So, You Wanna Be A Security Star?


Well, here’s where you can start and learn the ropes.

There are over 350,000 security analyst job openings currently available, and many have starting salaries in the six figures. On top of that, organizations are struggling to find good security analysts because of the shortage of cybersecurity skills, and that will continue to be the case in the coming years. There could be a 1.8 million cybersecurity talent shortage by 2022. (1)

So what’s the deal? Why is this happening?

Many reasons but most of all, we’re human. We are creative, social beings that need to grow, learn, evolve and have a passion for what we do.

Information security analysts plan and carry out security measures to protect an organization’s networks, computers and systems. They also monitor those systems for security breaches and investigate any violations. They install software, firewalls and other controls to protect sensitive information. In addition, they prepare risk analysis and mitigation plans, document breaches, report on the damage a breach caused, conduct penetration testing, stay current with security trends, develop security best practices for the organization, ensure regulatory compliance, recommend security enhancements and help shape the disaster recovery plan. In a nutshell, their job is to monitor the network and the hosts on it to identify and mitigate security threats.

Even with that list, their responsibilities are continually growing as the number and rate of cyberattacks increases.

Historically, they typically worked for financial organizations, consulting firms, technology and service providers, and organizations that had already endured digital attacks. But over the last decade, as more businesses built a digital presence, as clouds grew and as more everyday devices started running software and connecting to the internet, security analysts have become needed in almost every sector, often from conception to completion of a product or service.

They are sorely needed in this great battle of internet good vs. evil.

A Typical Day

Probably the first thing to know about a security analyst job is that there is no typical day; unpredictability is the norm. Sure, there are certain tasks an analyst performs daily, but in the wild west of cybercrime, you follow the evidence. And often, it arrives in the form of dashboard alerts. Examining alert logs is a very common task for security analysts, since for each incident they need to understand what happened (past), the current situation (present) and what might occur next (future). Classic risk analysis.

With the massive increase in the volume of security alerts organizations receive, staffers can get bogged down triaging them and trying to determine the appropriate countermeasure for each finding. On average, it takes around 45 minutes to investigate each alert, and what lies behind it could be anything from an intrusion attempt to a user policy violation. Events of concern should always get some human review and a resolution, even if it’s simply a report.

And that’s just the incident alerts.

In addition, security teams routinely install, manage and maintain security devices like firewalls. They also manage IDS/IPS, ICAP, SSL, PKI and similar systems, along with the policy, change management and troubleshooting of those devices. Knowing how the infrastructure works and who owns each piece makes incident response much easier. For instance, a compromised host requesting malware updates requires a different approach than defending against a DDoS attack.

Then there are the tools. The success of any security operations center (SOC) depends on having the right tools, the right processes and, most importantly, efficient and effective analysis. (2) As more security solutions enter the SOC, it becomes difficult to monitor all the data generated by all the sources. There could be dozens of technologies in use, and managing each of them independently is cumbersome. A central view on a single platform makes it easier to manage, monitor and measure security operations and incident response.

F5 SOC Analyst Paul Dockter explains,

Security is an ever-evolving game of constant adaptation and my goal as a security analyst is to make sure that I stay ahead of this game. This requires that I stay up to date on current malware trends and variants and phishing attack vectors.

My daily responsibilities include alert analysis, monitoring for potential attacks, along with proactive research to find attacks before they end up generating alerts. Taking the results of these sources I work with internet authorities from Hosting and Registrar providers to CERTs and Law Enforcement around the world to swiftly eradicate detected attacks before they can be fully leveraged to target our customers.

Additionally, I work with our customers providing product support to make sure that their products are operating correctly to generate future alerts. Beyond these responsibilities my day is made up of reading security articles, brainstorming issues with Analysts on the other SOC teams, and working on tasks as provided by my managers.

Educational Background

A bachelor’s degree in a computer-related field is certainly a good starting point, and experience in a related occupation is preferred. Many of today’s InfoSec old-timers grew up playing with computer systems alongside the growth of computer networking, application delivery and the internet.

They started out as the early network engineers, and as the threats came their way, they defended as best they knew how. They’d run an application with a sniffer attached to see which ports and protocols it actually used, so the firewall policy could be written to allow only those. They stayed cognizant of the criminal mindset and developed solutions to protect against the bad actors: a new signature one day, a blocked port or IP address the next. They kept current on new techniques and vulnerabilities and did some of their own penetration testing as research. Many InfoSec pros have gained notoriety for discovering serious flaws in systems, and those discoveries have often forced technology manufacturers to fix critical flaws that could have had devastating consequences. The great ones are experts at recognizing patterns: see something that looks weird and dig a bit deeper.

Today’s Landscape

With the retirement of many of those early security pioneers and immense outsourcing over the last decade, today we face a shortage of cybersecurity talent. The depth of individual expertise across the security framework has diminished, at a time when cyber-threats have escalated to insane levels. The industry has a massive supply and demand problem, so organizations must invest in their own people. It’s becoming clear that any organization with security needs, whatever its size, should provide career development, training and mentoring to talent who show interest and have the technical skills. Opportunities such as security research, threat hunting and certifications, along with compensation, are key.

In terms of building future talent, the good news is that colleges and universities are now offering cybersecurity programs. George Washington University has the Institute for Information Infrastructure Protection, and Marymount University offers an MS in Cybersecurity. While many programs focus on coding, cryptography and ethical hacking, it’s also important to understand some basic business decision making. Cybersecurity roles can encompass not only the technical realm but also legal, policy and management, and operations work such as incident management.

At a national level, the National Security Agency (NSA) and the Department of Homeland Security (DHS) jointly sponsor the National Centers of Academic Excellence program, with one designation in Cyber Defense (CAE-CD) and one in Cyber Operations (CAE-CO). The goal, according to the agencies, is to reduce vulnerability in our national information infrastructure by promoting higher education and research in cyber defense and producing professionals with cyber defense expertise. Many colleges and universities in the US are eligible to apply to become a CAE-CD school. In fact, the F5 Labs Threat Research Team has partnered with several universities (UW, UWT, Whatcom) and has published research findings with them.

Likewise, in the UK, a new National College of Cyber Security will open in 2019, and its Cyber Discovery program focuses on kids aged 14-18, teaching teenagers about cybersecurity in a fun and accessible way.

The one thing about this field is that you’ll always be learning. With the Internet of Things, new threats are a daily occurrence, along with new data exfiltration techniques. If you hated studying in college, this might not be the career for you, as this job requires constant training, learning and studying the latest trends and techniques. You must have passion for this work.

Job Fatigue

Is very real.

According to ESG, 63 percent of organizations say the cybersecurity skills shortage has led to increased workloads on existing staff. Security analysts are typically consumed by the routines of their job, and many reach burnout within 1 to 3 years. The work is manually intensive, the procedures are very static, and numbness can creep in quickly. In fact, many analysts feel that they haven’t contributed at all to the overall security posture of the organization.

In recent months, several respected InfoSec pros have decided to take a step back from the security scene, particularly on social media. There have been stories of people stealing research and claiming it as their own, and one respected expert noted on Twitter, ‘I see what was once a community driven on knowledge, sharing, or working together to make a positive difference, regardless of who you were or where you were from, completely shift towards going after one another’.

The InfoSec industry can’t sustain itself with that mentality.

A 2015 study, A Human Capital Model for Mitigating Security Analyst Burnout, took an anthropological approach to exploring the burnout phenomenon. The authors trained a researcher and then placed him within a Security Operations Center (SOC) to understand, beyond what interviews reveal, what drives the exhaustion. Trust is important within SOCs, so the embedded researcher had to have the skills to do the job, while also recording daily reflections on the operation.

The SOC was made up of an operations team and an incident management crew, each with Level 1 and Level 2 analysts. L1 analysts were the first line of defense, monitoring the Security Information and Event Management (SIEM) console for possible breach attempts. L2 analysts were more senior and provided mentoring, management, reporting and in-depth analysis of incidents.

According to the researchers, human capital, in the context of a SOC, refers to the knowledge, talents, skills, experience, intelligence, training, judgment and wisdom possessed by individual analysts and the team as a whole. Human capital can also be defined as the collective and individual intellectual stock of a SOC.

They looked at morale, automation, operational efficiency, management metrics and, of course, how these lead to analyst burnout. Specifically, they noted that the cyclic interaction of human capital with automation, operational efficiency and management metrics contributes to burnout.

One analyst shared that he wanted to work in an environment where he was continuously learning and had the opportunity to analyze malware. As a Level 1 analyst, he was dismayed that he wasn’t doing any real threat detection and worried he had made a bad career choice. Lack of intellectual growth can be a huge issue for morale. Other drags on morale include step-by-step mundane procedures, tasks assigned without consultation and, certainly, compensation…or the perceived lack of it.

There are also operational efficiency gaps when groups don’t cooperate, or when information from other groups is incomplete while an event is being investigated. Even a misunderstanding or a lack of clarity about a given task can lead to inefficiencies. In the security world, details matter.

One might think automation would be the perfect solution for an overworked staff, but it can take the human element out of the work. Sure, you could write a script to automate ‘look for this!’, but automation is often inserted without first reviewing which procedures are actually suitable for it. In addition, if the automated process fails to identify a threat, liability rears its head again.


A Path Forward

Proper development and management of security analysts is vital for a SOC’s success.

The A Human Capital Model for Mitigating Security Analyst Burnout study identified four factors that affect the creation and preservation of effective security analysts: Skills, Empowerment, Creativity and Growth.

The right skills are essential for a security analyst to do the job, and they can be gained through education or experience. It is vital that the L1 and L2 teams share training about each other’s responsibilities. If someone is not properly trained, their confidence in addressing an issue diminishes, and that lack of confidence leads to frustration as opportunities pass by for want of the right knowledge.

From an empowerment standpoint, when analysts are encouraged to contribute ideas or investigate new threat data, they feel excited and empowered. Empowerment and morale go hand in hand, so as an analyst grows, responsibilities and trust should grow too, since the risk of a screw-up diminishes.

Humans are creative beings, and the report notes that empowerment directly affects an analyst’s creativity: the creativity to handle a scenario unlike anything seen before. When empowered, analysts will go outside the written procedures to creatively figure out an issue. They are not afraid to try new ideas, because they are empowered to think outside the SIEM box. Empowerment encourages creativity, and offering staff creative outlets when the work gets repetitive leads to a more enjoyable job and therefore good morale. Skills, empowerment and creativity together give SOC personnel the confidence to handle any situation in real time.

Growth for security staff means increasing an analyst’s intellectual capacity. Most growth happens on the job handling incidents, but it’s important to work different types of security events in order to learn new skills and broaden knowledge. Learning brings a sense of accomplishment and purpose on the job, and with accomplishment come confidence and growth. Growth is influenced by creativity: dull, repetitive activity leads to lower creative development, which means the analyst uses the same skills every day, inhibiting growth. It’s all intertwined. Growth also comes through mentors, teaching others and learning new skills.

Even highly skilled, empowered employees may find themselves unable to grow because there is no mentor or anyone more knowledgeable around. They may be the smartest cat in the room, but that’s where they’ll stay. This is often one of the reasons highly skilled InfoSec pros move on: they want something more challenging, or a variety of problems to work on…not just the daily alerts. There needs to be a good balance so that everyone can learn, grow and feel good about what they are doing.

You can see how low skills, low growth, low empowerment and low creativity lead to dissatisfaction and low morale. This is the vicious cycle of human capital described in the study. As long as the outcomes among the four factors stay positive, morale can remain high. Frequent turnover also means spending more on recruiting and training new people.

You can easily see how a pattern of lower empowerment leads to lower creativity, which then leads to lower growth and lower skills. Burnout occurs when one gets stuck in that vicious cycle. The same holds for skill level: with lower skills, management trust is lower, which leads to less empowerment (and so no creativity) and no opportunity to grow. When you’re not accomplishing anything, the daily routine and monotony bring exhaustion.

With lower-skilled employees, gradually increasing trust and empowerment lets them learn and thus improve their skills. Once they are skilled, they get more privileges and grow as analysts. That fuels creativity, and now the cycle is virtuous rather than vicious. As someone outgrows their position, a new and more challenging one can be offered, ensuring growth and potentially keeping someone who would otherwise quit.

Earlier we mentioned that automation, while beneficial for repetitive tasks, could take away the human element. If humans are involved in determining which operational bottlenecks would benefit from automation, then it can relieve some staff stress and let them focus on more interesting, challenging projects that help them grow. When analysts are empowered to help make automation decisions and are part of the creative development process, they feel part of the solution rather than having an automated tool shoved down their throat.

Automation can also triage individual security events to determine whether they represent an attack and correlate them with other events affecting the same devices. Machines can automate the scoring of attacks and prioritize them by risk or threat level. If it works well, the manual work is eliminated and the analyst is presented with the right scenario to act on with confidence.

Operational efficiency allows a SOC to use all its resources to detect and respond to threats in real time. Since analysts are in the thick of it, they directly influence operational efficiency. One example in the study concerned the ticketing process: case creation took too long, because filling out a ticket meant looking up the affected hosts and selecting the proper dropdown value for each field. Reflecting on what was needed, an engineer wrote a script to automate those steps, and it helped. He knew what was needed, was empowered to create a solution, and produced a positive result for the SOC. With the dull work out of the way, the team could focus on more interesting and challenging investigations.
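To make the two automation ideas above concrete (correlating and scoring events per host, then pre-filling the case ticket so the analyst does not have to look up hosts and dropdown values by hand), here is an added example in Python. It is not code from the article, from the cited study or from any SOC’s tooling: the pipe-delimited alert format, the sample alert lines, the severity weights, the corroboration bonus, the correlation window and the priority thresholds are all assumptions chosen for illustration.

```python
"""Added example (not code from the article or the cited study): first-pass
alert triage that correlates SIEM alerts per host, scores each case and
pre-fills a ticket. Format, weights, bonus, window and thresholds are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample alerts, not real data. Assumed format:
# ISO-8601 time | source | severity | host | signature
SAMPLE_ALERTS = """\
2024-03-01T09:00:12Z|ids|high|ws-042|ET MALWARE Win32/Emotet CnC Checkin
2024-03-01T09:00:40Z|proxy|medium|ws-042|Outbound request to newly registered domain
2024-03-01T09:01:05Z|edr|high|ws-042|Suspicious PowerShell encoded command
2024-03-01T09:03:00Z|ids|low|ws-017|ET POLICY Possible TOR usage
2024-03-01T09:04:30Z|av|medium|srv-db-01|PUA detected and cleaned
2024-03-01T09:05:00Z|proxy|low|ws-017|Category: proxy-avoidance
2024-03-01T09:05:10Z|ids|high|srv-web-02|ET SCAN Nmap SYN scan inbound
"""

SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7}  # assumed weights
CORROBORATION_BONUS = 2        # assumed: per extra independent source on the same host
P1_AT, P2_AT = 10, 5           # assumed priority thresholds on the case score
WINDOW = timedelta(minutes=15) # assumed: gap that splits one host into two cases


@dataclass
class Alert:
    ts: datetime
    source: str
    severity: str
    host: str
    signature: str


@dataclass
class HostCase:
    host: str
    alerts: list = field(default_factory=list)

    @property
    def sources(self):
        return sorted({a.source for a in self.alerts})

    @property
    def score(self):
        # Severity sum, plus a bonus when independent sensors agree on the host.
        base = sum(SEVERITY_WEIGHT[a.severity] for a in self.alerts)
        return base + CORROBORATION_BONUS * (len(self.sources) - 1)


def parse_alerts(text):
    """Parse pipe-delimited alert lines; blank or malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        parts = line.strip().split("|", 4)
        if len(parts) != 5:
            continue
        sev = parts[2].lower()
        if sev not in SEVERITY_WEIGHT:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        alerts.append(Alert(ts, parts[1], sev, parts[3], parts[4]))
    return alerts


def correlate_by_host(alerts, window=WINDOW):
    """Group alerts by host in time order; a gap longer than `window` opens a new case."""
    cases, open_case = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        case = open_case.get(a.host)
        if case is None or a.ts - case.alerts[-1].ts > window:
            case = HostCase(a.host)
            cases.append(case)
            open_case[a.host] = case
        case.alerts.append(a)
    return cases


def rank_cases(cases):
    """Highest score first; ties broken by earliest first alert."""
    return sorted(cases, key=lambda c: (-c.score, c.alerts[0].ts))


def draft_ticket(case):
    """Pre-fill the fields an analyst would otherwise look up and pick by hand."""
    priority = "P1" if case.score >= P1_AT else "P2" if case.score >= P2_AT else "P3"
    return {
        "title": f"{case.host}: {len(case.alerts)} alerts from {', '.join(case.sources)}",
        "priority": priority,
        "hosts": [case.host],
        "sources": case.sources,
        "first_seen": case.alerts[0].ts.isoformat(),
        "last_seen": case.alerts[-1].ts.isoformat(),
        "signatures": [a.signature for a in case.alerts],
        "score": case.score,
    }


if __name__ == "__main__":
    for case in rank_cases(correlate_by_host(parse_alerts(SAMPLE_ALERTS))):
        t = draft_ticket(case)
        print(f"{t['priority']} score={t['score']:>3} {t['title']}")
```

Run as-is, the workstation seen by three independent sensors (IDS, proxy, EDR) lands at the top as a P1, the single inbound scan against the web server comes out P2, and the two low-severity proxy-avoidance hits and the cleaned PUA sit at the bottom. The thresholds and bonus are the part a SOC would tune against its own history; the point is that the analyst opens a case with hosts, sources, time span and a ranked queue already filled in, which is exactly the dull lookup work the study’s engineer scripted away.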

To measure a SOC’s efficiency, metrics give management visibility. They can identify bottlenecks, count intrusions, inform compensation, influence investment and show the SOC’s value to the organization. Choosing the right metrics matters. Reports that are too technical can be misinterpreted by management, and ones that are too ‘managerial’ may not reflect the SOC’s actual inner workings. Often, SOC workers are unsure what management needs. Every incident? The most damaging attacks? Incidents that involved multiple teams? Missed threats?

Getting the reports right, rather than just generating numbers, can have a lasting effect on the SOC. It helps determine ROI and future investment. It also has a direct effect on human capital: metrics can decide exactly what an analyst works on, which creates a limited form of empowerment. Metrics shape management’s perception of what’s happening, which directly influences investment in the SOC. With less budget, areas like training or compensation may be cut, directly limiting analysts’ growth. Meaningful, well-chosen metrics, on the other hand, can lead to promotions and other perks for analysts.

Conclusion

Human analysts are the most important piece of the SOC puzzle, followed by tools and procedures. Humans are creative, passionate creatures and need to be nurtured as such. Skills, Empowerment, Creativity and Growth, done right, are the essential ingredients for a productive, resilient and well-maintained security operations center. Organizations reap the benefits while keeping their infrastructure secure, and the hard-working analysts will finally feel like Security Stars.

Peter Silva
Peter Silva, Sr. Solutions Marketing Manager, Security at F5 Networks
