Wednesday, October 5, 2016

What is a cybersecurity architect (and how to hire one)


According to the Burning Glass report titled Job Market Intelligence: Cybersecurity Jobs, 2015, 5% of all cybersecurity job postings carry the job title of Security Architect. Unfortunately, the industry is still unclear as to exactly what an IT Security Architect is. According to Payscale, the median compensation is $114,000/year (which sounds a bit low). The concept is, however, starting to mature. Certifications are being developed for IT Security Architects, and various organizations offer training courses to help prepare one to be a Security Architect. (ISC)2 has created the ISSAP (Information Systems Security Architecture Professional) certification. The SABSA organization offers a set of integrated frameworks, models, methods, and processes that can be used independently or as an integrated enterprise solution. Monster.com listed a job description for a Senior Security Architect that calls for the following skills: "Network Security, Network Hardware Configuration, Network Protocols, Networking Standards, Supervision, Conceptual Skills, Decision Making, Informing Others, Functional and Technical Skills, Dependability, Information Security Policies".

The TOGAF (The Open Group Architecture Framework) certification is about thinking like an architect. A security architect needs to be able to function as a general systems architect for the enterprise. Without the big picture, it is hard to provide big security solutions.

A security architect should be able to conduct an "as is" process gap analysis (where are we now, where do we need to be, how do we get there). They produce prioritized technical implementation and management guidance that includes evaluation tests and metrics, such as those identified in the CCS/CIS Critical Security Controls. Implementation is a cooperative effort between business management and the Security Architect, who brings the needed experience, expertise, and consultation to the decision-making process.


Engineer and Architect compared


Architects know what needs to be done to get you to the end goal; engineers know how to do the details of the next tactical step in the project.

Architects tend to think in concepts: defense in depth, least privilege, breaking the exploit kill chain. Engineers tend to think in products: firewalls, IPS, anti-malware, file integrity monitoring, DLP, etc.

Architects worry about how the ecosystem works together; engineers worry about how to keep things running and working.

An engineer can tell you how to design your network. An architect can tell you why it should be designed that way, and will be able to suggest changes based on your specific needs.

An engineer can tell you which protocols companies should use for discrete tasks. An architect can explain why those protocols make the most sense, and can usually describe the previous state of the art.


Architects want to know the exploit vectors and what intellectual property was exfiltrated from the company; engineers want to collect evidence and remediate.

Architects think vulnerability management; engineers think patching, hardening and scanning.


Architects think big picture and are good presenters and salesmen of security ideas to upper management; engineers are where the rubber meets the road (the real problem solvers in the trenches).

You have to have both. Most security professionals function better on one side or the other, and nothing is worse than an architect who only wants to engineer or an engineer who only wants to architect. Many companies struggle because they ask a single person to do both and are then frustrated that that person has a weak spot on one side or the other.

The key attributes of an architect, in order of importance:

  • Analyze the business operations of the organization and map them to data flows between the information processing zones within the organization, as well as to and from it.
  • Design a security solution that suits the risk appetite and the real threats the enterprise faces. Architects use the basic classes of cybersecurity tools available, such as perimeter protection, detection, OS protection, identity management and SIEM-style information correlation, to implement defense in depth at the choke (control) points of the enterprise.
  • Understand the "big picture" in terms of all IT systems; without it, securing them is impossible. In critical infrastructure organizations, understanding the physical security controls is crucial, and architects may be "dual hatted" for cybersecurity and physical security.

Ideal people to help interview a candidate for an architect position include: the IT manager (such as the CIO), the security manager (or CISO), the network manager (or a senior network analyst), the systems manager (or a senior systems administrator), and the applications manager (or a senior software developer with a cybersecurity interest).


Interviewing an engineer for a network architecture position


We interviewed a number of GIAC Advisory Board members who have been working as architects for major enterprises about what they look for when filling an architecture position. They recommend that you be careful about giving candidates a real-world problem (even while pretending it is "made up"), as this could be dangerous to a company from a PR or security perspective if it got posted on the Internet in some way. There are a number of practical assignments defining a mythical company called "GIAC Enterprises"; if you Google that term you can find scenarios to use for the exercise. Here are some questions they recommend asking:

Do you have a home network setup? Please describe it to me.

When designing an architecture/infrastructure for security we have to be at least "aware" of the various protocols/technologies used within corporate America. Please tell me a bit about:
  • Equal-cost paths for egress traffic
  • High availability design issues
  • Packet shaping
  • The role of the network in compliance
  • What ideas do you have to improve our DR/BCP (disaster recovery / business continuity planning)?
Please tell me a bit about each of the technologies below and when and why you might use them:
  • OSPF
  • EIGRP
  • MPLS
  • RIP
  • GRE
  • IPv6
  • Proxy ARP
  • Static routing

Give them just the hex of an IPv4 packet or a DHCPv6 trace and ask them to tell you what is going on. They don't have to be packet ninjas, but they should know what is going on. We teach managers to do this with prospective employees in the course we author and teach, Management 512.
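As an added example (not code from the original post or from the course it mentions), here is a small decoder for the IPv4 half of that exercise. It takes nothing but the hex of a packet and reports the fields an interviewer would expect a candidate to read off by eye: version, header length, total length, DF/MF flags, TTL, protocol, source and destination addresses, and whether the header checksum actually verifies. The sample bytes are constructed for this example, not captured traffic, and the dump is deliberately cut off after the UDP header so the bytes on hand are shorter than the total-length field claims; the second sample has its TTL decremented without the checksum being recomputed, which is the kind of inconsistency a good candidate should spot.

```python
"""Decode a raw IPv4 header from a hex dump and sanity-check it.

Added example for the interview exercise above; not code from the
original post. The sample dumps are constructed, not captured.
"""
import struct
from ipaddress import IPv4Address

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample: 20-byte IPv4 header (UDP, 192.168.0.1 -> 192.168.0.199)
# followed by an 8-byte UDP header to port 53. The dump stops there, so
# fewer bytes are on hand than the total-length field (115) claims.
SAMPLE_HEX = """
45 00 00 73 00 00 40 00 40 11 b8 61 c0 a8 00 01
c0 a8 00 c7 d7 4c 00 35 00 5f 00 00
"""

# Same packet with TTL 0x40 -> 0x3f but the header checksum left as-is,
# i.e. what a hop that forgot to recompute the checksum would emit.
TAMPERED_HEX = SAMPLE_HEX.replace("40 11 b8 61", "3f 11 b8 61")


def ones_complement_sum(data: bytes) -> int:
    """Folded 16-bit one's-complement sum of data (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_ipv4(hex_dump: str) -> dict:
    """Parse an IPv4 header (plus TCP/UDP ports, if present) from hex text."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    if len(raw) < 20:
        raise ValueError("an IPv4 header is at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version = ver_ihl >> 4
    header_len = (ver_ihl & 0x0F) * 4          # IHL is in 32-bit words
    if version != 4:
        raise ValueError("not an IPv4 packet (version %d)" % version)
    if header_len < 20 or header_len > len(raw):
        raise ValueError("bad IHL: header length %d" % header_len)
    header = raw[:header_len]
    # The stored checksum is part of the sum: a correct header sums to
    # 0xFFFF, so the complemented result of the whole header is 0.
    checksum_ok = (~ones_complement_sum(header) & 0xFFFF) == 0
    payload = raw[header_len:]
    l4 = None
    if proto in (6, 17) and len(payload) >= 4:  # TCP/UDP both start with ports
        sport, dport = struct.unpack("!HH", payload[:4])
        l4 = {"sport": sport, "dport": dport}
    return {
        "version": version,
        "header_len": header_len,
        "options": raw[20:header_len].hex(),   # empty unless IHL > 5
        "dscp_ecn": tos,
        "total_length": total_len,
        "bytes_on_hand": len(raw),
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset is in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTO_NAMES.get(proto, "proto %d" % proto),
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "checksum_ok": checksum_ok,
        "l4": l4,
    }


def describe(hex_dump: str) -> str:
    """One-line summary to compare against what the candidate reads off."""
    p = parse_ipv4(hex_dump)
    ports = ""
    if p["l4"]:
        ports = " %d -> %d" % (p["l4"]["sport"], p["l4"]["dport"])
    return "IPv4 %s -> %s %s%s ttl=%d len=%d%s%s csum=%s" % (
        p["src"], p["dst"], p["protocol_name"], ports, p["ttl"],
        p["total_length"], " DF" if p["df"] else "", " MF" if p["mf"] else "",
        "ok" if p["checksum_ok"] else "BAD")


if __name__ == "__main__":
    print(describe(SAMPLE_HEX))
    print(describe(TAMPERED_HEX))
```

The checksum check is the part worth pressing a candidate on: the IPv4 header checksum covers only the header, it must be recomputed at every hop because the TTL changes, and it does nothing for the payload, which is why the UDP checksum (zero in the sample, meaning "absent") is a separate question.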

Interviewing an engineer for a security architecture position

  • What threats do you perceive in this company's environment?
  • What are the assets and/or business processes (5 maximum) you think are the most critical ones for the organization?
  • What assets do you think are the most exposed?
  • Identify the weakest links in the system as a whole (Networks, Systems, Applications, Data, Users).
  • What basic access controls would you design into the network (relevant to my business)?
  • What incident handling (IH) procedures, if any, would you put in place for the network?
  • If you were an attacker, what would you be after?
  • If you were an attacker, what would your business model be? That is, how can an attacker make money by attacking us?
  • If you were an attacker, how would you go about penetrating us?
  • What architectural solutions (Protection, Detection and Reaction) would you propose for the different components (Networks, Systems, Applications, Data, Users) to address the threats and mitigate the risks?
  • Draw me a high-level (network) diagram that shows your proposed architectural changes and solutions.
  • Develop an implementation plan for those solutions (short/middle/long term).
  • Out of the solutions you mentioned, which 5 add the greatest value?
  • Show me how you would adapt your solutions, and what you would prioritize, for different budgets: $1,000, $10,000 or $100,000.
  • Which solutions do you think would be the most difficult to implement (for technical, budget or cultural reasons)?
  • What policy / cultural changes do you think are needed (if any) for your long-term plan to succeed?
  • Propose a couple of security solutions that would enable this company to improve business by doing something it can't currently do.
More general questions
  • If you are looking for more of a general-purpose architect, consider some of these questions. If our organization wants to field a new e-commerce site, can you describe a couple of different scenarios or approaches to the architecture? What are the primary tradeoffs between the architectures? What vendors would you use and why?
  • Get your technical folks to help you identify a real-world problem your organization is facing. Can the candidate engineer a "duct-tape" solution to temporarily address the issue? You don't want a candidate that always relies on spending $$$ to accomplish a task.
  • Please explain a recently announced vulnerability of your choice, and what solutions you would implement to mitigate the threat.
  • Here is a whiteboard and some markers... draw me a diagram, design, or something of your choice using these tools to communicate a concept, architecture, or something of your choice.
  • Tell me about your experience with the open-source movement. What sources do you use to find information on new products related to network monitoring?
  • If there were a network problem, what basic steps would you go through in order to troubleshoot it?
  • What architectures, software, or deployment strategies have you used successfully in the past, but would no longer use? Please tell us why.
  • Sell us on yourself. What are your strongest personal assets? What specific attributes would you be bringing into the organization that will make a positive contribution to our overall success?
  • Tell us about an instance when you had to communicate an idea/process/procedure to a customer that you know will be resistant to you. What was your initial approach? Did you have to change your approach? What was the outcome?
  • What approach do you take when you need to learn about a technology? Do you consider yourself a life-long learner? Why?
  • What was the one question we did not ask that you came prepared to answer?
Sample Candidate Profile & Requirements
Candidate has substantial experience researching, authoring, and implementing security configuration standards across multiple platforms. Candidate's experience includes a successful track record of evangelizing standards, managing and/or creating the standards compliance and remediation processes, as well as presenting the value propositions of standards-based security management to senior managers within a Fortune 500 organization, or similar scale environment.

The self-directed individual represents COMPANY as a participant in industry working groups and standards bodies. Candidate's familiarity with security industry standards, working group processes, and content lifecycle management adds great value. Active participation in - or contribution to - OASIS, Liberty Alliance Project, NIST, Center for Internet Security, or other similar open forum working groups and committees demonstrates candidate's ability to advance COMPANY's concerns within the broader security industry.

Candidate is familiar with threats, vulnerabilities, and exposures across diverse systems, and successfully communicates this data in terms of operational risk and business relevance. Candidate brings to COMPANY extensive background creating and executing closed-loop vulnerability management practices, and can leverage such experience in coordinating individuals with competing priorities across multiple departments to mitigate risk.

The ideal candidate has 5-7 years' experience in the industry. Familiarity with the types of products offered by COMPANY, and the core business processes needed to deliver services, is essential in making security relevant to the lines of business the team supports.

Candidate can demonstrate a proven track record of communicating and working proactively and professionally with internal and external auditors, and other groups responsible for ensuring that an organization is properly protecting the interests of its customers, shareholders, and employees.

Candidate is familiar with software development lifecycle methodologies. Demonstrated experience gathering and documenting business and technical requirements for implementation by internal development teams and/or external vendors shows that candidate can lead others in meeting COMPANY's security requirements.

Candidate must bring extensive experience leading and/or significantly contributing to cross-departmental technology projects. The candidate leverages an understanding of industry-standard project management methodologies, experience with project financial controls, and the ability to communicate the financial justification for security projects to deliver on COMPANY's Information Security Strategy.

Candidate has led, or significantly contributed to, enterprise projects to deliver security information management solutions. Candidate shows experience building an infrastructure to aggregate, deduplicate, and correlate massive streams of security log data; candidate has delivered processes and procedures to triage, analyze, and take action on such information; and candidate has designed management reporting to instrument and continuously improve security information management.

Candidate's significant experience with network security controls such as routers, switches, firewalls, intrusion management solutions, network access control, and related solutions is required when coordinating delivery of holistic security in partnership with COMPANY's Network Engineering group(s). Extensive understanding of network protocols, data flow analysis, and network design and troubleshooting assist the candidate in leading others to successfully deliver a security program.

Candidate's familiarity with application security practices such as secure coding and secure development lifecycle management is required in coordinating with application architecture and development groups, as well as positioning system security in the broader context of COMPANY's information security program.

Skills and background in computer programming are desirable, but not required; however, candidate must demonstrate knowledge of design patterns used in enterprise applications. Understanding of how applications are developed, deployed, and managed is essential to demonstrating that candidate can design security solutions to protect critical assets and data. Familiarity with security principles in Service Oriented Architecture, WS-Security standards, application frameworks (.NET Framework & J2EE/Java EE), and the use of cryptography in applications ensures that the candidate can explain complex issues.

Certification by industry standard certification bodies is encouraged, but not required. SANS/GIAC, ISSAP, or similar certifications will be considered as evidence of candidate's dedication and commitment to demonstrating an objective baseline of skills. However, keep in mind that according to Burning Glass 35% of all security job postings require a certification.

Candidate has 3-5 years' experience designing, implementing, and measuring closed-loop security management workflow systems. Proven experience integrating security controls into enterprise workflow and incident/problem management systems is paramount in successfully delivering on the goals assigned to this position.


Acknowledgements

J Michael Butler, who was a great help in previous versions
Roland Grefer, who helped me clean up the writing
Chad Lorenc, who really beefed up the architect/engineer comparison
Thomas Williams, for TOGAF and the importance of physical security


References: All links valid 10/5/16 unless otherwise noted

http://burning-glass.com/research/cybersecurity/
http://www.payscale.com/research/US/Job=Security_Architect,_IT/Salary
ISSAP®: Information Systems Security Architecture Professional https://www.isc2.org/issap.aspx
SABSA (Sherwood Applied Business Security Architecture) www.sabsa-institute.org/
http://www.sabsa.org/node/73
http://hiring.monster.com/hr/hr-best-practices/recruiting-hiring-advice/job-descriptions/senior-security-architect-job-description.aspx
https://www.cisecurity.org/critical-controls.cfm
Information Security Forum (ISF) https://www.isfsecuritystandard.com/SOGP07/index.htm ***No longer worked when checked December 3, 2012
Department of Defense Architecture Framework (DoDAF). retrieved 10/5/16 (thanks to Chris Holabird)
Department of Defense Architecture Framework (DoDAF) v2 2009
http://jitc.fhu.disa.mil/jitc_dri/pdfs/dodaf_v2v1.pdf
http://jitc.fhu.disa.mil/jitc_dri/pdfs/dodaf_v2v2.pdf
http://jitc.fhu.disa.mil/jitc_dri/pdfs/dodaf_v2v3.pdf

Department of Defense Architecture Framework (DoDAF) v2.02 2015
http://dodcio.defense.gov/Portals/0/Documents/DODAF2/DoDAF%20v2.02%20Chg%201%20Vol%20I%20Final%202015-01-19.pdf
http://dodcio.defense.gov/Portals/0/Documents/DODAF2/DoDAF%20v2.02%20Chg%201%20Vol%20II%20Final%202015-01-19.pdf
http://dodcio.defense.gov/Portals/0/Documents/DODAF2/DoDAF%20v2.02%20Chg%201%20Vol%20III%20Final%202015-01-19.pdf
http://dodcio.defense.gov/Portals/0/Documents/DODAF2/DoDAF%20v2.02%20Chg%201%20Vol%20IV%20Final%202015-01-19.pdf
Zachman Institute for Framework Advancement (ZIFA) http://www.zifa.com/framework.html
NIST - Managing Risk from Information Systems http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf

2 comments:

  1. Interesting analysis. Thanks!

  2. My spouse and I love your blog and find almost all of your posts to be just what I'm looking for. I appreciate the persistence you put into your blog and the detailed information you provide. I found another blog like yours, Cyberoam Administration. Actually I was looking for the same information on the internet for Cyberoam Administration and came across your blog. I am impressed by the information that you have on this blog. Thanks once more for all the details.
