When a cyber incident occurs, there is an almost universal reaction to try and prevent a future breach by going on a shopping spree for the latest security gear. The sheer number of white papers, conferences and PowerPoint decks touting new tools and blinking lights causes many organizations to fixate on these seemingly easy fixes while ignoring the most fundamental aspect of their enterprise security.
Technology alone can’t defend your network: it’s all about the people.
That’s not to say that technology isn’t important. On the contrary, a comprehensive technology strategy is critical to security. Whether you’re employing firewall defenses, endpoint monitoring software, network sensors or any number of other important defensive approaches, the technology matters.
But hammers don’t drive nails on their own.
Here’s an example: in many organizations, cyber analysts don’t do much actual analyzing. Yes, they operate systems. But too often, analysts end up as button pushers and watchers of lights. When was the last time an analyst did custom work (such as advanced signature or correlation scripts) for a technological tool in your organization? Rest assured, the good ones want to ‒ but are they empowered to do so? And if they are empowered, how seamless is it to mitigate, or clean up, a threat? For large enterprises, particularly, the reality is that approving such custom analytical work can be difficult to the point of institutional paralysis. When your core analysts see a pressing need for mitigation, but the pathway to get such changes approved moves glacially, the time disparity between recognizing a threat and being able to do something about it only serves the bad guys.
Here’s a more specific, but perhaps more universal, example: firewall logs. Ask 5, 10 or 100 organizations if they capture and store firewall logs. Most likely, all will answer “yes.” Second question: how many organizations correlate those logs with other data feeds, learn from them and make relevant changes to their network defenses? The affirmative responses go way, way down.
Why does this happen — and what should we do about it?
No organization is trying to put the brakes on their cybersecurity. The sometimes painful reality is a reflection of the day-to-day needs of network defense and, particularly, the fact that network defenders are always operating in “real time.” For a global enterprise that is already operating and defending 24/7, making fundamental transformations (no matter how essential) is daunting ‒ but it can (and is) being done, effectively, efficiently and with compelling benefits.
Getting there is done best by focusing on three pillars ‒ albeit all of them from a people-centric perspective.
First is process.
Knowledge management is key. Analysts connected with one another across the network can build off each other instead of duplicating their efforts. A good knowledge management system can also reduce training time for new analysts, enabling them to review how their predecessors solved problems. Think of it as being able to see the steps someone took to answer a calculus question versus just the final answer. It’s not only easier to learn from the former but being able to follow the steps to the solution also has the benefit of making it easier to discover where errors may have occurred.
Second are skills.
Don’t focus solely on certifications. Instead, focus on the mindset and the motivation. The myopic focus on certifications leads many organizations to recruit a workforce with very similar backgrounds. Look for diversity across your team and exploit that diversity to your advantage. Encourage people to find their niche. Are they masters at pulling code apart? Are they developers that want to constantly innovate new monitoring scripts? Or are they type that can see the patterns in complex data? As long as it is focused on a common goal, letting people pursue their passion rarely backfires.
Third are tools ‒ because nails don’t hammer themselves, either.
Focus on the right tools to allow analysts to practice their craft. Analysts should drive the tools ‒ and not vice versa. After a cybersecurity incident, many organizations spend millions on tools only to find that, within a few months, those tools have been relegated to the shelf. Take the time to identify the gaps that exist in your company, look for your visibility gaps and ask your analysts where they have bottlenecks. Only then look at what technology makes sense. The answer may be reconfiguring a tool you already own or making a strategic investment to fill a gap rather than clearing out the trade show floor and installing a dozen new boxes that go “bing.”
“Calls to action” often make a case for spending more on this tool or that technology. I fully believe that most security organizations are under-resourced and that spending more would always be nice. But before you spend the next dollar on a blinking box, consider that a recent Ponemon Institute survey of IT leadership in North America revealed that 90 percent answered “yes” when asked if their organization scrapped, or never used, security technology they purchased. Rather than investing in such “shelfware,” look at your people first and how they can be leveraged most effectively. Your networks ‒ human and technological ‒ will benefit.
About the Author
Lawrence “Guy” Delp is the cyber and data analytics engineering director for Lockheed Martin. Delp leads a global team of subject matter experts specializing in computer network defense, information operations, data analytics and full spectrum cyber capabilities. Previously, Delp was the program manager for the DISA GSM-O Network Assurance Program, leading a global team of cybersecurity analysts that transformed the computer network defense mission for DISA and its customers across the largest DoD networks. Delp received his bachelor’s degree in computer science from Embry-Riddle University and a master’s in systems and industrial engineering from the University of Florida.