It strikes me that much of the focus seems to be people on one hand wanting "deep security expertise", which is considered technical, and on another finding it difficult to actually have that single person be able to impact enterprise/network-wide security. Since "deep security" experts are a valuable commodity, it is unlikely that spreading them throughout an organization is feasible.

What needs to change in this model is how one defines a "security expert". While some deep technical knowledge in security technologies relevant to your environment is critical, that person should hardly be a bottleneck for the security organization. In fact, that person should rarely--if ever--communicate outside his/her organization. What is needed is someone capable of "creating" the pixie dust you spoke of, Sean. That dust has to be sprinkled, it's hard work, and a technical professional cannot do it.

The problem is that when an organization sees a need to focus on security, the first thought tends to be to get an "expert" hired on. In reality, this expert will have little effect since he/she will not be able to stick a finger in every piece of pie around. Instead, getting the HR department to focus on a "strategic" security manager should be the first task on the security checklist. This person need not be a deep technical expert, though some level of technical expertise is usually desirable. Higher on the list are communication skills, management by influence (as opposed to authority), educational experience or talent, and a deep understanding of how to promote security awareness throughout an organization. Surprisingly, these people are both easier to work with and easier for HR to target than your average "deep security expert". If the goal is to establish security as a priority for an organization, and ultimately have far greater impact than a couple of security engineers, this is the type to be looking for. They don't need to have 20 years of security experience. People with *some* security experience and a whole boatload of business, education, management, and political experience fit this bill. The profile of this person usually lines up with what would be termed a CIO.

Once this person is in place, it becomes a lot easier to coordinate security both within and outside of an organization. The "community" model for incident response has been shown inadequate by most institutions which value their privacy. I would think the ISP/network provider companies would be less sensitive to this, and look for meaningful ways to cooperate. Having a person where responsibility for this sort of thing would rest in each of the companies would go a long way to getting it started. "Deep security experts" are definitely not suited for this type of work.

Just my $.02

Cheers,
Ben
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of batz
Sent: Wednesday, April 03, 2002 11:03 AM
To: Sean Donelan
Cc: Christopher E. Brown; NANOG
Subject: Re: How to get better security people

On Wed, 3 Apr 2002, Sean Donelan wrote:

:Instead of a neighborhood watch do we need a network watch?
:While we need a few people with "deep" security knowledge, we also
:need to spread a thin layer of security pixie dust throughout the
:entire organization.
The NIPC, CERT, OCIPEP (Canada) and other organizations try to fill this role. The Incidents mailing list also tries to do this on a more ad hoc basis, along with the honeynet projects, and to a great extent Nanog. If one's definition of security includes integrity and reliability, then Nanog has been performing that role since its creation.
The problem that exists with the neighbourhood watch model is that it assumes some sort of community and, despite a few exceptions, there is no community of internet providers.
There are communities of network engineers and other specialists, but the possibility of corporations getting together with a common goal, which may temporarily supersede their individual competitive advantage, is just not going to happen. They can have industry associations, lobby groups, interest groups, and other representative bodies, but community is not one of these, and thus any network watch program which depends on community will be hampered.
So, the challenge is to find a model of information sharing in which the balance between effectiveness and the protection of competitive information is slanted heavily to the latter. This on top of providing value to the participants.
There are some private security alert services like this. I can personally highly recommend the securityfocus ARIS tool and their commercial Threat Management System. NAI's virus alert system is excellent, as is a similar service from sophos.com.
The non-classified government briefings I have seen don't really provide value from an up to the minute threat analysis perspective. They might help an executive hold an intelligent conversation on current affairs, but they do little for people who are responsible for protecting the infrastructure.
Personally, I would like to see a mixture of the MAPS RBL and aris.securityfocus.com available, where emerging hostile netblocks can be blackholed for short periods of time using attack information gathered from and corroborated by a vast array of diverse sources.
-- batz
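As an added illustration of the corroborated, short-lived blackholing batz describes above (example code added here, not part of the thread and not code from MAPS, ARIS or any other named service): a netblock is only listed once a threshold of distinct sources has reported it within a window, and the listing expires after a fixed TTL. The feed names, thresholds, timestamps and sample reports are constructed for the example, and the minimum prefix length guard is an assumption added as a practitioner's safety check.

```python
"""Corroborated, time-limited blackhole list (illustrative; not a real service)."""
from collections import defaultdict
from ipaddress import ip_network

THRESHOLD = 3        # distinct sources that must agree before a netblock is listed
WINDOW = 3600        # seconds within which those reports must fall
TTL = 1800           # seconds a blackhole entry stays active
MIN_PREFIXLEN = 24   # assumed guard: never blackhole anything broader than a /24


class NetworkWatch:
    def __init__(self, threshold=THRESHOLD, window=WINDOW, ttl=TTL,
                 min_prefixlen=MIN_PREFIXLEN):
        self.threshold = threshold
        self.window = window
        self.ttl = ttl
        self.min_prefixlen = min_prefixlen
        self._reports = defaultdict(dict)   # netblock -> {source: latest report time}
        self._blackholed = {}                # netblock -> expiry time

    def report(self, source, netblock, ts):
        """Record one report. Returns True if this report caused a blackhole."""
        net = ip_network(netblock, strict=False)
        if net.prefixlen < self.min_prefixlen:
            # Too broad: one bad or hostile feed must not be able to take out a /8.
            return False
        key = str(net)
        # A source only ever gets one vote; keep its most recent report time.
        self._reports[key][source] = max(ts, self._reports[key].get(source, ts))
        # Only sources heard from inside the corroboration window count.
        fresh = {s for s, t in self._reports[key].items() if ts - t <= self.window}
        if len(fresh) >= self.threshold and self._blackholed.get(key, 0) <= ts:
            self._blackholed[key] = ts + self.ttl
            return True
        return False

    def active(self, now):
        """Netblocks to blackhole at time `now`; expired entries are dropped."""
        self._blackholed = {k: exp for k, exp in self._blackholed.items() if exp > now}
        return sorted(self._blackholed)


def demo():
    """Constructed sample feed: hypothetical source names, timestamps in seconds."""
    watch = NetworkWatch()
    t0 = 1_000_000
    events = [
        ("aris",     "203.0.113.0/24",  t0),
        ("aris",     "203.0.113.0/24",  t0 + 60),    # same source again: still one vote
        ("honeynet", "203.0.113.0/24",  t0 + 300),
        ("darknet",  "203.0.113.0/24",  t0 + 600),   # third distinct source -> listed
        ("aris",     "198.51.100.0/24", t0 - 7200),  # stale report, outside the window
        ("honeynet", "198.51.100.0/24", t0),
        ("darknet",  "198.51.100.0/24", t0 + 10),    # only two fresh sources -> not listed
        ("aris",     "10.0.0.0/8",      t0),         # too broad: refused regardless
        ("honeynet", "10.0.0.0/8",      t0),
        ("darknet",  "10.0.0.0/8",      t0),
    ]
    triggered = [nb for src, nb, ts in events if watch.report(src, nb, ts)]
    return triggered, watch.active(t0 + 600), watch.active(t0 + 600 + TTL)


if __name__ == "__main__":
    print(demo())
```

The snippet is only the listing policy; how the resulting netblocks are then pushed into routers (for instance via a BGP blackhole community) is outside its scope. The two knobs that matter for the "protect competitive information" concern are that sources contribute only a vote, never the raw attack data, and that entries age out on their own rather than requiring anyone to publish a retraction.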