
How to staff your team across the security kill chain

08 Aug 2016

Effective digital security needs people as well as technology. Most organisations are aware of the need to staff up to improve their security against cyber-crime, and there is no shortage of options: in-house experts, service bureaus, staff training and more.

Staffing plans also need to take into account capital expenditure (Capex), operating expenditure (Opex), projects, operations, organisation charts and head count.

But to become effective they need to take a close look at the cyber criminals’ kill chain and ensure they staff each vulnerable point where human intervention is required. Let us reimagine the kill chain for security projects and operations.

Reconnaissance encompasses updating skills, eyeing attack patterns, considering threat landscapes and formulating new approaches. Weaponisation takes in technology procurement, engineering and automation, training and certification.

Delivery requires close attention to project delivery, infrastructure installation and process implementation, while Exploitation covers communication and consensus, corporate deployment and stabilisation.

Installation includes tracking and retention, enforcement levels and advanced analytics, while Command and Control covers threat intelligence, daily triage, engineering and orchestration, and response automation.

Finally Actions & Objectives includes stopping attacks, detecting breaches and responding to incidents.

It is easy to see which of these terms are technical – automation, technology and infrastructure, and which are human – communication, triage and skills. What may be less obvious is the way in which certain staffing models or assumptions can create weaknesses in the chain.

An obvious one is lean staffing, possibly even a single-person responsibility. Where is that most likely to affect the kill chain?

In reconnaissance, the security person does not have the time to update his/her knowledge or skills, research threats or trends, and keep up with the hackers who DO have that time every day.

In delivery, the security solution may be highly efficient, but delivering it can require a significant effort, and a single person has too many distractions.

In command and control, daily triage means daily effort, typically structured and scheduled, and a sole security person has too many unstructured interrupts and insufficient energy to concentrate.

Clearly there is a pressing need to become creative about remedies. For command and control, consider outsourcing detection to a managed security service provider (MSSP).

For delivery, go with a full-service vendor or partner that can implement a complete solution, and build in plenty of package-based and consulting-based training/education for your security team.

Since security is a full-time job, possibly a less expensive solution for reconnaissance would be to hire people to wear some of the other hats your security person is wearing. For a smaller business, perhaps it’s time to hire a help desk person to support your lone wolf.

Outsourcing might be considered a remedy for weakness in a so-called command and control link, but it covers other areas too. These include skills updates in the reconnaissance area and potentially infrastructure in our delivery section.

But does that approach bring, or reveal, weakness in other links? Cyber attacks often strike in delivery. A services partner may have a preferred way of engineering and orchestrating a physical technology solution, but does the organisation's technology vendor or implementation partner mesh with that approach?

If management need to ‘sell’ exploitation to the organisation, who knows best how to work the angle? Is it another vendor, or is it the company?

When the MSSP detects a cyber attack, does it also offer responder services? Or can in-house security do this? Does the in-house team have the bandwidth and the skills?

Get creative about remedies

Delivery: Choose vendors that reference and partner with one another. Use a trusted adviser to co-ordinate parties and envision solutions.

Exploitation: Choose an implementation partner or technology vendor that has a methodology, sample deliverables, collateral and communication plans.

Actions and Objectives: Go with best-of-breed, one-stop shopping, training your team, or a combination of the above – just think in terms of covering all the links in the chain.

Bottom line: Security is not just about staffing up, it's about staffing right. Don't worry about exactly what the right answer is, because there is no single answer. Rather, be guided by knowledge of the kill chain, and of your own organisation and operations.

Article by Kane Lightowler, Managing Director Asia Pacific + Japan, Carbon Black.
