Demonstrating the value of your Intrusion Detection Program and Analysts
Bojan's last couple of diaries on Analyzing Network Traffic Part 1 and Part 2 got me thinking about all the knowledge required, as well as the work and effort that intrusion analysts go through, to protect the networks they monitor. Oftentimes this knowledge and skill is gained during off-duty hours, because this world is more than just a job. So, how do you demonstrate to management the value of your intrusion detection program and your analysts? One of the toughest barriers to breach is taking data from the technical side and presenting it in a meaningful way to the management side. In this specific instance, I wanted to focus on translating to management the value of intrusion detection and the analysts. I have heard it said more than once "We have a firewall and IDS, they will alert us when something happens" or "We have a tool that can monitor our network, we don't need all these people, do we?" and one of my favorites, "We have antivirus, isn't that enough?" In today's tough economic times, one of the first things that usually gets cut in the budget is security. The tools generally stay in place, but the number of people required to manage and monitor them drops. The goal is to make management know and understand the value of your intrusion detection program so they realize they can't afford to lose the service you provide.
Generally, the role performed by the analysts is only brought to light when there is an incident. Day after day goes by without a major issue, and the analysts are out of sight and out of mind. That often includes holidays, when everyone else is off but the analyst is still working to protect the network. There are many ways that you can bring to light what your analysts are doing. Metrics are always the first thing that comes to mind, but sometimes it's difficult to measure what an analyst does in a way that means something to management. There are also many positions on whether these numbers should be tangible or theoretical. I think it's more than metrics, but metrics have their place as well. No matter how you approach this, you have to show value added to your company's or organization's mission by making sure management understands that your group exists and the role it performs. Here are some thoughts:
- Have a one-page newsletter highlighting your group and its accomplishments, as well as what it's working on. (Does management know that you had a block put in place for a significant threat until a patch was issued, which means your network did not suffer any impact?) I have found that management likes to brag about things like this when others are suffering the effects from it. It also makes them appreciate your efforts.
- Highlight each of your analysts and their successes by having a "Catch of the Week/Month" writeup that includes their photo.
- Keep them informed of current and emerging threats (in easy-to-understand, non-technical terms). A lot of the time they have no idea such a threat was possible or exists.
- Provide them metrics on the number of alerts that occur during each shift and approximately how long it takes to look at them. Tracking this against the number of analysts on a shift will show the residual, if any: what did not get looked at in a timely fashion. Management needs to understand the risk and agree that they are willing to accept the risk.
- How many blocks (firewall, email, web, etc.) were put in place to protect the network? That shows management a proactive stance.
- Keep management informed of the costs being incurred by other companies who have to clean up after being compromised. Do not imply that it won't happen on your network. It will; it's just a matter of time. But the cost is much less if early detection occurs. Skilled analysts are key to early detection.
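The shift-coverage metric from the list above (alerts per shift, time per alert, analysts on shift, and the residual that did not get looked at) is simple enough to compute straight from an alert queue export. The script below is an added example and is not code from this diary or from ISC; the shift schedule, the 10-minute-per-alert triage estimate, the 60-minute "timely" threshold, and all alert and block records are constructed assumptions. It reports two residuals for each shift: the projected one from the diary's capacity model (alerts beyond what N analysts can triage in eight hours), and the observed one (alerts never triaged, or triaged past the threshold), plus a per-control count of proactive blocks for the "how many blocks" line.

```python
"""Shift-coverage metrics for an IDS alert queue.

Added example, not code from the ISC diary. The shift boundaries, the
per-alert triage estimate and the sample records below are all assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed shift schedule: name -> (start_hour, end_hour); "night" wraps past midnight.
SHIFTS = {"day": (6, 14), "swing": (14, 22), "night": (22, 6)}
SHIFT_MINUTES = 8 * 60


@dataclass(frozen=True)
class Alert:
    alert_id: str
    fired: datetime
    triaged: Optional[datetime]  # None means nobody ever looked at it


def shift_of(ts: datetime) -> str:
    """Return the name of the shift on duty when an alert fired."""
    hour = ts.hour
    for name, (start, end) in SHIFTS.items():
        if start < end and start <= hour < end:
            return name
        if start > end and (hour >= start or hour < end):
            return name
    raise ValueError(f"hour {hour} is not covered by SHIFTS")


def shift_metrics(alerts: List[Alert], analysts_on_shift: Dict[str, int],
                  sla_minutes: float = 60, minutes_per_alert: float = 10.0) -> dict:
    """Per shift: alert volume, how fast alerts were looked at, and two residuals.

    projected_residual is the diary's capacity model: alerts beyond what the
    analysts on shift can triage at minutes_per_alert each over an 8-hour shift.
    observed_residual counts alerts never triaged, or triaged later than sla_minutes.
    """
    by_shift: Dict[str, List[Alert]] = defaultdict(list)
    for alert in alerts:
        by_shift[shift_of(alert.fired)].append(alert)

    report = {}
    for shift, items in by_shift.items():
        analysts = analysts_on_shift.get(shift, 0)
        capacity = analysts * SHIFT_MINUTES / minutes_per_alert
        delays = [(a.triaged - a.fired).total_seconds() / 60 for a in items if a.triaged]
        late = sum(1 for a in items
                   if a.triaged is None or (a.triaged - a.fired).total_seconds() / 60 > sla_minutes)
        report[shift] = {
            "alerts": len(items),
            "analysts": analysts,
            "mean_triage_delay_min": round(sum(delays) / len(delays), 1) if delays else None,
            "projected_residual": max(0, round(len(items) - capacity)),
            "observed_residual": late,
        }
    return report


def blocks_by_control(block_log: List[dict]) -> Counter:
    """Count the proactive blocks put in place, per control, for the same report."""
    return Counter(entry["control"] for entry in block_log)


def sample_alerts() -> List[Alert]:
    """Constructed sample: a quiet day shift and a night-shift burst of 60 alerts."""
    base = datetime(2022, 12, 3)

    def at(hour: int, minute: int) -> datetime:
        return base + timedelta(hours=hour, minutes=minute)

    day = [Alert("D1", at(8, 0), at(8, 12)),
           Alert("D2", at(9, 30), at(9, 45)),
           Alert("D3", at(13, 50), at(14, 5))]
    night = []
    for i in range(60):
        fired = at(23, i)
        if i < 40:        # the lone night analyst keeps up with the first 40
            triaged = fired + timedelta(minutes=10)
        elif i < 45:      # the next five get looked at, but two hours late
            triaged = fired + timedelta(minutes=120)
        else:             # the last 15 are never reviewed
            triaged = None
        night.append(Alert(f"N{i}", fired, triaged))
    return day + night


SAMPLE_BLOCKS = [  # constructed block log; targets are documentation-range placeholders
    {"control": "firewall", "target": "198.51.100.7"},
    {"control": "firewall", "target": "203.0.113.0/24"},
    {"control": "email", "target": "sender: invoice@example.invalid"},
    {"control": "web", "target": "hxxp://phish.example.invalid/login"},
]


if __name__ == "__main__":
    staffing = {"day": 2, "swing": 2, "night": 1}  # assumed analysts per shift
    for shift, row in shift_metrics(sample_alerts(), staffing).items():
        print(shift, row)
    print(dict(blocks_by_control(SAMPLE_BLOCKS)))
```

The two residual figures tell management different things: the projected residual says a single night analyst is mathematically short 12 alerts of capacity on a burst like this, while the observed residual says 20 alerts actually went unreviewed or late. When the observed number is consistently above the projected one, the per-alert estimate is too optimistic; when both are nonzero, the decision to accept that risk or staff the shift is the one the diary asks management to make explicitly.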
These are just a few ideas, and you will have to tailor this to what means something to your management. Solicit their feedback and ask them if there is something more or less they would like to see. Start with something for them to look at; they usually do not know what to ask you for because they don't understand this world. The bottom line is to make sure management knows your team exists and the efforts that your team is putting forth to protect the network. If you have ideas or things that worked for you, please let us know.