
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Analysts assemble! Nick Magallanes, Sr. Consultant #HPProtect

SIOC (Security Intelligence and Operations Consulting)

Founded: 2007

Security intelligence and operations consulting

Experience: • 35+ Fortune 500 and federal SOC builds • 100+ SOC assessments across 76 distinct SOCs

Solution approach: • People, process, and technology

Accelerated success: • Mature project methodology • Best practices • Extensive intellectual capital

Expertise: • 50+ years of SOC experience within the SIOC leadership team


Recruiting

Hiring skilled security analysts can be difficult

Organizations must develop their own analysts

Finding skilled analysts is a challenge: demand for cyber-security professionals grew 3.5x faster than for other IT jobs*

Skill shortage by role (chart): • Security Analyst 47% • Security Auditor 31% • Security Architect 26% • Security Tester 27% • Security Sys Admin 26% • Web Security 23% • Security Platform Engineer 22%

*Source: 2013 BurningGlass Cyber Security Jobs Report

Analysts require knowledge of multiple domains

• Security analysts need the skills to identify Indicators of Compromise (IOCs) • IOCs are reported via one or many security control systems • Experience in one IT discipline is not enough!

Targeted threats evade controls

Attack lifecycle (figure): Research, Weaponization, Delivery, Exploitation, Installation, C&C, Infiltration, Compromise, Additional Recon, Lateral Movement, Persistence, Exfiltration

Security controls and domains an analyst must be able to read (figure): Operating System, WAF, IDS/IPS, IAM, DLP, Threat Intelligence, Proxy, Application Security, Physical Controls, Firewall, VPN, Database, Antivirus, File Integrity Management, DNS


Analyst backgrounds

Backgrounds

IT backgrounds • Variety of IT niches

College new grads • IS/CS degrees

Military • Intel-type positions – Linguists – Intel analysts

Misc. • Former police • Former investigators • Break/fix technicians

Soft skills, interest, and skillset

• Natural curiosity • Strong soft skills • Attitude / aptitude • Stamina – Often on console for long periods of time • Exposure to security principles • Think offensively • Critical thinking • Ability to correlate information

Interest levels

Ability to improve on and off the job: immersion in the security ecosphere • Keep up with current security news • Favorite blogs or feeds • Read security-related books • Pursue certifications • Possibly have a lab setup at home

Assess at time of interview


Job roles and skills definition

Job roles and skills definitions

Progression path (figure): Level 1 Analyst → Level 2 Analyst → Lead → ???

Skills definition demarcation, continually enforced • Scope of job role and individual qualification • Include a minimum skill threshold

Progression path • Necessary for goal setting • Gives each individual knowledge of how one role leads to the next


Skills assessment

Skills assessment

Before and after hire: gauge weak and strong points with a questionnaire/test • Score output • Level of expectation

Weaknesses become action items • Training needs assessed • Steady and guaranteed growth

Reassess annually; beneficial side effects • Higher levels of performance • Leadership skills • Accurate and intuitive analysis

Example scoring scale (figure), lowest to highest level:
Log analysis: Locate and view system logs → Hands-on experience → In-depth understanding
Exploit analysis: Knowledge of current exploits → In-depth understanding → Development


Operational metrics

Overview of operational metrics

Great to measure, but possibly tricky and/or cumbersome • Metrics are used to gauge and drive goals • They can be hazardous and possibly destructive; don't let them work against you

Analyst output chart (figure): EPAH, annotations, and cases per analyst (Josh, Clayton, Matt, Bob)

Destructive metrics

Management says: number of cases = analyst output. But case count is contingent on dynamic content • Number of events ingested and/or correlated • Can depend on the day/week/month

(figure) Event count down → case # decreases. Assigned additional tasks → monitoring + additional task → case # decreases

Constructive metrics

Helpful to management and analyst personnel • EPAH (events per analyst hour) • Number of events annotated • Raw/base event count vs events of interest • Case time to close • When used positively, number of cases opened

Instead of additional tasking • Deep dive • Presented events exploration • Variations of data mining • Satisfy natural curiosity • Innovation • Explore different detection methods
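The constructive metrics listed above, and the destructive-metric trap from the previous slide, as an added example that is not part of the original deck: Python that computes EPAH, events annotated, raw vs events-of-interest, case time to close and cases opened from constructed analyst-week and case records. The record fields, the sample numbers (the analyst names come from the chart, the figures do not), and the definition of EPAH as events of interest handled per console hour are this example's assumptions. Week 2 halves the event feed and gives Josh 20 hours of signature development: his case count halves, while EPAH and annotation rate hold steady.

```python
"""Constructive SOC analyst metrics over a constructed case/event export.

Added example, not from the original slides.  It computes the metrics the
slide lists (EPAH, events annotated, raw vs events-of-interest, case time
to close, cases opened) and shows the destructive-metric trap: raw case
count drops when event volume drops or when an analyst is given other
tasking, while EPAH and time-to-close stay comparable.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class ShiftWeek:
    """One analyst's week (constructed data; field names are this example's)."""
    analyst: str
    week: int
    monitoring_hours: float    # hours actually on the console
    other_hours: float         # hours on additional tasking (content, research)
    raw_events: int            # base events ingested by the SIEM
    events_of_interest: int    # events surfaced to the analyst by correlation rules
    annotated: int             # events the analyst annotated


@dataclass(frozen=True)
class Case:
    case_id: str
    analyst: str
    week: int
    opened: str                # ISO 8601 timestamps
    closed: str


def epah(week: ShiftWeek) -> float:
    """Events per analyst hour.  Assumption: events of interest handled per
    console hour, so hours spent on other tasks do not deflate the figure."""
    return week.events_of_interest / week.monitoring_hours if week.monitoring_hours else 0.0


def time_to_close_minutes(case: Case) -> float:
    delta = datetime.fromisoformat(case.closed) - datetime.fromisoformat(case.opened)
    return delta.total_seconds() / 60


def weekly_metrics(weeks, cases):
    """Return {(analyst, week): metrics} with the constructive metrics."""
    out = {}
    for w in weeks:
        own = [c for c in cases if c.analyst == w.analyst and c.week == w.week]
        out[(w.analyst, w.week)] = {
            "epah": round(epah(w), 2),
            "annotated": w.annotated,
            "annotation_rate": round(w.annotated / w.events_of_interest, 2) if w.events_of_interest else 0.0,
            "eoi_ratio": round(w.events_of_interest / w.raw_events, 5) if w.raw_events else 0.0,
            "cases_opened": len(own),
            "median_ttc_min": median([time_to_close_minutes(c) for c in own]) if own else 0.0,
        }
    return out


def change_pct(metrics, analyst, week_a, week_b, key):
    """Percentage change of one metric between two weeks for one analyst."""
    a, b = metrics[(analyst, week_a)][key], metrics[(analyst, week_b)][key]
    return round((b - a) / a * 100, 1) if a else 0.0


def _constructed_cases(analyst, week, start_day, ttc_minutes):
    """Constructed Case records: opened an hour apart from 09:00 on start_day
    (September 2014), each closed after the given number of minutes."""
    cases = []
    for i, ttc in enumerate(ttc_minutes):
        opened = datetime(2014, 9, start_day, 9, 0) + timedelta(hours=i)
        closed = opened + timedelta(minutes=ttc)
        cases.append(Case(f"{analyst[0]}{week}-{i + 1:02d}", analyst, week,
                          opened.isoformat(), closed.isoformat()))
    return cases


# Constructed sample: in week 2 the event feed halves and Josh is given 20 hours
# of signature development.  Case count halves; EPAH and annotation rate do not.
WEEKS = [
    ShiftWeek("Josh", 1, monitoring_hours=40, other_hours=0, raw_events=120_000,
              events_of_interest=300, annotated=240),
    ShiftWeek("Josh", 2, monitoring_hours=20, other_hours=20, raw_events=60_000,
              events_of_interest=150, annotated=120),
    ShiftWeek("Bob", 1, monitoring_hours=40, other_hours=0, raw_events=120_000,
              events_of_interest=300, annotated=90),
]
CASES = (
    _constructed_cases("Josh", 1, 8, [40, 55, 30, 120, 45, 60, 35, 90, 50, 25, 70, 65])
    + _constructed_cases("Josh", 2, 15, [35, 60, 45, 110, 50, 40])
    + _constructed_cases("Bob", 1, 8, [20, 25, 30, 180, 22, 28, 35, 240, 26, 24])
)

if __name__ == "__main__":
    m = weekly_metrics(WEEKS, CASES)
    for key, vals in sorted(m.items()):
        print(key, vals)
    print("Josh cases week1->week2:", change_pct(m, "Josh", 1, 2, "cases_opened"), "%")
    print("Josh EPAH  week1->week2:", change_pct(m, "Josh", 1, 2, "epah"), "%")
```

Run as a script to see the per-analyst-week table; the two change lines are the point of the slide: Josh's case count falls 50% while his EPAH is unchanged, so a manager reading case count alone would conclude his output halved. Bob's lower annotation rate in the same week is the kind of per-analyst difference a constructive metric surfaces without penalizing anyone for the volume of the feed.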


Retention

Retention overview

Issues can stem from • Lack of upward mobility • Non-competitive pay • No development opportunity • No training • Low morale

Several remediation tools are available • Begin with career development and progression paths; analysts have an inherent need to progress

From the management view

Coaching and mentoring is an obligation. Junior vs. senior professionals • Juniors require an interactive management style and more focus

Career development is a staple • Juniors perceive a clear progression path • Seniors understand senior roles aren't the ceiling • Management works with HR

Retention tools

• Job and task rotation – Not always monitoring • Consistent training – Formal and informal • Project assignment – Complex problems eluding solution • Temporary rotation to other teams

(figure) Find → Hire → Train → Replace, versus Find → Hire → Train → Grow

Job and task rotation

(figure) Rotation wheel: Monitor → Threat research → Signature development → Content creation → Maintenance

Cannot stare at events all shift • Allow analysts to rotate off the glass for some period

Exceptional analysts • Suggest and create new content • Comfortable on boxes of varying OSs • Possibly manage security devices

Tasks are complementary • Necessary • Works against analyst boredom

Consistent training

Security is not a static field: formal training and real-world experience

Formal training • Executed at on-boarding and during employment • Priceless to a new analyst – Info on the network – Reinforce technical skills – Acclimation to the new environment • During employment – Introduce new skills and expand on known ones • Can be vendor-specific or web-based

Informal training • Structured into daily tasks – Lunch and learns – Webinars – OJT – Technical deep-dives

Project assignment

• Allow analysts to propose projects as part of the annual plan • Can tackle long-standing problems that are not time sensitive • Allows for distraction from the mundane • Develops problem-solving skills

Temporary team rotation

• Can be within the SOC or external • Allows for exposure to different tools and processes • In turn, permits use of new-found knowledge in monitoring

(figure) Growing analyst: processes from team 1, technology from team 2, people from team 3

Summary


For more information

Attend these sessions

• TB3057 - Defining, building, and making use cases work

• 9/11 10 a.m.

• TB3135 - Using baselining to detect anomalies in HP ArcSight ESM

• 9/11 10 a.m.

Visit these demos

• DEMO3527 - HP ArcSight Activate Framework

• DEMO3530 - HP ArcSight Threat Central

• Hunting for cyber criminals

After the event

• Visit the HP SIOC website at: hp.com/go/sioc

• Analyst Training Program

• Download "Growing the security analyst" whitepaper

• www.hp.com/go/GrowSecAnalyst

• Contact your sales rep

Your feedback is important to us. Please take a few minutes to complete the session survey.

Tonight's party @ Newseum

Time 7:00 – 10:00 pm. Shuttles run between the hotel's Porte Cochere (Terrace Level, by registration) and the Newseum from 6:30 – 10:00 pm. Questions? Please visit the Info Desk by registration. Enjoy food, drinks, company, and a private concert by Counting Crows.

Session BB3269, Speaker Nick Magallanes. Please fill out a survey and hand it to the door monitor on your way out. Thank you for providing your feedback, which helps us enhance content for future events.

Thank you