topic Re: Calling all Security Engineers in Career Discussions

Calling all Security Engineers

Jslaughter — Thu, 01 Mar 2018 20:59:33 GMT

Hey folks -

I am looking to operationalize and mature our security group. We have some engineers that are fantastic, but a bit unfocused.

Looking for feedback on the ideal day for a Sec Engineer. This means a day where you have all the data you need and the ability to do your job to the optimal level. Some specifics:

What's involved?

What do you have access to, and what is just provided?

What roadblocks that normally exist are no longer present?

How are you growing and developing daily, and longer-term?

Thanks

Re: Calling all Security Engineers

Bertikus — Fri, 02 Mar 2018 04:54:33 GMT

I don't think there is such a thing as "an ideal day". The first time you think you got one of those, a zero day hits you hard. You think it was an ideal day and you've just been owned. I've gotten to the point where I try to make things safer today than they were yesterday. I try to learn something in the process or help someone else learn something. Since there is no way to secure a network 100%. I also trying to do packet captures and look for odd stuff. Every now and then I will throw in odd stuff to see if anyone finds it. It helps to keep them focused and it becomes a bit of a challenge. When someone finds enough of the "odd traffic" I'll give them a day off. Then they are telling me what they need to do the job better, they are trying to learn the software better and so on. I'm not sure if that answers your question but I hope it helps.

Re: Calling all Security Engineers

Shannon — Fri, 02 Mar 2018 08:00:35 GMT

Information Technology is continually evolving, vulnerabilities are being discovered, & threats are emerging --- so the 'ideal day' for a security engineer would be a holiday.

Let's look at the answers to your questions in terms of what's expected, rather than typically encountered: -

1) What's involved?

The security of the organization’s entire IT infrastructure, scoping ALL of its components and users.

2) What do you have access to, and what is just provided?

Monitoring systems drawing real-time information from the IT infrastructure --- with the information properly analyzed and automated response mechanisms for alerts produced --- adequate visibility of operations, and a range of sources for vulnerability alerts.

3) What roadblocks that normally exist are no longer present?

A lack of support from senior management and / or a lack of resources (people, processes & technology) to secure the organization.

4) How are you growing and developing daily, and longer-term?

Learning about, encountering and responding to new systems, threats & vulnerabilities.

Since the desired circumstances may not be present, the only time a security engineer might be able to avoid having to deal with any inadequacies would be while on a holiday.

Re: Calling all Security Engineers

Beads — Fri, 02 Mar 2018 15:42:09 GMT

Let's try to focus your question a bit, shall we?

One way or another most of us have some type of tool set to do our jobs. With that note those tools may not be ideal for what we would like but tools can be very expensive to out right free. No excuses for blaming our lack of any tool to perform our tasks at hand.

A successful day starts with a full night's sleep, no phone calls the night before or first thing in the morning BEFORE I get to work. Second, no one waiting at the door for my arrival. This is not untypical. I have folks who start work before I get out of bed by practice, if not work ethic.

I agree with the other posts concerning making things better than the day before but no amount of preparation and diligence will stop every bad actor, every day. We fight the good fight or wallow in delusion. The choice is up to you.

Re: Calling all Security Engineers

jordanpw — Sat, 03 Mar 2018 20:47:43 GMT

Some very good answers above, so I'm enjoying this thread. I would just add that I think an ideal day might have these two elements:

-- A day where we can work on a more proactive basis. Not buried by governance sort of tasks or babysitting scans - but doing more work that justifies the word 'analyst' in a job title. A day that ends feeling like we maybe moved the needle even a little bit on the overall security maturity or posture of the place.

-- A day where we make good headway on establishing or improving an important process - one that hopefully makes us more efficient and/or effective tomorrow.

Re: Calling all Security Engineers

Jslaughter — Mon, 05 Mar 2018 15:26:41 GMT

Jordan

Thanks for the post. Good information here, for sure.

You mention the idea of making a difference and moving the needle a little bit each day. For you, is there a specific area where you would say is the most fulfilling part of your day as a Security Engineer/Analyst?

What do you define as babysitting?

Are there reports you want to see, versus noise you could do without?

Thanks,

Jonathan

Re: Calling all Security Engineers

Jslaughter — Mon, 05 Mar 2018 15:29:56 GMT

Beads -

Fair point. I get the reality of the daily threats for sure.

As for the start of the day - good sleep and no late night calls are a definite consensus.

When you start your day, what do you immediately want to have at your finger tips? What type of Threat Intelligence should be provided to you to make your day the most effective once you sit down?

How much of your day would you say should be directly "fighting the good fight" versus personal/professional development and hitting the growth edge of your skills?

Thanks,

Jonathan

Re: Calling all Security Engineers

Jslaughter — Mon, 05 Mar 2018 15:32:46 GMT

Shannon -

Thanks for the details in your response.

What I understand from your note is that a key component is the intelligence at your fingertips, and fully ready for use.

What does that ideal intelligence stack contain? Do you have a favorite set of applications or tools (i.e. Splunk, Guardacore, etc.)?

Re: Calling all Security Engineers

jordanpw — Tue, 06 Mar 2018 00:43:28 GMT

jslaughter

I have a number of things that would fit into the 'most fulfilling part of the day' category - a few top of the head would be: being involved in hardening reviews and seeing hardening changes made as a result of those (so a little less chasing down same vulnerabilities caused by same installed apps/services); talking or working with application/system owners who get it, or are beginning to get it, in terms of thinking about security a little more - I had an application owner say to me today that rather than updating an app version he might just see about removing it "to make the attack surface smaller" - it's awesome hearing that phrase from an app owner; evaluating and recommending cool new tools, especially when it's just getting more out of free or built-in tools (eg Sysmon, Windows Event Log Forwarding); and learning. There's always so much to learn - about our own environment, and about ICS in general

Babysitting - I was mainly thinking about just the volume of scans that need to be run, and sometimes kinda being a slave to getting them done and then having less time to really think on the results or the bigger picture.

Honestly, overall I enjoy my work, our work, tons. I go to work most every day pretty happy with what I need to get done, and enjoy reading, watching videos etc on work-related topics out of hours too. Having said that, shockingly I still manage to have a life as well - spend time with family, get out with the dog, play some sports etc.

Re: Calling all Security Engineers

Shannon — Tue, 06 Mar 2018 06:31:44 GMT

To answer your 1st question, Jslaughter, the ideal stack consists of at least 2 categories of information ---

Norms & Baselines - What's expected to happen. (What should be done, by whom, how, and when)
Real-time information - What's actually happening. (What is being done, by whom, how and when)

A SIEM / monitoring solution will give you the latter, but to effectively use this, you must correlate it with the former --- to perceive existing threats & foresee potential ones.

I'm not in a position to answer your 2nd question, as my current role (Information Security Officer) has me dealing with security policies, enforcement, compliance and risk management, with little exposure to the use of solutions, for which we have dedicated roles.

Re: Calling all Security Engineers

smgvbest — Mon, 23 Apr 2018 12:44:02 GMT

I can give you my view as a Mainframe Security Engineer.

For my role in our company is defined as maintaining and managing risk for our platform in addition to providing direction for our ID ADMIN team.

My typical day consistent of vulnerability management, report generation, meetings (my leadership, IRM, IAM and Audit) and training. Being the only CISSP on our team as well as the team lead it falls to me to train others on my team as well as training to other engineers (not only security but our OS, Network and tower engineers)

I typically start by pulling all the latest vulnerability reports as well as IBM Alerts specific to mainframe. these are reviewed, logged, tracked until resolution. Dashboard are prepared for leadership as well.

Other aspects include scheduling of A&P test for our platform. While A&P test typically go in-eventful one item recognized for us is we have no down time. Day is online processing and night is batch processing. both of which run the company. an outage due to a scan is not acceptable so they are planned for least impact times and systems

Project work is another area where IRM/IAM are making many changes and as the Security Engineer for our platform it falls to us to implement these items correctly.

Training is usually handle via working sessions. we identify an area we need work on then have a daily working session on it where we present the issue, work on how to solve it and then have one or more of our team implement it. we use these as training because most my team are not engineers, they are learning. so they are being taught engineering principles in these sessions

Other training consist of topics like vulnerability management. process management. out reach for our local users groups and attending training like our RACF users group which is our security product..

right now we're working on STIG compliance and developing the skills and tools to provide that compliance.

Hope some of that helps.

Sandra

Re: Calling all Security Engineers

Zonker — Mon, 23 Apr 2018 18:30:52 GMT

I have to say that my day as a Security Engineer is rarely scripted or even the same day to day. I do seem to have more meetings than deemed healthy for sanity, but Project Managers seem to only exist within the context of a meeting or TSP report.

Frankly, my charter is to 1) Serve as the go between (aka Translator) between the IA and IT staffs; 2) Try to solve the technical problems of conducting business and maintaining a reasonable security posture; 3) Talk the PMs off the ceiling whenever they hear that the cheapest solution still has a cost; 4) Ensure that solutions are installed and configured correctly, and stay that way; 5) Explain to engineers and developers why we cannot simply make the firewall any-any, set file permissions 777, use TELNET, RSH, etc..., or run CRON jobs as root. 6) Explain the same ideas to Windows SA's, but gentler so that I don't hurt their feelings. 7) Try to train the security staff to look for a solution, or at least talk to me, before saying No!; 😎 Write justifications (ROIs) for my boss for any expenditures for tools; 9) Spend 2-3 times as much money and time as the tool would have cost on labor and time trying to make the "same thing but free" that some budget manager heard about at his off-site team building leadership retreat in the Poconos. 10) Review scan reports, mitigation reports, track action items to completion.

There are a bunch of other things that go into my day. Many of them frustrating. Some of them rewarding. Rarely the same. But, I really like this job for the challenges it gives me every day. I look forward to coming in and trying to solve a problem. I don't mind staying late to make sure something is working as intended. I get to learn new things as well as teach. A good day for me is when I feel like I have accomplished something.

Re: Calling all Security Engineers

canLG0501 — Tue, 24 Apr 2018 16:15:37 GMT

What's involved? Being in a security conscious culture helps or an environment that supports you actively working to increase the security posture.

What do you have access to, and what is just provided? You have access to training material or able to travel to seek out unique training opportunities. Support from senior management and infrastructure teams is another bonus. Visibility into operational procedures is another plus.

What roadblocks that normally exist are no longer present? Visibility into systems or operational procedures may be the largest roadblock that is no longer present in our environment.

How are you growing and developing daily, and longer-term? Working toward helping developers receive additional training quarterly as a mandate and delivering more training in-house. When you can leverage your in-house security engineer talent to deliver training they feel valuable to the organization.

Re: Calling all Security Engineers

mgoblue93 — Tue, 24 Apr 2018 18:39:46 GMT

> We have some engineers that are fantastic, but a bit unfocused.

> Looking for feedback on the ideal day for a Sec Engineer.

Have you taken a look at any project management frameworks or tools?

Please don't take any of the following as a negative or a criticism of you; this is not personal -- my replies are process motivated only.

The first thing I would generically suggest is not to be passive/reactive about this, be active. Meaning, if your staff needs focus, if you need to know an ideal day, define it first and then plug the resources into it. Generally, service providers, and you are one, don't have a template day -- that's production speak.

If you've ever read any of the Situational Leadership stuff, recall three basic things about human behavior:

1. All people are motivated.

2. All people are motivated for their own reasons (yes, even slackers are motivated -- see #1).

3. No matter how hard one tries, you can never ultimately motivate people for your OWN reasons.

That, is also, the difference between leadership and management... but I digress.

One way to align a group of high performing but unfocused staff is through team building and accountability.

I have two thoughts for you off hand that are cheap to implement and pay big dividends. As another disclaimer, I understand some of what I'm going to write isn't trivial. Services organizations seem to have more challenges in the areas you mention than production organizations. But if one really looks at the situation without preconceived notions, they can see where parts of frameworks are applicable to their business processes and in turn leverage the cool stuff!

1. One technique you could use is document the work in kanban. It's basically a board which says what work is upcoming, which work is in progress, and which work is completed. Make the board public. Make the team accountable for it -- at all levels. The team should operate as a team and not a hierarchy of pay grades and job titles from a basic service provision perspective.

In kanban, if you have an unfocused employee -- there's no excuse for that anymore; they see the work they need to do (it's publicly posted), their teammates do too, and as staff progresses tasks from in-work to completed, they'll eventually get into the habit going to the upcoming work side of the board and starting a task on their own. They'll do that without team lead intervention and they'll have a lot of pride about it because they are executing autonomously (which is going to free you up for other things too).

An additional benefit is the team sees the work, the entire process is transparent. They will all own it. That's a very powerful motivator.

2. Have you looked at any SCRUM methods?

Implement a morning stand up, no more than 15 minutes and with all team members. During this stand-up, go around the circle and have each team member publicly talk to the team about what they accomplished yesterday, what they plan on doing today, and to escalate any barriers. This is a very powerful tool -- few people want to be a slacker in such an environment where they bring nothing to the stand-up while all their teammates are voicing their accomplishments.

I hope this helps.

Re: Calling all Security Engineers

Baechle — Wed, 25 Apr 2018 20:22:38 GMT

@Shannon;

Good call. I'd have to second your response:

Norms & Baselines - What's expected to happen. (What should be done, by whom, how, and when)
Real-time information - What's actually happening. (What is being done, by whom, how and when)

In my experience, the "tools" are the team that you interact with. If you're conflating "Engineering" with all of the operational tasks like configuration management, auditing, monitoring, and incident response - even longer term analysis, then you're probably not doing the essence of engineering.