an incident and not focus on root cause analysis. By implementing the CERT guidelines, it will help put incidents in the context of an enterprise and help the incident-response team focus on making the procedural and/or technical changes to mitigate damages of future incidents.

While the new security incident-response project is a great move by CERT, to many IT security pros it looks and feels like it has too much management speak. For example, on its website it mentions the goals of the CERT Incident Response Project as being focused on performance standards and management best practices. These are things that are usually the object of humor in Dilbert cartoons.

Keep in mind, though, that the first step in the process is to obtain management buy-in. Remember, management controls budgets, and we as security professionals need to speak their language. This applies not only to incident response, but also to architecture and penetration testing as well.

Another thing to keep in mind regarding any template-based procedures for incident response is that there is no such thing as one size fits all. Plans need to be tailored to specific environments. Take anything from CERT, NIST, and SANS as a starting point.

One of the nice things I see in this project is that it is goal- and metric-based. I feel that having goals and metrics are great tools to demonstrate the value of having a dedicated security/incident-response team. By utilizing goals and metrics, security pros can demonstrate to upper management that they provide value to the enterprise, which is a skill that many security teams lack.


This was first published in July 2008

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.