Incident response and management requires continual growth. Your team will not become proficient overnight, and acquiring knowledge, expertise and maturity takes time, effort, training and a lot of practice. It’s also not a single milestone that you reach and then rest on your laurels. As attackers continue to apply innovative techniques and use new tools, it’s necessary to lay out a development plan to keep up with the ever-evolving threat landscape.

Create an Incident Response Development Plan

Building an incident response team can be a challenging task. Keeping the team relevant and up to date, and making sure it gradually improves and matures, can be even more difficult. The sheer number of services covered in the FIRST CSIRT Services Framework, and the expectations around incident response set out in RFC 2350, make it clear that you cannot do it all at once. So which aspects of your team should you focus on first?

One of the common pitfalls in maturing an incident response team is focusing only on tooling. Tools are naturally an essential part of the job, but a tool set with no standing guidance on how to use it to produce repeatable results is a recipe for failure. After all, your constituency and stakeholders expect you to deliver a reliable, high-quality and reasonably predictable service, and that cannot be achieved with ad-hoc solutions alone.

Additionally, when you respond to an incident, you’ll often have to work with other teams inside and outside your organization. This collaboration will only be effective if communication channels and trusted relationships were previously established and embedded in your processes and approach. To address all this with a properly developed security maturity model, you need to come up with a plan and focus on four key elements:

  • The organizational structure of your team and how it fits into the organization
  • A human development plan that includes pathways for team expansion
  • Improving processes for a more structured method of working
  • Acquiring essential incident response tools

As you develop your plan, it’s essential that you have a sustainable team with a clear mandate. Most of this should already be addressed in your team charter and will follow from management buy-in, sponsorship and a balanced budget. Other focal points for your plan will depend on the expectations of your stakeholders and will likely be influenced by compliance and regulatory requirements as well. Make sure your responsibilities, roles and constituencies are clearly defined in the early stages before you move on to frameworks.

Utilize Proven Frameworks to Measure Your Progress

There are a number of frameworks that can help you produce your security maturity model and give you guidance on where you need to invest energy and resources first.

NIST Cyber Security Framework

The NIST Cybersecurity Framework (CSF) is based on existing standards and practices and helps you manage and reduce cybersecurity risk. The framework describes a set of actions, desired outcomes and applicable references. In CSF 1.1 the actions are built around five functions that you will recognize from incident response methodology: identify, protect, detect, respond and recover (CSF 2.0 adds a sixth, govern).

These functions are divided into categories that address objectives (for example, asset management, awareness and training, anomalies and events) and into outcome-driven subcategories. Your organization selects the categories and subcategories that best align with its business needs and collects them in a profile: a "Current" profile describing where you are today and a "Target" profile describing the situation you want to grow into. Together, the two profiles act as a road map that identifies the areas for improvement within your organization.

Another component of the framework is the implementation tiers, which express the degree to which your organization's risk management practices exhibit the characteristics of the framework. The four tiers range from Partial (Tier 1) through Risk Informed and Repeatable to Adaptive (Tier 4). NIST is explicit that tiers are not maturity levels, but you can use profiles to define the state you want to work toward and then use the tiers as a check on how the practices are actually implemented.

Global CSIRT Maturity Framework

The Global CSIRT Maturity Framework is an approach from the Global Forum on Cyber Expertise (GFCE) for stimulating the development and maturity of national CSIRTs. Although it is aimed at national CSIRTs, the methodology and concepts apply equally well to other CSIRTs and incident response teams.

The framework relies on two building blocks: the Security Incident Management Maturity Model (SIM3) and a three-tier CSIRT maturity approach by ENISA.

The Security Incident Management Maturity Model (SIM3) has been in use since 2009 and has been applied by teams all over the world. Users include the Nippon CSIRT Association (NCA), which uses it to improve the maturity of its members; TF-CSIRT, which uses it as the basis for the highest tier of its membership; and ENISA, which uses it as the starting point for the maturity of national CSIRTs.

SIM3 is built on three basic elements:

  • The parameters are the items for which maturity is measured. A parameter represents an attribute that is relevant to the operations or functions of a CSIRT.
  • Each parameter belongs to one of four categories, or quadrants: organization, human, tools and processes.
  • Each parameter is scored on a maturity level.

The quadrants can help you focus on the key parameters needed for improvement in a natural way. The maturity levels of these parameters express how well implemented they are. The levels include:

  • 0 — It does not exist, or we are not aware of it.
  • 1 — Implicit. It is known or considered but not written down. Seen as “tribal knowledge.”
  • 2 — Explicit, Internal. Written down but not formalized.
  • 3 — Explicit. Written and formalized on authority of the team lead.
  • 4 — Explicit. Audited on the authority of governance levels above the team lead, meaning the parameter is subject to a control process.

The ENISA CSIRT maturity assessment model, on the other hand, applies a three-tiered approach:

  • The Basic level guarantees that the team has a mandate, authority, a service description and a basic process for handling incidents. This level requires that activity on all parameters has started, but the primary focus is on the organizational parameters.
  • The Intermediate level pushes the organizational parameters further and requires work on the human, tooling and process parameters, including internal processes and training of staff members. Almost all of the parameters require explicit documentation, either for internal use or for publication. This is also the level required for teams to participate in joint activities.
  • The highest level, Advanced, means that the team has pushed the remaining human, tooling and process parameters and is able to coordinate incident handling and provide further support for joint activities.

Implement and Track Your Security Maturity

If you’re measuring maturity via the SIM3 model, then you can advance by first raising awareness around a certain parameter (improve from 0 to 1), writing the procedure or process (1 to 2), making it part of the standard approved operating model (2 to 3) and introducing a review and control mechanism (3 to 4).

SIM3 supports three ways of reporting: a list of all parameters, a radar diagram of the parameters or a simplified chart per quadrant. The radar diagram is most suited if you want to have a visual representation of the areas where your team needs to improve or has improved.

Who should do the measuring and reporting? Start with a self-assessment to determine which areas need immediate improvement. In the next iteration you can request a peer review, and later engage a certified SIM3 auditor to help with the improvement process.
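The progression, reporting and self-assessment described above are easy to keep in a spreadsheet, but a small script makes the gap analysis repeatable between iterations. The following Python tracker is an added example and is not code from the article, from the SIM3 authors or from ENISA. It encodes the 0 to 4 levels and the "next step" for each level as described above, computes the gap between a self-assessed current level and a target level per parameter, and produces the simplified per-quadrant view. The parameter IDs, names and target levels are constructed sample input, not the official SIM3 parameter list or an official ENISA tier profile; the `all_started` check is a simplified reading of the Basic level's "activity on all parameters has started" requirement.

```python
"""SIM3-style maturity gap tracker (added example, not from the article, SIM3 or ENISA).

The level semantics and the 0 -> 4 progression follow the article. Parameter IDs,
names and target levels below are constructed sample input, not official SIM3 data.
"""
from dataclasses import dataclass
from statistics import mean

# Maturity levels as the article lists them.
LEVELS = {
    0: "not existing or unaware",
    1: "implicit (tribal knowledge, not written down)",
    2: "explicit, internal (written down, not formalised)",
    3: "explicit, formalised on the team lead's authority",
    4: "explicit, audited on authority above the team lead",
}

# What raises a parameter by one level, following the article's progression.
NEXT_STEP = {
    0: "raise awareness of the parameter",
    1: "write the procedure or process down",
    2: "make it part of the approved operating model",
    3: "introduce a review and control (audit) mechanism",
}

QUADRANTS = {"O": "Organisation", "H": "Human", "T": "Tools", "P": "Processes"}


@dataclass(frozen=True)
class Parameter:
    pid: str       # quadrant letter, dash, number, e.g. "O-1" (illustrative IDs)
    name: str
    current: int   # level from the self-assessment
    target: int    # level the team wants to reach in this iteration

    def __post_init__(self) -> None:
        if self.pid[:1] not in QUADRANTS:
            raise ValueError(f"{self.pid}: unknown quadrant")
        for lvl in (self.current, self.target):
            if lvl not in LEVELS:
                raise ValueError(f"{self.pid}: level {lvl} outside 0-4")

    @property
    def quadrant(self) -> str:
        return self.pid[0]

    @property
    def gap(self) -> int:
        return max(0, self.target - self.current)


def gaps(params):
    """Parameters below target, largest gap first, each with the next action to take."""
    below = sorted((p for p in params if p.gap > 0), key=lambda p: (-p.gap, p.pid))
    return [(p.pid, p.name, p.current, p.target, NEXT_STEP[p.current]) for p in below]


def all_started(params) -> bool:
    """Simplified Basic-level check: every parameter is at least level 1 (implicit)."""
    return all(p.current >= 1 for p in params)


def quadrant_summary(params):
    """The simplified chart per quadrant: (mean current, mean target) level per quadrant."""
    summary = {}
    for q in QUADRANTS:
        in_q = [p for p in params if p.quadrant == q]
        if in_q:
            summary[q] = (round(mean(p.current for p in in_q), 2),
                          round(mean(p.target for p in in_q), 2))
    return summary


def quadrant_chart(params, width: int = 20) -> str:
    """Text bar chart of the mean current level per quadrant (full bar = level 4)."""
    lines = []
    for q, (cur, tgt) in quadrant_summary(params).items():
        bar = "#" * round(cur / 4 * width)
        lines.append(f"{QUADRANTS[q]:<13}|{bar:<{width}}| {cur:.2f} -> {tgt:.2f}")
    return "\n".join(lines)


# Constructed self-assessment for an illustrative team (not real SIM3 data).
SAMPLE = [
    Parameter("O-1", "Mandate", 3, 4),
    Parameter("O-2", "Constituency", 2, 3),
    Parameter("H-1", "Code of conduct", 1, 3),
    Parameter("H-2", "Internal training", 0, 2),
    Parameter("T-1", "Incident tracking system", 2, 3),
    Parameter("T-2", "Resilient e-mail", 3, 3),
    Parameter("P-1", "Escalation to governance level", 1, 3),
    Parameter("P-2", "Incident handling process", 2, 3),
]

if __name__ == "__main__":
    print(quadrant_chart(SAMPLE))
    print("all parameters started:", all_started(SAMPLE))
    for pid, name, cur, tgt, step in gaps(SAMPLE):
        print(f"{pid} {name}: {cur} -> {tgt}; next: {step}")
```

Running the script on the sample data lists the two human parameters and the governance escalation process first, because they have the largest gap, and reports that not every parameter has been started (internal training is still at level 0), which is exactly the kind of finding a first self-assessment is meant to surface. Replace `SAMPLE` with your own scores after each iteration and diff the output to see where the team has moved.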

By using the frameworks covered above, you should be able to start improving your organization’s incident response functions and your security team’s readiness as a whole. Remember, the key points to tackle are as follows:

  • Start with RFC 2350 for a basic approach
  • Develop an organizational framework that is specific to your business
  • Describe your services and the expected service levels to outline the steps toward improvement
  • Have a clear hiring process and development program for staff
  • Set up escalation and feedback processes to ensure continual growth
