IDS mailing list archives

Re: IDS Analyst skill set


From: "Don Parker" <dparker () bridonsecurity com>
Date: Fri, 17 Mar 2006 17:09:49 -0500

Hello,

You may wish to give the below noted article series a read. It may help answer some of your questions.

http://www.securityfocus.com/infocus/1779

Salut!

Don

----- Original Message -----
From: "Maarten Van Horenbeeck" <maarten () daemon be>
To: <focus-ids () securityfocus com>
Sent: Thursday, March 16, 2006 6:52 PM
Subject: Re: IDS Analyst skill set


Dear Naveen,

After reading your mail and the responses to it, I felt it would be
interesting to uncover at least one additional layer that most training
does not yet address.  You could say it is missing from the state of
the art of IDS analysis.

Regarding the technical training, I agree with most posters that SANS
does indeed have the most in-depth course.  However, in order to better
assess what type of training is required, we should actually look at
some of the activities that will be required from the analyst.

If I understand your setting correctly, an IDS analyst will classify
large (though hopefully pre-filtered) sets of batched information flows
(IDS events) into incidents, or discard them.  This is a significant
challenge.  It puts strain on your technical abilities, but also on your
ability to reason and analyze.

The degree of correctness is very important in this line of business, as
otherwise valuable data may not be used and an incident may not be
identified - potentially leading to a costly security breach.

As such we should consider at least part of our training process to make
sure that the analysis skills of the analysts are brought up-to-date.
Bringing analysis skills in line usually consists of identifying flaws
of thinking together with the new analysts, and making sure they are
aware of how the mind falls into these traps and how it can avoid them.
These "traps" are commonly known as cognitive biases and can be
described as e.g. being oversensitive to consistency or the persistence
of impressions.  There are, however, many more.

A second issue is human error.  Every human has a certain flow of
incidents which he can handle - once the load goes above this flow, the
risk of human error increases dramatically.  With adequate insight into
how these issues occur, changes can be made in the environment which
decrease the amount of errors, or analysts can be made aware of common
pitfalls.

Besides the regular technical requirements, an intrusion detection
analyst should be someone who has thorough command of the capacity of
his mind to come to several insights based on high volume inputs, then
being able to decide on the most likely scenario, while not discarding
the other ones through his own conviction.  These are valuable skills
which need to be cultivated.

Some unfortunate news, however.  I do not know of any formal training
courses geared towards security analysts that bring these skills into
the workplace.  As these skills are vital, I would suggest you include
them in your induction sessions for new analysts.  A number of good
books on these skills can be found below:

[1] "Psychology of Intelligence Analysis"; Richards J. Heuer, Jr.
Center for the Study of Intelligence

[2] "Bias in Human Reasoning: Causes and Consequences"; B. Evans

[3] "Investigating Human Error: Incidents, Accidents and Complex
Systems"; Barry Strauch

Hope this information proves useful.

Cheers,
Maarten

--
Maarten Van Horenbeeck, CISSP GCIA GCIH
maarten () daemon be - http://www.daemon.be/maarten

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------