The Cybersecurity Team Process: Cyberdefence Crews Work Hand in Glove

No information system can be completely secure without a team of people with various talents and specialized knowledge working in concert to keep it safe.

IT security is all about depth of layers and diversity of knowledge. Having players in multiple roles with various sorts of expertise on one cybersecurity team prevents groupthink and blind spots, and allows each individual to develop a higher degree of expertise within their own specialty.

The back-story of the players in the various roles that comprise IT security teams can be as diverse as the roles themselves.

Whatever their background, security professionals of all stripes come together to form a contingent that stands against a common enemy: malicious hackers and cybercriminals.


The Backbone – Security engineers, technicians and administrators are all likely to come into the security field from traditional IT jobs. They are former system administrators, data administrators, and network engineers.

The Misfits – Hackers and analysts often have less formal education and more street sense and cunning. They come into the process less because of what they know and more for how they think: like black hat hackers, viewing the cascading green spray of the Matrix in terms of holes and vulnerabilities. They might have been the problem children in school, constantly poking at the system, looking for chinks to penetrate and exploit.

The Brains – Cybersecurity architects and network security consultants, on the other hand, tend to be planners, thoughtful types with a deep understanding of the underpinnings of modern technology systems. They might come from any number of areas in the technology field and hold advanced degrees, but they will tend to have more experience and have worked with larger and more diverse systems than many others.

Organizing the Cybersecurity Team for Maximum Effectiveness

Information security teams have the same options for internal organization as any other information technology team:

  • Functional silos
  • Matrix-managed mission-oriented teams

Working in the silo model, similar roles find themselves grouped together in fixed departments …

  • Administrators and specialists in Security Operations
  • Analysts in Risk Management
  • Engineers and architects in Security Engineering
  • Auditors and ethical hackers in Security Oversight

The matrix structure mixes and matches each of those areas of expertise into a task-focused team that may stay together over time to take on various projects, or be assembled for one particular job and then split off again, to be put together in another combination for the next. For example, when a new product or site is being rolled out, a cross-functional team could be assembled from each specialty and deployed together to work closely on the project. Or, when a major security incident occurs, a response team might consist of a mix of roles working together on isolating and repairing the breach.

Some companies might also divide their information security professionals geographically or by business division, depending on how the larger information systems department is organized.

Building Safety Into the System with Security Architects, Analysts, and Engineers

Any system that has not been designed to be secure from the ground up is a nightmare to monitor and safeguard. A good network security architect can make the jobs of every other cybersecurity professional on the team much easier by adopting the right design principles.

But even the best architect can’t design a secure system without some idea of the valuable data it will contain or the threats that it will face. So cybersecurity analysts are the first people a business will turn to when designing a security posture.

The Analyst – The analysts work closely with executives and other departments to familiarize themselves with the key components of information used and stored by the business. Either individually, or as part of a separate threat research team, analysts investigate likely dangers, both those posed by nature and happenstance—natural disasters, power failures, and the like—and by malicious actors. They might rank the importance of various internal information stores as well as the danger posed by specific threats to each of them.

Beyond that, analysts take information from both open sources, such as the OWASP (Open Web Application Security Project) Top 10 list and CERT advisories, and from less public sources like private intelligence firms and direct monitoring of known hacker chatrooms, and compile the types of tools and techniques that may be leveraged against the business to compromise its information systems.

The Architect – Analysts then hand off both data and recommendations to the cybersecurity architect, whose responsibility will be to design a system that is resistant to those threats. The network will have gateways and DMZs, presenting a layered security model, with specifications for Intrusion Detection Systems (IDS) and access control systems baked into the design. On some design details, architects might consult with outside network security experts brought in expressly for their experience in securing large networks.

The Engineer – The responsibility for putting all that together falls largely to cybersecurity engineers. Who is racking the Firebox firewall and Barracuda email screening appliances in the data center and configuring them? Security engineers. They will set up monitoring software like Splunk and help regular IT engineers configure overarching access control systems like Microsoft’s Active Directory, spinning a coherent web out over every workstation and handheld device in the company.

Data Security Administrators and Specialist Technicians Patrol the Perimeter

The Administrator – Although the machinery of information systems is largely solid-state, it nonetheless requires a kind of grease to keep the virtual gears turning. Even after a system has been set up and configured, as people interact with the system, it will require adjustment and support. Data and cloud security administrators and security technicians work together with security engineers to provide that support by interacting with users, managing incidents, and tweaking configurations to deal with the ever-changing threat models of the Internet landscape.

When users lose their password or receive a strange message in their email, data security administrators are usually the people who answer the support calls. They are responsible for handling the daily operation of the security systems, which includes:

  • Responding to security incidents
  • Monitoring log and IDS software for red flags
  • Provisioning new user and group accounts
  • Restricting and removing old or terminated user accounts
  • Adjusting permissions on files and data stores in accordance with business demands

Cloud security administrators perform much the same role, but specialize in running cloud-based systems. These have unique requirements due to the multi-tenant architecture behind them and public connections they have to internal corporate systems. Because of the specialized knowledge they have of these systems, cloud security admins are often brought in to work with security architects and engineers when the time comes to help link cloud and on-premises networks safely and securely.

The Specialist – Cybersecurity specialists typically have a more narrowly defined role that is equally important. They deal with niche systems with complex configurations or operating demands, such as SCADA (Supervisory Control and Data Acquisition) or custom line-of-business software packages that require unique and specialized skillsets to program and manage.

Specialists might be responsible for overseeing security in systems that include:

  • Large scale databases
  • Industrial control systems
  • Specialized IDS applications

Or they might specialize in certain aspects of security support, dealing directly with users of two-factor authentication systems or physical site control systems.

Typically, the specialists and administrators will handle the front-line aspects of these security features and escalate serious incidents to the security engineers or security analysts for further investigation or long-term solutions.

White Hat Hackers and Security Auditors Rattle Virtual Doorknobs

The Auditor – Backstopping and double-checking all the other roles are the IT auditors. Dry and methodical, their role is to work through every aspect of the system to catalog potential security holes.

Auditors are responsible for developing audit plans for reviewing network security and then executing them – usually repeatedly after establishing a baseline – to assess compliance and detect the exposure of any new security holes opened through misuse or configuration changes. Using tools like Nessus and Metasploit, or creating their own custom assessment scripts to automatically comb through networked devices, auditors look for the common vulnerabilities that give rise to some 80 percent of all security breaches.

Having detected such vulnerabilities, auditors then work closely with security analysts, engineers, and administrators to address them. They may brief other members of the security team as well, providing proactive as well as reactive responses to common threats.

The Hacker – If every potential hole were exposed on a best-practices checklist, auditors would represent the last line of defense in the security process. But black hat hackers are wily predators, and many security holes exist as an expression of a creative process that isn’t easily reduced to an enumerated list. In fact, many breaches result from vagaries of human credulity and laziness, variable factors that no auditor can measure. Phishing attacks, poor password discipline, and stolen laptops can’t be prevented by noting them in an audit.

Enter the white hat hacker. Thinking along the same lines as a black hat, but working with the IT security team instead of against it, ethical hackers exploit the same bag of dirty tricks that the worst of the opposition can deploy in order to find vulnerabilities that aren’t simple matters of configuration.

Ethical hackers also spend a considerable amount of time producing reports and briefing other elements of the security team. Their unique view of the information system, from the perspective of the opposition, is inordinately valuable to conventional security staff who may otherwise tend to fall into the groupthink that is so antithetical to maintaining security.

Security is a Never-Ending Cycle

Although each member of the security team has a role that appears to hand off to the next role down the line, as if the process ended once the system were perfectly secure, the reality is that new threats emerge constantly and no system is without flaws. Moreover, a business’s most urgent needs will require changes to the underlying information system, each with the possibility of introducing new vulnerabilities.

Cybersecurity is a cycle that ultimately circles back into the hands of analysts and architects who never stop investigating potential threats and actual attacks, and who constantly redesign the network to adjust to new and emerging threats.

Unlike network security architects, analysts are usually presented with already functioning systems and given the task of evaluating and improving them within current operational constraints. They may not have the luxury of forcing significant redesign, although security architects use their opinions and recommendations to plot future revisions or expansions of the network.

The security team works best when this cycle is compressed, and each role understands and appreciates the contributions of the others. Education remains key to staffing a well-oiled security team, and members in every role benefit from advanced degrees, specialty certification, and perhaps more than anything, specialized experience in the field.
