IDS mailing list archives
Re: IDS Analyst skill set
From: "Don Parker" <dparker () bridonsecurity com>
Date: Fri, 17 Mar 2006 17:09:49 -0500
Hello,

You may wish to give the below noted article series a read. It may help answer some of your questions.

http://www.securityfocus.com/infocus/1779

Salut!

Don

----- Original Message -----
From: "Maarten Van Horenbeeck" <maarten () daemon be>
To: <focus-ids () securityfocus com>
Sent: Thursday, March 16, 2006 6:52 PM
Subject: Re: IDS Analyst skill set
Dear Naveen,

After reading your mail and the responses to it, I felt it would be interesting to uncover at least one additional layer that most training does not yet address. You could say it is missing from the state of the art of IDS analysis.

Regarding the technical training, I agree with most posters that SANS does indeed have the most in-depth course. However, in order to better assess what type of training is required, we should actually look at some of the activities that will be required from the analyst.

If I understand your setting correctly, an IDS analyst will classify large (though hopefully pre-filtered) sets of batched information flows (IDS events) into incidents, or discard them. This is a significant challenge. It puts strain on your technical abilities, but also on your ability to reason and analyze. The degree of correctness is very important in this line of business, as otherwise valuable data may not be used and an incident may not be identified - potentially leading to a costly security breach.

As such we should consider at least part of our training process to make sure that the analysis skills of the analysts are brought up-to-date. Bringing analysis skills in line usually consists of identifying flaws of thinking together with the new analysts, and making sure they are aware of how the mind falls in these traps and how it can avoid these. These "traps" are commonly known as cognitive biases and can be described as e.g. being oversensitive to consistency or the persistence of impressions. There are, however, many more.

A second issue is human error. Every human has a certain flow of incidents which he can handle - once the load goes above this flow, the risk of human error increases dramatically. With adequate insight into how these issues occur, changes can be made in the environment which decrease the amount of errors, or analysts can be made aware of common pitfalls.

Besides the regular technical requirements, an intrusion detection analyst should be someone who has thorough command of the capacity of his mind to come to several insights based on high volume inputs, then being able to decide on the most likely scenario, while not discarding the other ones through his own conviction. These are valuable skills which need to be cultivated.

Some unfortunate news however. I do not know of any formal training courses geared towards security analysts that bring these skills into the workplace. As these skills are vital I would suggest you include them into your induction sessions for new analysts. A number of good books on these skills can be found below:

[1] "Psychology of Intelligence Analysis"; Richards J. Heuer, Jr.; Center for the Study of Intelligence
[2] "Bias in Human Reasoning: Causes and Consequences"; B. Evans
[3] "Investigating Human Error: Incidents, Accidents and Complex Systems"; Barry Strauch

Hope this information proves useful.

Cheers,
Maarten

--
Maarten Van Horenbeeck, CISSP GCIA GCIH
maarten () daemon be - http://www.daemon.be/maarten

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------