Developing Situational Awareness
Today's Threats Require Network Security Pros to Broaden Skills
With continuous attacks on organizations' networks, it is impossible for network security analysts to mitigate them one by one. Instead, they must learn to identify and mitigate attacks on a broader level by combining and analyzing data with threat patterns across the network.
It's all about network situational awareness, says Ed Stoner, a senior researcher at the Software Engineering Institute at Carnegie Mellon University. Since 1998, Stoner has researched new approaches to analyzing broad network activity. A major part of his research focuses on this concept.
Network situational awareness is essentially the ability to monitor large networks and analyze bulk data collections from various data sources, with the ultimate goal of detecting malicious activity. According to Stoner, this approach is crucial for network and security analysts who must defend networks against a new level of threats and malicious activity such as Stuxnet.
"The gap we often find is that network practitioners are still very narrowly focused in looking at network flow data for signs of intrusion," he says. "But from the network traffic alone, it is not easy to distinguish malicious traffic and not malicious traffic."
For example, if there is a piece of malware in the network, it may use the ACTP protocol and transfer data back and forth just like a web browser does. This may appear normal to a network analyst.
In this case, network security analysts need to combine behavioral data about malicious artifacts with the network traffic flow data to understand malicious activity across the network.
"Without combining relevant data sets impacting the network, security professionals will fail in characterizing threats and targeted intruder activity," Stoner says.
Broadened Career Options
The bonus: By effectively targeting vulnerabilities within networks, network security professionals who embrace situational awareness also can see a positive impact on their careers.
This broadened knowledge provides practitioners with more career options in multidisciplinary areas of incident response, malware analysis, web security and data analysis. "These are all hot, in-demand job skills within the IT security industry today," says John Reed, executive director at Robert Half International, an IT staffing firm.
Organizations are heavily investing in practitioners who are entrusted with network security tasks and have a holistic view of protecting their environment to ensure their data is safe.
The number of network security-related job openings listed on Dice.com, the largest IT job search site, has risen significantly in 2012. Employers have posted 13 percent more jobs for network specialists so far this year.
Reed also finds many network security specialists escalating to leadership positions in IT and information security. The key skill employers demand is a broad understanding of protection and mitigation strategies to prevent attacks from taking place, he says.
"All they want is an individual who can keep their company's networks safe from ongoing cyber threats like malware and hacking."
But having good situational awareness to proactively identify threats requires three key skills, Stoner says.
3 Key Skills
The must-have skills for network security pros who want to enhance their situational awareness:
- Incident Response: From the situational point of view, the network analyst should be able to prioritize among incidents such as an insider threat or an external breach. Practitioners should know which type of incident needs immediate attention. They should also collect and analyze information based on the prevalence of incidents involving insider-threat behaviors or breach activity, and act accordingly to control the most damaging ones first.
- Malware Analysis: To be able to identify malicious activity, network security professionals must be aware of the different behaviors malware exhibits. They must understand the network and host-based indicators that reveal the presence and activity of malware.
For instance, network security pros should be able to identify if the malware is persistent and understand the mechanism it uses to keep running after a machine is rebooted, or how far the malware has spread and what likely attacks can be expected.
Practitioners who can conduct reverse engineering are highly preferred because they are in a position to understand the inner workings of malware such as viruses, worms and trojans. Further, network professionals must be familiar with tools such as VMware, Winalysis and Snort.
- Developing Algorithms: Network security professionals must be able to query and conduct interactive analysis to find meaningful correlations and patterns in the combined data sets to target intrusions on the network level.
Finding candidates with all of these skills is tough, Stoner says. But for information security pros looking to enter or transition into network security, they are a must. Stoner recommends they enroll in specific security networking degree programs, or the master of science degree in information security offered by SANS Institute.
"These are skills which provide ground truth behavior to network professionals on what's going on in their environment," Stoner says. "Practitioners can no longer afford to shy away from this learning."