Resources to help security professionals and teams succeed

feature-soc-vs-csirt.jpg

What is the Difference Between a SOC and a CSIRT?

April 19, 2017   |   Jen Andre   |   SecOps

Building an effective security organization requires a mix of the right people, processes, and technologies, and there are many different ways in which you can organize your security team and strategy.

Two types of teams you most often hear about are security operations centers (or SOCs) and computer security incident response teams (or CSIRTs). Which one is best for your organization depends on a few factors. Let's cover the differences between the structure of each team type, and how to decide which best suits your organization.

What is a SOC?

A security operations center, or SOC for short, centralizes the roles responsible for protecting information security in the organization, and includes prevention; detection; incident management and response; reporting; governance, risk, and compliance; and anything to do with managing and defending information security within the organization.

SOCs often have regulatory requirementssuch as PCI DSS or CESG GPG53and oversee the people, process, and technology involved in all these operational aspects. More often than not, a company will have a SOC before they have a separate CSIRT, or the CSIRT function will initially roll under the SOC. Sometimes, a CSIRT will exist before a formal SOC is created.

The goal of a SOC is to implement and oversee network, application, cloud, and user security, among other operational functions.

SOC Team Responsibilities

  • Executing against the overall company security strategy under the head of security
  • Overseeing the security of systems, applications, and users
  • Integrating security systems with other operational tools
  • Preventing, detecting, and responding to ongoing security threats
  • Governance, risk, and compliance
  • Policy and procedure creation and management

If there is no formal CSIRT, the SOC will also be responsible for incident response. If there is a CSIRT in place, the SOC will aid the CSIRT in gathering all the necessary information to respond effectively to a threat.

When to Create a SOC

While smaller organizations may not require a full-blown SOC, there are several factors that indicate it’s time to create one. In this post, we explain the seven key indicators in detail:

  1. Your organization is handling increasing amounts of sensitive data
  2. Your emerging threat landscape requires dedicated security resources
  3. Your organization is growing
  4. There are no standard processes, procedures, or ownership over security
  5. It’s difficult to measure the ROI on security spend because security is a part of another function (e.g. IT)
  6. You need improved monitoring and response capabilities
  7. You’ve outgrown your managed security service provider (MSSP)

When a company feels strained by one or more of the above indicators, it’s likely time to implement a SOC. When your organization is ready, here’s our step-by-step guide to structuring a SOC team.

SOC Roles

A SOC centralizes everyone with a role in security under one umbrella. Depending on the mix of security employees within your org, this could include, among other titles:

  • Security analysts
  • Security engineers
  • Security architects
  • Security directors and/or managers 
  • Head of Security (VP or CISO)

All of these roles will likely roll up under the direction of a CISO or VP of Security who oversees the strategy and execution of the SOC. C-level management may not be involved in the day-to-day operation of the SOC, as they are most often collaborating with other departments (e.g. IT, Product and Development), but they are the kingpin of the organization.

What is a CSIRT?

A computer security incident response teamor CSIRT for short, and sometimes called a CERT or CIRT—is a centralized function for information security incident management and response in an organization. It may roll up under a SOC, or it may act as the main security organization depending on your company’s structure and security needs. It may also exist as a separate team in larger organizations.

What makes a CSIRT distinctly different from a SOC is that it’s usually a conglomeration of roles across the enterprise that are involved in all types of incident response functions. While incident responders are, of course, at the helm of the incident response process itself, other functionsincluding public relations (PR), marketing, customer support, and managementoften collaborate with a CSIRT, though do not report into that department (see full list of CSIRT roles below).

The ultimate goal of a CSIRT is to minimize and control the damage resulting from an incident, which is why so many different functions can be involved in some capacity. You need to not only address the threat itself, but also communicate to customers, your board, and the public about the incident. If a malicious internal actor caused the event, disciplinary, and perhaps legal action will need to be taken on involved employees.

CSIRT Team Responsibilities

  • Preventing, detecting, and responding to ongoing security threats
  • Ranking and escalating alerts and tasks
  • Investigating, analyzing, and conducting deeper forensics on incidents
  • Developing communication plans (for public relations, customers, board members, etc.)
  • Coordinating and executing response strategies
  • Maintaining a repository of log data related to events for future reference, as well as for compliance or legal purposes

When to Create a CSIRT

The CSIRT may be a formal or informal organization, depending on your company’s unique needs. If you’re not faced with threats on a regular basis, the CSIRT may come together only on an as-needed basis. But if you’re in a high-risk industry (e.g. government, healthcare, finance) where responding to threats is a regular and vital part of your business strategy, a formal and full-time CSIRT may be necessary.

Your CSIRT may evolve over time, too. While it may start off as an informal team that gathers on an as-needed basis, it may develop into a full-on function if incident response needs necessitate it.

CSIRT Roles

  • Security analysts
  • Event and incident handlers
  • Network and system administrators
  • Security management
  • C-level managers (e.g. CIO, CISO, CTO, CRO)

CSIRT Collaborators

  • Human resources
  • Public relations
  • Marketing
  • Customer support
  • Product and engineering teams
  • ...and more

Defining Your Path

Whichever type of team is required for your organization, be sure that roles are clearly defined, processes are efficient and can be automated, and the right technologies are in place that enable your team to do their jobs better and faster.

To help you achieve these goals, we have a bundle of guides on how to hire an awesome team, create practical processes, and build a powerful technology arsenal for your cybersecurity function. Simply download below. 

Cybersecurity Starter Bundle
ebook

Cybersecurity Starter Bundle

Jen Andre

About Jen Andre

Jen is the founder and CEO of Komand. Before Komand, she co-founded Threat Stack, a leading innovative cloud security monitoring company based out of Boston. She has spent a career in security working at companies Mandiant and Symantec and has a background in engineering and security operations.