DocumentCode
3700101
Title
Approaches to improve the activity of computer incident response teams
Author
Andrii Gizun;Viktor Gnatyuk;Nadiia Balyk;Pawel Falat
Author_Institution
National Aviation University, 1 Kosmonavta Komarova Ave, 03680 Kyiv, Ukraine
Volume
1
fYear
2015
Firstpage
442
Lastpage
447
Abstract
Today, the incident detection mechanisms that define CERT/CSIRT effectiveness are based mostly on two principles: signature and heuristic. Their disadvantage is that they rely on mathematical models that require a lot of time to prepare statistics, which decreases CERT/CSIRT efficiency. In this work, we propose approaches to ensure high CERT/CSIRT efficiency and to evaluate it. To detect incidents, we suggest using mathematical models based on experts' estimations. The proposed method solves the problem of incident detection and identification based on expert judgments in fuzzy conditions. To estimate CERT/CSIRT effectiveness, baselines were introduced. They make it possible to determine CERT/CSIRT effectiveness during the necessary period. A report on the following parameters should be produced regularly to get the full picture of their changes and identify the main trend.
Keywords
"Standards","Security","Pragmatics","Fuzzy logic","Computers","Servers","Mathematical model"
Publisher
ieee
Conference_Titel
Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), 2015 IEEE 8th International Conference on
Print_ISBN
978-1-4673-8359-2
Type
conf
DOI
10.1109/IDAACS.2015.7340775
Filename
7340775