Hard-to-find cyber pros in urgent demand
Security threats proliferate faster than cyber pros cadre
In the end, the biggest problem facing government when it comes to security in the age of advanced persistent threats and advanced malware is not the availability of good technology. There’s already plenty of that. It’s the dearth of security professionals who know what to do with that technology and how to apply it to hunt for and deal with the threats.
Consider the situation the government faces. Go back five years or so, when most attacks against government systems were from lone hackers who attempted their exploits as part-timers. Many of them were smart enough but had limited resources.
The adversaries today — at least those that government needs to take the most notice of — are full-time employees of well-funded criminal or national organizations. The attacks are highly sophisticated and very targeted, and they are designed and controlled by people who can afford to be very patient. It’s a whole new ballgame.
Countering APT malware requires an extremely high level of skill, said Stephen Northcutt, CEO of the SANS Institute.
“Incident responders of this type can understand malware they’ve never seen before, which is quite a skill,” he said. “There’s a rapidly growing need for these people, and right now, both government and the defense industrial base have been a little slower than banks, insurance companies and others with deep pockets in making the investment.”
A senior professional at the top of his or her game can bring in $200,000 a year in many markets in the United States, he said, and even more than that in the really expensive markets.
Government actually spends more money on security than industry does, Northcutt said, but it doesn’t spend it wisely. The average IT department in government, especially in the Defense Department, will have more people with information assurance or security in their titles than you will find in industry, “but because the pay rates are lower, so is their skill level,” he said.
Because there are so many aspects to security management and technology, security professionals need a wide range of skills if they are to prosper in today’s environment, said Shon Harris, president of Logical Security. They have to understand intrusion detection and intrusion prevention and how to run those systems, they have to understand firewalls and identity management, and they need to have basic network skills.
People think they have those things, she said, but many in the security field today don’t have even that foundational base of knowledge. They don’t necessarily understand how a computer works from the ground up, and they don’t understand how the protocols and various software work.
“I’ve taught security for 12 years to every three-letter organization, to federal agencies, to all of the large banks, and I’m constantly blown away by the stuff so-called security professionals and engineers don’t know,” she said.
Even when agencies seem to be doing the right thing, it’s simply not enough to counter today’s threats. Many have formed incident response teams to fight intrusions, for example, but most of them are made up of people who normally have other duties to perform. They get pulled off those for three or four days to tackle the incident, then pick up their regular jobs afterward.
That was fine in the past, when these teams would, once they had determined what the intrusion was, simply pull compromised systems off-line to reinstall them. And that might have been enough to prevent attacks from advancing, said Rob Lee, the lead for SANS’ digital forensics training.
“But adversaries today are using techniques that basically put them on so many machines in the network it’s like playing a game of Whac-a-Mole,” he said. “You can rebuild a specific machine, but you’ll find so many other systems and servers that have been compromised that you’ll never be able to make any headway.”
The adversary’s strategy is to be around for the long term and simply wear down incident response teams until they are too exhausted to continue, Lee said.
Agencies are starting to realize the need for dedicated response teams, he said, and there’s progress evident in other areas. Two years ago, you would never have seen a dedicated malware analyst inside a government agency, he said, and now there are hundreds of them.
The problem is they are “not very good,” he said. And training people from scratch will not meet the immediate need, as it takes at least a couple of years to get someone up to the level of skill that’s needed to deal with modern malware.
The individuals who can do this task well are in very high demand; there just aren't enough of them, Lee said. Until acquiring the skills needed to deal with the kind of malware APTs use becomes a prerequisite for government security professionals, those threats will continue to be a problem.