Building a Security TeamBy: Dell SecureWorks
Network protection is a priority for an increasing number of companies.
Network protection is a priority for an increasing number of companies. For some organizations, it makes sense to keep the security experts on staff, and for others, outsourcing to network monitoring services is the answer. Before you can make the decision to manage security and network protection internally or outsource it, you should have a good idea of what it takes to build out a security team and keep the members on top of their game. This article explores what it takes to build a team to help your organization make a decision about whether to go in-house or outsource network monitoring services and response.
Your journey towards building out a team will begin with identifying what a network protection expert looks like. The bad news is that hiring experienced security help is exceedingly difficult. The industry suffers from a lack of qualified talent and high salaries among the experienced. The good news is that security experts can be made from existing employees, as long as you avoid some common mistakes.
Hiring or transferring talent into a network protection team is just the first step. Next, "you're going to have to invest some of [the team's] time on learning about new vulnerabilities and techniques for protecting against them," says Raven Alder, an incident response and network monitoring services expert. Getting serious about security means more than dedicating capital resources to the task. Hardware is great, but even better is a team that holds the most current knowledge about vulnerabilities and ways to protect networks from being exploited. As you'll see, training is vital.
System Administrators Are Not Security Experts
A common mistake made by IT managers is to ask system administrators or network monitoring professions to handle security duties as part of their daily routine. According to over 1800 computer security experts surveyed by the System Administration, Networking and Security (SANS) Institute, the worst mistake a company can make that'll lead to breach is to place untrained people in security roles.
System administration is a full-time job. So is working as a security expert. Neither one can or should be a collateral duty of the other. Some companies have it half right -- they ask that their system administrators not focus on network protection. These companies frown on their system administrators, or network monitoring services team, reading the authoritative mailing list on software vulnerabilities -- Bugtraq -- because it takes too much company time.
How are system administrators supposed to keep their networks secure? Create a team of security experts whose mission in life is to tell the system administrators what's vulnerable, how, and how the vulnerability can be fixed. The network protection experts should be reading Bugtraq and the system administrators should be applying the patches.
Applying security patches is a system administration duty, not a security duty. Administrators' primary duty is to ensure availability of system resources. Installing patches may require downtime, and therefore it makes more sense for administrators to include patching in their administrative downtime, rather than security personnel potentially affecting sysadmin job metrics." Its also important that management support the security team's efforts with the system administrators. The need for security patches will not be apparent until there is a security breach, at which point the downtime will eclipse the minor inconvenience of patching.
Making of an Expert: Training & Knowledge
Some companies opt to transfer employees from system administration or network monitoring services roles into security. This can be a wise decision because your security team will need to work closely with system administrators in the event of break-ins and need to have a strong knowledge of how the network is set up.
The first step to converting a system administrator is gaining an understanding of security and network protection. According to Michelle Murrain, an independent technology consultant, there are three components to understanding security:
- A basic understanding about what is vulnerable
- Knowing where to find up-to-date info on new vulnerabilities
- Knowing how to address new vulnerabilities where they occur
A security expert knows all of these for the environment (network) in which he or she operates.
Understand What's Vulnerable
The easy answer is, "everything". Ultimately, every piece of software on your network could be vulnerable to attack. Network protection experts need to know exactly what's installed and how its configured.
The security team needs a deep understanding of all the software installed anywhere on the network. A classic worm attack took advantage of a vulnerability in a Microsoft database server which left the administrator account unprotected by a password and allowed Microsoft server applications to install SQL Server. The end result was that an attacker could identify vulnerable systems and "execute arbitrary commands," which is the security world's way of saying an attacker can do just about anything they want.
The Computer Emergency Response Team (CERT), a federally funded reporting center for computer security issues, issued a vulnerability notice about the problem.
In understanding what's vulnerable, a security team would probably read the CERT announcement. The next step would be to identify if their network is running any vulnerable software relating to this announcement.
Here's where a big trick lies -- the worm in this example did a lot of damage on networks where administrators didn't even realize they were running SQL Server. You see, SQL Server comes bundled with many other pieces of software. Knowing exactly what additional pieces of software are being installed by applications is a big part of knowing what's vulnerable.
Understand Where to Find Up-To-Date Information
In the network security community, one name is synonymous with current vulnerability information -- "Bugtraq". Bugtraq is a mailing list, administered by SecurityFocus, that "is a full disclosure moderated mailing list for the detailed discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them."
Bugtraq is one source of current information about vulnerabilities. Vendor web sites and mailing lists are also excellent sources. Security experts will subscribe to Bugtraq and vendor lists to hear about vulnerabilities as soon as they're announced.
For more in-depth analysis and vulnerability disclosure, CERT's vulnerability announcements and the National Infrastructure Protection Center (NIPC) provide detailed announcements. Frequently, information is duplicated across Bugtraq, vendor mailing lists, CERT, and NIPC but isn't ensured. Network protection experts need to monitor all sources because there is no centralized reporting of security issues.
Besides knowing exactly where to find current vulnerability information, security experts must have the time to read these sources regularly. Bugtraq alone can take 1/2 to 1 hour per day to read and digest. And that's just one of several sources on which a security professional must keep current.
Understand How to Address New Vulnerabilities
How will your team fix the vulnerabilities after they're announced? We're talking about your business' lifeblood here -- its connection to the Internet and the services you provide to your customers.
Have the security team write a plan for what to do when vulnerabilities are announced. Procedures will typically take into account suggestions from the source of the vulnerability announcement. For example, whenever CERT announces a new vulnerability, the announcement frequently includes suggestions on how to address the problem. Their suggestions generally take the following form:
- Turn off or filter vulnerable services
- Apply workaround solutions as temporary fixes
- Notify network monitoring services
- Obtain and install vendor patches
Each organization needs to determine how they'll apply patches or otherwise fix the vulnerability. Some questions to consider are:
- Will production services (that the outside world use) be out during the patch?
- Are there notification requirements within the company before the patch can be applied?
- How will a new patch be tested?
- What are the fallback procedures in the case of patch failure?
Knowing what might be vulnerable, where to find current information about vulnerabilities, and what to do to address them can all be learned by your security team without expensive training and certifications. What else should a network protection team know and how might they learn it?
What about Security Certifications?
Theory behind technologies used in security, such as cryptography, is another aspect that needs to be understood by a security team. Advances in the state of the art in intrusion detection, firewalls, and incident response are other examples of areas where training is called for. External certification programs are a popular source of this information.
Two major certifications dominate the industry: SANS GIAC and CISSP from (ISC)2. The CISSP certification has been around longer than SANS and boasts more certified individuals. The relative upstart, SANS with GIAC, is probably more appropriate for the "security engineer" type of work while CISSP is more suited towards policy-makers.
The SANS Institute offers the Global Information Assurance Certification program. SANS GIAC offers 11 different certifications, including Security Essentials and Security Leadership.
Another certification is Certified Information Systems Security Professional) CISSP from the International Information Systems Security Certification Consortium, (ISC)2. A newer entry in the certification game from (ISC)2 has been the Systems Security Certified Practitioner (SSCP), a practical course focusing on risk, response, and recovery among other day-to-day concerns.
Find people who know how to apply what they've learned. Certification may help you find such people. Earlier, I introduced three keys to understanding security (know what's vulnerable, where to find current information on vulnerabilities, and how to address them). When building your team, quiz candidates about these three areas of understanding.
After you've built your security team and provided initial training (through a combination of external and internal sources), keep in mind that you'll need to provide for continuing education for the team. Sending a team member or two to security conferences or new certification courses is a good idea.
Security is a Team Sport
Throughout this article, I've talked about a security team. Notice that there's no I in team. Don't be tempted to save some money and have a single security expert on your staff. During an emergency, you'll need a team of experts to work together and minimize a breach.
Having a critical mass of security experts ensures the team can share knowledge, make up for gaps in knowledge, and allow for specialization. In a network security organization of one, this sharing cannot take place. One person cannot do it all on their own.
The temptation will be strong to cut back on the security team because the members may appear idle for relatively long periods of time. That's because you'll only see them working when a crisis occurs.
Security experts are a bit like firefighters. They go through intensive training that prepares them for an emergency. Firefighters spend the time between fires preparing for emergencies, spreading the word on prevention, and gaining additional knowledge. When the emergency arrives, they have to operate on little more than instinct. There's no time to look things up or make sure it's being done right. When it's all done, they return to the firehouse and start the cycle again. There is a big difference between firefighters and security experts -- the latter don't get to use the cool fireman's pole.
Is Outsourcing A Good Idea?
Building a team to manage network security is a huge task. You'll need to:
- Hire the right people or transfer existing people (a team of three people is probably the minimum size that's viable)
- Continually provide for expanding their knowledge (training with SANS, CISSP, etc. is one way)
- Establish and maintain procedures for incident response
If the task is too daunting or expensive for your company, you might consider outsourcing security management. These organizations can monitor your network for attacks on a continuous basis, in effect providing the security team for you.
How expensive is outsourcing? Generally speaking, the up-front costs are much smaller than in-house management. Outsourcing saves you the cost of hiring, paying, and training a security team.
No matter how you decide to manage security, remember that according to SANS, the biggest mistake management can make that leads to security vulnerabilities is to assign untrained people to maintain security. Don't be guilty of bad security.