10 Tips for Building a Strong IT Security Team
By Justin C Miller
My mind has been digging into the question of what makes a good IT security team? If you're managing, building, or have a say in your company's IT security team, I hope the list below gets your brain churning and helps provide an advantage to the white hats.
Tip #1 - BREADTH OVER DEPTH - You cannot succeed with a team of network administrators who know everything about Firewalls, IDS, VPNs, and switches but no nothing about administering a server or securing an application. You cannot succeed with a team of server administrators who could harden a server in their sleep but know nothing about putting up a firewall or securing an application. Deep understanding of concepts is important, but what's more important is Defense-In-Depth, security at every layer, and the ability to speak the language of anybody in the company. That that means is your team needs BREADTH: for example somebody good at networks (administrator), somebody good as servers (administrator), somebody good at applications (a developer), somebody who is good at desktops (former help desk), and somebody who speaks the language of the business (perhaps a business analyst).
Tip #2 - EMPOWER DON'T DICTATE - You cannot have staff that just tell teams what they're doing wrong and what they must do to fix it. Your team will fall flat on your face eventually, and you're going to make enemies which makes life miserable. The better solution lies more in the concept of social engineering. You know what's right, what's the secure way to do it, but don't just slam your fist down on the conference room table and say it's my way or the highway. Instead you need to work with your team on getting their way through the power or empowerment. In every scenario where you need to convince somebody to do something the 'right way' ... you need to do your legwork, lay out the options, outline the risks, and empower them to make the decision. Get the other teams to believe they are making the decision not you, EMPOWER DON'T DICTATE.
Tip #3 - FOCUS - What is this team here for? Ask that question and know the answer before you start. You are NOT there to maintain a firewall, that's for the network team. You monitor the firewall logs and review the rules. You are NOT there to deploy an anti-virus solution to your enterprise, that is somebody like operations. You are there to monitor virus findings and trends. You are NOT there to run a malware removal tool or re-image workstations, that is also likely operations. You are there to know what malware is and suggest remediation solutions. You are NOT there to run an Identity Management solution, that is also somebody like operations. You are there to monitor login activity and correlate them with other events. I'm sure by now you get the picture. Say 'NO' to the side work. Stop chasing the squirrel (a cute reference to 2009 Disney movie UP). FOCUS on what you're here to do, things such as security policies, monitoring, incident response, and true pro-active security.
Tip #4 - EMBRACE INEXPERIENCE - You already know that a good team is not built with just junior level staff. But keep in mind a good team is also not built on just Senior staff. A strong team is built with the old and the young, the experienced and the youth. Why? Everybody should be in a constant learning cycle, and to promote that you of course need your Seniors to train the juniors, but what's also exciting is the fact that Juniors are excitable. They will bring fresh new ideas and will push your seniors to stay on the cutting edge and play with the new tools. Juniors bring energy which in turn gets the Seniors excited. EMBRACE INEXPERIENCE.
Tip #5 - CARE ABOUT YOUR IMAGE - You don't just want a team of doers. You know, those guys that sit down, put their earbuds in, their hoodie up, and pound out work till they notice it's getting dark out. Your team is going to interact a lot with the rest of the world including IT and Business staff. You team has to be generally liked, be seen as providing a benefit to the company, and also be known to get the job done. The Doers can certainly help out with the last one, but the other 2 get a bit trickier. That is where the communicators and social staff come into play. You know, those ones that have a tendency to talk about the latest news story, and always wants to go out to lunch and hang out. They are going to be the ones that make other teams smile in a meeting, that can sweet talk somebody into getting their way, and that can explain it in terms others will understand. Don't just do, make sure you CARE ABOUT YOUR IMAGE.
Tip #6 - OPEN DOOR - Your team must be approachable. They need their corporate instant messenger enabled. They need to pay attention to their inbox. They need to offer themselves up in meetings with statements like 'Feel free to reach out to me at anytime with questions' or 'I am always available if you need help'. In order to build a successful IT security team, you need to make friends, not enemies ... and an OPEN DOOR policy is a great way to do so.
Tip #7 - DO WHAT YOU DO WELL - You need a team where everybody knows their role and in general sticks to it. The interns and juniors do the dirty work like day-to-day monitoring. The seniors have to think big picture, understand the landscape and playing field, and give guidance to everybody else. But also remember to weave in cross training in both directions. The seniors need to sit down and show the juniors what the best methods are and give the occasional opportunity to step in and fill the big shoes (such as during a common Incident Response event for example). And it goes in reverse, the juniors need to show the seniors how monitoring and day-to-day works, because a Senior will fail at the big picture if they don't understand what the whole team is doing. Build an efficient team by having people DO WHAT YOU DO WELL, but cross train so eventually everybody does everything well.
Tip #8 - SECURITY NEVER STOPS - Your team needs to understand that security is 24/7 365 non-stop. You can't stop monitoring just because it's the weekend. You can't skip today's incident just because it's a holiday. How is that ever going to work? You need to make sure you have some early birds you love their morning cup of coffee at 5am. You need your night owls who can't fall asleep before midnight. You need your consistent friends who are going to be their day in day out Monday thru Friday. And you need those free spirits who like working weekends and holidays just so they can take a random Wednesday off. Remember you need to think about coverage because SECURITY NEVER STOPS.
Tip #9 - KNOW IT ALL - You can't protect what you don't know. Your team will need to be one that sucks in information and never forgets. Know your network topology, your network devices, and your servers, what they are for, how they are configured, and what data they hold. Know your corporate hierarchy and staff, what they do, why they do it, and what applications they need. Know all the applications they use, how they're used, and what data is in them. You absolutely must KNOW IT ALL, otherwise how will you ever realize that something abnormal is occurring?
Tip #10 - PAY ATTENTION - Teams cannot be stuck in their own little fantasy world, thinking about only their company, their projects, and their day to day tasks. A good team must pay attention to everything going on both inside and out. How can we do that? Of course internal log aggregation, change control board meetings, and project statuses will keep you abreast internally. Also consider that a good team needs to get out too ... to conferences, listening to podcasts, reading blogs, subscribing to mailing lists for vulnerabilities and patches ... and being able to PAY ATTENTION to what's going on in the real-world ... because that's where the attackers live.
Props to Ted Demopoulos for inspiring me to write this post with his awesome talk as SANS @ night in Chicago
Copyright © 2014, this post cannot be reproduced or retransmitted in any form without reference to the original post.