What football teaches us about cybersecurity

This idea of football practice and cybersecurity practice came to me via a conversation with one of my co-workers at Verodin, an SE in Texas named Critt Golden. Critt said it very simply in true Texas succinctness, "In football if you don't practice you don't win and in cybersecurity if you don't practice you don't win." This concept was apparently brought to Critt's attention while working in the field with customers to improve their security talent.

If you're a football coach you wouldn't tell your team to take a year off, avoid getting on the field and don't touch a football then ask them to walk into a game with any expectation of success.  But this is essentially what we are asking security professionals to do: don't practice, but when you're attacked you better win.  

Practice in security, like in football, is a necessary element to success. In security, practice has been overlooked for far too long. In many organizations, this yields a chaotic, unprepared culture instead of one that is ready to win. In the words of Vince Lombardi, "The harder you work, the harder it is to surrender."

It's no shock to anyone in security that when we talk about people, process and technology we almost always default to technology as the primary and often only variable for incident mitigation. It's easy to forget the strongest assets organizations have for threat mitigation: people. Technology is simply a tool to augment human intuition and processes allow for improved coordination across people and tech.

Now it's not that we haven't tried to increase the capabilities of our people. We spend millions on trying to help security professionals become more effective with: training, certifications, conferences, professional consortiums, books, CBTs, etc. In some cases, to improve incident response, once or twice a year organizations might even conduct tabletop exercise and fire drills to review their readiness. Some organizations might also leverage an internal red team (offense) or hire a third party to "break in" and see how the blue team (defense) responds.

These methods of education and periodic assessments add some value but they also fail to address several key questions:

• Am I hiring people that will be effective in my environment based on my security tech?
• Can I accurately assess how effective my security team is at a point in time?
• Can trends be created to illustrate if team effectiveness is increasing or decreasing compared to last week, month or year?
• Can I ascertain if ineffectiveness exists because of my people, processes, technology or some combination?
• Can I put in place a mechanism to help my security team practice - so they are ready to win?

Just like football

To be effective your security team needs to practice, but it starts before you even make your first hire. 

Hiring: How are you evaluating talent? Maybe recruiters do some high-level screening for you, then you review their LinkedIn profile, you have everyone on the team interview them, give them a written test or task, etc. Based on these parameters the individual might seem like a perfect fit, or not, for your organization. But you don't have any real idea how they'll perform in your organization based on the security technology you have.

Consider adding some real-world evaluations to this process. An individual can be brought in and assessed. Based on the makeup of your security controls across incident prevention, detection and response how well will they perform when under an attack on game day?

Take a SOC analyst for example. Sit that analyst down in a SOC with supervised access to your security solutions. Then leverage your tools to launch attacks across your network and endpoint security controls. This will generate attack activity that the SOC analyst should be able to work with. See how they're able to work with your SIEM and log management solutions as well as understand your endpoint, IPS and firewall alerts and logs. Watch as they search for additional details and see what responses they suggest. Now they won't know your systems like you do and they won't know your processes, but this will give you a much better view into their ability to:

• Work with your SIEM or log manager
• Generate value from your logs, alerts and other messages from your security controls
• Glean additional information by researching the attacks using your tools
• Derive conclusions about what to do next predicated on your defensive stack

More simply put - beyond certifications and work history, can this person be a superstar in your organization with all its awesomeness and warts combined.

Practicing: The same evaluations that are applied to a new hire should be applied on an ongoing basis to existing employees. Keeping with the example of SOC analysts, periodic attacks can be run on the network so analysts can practice. This helps to:

• More efficiently and effectively mitigate attacks
• Reduce incident response times
• Measure team and individual effectiveness over time
• Highlight areas where additional training might be necessary
• Make a case for hiring additional employees
• Streamline processes
• Improve incident prevention configurations
• Tune SIEM and log management rules
• Calibrate integrations with case management and alerting mechanisms
• Define gaps in the security posture where additional controls are needed
• Illustrate security team effectiveness and readiness to executive management
• Demonstrate the value of security investments and or make a case for additional investments

If football players just talked about football while sitting around a table or practiced against fake, cardboard cutouts of the opposition, they wouldn't win. Your security analysts need real practice too. That practice needs to be on your real, production network leveraging your real security controls, processes and people against real attacks.

For your practice to be effective, real attacks must be used in a safe, ongoing basis so that your controls operate just as they will when the "bad guys" come. This approach will help you make better hires, improve existing hires, increase the value of your security controls and processes and allow for a measurable mechanism to further illustrate the value, needs of your security team. As Bear Bryant of the University of Alabama said, "It's not the will to win, but the will to prepare to win that makes the difference."