Approaches to Improve the Activity of Computer Incident Response Teams

Today incident detection mechanisms, that define CERT / CSIRT effectiveness, based mostly on two principles - signature and heuristic. Their disadvantage is that they are focused on mathematical models, which require a lot of time to prepare statistics and so it decreases CERT/CSIRT efficiency. In this work, we have proposed approaches to ensure CERT / CSIRT high efficiency and its evaluation. To detect incidents we suggest using mathematical models based on expert's estimations. The proposed method allows solving the problem of incident detection and its identification based on expert judgments in fuzzy conditions. To estimate CERT / CSIRT effectiveness was introduce baselines. It enabled to determine CERT / CSIRT effectiveness during the necessary period. The report by the following parameters should be carried out regularly to get the full picture of their changes and identify the main trend.