Mission Critical CyberSecurity Functions
Mission Critical Cyber Functions
Critical roles with the most technically sophisticated knowledge, skills and abilities for enterprise cybersecurity
February 2014
Council on CyberSecurity, N Moore St, Ste 2100, Arlington, VA 22209
Authors: Jane Lute, Deirdre Durrance, Maurice Uenuma. Contributors: Tony Sager. Members of the Roles & Controls panel: Linus Barloon, Chris Thompson, et al.

Department of Homeland Security, HSARPA, Cyber Security Division, February 2014. This material is based on research sponsored by the Air Force Research Laboratory under agreement number FA. The US Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Air Force Research Laboratory or the US Government.
Introduction

In an era of increasing vulnerability to cyber attack across industries and functions, including theft of sensitive information, disruption of information systems and even damage to critical infrastructure, it is essential that the right people, with the right capabilities to address these vulnerabilities, are properly identified, trained, developed and placed in the roles most impactful to improving enterprise cybersecurity. While numerous roles play important parts in the overall effort to secure systems and data, the roles themselves vary greatly in the degree of technical sophistication required and in their criticality to the security function. Adding to this complexity, the profession itself often lacks clear definitions, training standards and assessment metrics that would enable a broad understanding of the capabilities an enterprise should expect from its cybersecurity professionals. An essential first step in addressing the challenge of developing the right workforce is to ensure the right people are at the top: in the cybersecurity roles which are critical to the organization's mission and essential to the security function, while requiring the most advanced technical knowledge, skills and abilities. The intersection of these parameters is where the very best talent must be focused, even while the overall cybersecurity mission depends on the actions of people throughout the organization and across the spectrum of technical understanding.
The Council on CyberSecurity (the Council) has built upon the work of previous efforts to identify and validate the mission critical cybersecurity functions: the top ten list of roles which comprise the apex of professional skill in the field:

1. System and Network Penetration Tester
2. Application Penetration Tester
3. Security Monitoring and Event Analyst
4. Incident Responder In-Depth
5. Counter-Intelligence/Insider Threat Analyst
6. Risk Assessment Engineer
7. Secure Coder and Code Reviewer
8. Security Engineer/Architecture and Design
9. Security Engineer/Operations
10. Advanced Forensics Analyst

These roles, if properly staffed, will provide the capability needed both to implement broad, effective, foundational controls (namely the top 20 Critical Security Controls) and to address new, unforeseen threats and vulnerabilities.

Background

In an effort to bring greater coherence to the relatively new field of cybersecurity, the National Institute of Standards and Technology (NIST) launched the National Initiative for Cybersecurity Education (NICE) which, in turn, designed a framework to establish a common understanding and lexicon for cybersecurity functions. The NICE framework, which lists and defines 31 common types of cybersecurity work, known as Specialty Areas, grouped into seven categories, has done much to bring commonality to concepts and language. But it has not provided, nor is it intended to provide, any prioritization or ordering of functions in a way that better focuses limited training, education, development and workforce management resources.

In 2012, the Homeland Security Advisory Council (HSAC) convened a Task Force on CyberSkills, which delivered a set of recommendations for the development of the cybersecurity workforce, both at the Department of Homeland Security (DHS) and in the broader community. Included in the report was a list of mission-critical roles. Building upon both the NICE framework and the Task Force report, the Council has sought to add further clarity to the effort and provide useful material for all stakeholders by further refining, validating and publishing the list of Mission Critical Cyber Functions (mission-critical functions), with the intent to re-examine and refine this list on an ongoing basis. To reiterate, these are mission critical functions that require nuanced technical and analytic skills at a level of expertise well beyond those found in typical compliance-based approaches to cybersecurity or in security regimes that rely principally on running vulnerability testing or exploit tools. The NICE framework is thus made more useful for hiring highly proficient specialists by prioritizing the functional roles within the framework, and by defining specific requirements associated with these functions.

With the NICE framework as the foundational reference, the Council developed an operations-centric Lifecycle view which captures the Design to Operations (or Virtual to Live) stages by condensing the seven NICE categories into four, and the 31 associated Specialty Areas into ten mission critical cybersecurity functions. Thus, the Council's list of Mission Critical Cyber Functions remains aligned to the NICE framework.
The Council's list also aligns with the Cybersecurity Framework currently being developed by NIST. To ensure consistency with the reference taxonomies developed by NIST, for both cybersecurity operations (the Framework) and the workforce (NICE), the Council further maps its work to both frameworks. In this way, the top ten Mission Critical Cyber Functions align to, build upon and bring clarity to the foundational work of NIST, the NICE Framework and the HSAC Task Force, while maintaining a ready reference guide for enterprises to develop and manage the advanced practitioners they need. Indeed, advanced practitioners will demonstrate not only mastery of the technical knowledge and skills necessary to protect systems and networks; they will also have the expertise to anticipate and counter sophisticated adversarial strategies. By identifying, from among all IT and security-related functions, those most important to protecting their specific networks and systems, enterprises will be able to direct scarce resources to their highest priority critical needs. Moreover, by committing to maintain competency for these professionals, enterprises will realize a valuable skills development program for their entire cybersecurity workforce.

Findings

The job market for cybersecurity talent remains clouded with unclear definitions and job descriptions. There is a significant amount of overlap in the functions and competencies listed under one job title or another, and titles tend to be used interchangeably throughout the industry (examples: malware analyst = reverse engineer; information assurance analyst = information security analyst/engineer = risk/vulnerability analyst = cyber assessment engineer/analyst; secure coder & code reviewer = source code auditor, etc.). Federal agencies with the largest cybersecurity workforces (the National Security Agency, Department of Defense, Department of Homeland Security, and Department of Energy) rely on the NICE framework for job classifications and the definitions of associated tasks and knowledge, skills and abilities, with minor variations depending on the entity. The Department of Defense, for instance, substitutes Oversight and Development for Support within NICE as a high-level category, but retains the other six. However, while a given federal agency or enterprise will define and differentiate specific functions and emphasize certain skill sets that are mission critical for its own purposes, the demand for high-level expertise and cyber-savvy professionals extends to the entire security ecosystem. To facilitate consistency, descriptions of the top ten Mission Critical Cyber Functions, based on the Council's review of skill requirements, are provided below.

System and Network Penetration Tester. This mission critical cybersecurity position requires a demonstrated ability to devise, analyze, and systematically assess the ability of systems and networks to withstand sophisticated adversaries (i.e., adversaries who have not only advanced technical skills, but also knowledge of the architecture and systems they are targeting). Competence here is demonstrated through an advanced ability to conduct sophisticated, methodical, comprehensive technical testing of configurations, pathways, and interactions between systems that mimics the techniques employed by advanced adversaries.
Mastery is demonstrated by using knowledge of advanced attack strategies to devise superior processes for security monitoring, event analysis, and security architecture and engineering that defeat these strategies, whether mounted by external adversaries or by insiders, which might otherwise result in data exfiltration or captured command and control of internal systems and processes.

Application Penetration Tester. This position requires the demonstrated technical abilities necessary to conduct operational testing of applications before initial deployment and as they are subsequently updated. Competence is assessed on the ability to identify the program avenues most riddled with flaws and holes that give malicious actors access to important content or systems. Applications from the web are particularly vulnerable to malicious exploitation, frequently infecting visitors' computers with viruses and other malware that can create access pathways for data exfiltration or worse. Mastery here includes knowing how to find and exploit an application vulnerability, a skill which, in turn, allows for better code reviews, forensic analysis, threat analysis, and incident response.

Security Monitoring and Event Analyst. Competency here includes the dual abilities to identify indicators that show a malicious incident has occurred and to initiate swift, appropriate, and comprehensive responses. Because savvy adversaries can devise attacks that mimic old attack vectors and create easy ways to bypass defenses, mastery here includes the ability to differentiate incidents that represent less sophisticated attacks from those that must be analyzed in depth and defeated by rigorous incident response performed by an Incident Responder In-Depth. This role focuses on monitoring security logs from multiple sources, including firewalls, servers, and applications, in order to detect suspicious events and identify possible security incidents. Another competency for this role is the effective use of cyber threat data to generate signatures and alerts, and the use of other technologies to detect and react to new threats. This role must be able to properly report incidents to ensure timely and proper dissemination of information.

Incident Responder In-Depth. This role requires the ability to deploy and manage active measures to contain incidents identified by analysts, including rapid and accurate assessment of malware: isolation, characterization, and reverse engineering. It also includes the ability to recognize attacker-introduced local changes, suspect interactions, and targets that have been triggered to evoke malicious behaviors, as well as the ability to develop and rapidly deploy eradication tools. While less than ten percent of all malicious software must be subject to this deep analysis, these payloads are the most dangerous. Malicious software left undetected is able to burrow deeply, maintain control, and spread through agency systems, as well as leave back doors for unauthorized access at a later time. Undetected attacker access on the network equates to freedom of malicious movement and action, including malicious behavior by insiders. Moreover, attackers can reuse tactics and tools to re-attack or maintain control over systems for long periods, taking and changing data at will. Thus, mastery of skills in this role must reflect a deep understanding of attackers and their tools in order to thwart attempts to undercut effective defensive efforts. The advanced professional will also have the skills necessary to program custom tools to detect local changes, identify suspect interactions, and watch for and respond to intrusions and exploits, reflecting up-to-the-minute situational awareness of what malicious actors are using and targeting.
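The core of the Security Monitoring and Event Analyst's work described above (correlating logs from several sources, matching them against threat data, deciding what is commodity noise and what goes to the Incident Responder In-Depth, and turning confirmed indicators into sensor signatures) is easier to see in code than in prose. The following is an added example written for this page; it is not from the Council's report or any of the organizations it surveys. The indicator list, the asset inventory, the two log formats and the five sample log lines are all constructed for illustration, and the addresses come from documentation ranges.

```python
import re
from datetime import datetime, timedelta

# Constructed threat data. "c2" indicators are escalated to the Incident
# Responder In-Depth; "commodity" indicators (scanners, mass exploitation) are
# handled by the monitoring analyst. Addresses are RFC 5737 documentation
# ranges, not real infrastructure.
INDICATORS = {
    "203.0.113.77": ("known C2 node", "c2"),
    "198.51.100.9": ("mass scanner", "commodity"),
}

# Constructed asset inventory: joins firewall addresses to the host names that
# appear in authentication logs.
HOSTS = {"10.0.0.5": "ws-finance-01", "10.0.0.8": "ws-hr-02"}

# Two log sources with two different formats (hypothetical layouts).
FW_RE = re.compile(r"^(?P<ts>\S+) fw (?P<action>ACCEPT|DROP) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: Accepted password for "
                     r"(?P<user>\S+) from (?P<src>\S+)$")

# Constructed sample: a scanner probing a workstation, an interactive logon on
# that workstation, an outbound connection to the C2 node 15 minutes later,
# and one unrelated benign connection.
SAMPLE_LOGS = [
    "2014-02-10T09:00:00 fw DROP src=198.51.100.9 dst=10.0.0.5 dport=22",
    "2014-02-10T09:00:01 fw DROP src=198.51.100.9 dst=10.0.0.5 dport=23",
    "2014-02-10T09:02:13 ws-finance-01 sshd: Accepted password for jdoe from 10.0.0.200",
    "2014-02-10T09:17:40 fw ACCEPT src=10.0.0.5 dst=203.0.113.77 dport=443",
    "2014-02-10T10:05:00 fw ACCEPT src=10.0.0.8 dst=192.0.2.10 dport=80",
]


def parse(lines):
    """Normalize both log formats into one time-ordered event list."""
    events = []
    for line in lines:
        m = FW_RE.match(line)
        if m:
            events.append({"kind": "fw", "ts": datetime.fromisoformat(m["ts"]),
                           "action": m["action"], "src": m["src"],
                           "dst": m["dst"], "dport": int(m["dport"])})
            continue
        m = AUTH_RE.match(line)
        if m:
            events.append({"kind": "auth", "ts": datetime.fromisoformat(m["ts"]),
                           "host": m["host"], "user": m["user"], "src": m["src"]})
        # Lines in neither format are ignored here; a production pipeline would
        # route them to a parser of their own rather than drop them silently.
    return sorted(events, key=lambda e: e["ts"])


def triage(events, window=timedelta(minutes=30)):
    """Match firewall events against indicators and split the result into
    commodity alerts (summarized per indicator) and escalations (enriched with
    the accounts interactively logged on to the affected host beforehand)."""
    alerts, commodity = [], {}
    logins = [e for e in events if e["kind"] == "auth"]
    for e in events:
        if e["kind"] != "fw":
            continue
        for ip in (e["src"], e["dst"]):
            if ip not in INDICATORS:
                continue
            desc, tier = INDICATORS[ip]
            if tier == "commodity":
                c = commodity.setdefault(ip, {"tier": "commodity", "indicator": ip,
                                              "reason": desc, "events": 0})
                c["events"] += 1
                continue
            # The other end of the C2 connection is the internal host of interest.
            host_ip = e["src"] if ip == e["dst"] else e["dst"]
            host = HOSTS.get(host_ip, host_ip)
            related = [a for a in logins
                       if a["host"] == host and e["ts"] - window <= a["ts"] <= e["ts"]]
            alerts.append({"tier": "escalate", "indicator": ip, "reason": desc,
                           "host": host, "ts": e["ts"].isoformat(),
                           "accounts": sorted({a["user"] for a in related})})
    alerts.extend(commodity.values())
    return alerts


def snort_rule(ip, sid):
    """Turn one confirmed indicator into a Snort/Suricata rule, the 'signature'
    the analyst pushes to sensors so the next hit is caught automatically."""
    desc, _ = INDICATORS[ip]
    return f'alert ip any any <> {ip} any (msg:"{desc}"; sid:{sid}; rev:1;)'


if __name__ == "__main__":
    for alert in triage(parse(SAMPLE_LOGS)):
        print(alert)
    print(snort_rule("203.0.113.77", 1000001))
```

On the sample data the two scanner probes collapse into a single commodity alert, while the single outbound connection to the C2 address becomes one escalation that already names the host and the account (jdoe) that was logged on within the preceding half hour, which is exactly what a responder needs to start containment. The join across firewall addresses and authentication host names is the step that distinguishes correlation from simple indicator matching; in practice it is fed from the asset inventory rather than a literal dictionary.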
Because well-embedded adversaries often become privy to instructions and can work to stay a step ahead of observed defender actions, mastery in this competency will entail devising techniques to prevent the targeted installation of malicious software, or the use of techniques able to evade defenses, without being spotted. An Incident Responder In-Depth would refer confirmed incidents that may have resulted in the theft of information or service disruption to an Advanced Forensics Analyst.

Counter-Intelligence/Insider Threat Analyst. Competency in this role reflects deep and current knowledge of the organization's attack surface, its most vulnerable and high value targets, and how its technical vulnerabilities may be exploited. The analyst will work closely with the Risk Assessment Engineer to ensure accurate threat data is provided to inform the development of effective mitigation strategies. In order to identify assets and systems at high risk, and address the most advanced, persistent threats, teams of professionals must be assembled with first-rate skills to understand attackers' motivations, languages, organization, and social behaviors. With this knowledge, threat actors can be categorized by profile to help enterprises become proactive in enhancing their own security posture, and to inform the broader cybersecurity ecosystem of important developments in the threat landscape.

Risk Assessment Engineer. This role is responsible for identifying and assessing information technology and information security risks within a broader enterprise risk management program. Leveraging engineering, operational, and analyst team input, the Risk Assessment Engineer develops high-level strategies to address overall risk to systems and information introduced through changes to IT systems, deploying new technologies, or external threat actors. Mastery requires significant hands-on technical expertise to assess how the threats will manifest and how to prioritize the deployment of effective defenses. Additionally, this role understands policy documents like NIST SP revision 2, which describes the risk assessment process. The engineer is able to understand the threats and threat data, capture vulnerabilities associated with the system or network, identify the likelihood of the threat exploiting the vulnerability, work with the data/information owner to determine the impact to the organization if the data were compromised, and then develop mitigation strategies. Lastly, the engineer is able to develop these mitigation strategies leveraging people, process, and technology while balancing the constraints of resource scarcity.

Secure Coder and Code Reviewer. Secure Coders (software security engineers) require expert knowledge of secure coding best practices, integrating secure development practices into the entire application lifecycle. Code Reviewers must demonstrate the ability to identify and fix flaws such as maliciously introduced additions, modifications, or deletions of legitimate code. Coders and Reviewers leverage Application Penetration Testers to perform static testing of source code or compiled software, as well as dynamic testing of running applications.

Security Engineer/Architecture and Design. Architects are responsible for designing IT infrastructure that is hardened and resistant to compromise. The role requires maintaining current knowledge of attack techniques used by adversaries against any of the components being engineered into new or updated systems.
Security engineers can use their technical knowledge of current attacks to identify flaws and weaknesses in the composition and design of networks, remote access schemes, systems and applications; to specify solutions; to verify the solutions that have been implemented; and to rapidly adjust designs as new threat and attack information is acquired. Additionally, the engineer works with the Risk Assessment Engineer to ensure policy directives are followed and threats are taken into consideration to lower residual risk.

Security Engineer/Operations. The most common forms of targeted intrusions easily penetrate network and system defenses because measures for basic cybersecurity hygiene have not been put in place. Security engineers must understand how to install and maintain such basic hygiene measures as configuration and application whitelisting, sensors for continuous diagnostics and monitoring, and real-time patching of systems and applications. Mastery here includes an understanding of network, system, application, and database security, including the ability to implement and configure host and network firewalls, logging, and IPS/IDS at the highest appropriate level of security, as well as the skills to implement automated monitoring of configuration, patching, AV status, administrative rights, application whitelisting, and other security measures in order to give system and network administrators real-time task lists to perform and monitor. This role would also have an understanding of threat data and work with the Risk Assessment Engineer.

Advanced Forensics Analyst. Leveraging initial findings from Incident Responders In-Depth, an Advanced Forensics Analyst investigates intrusions or other malicious activity (including activity which may constitute crimes or potential crimes). This role must perform many of the tasks of the Incident Responder In-Depth with special emphasis on reverse engineering (in law enforcement, this will also include the requirement to establish evidence that will stand up in court). Competency here will include the clear ability to determine precisely which programs have been executed, find files that have been changed by an intruder (on disk and in memory), use time stamps to develop authoritative timelines of actions taken by intruders, find evidence of deleted files, and identify key information in browser histories, account usage, and USB usage. Mastery in this area also includes the ability to find unknown malware hidden in systems, also known as persistent presence.

In addition to the top ten critical functions, the Council has identified the following functions which are essential supporting functions and critical to the cybersecurity mission. Beyond noting them here, these functions will be considered for inclusion in the Mission Critical Cyber Functions list in subsequent revisions:

Disaster Recovery and Business Continuity Specialist. This professional represents the company as the leading specialist in disaster recovery and, as such, continually educates management and IT staff on these concepts. This role is responsible for creating and maintaining the business impact analysis, working with the business units to determine the critical actions needed during a disaster, and driving implementation of new policies and procedures. Competence includes the ability to develop standards for data back-up, perform gap analysis and recommend solutions. It also includes supporting periodic disaster recovery and business continuity exercises.

Big Data Analyst. With the ever increasing volume, velocity and variety of network and corporate data flowing through wired and wireless networks, Big Data Analysts may perform any of the ten roles above with the ability to use the appropriate SQL or NoSQL big data platform for correlating structured, unstructured and hybrid data (including semantic data) to improve information security.
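The Advanced Forensics Analyst competencies described above (which programs ran, which files an intruder changed, building an authoritative timeline from time stamps, evidence of deleted files, and USB usage) come down to one discipline: normalizing artifacts from different sources, each with its own clock convention, into a single ordered timeline and then asking questions of it. The following is an added example written for this page, not the Council's material or any vendor's tool. The file records, execution records, device log and every path and time in it are constructed; the three anomaly patterns it flags are illustrative leads, not a complete forensic method.

```python
from datetime import datetime, timezone, timedelta

# Constructed artifacts from three sources, each with its own timestamp
# convention: file system records (ISO 8601, UTC "Z"), program execution
# records (epoch seconds) and a device log (local time with UTC offset).
# Paths, names and times are hypothetical.
FILES = [
    {"path": r"C:\Windows\Temp\svch0st.exe", "created": "2014-02-10T09:20:05Z",
     "modified": "2011-07-14T01:14:00Z", "deleted": True},
    {"path": r"C:\Users\jdoe\Documents\q4-forecast.xlsx",
     "created": "2013-11-02T14:00:00Z", "modified": "2014-02-10T09:31:40Z",
     "deleted": False},
]
EXECUTIONS = [  # (program path, last run as epoch seconds)
    (r"C:\Windows\Temp\svch0st.exe", 1392024060),   # 2014-02-10T09:21:00Z
    (r"C:\Windows\System32\cmd.exe", 1392023900),   # 2014-02-10T09:18:20Z
]
DEVICES = [  # (event, local time with offset)
    ("USB mass storage E: connected", "2014-02-10T04:17:30-05:00"),  # 09:17:30Z
]


def to_utc(value):
    """Normalize the three timestamp conventions to timezone-aware UTC."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if value.endswith("Z"):              # fromisoformat() before 3.11 rejects "Z"
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def build_timeline(files=FILES, executions=EXECUTIONS, devices=DEVICES):
    """Merge every artifact into one chronologically sorted list of
    (time, source, event, path) rows."""
    rows = []
    for f in files:
        rows.append((to_utc(f["created"]), "fs", "created", f["path"]))
        rows.append((to_utc(f["modified"]), "fs", "modified", f["path"]))
    for path, epoch in executions:
        rows.append((to_utc(epoch), "exec", "executed", path))
    for event, ts in devices:
        rows.append((to_utc(ts), "device", event, ""))
    return sorted(rows, key=lambda r: r[0])


def find_anomalies(timeline, files=FILES, window=timedelta(minutes=10)):
    """Flag three patterns an analyst looks for: programs that ran and were then
    deleted, programs launched shortly after removable media was attached, and
    files whose modification time precedes their creation time (consistent with
    timestamp manipulation, but also with a plain copy, so a lead, not proof)."""
    findings = []
    deleted = {f["path"] for f in files if f["deleted"]}
    device_times = [r[0] for r in timeline if r[1] == "device"]
    for ts, source, _event, path in timeline:
        if source != "exec":
            continue
        if path in deleted:
            findings.append(("executed-then-deleted", path, ts))
        if any(timedelta(0) <= ts - d <= window for d in device_times):
            findings.append(("executed-after-device-connect", path, ts))
    for f in files:
        if to_utc(f["modified"]) < to_utc(f["created"]):
            findings.append(("modified-before-created", f["path"], to_utc(f["created"])))
    return findings


def files_changed_between(start, end, files=FILES):
    """List files modified inside the suspected intrusion window."""
    s, e = to_utc(start), to_utc(end)
    return sorted(f["path"] for f in files if s <= to_utc(f["modified"]) <= e)


if __name__ == "__main__":
    tl = build_timeline()
    for ts, source, event, path in tl:
        print(ts.isoformat(), source.ljust(6), event, path)
    for finding in find_anomalies(tl):
        print("FINDING:", *finding)
    print(files_changed_between("2014-02-10T09:00:00Z", "2014-02-10T10:00:00Z"))
```

The point of converting everything to UTC before sorting is that the device log's local time (04:17 at UTC-5) lands correctly 50 seconds before the first cmd.exe execution; left in its native form it would sort five hours too early and the "executed after device connect" relationship would be invisible. Real cases add many more sources (registry, event logs, browser history, memory) and a proper tool such as a super-timeline builder, but the normalization and the questions stay the same.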
This role may use proprietary (e.g. Splunk, Cloudera, sqrrl) or open source (e.g. Hadoop, Accumulo) solutions to produce actionable operational intelligence for management, operations, and technical staff.

Industrial Automation Security Analyst. With the accelerated growth of automation in critical infrastructure sectors, security analysts with expertise in DCS, SCADA, and PLC systems, protocols and architectures are needed to fulfill all of the roles listed above with a focus on industrial automation technologies.

Comparison to Job Market

A survey of job openings recently posted by some of the largest employers of cybersecurity professionals shows the variety of job titles with functions substantially similar to the list above. The Council has populated the tables below by checking each entity's use of the same title or different title(s) for a position requiring identical or near equivalent experience and competencies (Table 1).
Table 1 - Sample of Recent Job Openings

For each Mission Critical Function, the titles observed in the NICE framework and in postings by Lockheed Martin, Northrop Grumman, SAIC, Symantec and Booz Allen Hamilton:

System and Network Penetration Tester: System and Network Penetration Tester; Penetration Tester
Application Penetration Tester: Application Penetration Tester
Security Monitoring and Event Analyst: Information Security CND Analyst; Security Monitoring and Event Analyst; IT Security & Compliance Principal
Incident Responder In-Depth: Incident Response Coordinator; Incident Handler; Intrusion Analyst; Incident Responder In-Depth; Service Desk Incident Coordinator; Incident Response - Lead Investigator
Counter-Intelligence/Insider Threat Analyst: Cyber Intelligence Analyst; Technical Surveillance/Counter-Measures Technician; Counter-Intelligence/Insider Threat Analyst; Principal Attack Investigation
Risk Assessment Engineer: Vulnerability Assessor; Risk/Vulnerability Analyst; Network Defense/Network Security Engineer; Risk Assessment Engineer; Internal Auditor; Corporate Security Risk Assessment; Focused Operations
Secure Coder and Code Reviewer: Cryptologists; Cryptographers; Code Reviewer
Security Engineer/Architecture and Design: Security Engineer/Architect; System Safety Engineer; Solution Engineer; Systems Security Engineer
Security Engineer/Operations: Mission IT Support - Infrastructure Security Engineer
Advanced Forensics Analyst: Computer Crime Investigator; Computer Forensics Analyst/Examiner; Special Agent Forensics Analyst/Examiner; Forensics Analyst
Alignment with Certifications

Needless to say, existing cybersecurity certifications should provide the essential knowledge and skills for competence in mission critical functions. A high-level review suggests that there are indeed certifications in the key functional areas (Table 2). The challenge is to ensure that these certifications are, in fact, delivering the necessary skill sets for successful performance on the job.

Table 2 - Alignment of Certifications to Mission Critical Functions

System and Network Penetration Tester: CompTIA CASP (Advanced Security Practitioner); SANS GPEN (Penetration Tester), GXPN (Exploit Researcher and Advanced Penetration Tester); EC-Council LPT (Licensed Penetration Tester)
Application Penetration Tester: CompTIA Mobile App Security+; SANS GWAPT (Web Application Penetration Tester); (ISC)2 CSSLP (Certified Secure Software Lifecycle Professional)
Security Monitoring and Event Analyst: SANS GSNA (Systems and Network Auditor); EC-Council ECIH (Certified Incident Handler); ISACA CISA (Certified Information Systems Auditor)
Incident Responder In-Depth: SANS GCIH (Certified Incident Handler)
Counter-Intelligence/Insider Threat Analyst: SANS GXPN (Exploit Researcher and Advanced Penetration Tester); EC-Council ECSA (Certified Security Analyst)
Risk Assessment Engineer: CompTIA CASP (Advanced Security Practitioner); SANS GCIA (Certified Intrusion Analyst); (ISC)2 CAP (Certified Authorization Professional); ISACA CRISC (Certified in Risk and Information Systems Control)
Secure Coder and Code Reviewer: SANS GSSP (Secure Software Programmer); EC-Council ECSP (Certified Secure Programmer)
Security Engineer/Architecture and Design: CompTIA Security+, Mobility+; SANS GCWN (Certified Windows Security Administrator); (ISC)2 CISSP (Certified Information Systems Security Professional); ISACA CISM (Certified Information Security Manager)
Security Engineer/Operations: CompTIA Cloud+, Server+; SANS GCFW (Certified Firewall Analyst)
Advanced Forensics Analyst: SANS GCFA (Certified Forensic Analyst); (ISC)2 CCFP (Certified Cyber Forensics Professional); EC-Council CHFI (Computer Hacking Forensic Investigator)

Recommendations

Just as the top 20 Critical Security Controls helped to diffuse the "Fog of More", i.e. defensive support overload, by prioritizing specific and actionable ways to thwart the most pervasive and sophisticated attacks, so will a consistent understanding of the top mission critical roles provide greater clarity on which functions to prioritize in order to ensure the strongest possible cyber defense. To that end, this list of the top ten Mission Critical Cyber Functions should form the basis for prioritized efforts in human resources management, setting academic standards, establishing training programs and building the bodies of knowledge which must underpin every professional certification.

Given the urgent need for standardization in the cybersecurity industry, this work should also form the basis for a process of ongoing refinement and maintenance of the list. To that end, the Council has established a panel of recognized experts to steward this effort, and will publish revised lists on a periodic basis. To support this process, market surveys will be conducted with the leading cybersecurity product and service providers, as well as the broader market of end-users across various industries, to assess and confirm their needs for security competencies, with the understanding that roles attributed to current titles will likely continue to evolve.

Finally, one of the Council's primary goals is to leverage the work done to date to guide and support workforce planning through the design and implementation of common enterprise models, in order to help both government agencies and private sector entities strategically build the strength of their cybersecurity workforce. This includes sustaining a body of work around job competency models by individual function, enterprise-level assessments of skills, organizational planning tools, and ongoing development of various certification bodies of knowledge.
Appendix A - Research Methodology

The following methodology outlines the Council's approach to identifying and prioritizing mission critical jobs, intended to help public and private sector enterprises proactively establish and maintain a cybersecurity workforce planning strategy:

Step 1 - First, with the NICE framework as the foundational reference, the Council on CyberSecurity developed a security operations-centric lifecycle flow that captures the Design to Operations (or Virtual to Live) stages by condensing the seven NICE categories and 31 associated Specialty Areas into four classifications and ten mission critical cybersecurity specialties.

Step 2 - The second step was to build upon the work of the DHS Task Force by validating its inventory of mission critical tasks through market surveys. These surveys focused on those federal agencies and departments with large numbers of cybersecurity professionals and on some of the largest private sector employers, selected by revenue tied to cyber intelligence professional services. The table in Appendix C shows that Lockheed Martin, Northrop Grumman, Booz Allen Hamilton, Symantec and SAIC rank among the top ten players in the global cybersecurity industry.

Step 3 - Referring to NICE's comprehensive list of IT and Information Security related job titles within its framework, the Council conducted internet searches and collected data through reports and market surveys on job postings and vacancy announcements as advertised either directly through the federal agency's or company's website and/or through job search engines. A thorough analysis and comparison across multiple sources of job titles, descriptions of duties and responsibilities, and required knowledge, skills and abilities was performed in order to derive the highest priority cybersecurity roles.

Step 4 - Equally important to understanding mission critical tasks was determining the specific certifications required to perform them.
Such certifications are issued by vendor-neutral information technology personnel certification providers, which include the International Information Systems Security Certification Consortium, Inc. ((ISC)2), the Information Systems Audit and Control Association (ISACA), the International Council of Electronic Commerce Consultants (EC-Council), the Computing Technology Industry Association, Inc. (CompTIA), and SANS. Each of these organizations operates on a global scale, with certification programs offered in many countries. The largest of these organizations in the certifications industry, CompTIA, recorded over 200,000 certification unit sales worldwide in a single year; the others record between 30,000 and 90,000 certifications granted.
Appendix B - International Perspective

Europe

A European Union (EU) directive adopted in July 2013 will require that organizations circulate early warnings of cyber risks and incidents, and that actual security incidents are reported to cybersecurity authorities. Organizations that suffer a breach because they do not have sufficient security in place to protect their digital assets face fines of up to 2% of their global revenue. The European Cyber Security Group is a private consortium and Europe's largest independent cyber defense force and provider of CERT services, created to address the growing threats to Europe's cybersecurity. Its founding members include the Danish CSIS, Dutch Fox-IT, French Lexsi and Spanish S21sec. The Council conducted research through language-specific search engines (French, Spanish, Italian, German, etc.) on over 50 companies located throughout Europe and on the job descriptions corresponding to the vacancies they posted online. The research yielded two observations: 1) There is an overwhelming demand for reactive expertise, namely cyber defense and cyber emergency response capabilities, as reflected by the numerous postings focused on forensics and fraud analysts, penetration testing, mitigation of malware threats, intrusion handling/reverse engineering, and disaster recovery. 2) European stakeholders tend to be of the view that legal, strategic and managerial expertise is as critical as purely technological skills, and enterprises on the continent are seeking to recruit cyber specialists who offer a combination of those KSAs. Highest growth is forecast to occur in cloud-based tokenization and encryption, security information and event management (SIEM), vulnerability assessment and web application firewalls. Through a report made public in October 2013, NIST confirmed the need for a workforce that is able to integrate cybersecurity with business, legal, and technical aspects.
Asia

The Council conducted a review of cyber roles and functions considered critical in China, South Korea and Japan. Although little information was available in the case of Japan (what exists is accessible in Japanese only), staff proficient in Chinese and Korean were able to obtain relevant data, the majority of which refers to SANS and the Critical Security Controls as the benchmark of best practice. A survey of the leading Korean multinationals and their job postings (including Samsung, Hyundai Motors, POSCO, LG, SK Group and Shinhan Bank) shows that the mission critical functions in Korea correspond to those defined by the Council, with particularly high demand for incident handlers and forensics analysts, followed by penetration testers and security engineers/architects. In China, the Council's research focused on the leading companies (including Sinopec, Industrial and Commercial Bank of China, State Grid Corporation and China Mobile Limited) in four sectors: oil and gas, banking, electricity and telecommunications. The list of cyber security mission critical specialties aligns closely with the Council's, and job vacancies confirm a shortage most notably among forensics analysts, disaster recovery experts and security engineers/architects across all industries.
Appendix C - Sources

Cybersecurity (or related) revenue in $M and percentage of total revenue, by company (several figures did not survive transcription and are shown as they appear):

Lockheed Martin: 8, %
Northrop Grumman: 7, %
Booz Allen: 1,300, 23%
SAIC: 3, %
Symantec: 1,965, 29%
Hewlett Packard Company: 3, %
IBM: 17, %
Boeing Company: 7, %
Computer Sciences Corporation (CSC): %
L-3 Communications Holdings Inc.: 1, %