
The People Problem - Part 1

Every new year begins with the best of intentions, and I am going to try to blog at least once a month in 2016. There was an absolutely fabulous post by Scott Roberts in January called Introduction to DFIR (http://sroberts.github.io/2016/01/11/introduction-to-dfir-the-beginning/) that I highly recommend reading. That, along with my steadfast belief that being good at infosec is primarily dependent on people and not technology, has inspired my first blog post of the year.

More than anything, infosec is a problem caused by people that can only be effectively addressed by people. Whether it is coders introducing bugs, business leaders taking excessive cyber risks to accomplish near-term business goals, or oblivious users clicking on links and attachments in phishing emails, it is a people problem. To drive home this point, let's make an example. Based on the following organizational descriptions, which ones do you think are most secure and, alternatively, which one would you want to work for?

Stark Industries
• CISO - Doug Steelman
• Director, IR & Forensics - Brian Carrier
• Director, Red Team - Dave Aitel
• Director, Threat Intelligence - Patton Adams

Massive Dynamic
• SIEM - ArcSight
• Forensics - EnCase Enterprise
• IDS - SourceFire
• CTI - Norse

Hooli
• SIEM - Splunk
• Forensics - F-Response, SIFT
• NSM - Custom Bro/Suricata sensors
• CTI - ThreatConnect

I am not sure how other people would choose and what criteria they would apply. However, for myself, it is clear that choosing to work for great people has the least amount of risk and the greatest amount of "top cover". My choice in order would be Stark Industries followed by Hooli. I wouldn't work for Massive Dynamic based on their choices. The key takeaway is that people matter more than anything when choosing either employment or how competent you expect that company to be in securing their information.

Most companies at least pay lip service to the idea that people are vital to success. However, there are some serious challenges in this space. Anyone can throw big money and big promises at a "cyber rockstar" and lure them in. Where corporations often fall flat on their face is retaining talent. Capable and motivated people will not sit around while you figure out what you want to be when you grow up. For instance, I once personally waited 18 months for network taps at a company and never got them. This was despite multiple meetings with network design and buy-in from senior leadership. To add to the insult, there was already a tap aggregator in place! My time is worth more than that, so I decided to move on, and it had nothing to do with money and everything to do with being in an environment where I could deliver tremendous results and succeed.

While the vast majority of companies are self-sabotaging when it comes to IT security talent retention, the ones who understand this will profit immensely. This brings me to the other big component of the people problem. There just aren't enough qualified candidates. Instead of whining about this at your elegant CISO roundtable dinners with a 24-year-old single malt in your hand, take ownership of the problem. Talent has to be developed, plain and simple. Every single person starts out knowing nothing. That is what I want to address starting in this post and a follow-up one.

I think we need to develop infosec talent at an even lower level. Scott's great post is spot on for training up DFIR personnel, but I believe there are some fundamental IT skills that need to be in place first. The reason I believe this is that there are quite a few people coming out of college "security" programs without critical foundational skills. And I'm not picking on edu; this is the case for the majority of entry-level candidates regardless of background. Knowing something on paper is only the beginning of where you need to be from a functional perspective.

IT Fundamentals for InfoSec

Operating Systems
1. Windows
2. Linux

Networking
3. TCP/IP
4. Routing/Switching
5. Firewall/VPN

Applications
6. Web
7. Database
8. Programming Constructs

Troubleshooting
9. Collect & Analyze

Security
10. Common Body of Knowledge
11. Malware
12. NSM
13. Live Response
14. Offensive Concepts
15. Defensive Concepts

Above would be my requirements for someone looking to get into a career in information security. I would expect them to have functional skills in items 1 through 9, followed by a basic understanding of items 10 through 15. Having this foundation ensures that a candidate is positioned to succeed in a junior IT security role. While there are always exceptions to the rule, I would strongly recommend anyone work 2-3 years in a general IT role before moving into security. It gives the person much more context and understanding of why things are the way they are and potentially insight on how to improve things. In part two of this blog post, I will detail each of the 15 IT fundamentals, which in turn I hope will assist people looking to break into information security with a degree of competence.
