Where Are All the People to Staff Your Security Operations Center (SOC)?

Transcript

Opening

Welcome everybody to What's the Problem, the show that explores problems that buyers practitioners, business folks, and vendors in the world of cybersecurity face today.

Today, we are fortunate to have Aaron Rosenmund joining us.

Conversation

Mike Krass: Aaron, wave hello to our listeners, even though they can't see you.

Aaron Rosenmund: I'm definitely over here waving. Hey, everyone, thanks for having me.

Mike Krass: I can hear the air whooshing on your microphone. Let's get right into it as we do in all the shows. Aaron, question number one, tell our listeners why you are qualified to discuss security.

Aaron Rosenmund: Qualified is an interesting answer, especially with some of the stuff we will talk about. I'm the director of security research and curriculum at Pluralsight and got into a bunch of more advanced education and then doing research and new evolving spaces to build and provide that to enterprise companies. I've also worked part-time with the Air National Guard for ten years, and I've been doing cybersecurity in the offensive and defensive spaces building out secure networks. And doing that for quite some time, been in and out of doing a lot of consulting with large and small firms and state local tribal and been able to get a very broad spectrum of feedback from a lot of different industries on the different problems that they're working on and how to solve it.

Mike Krass: Awesome! I love it. Aaron, before we go any further, I just wanted to thank you for your service with our National Guard. We appreciate military service, whether active duty, part-time, or whatever. We've got a lot of folks on the show who come with one of those backgrounds, so I just wanted to thank you for your service.

Aaron Rosenmund:Thank you very much.

Mike Krass: There are a lot of problems out there. And you mentioned, public-private, you're talking about military, tribal, talking about a lot of things, and many problems can exist. But let's just name one problem you want to discuss with our listeners today. What's the name of a problem in cybersecurity that's on your mind?

Aaron Rosenmund: The biggest or not the biggest problem, but a problem that's on my mind and something that came up to me immediately with this question is the skills gap issue. With cybersecurity and the skills required to be efficient as cybersecurity evolves so quickly, at the same pace as that technology evolves, we have an issue with tenured-based roles.

As you move up through management and into senior roles, there are enough people with enough experience with the techniques and just the industry in general, as it boomed to fill all these roles. When we talk about the cybersecurity gap, one interesting thing everyone's worried about is how do I get into cybersecurity, and that's a need and thing we need to support people on. We also have this massive gap because of the expansion rate in intermediate to senior roles. It is where we see a lot of problems with just basic things being repetitive issues for how people are breached, for instance, phishing emails, valid password attacks, or just open ports to the internet that shouldn't be open. There are not enough people with enough experience to go around.

Mike Krass: It's funny, you mentioned open ports. A few weeks ago, we had a guest on the show talking about open ports. When we talk about some of these examples you gave, open ports or something else, not the right experience, managerial level. What corporations come to mind that has been breached recently?

Aaron Rosenmund: Colonial pipelines are a good example that everyone at least knows about. So maybe not particularly super recent, but at least something broad, and there's a lot of awareness about it.

SolarWinds is another issue, and it's another one that we can talk about because it's a supply chain attack, a software supply chain attack. Such an advanced attack highlighted the skills required to respond to such an advanced type of breach and the gap. Whereas Colonial Pipeline was more of a great example of an industry that is not probably doesn't consider itself a technology industry. It would struggle to find people who will come over to the IT environment and have the right skills and investment in cybersecurity to remove some of these really simple things that caused this issue. Using valid credentials can identify when people log in from the wrong place, but it requires a pretty developed mature security team if you haven't traditionally invested in that area or even if you decide to start investing in it. It takes quite some time to build. They're going to find people who are like; we just don't have the people to respond or build this properly.

Mike Krass: I'm going to play the pessimist, and I've got an optimist question for later. There's this shortage of people and qualified people. It's not the CPA exam, or we're talking about the Florentines creating a double-entry accounting back in the 14th century. If people aren't qualified, what do we even mean by qualify? Who's qualifying them for the right skills? And number two, does that mean that some people are getting promoted into roles in which I won't use the word qualified again, but maybe they're in over their heads?

Aaron Rosenmund: Most people would probably argue that most of us are generally in our heads. But speaking specifically, your CPA example that's an excellent example. Accounting and dual ledger systems existed for a very long time, and when you go to get an accountant, you have a CPA who has passed the CPA exam. It has been licensed to practice accounting, the same as a lawyer passing the bar or a doctor being given a doctorate and license to practice. It's a very similar situation, and you can trust because there's a unified method of developing trust that someone is qualified to do what they say they can do, or at least what you're asking them to do.

There's no such system in cybersecurity. Still, I would argue that the amount of information or knowledge required is equally as large as a doctorate or a lawyer to be efficient and to be able to sit by someone who can be trusted to ensure that what you're being asked to do is being done. There are a number of certifications that you can get, but they're all by these private bodies. There's no single certification that anyone would say, “Oh, if they have this certification, I know that they can do this job at a certain level of proficiency.” That's not an industry standard yet. It's a bit controversial. I would argue that we need something that says, “Hey, if this person says they've done cybersecurity, and there are all kinds of cybersecurity, it could have been that they reviewed RMF or Risk Management Framework and checkboxes of whether they felt like a given system met given requirements. It can be simple as it doesn't have a directory system for authentication. You can get pretty senior in that role, which is very required. It's only one specialized space within cybersecurity. But when you get senior in that role, people say, “Hey, you can do this risk and compliance stuff. You're probably also a senior person just in security in general. We'll put you over a security operations center.” And that's the more technical roles like incident response and security analyst and threat hunting, and you're not necessarily qualified to handle that because you haven't ever worked at that technical level.

Mike Krass: I just want to keep saying the word Florentine because it's fun. We're going to use this Florentine accounting example. And we're going to draw a correlation there, saying, “You are the best bookkeeper we've ever seen. And so we're going to make it the CFO of the whole company.” But the CFO role in your example of overseeing a security operations center is much different than just bookkeeping and basic general accounting, payables and receivables, and stuff. When you become a CFO, you start looking at how you can grow the business. You're not a marketing person, you're a salesperson, but it is your job to look at deals and deal flow to evaluate those opportunities and enter code into a command-line interface. It is not something you're going to do anymore, so it seems it's similar to the example of just like your responsibility. You're going to change in a huge way.

Aaron Rosenmund: There's a lot of what you don't know, and you've seen things from your perspective because it's potential that for a lot of senior roles in that industry didn't even exist, or at least like a sock. The security operations center is not necessarily a term that people would have known what it was ten years ago or 15 years ago. When we talk about that didn't even exist as you did when you were in a technical role. It's really difficult to understand exactly what that function is and how not just the things that current attacks. You can trust your people and all that kind of stuff. But even moving into a senior analyst role, you're not prepared to be a senior analyst and catch things because you're unaware of what that threat surface looks like.

Mike Krass: Adult learning theory teaches us that adults hear things like the ones we're saying and almost immediately get to. What am I supposed to do with this information? As much as we tried to retain our childlike curiosity, that cloud looks like a dinosaur and I'm okay with that. I don't need to think about how the clouds form. It's going to be a rain cloud. And oh, shoot, our barbecue grill out, or adults think too many kids are just like a dinosaur. It's beautiful.

Let's take it since most everyone here is an adult listening to the show. What do I do about this? Is it a public-private partnership to create some sort of international, or at least at the national level here in the United States, some sort of thing that you are just required to know? Accounting has GAAP accounting, Generally Accepted Accounting Principles (GAAP) accounting. Do you think it's a public-private partnership? Is it all in the public sector to figure this out in the private sector? What is your gut telling you?

Aaron Rosenmund: There are a lot of initiatives that are trying to approach. But because it's such a difficult thing to grasp, anything that moves too slowly has difficulty gaining traction. It's exactly what you said, a public-private partnership, where we're going to develop some independent nonprofit capability to provide a licensure mechanism for different roles. And I do realize that there is still a skills gap. We don't have enough employees in general, so I don't want that to discourage people from learning either. But I think my main point is, let's get the professionals at an expert level in their given areas. Let's all agree on what that looks like. Put them in a position of licensure, where we say, “Hey, you need to have at least one licensed person in this role,” And that’s how it has to be, but not everybody in your entire organization needs to be licensed, you have someone who doesn't know what they're talking about. I don't know what that scale would look like. If you're a larger company, you need five or four, whatever it is. But then underneath you, even something similar to the journeyman, like trade skill system where you're working to gain that license or capability.

You can now go fill that role in another organization or in the organization that you're in. Suppose we can develop into that system, where we do have that kind of beyond an internship. In that case, I can't think of the word I'm looking for here if the trade school program allows you to work towards it, but under the supervision and guidance of a licensed individual or licensed expert from a licensed organization that we agree on nationally.

Mike Krass: The word that comes to mind is an apprenticeship program. You're a true apprentice, and we can go back to 13th century Florence because I want to go there. It's like the blacksmith who always had a couple of guys working under him younger. You probably didn't hang out there because they were younger and are still learning the trade. Were they learning the business side of what we charge for this stuff? How long does it take to produce these five swords for the Medici family? How long is it going to take five sorts? How do we do deliveries? How do we do accounting? How do we secure our shops so people don't come in and just take the five beautiful swords that we're supposed to deliver to the men and cheese tomorrow? The most obvious is how do we make the swords and handles and assemble them? How do we show this craftsmanship? We're not just handing over-sharpened steel. I'm producing something that should last the balance of time for the owner, so it reminds me of an apprenticeship there.

Aaron Rosenmund: Apprenticeship is the exact word I was looking for. Thank you for that, Mike. And then when you went to when you send my Digi family, I'm now thinking of an apprenticeship like under DaVinci because I watched that show and stars. I thought it was great.

Mike Krass : There were many apprentices to sculptors, which is the easy one. Because they used to like Michelangelo's David, which is in Florence, was rubbed down by straw. And Michelangelo didn't sit there for 30 days after he finished it and rubbed it down with handfuls of straw, but his apprentices did right. Those people helped him bring the stone in and then evaluate different stones. And when he was out, they made the first cuts when David hadn't been sculpted. We need to take off the corner, like any apprentice can take off the corners, just take them off, write anything they need to go. And so it's those little pieces of seeing the project all the way through from the moment that stone left the quarry. The apprenticeship involved Michelangelo down to David, but this rock is scratchy a first-world problem. It's like this beautiful sculpture is scratchy. Let's just rub straw on it for a couple of months, and then it'll be soft and great. And that’s what they did from start to finish. They were that apprentice was involved in the process.

Aaron Rosenmund: That's an excellent example too. And I hope it fits me being able to say I don't want this to come across as gatekeeping. Education is always key for anyone getting into the industry or even transitioning from one industry to another. We can accomplish anything we want through education. We all agree that education is key to our future and general development, not just technology. But if anything, some structure like this would enable, as you said, some people who want to get into cybersecurity work to run the metaphorical straw and the sculpture. And that's okay, because that's your skill set, and you're going to be able to come to learn this. We have slots available for that because that's the system that's been put in place to develop you.

Mike Krass: Absolutely. We left 13th century Florence, unfortunately. Aaron, let's take this to the final question of the show. Tell us and tell the listeners about a terrible haircut you've had at one point in your life.

Aaron Rosenmund: The first thing that comes to mind is when I was a kid. When I was growing up, I occasionally went to get a haircut at the local Supercuts or whatever it was. Sometimes, my dad would get a wild hair and decide he wanted to cut my hair, and he could do it because he shaved it. But to be fair, he was significantly bolded at 30. That was a perfectly good haircut, and for me, not so much. He attempted to do better and do like a fade instead of ending up with a hard line around my head. It looks like a bowl cut except a buzz cut version of a bowl cut. It was probably the most embarrassing one that I couldn't wait for that thing to grow out and get fixed, and I had to live with that shame for a bit at school.

Mike Krass: Well, Aaron, I appreciate your vulnerability with our listeners. I'm sure they're all chuckling like I am right now. We've all had those haircuts as a kid. It happens, man. It's just part of growing up.

Aaron Rosenmund: It's a rite of passage.

Mike Krass: Awesome, Aaron. Well, thank you so much for spending time with our listeners today. And to our listeners, thank you for listening to What's the Problem, the show that explores cybersecurity problems that vendors, practitioners, business folks, operators and purchasers, and people who buy cybersecurity products or solutions based in today's world will hear you next time. Thanks, Mike.