Originally published by Cloud Harmonics www.cloudharmonics.com. Reposted with permission.
My last blog looked at the complex, dynamic cybersecurity landscape that makes it very difficult for someone to step into a cybersecurity role and succeed. If we are to truly start to address the cybersecurity skills gap, we need to make it easier for someone to see, understand and shut down attacks – this requires a combination of technologies, services and experiential/educational components:
More than half of respondents (55%) to a survey by Intel Security “believe cyber-security technologies will evolve to help close the skills gap within five years.” Likely this will come in the form of advances in more autonomous cybersecurity. The US Department of Homeland Security painted a picture of what this might look like, back in 2011, in the paper “Enabling Distributed Security in Cyberspace.” They described an ecosystem where “cyber participants, including cyber devices are able to work together in near-real time to anticipate and prevent cyberattacks, limit the spread of attacks across participating devices, minimize the consequences of attacks, and recover to a trusted state.”
This is in contrast to the typical cybersecurity landscape today, in which an organization has a host of different cybersecurity technologies to try to protect all their different users, systems/devices and workflows, many of which they are blind to (e.g. cloud applications) or have no control over (e.g. personal devices). Each device requires a cyber analyst to not only deploy and manage it, but also interpret the information it produces and try to link it to other data to make sense of what is happening. Often analysts are siloed off, responsible for protecting one part of the network or managing one type of solution, making it hard to get access to everything they need to see the bigger, complete picture. Automation and orchestration can help bring all this information together to start to alleviate these problems.
As autonomous cars and drones have grown in popularity, so have more autonomous security measures, which are better able to keep pace with the automation being employed by hackers to launch their attacks. We have seen vendors increasingly leverage artificial intelligence (AI), machine learning, orchestration and automation in an effort to accelerate an organization’s ability to identify and respond to changing cybersecurity needs. These measures can dramatically simplify the deployment and ongoing management of the security infrastructure, particularly for those elements that are manually intensive or lend themselves to ‘black and white’ decisions (e.g. when entities or events can be easily incriminated or exonerated).
For example, a large organization can average close to 17,000 alerts a week, and only one in five alerts turns out to be a real issue. Investigating each and every alert isn’t practical or an effective use of resources, but having a solution (e.g. incident response/analytics) that can automate investigations to enable analysts to quickly understand what’s going on and prioritize their activities is sustainable. Hence, we have seen an explosion in the IR automation market: the Enterprise Strategy Group found that 56% of enterprise organizations “are already taking action to automate and orchestrate incident response processes;” Technavio has the IR system market growing at a compound annual growth rate (CAGR) of 13%.
Other cybersecurity market segments and vendors are recognizing the need for automation/orchestration/machine learning/AI to address the skills gap. Palo Alto Networks’ latest release (8.0) of their platform had a number of capabilities that improve the efficiency and coordination between the cybersecurity infrastructure (see our blog, xxxxx). Our colleagues at SecureDynamics have told us they’ve experienced an uptick in demand for their Rule Migration tool, which automates the translation of legacy firewall policies to next-generation application-based rule sets. There are also open source projects, such as MineMeld, that show us how organizations can potentially use external threat feeds to support self-configuring security policies.
To truly ease the burden on cybersecurity analysts and improve the efficiency and productivity of the cybersecurity infrastructure, we need more of these kinds of innovations and automations.
The reality is there are always times when organizations, even those with SOCs that are skilled and staffed appropriately, may need a little help. This is where services come in; we are finding there is greater acceptance that augmenting resources with a service offering can be a good way to enhance the effectiveness of an organization’s cybersecurity strategy and implementation. An outsider’s view can give organizations the knowledge they need, a fresh perspective or a new way of thinking that helps drive better decision-making and ultimately better security.
The problem is managed security services providers (MSSPs) are having to staff up themselves to meet the demand. Research and Markets predicted the MSSP sector will reach $31.9 billion by 2019, with a CAGR of 17.3%; this may be low if you consider that a new report by MarketsandMarkets puts the incident response services market, one of the segments within the overall MSSP market, at $30.29 billion by 2021, with a CAGR of 18.3%.
To address the demand and protect against the ever-expanding threat landscape, these MSSPs have to build (or acquire) the talent, which is why we’ve seen a lot of movement in this space (e.g. FireEye’s acquisition of Mandiant, IBM’s acquisition of Lighthouse Security Group LLC, and BAE Systems’ acquisition of SilverSky, etc.). Ultimately, delivering the experience and know-how organizations need brings us back to the cybersecurity skills gap.
Nothing replaces the knowledge and expertise of a security analyst, in terms of being able to identify, contain and fully remediate an incident. Unfortunately, as we’ve already mentioned, these folks are in short supply, so organizations need to develop this in-house talent themselves. 73% of organizations in a SANS survey indicated “they intend to plan training and staff certifications in the next 12 months.”
But what kind of training do they need to do and what kinds of skills do they need to build? Due to the aforementioned breadth of threats, threat actors, systems/devices and workflows that could be involved in a cyber incident, it’s hard to create a concrete list of things to do or know. One such attempt might focus on the layer they are trying to secure (e.g. network, endpoint, application, server, data, cloud, etc.), while another might look at more general areas (e.g. intrusion detection, secure software development, risk mitigation, forensics, compliance, monitoring, identity management, etc.). The reality is an organization needs to cover all these bases.
This is probably why half the companies in the “Hacking the Skills Shortage” study said they would like to see a bachelor’s degree in a relevant technical area. This gives analysts a general background that can be built upon to develop the deeper, relevant knowledge needed to better protect an organization’s specific environment.
The most effective skill building comes from real-world experience. I’m reminded of the Benjamin Franklin quote “Tell me and I forget, teach me and I may remember, involve me and I learn.” We have seen higher education institutions re-thinking the way they are structuring their learning to be much more hands on and interactive. Jelena Kovacevic, head of the electrical and computer engineering department at Carnegie Mellon University, explained to U.S. News, "At the center of meeting today's challenges is an age-old idea: Learn by making, doing and experimenting. We can do this by imbuing real-world problems into our curricula through projects, internships and collaboration with companies."
Not only seeing, but doing hacks firsthand is one of the best ways for individuals to start to identify, understand, and ultimately stop them. As a result, 68% of the respondents said hacking competitions are a good way for individuals to develop critical cybersecurity skills.
We, at Cloud Harmonics, have seen the difference that doing versus hearing or watching has on a person’s understanding. We developed our proprietary learning environment, Orchestra, to give attendees (we train more than 4000 users every year) the opportunity to not only interact with the instructors who are leading the sessions, but also with the solutions themselves. Our virtual sandbox (vSandbox) and Ultimate Test Drive (UTD) days give attendees real-world experience with solutions, in a way that enables them to see firsthand how they could deploy, use and benefit from their capabilities in their own environment.
Because there is really no substitute for experiential learning, we expect to see more users signing up to test and work with solutions in a safe environment to speed their deployment and use of advanced features in their own organization. Ultimately, to address the cybersecurity gap, it will take a confluence of technologies, services and experiential learning to build the skills and capabilities organizations need to keep up with (and ideally get ahead of) all the threats targeting their organization.
Originally published by Cloud Harmonics - www.cloudharmonics.com, and reposted with permission.
Reflecting on the time I recently spent with some of our sales engineers, I was reminded that one of the biggest issues faced by most of the end-user organizations we work with (through our value added reseller (VAR) partners) is a lack of cybersecurity expertise. Organizations simply can’t recruit or retain all the talent they need to mount an effective defense against all the different threats they are facing.
We’ve all seen the stats – 82% of IT professionals report a lack of cybersecurity skills within their organization; more than 30% of cybersecurity openings in the U.S. go unfilled every year; by 2019, there will be one to two million jobs unfilled in the global cybersecurity workforce.
So, why aren’t more people flocking to cybersecurity, particularly when cybersecurity professionals are being heralded as one of the job market’s hottest commodities, in a cybersecurity market that experts predict will grow to $170 billion by 2020? I think, to state the obvious, it’s because cybersecurity is hard, and only getting harder.
Cybersecurity experts have to stay on top of all the new threats facing their organization. That’s no small task, considering:
Cybersecurity experts also have to stay on top of the ever-growing number of highly skilled hackers targeting their organization, all of whom have different, yet extremely persistent motivations, such as:
In addition, cybersecurity experts have to try to identify and shut down all the different vulnerabilities (and ways attackers can get “in”) throughout their organization. The universe of attack vectors is exploding, as organizations increasingly rely on:
Cybersecurity experts have to deploy, manage and maintain a range of different cybersecurity technologies to try to protect against all the threats and attackers targeting their organization. They need to monitor, identify and shut down an attack’s ability to exploit all the different attack vectors that potentially exist.
As with everything in cybersecurity, determining what needs to be implemented to defend the ongoing operations of their business and the integrity and privacy of their critical assets is anything but simple. There were almost 600 vendors exhibiting at this year’s RSA and close to 250 startups doing things in and around the event. Almost all have marketing messages that make seemingly indistinguishable claims, offering overlapping capabilities that make the marketplace complex and confusing.
It’s hard for even seasoned cybersecurity professionals to navigate, so how do we expect someone entering the field to get up to speed on everything? How do we expect them to be able to identify all the different vulnerabilities, threats and actors they could come up against? How do we expect them to learn how to use all these different systems and figure out what to do?
The simple answer is we can’t expect them to do these things until we show them how to do them. If we are to address the cybersecurity shortage and recruit and retain vital cybersecurity personnel, we are going to have to change our expectations and adjust our approach. If we don’t, the cybersecurity skills gap is only going to get wider. For my thoughts on what these expectations should look like and what the approach should be to develop new talent to start to better address the skills shortage, check out part 2 of this blog series - "What Do We Need to Do to Address the Cybersecurity Expertise Shortage".