Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Demonstrating the value of your Intrusion Detection Program and Analysts - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Demonstrating the value of your Intrusion Detection Program and Analysts

Bojan's last couple of diaries on Analyzing Network Traffic Part 1 and Part 2, got me to thinking about all the knowledge required as well as the work and effort that intrusion analysts go through to protect the networks they monitor.  Often times, this knowledge and skill is gained on off duty hours because this world is more than just a job.  So, how do you demonstrate to management the value of your intrusion detection program and your analysts?  One of the toughest barriers to breach is taking data from the technical side and presenting it in a meaningful way to the management side.  In this specific instance, I wanted to focus on translating to management the value of Intrusion Detection and the analysts.  I have heard it said more than once "We have a firewall and IDS, they will alert us when something happens" or "We have a tool that can monitor our network, we don't need all these people do we?" and one of my favorites "We have Antivirus, isn't that enough?"  In today's tough economic times, one of the first things that usually gets cut in the budget is security.  The tools generally stay in place, but the number of people required to manage and monitor them drops.  The goal to to make management know and understand the value of your intrusion detection program so they realize they can't afford to lose the service you provide.

Generally, the role performed by the analysts is usually only brought to light when there is an incident.  Day after day goes by without a major issue and the analysts are out of sight and out of mind.  That often includes holidays when everyone else is off but the analyst is still working to protect the network. There are many ways that you can bring to light what your analysts are doing.  Metrics are always to first thing that comes to mind, but sometimes its difficult to measure what an analyst does in a way that means something to management.  There are also many positions on whether these numbers should be tangible or theoretical. I think its more than metrics, but metrics have their place as well.  No matter how you approach this, you have to show value added to your company/organization's mission by making sure management understands that your group exists and the role it performs.   Here are some thoughts:

  1. Have a one page newsletter highlighting your group and its accomplishments as well as what its working on. (Does management know that you had a block put in place for a significant threat until a patch was issued which means your network did not suffer any impact?)  I have found that management likes to brag about things like this when others are suffering the effects from it.  It also makes them appreciate your efforts. 
  2. Highlight each of your analysts and their success by having a "Catch of the Week/month" writeup and include their photo.
  3. Keep them informed of current and emerging threats (in easy to understand non-technical terms)  Alot of times they have no idea such a threat was possible or exists.
  4. Provide them metrics of the number of alerts that occur during each shift and approximately how long it takes to look at them.  This being tracked by the number of analysts on a shift will show the residual, if any,  of what did not get looked at in a timely fashion.  Management needs to understand the risk and agree that they are willing to accept the risk.
  5. How many many blocks (firewall, email, web, etc.) were put in place to protect the network?  That shows management a proactive stance.
  6. Keep management informed of the costs being incurred by other companies who have to clean up after being compromised.  Do not imply that it won't happen on your network. It will, its just a matter of time.  But the cost is much less if early detection occurs.  Skilled analysts to key to early detection. 

These are just a few ideas and you will have to tailor this to what means something to your management.  Solicit their feedback and ask them if there is something more/less they would like to see.  Start with something for them to look at, they usually do not know what to ask you for because they don't  understand this world.  The bottom line is to make sure management knows your team exists and the efforts that your team is putting forth to protect the network.  If you have ideas or things that worked for you, please let us know.

 

Lorna

165 Posts
ISC Handler
Since you say the tools usually stay in place, but the number of analysts gets cut... Do you think it's best for analysts to move from specializing in network analysis, and acquire skills in host based forensics and malware analysis?
Anonymous
Very good article! I'm always looking for new ways to increase the team dynamic while still recognizing individual successes. You just have to be careful with metrics, because they can easily get into the hands of a level of management who can't properly interpret them.

I'm big on stressing the importance of team learning from incidents. I just wrote an article on this a few days ago that discusses using the medical practice of Morbidity and Mortality (M&M) conferences to learn from incidents. This is pretty relavent to this article.

http://chrissanders.org/2012/08/information-security-incident-morbidity-and-mortality/
Anonymous
I should say I meant *also* acquire skills in host based forensics and malware analysis.
Anonymous
Joe, That's a hard question for me because I have the mentality of focusing on what I love to do. For me its packets and malware. If you enjoy malware analysis and forensics, then by all means work to learn those areas. They are full time worlds all on their own:) Both will also make you a much better network analyst and a more well rounded security professional. I think the need for analysts is very much alive and well; the tools are only as good as the analysts understanding and interpreting what they are saying. I do believe that the problem lies in management not understanding the importance of a network analysis team. Management won't keep around any team they don't see as essential. I would submit if they get reduce the number of analysts, they probably won't keep around a malware team:( Just my opinion.
Lorna

165 Posts
ISC Handler
Chris, I liked your article. The M&M described here is very similar to the military side of doing an After Action Review (AAR) and I am a BIG fan of this process. I make them small group size and we really look at what we did right, what we did wrong and where we need to improve and how. No finger pointing is allowed. There is always more than one way to approach things. I agree that metrics can cause problems. Its a balancing act to get them right and the consumers of them trained to understand their meaning. Thanks for the comments.
Lorna

165 Posts
ISC Handler
Working at a shop where I am the only intrusion analyst, number four is a great idea to me. It's a rare and uncluttered day that I can get through most of the alerts by the end of my shift, and evening, weekend and holiday coverage consists of me occasionally looking at alerts sent to my smart phone. I think keeping some metrics of the number of alerts reviewed, alerts NOT reviewed and how many required analysis and how many required some sort of action would be a great idea.
JeffSoh

31 Posts

Sign Up for Free or Log In to start participating in the conversation!