11 March, 2013

Building an IR Team: Growth

This is a long overdue continuation of my posts regarding Building an Incident Response Team. I had a very rough outline of this post going all the way back to 2009! The good response I got on some of my previous posts on building IR teams made me come back and work on finishing the posts I had planned when I first started the series.

Previous posts:

I believe one of the hardest things to deal with when building a successful IR team is growth. If you build an IR team that is successful and gets management buy-in as a result, there is a good chance that responsibilities, the amount of work, the number of incidents detected, and the size of the team will all grow. This will invariably cause growing pains, setbacks, and reevaluation of procedures.

I honestly could go on and on about dealing with the growth of an IR team. There are so many things to consider that it is daunting to plan for growth ahead of time instead of just dealing with the hurdles as they come. However, if you have a team that is growing, it really helps to take a step back and plan for both immediate and long-term growth. It is so important that a fair amount of this post will reiterate what I have explicitly or implicitly said in some of my previous "Building an IR Team" posts.

There are a number of questions to keep in mind when an IR team grows. What are the additional duties causing the addition of positions? Are the additional positions adequate to cover the additional duties and responsibilities? If not, how can expectations be managed so superiors understand what is actually feasible? Are the duties just a higher volume of what the team is already responsible for, or are there new areas that will require different types of team members and different types of training? What works well now but may be problematic with a larger team? Do we need to restructure? How do we maintain the success that led to the IR team's growth? The last question is one of the most fundamental.

Relationships


At one point I worked on a team that, over the course of a few years, increased the number of personnel fourfold. This completely changed the dynamics of the team, from the lead all the way down to the most junior analyst. The more people you add, the more complex the relationships become. This applies not only to relationships within the team, but also to relationships with other parts of your organization and management.

With such growth, it became a lot more important to clearly define roles and responsibilities and the command structure, and to get management support for decisions.
  • Command structure: As the team grows, other groups in the company are less likely to know each person on the team. This means in a lot of cases it is helpful to have a few key people known to those other groups. These key people don't always have to be the ones to communicate with a specific group, but can be used as a fallback if the other group's first instinct is to be more adversarial with those people they don't know.
  • Intra-team relationships: The more people you have, the more you have to keep an eye on the working relationships between members. When you have a team that numbers in the single digits, it is almost natural to know all the ins and outs of the working relationships, for example who complements each other and who can be a good mentor to more junior analysts. It takes more conscious effort to track as you increase the number of people. Not only that, it requires more actively setting expectations about what you expect of them.
  • Management support and inter-team relationships: As a team gets bigger, its profile is raised throughout the company. This can make dealing with other groups easier, more difficult, or most likely a little bit of both. As we all know, IR teams sometimes need to make decisions or do things that are not popular and that people outside the team view as irritating, to say the least. It is very important to have management support when you invariably have conflicts with those outside the IR team. It's also important to have a manager who knows when to tell you that you're being unreasonable and the outside groups have a reasonable concern or complaint.
This is by no means a complete list of things to consider. The bottom line is that a larger team makes both intra- and inter-team relationships more complex.

Other Growing Pains


The simplest example I have from the past regarding growing pains was when I was on a team that was not gaining new areas of responsibility but was switching to coverage 24 hours a day, seven days a week. As I covered in another blog post, it is important to come up with the proper organization and make sure every shift is productive. Increasing the number of hours of coverage also obviously means hiring new analysts, plus the possibility of shifting current analysts to drastically different schedules.

Restructuring can often cause conflicts beyond those involving work schedules. On a small team, most people gravitate to a niche and can often be allowed to work in it as long as they can also handle the more generalized response duties. In a larger team, it's much harder to let members naturally gravitate towards certain areas while maintaining the ability to get all the work done. It certainly is nice to keep everyone happy and specializing in the areas they are most interested in, but it's not always realistic. One way to help with this is to make sure you follow the advice for redundancy in the "Organization" post, plus allow members to rotate through different areas of specialty. This means they won't be stuck in one particular area, in addition to providing redundancy of skills.

Another issue is making sure you formalize reporting to some degree. In a team of a few people, it's readily apparent what each person is doing. When you have a score of people, you need to get both formal and informal reporting from shift leads, team leads, mentors, and even individual analysts to properly understand who is doing what, workloads, what is working well, and what is not working. Regardless, the structure of a larger IR team probably needs to be more formal. Notice the "probably." I think it is safe to say there may be exceptions to all these points! The key is to find the proper balance that enables useful reporting while avoiding unneeded bureaucracy.

Hiring can also create growing pains. I must stress that you should do everything possible to maintain standards when hiring. That said, a bigger team can mean more room and opportunity for less experienced analysts. One weak link among five people is a much bigger deal than one weak link among 30, so a larger team can allow you to take a chance or two when hiring. I've always been an advocate of getting smart people who can learn and are legitimately interested in the field over those who have experience but less potential for growth, and a larger team can sometimes make this easier to justify.

Evaluation of Procedures and Operations


This advice really applies to all IR teams, but becomes more important with growth. Incident response procedures that work well in a small team may not work as well with a larger group. Even if your team has not grown, you may want to regularly reevaluate IR workflow, reporting, or just about any existing procedures and standards of operations. Sometimes it may mean more clearly codifying what were once informal standards, while other times it may mean completely rethinking how you operate because you have several tiers of analysts. Having good metrics so you can try to make reevaluation more objective and less subjective also helps. Unfortunately, metrics is a huge topic that I can't address in this post, but there are many sites, papers, books, and more to help anyone interested in the topic.

Standards for working with the field may also need to change. If you are in an enterprise where the IR team is often reaching out to "boots on the ground" like local system administrators or IT staff, there may need to be changes in areas of responsibility when the IR team is larger. I partially covered this when mentioning inter-team relationships. Even if your IR team is comfortable contacting those in the field directly, those managing the people in the field may want a more formal command structure so they can track requests and other communications from the IR team. Contacts in the field may also want their roles and responsibilities more formally or clearly defined. This is easier to work through when the IR team only has a few people, but once there are dozens it can cause problems if those in the field don't know upfront what the IR team expects and what qualifies as an unusual request from the IR team.

Training


A larger IR team means the company is spending a lot more money on the team and security in general. It also means you may have enough team members to form a class-sized group. Whether you use in-house training, outsource, or a combination, a larger team means you will need to think about more formal training where a large group is in a classroom environment. This doesn't mean one-on-one or one-on-few mentoring and training should go away, but you will need to adapt to training larger groups. You also should consider setting aside money specifically for training if that was not done previously.

Be Flexible


Note that this is all based on my experiences in the past 10 or more years, but it is just the tip of the iceberg. Different teams may have different issues to consider when growing. Depending on the specific IR team, none of what I wrote may apply directly. I think there are two overriding concerns when an IR team grows. One is to be flexible as the team grows so your organization can really see what works and what does not. Two is to plan for the growth instead of just letting it happen haphazardly. Some teams do quite well with very little change after they've grown, while some may need drastic changes just because of adding a few people or analyst turnover.

Other Resources


There are some resources available to help deal with creating IR teams, and much of what applies at the creation of a team can apply to the growth of a team. When a team goes from a few people to 20-30 people, you essentially are destroying the old team and creating a new one. Most of the questions considered when creating an IR team can be asked once again and reevaluated as the team grows.

Richard Bejtlich has posted on his blog about many aspects of building and maintaining SOCs, and also mentioned that he will have a chapter in his new book titled "Network Security Monitoring Operations," focused on sharing "the author's experience building and leading a global Computer Incident Response Team (CIRT), such that readers can apply those lessons to their own operations." I presume anyone regularly reading my blog is already reading Taosecurity, and I also anticipate that his new book will be quite useful.

I hope to have at least one more post in my "Building an IR Team" series. I may also have additional material, or collate and improve all my existing posts if I feel it is worthwhile.
