The vast majority of security teams, including those responsible for Security Operations and Incident Response, have been trained, mentored and promoted within a frame of infrastructure protection and compliance. The focus has been on understanding and deploying effective measures to manage vulnerabilities, risk and controls, all underpinned by a strong technical component. This has led to better and more effective security processes, including for responding to incidents and threats, and it has typically improved core metrics such as how quickly high-severity alerts are resolved and how many threats are blocked. However, the threat environment has fundamentally changed, and the center of gravity of "mainstream" security operations and incident response has shifted towards searching for and interpreting signs of attackers who are already inside the walls of the "network."
The challenge of finding skilled security staff is a known and often discussed issue, and it intensifies as demand for cybersecurity expertise grows. Developing and training talent has become the priority for every CISO and security leader. Yet where a major new talent pool may come from, and the kind of training required to ramp it up, may be the greatest departure, and the greatest opportunity, the industry has seen in decades.
A New Breed of Security Analysts
Organizations that have standalone intelligence functions, or well-developed Incident Response "Red" teams, have typically recruited leaders and members with human and political intelligence backgrounds. These team members have often spent time in government or in the security functions of very large financial services firms. They focus on understanding the adversary: the motivations and the patterns of an attack. Piecing together the breadcrumbs of an attack, or determining where and when to look for one, is the core of the work.
As a broader set of organizations look to either set up an Incident Response team or evolve their existing one to include more proactive, intelligence-driven processes and workflows, new competencies are needed among security team members. Many teams want to sift quickly through myriad intelligence sources and map them into workflows that surface trends, removing the need for manual review by team members. Being able to cross the chasm from disparate sources of intelligence to a visual map of them is a critical need for many teams. There is a technology gap here: no tool exists, and perhaps none ever will, to automate this fully.
Adding A New Skill Set and Competency for the Incident Response Team
Thinking in pictures and connecting dots is not a skill that the vocational training or security certifications held by most Security Infrastructure or Response teams have honed. Hiring a more diverse set of team members, including those with political science, interactive design and data modeling backgrounds, is still an "outlier" trend even in "early adopter" Incident Response organizations. Yet strong aptitude and training in critical thinking, interpreting ambiguous data sets, and turning human perception into visual and analytical models are the core tool-set for the next era of more effective security and incident response.
Early adopter security teams that hire individuals from these less typical paths usually already have skilled staff, and training, in intelligence interpretation as well as the core technical skills needed to make a new hire a quickly functioning member of the team. The challenge for mainstream security teams will be to recruit members with this competency and skill set and then enable them for security work. It can be done, and in the coming months expect to see, and to write, more security job descriptions that ask for a certificate in visualization and design rather than the CISSP.
Have you been following along in our incident response series? Catch up here:
- Connecting the dots: Business benefits of threat hunting
- Crossing the Chasm From ‘Prevent and Respond:’ How do you start?
- Tales from The Trenches: Going from 0-60 Seconds with an Incident Response Team