Originally published on Security Magazine, December 17th, 2021
The Product Security Incident Response Team (PSIRT) is not a firefighter team, but they should be your fire marshal. Your PSIRT is more than a first response team that only activates when an incident occurs. Businesses get the most out of their investment in this highly skilled team by leveraging the team’s expertise for proactive security activities.
An appropriately leveraged PSIRT works across business lines improving security processes and preventing incidents whenever possible. Properly utilized, your PSIRT stops being an expensive cyber firefighter, and instead, they become a valuable strategic cybersecurity initiative. Organizations rarely realize this additional value, so this article considers how PSIRT teams can add significant long-term value by helping to mature your security processes and strengthen your security posture year-round.
The PSIRT Responsibilities
The PSIRT is responsible for investigating post-production incidents, timely assessment of exploits, and incident resolution. When incidents occur, such as a vulnerability discovery or a device breach, the PSIRT is there to analyze the situation in-depth. Using root-cause analysis, they determine the cause and what underlying factors contributed to it.
As a core component of the incident response process, the PSIRT is responsible for stakeholder communication. This communication goes beyond just internal partners and includes external vendors, security researchers, and ethical hackers. They are accountable for creating incident mitigation plans in conjunction with development teams and external suppliers for the current incident and potential similar incidents in the future.
Peacetime PSIRT Activities
While a valuable asset during an incident, not every moment is an incident with all hands on deck. This could leave the PSIRT with a significant amount of free time on their hands. As the PSIRT comprises skilled individuals, letting them waste away waiting for an incident is not a good investment for the business. Instead, the PSIRT can be optimized to perform anticipatory steps to help prevent an incident from occurring in the first place.
One of the primary peacetime goals of the PSIRT is searching for problems before they become an actual incident. By looking outside the company through information sharing platforms, working with the government, or CERT forums, additional information about potential threats and vulnerabilities to their organization, product, libraries they use, or similar products and companies.
Using this information, they can take proactive steps to mitigate potential issues. For example, when a library provider is rumored to be breached or anticipated to be a target of an attack, the team can scrutinize any code from them in greater depth than usual. They can also set up additional monitoring and alerting related to their product.
If a similar company or product is rumored to be a target for cybercriminals, the PSIRT can take steps to respond in anticipation of being targeted as well. When a vulnerability is found in one product, it is reasonable to assume that a similar one will be located in an adjacent product.
The most dangerous vulnerabilities are easy to identify by their Common Vulnerability Scoring System (CVSS) scores, with numbers above 7.0 being high risk. This is a valuable metric for determining those vulnerabilities that must be addressed. The lower scores are not quite as clear. Sometimes multiple lower-scored vulnerabilities can be used together to create a higher severity issue.
PSIRT has experience reviewing vulnerabilities in an incident to assess known vulnerabilities in a product and its libraries. They can view the vulnerabilities as more than a list but in terms of how they might interact with one another. This data can be conveyed to product leads and teams to determine remediation priority, allowing a potential attack to be averted before someone else discovers the vulnerability interaction.
Bridging Vulnerability Gaps
When vulnerabilities are identified, whether with a vendor or the product itself, the developer may know it and work on a fix, but the patch may still be weeks away. Organizations have to do something about it in the meantime, and this is where the PSIRT can shine. Even though it is not yet an “incident,” it still requires addressing to prevent it from becoming one.
The PSIRT can work with product security and program teams to determine actions to reduce the risk. This is no substitute for a complete fix, but a risk reduction can help make it tenable until a proper patch is in place. These changes could be reconfigurations, tracking certain behaviors, or temporarily blocking non-critical functionality that could trigger the vulnerability. If there is a SOC or NOC, they can direct the team to watch for specific alerts or messages that would indicate the exposure is compromised.
Vulnerability Disclosure Program
A lesser-known functionality of the PSIRT is to manage the community intel-gathering programs such as Bug Bounty or disclosure program. These programs allow external ethical hackers or security researchers to provide vulnerability discoveries through a controlled channel, direct to the company. The PSIRT can assess the provided findings, determine what vulnerabilities are relevant, and score them appropriately to be communicated to other teams for prioritization.
The PSIRT is elevated beyond an insurance policy to a valuable part of the security ecosystem for preventing future attacks when used efficiently. This PSIRT is an experienced team, and this investment should not be wasted. To realize the optimum ROI from your PSIRT team you need to leverage their expertise to proactively hunt for threats and address vulnerabilities before they become incidents.