How to staff your team across the security kill chain
Effective digital security needs people as well as technology. Most organisations are aware of the need to staff up to improve their security against cyber-crime, and there is no shortage of options: in-house experts, service bureaus, staff training and more.
Those staffing decisions are also shaped by capital expenditure (capex), operating expenditure (opex), the split between projects and operations, organisation charts and head count.
But to become effective, organisations need to take a close look at the cyber criminals' kill chain (the seven-stage intrusion kill chain: reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and actions on objectives) and ensure they staff each vulnerable point where human intervention is required. Let us reimagine the kill chain for security projects and operations, stage by stage.
Reconnaissance: updating skills, eyeing attack patterns, considering threat landscapes and formulating new approaches.
Weaponisation: technology procurement, engineering and automation, training and certification.
Delivery: project delivery, infrastructure installation and process implementation.
Exploitation: communication and consensus, corporate deployment and stabilisation.
Installation: tracking and retention, enforcement levels and advanced analytics.
Command and Control: threat intelligence, daily triage, engineering and orchestration, and response automation.
Actions on Objectives: stopping attacks, detecting breaches and responding to incidents.
It is easy to see which of these terms are technical – automation, technology and infrastructure, and which are human – communication, triage and skills. What may be less obvious is the way in which certain staffing models or assumptions can create weaknesses in the chain.
An obvious one is lean staffing, possibly even a single-person responsibility. Where is that most likely to affect the kill chain?
In reconnaissance, the lone security person does not have the time to update his or her knowledge or skills, research threats or trends, and keep up with the attackers, who DO have that time every day.
In delivery, the chosen security solution may be highly efficient, but delivering it (installing infrastructure and implementing process) can require significant effort, and a single person has too many distractions to see it through.
In command and control, daily triage means daily effort, typically structured and scheduled, and a sole security person has too many unstructured interrupts and insufficient energy to concentrate on it.
Clearly there is a pressing need to become creative about remedies. For command and control, consider outsourcing detection to a managed security service provider (MSSP).
For delivery, go with a full-service vendor or partner that can implement a complete solution, and build in plenty of package-based and consulting-based training/education for your security team.
Since security is a full-time job, a less expensive remedy for reconnaissance may be to hire people to take over some of the other hats your security person is wearing, freeing time for research and skills. For a smaller business, that could mean hiring a help desk person to support your lone wolf.
Outsourcing might be considered a remedy for weakness in the command and control link, but it can cover other links too: skills updates in reconnaissance, and potentially infrastructure in delivery.
But does that approach bring, or reveal, weakness in other links? In this reimagined chain, weakness often shows up in delivery. A services partner may have a preferred way of engineering and orchestrating a physical technology solution, but does the organisation's technology vendor or implementation partner mesh with that approach?
If management need to 'sell' the exploitation stage (communication, consensus and corporate deployment) to the organisation, who knows best how to work that angle? Is it another vendor, or is it the company itself?
When the MSSP detects a cyber attack, do they also offer incident response services? Or can in-house security do this? Do they have the bandwidth and the skills?
Get creative about remedies
Delivery: Choose vendors that reference and partner with one another. Use a trusted adviser to co-ordinate parties and envision solutions.
Exploitation: Choose an implementation partner or technology vendor that has a methodology, sample deliverables, collateral and communication plans.
Actions on Objectives: Go with best-of-breed, one-stop shopping, training your own team, or a combination of the above. Whichever you choose, think in terms of covering every link in the chain.
Bottom line: Security is not just about staffing up, it's about staffing right. Don't worry about exactly what the right answer is because there is no single answer. Rather, be guided by knowledge of the kill chain, and of your own organisation and operations.