FIRST: Global Forum Empowers Incident Response Teams to Fight Emerging Security Threats by Sharing Information and Expertise

TL; DR: Aiming to protect and preserve online information and infrastructure systems, the Forum of Incident Response and Security Teams (FIRST) attracts experts from various sectors around the world to collaboratively address emerging threats. FIRST members promote technical standards and best practices for sharing information and rapidly responding to security concerns. We spoke with Maarten Van Horenbeeck and Serge Droz as the two Directors attended the organization’s conference in Puerto Rico.

Fastly Vice President of Security Engineering Maarten Van Horenbeeck says he’ll never forget what he saw during his first conference by the Forum of Incident Response and Security Teams. In addition to the knowledge and exposure gained at educational sessions, he watched as a group of incident responders decided to get lunch together.

Instead of casually discussing some mindless topic while they ate, the security experts all brought out their laptops and feverishly wrote code to streamline data-sharing procedures when new breaches were discovered.

“The code actually turned into an open-source tool the entire community started using,” Maarten said. “I realized it was more than just a conference. As a participant in the community, one of the first things I noticed was how FIRST really brought people together to work on solving difficult problems at a very practical level.”

Six years later, Maarten now serves on the FIRST Board of Directors and continues to connect with incident response teams around the world. The organization, a central authority in computer security, provides tools, expertise, and best practices to help organizations more effectively prepare for and respond to security incidents.

FIRST: Nearly 30 Years of Security and a Rigorous Path to Membership

In late 1988, a piece of malware began infecting systems with self-replicating code. The worm caused major portions of the internet to go down, and organizations were unsure and clumsy in their responses.

“It wasn’t such a big thing as it’d be today, but it was a mess,” Maarten said.

Incidents continued to arise, and organizations began to recognize the need for coordination and collaboration. FIRST was established in 1990 and has since grown to include nearly 370 security teams from 81 countries among the likes of Adobe, Amazon, Apple, Cisco, Google, HP, IBM, Intel, Lenovo, Microsoft, Oracle, SalesForce, and Red Hat.

FIRST global conferences attract speakers from Microsoft, Google, and Facebook, among others.

FIRST membership comprises organizations based in sectors ranging from government and business to higher education. Becoming a member is more than “simply spending a little bit of money for an initiation fee,” Maarten said.

Prospective members must be nominated and supported by two existing member organizations, at least one of which must perform a site visit to evaluate the incident response team’s existing processes. The sponsoring members will then submit the team’s application for membership to the whole FIRST organization and Board of Directors for approval.

“It shows you’re actually making a commitment to getting into FIRST and can find members who say you’ll make a good addition to the community,” Maarten said.

Directors’ Choice: 3 Important Initiatives and Special Interest Groups

FIRST members can participate in more than a dozen special interest groups, working groups, and initiatives to explore areas of common interest. The groups establish standards and best practices, along with educational opportunities and partnerships, and Maarten picked out a few noteworthy collaborations.

“The easiest way to get to know these initiatives and others is to attend a conference or become a member and learn from others about what they’re interested in and working on,” he said.

1. Traffic Light Protocol: Standardizing How Information is Shared

Originally established in the UK to encourage sharing information security professionals, the Traffic Light Protocol has since been widely adopted around the world.

“It’s a really easy way of marking up a document to show to what degree that document can be shared,” Maarten said.

Information labeled as red should be contained to specifically named recipients, while amber information can be shared with discretion. Documents with the green designation can be spread widely within a particular community, and white documents have no restrictions.

2. Common Vulnerability Scoring System: Measuring Severity of Threats

A free and open standard for assessing the danger and priority of various vulnerabilities, the Common Vulnerability Scoring System assigns a numerical score to weaknesses based on several metrics.

FIRST’s interactive tool will calculate a vulnerability’s score so organizations can prioritize a response.

“The goal of that group is to update the standard that has now existed for more than 10 years,” Maarten said. It allows you to quickly identify how bad a particular vulnerability is and how it should be prioritized.”

FIRST provides a self-paced, online training course for interested security professionals to learn about the system, along with a calculator, now in its third version.

3. Internet Governance: Lending Technical Expertise to Public Policy

More recently, FIRST members began exploring security and incident response within the context of internet governance, privacy, and human rights.

“One of the problems today with security is that there are elements that are critically important but not necessarily things our community has worked on,” Maarten said. “From that perspective, we started collaborating more and more with other organizations in internet governance. We share with them our technical knowledge and best practices to promote awareness.”

FIRST’s Global Community Joins Forces to Support a Safer Internet

Serge Droz, Vice President of Incident Response at Open Systems AG in Switzerland, came to FIRST a few years after Maarten. He finds value in the wide networking opportunities FIRST provides at conferences around the world.

“If I try to solve all these problems on my own, I’m pretty lost,” he said. “With FIRST, there are thousands of people comparing notes and observations. That really allows me to act effectively.”

Incident Response Experts Network Across Borders and Cultures

By working with teams from various backgrounds — both in terms of technical expertise and cultural resources — Serge said FIRST coordinates a global response to security incidents.

“The internet does not stop at national borders,” he said. “It’s a global thing, and that’s how the attackers operate. FIRST really facilitates this collaboration across national and cultural borders. For me, that’s the biggest benefit.”

Competitors Collaborate to Combat Contentious Security Problems

Bringing together so many security experts naturally mean business rivals often interact at various meetings, Serge said. Instead of keeping a wary eye on each other, however, the peers collaborate on reaching a common goal.

“There are a lot of competitors here, but the message and understanding are that you don’t compete in security,” he said. “You compete in terms of services and products you want to sell your clients, but not in terms of security. FIRST is laying the basis for that to be possible.”

Fellowship Program for Security Teams From Emerging Countries

Extending the FIRST network into countries where residents are just starting to get online is a major priority for the organization, according to Serge and Maarten.

To attract security teams from underrepresented countries or regions, FIRST leaders recently established the Fellowship Program to provide a low-cost membership option for new organizations.

Security teams from Vietnam, Panama, Ecuador, and Moldova won fellowships in 2017 to participate in FIRST.

Two organizations from each of the countries will receive heavily discounted conference passes and membership for five years. This year, teams from Vietnam, Panama, Ecuador, and Moldova are participating in the program.

Relying on FIRST Expertise to Save Organizations Time and Money

Beyond networking and learning opportunities, Maarten has used FIRST resources in the workplace. Previously employed at large organizations with well-established malware analysis programs, he found himself at a smaller company with a less mature program.

“As an individual security professional, I can go and build all of that from scratch, but it would take a very significant amount of time and a very big investment of resources,” he said.

Rather, he turned to the FIRST Malware Analysis special interest group, which develops best practices around the detection and mitigation of malware.

“Instead of reinventing the wheel, I can go into FIRST and use a product they’re already working on and apply it to my organization,” he said.

ABOUT THE AUTHOR
Laura Stamey

Laura Stamey is a multi-talented communicator with a master's degree in web design and online communication and extensive experience creating web, print, and multimedia products. As a Contributing Editor for HostingAdvice.com, she combines her communication skills with web design experience, a passionate love for WordPress, and a strong desire to continue learning. When she's not addressing user questions via helpful how-to guides, you'll find her connecting with the folks behind companies that are powering the Web — covering their innovative technologies and the teams that engineer them.