…in order to catch up with attackers, we’re going to have to understand our information systems better so that we can detect, triage, and deal when we do get compromised, because it’s only a matter of time. And that does not include clicking on a management console somewhere.
I wholeheartedly agree with this. As defenders and even as *effective* attackers, the knowledge has to get deeper. I would also add that this understanding also does not include just having good inventory and documentation; we’re talking real, expert/working-level knowledge.
Sadly, I wanted to tackle this idea not to preach to the choir, but just to play devil’s advocate and not try to make it sound like once you accept this idea, your head is in the clouds where puppies and kitties frollick amongst forests of candycanes and pastures of skittles. Instead, there’s a heck of a lot of pressure that keeps us from being the experts we need to be in order to do security well.
1. Technology moves on – Lifelong learning is a mantra in security; duh. But there does need to be acknowledgement that even if you devote the time to learn something deeply, someday you’ll start the whole process over when your knowledge is obsolete and needs updated. Once you understand A, we’ll have B, C, and D beating down our doors. Security is one area where you need to have deep knowledge on things past as well as what’s coming tomorrow. That’s a tough job, and it’s ego-sapping. You can’t come in with an ego and expect someone to help you. We’re constantly wisened adults and learning infants at the same time.
2. Know your security tools as well – Deep knowledge on your own systems? Check. Deep knowledge on your security tools? Wait, what? As full-disclosure recently demonstrated, even security tools have issues. Could *you* have seen that Pangolin reported back to a mothership? The security community is just as interested as any in punking its own, and who better to pwn than the guys with the vuln reports, admin access, risk analyses?
3. Security dashboards don’t [always] help us – My one biggest issue with security suites and large management tools is the same interface that allows management of an enterprise-wide array of data/systems/information is the same interface that steals away our ability to be agile, hands-on, and expert with the underlying roles it serves. If you rely on a tool to do your nmap scans, you’ll lose the ability to do your own nmap scans without the tool. Layer such management tools on top of other management tools on top of other layers, and pretty soon security analysts can only work on those monolithic management dashboards and can’t do crap on the command line, hands-on. That’s not to say you should know how to write an AV detector rather than buy an AV suite, but you do need to be functional underneath the tool if need be. Low-level skills are important, like those found in forensics or coding or traffic analysis or reading your own damn logs, etc.
4. Experts at everything – Yeah, as if it didn’t suck enough all the technical things to know, we should also be aware of interpersonal social skills, both from an attacker perspective (SE) to inner political workings of a business. And the business processes, risks, and goals. Granted, this is why we make various levels in security, from technical analysts to risk managers, but still we’re far to few to rely on that stratification. We need to field questions and give actionable answers on a variety of topics including mobile security, virtualization and cloud, malware, espionage, physical theft, C++ code, .NET code, scripting, encryption cipher strengths, traffic captures, VOIP and VLANs, CCTV/IP cameras… Ever try to BS developers on security practices? 🙂 Ever get asked to prove that something is a risk or that the risk is more costly than the fix?
5. You don’t know enough – You know the saying, “There’s always someone better than you.” That’s true with knowledge as well; none of us will know everything about something. There will always be places to learn more, tricks to practice, technical talks to attend that don’t just speak obvious unhelpful generalities like, “security sucks.”