To Provide a Robust Team Capable of Supporting 24×7 Coverage, a Team of Specialists is Paramount to Securing any Infrastructure.
In this column I intend to break away from the previous discussions about doctrine as it applies to operations and focus on something the military calls “force structure.”
Force structure is the composition of military units assembled to accomplish military objectives. At the lowest level it involves military jobs filled by individuals such as riflemen, grenadiers, medics, etc. The makeup of military units has evolved over hundreds of years through combat experience. In comparison, we have only 20+ years of experience to determine what a cyber security team should look like today. The only parallel we can draw is that effective militaries establish specialties to organize battlefield efficiency and streamline training to provide proficiency in roles.
In the cybersecurity field today, there are several job descriptions associated with the profession including incident handler, intrusion analyst, forensic examiner, malware analyst, firewall analyst, penetration tester, and many more. There are also a variety of certifications available to go with these titles. These roles are based on today’s conventional wisdom of what cyber security teams need. But are they the right roles? They portray a reactive mindset focused on what has happened versus what is going to happen. The intent of this article is to offer some ideas on force structure in terms of individual roles in order to have an effective cyber security team.
Why is this important? Skilled cybersecurity professionals are a commodity nearly worth their weight in gold. They are in significant demand and short supply, and every organization competes for the same pool of skilled professionals. It would be nice to have a team where each member possessed the training, skills and aptitude to “do it all.” But if you are fortunate enough to find that person, more than likely you cannot afford him. Unfortunately, in my career as a cyber security professional I have only encountered a handful of cybersecurity experts that possessed that ability. Therefore, we must create a team blended with the right skills to cover the terrain required to successfully defend our networks.
I am basing my team structure on my experience of providing enterprise data communications services, commanding the US Army CERT and my support over the years to US-CERT and other governmental and commercial organizations.
I believe the closest model in the military for our purposes is the US Army Special Forces “A Team” structure. This team has evolved after years of experience and operating in the toughest conditions with a small team that holds a great deal of responsibility and trust. (If that doesn’t sound like most of the SOC or CERT teams I know, I do not know what does…)
For those not familiar with Special Forces operations, the “Green Berets,” as they are also known, are an elite group of soldiers responsible for strategic level operations behind enemy lines. “Special Forces groups are organized in small teams of 12 men — a.k.a. Operational Detachment Alpha (ODA). A typical Green Berets Team structure usually consists of two each of the following: Weapons Sergeants, Communications Sergeants, Medical Sergeants and Engineering Sergeants. A Commander, Assistant Commander (Warrant Officer), Operations/Intelligence Sergeant and Non-Commissioned Officer In Charge (NCOIC) complete the team.”
Using this example, I have identified my ideal Cyber Security Team including titles and role descriptions. To add some color to the discussion, I am using descriptive titles that help easily distinguish their role. Understanding today’s budget constrained environment, I have listed them in order of priority.
Netter – Someone who lives and breathes network operating systems and the OSI model. This position must be staffed with someone capable of making the network fabric as secure and reliable as possible. They are skilled in determining baseline network behavior and detecting anomalies against that baseline. They must truly understand how their network works and the devices connecting to it. I have too often been involved with mitigation efforts where network administrators did not know what was happening on their own networks. With the advent of Bring Your Own Device, this position is paramount to a successful defense. Devices are cheap and replaceable – networks are dynamic and must be resilient.
Defender – Someone who owns the Security Zone. This battlespace, formerly known as the DMZ, is the first point of presence in any enterprise network, where the enterprise touches the outside world. The Defender is responsible for the defense of all devices in the security zone. This person must have the ability to choose his weapons. His weapons must have the ability to find, fix and finish his enemies within the security zone. If he is going to be held accountable for the security of this operational area, he has to work with tools on which he is trained. (By the way, this is more important than having the “best” tools.) Also, just like in military operations, the Defender must have operational control of the defensive measures (aka configuration control) of devices in his operational area. He must understand impacts to business functions and weigh those against risks, but he must have the autonomy to act in his organization’s best interest. He must have the trust and confidence of his superiors or he will not be effective.
Healer – Someone who owns the crisis du jour. In every cyber security organization I have been associated with, the crisis of the day derails all efforts to be proactive and get ahead of threats to the network. Leadership must accept this fact. Just like in military operations, the enemy will get through your defenses, and good commanders plan for those contingencies. They have mobile forces ready to plug the breaches and contend with enemy forces throughout their battlespace. They also have medics assigned to provide aid to fallen soldiers. The Healer is responsible for stopping the breach when the defense has failed. He must stop the bleeding and prevent reinfection. He must have the weapons to find, fix and finish the enemy within the close combat area. In today’s vernacular this is your Incident Handler. However, this incident handler cannot be a ticket jockey. He should be responsible for problem solving, not problem tracking.
Leader – At this point you need someone in charge – not to take the glory or credit. This person is responsible and accountable for the actions and productivity of the team. He must have a very good understanding of how the IT infrastructure supports the business and organizational processes. The Leader designates team priorities of work based on rules of engagement built with organizational leadership guidance. Just as important, this person must be able to talk to people in plain language, look them in the eyes, and coordinate the efforts of the team to greatest effect. In other words, he needs to have a technology background but doesn’t dream in 1s and 0s.
Fuser – This person owns the Areas of Influence and Interest. He provides intelligence support to the team. The Fuser is responsible for open source research, proprietary research and generally gathering all information regarding threats to his organization’s information environment. The Fuser is also responsible for understanding the business process. With this background, he builds intelligence products and identifies specific threat types focused on the supported infrastructure. Based on this intelligence and the intelligence needs derived from the Leader’s guidance and the resulting Priority Intelligence Requirements, he develops a collection plan for internal and external assets.
Cryptor – This person is responsible for making the network, or the data residing within it, unusable by those not authorized to use or see it. He is the team cryptographer, Public Key Infrastructure (PKI), and two-factor authentication guru. To be very effective, this role is important enough to be a sole responsibility. However, it can be a secondary job for another team member – like the Leader. Regardless, the Cryptor must understand the nuances of encryption and the cost-benefit analysis of implementing it at different levels of your infrastructure. In a related role, the Cryptor would own access control to emphasize compartmentalization.
Scrivener – Taken from medieval terminology, the Scrivener copies official documents. In plain English, the Scrivener is the person who owns documentation. In the world of compliance, regardless of the value of compliance, documentation is necessary to meet regulatory requirements. More importantly, until you write it down, it’s not done. This takes a very patient, persistent and detail-oriented person.
Coder – Someone who lives and breathes software code languages. This is the geekiest geek amongst geeks – bathing irregularly and living off Monster drinks and Gummi Bears. This person intimately understands how software works. This person owns dynamic code review, aka penetration testing, of any custom code or scripts produced to fulfill business functions. The Coder delves into this code to identify vulnerabilities and determine behavior such as port, protocol and service dependencies. When not involved in code review, the Coder tests the network security posture.
In my experience, quality not quantity is the most important attribute of a cyber security team. One expert is sometimes worth a whole team. However, in order to provide a robust team capable of supporting 24×7 or even 16×5 coverage, a team of specialists is paramount to securing any infrastructure. Like any military operation, team composition and strength will depend on the operational environment.
Choose wisely, the bit you save may be your own!