SOC is the physical environment and entity housing the Operational team folks. SOC as a location where all the Corporate systems are monitored, assessed, and alerted on anomalies and breaches … log collection, correlation and analysis are done in SOC
CERT (Computer Emergency Response Team) is to work with the Internet community to facilitate its response to computer security events involving Internet hosts, to take proactive steps to raise the community’s awareness of computer security issues and to conduct research targeted at improving the security of existing systems
CIRT (Computer Incident Response Team) is a service organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activity. Their services are usually performed for a defined constituency
A typical help desk can effectively perform several functions. It provides a single (or multiple) point of contact for users to gain assistance in troubleshooting, get answers to questions, and solve known problems like resetting password and performing patching or other issues
The SOC team usually collects and correlates all security based data and in case of breach alerts the CERT or CIRT.
Key difference between CERT and CIRT is their size. The CERT is typically comprised of a dedicated team of full-time personnel but a CIRT may consist of a limited part-time staff or additional-duty employees which takes up work when any incident occurs. Small-range organizations often hire one or two full-time employees for the CIRT, while holding numerous trained staff members on retainer. The reserve members are available and ready to respond when an incident occurs, while performing their primary duties and job functions as usual. http://www.networkworld.com/article/2317581/lan-wan/certs-and-cirts–homonyms-but-not-synonyms–part-1.html
Role of helpdesk-wiki
Many articles I have looked up does not differentiate CERT and CIRT, but you point their difference in size and requirements in incidence response in term of timeliness. While the setting up CERT and CIRT follows the principle of cos-effectiveness, CERT always have security professionals in place to contains the damage of incidence on detecting attacks.
Yes Zhengshu very well pointed out the cost effectiveness factor .The CERT and CIRT doesn’t differentiate in terms of functions performed as both respond to the emergency security breach or incident and only difference between them illustrated was in terms of team composition when there is not a full time dedicated team in CIRT surely it responds to business demand of cost effective measure
I agree with Vaibhav that they do not differentiate much but CERT is more proactive and CIRT is more reactive. I consider a CIRT team as a manufactured team on a need to do basis. Sometimes its with people wear a security hat on top of their normal role. This is not ideal but as you said it is cost effective for sure.
Help Desk in IT is typically a service provided to end-users of a product. No matter what product you are using, whether it is relating to your internet service or you have a problem logging in to your Temple account, organizations usually have a Help Desk to provide information and support relating to products and services offered by an organization. Help Desk many times is seen as Level-1 support. Help Desk is usually the first point of contact and end-user will have with an organization. Help Desk is often the source that reports an issue to an organization based on feedback they’re receiving from callers. Help Desks can generally be reached by calling a local or toll-free number, using a chat feature, or e-mailing a product’s support.
SOC is an acronym referring to the Security Operations Center. Typically a SOC focuses on security issues on an organizational and technical level. SOC is not a level-1 support like the Help Desk and generally does not have contact with the end-user. The SOC is usually a centralized location and has control over physical controls in an organization, such as lighting, alarm systems, and physical barriers.
The CERT acronym refers to the Computer Emergency Readiness Team. “CERT focuses on security breach and denial-of-service incidents, providing alerts and incident-handling and avoidance guidelines. CERT also conducts an ongoing public awareness campaign and engages in research aimed at improving security systems.” (http://whatis.techtarget.com/definition/CERT-Computer-Emergency-Readiness-Team). This differs from the SOC because it doesn’t focus on physical breaches more so than technical breaches.
Lastly, CIRT stands for Computer Incident Response Team. As mentioned above by Vaibhav, CERT and CIRT are almost similar and both deal with the handling of breaches and differences between the two may be in how they are staffed. (https://www.techopedia.com/definition/24135/computer-incident-response-team-cirt).
I want to add the relationship between Help Desk and the other units. The CSIRT will perform most actions in response to an incident, but IT staff including Help Desk report incidents internally. End users report suspicious activity to help desk rather than and Help Desk forward it to the CSIRT.
The Help Desk is generally the first support tier for a product or service. Most companies offer a Help Desk type resource because it acts as an all-encompassing channel for support. This model is greatly more efficient than any model made up of decentralized support teams. If Help Desk staff cannot resolve the end users’ issue on their own, they can refer the request to the appropriate 2nd or 3rd tier support group for assistance.
A Security Operations Center (SOC) is different from a Help Desk in that it deals only with organizational security issues. SOC teams focus on monitoring and improving organizational security.
great way in differentiating CERT and CIRT in that CERT is more of a formal team and would exist in a larger organization with fine-tuned IT structure. I also like how you detailed what a help desk is capable of doing. In some organizations, they may just field calls and create tickets\tasks. I have worked in organization where help-desk includes duties such as desktop support yet are the backbone to a centralized IT department.
While Help Desk generally provides trouble shooting and other services in the organization, it does not directly involve in information security management and operation.
SOC team Responsibilities include:
• Executing against the overall company security strategy under the head of security
• Overseeing the security of systems, applications, and users
• Integrating security systems with other operational tools
• Preventing, detecting, and responding to ongoing security threats
• Governance, risk, and compliance
• Policy and procedure creation and management
CIRT/CERT Team Responsibilities include:
• Preventing, detecting, and responding to ongoing security threats
• Ranking and escalating alerts and tasks
• Investigating, analyzing, and conducting deeper forensics on incidents
• Developing communication plans (for public relations, customers, board members, etc.)
• Coordinating and executing response strategies
• Maintaining a repository of log data related to events for future reference, as well as for compliance or legal purposes
Therefore, SOC is in charge of the overall security management while CSIRT focus on incidence response. if there is no formal CSIRT, the SOC will also be responsible for incident response. If there is a CSIRT in place, the SOC will aid the CSIRT in gathering all the necessary information to respond effectively to a threat.
Hello Zhengshu, nice breakdown of groups’ responsibilities. While CIRT and CERT have similarities, they are not considered synonyms. CERT exits for those organizations who have authority or permission from Carnegie Mellon University as their registered trademark. CERT is for the organizations who are specifically dedicated to CERT’s mission. I would also add that CERT’s mission is to alert the Internet community to vulnerabilities and attacks, and conduct research and training in the areas of information security incident response. Whereas, CIRT does not require any special permission and can be used by any organization, from small business to large companies, who wants to build their own CIRT comprising of either dedicated staff or a mix of cross-functional groups.
Helpdesk: The purpose of helpdesk is basically to troubleshoot problems or provide information, support, guidance or assistance for end users. Helpdesk is the front-end support responsible for basic issues and known problems, and if the issues and problems cannot be solved in this level, helpdesk can help refer the issues to higher tier for higher-level supports. For incident response, users can report incidents or suspicious activities through a helpdesk, and helpdesk will refer it them to the CIRT. Helpdesk support can be provided through various channels including hotline, instant messaging or email.
Security operations center (SOC): SOC is a centralized unit dealing with security issues on an organizational and technical level. It monitors and analyzes an organization’s security posture on an ongoing basis. It monitors and analyzes activities on websites, servers, databases, networks, systems and applications to look for suspicious activities, and detect and respond to cybersecurity incidents using a combination of technology solutions and a strong set of processes.
Computer Emergency response team (CERT): CERT is an expert group handling computer security incidents. Basically CERT and CIRT can be used interchangeably. However, the term “CERT” is registered for patent and trademark by the Software Engineering Institute at Carnegie Mellon University. It is typically reserved for the predominant computer security organizations and entities throughout the various global sectors of government, commerce, and academia.
Computer incident response team (CIRT)/ computer security incident response team (CSIRT): CIRT is a carefully selected and well-trained group of people whose purpose is to promptly and correctly handle an incident so that it can be quickly contained, investigated, and recovered from. A CIRT can be a formalized team or an ad-hoc team. A formalized team performs incident response work as its major job function, while an ad-hoc team is usually called together during an ongoing incident and is comprised of members that can drop what they’re doing and have the authority to make decisions and take actions. CIRT usually operates in conjunction with other groups, such as site security, public-relations and disaster recovery teams.
SOC more focuses on intrusion detection and analysis, while CIRT more focusses on incident response, containment and recovery. There may be overlaps and a security gap between SOC and CIRT that makes incident respond ineffective, if they work separately. Sometimes, an organization have a SOC before they have a CIRT and the SOC will do what CIRT does, or have the CIRT work under SOC
What are the similarities and differences from the following groups (Help Desk, SOC, CERT, CIRT, etc) within an enterprise?
Help Desk-A help desk in IT is a department inside an organization that is responsible for answering the technical questions of its users. There are also help desk for internal employees.
A standard help desk offers a single point of contact for users to get assistance. Normally, the help desks handle requests by using help desk software, or issue tracking system, which enables the help desk operators to keep track of the user requests using a unique identifier, easily find solutions to common queries, prioritize cases, and so on.
SOC-security operations center. A security operations center is a facility that houses an information security team responsible for monitoring and analyzing an organization’s security posture on an ongoing basis.
CERT-computer emergency response teams. Computer Emergency Response Team (CERT) will help to identify and respond to cyber risks and limit their impact on organization’s operations. CERT establishes detection rules and coordinates a response.
CIRT-computer incident response team. reviewing, and responding to computer security incident reports and activity. Their services are usually performed for a defined constituency that could be a parent entity such as a corporate, governmental, or educational organization; a region or country; a research network; or a paid client.
Similarity of these terms is they are all used for helping organization to deal with security issues. Help desk is the first place to reach when employees or customers have any problems (security, service, policy, etc.). Then SOC is the place to monitor and control an organization’s security related operations. It can be understood as detective control too. CERT/CIRT are similar that makes many people confused. I think the significant difference between this two terms should be how the company identify emergency and incident. If organization defines this two terms very differently, then this two teams have totally different responsibilities. If not, there can only be one team that serve for emergency/incident response.
Hello Mengxue, I like your concise breakdown of group’s functions. I agree that CERT/CIRT creates a confusion. As you mentioned, it is really important for the organization to understand the definition of emergency vs. incident. In our organization we had confusion about when/how to respond to incident versus emergency. Some times later a confusion was clarified by proposing a well-defined difference between the two and processes involved. So, when we have an incident, it would go through normal process from Help Desk with appropriate escalation process up to our CIRT team. However, when there is an emergency, it would be directed to our CIRT group immediately where we would follow defined procedure and response.
Ruslan, the definition of emergency and incident is very similar. Sometimes, when organization can’t be sure about which one should be consider during the crisis. I am curious what they do. Is there any this kind of situation happened in your company? Should organization put emergency as a higher level of incident? If they can’t sure about the type of crisis, they can deal with them with emergency as the general level of all crisis. n, the definition of emergency and incident is very similar. Sometimes, when organization can’t be sure about which one should be consider during the crisis.
CERT (Computer Emergency Response Team) – In 1988, the US Department of Defense established the CERT, whose mission is to work with the internet community to prevent and respond to computer and network security breaches. CERT/CC has developed and published a wealth of information on the development of security incident response capabilities. http://www.cert.org/csirts (Vacca, 2013)
CIRT/CSRIT (Computer Incident Response Team/ Computer Security Incident Response Team) – is a service organization who is responsible for responding to security incidents within an organization. Typically responds to data breaches, viruses and other incidents that give rise to significant security risks for the enterprise. The CIRT normally works with other enterprise groups, such as security, public relations and disaster recovery teams. http://www.gartner.com/it-glossary/cirt-cyber-incident-response-team
Help Desk – Most organizations have several tiers or levels of support personnel. The help desk is the first line of support for users. It is focused on end user functionality and is responsible for quick resolution of immediate needs, incidents and technical issues of end users. https://www.invensis.net/blog/customer-service/what-is-help-desk-and-its-importance-for-your-organization/
These groups provide the organization with the support and technical expertise to respond to security incidents. Help desk personnel although more focused on end user functionality, may be the first to identify an event as an incident. They may report it to the CIRT, which will perform necessary steps required to respond, escalate, or eradicate the threat. The CERT provides guidelines in developing the CIRTs incident response capabilities.
Loi, great summary. I especially like the last paragraph. I think that sums up the relationship between the three groups. For organizations without a proper CERT and CIRT groups, there is usually an Security team which is more all-encompassing in it’s responsibilities.
The help desk and security operation center (SOC) are similar in the sense that they are often the first to learn of a potential incident. They differ because the help desk is oriented towards providing Tier 1 technical support for end users, whereas the SOC specifically focuses on the detection and analysis of and response to information security incidents.
There seems to be some misunderstanding about the difference between CERT and CIRT. The Computer Emergency Response Team (CERT) is a unique group at Carnegie Mellon, dedicated to researching and reporting on cyber-security. In contrast, a Computer Incident Response Team (CIRT) can be found in many IT organizations. It is the group actually responsible for responding to information security incidents. There’s some obvious overlap between the mission of the SOC and a CIRT. In most organizations, I would expect some or all of the SOC staff to be members of their CIRT.
Josh, thanks for citing those Gartner definitions. Interesting how it seems that the definitions for these groups are a little hazy. Sources on the internet are mixed as to what the real differences are.
Josh, I agree with you that there are overlaps between SOC and CIRT. I think part of the SOC members should be in the CIRT, but not all, because there still should be some experts to keep monitoring and analyzing the organization’s system. The CIRT can work under SOC and can be formalized or ad hoc. In either way, the CIRT should be consist of IT experts, senior managers and other experts from ares related to the incident.
Great post. It’s really interesting to think how the Help Desk really is the first to learn about the incident and plays a larger role than the Help Desk usually gets credit for. The Help Desk may not even know it’s an incident but The SOC really relies on the Help Desk to identify when things are out of the norm and be able to know when something should be escalated. Outside of the normal obvious signs (large user volume, same outages, etc.) I think this can be harder when these potential issues are not so obvious.
Help Desk team usually performs various activities such as responding to phone calls or any incoming service tickets from end users, gathering details of a technical problem, triaging appropriate actions with the team and further determining whether a ticket needs to be delegated to appropriate group or escalated based on an incident request. In most cases, Help Desk personnel consists of fully dedicated employees who respond to incoming tickets and deal with customers. However, depending on the organization, Help Desk personnel might be also a part of IT Desktop Services team who handle multiple duties.
CIRT (Computer Incident Response Team) is responsible for analysis of event notifications, responding to incidents upon confirmation that events are truly threats, escalate path procedures followed by resolution, follow up and reporting to an appropriate party such as mid-level and senior managers, public relation staff, affected system and network administrators and others appropriate departments. In many companies, usually IT personnel are wearing multiple hats in terms of cross-functional responsibilities, which forms a CIRT within the enterprise. Depending on the incident, certain infrastructure groups (security, network, database, storage and other teams) get involved in the process.
CERT (Computer Emergency Response Team) is part of the Internet constituency and is known as a unit of Carnegie Mellon University. CERT’s mission is to alert the Internet community to vulnerabilities and attacks, and conduct research and training in the areas of information security incident response. Alternate name for CERT is CSIRT – Computer Security Incident Response Team.
SOC (Security Operation Center) is a centralized unit or division with computer security technologies that performs deep monitoring of network activities and responds to security threats. Typically, it consists of dedicated SOC unit with full time employees focusing on proactive monitoring, surveillance, intrusion detection, alerts and abnormal behavior of targeted systems and networks.
While all groups perform similar activities in terms of dealing with incidents, they all operate slightly different in terms of geographical scale, goal, type and complexities of incidents. For example, HelpDesk would operate as a Level-1 technical support for incoming incident tickets from end users with impact levels and attack surfaces that are different from those processed by CIRT or SOC, which would deal with large-scale and company-wide incidents involving serious response tactics, external parties and entities, special processes and procedures. Also, while SOC deals with detection and analysis, CIRT deals with detection, containment, response and recovery. However, at the same time, both can interchangeably perform all functions depending on the organization and their structure. In addition, groups get different IT teams involved depending on the type and size of the organizations.
Ruslan,
Very thorough response and differentiation between these different elements and how they operate in the organization. I especially like how you broke down the CIRT and SOC, in that SOC is generally focused on detection and analysis, while the CIRT has the responsibility to detect, contain, respond and recover. You made it clear as to why both groups might be needed within a single organization.
Ruslan, It’s interesting that you mentioned that how these four groups work together in an incident. Helpdesk as the basic-level protection, is usually implemented by most organizations, but not all organizations have SOC and CIRT. I think Helpdesk, CIRT and CERT focus on the detective and corrective controls to respond to an incident that has occurred, while SOC can provide some preventive controls reducing the probability of the occurrence of an incident. That’s why some organizations may not have CIRT/CERT, but could probably have a SOC to conduct organization-wide control. They usually have a SOC first, and then have the CIRT later if they get more resources. In this case, SOC will do the CIRT’s work if there’s no CIRT.
Just want to correct my response. Helpdesk usually provide technical support for known problems and can refer unsolved problems to the SOC. SOC focus on detecting and handling an incident, and it can help call up a CIRT to respond the incident. CIRT is consist of IT expert to respond to and recover the incident through techniques including analysis and investigation.
Within SOC there are four levels of expertise and responsibilities:
– Tier1: Alert Analyst
– Perform continuous monitoring and collects data and context
necessary to initiate Tier 2 work.
-Tier2: Incident Responder
– Perform deep-dive incident analysis
– determines impacts on system or data
– advises on remediation;
– Provides for detecting threats.
-Tier 3: Subject Matter Expert
– Possesses in-depth knowledge of network, forensics and
malware reverse engineering
– acts as an incident hunter
– developing, tuning and implementing threat detection analytics.
– SOC Manager:
– Manages resources
– communicates with management
– provides overall direction for the SOC and input to
the overall security strategy.
Nice explanation of SOC, joseph. I believe help desk will fall into tier1 because they are the first step that should be taken and analyze the issue. For CERT and CIRT, should both of them fall into tier 3? I think they may be involved in tier 2 and tier 3, but I am not sure should they both get involved or separately used.
great job Mengxue and Joseph, I think helpdesk would be tier 1. I think CERT\CIRT would be tier 3. In our organization and issue is escalated to tier 2 where they can look at logs, activity or causes. Yet tier 3 are the ones who resolve the issue and\or put in a permanent fix.
Mangxue, yes HelpDesk can be in tier1 I think. I found more information on CIRT team that can be composed of highly technical skills like in SOC’s team plus people with the more diverse background like:
– Upper-level Management is involved where big decisions can be made and support for financial/active resources
– IT Auditor, where to role is to observe, to make sure procedures are followed and to learn why incident came to by.
– Financial Auditor, is frequently required for insurance companies to put a monetary figure on the damage as a result of an incident.
– The Attorney is useful in the event of legal action and providing advice regarding liability.
– Public Relations role is important when the company is publicly traded and have to share information to protect company’s image. Sometimes it’s not an option but a must to have.
This is how I would define the 4 Helpdesk, SOC, CIRT, and CERT:
HelpDesk is what at my job cosider to be the front line of Information technology accessibility to the end users. If a user has an IT issue they would typically contact the Help Desk to put in a formal request. This can be communication through a web form, phone call, email, or even through a tracking system. Each help desk has a tracking system that is used to assign a ticket to whoever handles that function and where progress of the issue can be tracked. Some Helpdesk associates, like myself at one time, has certain AD rights to reset password, create network accounts, or specific system admin access.
Computer Incident Response Team (CERT) is a service group with an IS department within an organization that is designated to handle security issues. This team will look into security breaches, respond to and suspicious activity and review reports. Usually there are designated team members with specific tasks and roles that can technical, communication and process\escalation oriented.
Computer Emergency Response Team (CERT) is a proactive team to handle security incidents, whereas CIRT is more reactive. We have a team that does tests for malmare and viruses by going to specific websites that may or may not have reputation of being malicious. The key concept for this team in an IS department is that it prepares the organization and for readiness. For instance my company has been sending phishing emails within the organization to diagnose the severity of people downloading a virus and how quick the response team can rectify the issue.
Security Operations Center (SOC) is in charge of the overall security management of an organization. Whereas CERT and CIRT are for IT security also, those focus on incident response or proactive testing. SOC is more of day-to-day security and compliance of a company. This can be hardware, infrastructure, strategy, and execution of leadership decisions on how the IT department remains secure on operational basis.
SOC is the physical environment and entity housing the Operational team folks. SOC as a location where all the Corporate systems are monitored, assessed, and alerted on anomalies and breaches … log collection, correlation and analysis are done in SOC
CERT (Computer Emergency Response Team) is to work with the Internet community to facilitate its response to computer security events involving Internet hosts, to take proactive steps to raise the community’s awareness of computer security issues and to conduct research targeted at improving the security of existing systems
CIRT (Computer Incident Response Team) is a service organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activity. Their services are usually performed for a defined constituency
A typical help desk can effectively perform several functions. It provides a single (or multiple) point of contact for users to gain assistance in troubleshooting, get answers to questions, and solve known problems like resetting password and performing patching or other issues
The SOC team usually collects and correlates all security based data and in case of breach alerts the CERT or CIRT.
Key difference between CERT and CIRT is their size. The CERT is typically comprised of a dedicated team of full-time personnel but a CIRT may consist of a limited part-time staff or additional-duty employees which takes up work when any incident occurs. Small-range organizations often hire one or two full-time employees for the CIRT, while holding numerous trained staff members on retainer. The reserve members are available and ready to respond when an incident occurs, while performing their primary duties and job functions as usual.
http://www.networkworld.com/article/2317581/lan-wan/certs-and-cirts–homonyms-but-not-synonyms–part-1.html
Role of helpdesk-wiki
Vaibhav, well put.
Many articles I have looked up does not differentiate CERT and CIRT, but you point their difference in size and requirements in incidence response in term of timeliness. While the setting up CERT and CIRT follows the principle of cos-effectiveness, CERT always have security professionals in place to contains the damage of incidence on detecting attacks.
Yes Zhengshu very well pointed out the cost effectiveness factor .The CERT and CIRT doesn’t differentiate in terms of functions performed as both respond to the emergency security breach or incident and only difference between them illustrated was in terms of team composition when there is not a full time dedicated team in CIRT surely it responds to business demand of cost effective measure
I agree with Vaibhav that they do not differentiate much but CERT is more proactive and CIRT is more reactive. I consider a CIRT team as a manufactured team on a need to do basis. Sometimes its with people wear a security hat on top of their normal role. This is not ideal but as you said it is cost effective for sure.
Help Desk in IT is typically a service provided to end-users of a product. No matter what product you are using, whether it is relating to your internet service or you have a problem logging in to your Temple account, organizations usually have a Help Desk to provide information and support relating to products and services offered by an organization. Help Desk many times is seen as Level-1 support. Help Desk is usually the first point of contact and end-user will have with an organization. Help Desk is often the source that reports an issue to an organization based on feedback they’re receiving from callers. Help Desks can generally be reached by calling a local or toll-free number, using a chat feature, or e-mailing a product’s support.
SOC is an acronym referring to the Security Operations Center. Typically a SOC focuses on security issues on an organizational and technical level. SOC is not a level-1 support like the Help Desk and generally does not have contact with the end-user. The SOC is usually a centralized location and has control over physical controls in an organization, such as lighting, alarm systems, and physical barriers.
The CERT acronym refers to the Computer Emergency Readiness Team. “CERT focuses on security breach and denial-of-service incidents, providing alerts and incident-handling and avoidance guidelines. CERT also conducts an ongoing public awareness campaign and engages in research aimed at improving security systems.” (http://whatis.techtarget.com/definition/CERT-Computer-Emergency-Readiness-Team). This differs from the SOC because it doesn’t focus on physical breaches more so than technical breaches.
Lastly, CIRT stands for Computer Incident Response Team. As mentioned above by Vaibhav, CERT and CIRT are almost similar and both deal with the handling of breaches and differences between the two may be in how they are staffed. (https://www.techopedia.com/definition/24135/computer-incident-response-team-cirt).
Shain, clear explaination.
I want to add the relationship between Help Desk and the other units. The CSIRT will perform most actions in response to an incident, but IT staff including Help Desk report incidents internally. End users report suspicious activity to help desk rather than and Help Desk forward it to the CSIRT.
The Help Desk is generally the first support tier for a product or service. Most companies offer a Help Desk type resource because it acts as an all-encompassing channel for support. This model is greatly more efficient than any model made up of decentralized support teams. If Help Desk staff cannot resolve the end users’ issue on their own, they can refer the request to the appropriate 2nd or 3rd tier support group for assistance.
A Security Operations Center (SOC) is different from a Help Desk in that it deals only with organizational security issues. SOC teams focus on monitoring and improving organizational security.
Computer Emergency Response Teams (CERT) identify and respond to security incidents. As stated by our colleagues above, Computer Incident Response Teams (CIRT) are similar however CERTs are typically more formal in how they function and how they’re staffed. (http://www.networkworld.com/article/2328305/lan-wan/certs-and-cirts–homonyms-but-not-synonyms–part-1.html )
great way in differentiating CERT and CIRT in that CERT is more of a formal team and would exist in a larger organization with fine-tuned IT structure. I also like how you detailed what a help desk is capable of doing. In some organizations, they may just field calls and create tickets\tasks. I have worked in organization where help-desk includes duties such as desktop support yet are the backbone to a centralized IT department.
While Help Desk generally provides trouble shooting and other services in the organization, it does not directly involve in information security management and operation.
SOC team Responsibilities include:
• Executing against the overall company security strategy under the head of security
• Overseeing the security of systems, applications, and users
• Integrating security systems with other operational tools
• Preventing, detecting, and responding to ongoing security threats
• Governance, risk, and compliance
• Policy and procedure creation and management
CIRT/CERT Team Responsibilities include:
• Preventing, detecting, and responding to ongoing security threats
• Ranking and escalating alerts and tasks
• Investigating, analyzing, and conducting deeper forensics on incidents
• Developing communication plans (for public relations, customers, board members, etc.)
• Coordinating and executing response strategies
• Maintaining a repository of log data related to events for future reference, as well as for compliance or legal purposes
Therefore, SOC is in charge of the overall security management while CSIRT focus on incidence response. if there is no formal CSIRT, the SOC will also be responsible for incident response. If there is a CSIRT in place, the SOC will aid the CSIRT in gathering all the necessary information to respond effectively to a threat.
source: https://blog.komand.com/difference-between-a-soc-and-a-csirt
Hello Zhengshu, nice breakdown of groups’ responsibilities. While CIRT and CERT have similarities, they are not considered synonyms. CERT exits for those organizations who have authority or permission from Carnegie Mellon University as their registered trademark. CERT is for the organizations who are specifically dedicated to CERT’s mission. I would also add that CERT’s mission is to alert the Internet community to vulnerabilities and attacks, and conduct research and training in the areas of information security incident response. Whereas, CIRT does not require any special permission and can be used by any organization, from small business to large companies, who wants to build their own CIRT comprising of either dedicated staff or a mix of cross-functional groups.
Helpdesk: The purpose of helpdesk is basically to troubleshoot problems or provide information, support, guidance or assistance for end users. Helpdesk is the front-end support responsible for basic issues and known problems, and if the issues and problems cannot be solved in this level, helpdesk can help refer the issues to higher tier for higher-level supports. For incident response, users can report incidents or suspicious activities through a helpdesk, and helpdesk will refer it them to the CIRT. Helpdesk support can be provided through various channels including hotline, instant messaging or email.
Security operations center (SOC): SOC is a centralized unit dealing with security issues on an organizational and technical level. It monitors and analyzes an organization’s security posture on an ongoing basis. It monitors and analyzes activities on websites, servers, databases, networks, systems and applications to look for suspicious activities, and detect and respond to cybersecurity incidents using a combination of technology solutions and a strong set of processes.
Computer Emergency response team (CERT): CERT is an expert group handling computer security incidents. Basically CERT and CIRT can be used interchangeably. However, the term “CERT” is registered for patent and trademark by the Software Engineering Institute at Carnegie Mellon University. It is typically reserved for the predominant computer security organizations and entities throughout the various global sectors of government, commerce, and academia.
Computer incident response team (CIRT)/ computer security incident response team (CSIRT): CIRT is a carefully selected and well-trained group of people whose purpose is to promptly and correctly handle an incident so that it can be quickly contained, investigated, and recovered from. A CIRT can be a formalized team or an ad-hoc team. A formalized team performs incident response work as its major job function, while an ad-hoc team is usually called together during an ongoing incident and is comprised of members that can drop what they’re doing and have the authority to make decisions and take actions. CIRT usually operates in conjunction with other groups, such as site security, public-relations and disaster recovery teams.
SOC more focuses on intrusion detection and analysis, while CIRT more focusses on incident response, containment and recovery. There may be overlaps and a security gap between SOC and CIRT that makes incident respond ineffective, if they work separately. Sometimes, an organization have a SOC before they have a CIRT and the SOC will do what CIRT does, or have the CIRT work under SOC
What are the similarities and differences from the following groups (Help Desk, SOC, CERT, CIRT, etc) within an enterprise?
Help Desk-A help desk in IT is a department inside an organization that is responsible for answering the technical questions of its users. There are also help desk for internal employees.
A standard help desk offers a single point of contact for users to get assistance. Normally, the help desks handle requests by using help desk software, or issue tracking system, which enables the help desk operators to keep track of the user requests using a unique identifier, easily find solutions to common queries, prioritize cases, and so on.
SOC-security operations center. A security operations center is a facility that houses an information security team responsible for monitoring and analyzing an organization’s security posture on an ongoing basis.
CERT-computer emergency response teams. Computer Emergency Response Team (CERT) will help to identify and respond to cyber risks and limit their impact on organization’s operations. CERT establishes detection rules and coordinates a response.
CIRT-computer incident response team. reviewing, and responding to computer security incident reports and activity. Their services are usually performed for a defined constituency that could be a parent entity such as a corporate, governmental, or educational organization; a region or country; a research network; or a paid client.
Similarity of these terms is they are all used for helping organization to deal with security issues. Help desk is the first place to reach when employees or customers have any problems (security, service, policy, etc.). Then SOC is the place to monitor and control an organization’s security related operations. It can be understood as detective control too. CERT/CIRT are similar that makes many people confused. I think the significant difference between this two terms should be how the company identify emergency and incident. If organization defines this two terms very differently, then this two teams have totally different responsibilities. If not, there can only be one team that serve for emergency/incident response.
Hello Mengxue, I like your concise breakdown of group’s functions. I agree that CERT/CIRT creates a confusion. As you mentioned, it is really important for the organization to understand the definition of emergency vs. incident. In our organization we had confusion about when/how to respond to incident versus emergency. Some times later a confusion was clarified by proposing a well-defined difference between the two and processes involved. So, when we have an incident, it would go through normal process from Help Desk with appropriate escalation process up to our CIRT team. However, when there is an emergency, it would be directed to our CIRT group immediately where we would follow defined procedure and response.
Ruslan, the definition of emergency and incident is very similar. Sometimes, when organization can’t be sure about which one should be consider during the crisis. I am curious what they do. Is there any this kind of situation happened in your company? Should organization put emergency as a higher level of incident? If they can’t sure about the type of crisis, they can deal with them with emergency as the general level of all crisis. n, the definition of emergency and incident is very similar. Sometimes, when organization can’t be sure about which one should be consider during the crisis.
CERT (Computer Emergency Response Team) – In 1988, the US Department of Defense established the CERT, whose mission is to work with the internet community to prevent and respond to computer and network security breaches. CERT/CC has developed and published a wealth of information on the development of security incident response capabilities. http://www.cert.org/csirts (Vacca, 2013)
CIRT/CSRIT (Computer Incident Response Team/ Computer Security Incident Response Team) – is a service organization who is responsible for responding to security incidents within an organization. Typically responds to data breaches, viruses and other incidents that give rise to significant security risks for the enterprise. The CIRT normally works with other enterprise groups, such as security, public relations and disaster recovery teams. http://www.gartner.com/it-glossary/cirt-cyber-incident-response-team
Help Desk – Most organizations have several tiers or levels of support personnel. The help desk is the first line of support for users. It is focused on end user functionality and is responsible for quick resolution of immediate needs, incidents and technical issues of end users. https://www.invensis.net/blog/customer-service/what-is-help-desk-and-its-importance-for-your-organization/
These groups provide the organization with the support and technical expertise to respond to security incidents. Help desk personnel although more focused on end user functionality, may be the first to identify an event as an incident. They may report it to the CIRT, which will perform necessary steps required to respond, escalate, or eradicate the threat. The CERT provides guidelines in developing the CIRTs incident response capabilities.
Loi, great summary. I especially like the last paragraph. I think that sums up the relationship between the three groups. For organizations without a proper CERT and CIRT groups, there is usually an Security team which is more all-encompassing in it’s responsibilities.
The help desk and security operation center (SOC) are similar in the sense that they are often the first to learn of a potential incident. They differ because the help desk is oriented towards providing Tier 1 technical support for end users, whereas the SOC specifically focuses on the detection and analysis of and response to information security incidents.
There seems to be some misunderstanding about the difference between CERT and CIRT. The Computer Emergency Response Team (CERT) is a unique group at Carnegie Mellon, dedicated to researching and reporting on cyber-security. In contrast, a Computer Incident Response Team (CIRT) can be found in many IT organizations. It is the group actually responsible for responding to information security incidents. There’s some obvious overlap between the mission of the SOC and a CIRT. In most organizations, I would expect some or all of the SOC staff to be members of their CIRT.
References:
http://www.gartner.com/it-glossary/cert-computer-emergency-response-team/
http://www.gartner.com/it-glossary/cirt-cyber-incident-response-team/
Josh, thanks for citing those Gartner definitions. Interesting how it seems that the definitions for these groups are a little hazy. Sources on the internet are mixed as to what the real differences are.
Josh, I agree with you that there are overlaps between SOC and CIRT. I think part of the SOC members should be in the CIRT, but not all, because there still should be some experts to keep monitoring and analyzing the organization’s system. The CIRT can work under SOC and can be formalized or ad hoc. In either way, the CIRT should be consist of IT experts, senior managers and other experts from ares related to the incident.
Josh,
Great post. It’s really interesting to think how the Help Desk really is the first to learn about the incident and plays a larger role than the Help Desk usually gets credit for. The Help Desk may not even know it’s an incident but The SOC really relies on the Help Desk to identify when things are out of the norm and be able to know when something should be escalated. Outside of the normal obvious signs (large user volume, same outages, etc.) I think this can be harder when these potential issues are not so obvious.
Help Desk team usually performs various activities such as responding to phone calls or any incoming service tickets from end users, gathering details of a technical problem, triaging appropriate actions with the team and further determining whether a ticket needs to be delegated to appropriate group or escalated based on an incident request. In most cases, Help Desk personnel consists of fully dedicated employees who respond to incoming tickets and deal with customers. However, depending on the organization, Help Desk personnel might be also a part of IT Desktop Services team who handle multiple duties.
CIRT (Computer Incident Response Team) is responsible for analysis of event notifications, responding to incidents upon confirmation that events are truly threats, escalate path procedures followed by resolution, follow up and reporting to an appropriate party such as mid-level and senior managers, public relation staff, affected system and network administrators and others appropriate departments. In many companies, usually IT personnel are wearing multiple hats in terms of cross-functional responsibilities, which forms a CIRT within the enterprise. Depending on the incident, certain infrastructure groups (security, network, database, storage and other teams) get involved in the process.
CERT (Computer Emergency Response Team) is part of the Internet constituency and is known as a unit of Carnegie Mellon University. CERT’s mission is to alert the Internet community to vulnerabilities and attacks, and conduct research and training in the areas of information security incident response. Alternate name for CERT is CSIRT – Computer Security Incident Response Team.
SOC (Security Operation Center) is a centralized unit or division with computer security technologies that performs deep monitoring of network activities and responds to security threats. Typically, it consists of dedicated SOC unit with full time employees focusing on proactive monitoring, surveillance, intrusion detection, alerts and abnormal behavior of targeted systems and networks.
While all groups perform similar activities in terms of dealing with incidents, they all operate slightly different in terms of geographical scale, goal, type and complexities of incidents. For example, HelpDesk would operate as a Level-1 technical support for incoming incident tickets from end users with impact levels and attack surfaces that are different from those processed by CIRT or SOC, which would deal with large-scale and company-wide incidents involving serious response tactics, external parties and entities, special processes and procedures. Also, while SOC deals with detection and analysis, CIRT deals with detection, containment, response and recovery. However, at the same time, both can interchangeably perform all functions depending on the organization and their structure. In addition, groups get different IT teams involved depending on the type and size of the organizations.
Ruslan,
Very thorough response and differentiation between these different elements and how they operate in the organization. I especially like how you broke down the CIRT and SOC, in that SOC is generally focused on detection and analysis, while the CIRT has the responsibility to detect, contain, respond and recover. You made it clear as to why both groups might be needed within a single organization.
Ruslan, It’s interesting that you mentioned that how these four groups work together in an incident. Helpdesk as the basic-level protection, is usually implemented by most organizations, but not all organizations have SOC and CIRT. I think Helpdesk, CIRT and CERT focus on the detective and corrective controls to respond to an incident that has occurred, while SOC can provide some preventive controls reducing the probability of the occurrence of an incident. That’s why some organizations may not have CIRT/CERT, but could probably have a SOC to conduct organization-wide control. They usually have a SOC first, and then have the CIRT later if they get more resources. In this case, SOC will do the CIRT’s work if there’s no CIRT.
Just want to correct my response. Helpdesk usually provide technical support for known problems and can refer unsolved problems to the SOC. SOC focus on detecting and handling an incident, and it can help call up a CIRT to respond the incident. CIRT is consist of IT expert to respond to and recover the incident through techniques including analysis and investigation.
Within SOC there are four levels of expertise and responsibilities:
– Tier1: Alert Analyst
– Perform continuous monitoring and collects data and context
necessary to initiate Tier 2 work.
-Tier2: Incident Responder
– Perform deep-dive incident analysis
– determines impacts on system or data
– advises on remediation;
– Provides for detecting threats.
-Tier 3: Subject Matter Expert
– Possesses in-depth knowledge of network, forensics and
malware reverse engineering
– acts as an incident hunter
– developing, tuning and implementing threat detection analytics.
– SOC Manager:
– Manages resources
– communicates with management
– provides overall direction for the SOC and input to
the overall security strategy.
https://www.sans.org/reading-room/whitepapers/analyst/building-world-class-security-operations-center-roadmap-35907
Nice explanation of SOC, joseph. I believe help desk will fall into tier1 because they are the first step that should be taken and analyze the issue. For CERT and CIRT, should both of them fall into tier 3? I think they may be involved in tier 2 and tier 3, but I am not sure should they both get involved or separately used.
great job Mengxue and Joseph, I think helpdesk would be tier 1. I think CERT\CIRT would be tier 3. In our organization and issue is escalated to tier 2 where they can look at logs, activity or causes. Yet tier 3 are the ones who resolve the issue and\or put in a permanent fix.
Mangxue, yes HelpDesk can be in tier1 I think. I found more information on CIRT team that can be composed of highly technical skills like in SOC’s team plus people with the more diverse background like:
– Upper-level Management is involved where big decisions can be made and support for financial/active resources
– IT Auditor, where to role is to observe, to make sure procedures are followed and to learn why incident came to by.
– Financial Auditor, is frequently required for insurance companies to put a monetary figure on the damage as a result of an incident.
– The Attorney is useful in the event of legal action and providing advice regarding liability.
– Public Relations role is important when the company is publicly traded and have to share information to protect company’s image. Sometimes it’s not an option but a must to have.
https://www.sans.org/reading-room/whitepapers/incident/computer-incident-response-team-641
This is how I would define the 4 Helpdesk, SOC, CIRT, and CERT:
HelpDesk is what at my job cosider to be the front line of Information technology accessibility to the end users. If a user has an IT issue they would typically contact the Help Desk to put in a formal request. This can be communication through a web form, phone call, email, or even through a tracking system. Each help desk has a tracking system that is used to assign a ticket to whoever handles that function and where progress of the issue can be tracked. Some Helpdesk associates, like myself at one time, has certain AD rights to reset password, create network accounts, or specific system admin access.
Computer Incident Response Team (CERT) is a service group with an IS department within an organization that is designated to handle security issues. This team will look into security breaches, respond to and suspicious activity and review reports. Usually there are designated team members with specific tasks and roles that can technical, communication and process\escalation oriented.
Computer Emergency Response Team (CERT) is a proactive team to handle security incidents, whereas CIRT is more reactive. We have a team that does tests for malmare and viruses by going to specific websites that may or may not have reputation of being malicious. The key concept for this team in an IS department is that it prepares the organization and for readiness. For instance my company has been sending phishing emails within the organization to diagnose the severity of people downloading a virus and how quick the response team can rectify the issue.
Security Operations Center (SOC) is in charge of the overall security management of an organization. Whereas CERT and CIRT are for IT security also, those focus on incident response or proactive testing. SOC is more of day-to-day security and compliance of a company. This can be hardware, infrastructure, strategy, and execution of leadership decisions on how the IT department remains secure on operational basis.