
When You Point a Finger, Three Point Back At You

March 26, 2014

Sometimes, you reach a point where when you look back, you shake your head and wonder how it ever was that you got there. That’s a bit how I feel about the security industry. It took off like a bat out of hell, full of a bunch of misfit kids trying to do good and satisfy their inner curiosities, took a turn at federal backing through regulations, and got lost in the woods of bureaucracy. Meanwhile, we were all trying to convince ourselves that we hadn’t sold out – we’d bought in, and we were making a difference, but that difference has to be glamorous and sexy. 

I hate to break it to everyone, but security isn’t sexy. Sure, the very visible pentesting and malware research seems sexy on the surface, but for every one of them, there are a thousand more fighting the good fight on the front lines of battle – inside the organizations being targeted for breach. And yet somehow, we’ve left those valiant soldiers with the idea that if they do their time in the trenches, they too can grow up to be poster children for the revolution on the offensive side. It is a prize to be obtained, while the true heroes are unappreciated and unrewarded.

This has led us to our typical career progression in security. We have our fresh little newblets start out in a SOC rotation, slaving away at odd hours, mindlessly watching for alerts to pop up. When they get a little more seasoned, we move them into analyst roles, poring over scan results and trying to predict where an attack may be likely. Finally, when they have a good idea of where attacks are possible, we let them try their hand at the offensive side. It seems logical, right?

Except that it’s not. Look at the recent breaches – what is the one thing we’re consistently hearing? Alerts were ignored. Target and Neiman Marcus both have shown that some of those fresh little newblets ignored critical alerts. As a former fresh little newblet in a SOC rotation, I recall oh so clearly what happened the first time I saw one of these alerts on my shift. 

Hey, what’s this mean? 

Oh, that’s noise. We see those all the time. Just hit “ignore all”. 

As simple as that, I could have become the person on the end of the finger pointing. With little training, little supervision, and little sleep, our most critical frontline roles are staffed by those least able to recognize a legitimate attack. Even with a few years’ experience, security operations folks learn only to recognize regular patterns, not to detect anomalies.
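To make the difference between “ignore all” and actual anomaly detection concrete, here is an added example that is not part of the original post. It triages a batch of constructed alerts: signatures on a known-noise list are suppressed only while their volume stays within a per-signature baseline, anything that spikes well above its baseline or has never been seen before is escalated, and the rest is queued for review. The alert data, the baseline counts, the signature names and the three-sigma threshold are all assumptions made up for the illustration.

```python
"""Alert triage: suppress known noise without blinding yourself to anomalies.

Added example, not code from the original post. All alerts, hosts, signature
names and baseline numbers below are constructed for illustration.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed alerts from one shift as (signature, source host).
# 40 expired-certificate alerts from the build farm are the routine noise the
# post describes; 12 beacon alerts from a single workstation are not.
SAMPLE_ALERTS = (
    [("ssl_cert_expired", f"build-{i:02d}") for i in range(40)]
    + [("outbound_beacon", "ws-1042")] * 12
    + [("port_scan_internal", "vuln-scanner-1")] * 2
    + [("lsass_dump_attempt", "dc-01")]
)

# Constructed baseline: daily counts per signature over the previous five days.
BASELINE = {
    "ssl_cert_expired": [40, 38, 45, 42, 41],
    "outbound_beacon": [0, 1, 0, 0, 1],
    "port_scan_internal": [2, 3, 1, 2, 2],
}

# Signatures an analyst has reviewed and agreed are noise. Suppression is
# conditional on volume staying within baseline; it is never a blanket "ignore all".
NOISE_SUPPRESS = {"ssl_cert_expired"}


def hosts_by_signature(alerts):
    """Count alert sources per signature so an escalation names where to look."""
    by_sig = defaultdict(Counter)
    for sig, host in alerts:
        by_sig[sig][host] += 1
    return by_sig


def triage(alerts, baseline, suppress, z_threshold=3.0):
    """Return {signature: decision string} for one batch of alerts.

    - never-before-seen signature            -> escalate
    - volume more than z_threshold sigma above its baseline mean -> escalate
    - otherwise, on the suppress list        -> suppress
    - otherwise                              -> review
    """
    counts = Counter(sig for sig, _ in alerts)
    sources = hosts_by_signature(alerts)
    decisions = {}
    for sig, n in counts.items():
        history = baseline.get(sig)
        if history is None:
            decisions[sig] = f"escalate: never seen before ({n} from {dict(sources[sig])})"
            continue
        mu = mean(history)
        sd = pstdev(history) or 1.0  # a flat history would otherwise divide by zero
        z = (n - mu) / sd
        if z > z_threshold:
            top_host, top_n = sources[sig].most_common(1)[0]
            decisions[sig] = (
                f"escalate: {n} today vs baseline mean {mu:.1f} (z={z:.1f}), "
                f"{top_n} of them from {top_host}"
            )
        elif sig in suppress:
            decisions[sig] = "suppress: known noise, volume within baseline"
        else:
            decisions[sig] = f"review: within baseline (z={z:.1f}) but not a suppressed signature"
    return decisions


if __name__ == "__main__":
    for signature, decision in triage(SAMPLE_ALERTS, BASELINE, NOISE_SUPPRESS).items():
        print(f"{signature:20s} {decision}")
```

The point of the baseline check is that the same signature can be noise on Monday and the first sign of an intrusion on Tuesday; a blanket “ignore all” cannot tell the two apart, while a per-signature volume check with a named source host gives the analyst on shift something concrete to act on.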

Personally, I think we’re doing it all backwards. Taking our newblets under our wings, we should teach them to think like hackers as penetration testers. Only then can they progress into understanding how to remediate vulnerabilities and detect attacks in progress from the defensive side. Instead of asking them to prove themselves doing the dirty work that we don’t want to touch, we should ensure our SOCs are staffed with the appropriate seniority and expertise to detect these real-time threats. 

How can we bring sexy back to the trenches? Maybe if we get a new movie with someone as hot as Trinity using Snort instead of Nmap, we’ll finally attract the highly skilled talent we so desperately need. Until then, it’s up to the business side to ensure these positions are sufficiently attractive by demanding expertise and providing appropriate compensation. As long as the salaries for operations remain firmly entrenched in “entry level”, we will continue to see cases like this where alerts are ignored and dismissed without a full understanding of the impact.
