Every new year begins with the best of intentions, and I am going to try to blog at least once a month in 2016. There was an absolutely fabulous post by Scott Roberts in January called Introduction to DFIR (http://sroberts.github.io/2016/01/11/introduction-to-dfir-the-beginning/) that I highly recommend reading. That along with my steadfast belief that being good at infosec is primarily dependent on people and not technology, has inspired my first blog post of the year.
More than anything, infosec is a problem caused by people that can only be effectively addressed by people. Whether it is coders introducing bugs, business leaders taking excessive cyber risks to accomplish near term business goals, or oblivious users clicking on links and attachments in phishing emails, it a people problem. To drive home this point, lets make an example. Based on the following organizational descriptions, which ones do you think are most secure and alternately which one would you want to work for.
• CISO - Doug Steelman
• Director, IR & Forensics - Brian Carrier
• Director, Red Team - Dave Aitel
• Director, Threat Intelligence - Patton Adams
• SEIM - ArcSight
• Forensics - Encase Enterprise
• IDS - SourceFire
• CTI - Norse
• SEIM - Splunk
• Forensics - F-Response, SIFT
• NSM - Custom Bro/Surricata sensors
• CTI - ThreatConnect
I am not sure how other people would chose and what criteria they would apply. However for myself, it is clear that choosing to work for great people has the least amount of risk and the greatest amount of "top cover". My choice in order would be Stark Industries followed by Hooli. I wouldn't work for Massive Dynamic based on their choices. The key take away is that people matter more than anything when choosing either employment or how competent you expect that company to be in securing their information.
Most companies at least pay lip service to the idea that people are vital to success. However, there are some serious challenges in this space. Anyone can throw big money and big promises at a "cyber rockstar" and lure them in. Where corporations often fall flat on their face is retaining talent. Capable and motivated people will not sit around while you figure out what you want to be when you grow up. For instance, I once personally waited 18 months for network taps at a company and never got them. This was despite multiple meetings with network design and buy in from senior leadership. To add to the insult, there was already a tap aggregator in place! My time is worth more than that, so I decided to move on and it had nothing to do with money and everything to do with being in an environment where I could deliver tremendous results and succeed.
While the vast majority companies are self sabotaging when it comes to IT security talent retention, the ones who understand this will profit immensely. This brings me to the other big component of the people problem. There just aren't enough qualified candidates. Instead of whining about this at your elegant CISO roundtable dinners with a 24yr old single malt in your hand, take ownership of the problem. Talent has to be developed plain and simple. Every single person starts out knowing nothing. That is what I want to address starting in this post and a follow up one.
I think we need to develop infosec talent at an even lower level. Scott's great post is spot on for training up DFIR personnel, but I believe there are some fundamental IT skills that need to be in place first. The reason I believe this is that, there are quite a few people coming out of college "security" programs without critical foundational skills. And I'm not picking on edu, this is the case for the majority of entry level candidates regardless of background. Knowing something on paper is only the beginning of where you need to be at from a functional perspective.
IT Fundamentals for InfoSec
8. Programming Constructs
9. Collect & Analyze
10. Common Body of Knowledge
13. Live Response
14. Offensive Concepts
15. Defensive Concepts
Above would be my requirements for someone looking to get into a career in information security. I would expect them to have functional skills in items 1 through 9, followed by a basic understanding of items 10 through 15. Having this foundation ensures that a candidate is positioned to succeed in a junior IT security role. While there are always exceptions to the rule, I would strongly recommend anyone work 2-3 years in a general IT role before moving into security. It gives the person much more context and understanding of why things are they way they are and potentially insight on how to improve things. In part two of this blog post, I will detail out each of the 15 IT fundamentals, which in turn I hope will assist people looking to break into information security with a degree of competence.