Thursday, March 12, 2020
An independent guest blogger wrote this blog.
If you do a web search for "cybersecurity skills gap," you'll get many, many pages of results. It's certainly a hot topic in our industry. And it's a matter that security practitioners and human resources people often disagree on.
But before I get further into the matter, it would help to know what it is we're talking about when we use the phrase "cybersecurity skills gap."
From the perspective of employers, it means that potential job applicants don't have the specific cybersecurity skills they're looking for, and possibly the people they already employ don't have the skills to be promoted into new cybersecurity related positions. This can be a really tricky area, because computer technology evolves very quickly, and often universities, colleges, and vocational schools cannot change their curriculum at the same speed. Accordingly, the cyber threat landscape can change quickly too!
From the perspective of many job seekers and security people, including myself and many of my colleagues I've spoken with, the phrase "cybersecurity skills gap" can sound like a taunt. Some of us have spent years in computer science programs, and many more years in IT courses and acquiring industry specific certifications. So we don't have a particular niche certification or ten years experience with Windows Server 2016. We have loads of related knowhow, and we match many of the other job requirements, why won't employers give us a chance and let us learn the rest? A few others have had a knack for computing since childhood, but the expense of college tuition and certification exams can seem insurmountable when you're just starting out and have little money. How do we get our foot in the door in the first place when you need experience for a job, but you can't get experience until you get a job?
The cybersecurity skills gap phenomenon can hurt people in the industry who want good jobs, but it hurts companies and the security of their networks even more. According to the 2018 (ISC)² Cybersecurity Workforce Study, more than 2.9 million cybersecurity related job positions worldwide were unfilled. In the time that's passed, that number likely grew. These are positions spanning a wide range of roles, from SOC analysts to DFIR, from penetration testers to application security specialists. Not having people work in these positions that organizations have recognized as needs inevitably weakens cybersecurity everywhere, and companies lose huge amounts of money in cyber attacks and data breaches.
I have my own personal views on the matter. But cybersecurity people on Twitter also talk a lot about unrealistic job posting expectations and their impact on the skills gap.
Shawn Thomas is a SOC manager. He tweeted about his exasperation with job posting requirements.
"If your entry level job in infosec requires:
At least 3 certs
Prefers two years of experience.
YOU ARE NOT ALLOWED TO COMPLAIN THAT ITS HARD TO FIND CANDIDATES
Additionally the discouragement students have when they hear that should make you feel bad about yourselves."
I also have an industry friend who has done a lot of her own research into the skills gap matter. Plus she has experience hiring for cybersecurity roles, experience that I lack. Alyssa Miller is a security evangelist and hacker, and she shares her knowledge at so many security conferences that it'd overwhelm me to do the same. She has written many posts on her blog about the skills gap, so I wanted to learn a bit from her.
She recognizes many factors in the skills gap problem, ranging from unrealistic job posting requirements ("Must have a CISSP, a Master's in Computer Science, and ten years experience with Metasploit Framework 5.0. An entry level role, salary $40,000 per year."), to interviewers' prejudice against body piercings and tattoos (of which I have many). But I wondered if a corporate reluctance to spend time and money on training may be a factor too.
She said, "I absolutely think companies are reluctant to invest in training people and it definitely is a contributing factor to the skills gap. Over the last few decades, budgets for training have been one of those easily leveraged pools of money that takes an early hit when cost cutting is needed. Additionally, some organizations seem to be afraid that if they pay to train their people, those people will be worth more in the open market and will leave the company, nullifying their investment. What they fail to see is that by investing in those people and showing that they value them, that actually encourages them to stay."
I hope an HR manager is reading this! Ping-pong tables may be nice, but providing your employees with specific training so they can take on roles with greater responsibility within your organization is much nicer.
Interviewers also need to broaden their idea of what a good security practitioner looks like. They could physically look like anyone! They could be a 40 year old white man in a Brooks Brothers suit, but they could also be a 20 year old multiracial woman in a wheelchair with purple hair and a wardrobe from Hot Topic. Conversely, you shouldn't be afraid to hire a 60 year old either. I asked Miller about a term frequently used in HR, "culture fit."
"There's a lot of bias in the hiring process and yes culture fit is one of them. Security and tech in general, thrive on diversity. More than that, we need it to truly advance and be better. Diversity of thoughts, experiences, ideas, backgrounds, it all helps create better technology and better solutions to problems. Culture fit is a term that gets overused and misapplied. As you pointed out, hiring managers who don't really understand how to develop culture or who are not well trained in evaluating talent will often default to finding someone who's like the people we have today and term it culture fit."
We'd like to have a positive impact on companies that hire cybersecurity people. So Miller has some advice for you.
"(My advice) first is investing in your people as we discussed, but not just the security team. Develop clear skills development plans that allow resources to transition from other non-security or even non-IT roles into security and then enable those plans. Second, you have to actively work to eliminate biases in your hiring. Not just along the lines of things like ethnicity, gender, and so forth, but things like appearance, experience, and so on. Be willing to hire the person with purple hair or a full sleeve tattoo. Artificially limiting your pool based on foolish criteria is always a bad idea. Finally, embrace remote working. I can't believe in 2020 we're still having this conversation but I'm amazed how many roles I see that still require a local in-office resource when the technology exists for people to do that job from a remote location. I've heard from hiring managers who are still afraid of how to manage remote people so they just don't allow it. That's wrong on so many levels."
I honestly believe that a lot of companies really do want to do something to help close the skills gap and improve the cybersecurity of their organizations by hiring more people. Millions of unfilled cybersecurity job roles hurts everyone involved-- people in the industry, people looking to get into the industry, businesses of all sizes in all industries, and everyone's security as a whole. Fortunately, this is a solvable problem. But it will take a lot of team work and a lot of mind opening.
But that's just my opinion and the opinion of many others in our industry.
What is LogRhythm Labs?
Research and deliver world-class security, compliance, intelligence, and operational risk content to protect our customers from damaging cyberthreats, meet their compliance needs, and reduce their operational risk.
Labs, therefore, exists to provide the threat, compliance, and operational content that enables the LogRhythm platform to provide out-of-the-box value and usability to our customers.
Labs content is delivered within discreet modules consisting of analytics rules, reports, searches, and dashboards. Additional content may also include automation via our SOAR offering, RespondX, or automated lookup via Web Contextualisation.
Content is regularly added, actively maintained, and released as part of our weekly Knowledge Base update directly into the platform. Customers can use as much or as little of the content as they like, and we include the ability to clone the provided content for bespoke requirements.
Labs consists of three focused teams: Compliance Research, Threat Research, and Strategic Integrations. I'll explain these in more detail below.
LogRhythm employs a team of subject matter experts in the compliance space. And when it comes to compliance, change seems to be the only constant. New regulations are released, existing regulations change over time, and our customers rely on LogRhythm to help them comply with complex regulatory frameworks and standards.
LogRhythm delivers compliance content in support of numerous regulatory frameworks, including NIST, HIPAA, ISO27001, GDPR, and PCI, as well as many other regulatory frameworks from the United States, Europe, the Middle East, and the Asia Pacific regions.
The Compliance Research team has also developed the Consolidated Compliance Framework. This is a unique offering designed to offer greater efficiency, and to reduce management and analyst overhead to customers needing to demonstrate compliance with multiple mandates or regulations.
When amendments are enacted to any of the supported regulations, we develop the necessary updates to the compliance module's library of report packages, investigations, rules, and alerts that are specifically mapped to individual controls as specified by the relevant regulations.
LogRhythm's Threat Research team continuously researches the latest trends in cyberthreats. Cyberthreats are constantly evolving, and the methods used in a malicious attempt change over time. Furthermore, as new technology (e.g., mobile devices, sensors, and internet of things, or IoT) is released by vendors, threat actors begin to look for methods and techniques to compromise those devices immediately.
The Threat Research team develops and maintains content aligned with the threat landscape as it evolves, considering the latest tactics and techniques that attackers are leveraging. The team leverages original research, threat intelligence, and other industry resources, as well as their own wide experience to deliver effective threat detection capabilities.
Skilled cybersecurity resources are at a premium, and it's beyond the reach of most organizations to build and resource their own threat research unit. Threat Research does the research and content development that provides all of our customers with wide and deep threat detection capability right out of the box, providing enormous added value beyond a simple software platform. Even those organizations that are resourced for their own threat research can get a significant boost to the efficacy of their operations by using our prebuilt content for their core requirements, and as a powerful basis for further development.
The team maintains our User and Entity Behavior module, as well as our Network Detection and Response module. During 2019 a brand-new module aligned to the MITRE ATT&CK framework was also released. Because ATT&CK is so comprehensive and constantly growing, we have adopted an Agile release methodology to enable iterative updates, thus allowing new content to be continually delivered to our customer base. This approach will also enable us to release content supporting the additional frameworks MITRE has launched aligned with Cloud and ICS.
Our Strategic Integrations team is comprised of subject matter experts in integration and operational technology. This teams' research spans a wide range of verticals, including healthcare, transport, energy, manufacturing and more. This research encompasses ICS, OT, sensors and medical devices, in addition to the operational systems used in the relevant industry vertical (for example electronic health record systems, human resource management systems, etc). The goal is to reduce risk and pre-emptively identify risk as it affects the operations of a business.
This team delivers content that can assist in reducing operational risk, gaining insight into OT, IoT, and IIoT device activities, promoting good IT hygiene, and integrating specialist device types into the LogRhythm ecosystem. As you can imagine, this is a busy and constantly changing environment as digital transformation affects every aspect of life, and more and more devices interact with our physical as well as digital lives.
What Content Did Labs Release in 2019?
- Extensive Revisions to Consolidated Compliance Framework (CCF)
- Criminal Justice Information Service Module
- ISO 27001 Module
- Australian Signal Directorate Module
- Strategic Integrations
- IT Operations Module
- Physical Security Integrations (three releases)
What Content is Available in the LogRhythm NextGen SIEM Platform?
ASD, NY DFS, CJIS, ISO 27001, UAE-NESA, PCI-DSS, MAS-TRMG, NIST, NERC CIP, GDPR, SOX, NEI, 201 CMR 17, NRC, HIPAA, GPG-13, DoDI 8500.2, FISMA, SOX COSO, GLBA, NIST CSF, NIST 800-53, CIS CSC
Core Threat Detection, UEBA, NDR, MITRE ATT&CK, Retail Cybercrime, Threat Feed integrations
IT Operations, Epic, Healthcare Security, Financial Fraud Detection
Embedded Expert Content Delivered Straight to Your Deployment
The LogRhythm Labs team works tirelessly to research and deliver new content into the LogRhythm NextGen SIEM Platform so your team can:
- Get immediate value from your deployment
- Easily keep up with the changing threat landscape and digital transformation
- Reduce the reliance on in-house research expertise
The Labs team is your partner in making sure you have content and resources that you need to be successful and get value from your LogRhythm investment — and all of this content comes at no extra cost to you.
Find documentation around all of our modules on the LogRhythm Community under Documentation and Downloads: https://community.logrhythm.com
Taking a look back at 2019 and presenting a 2020 roadmap for ATT&CK
Written by Blake Strom and Amy Robertson
We started 2019 with a bold series of goals, and with the help of the MITRE ATT&CK® community and hard work from our team, we've accomplished many of those and more.
With your input, we developed and published the Impact tactic to address integrity and availability attacks against enterprise systems. We reworked how mitigations are represented in ATT&CK to make the information easier to use. The (ongoing) Sightings pilot was launched to collect contributions on raw sightings of ATT&CK techniques, and we kicked-off the second round of ATT&CK Evaluations with a new actor and a new approach leveraging contributions. The "Getting Started with ATT&CK" series was unveiled, and we're looking forward to sharing more use cases in the coming months. We released ATT&CK for Cloud, a needed expansion to ATT&CK that wouldn't have been possible without significant community contributions. Our work on restructuring ATT&CK with the sub-techniques continued through feedback from the community, and we're targeting a release in the upcoming months. You told us that ATT&CKcon 2.0 was a success, and the Threat Report ATT&CK Mapper (TRAM) enjoyed a beta release. Finally, we started an ATT&CK training series which kicked off with the release of our ATT&CK for Cyber Threat Intelligence (CTI) training.
To our ATT&CK community, we're grateful for your passion, support and involvement and we're excited about a new decade of collaboration. Our team has been working towards some significant adjustments to ATT&CK in 2020, including a few new additions and several modifications that have been percolating for a while. We look forward to connecting with you as we forge ahead with our 2020 Roadmap.
Restructuring, Refinement and Revamping
We have a lot planned for Enterprise ATT&CK in 2020. We'll be restructuring the framework with sub-techniques, revamping ATT&CK's data sources, and refining Mobile, PRE-ATT&CK, Cloud, and ICS. We'll also be publishing a new extension of ATT&CK to cover behavior against network devices such as routers. Throughout all these updates and adjustments, we welcome your feedback. Our goal is to ensure that ATT&CK continues to be a valuable resource, and if an adjustment undermines usability, or if there are ways to enhance your overall experience, we want to know.
The sub-techniques journey is nearly complete — we're targeting a soft launch in March and you can read about the latest details here. We've been working to minimize the impact of the associated realignment and have addressed many of the concerns that you raised. To simplify the transition, we're refining a crosswalk from old technique IDs to new ones, or mapping newly broken out sub-techniques to higher level techniques.
The sub-techniques will be published on a companion site alongside the main ATT&CK site, clearly charting out the changes. This companion site will give everyone a few months to preview and process the full scope of the changes before we finalize that version and make it official. The old site will then be added to the previous versions for reference. Once we release the new ATT&CK framework with sub-techniques, we welcome your feedback on the good, the bad, and the needs-adjustments.
We're also nearly finished revamping the data sources used for Enterprise techniques and we're excited about the enhancements. Data sources are one of the most critical aspects of ATT&CK, and we'll be sharing some additional details in the coming weeks about our new methodology to define sources. The details won't be ready to be included in the sub-technique update, but we will be posting the new data sources definitions and details to GitHub to get them out faster. The updated data sources model will be implemented into the site after the sub-techniques are published.
On the ATT&CK for Cloud front, we've been working towards refining it into sub-techniques and getting new contributors on board to help us expand. ATT&CK for Cloud was built around nearly 100% community contributions for techniques, and we'll continue to leverage this expertise to add enhance the model. Our goal is to jump back into expanding Cloud with new techniques after sub-techniques is released and publish the second set of techniques in the fall.
The adversary behavior model for Network Infrastructure Devices is being developed with routers, switches, and firewalls in mind. We've been leveraging open source reporting and have coordinated closely with industry. The Network research will ultimately impact the current ATT&CK structure with a new platform, but we are developing it with sub-techniques in mind. We're targeting an initial release of our research in the fall and will use the contributor process you're already familiar with to keep it updated.
We're still working to improve consistency and integration between PRE-ATT&CK, Mobile ATT&CK, and Enterprise ATT&CK and are moving towards an eventual "One ATT&CK" model. This will include refining ATT&CK based on the changing threat landscape for enterprise systems focusing on Windows, Mac, and Linux. The technical content in PRE-ATT&CK will be brought up to the same level of ATT&CK for Enterprise and will be integrated into ATT&CK with two new tactics. Our goal with this revamp is to better prepare users to identify who to defend against and the applicable defensive options. The team will continue to refine the Mobile ATT&CK model focusing on Android and iOS, with the addition of sub-techniques and upgraded data sources. We plan to assess merging the Mobile and Enterprise ATT&CK models later in the year.
In the same vein, we're moving forward with our research and refinement of ATT&CK for ICS techniques. ATT&CK for ICS is a community-driven project, and we'll maintain this close collaboration with stakeholders to hone the knowledge base. All the technique adjustments and releases will be based on your input and any new threat reporting on incidents. The separate ATT&CK for ICS wiki that was published in January 2020 will allow the ICS knowledge base to mature separately from the rest of ATT&CK, allowing for more rapid updates. We also plan on evaluating if merging ATT&CK for ICS with the main ATT&CK knowledge base makes sense towards the end of the year, including translating the information into STIX and integrating it into the main ATT&CK website and tools like the ATT&CK Navigator. We'd appreciate your involvement on this approach, and we look forward to hearing about what you think as we move forward.
Mapping, Developing, and Sightings
On the mapping automation front, we're moving full speed ahead. The Threat Report ATT&CK Mapper (TRAM) was beta released in December, and we'll continue developing it this year. TRAM is currently a functional prototype and we plan on improving the interface, adding some new features, and enhancing overall functionality throughout the year. Some of our targeted updates include the ability to ingest additional file types, more output formats, and supporting multiple users simultaneously. As we add and update these features, we'll announce the changes and keep our public repository current. We're looking forward to hearing about your experience with TRAM as we move towards more feature implementations.
Our team has also been working to map ATT&CK to NIST 800.53 v4. Mapping ATT&CK to common control frameworks will better support efforts to identify controls that mitigate relevant threats, and identify capability gaps. We'll be collaborating with CIS on their current model that maps CIS controls to ATT&CK to expand the mappings into other frameworks. We hope to share more details on the model and where it'll be featured soon. Our current prototype for NIST 800.53 will be published to the ATT&CK GitHub and we'd like your involvement in maintaining and updating it. Our goal is to provide a flexible mapping structure that evolves with the environment, and is user-friendly. If you've already started a mapping, or have some ideas about what types of mappings would be most valuable, reach out and let us know.
Cyber Analytics Repository (CAR) will be updated this year with new analytics. We'll be developing analytics internally, working through external contributions, and adding implementations for new and existing analytics. We'll also be updating how we capture ATT&CK coverage for better accuracy and compatibility with sub-techniques. We're planning updates to CAR sensors to better reflect the current product landscape, and data model revisions showcasing modern sensor data, which will directly support the creation of analytics against the data. We're also hoping to update the CAR Exploration Tool (CARET) to improve UI, usability, and to take advantage of the other structural changes to ATT&CK.
We launched our ATT&CK Sightings pilot in 2019 to empower defenders globally by providing them with continuous information about what ATT&CK techniques adversaries are using and how they're using them. The Sightings program will do this by collecting anonymous contributions of observations of ATT&CK techniques in the wild from numerous, diverse sources and then publishing insights based on that data.
The pilot is ongoing, and we've set a deadline of April 30 to get commitments and pilot data sets from the initial cohort of contributors. We're actively working with contributors to overcome barriers and provide value back. This program is community-driven and can't be successful without your help. You can read our recent Sightings update for more information about how you can contribute and what's next for the Sightings pilot.
Finally, ATT&CK Evaluations will be conducting a new round under a new format emulating the Carbanak and FIN7 groups. MITRE-Engenuity will assume the reins moving forward, and continue to advance ATT&CK Evaluations. You can find more details about the Carbanak+FIN7 Evaluation here.
We will be hosting a new type of event May 18–20 to bring US government organizations together to discuss how they use ATT&CK and how they've overcome challenges. The call for presentations is open through March and you can find out more here.
We also know there's a lot of interest in the next ATT&CKcon. We're working through initial planning right now and we'll have more details to share in April.
ATT&CKing the Next Decade
The future of ATT&CK depends on community engagement as much as it does where adversaries go next. ATT&CK's success hinges on our partnership with the community and our collective ability to innovate and share knowledge. With you, as the community, serving as advisors, collaborators and champions, ATT&CK will be more impactful than ever.
We'll continue to leverage your input at every stage, including how to evolve ATT&CK. We're excited about how ATT&CK will advance in 2020, but we're even more energized by where we see ATT&CK going in the next few years.
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19–00696–24.