The Security profession: Offense vs. Defense

Lately there have been some articles and conversations around the security profession, particularly the ‘how to get started’ aspect. My good friend Aamir Lakhani wrote a great article on getting started in cyber security (http://www.drchaos.com/getting-started-with-a-career-in-cyber-security-and-information-security/).

I thought I would add some additional considerations for aspiring security professionals by describing the two primary aspects of operational security.

There are certainly more facets to a security program than fulfilling a defensive or offensive role within the portfolio of services provided to the supported business. For instance, consider the following security program positions:

  • Executive management, such as a Chief Information Security Officer role
  • Risk management – the operational identification of business or operations risk and how to best manage it within resource constraints
  • Security compliance management for assuring alignment to organizational and industry standards or requirements

This short article will focus on the two primary roles individuals typically fulfill within a security organization: the defensive position and the offensive position.

As a side note, many organizations are resource-challenged when it comes to adequately trained and experienced personnel. The actual role a person plays can be one, the other, or at times both. For instance, when determining risk and how best to minimize it within an organization, the security professional must think in terms of both offense and defense when creating risk treatment options.

Leveraging an offensive or defensive role depends on the availability of resources, the security posture or situation at any given moment, and the approach used to assign responsibilities and tasks within the security organization.


Defensive Security

Defensive security can be thought of as the work in the background that provides a program with the framework, controls, goals, and business interaction needed to deliver the security program portfolio. Think in terms of a security strategy, policies, standards, and guidelines. Also think in terms of communicating the security strategy to the business, or providing some assurance of compliance with the stated security program requirements. Technical and non-technical controls are formulated in response to organizational requirements, to deliver security services according to the needs of that organization.

Defensive security also entails designing and implementing a secure architecture that integrates with the IT infrastructure and enables the business. Technical solutions are interlaced to provide a cohesive and layered approach for protecting critical IT assets and business processes.

For instance, industries… all industries require all of the following skills. The organizational structure, maturity, and availability of resources drive the fulfillment of the following roles. I know there was a caveat about not having all roles defined, but for a primer on offense vs. defense this is just too thin. I would need to expand this out quite a bit.

Give me another day to think about this… even if I state this is a view of offense/defense from a technical perspective, it will probably need some serious fleshing out or a rewrite.

The hardest thing is that you told me not to do too much to it, but it really needs a ton of work.

HAVING SAID THAT… I really like the concept of describing roles within a security organization as offense or defense. It is simply tough to call a particular role one or the other. For instance… is a CISO a defensive player or an offensive player? What about the person monitoring the SIEM for intrusion activities? Defensive players turn into offensive players rapidly when shit hits the fan.

  • Security Architecture
    • Overview: Before you start, you typically need to architect your security with the goal of reducing risk to the business. This position will usually work closely with Security Management, or could be the same role as Security Management. These positions plan out what security controls (technologies) to implement and how they relate to the overall system architecture. These controls can be technical, process, or people controls and should address the Confidentiality, Integrity, and Availability of the company's assets. Security architecture is typically the technical overlay to an IT structure.
    • Skills Needed: An overall understanding of all technology controls and how they work together, as well as an understanding of the business. It's a big advantage if you know the various vendor technologies available within this security space.
    • Technical: These positions require a solid understanding of the technical controls available and how they work together.
    • Experience: Like the Security Management positions above, these positions are usually for more senior/experienced people.
    • Position Names: Security Architect, Enterprise Security Architect, Product Security Architect
    • Industries: These positions span across all industries, but are usually found in companies with a more mature security program.

  • Security Technology Management and Monitoring
    • Overview: Once the technology controls are chosen, at some point they need to be installed, configured, and then managed on an ongoing basis. These positions are typically responsible for your security technology such as Next Generation Firewalls, e-mail security, endpoint security, web filtering, etc. Depending on the size of the company, positions may be available specifically for the ongoing management and monitoring of these technology controls. These positions usually work in what's called a Security Operations Center (SOC). This is simply not true… many organizations have an advisory approach for security controls. The security team creates the requirements and the IT staff actually implements them accordingly. Think firewall admin or management vs. monitoring. The SOC is a monitoring and response function, not necessarily consisting of a group of people that implement the technologies. Smaller organizations – maybe. Also, many orgs outsource SOCs. I think the statements throughout the following are pretty pointed vs. describing the nature of the role and how it interplays with a security program.
    • Skills Needed: Deep technical knowledge in many technologies is ideal, but at a minimum companies want you to have a good understanding of NG firewalls from major vendors like Check Point, Cisco, Fortinet, and Palo Alto. What about hunter/killer teams, incident response/forensics, SIEM knowledge, etc.?
    • Technical: These positions are very technical in nature, and a solid understanding of technology in general is usually required.
    • Experience: These positions can range from entry-level to senior-level.
    • Position Names: Security Engineer, IT Security Engineer, Security Analyst, Security Operations Engineer, Security Operations Analyst.
    • Industries: These are probably the most common, as they are sought after by most companies across all industries. Companies looking for SOC positions will usually have a more mature security program.


  • Incident Response and Forensics
    • Overview: In the security industry we have an old saying that still holds true today: “It’s not a matter of if, but when you get breached.” This means that we need people who can respond to an incident and determine which machines are compromised and how the attackers got in. An incident responder/forensic investigator will do just that. They will find the digital dust left behind to understand the who, how, what, and when of the incident, very similar to a crime scene investigator. Some specialized positions will work within or directly with law enforcement, government, and the legal industry.
    • Skills Needed: A thorough understanding of operating systems such as Windows, Linux, and macOS. You should know how to read logs, including full packet captures. It also helps to understand the various malware the bad guys use. Many tools are available for you to use, so a good understanding of them will help as well.
    • Technical: This is a very technical position which usually requires a deep understanding of operating systems and log analysis.
    • Experience: These positions usually require senior-level experience, but some junior positions may be available.
    • Position Names: Incident Responder, Forensic Investigator/Examiner, Intrusion Analyst, Information Security Incident Response Engineer
    • Industries: These positions are usually found in companies with a more mature security program. Many industries can have openings, but the retail, financial, and now healthcare industries will have more positions available, as they all have various government regulations tied to them. Because this is a very hard skill set to find, many consulting companies look for these types of positions.


  • Threat/Malware Analysis
    • Overview: A Threat Analyst will usually have similar skills to an Incident Responder or Forensic Examiner, but will focus a bit more on understanding the malware itself. These positions will reverse engineer the malware to understand what it is trying to do. In addition, these positions will usually help create detections to find the malware in the future.
    • Skills Needed: Similar to an incident responder, a good understanding of operating systems is a must, as well as various programming languages such as C and scripting languages such as Python. Even low-level languages such as assembly are important.
    • Technical: These positions are very technical.
    • Experience: Most of these positions are senior ones; however, there are many junior positions available, especially if you have a good programming background out of college.
    • Position Names: Threat Analyst, Malware Analyst, Reverse Malware Engineer
    • Industries: These positions are usually found in companies with a more mature security program. Many industries can have openings, but the retail, financial, and now healthcare industries will have more positions available, as they all have various government regulations tied to them. Because this is a very hard skill set to find, many consulting companies look for these types of positions.


  • Application Security/Secure Coding (Developer)
    • Overview: One of the main problems with security today is that applications continue to be built insecurely. The main goal of the developer is functionality, not security. This is slowly changing, but it is still a big problem today. Because of this, application security has become a big area of focus for many companies. Positions are available today whose main focus is protecting exposed applications from potential compromise. This can be done by installing and configuring specific technology to protect the application, such as a web application firewall; that type of position is usually part of the “Security Technology Management and Monitoring” section. It can also be done, and this is the reason I made this its own section, by ensuring the application is coded securely within the development process, before it reaches production.
    • Skills Needed: Strong programming skills are needed, as well as a good understanding of common secure coding mistakes.
    • Technical: This is a very technical position, with deep knowledge of the various coding languages and the common vulnerabilities found in each.
    • Experience: These positions are usually more senior. A traditional developer would be an ideal candidate to get into this security area.
    • Position Names: Application Security Engineer, Secure Software Engineer, Secure Platform Security Engineer.
    • Industries: Larger companies with in-house development would have these positions available across all industries. Many consulting companies with a focus on application security or penetration testing will have positions available.


  • Security Analytics/Data Science
    • Overview: Analytics, big data, and machine learning have been used for years in many different industries, such as finance for predicting market movements and marketing for predicting consumer buying habits. It turns out the same technology can be leveraged in security to identify threats in the network that have circumvented a company’s protection technologies. These positions will leverage these technologies to enhance a company’s ability to detect and analyze security threats.
    • Skills Needed: Most if not all of these positions look for someone with a Ph.D. in computer science, typically with deep knowledge of machine learning and data mining.
    • Technical: These positions are very technical.
    • Experience: This is a very new area within security, so any experience in this area would typically be considered for these positions.
    • Position Names: Data Scientist, Cyber Security Data Scientist, Research Scientist.
    • Industries: Most of these positions are offered by companies with more mature security programs, such as the financial industry. Many vendors, both established and start-ups, are also looking to fill these positions.
    • Data Mining/Machine Learning, etc.


Offensive Security

  • Security Assessment/Auditing
    • Overview: Once a security program is in place, it needs to be assessed to ensure the right controls are in place. There are many regulations that require companies to either self-assess or have a third party assess them on a yearly basis. These positions will review a company’s current security controls, usually based on some standard. It could be based on what the company expects to be in place, a framework such as ISO, best security practices, or a combination.
    • Skills Needed: These positions typically require an understanding of the various frameworks and regulations.
    • Technical: Usually these positions are not very technical, but they do need to be aware of the various technologies and what they do.
    • Experience: These positions can range from junior to senior experience. Oftentimes a senior person will run the assessment with the junior folks doing the grunt work.
    • Position Names: Security or Risk Consultant, Security Assessor, ??
    • Industries: These positions are usually sought after by companies with regulatory requirements or with a more mature security program. Even if a company is mandated to do an assessment once a year, it usually will not hire an internal security assessor. It will just use a third-party consulting company, so you can expect to see assessment positions at the third-party consulting companies.
  • Network/System/Application Ethical Hacking

Thoughts…

  • Keep in mind that in all of these positions it is very useful these days to have good programming skills, or at least a good understanding of programming. At a minimum, scripting skills in a language such as Python should be in your tool belt.
  • Keep in mind there are many other job positions out there that we did not even discuss.


Experienced Information Security Executive, Evangelist, Entrepreneur, and Mentor with over 18 years of experience. In his current position he is focused on delivering knowledge, tools, and methodologies to properly demonstrate advanced threat concepts and defense strategies using a practical approach to security.

He has presented, trained, and mentored on various security concepts and strategies at many conferences, trade shows, and media outlets, including a weekly appearance on the KHON2-TV morning news “Tech Buzz” segment and Technology News Bytes on OC16, providing monthly security advice.

Mr. Giandomenico founded and managed Secure DNA Inc., a global security consulting company focused on protecting critical infrastructures such as financial institutions, hospitals, and government agencies. Today, he works for one of the world’s leading and largest security and firewall manufacturers. As a consultant, Anthony provided expertise in many areas including security program development, defensive strategies, incident response and forensics procedures, security assessments, penetration testing, and security operations.