How to staff your team across the security kill chain

By Kane Lightowler, Managing Director Asia Pacific + Japan, Carbon Black

Effective digital security needs people as well as technology. Most organisations are aware of the need to staff up to improve their security against cyber-crime, and there is no shortage of options: experts, service bureaus, staff training and more.

They also take into account capital expenditure (Capex), operating expenditure (Opex), projects, operations, organisation charts and head count.

But to become effective they need to take a close look at the cyber criminals’ kill chain and ensure they staff each vulnerable point where human intervention is required. Let us reimagine the kill chain for security projects and operations.

Reconnaissance encompasses updating skills, eyeing attack patterns, considering threat landscapes and formulating new approaches. Weaponisation takes in technology procurement, engineering and automation, training and certification.

Delivery requires close attention to project delivery, infrastructure installation and process implementation, while Exploitation covers communication and consensus, corporate deployment and stabilisation.

Installation includes tracking and retention, enforcement levels and advanced analytics, while Command and Control covers threat intelligence, daily triage, engineering and orchestration, and response automation. Finally Actions & Objectives includes stopping attacks, detecting breaches and responding to incidents.

It is easy to see which of these terms are technical – automation, technology and infrastructure, and which are human – communication, triage and skills. What may be less obvious is the way in which certain staffing models or assumptions can create weaknesses in the chain.

An obvious one is lean staffing, possibly even a single-person responsibility. Where is that most likely to affect the kill chain?

In reconnaissance, the security person does not have the time to update his/her knowledge or skills, research threats or trends, and keep up with the hackers who DO have that time every day.

In delivery, the security solution may be highly efficient, but delivering it can require a significant effort, and a single person has too many distractions.

In command and control, daily triage means daily effort, typically structured and scheduled, and a sole security person has too many unstructured interrupts and insufficient energy to concentrate.

Clearly there is a pressing need to become creative about remedies. For command and control, consider outsourcing detection to a managed security service provider (MSSP).

For delivery, go with a full-service vendor or partner that can implement a complete solution, and build in plenty of package-based and consulting-based training/education for your security team.

Since security is a full-time job, a possibly less expensive remedy for the reconnaissance weakness would be to hire people to wear some of the other hats your security person is wearing. For a smaller business, perhaps it’s time to hire a help desk person to support your lone wolf.

Outsourcing might be considered a remedy for weakness in a so-called command and control link, but it covers other areas too. These include skills updates in the reconnaissance area and potentially infrastructure in our delivery section.

But does that approach bring, or reveal, weakness in other links? Cyber attacks often strike in delivery. A services partner may have a preferred way of engineering and orchestrating a physical technology solution, but does the organisation’s technology vendor or implementation partner mesh with that approach?

If management need to ‘sell’ exploitation to the organisation, who knows best how to work the angle? Is it another vendor, or is it the company?

When the MSSP detects a cyber attack, do they also offer responder services? Or can in-house security do this? Do they have the bandwidth and the skills?

Get creative about remedies

Delivery: Choose vendors that reference and partner with one another. Use a trusted adviser to co-ordinate parties and envision solutions.

Exploitation: Choose an implementation partner or technology vendor that has a methodology, sample deliverables, collateral and communication plans.

Actions and Objectives: Go with best-of-breed, one-stop shopping, training your team, or a combination of the above – just think in terms of covering all the links in the chain.

Bottom line: Security is not just about staffing up, it’s about staffing right. Don’t worry about exactly what the right answer is because there is no single answer. Rather, be guided by knowledge of the kill chain, and of your own organisation and operations.
