This is the first in a three-part blog series about the important parts of a threat-centric security capability.
This first part focuses on the people and skills needed to effectively detect and respond to threats. In the vulnerability-centric approach to security, the focus is on the tools used (firewalls, IDS/IPS, WAF) and the ability to configure these tools to prevent compromise.
While these tools are still important parts of the threat-centric approach, the primary focus in the security operations center is the people — the analysts who detect and respond to threats.
Measuring success or failure in the vulnerability-centric approach focuses on the ability to prevent compromise. This is an incorrect approach as prevention eventually fails. Success should be measured by how effectively the compromise is detected, analyzed and escalated to the appropriate response.
There are several important skills security operations center analysts should have. A baseline knowledge should be defined which every analyst is required to possess, alongside areas of specialization that will set analysts apart from their peers. The analysts that staff a threat-centric operations center will possess some or all of the following baseline skills:
- Understanding of continuous security monitoring and the cyber kill chain
- TCP/IP and common application layer protocols
- Packet analysis (e.g. tcpdump, Wireshark)
- Understanding of Windows, Linux and Mac architectures
- Data parsing skills (e.g. bash, grep, sed, awk)
- Familiarity with both basic IDS (Snort, Suricata) and next-generation IDS (Bro)
- SIEM analysis
- Indicators of attack and indicators of compromise
- Threat intelligence gathering
- Malware analysis
- Programming skills (C/C++, Perl, Python, PHP, Java)
- Host-based forensics
- Offensive and defensive tactics
The security operations center will be composed of junior and senior personnel, classified not only by their years of experience but also by their abilities. Classifying analysts in this fashion will not only be useful for hiring purposes but will also provide the analysts with achievable goals to advance their careers.
The level one analyst will possess a fundamental understanding of the baseline skills mentioned above. However, the skillset will most likely not be specialized yet. The job of a typical level one analyst will be to spend time reviewing IDS and SIEM alerts and logs and performing analysis based on their findings.
Gaining expertise is the objective of the level one analyst. The more protocols, packets and events viewed by the analyst, the better their understanding of threats to the environment becomes. In most organizations, the majority of analysts are at level one.
The level two analyst has a firm understanding of all of the baseline skills. At least one of these baseline skills will be the level two analyst’s area of specialty, and they will spend time outside of the normal event review and investigation, refining and improving their skills in their area(s) of expertise.
Mentoring level one analysts will also be a part of their job, as well as improving the operations center’s ability to detect and respond in a more efficient manner. As the level two analyst matures in their role, they will increasingly participate in the shaping of the detection and response processes within the security operations center.
This will involve tasks such as creating signatures based on network events and/or malware analysis as well as threat research into the tactics, techniques and procedures of potential adversaries. Further, the level two analyst will also develop the skillset needed to look through various data sources manually in an attempt to find indicators of attack and compromise instead of relying solely on automated tools.
The level three analyst is the most senior analyst in the security operations center. These analysts will be skilled in all the areas mentioned above, with at least two areas of specialty. The level three analysts are the operations center’s thought leaders. Their time is not spent reviewing events, but instead mentoring other analysts, developing and providing training and leading efforts involving more complex forensic investigations.
The level three analyst is also primarily responsible for developing and enhancing the operations center’s collection and detection capabilities. This may include evaluating existing operations center tools as well as conceptualizing and developing new tools. The level three analyst may also be the liaison with the personnel who manage the vulnerability-centric tools, to ensure that intelligence from these tools is being fed to the operations center.
It’s important that a culture of learning be created in your security operations center and among its members. The operations center thrives on ingenuity and innovation, which are the products of motivation and education.
The threat-centric security operations center’s work culture should be based not only on learning but also on facilitating, encouraging and rewarding that learning. Team building is also an imperative and will require an extensive commitment from all analysts.
Analysts who trust one another and genuinely enjoy spending time together are going to be far more effective in detecting and responding to threats. Further, a cohesive team will also help promote a culture of learning.
In order to fully staff a 24x7x365 security operations center, at a minimum, 17 staff members (four level III, four level II, eight level I and one manager) would be needed.
Stay tuned for the second installment of this series, which will focus on security operations center processes and procedures for threat detection and response.
Do you have questions about threat-centric security capabilities, or want to learn more about building a security operations center? Visit Rackspace to find out more about our managed security services and the ways we help businesses keep the bad guys out.