by Valerie Lopez of PRLinks for FIRST
Thursday, June 15th, 2017
Day four of the FIRST Conference began with a keynote presentation by Martijn de Hamer, the head of the National Cyber Security Operations Center (NCSOC) at the National Cyber Security Center (NCSC-NL) in the Netherlands. After having had various roles in the field of information security, de Hamer first started working for NCSC-NL (previously GOVCERT.NL) in 2005. Additionally, he is active in the field of CSIRT maturity and other aspects of CSIRT capacity building. The central idea of de Hamer’s talk was that “coming of age is something that no one should never do alone”, something that certainly applies to Cyber Security and Incident Response Teams (CSIRTs). Existing and established CSIRT teams have combined their efforts to pave the way for new and future teams by providing materials, guidance and a roadmap. In gaining maturity, self-assessment becomes a necessary and sometimes painful step. Even existing and established teams will also benefit from reflecting on their own work. To have an effective CSIRT team, it’s important to measure the velocity with which you meet set goals. de Hamer established an analogy between this and running a race like ROPARUN, a relay race from Rotterdam to Paris that raises funds for cancer patients, which he participates in. “In a race, you have to measure your speed and practice your endurance so you can reach your goal. With CSIRTs, it’s the same thing. You need to practice and keep measuring so you can reach the goals you set for your team.”
One thing that de Hamer considers extremely important is to “increase the overall capability, outreach and quality of the CSIRT community in order to improve cyber incident response all over the world.” This, he said, needs to take place in four different areas: policy and strategy, CSIRT maturity, CSIRT matrix improvement and operations. The CSIRT team community is establishing links with one another by reaching out and opening communication with different national and regional organizations.
Also essential to achieve better communication and cooperation among CSIRTs is to establish definitions of cyber security and develop models to follow. Some of the earliest models include the GOVCERT.NL’s CERT-in-a-Box from 2006 and SIM3, which came out in 2008. As cyber security concerns grew and teams gained more experience handling them, models became more thorough and defined.
Current models include the definition of National CSIRT, FIRST’s CSIRT Services Framework and the CSIRT Maturity Model. “These are steps to creating roadmaps for emerging CSIRTs so they have a way to mature,” de Hamer pointed out.
One important step in developing a more unified and thorough model is the GFCE CSIRT Maturity Initiative, which ties previous models together. It has been developed in various expert meetings in Prague, Seoul and Geneva during 2016.
The model incorporates the Definition of a National CSIRT. Prior to its establishment, there wasn’t a global definition for CSIRTs. As a matter of fact, there are many existing descriptions of a CSIRT. de Hamer noted the importance of working on a new national definition to achieve consensus and to facilitate communication and collaboration between different CSIRTs. “The process of acquiring feedback on this definition is ongoing and it will be a while before consensus is reached,” he explained.
The NCSOC head also mentioned FIRST’s CSIRT Services Framework as an important tool. It elaborated on original definitions published in 2003 in the Software Engineering Insitute’s Handbook for CSIRTs and has became a basis for CSIRT education.
Another important tool is the CSIRT Maturity Kit, which was presented at the Global Conference for Cyber Security (GCCS) in the Netherlands in 2015. “This is a guide of guides,” said de Hamer about the kit. “It points to existing documents with case studies, principles and a unified approach which gives a complete road map for emerging CSIRTs. It allows people to learn from others.”
The ongoing process of developing, educating and interlinking CSIRTs across nations and regions is important to improve cyber security incident response. According to de Hamer, it is encouraging to see regional initiatives take place around the globe. “One goal is to help other regional and national CSIRT teams take shape,” de Hamer said. This is especially true in developing regions such as Africa, which has great need of CSIRTs. Lots of countries in this region have lost large sums of money due to a growing amount of fraud cases.
Also essential in unifying CSIRT efforts is the Global Forum on Cyber Expertise’s Manifesto, which, in addition to tying previous models together, seeks to translate CSIRT work into policy and board domains.
Reflecting on 18 years of CSIRT work, de Hamer stated that teams measure their maturity by looking at their progress and what they have achieved. All CSIRTs go through growing pains and will make mistakes, he warned. It’s also important to take the time to grow and develop a diversity of skills in the process. He also said that teams are not infallible and needed to take care of themselves while handling incident responses. He also noted that networking with other CSIRTs and reaching out to experts is essential in that growth process. “You need to see the bigger picture,” he said.
The NCSC-NL’s head also talked about specific steps that his organization has taken to improve its CSIRT capability. Those include a tech advisory review, 24/7 on site operations, periodic trusted introducer (SIM3) re-certification, increasing network interaction and stepping up detection efforts, just to name a few. “And we are still telling people to patch,” he added.
To take things further and continue improving processes and communication, de Hamer thinks it’s important to identify ways to better collaborate with their constituency, which includes governments, academia and other sectors. “We also need to find ways to think outside regular patterns,” he added.
In conclusion, de Hamer urged teams to engage in self-assessment and peer-review exercises. But above all, he told the audience to “practice what you preach.”