Today every enterprise is undergoing a digital transformation, deploying digital platforms that engage customers, partners and employees.
Every interaction creates data about who is doing what, when and where. Big Data analytics techniques are being leveraged to gain insights for competitive advantage.
Cyber-crime activities that breach organizational boundaries and steal valuable data resources, including customer information and intellectual property, are becoming so sophisticated that many enterprises do not realize for a long time that their information assets have been compromised.
The top two business cyber-risks are data loss and the concomitant disruption to smooth operations. According to industry estimates, cyber-attacks cost businesses as much as $400 billion a year, which includes direct damage plus post-attack disruption to the normal course of business.
As business is now driven by complex software and information technology, no other business issue has the same potential to result in massive customer drain, revenue losses, reputational damage and lawsuits from affected parties as a breach in cyber security. Hence corporate boards now have to play an active role in deciding strategies for mitigating cyber risks. There is now a vital board-level role for a person who can put into place a strategy to govern across a vast and quickly evolving cybersecurity threat landscape.
The formal role created to manage Cyber Security is called CISO – Chief Information Security Officer.
The CISO typically heads an independent technology and business function with a dedicated budget and resources. Her or his mandate extends from physical security (equipment lockdown, role-based access control, etc.) to setting architectural security standards for business applications, as well as reviewing business processes. One of the CISO's main goals is to standardize the internal taxonomy of cyber risk and to provide a framework for quantifying these risks across a global organization. To fulfil these responsibilities, the CISO today needs specialists with specific skillsets, which are emerging as formally established roles.
Under the CISO's leadership, security specialists form a team called the Security Operations Centre (SOC). The SOC is a formalized capability designed to handle any and all security incidents across millions of endpoints. The goal is to provide corporate-wide data collection, data aggregation, threat detection, advanced analytics and workflow capabilities, all from a single area of management.
SOC systems therefore perform an essential function, as they deal with massive data streams constantly generated by many different systems, devices and business applications: intrusion detection systems, firewalls, antivirus tools and so on. All of this data is pulled into Security Incident and Event Management (SIEM) tools, which filter, aggregate and correlate it and then provide reporting functions from a security-alert standpoint.
The typical workflow is to encode the expected (signature) behavior of endpoint systems and applications into static models that reflect typical application behavior using business rules, and then to flag any out-of-band behavior. A security analyst then determines whether the alert represents a specific threat or is just harmless noise. For example, a credit card usage event from a known bad IP address could signify a security compromise.
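To make the filter / enrich / correlate / report pipeline concrete, here is an added toy SIEM rule engine (example code, not part of the original article or of any SIEM product). The log lines, the bad-IP list and the velocity threshold are all constructed for illustration; rule 1 is the article's "known bad IP" case, rule 2 goes slightly beyond it by correlating several events per card inside a time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel enrichment list (hypothetical; documentation-range IPs).
KNOWN_BAD_IPS = {"203.0.113.7", "198.51.100.23"}

# Constructed sample events: timestamp, card token, source IP, amount.
SAMPLE_EVENTS = """\
2024-05-01T10:00:00 card=tok_111 ip=192.0.2.10 amount=42.50
2024-05-01T10:00:30 card=tok_222 ip=203.0.113.7 amount=910.00
2024-05-01T10:01:00 card=tok_333 ip=192.0.2.11 amount=12.00
2024-05-01T10:01:20 card=tok_333 ip=192.0.2.11 amount=15.00
2024-05-01T10:01:40 card=tok_333 ip=192.0.2.11 amount=19.00
2024-05-01T10:01:55 card=tok_333 ip=192.0.2.11 amount=22.00
"""

def parse_event(line):
    """Filter stage: turn one raw log line into a dict; malformed lines are dropped."""
    try:
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        ev["amount"] = float(ev["amount"])
        return ev
    except (ValueError, KeyError):
        return None

def evaluate(log_text, velocity_limit=3, window=timedelta(minutes=1)):
    """Enrich each event against the bad-IP list, then correlate events per card.
    Returns the list of alerts an analyst would triage (escalate or filter out)."""
    alerts = []
    per_card = defaultdict(list)          # card token -> recent timestamps
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        # Rule 1 (static, enrichment-based): usage from a known bad IP is high severity.
        if ev["ip"] in KNOWN_BAD_IPS:
            alerts.append({"rule": "bad_ip", "card": ev["card"], "ip": ev["ip"], "severity": "high"})
        # Rule 2 (correlation): more than velocity_limit uses of one card inside the window.
        per_card[ev["card"]].append(ev["ts"])
        per_card[ev["card"]] = [t for t in per_card[ev["card"]] if ev["ts"] - t <= window]
        if len(per_card[ev["card"]]) == velocity_limit + 1:   # fire once, when the limit is crossed
            alerts.append({"rule": "velocity", "card": ev["card"], "ip": ev["ip"], "severity": "medium"})
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Raising `velocity_limit` or shrinking `window` is the "tuning" step that turns a noisy rule into a useful one; the bad-IP rule only ever fires when the enrichment feed is right, which is why analysts still triage it.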
With the emergence of workflow automation platforms like OpenSOC and Apache Metron, we can expect these specialist job profiles to become mainstream. The complete set of roles in the SOC and their skillsets are as follows:
- SOC Analyst
  Profile: Beginner, junior-level analyst.
  Responsibilities: Monitor SIEM tools, search for and investigate breaches and malware, review alerts and decide whether to escalate them as tickets or filter them out, follow security playbooks, investigate script-kiddie attacks.
  Tools Used: SIEM tools/dashboards, security endpoint UIs, email/ticketing/workflow systems.
- SOC Investigator
  Profile: More advanced cyber security SME; experienced security analyst who understands the more advanced features of security tools, has a thorough understanding of networking and platform architecture (routers, switches, firewalls, security) and the ability to dig through and understand various logs (network, firewall, proxy, application, etc.).
  Responsibilities: Investigate more complicated or escalated alerts, investigate breaches, take the necessary steps to remove or quarantine the malware, breach or infected system, hunt for malware attacks, investigate more complicated attacks such as APTs (Advanced Persistent Threats).
  Tools Used: SIEM/security tools, scripting languages, SQL, command line.
- SOC Manager
  Profile: Experience managing teams; a security practitioner who has moved into management.
  Responsibilities: Assigns cases to analysts. Verifies "completed" cases.
  Tools Used: Workflow systems, ticketing/alerting systems.
- Forensic Investigator
  Profile: E-discovery experience with a security background.
  Responsibilities: Collect evidence on a breach or attack incident; prepare the lawyers' response to the breach.
  Tools Used: SIEM and e-discovery tools.
- Security Platform Operations Engineer
  Profile: Computer science developer and/or DevOps background. Experience with Big Data technologies and supporting distributed applications/systems.
  Responsibilities: Helps vet security tools before they are brought into the enterprise. Establishes best practices and a reference architecture for provisioning, managing and using the security tools; configures the system for deployment, monitoring, etc. Maintains the probes that collect data, the enrichment services and the loading of enrichment data, manages threat feeds, and provides care and feeding of one or more point security solutions. Does capacity planning, system maintenance and upgrades.
  Tools Used: Security tools (SIEM, endpoint solutions, UEBA solutions), provisioning, management and monitoring tooling, various programming languages, Big Data and distributed computing platforms.
- Security Data Scientist
  Profile: Computer science / math background with security domain experience; able to dig through as much data as is available, look for patterns and build models.
  Responsibilities: Work with security data, performing data munging, visualization, plotting, exploration, and feature engineering and generation; train, evaluate and score models.
  Tools Used: Python (scikit-learn, Python Notebook), R, RStudio, SAS, Jupyter, Spark (SparkML).
Cyber security is growing rapidly and is opening up new career opportunities for those who are willing to specialize in this domain.