Security analysts evolving from security administrators

Colombia

Last week I was fortunate to return to Bogota, Colombia. Much like my recent travels and blogs around Brazil, Singapore and South Korea, I was able to spend time with government agencies and enterprises discussing cyber security, business trends, and experiencing the culture.  In this case that culture included drinking Pisco Sours and dancing to traditional Cumbia music while spending time with dozens of security practitioners and managers throughout Bogota.

In Latin America, Colombia is one of the most important countries from a business perspective along with Brazil, Mexico and Chile. Colombia also has the third largest population in Latin America with 46 million people after Brazil and Mexico.

With an improving economic and political environment, some controls around intellectual property and growing government support of industry, Colombia continues to strengthen. However, legal maturity, infrastructure and education are still behind when compared to other developing nations, according to Gartner’s “Analysis of Colombia as a Offshore Services Location.”

Gartner also points to Colombia’s 190 universities that graduate about 30,000 students with business degrees every year, and about half of those are engineers. The number of people with IT skills is increasing, but it’s still not enough to address the need. This supply and demand issue surrounding IT talent is on par with virtually the rest of the world.

Security Administrators

While in Bogota, it quickly became apparent that the security administrators of old are quickly changing. When I say “security administrators” I’m referencing a type of IT security professional that focuses on tasks like:

• Creating firewall and VPN rules
• Setting up proxy policies
• Defining IPS signatures
• Maintaining endpoint security controls like anti-virus
• Keeping the security infrastructure running

I’m not attempting to downplay the importance of these roles. These are all important and necessary tasks, but the skills required to be a security administrator are quickly becoming tasks associated with more junior security staff. They are considered the basics that every security practitioner needs to know just like basic system and network administration are requirements to be effective in security.

In Bogota many of the folks I talked with stated that the security administration tasks like those listed above were once the entirety of their security program. But over the last year or two they’ve had to adjust. Because of the changing threat landscape and the adoption of new organizational trends to use security to empower — not slow business — change was necessary. They’ve had to invest in more advanced security training for their staff as well as security solutions associated with incident detection and response, and modify their security programs to focus more largely on prevention, detection and response, as opposed to primarily preventative controls like firewalls and anti-virus alone.

Security Analysts

Many of the security practitioners I spent time with either considered themselves security analysts already or were working to achieve this designation. Part of this was for job security so they could differentiate themselves in the market, but honestly security people being who they are, there is always a new challenge to embrace, new technique to learn, and new technology to master. This constant change is want attracts most of us to this type of career to begin with.

These individuals all spent time as security administrators at one point in their career but have now moved on to what they consider more advanced tasks such as:

• Responding to incidents
• Dissecting malware
• Investing suspicious insider activity
• Pushing the limits of log capture and packet capture for analysis
• Integrating disparate products, vendors and intelligence feeds to improve efficiencies and effectiveness

Gap

There are various reasons for this change from administrator to analyst.  People want to be more marketable because they have these advanced skills.  They need to support more dynamic, agile businesses.  But the largest driver seems to be “gap.” There is a growing gap that most organizations realize exists between the time it takes for an organization to be compromised and the time it takes for an organization to detect and mitigate that compromise. Most studies state that an organization can be compromised in hours but most don’t even discover it for months. This gap, often called the “threat window,” is simply too large.  Trying to address it with the technology, talent and techniques associated with security administration is like fighting today’s war with yesterday’s technology:  it’s untenable.

In Bogota, even with extremely limited budgets and resources, they are adjusting to avoid being too focused on preventative controls and security administration, and are now including incident detection and response programs staffed with security analysts. Unfortunately there are fewer people with these skills and as such various steps that are being rapidly taken to rectify this so that the gap can be minimized quickly. Some steps include:

• Consultants – third party security analyst staff augmentation
• Outsourcing security administration to a managed security service provider or MSSP so that the limited staff can focus on analysis instead of administration
• Analyst certifications and training such as GIAC and SANS
• Investing in incident detection and response security technologies
• Engaging in hacker competitions – one telecommunications firm I talked with offers an internal hacker challenge to employees with a cash prize to keep their security team sharp

I’m curious to know what other organizations are doing to ensure their technology, talent and techniques are ready for today’s threat landscape and how they are minimizing the gap.

Image credit: Bogota, capital of Colombia by Naoki Nakashima (CC BY-SA 2.0)