To borrow from the Nobel Prize winning songwriter, the (security) times, they are a-changin’. When the commercial Internet was young – say in 1995 – IT structure was relatively simple. It consisted of just three layers: server, network and client. Each had its own security component.
Ah, the good old days. Growing complexity is one of today’s IT’s biggest security challenges. The more complex the system, the greater the attack surface (in general). It is much easier now to hide multi-pronged canattacks in different layers and parts of the IT infrastructure.
Digital systems are dynamic. In today’s “-aaS” environments, it can be tough to track security events through these dynamic environments. Before, if someone was installing a new server in your computer room, others would notice this physical event. They would ask the installer’s identity, authorization and purpose of their activities. Who are you and what are you doing here? What’s this new machine’s purpose?
Not any longer. Today’s world has thousands of virtual machines. They move constantly between cloud datacenters, appearing and disappearing on demand. It is almost impossible to notice one extra virtual machine that doesn’t belong, and may exist only for a few minutes at a time.
Some digital systems provide too much visibility. These make it hard to spot the needle in the haystack and separate truly threatening incidents from merely unusual events, in logs of thousands or millions of transactions.
New Threats, New Adversaries
In this post desktop era, employees use their own laptops, smartphones and tablets. Everything from a doorbell to a camera to an automobile has an embedded system. As a result, even formerly mundane objects, such as lightbulbs and thermostats, can be exploited. This greatly expands the attack surface. Cybersecurity professionals have their hands full patching and plugging holes across a huge variety of devices and systems, and checking to make sure each type of device (many low-powered) is up-to-date (fully patched), not being compromised, or leveraged as a pivot-point in an attack.
Hyper-connectivity is another big security issue. Everything today seems to have an always-on connection to high-speed networks. Every device has an intelligent system embedded in it. These systems often use dynamic, on-demand services across ever-changing topologies. The security risks associated with always connected people, machines and devices can be a huge headache.
Automation may be more efficient, but it adds to security risks. Automatic controls now have the same permission levels as a system administrator. The integrity of those controls is vital.
Then there are the external factors like the bad actors. Organizations no longer face lone attackers working from one location. Many of today’s cyber thieves are loosely organized and dispersed individuals forming ad-hoc associations. These groups work together for a short time to exploit security holes and monetize the information assets that they compromise.
There are also professional cybercriminals. These specialists for hire may be working for organized crime syndicates, or be sponsored by nation-states. They can be hired over the Dark Web, and paid in hard-to-trace digital currencies, changing the economics of cybercrime. There has been steep rise in the volume of information and technology assets sold on the global underworld market.
In short, there is a nonstop, ever-escalating arms race between attackers and defenders. This has been ongoing over many years and does not look like it will end any time soon.
Evolving Models for Security Teams
Back in 2005, the U.S. Department of Defense (DoD) introduced Directive 8570 as an information security workforce organization model. It was an effort to keep up with changing security needs. It outlined 14 specific job roles under four categories. The categories include Management (Information Assurance Manager), Architect (Information Assurance Manager), Technician (Information Assurance Technician), and Operations (Computer Network Defense).
In 2015, the DoD introduced Directive 8140, beginning the multi-year move towards the new NICE cybersecurity workforce framework developed by the Department of Homeland Security (DHS) in conjunction with private sector, academia, and government. This more thorough workforce framework divides information security into seven activity categories and 31 specialty areas. The activity categories are: analyze, collect and operate, investigate, operate and maintain, oversight and development, protect and defend and securely provision.
The goal of the NICE cybersecurity workforce framework is to align all U.S. federal information security jobs with this new framework. Although the process of standardization has begun, it will be two to three years before many federal agencies are on board with an implementation plan. Thus 8570 is relevant for the time being.
This latest cybersecurity workforce framework will have a big impact on IT professionals looking for cybersecurity jobs, and on organizations putting together security teams. It comes along at the same time that enterprise information security shifted away from a focus on perimeter security, a major transition in strategy. It also eases the ability of workers to move between similar roles in different parts of the federal government, including among military, civilian and contractor positions. Using a standard team framework and teams built in similar structures will allow departments to work more smoothly together in joint exercises and learning projects.
The IT industry’s security focus formerly relied on perimeter security, layered security and defense-in-depth. These were regarded as best practices for information security preparations. A strong castle made the organization safe by keeping intruders and security risks outside, and away from the organization. That was the philosophy behind this approach.
Perimeter security by itself is not effective in today’s virtual systems, however. Even the strongest castles are not dynamic. They do not adapt to rapidly changing circumstances. They do not guard or defend themselves. Enterprise faith in strong perimeters was further weakened by the examples of Edward Snowden, Private Manning and other famous insider-threat breaches. Throw in endless advanced attacks that broke through the defenses of many a well-fortified organization, and even the most diehard perimeter-focused strategists saw the need for a new approach.
The current security approach adds guards to the castle. Organizations need guards in addition to stout walls. Guards know what suspicious behavior is, and note if people are not where they ought to be, or doing things they shouldn’t. They notice when an area is under attack. They sniff out holes in the castle defenses, and work with architects and builders to recommend reinforcements to the castle walls.
This guard function is providing a security operations function. Leading organizations are now making security operations part of the overall information security team, helping the organization gain awareness of external and internal security issues. These organizations then also remain aware of their security status and are well equipped to detect and defend against any attacks.
Cybersecurity Needs Teams
Much of the growth in cybersecurity jobs under the new U.S. Federal NICE Workforce Framework comes from new roles and responsibilities. One of the big takeaways from this latest model is the necessity of teams. Cybersecurity is much too big a task now for just one lone defender, or even a tiny band of professionals.
It’s hardly surprising that cybersecurity jobs are growing three times faster right now than IT jobs in general, and 12-times faster than the overall job market. In a 10-year period, cybersecurity jobs grew 74 percent. That growth is continuing to accelerate.
Organizations everywhere face a global shortfall of 1.5 million cybersecurity trained workers by 2019. This crunch has boosted cybersecurity job salaries 9-percent higher than other IT professional positions. Hiring qualified, trained cybersecurity professionals is a huge challenge. That’s why more than one-third of employers ask job candidates for industry certifications.
In the DoD 8750 framework, each job role has a set of certifications designed to help show that a person has the minimal amount of training, knowledge, skills and abilities to perform that role. New certifications are now also being mapped into the NICE Cybersecurity Workforce Framework (NCWF) too.
In the NCWF, a large percentage of the new security specialty areas have some operations aspect. In the “real world,” many job roles overlap specialty areas, and may be covered at least in part by the same certifications. For example, a Computer & Network Defense job role may include elements of detection, response, forensic investigation, or “clean up” activities, depending on the person’s skills and the size of their team.
Although developed for the U.S. Federal government, the NCWF may also be suited for large enterprise organizations that can support security departments numbering in the hundreds. For smaller businesses or organizations, this large-scale framework can be overwhelming, especially considering that many of the many of the job roles must be staffed 24/7. This means organizations need many more than one person to fill them.
A Simplified Security Team Model
To get a handle on staffing the security team and covering all the bases, smaller organizations should look at a simplified model. A simplified model provides a great starting point to helping management understand how to meet the entire spectrum of their security needs.
Start by breaking down security job functions into four teams.
The first team includes CISOs, CSOs, executives and managers. Their job is to:
Set budgets, and organizational priorities and policies.
Understand regulatory and legal compliance.
Understand business risks, priorities and tradeoffs.
The second team is made up of security architects. They:
Understand and evaluate new and existing security technologies.
Design security controls to meet requirements and budgets.
Define and revise security architecture and controls.
Define security procedures and best practices.
Frequently also hire and build out the rest of the security team.
Set security strategy.
The third team is comprised of security engineers, technicians and administrators. Their jobs are to:
Build out and implement the security architecture.
Deploy new systems using best practices and architect guidelines.
Respond to requests from the architect and security operations, making changes to existing security controls as needed.
Finally, the fourth team is security operations. This is frequently the front-lines of information security. The job of SOC team members is to:
Analyze security events.
Ensure security equipment operates effectively/properly.
Detect security attacks and events.
Respond to and investigate security attacks or events.
Mitigate/clean up after security breaches.
The number of security team members needed will vary with each organization’s unique requirements. No matter how an organization configures its team, the team members should keep their security skills current, and have a training and development program in place for their team members to grow their skills, and keep current with the latest threats and security technologies. Given the widespread shortage of professionals with cybersecurity skills, a strong talent development program can be an attractive asset for employees to stay onboard. Ultimately, the right training and certifications will make in a huge difference in the quality of the team and how quickly and effectively it works together to detect and respond to both current and future security incidents.