These are fascinating times we find ourselves in as security professionals, never has there been so much information at our fingertips on how to do our jobs in creative and outside the box ways! It’s literally like being Neo in the Matrix, you can find and follow bona fide rockstars such as Matt Graeber, Will Schroeder, Carlos Perez, the SANS Blue team instructors and the list could go on for days, read there blogs, tweets and videos, then work hard and you learn “Kung Fu”.
Step 1: The People
According to the HP State of the Security Operations Center 2017 Report of Capabilities and Maturity of Cyber Defense Organizations, people are one of the areas that consistently score poorly year after year. Why is this? Is it because the people lack the intellect to get the job done or maybe they have no passion or lack the training in a specific area? Hell maybe it’s all three for that matter! If organizations expect to secure their networks you have to hire the right people, plain and simple. They don’t need all the skills at first, but need to have a desire for self improvement, in their craft. Then you need to hone and develop that desire to create the analyst you need. Good people are not cheap and in the end after all that training and experience they may decide to leave, but do not let that discourage you. Ensure there are proper processes in place to transfer this knowledge to the junior analysts, which brings me to the next step, the process.
Step 2: The Process
Document, document and then document some more! I know this tends to be my weakest area as well. I’ll come up with some cool way to parse and analyze a particular file at scale and then fail to document the process of how I did it. Three months later down the road when I find myself wanting to use that technique again I have to take out time to troubleshoot and debug my scripts to get them working, if only I had documented my findings to begin with I would be on the road, hunting the adversary instead of tweaking my scripts. This is one of the main reasons I created this blog, so that I could have a central repository for my thoughts and techniques and along the way maybe help somebody out. Do not let your knowledge only be contained within your ears. That is called “Tribal Knowledge”, instead teach what you know. Strive to improve your peers! Create healthy competition amongst yourselves. Breed an environment that encourages teaching and learning! Chris Sanders says in his book Applied Network Security Monitoring, “Everyday you need to be learning or teaching!”
Step 3: The Tools
There are amazing open source tools out there with excellent documentation on how to use it that rival some of the there commercial brethren, or there are tools literally baked into the operating system you have already paid for that are being under utilized or not being used at all! Here is a quote from the HP State of the Security Operations Center 2017 Report of Capabilities and Maturity of Cyber Defense Organizations, “Many of the open source tools and community resources available for security operations require a degree of customization and ongoing maintenance that organizations must carefully evaluate.” This is what I’m talking about, here they make it sound like, if you don’t spend money on a tool you won’t be able to manage it. I would venture to say all tools require customization and ongoing maintenance that organizations must carefully evaluate. There is no tool on the market that you drop in your network with no customization or ongoing maintenance and magically it defends all the things and won’t begin to fall apart on you. I repeat, there is no tool on the market, that you drop in your network with no customization or ongoing maintenance and magically it defends all the things and won’t begin to fall apart on you. Take your SIEM for example, most commercial vendors are going to tell you that you need to collect everything and just dump it into your SIEM, when in reality there is really only a finite amount of things you should send to your SIEM if it’s main duty is hunting. Your SIEM should NOT be a huge database of all things collected in your environment. It should be a lean, fast and scalable threat hunting tool filled with tactical data that will allow you to hunt the adversary. Literally all my favorite tools are free like Bro, Elasticsearch, PowerShell, Python and etc. I challenge you, if you have the opportunity, master these and then if you find that there are gaps they can’t fill then do your research and actually challenge the vendors to solve your particular gaps.
So in conclusion, I would just like to encourage you to invest in and take care of the people, they will in turn create the processes that govern the tools. So until next time…