Sunday, March 26, 2017

Three Characters (Caricatures) of Incident Response

I've been using this set of three types of IR characters to describe my opinion on the capabilities. I thought I would share it. I'll try to "polish the turd" at some time in the future.

We need all of these capabilities in IR/SecOps. Having each in the right measure is the trick. A few Eagles and no Janitors isn't going to work.

Janitor

Not glorious or proactive, the Janitor is tasked with clean up. This occurs after the incident has transpired. This is a necessary capability, is usually the first capability to be developed, and should be operational to the degree that the janitorial service is low cost, effective, and capable of dealing with the sorts of messes the organization produces.

The janitor sometimes finds things left behind that are interesting, and should know to bring them to the attention of the appropriate component of security operations. Janitorial services are frequently outsourced, and should be relatively low cost, measurable, and repeatable. These tasks can be run at level 4 (quantitatively managed) or 5 (optimizing) on the CMMI maturity scale.

Janitors infrequently have the agency within the organization to effect change. Albert Einstein famously discussed his most difficult problems with the janitor. Maybe it was because the janitor was the only one around at his odd work hours. Maybe the conversation proceeded because the janitor could see all the details of things left undone by others, which made his job unnecessarily difficult.

Firefighter

A proactive capability, with the opportunity to minimize damage. Firefighters are trained to address the most critical aspects first: save the lives of people and animals before anything else. In information security terms, this means preventing exfiltration or, more generally, actions on objectives, to use the Cyber Kill Chain® terminology.

The next order of business for firefighters is to simultaneously prevent the spread of the current blaze to nearby fuel sources. These might be buildings, or portions of the landscape when dealing with wildfires. When conditions are favorable, stopping the spread of the fire is relatively easy. If the nearby buildings are made of concrete with metal roofs, the temperature needed to ignite them is likely too high. But if there are high winds, the nearby pine forest is parched by drought, and the current fire is burning hot enough to send embers flying, the likelihood of the fire spreading beyond the control of the current fire-fighting team increases.

Firefighters are often volunteer teams funded by the community to protect any resource that might encounter a problem. Resource-rich areas with high-rise buildings, dense populations, and greater environmental risk often have more restrictive controls in place. Specialized equipment, like ladder trucks for tall buildings, is deployed as needed. Community requirements like smoke detectors, fire suppression systems, and automatically closing, fire-rated doors are common in public spaces.

The information security analogy is obvious. Preventive and detective measures built into systems are the result of diligent, persistent community awareness of the risks of information systems. The systems with the highest information density typically have formal risk management requirements attached to them. The less important, resource-constrained areas are often left to cobble together their own response capability. The skillset of a volunteer, self-trained force is often less than that of a professional response capability. However, the ownership and agency that volunteers have frequently creates circumstances where they outperform their fully funded counterparts on a per-dollar basis. That sense of ownership and heroism usually cannot be sustained perpetually. Ad hoc response teams try to demonstrate the need for additional funding by citing current successes and the substantial and growing demand for the service.

Eagle

Most eagle species are apex predators. With impressive visual acuity, they catch prey unaware. The eagle can strike and kill prey substantially larger than itself, sometimes killing prey 6 times its own weight.

The threat-hunting responder who knows the narrow passes in the network, the places an attacker must traverse to perform actions on objectives, and watches them for signs of traversal is an IR eagle. The eagle can scan massive areas, locate minutiae that everyone else would miss, and take out an intruder with speed and precision.
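
As an added illustration of hunting at a narrow pass (this is example code written for this post, not something the original describes), the script below treats the egress proxy as one such choke point: both bulk exfiltration and command-and-control beacons have to cross it. It parses a few constructed proxy log lines and flags two patterns a hunter would look for there: unusually large outbound volume from one client to one external host, and near-periodic connection timing. The log format, host names, client addresses and thresholds are all assumptions for illustration.

```python
"""Added example: hunting for actions on objectives at an egress choke point.

Not from the original post. The proxy log format, hosts, addresses and the
thresholds below are assumptions chosen to illustrate the technique.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress-proxy log lines: timestamp, client, destination host, bytes out.
SAMPLE_LOG = """\
2017-03-26T10:00:00 10.1.4.22 updates.example.com 1204
2017-03-26T10:00:05 10.1.4.22 updates.example.com 980
2017-03-26T10:01:00 10.1.7.90 cdn.example.net 420
2017-03-26T10:02:00 10.1.4.22 drop.example.org 9800000
2017-03-26T10:03:00 10.1.4.22 drop.example.org 8700000
2017-03-26T10:04:00 10.1.4.22 drop.example.org 9100000
2017-03-26T10:05:01 10.1.9.15 beacon.example.org 310
2017-03-26T10:10:00 10.1.9.15 beacon.example.org 305
2017-03-26T10:15:00 10.1.9.15 beacon.example.org 312
2017-03-26T10:20:01 10.1.9.15 beacon.example.org 309
2017-03-26T10:25:00 10.1.9.15 beacon.example.org 311
"""


def parse_log(text):
    """Parse lines into (datetime, client, dest, bytes_out) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
            events.append((ts, parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return events


def find_bulk_egress(events, threshold_bytes=10_000_000):
    """Return {(client, dest): total_bytes} for pairs whose outbound total exceeds the threshold.

    Large volume to a single external host is the exfiltration signal a hunter
    wants to see at the proxy before the data is gone.
    """
    totals = defaultdict(int)
    for _, client, dest, nbytes in events:
        totals[(client, dest)] += nbytes
    return {pair: total for pair, total in totals.items() if total > threshold_bytes}


def find_beacons(events, min_connections=5, max_jitter_ratio=0.05):
    """Return {(client, dest): mean_interval_seconds} for pairs with near-constant timing.

    Jitter is measured as population stdev / mean of the inter-connection
    intervals; a human browsing does not produce a ratio this small, a
    scheduled beacon does.
    """
    by_pair = defaultdict(list)
    for ts, client, dest, _ in events:
        by_pair[(client, dest)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg > 0 and pstdev(intervals) / avg <= max_jitter_ratio:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (client, dest), total in find_bulk_egress(evs).items():
        print(f"bulk egress: {client} -> {dest} ({total} bytes)")
    for (client, dest), avg in find_beacons(evs).items():
        print(f"beacon-like: {client} -> {dest} every ~{avg:.0f}s")
```

On the constructed sample, the first check flags 10.1.4.22 pushing roughly 27.6 MB to drop.example.org, and the second flags 10.1.9.15 contacting beacon.example.org every ~300 seconds with a second or so of jitter. In practice the thresholds are tuned per environment, and the same two checks run over whatever choke point the network actually has (proxy, DNS resolver, VPN concentrator).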

Once the IR eagle focuses on one specific prey, it can lose sight of other, potentially more important, attackers. It is expensive to maintain many top performers within an IR group, and like the actual eagle, these hunters are often solitary and territorial.