Re: RESEARCH: Staffing of a Security Team
From: SomeLoser (N0*Sp@m@not-here-not-now.com) Date: 10/21/02
From: "SomeLoser" <N0*Sp@m@not-here-not-now.com> Date: Sun, 20 Oct 2002 23:07:31 GMT
I recently heard that Cornell University released some sort of "guide" for
the ratio of systems to administrators. I have not read the
article/paper/recommendation - thus no link to post, but search their site
(http://www.cornell.edu/) and I'm guessing it is up there somewhere. I
think it was an industry review, and not just for them in-house -- but
understand they want to better their standing in their own finding.
Also, I believe this was simply for "general" system administration and
support; and not security-related. You can make your own determination, but
it might provide someplace to start. The numbers I was quoted were that the
average is around one admin per 100 systems. However, the report also felt
that a more acceptable number would be a ratio of one to fifty.
IMHO - the "upfront" efforts will require a greater investment to reduce the
man-hours required on the 'back-end'. Determining *what* the appropriate
policies should be for the firewalls and IDS's will reduce the amount of
information (true, false, and otherwise) that someone must wade through as
part of the log reviews, etc. (perhaps policy and procedure definition below
here, no?) Part of that will be dictated by exactly what each of these
dispersed sites does. It may not even be worthwhile to have IDS at certain
sites.
It sounds like one of three situations:
a) you have a staff and this configuration, but are just swamped and
getting slack;
b) this setup needs rolled out (with or without any policies in place
already); or
c) You've been hired to estimate this for a client and are striking out
thus far on your net searches.
Realistically - somewhere in between a&b.
Depending upon how confident you are that the currently enabled firewall
rulebase(s) and IDS policy(ies) match your risks, you may be able to skip
this 'upfront' effort. However, if that were true, I'd imagine you would
have some idea of what it is currently taking to control/monitor/update what
you already have -- and could then extrapolate those numbers to at least
reach an educated guess at your staffing requirements. Also, you need to
determine how outsourcing may fit within your needs. As noted in
Computerworld, Oct 7 - watch for the "gotcha" reports.
Depending upon your company setup, you may be able to task some of these
items out to your internal (or external) audit department. (that also
depends upon your definition of some of the terms below).
If this is for you, sometimes an outside estimate - based upon your unique
architecture, risks, and tolerance - would assist in your budget plight.
Finding the stats from the org's as FireFox noted will help, but you still
have to justify it for your situation.
"TemplarKnight" <paladium@paladiumdesigns.com> wrote in message
news:ur5ja96vhja929@corp.supernews.com...
> Interesting research problem.....
>
> For a global network running both Checkpoint Provider-1 and ISS RealSecure
> Site Protector, 100+ sites, 100+ sensors, 100+ enforcement points, what do
> you think the proper number of security professionals should be to support
> this sized network? Keep in mind that all staff members will be functioning
> at ~80% efficiency level.
>
> - # Firewall Admins?
> - # IDS Analysts?
> - # DBA's?
> - # Other staff performing various functions, such as:
> CERT Review & Implementations
> Anti-Virus Research & Auditing
> COOP
> Vulnerability Assessments
> OS Auditing (W2K, HP-UX, Linux)
> Router Auditing
> R&D
> Policy Development & Documentation
>
> Research on the web for this data has been unsuccessful. Vendors are
> unwilling to "recommend" or "suggest" due to legal implications. No White
> Papers seem to exist that address this issue. No known formulas that
> clearly calculate the RISK vs. STAFF vs. EFFICIENCY LEVEL.
>
> Other than professional opinion, what's a poor Security Manager to do to
> justify an increase in staff to support such a network? The most expensive
> aspect of a global network security infrastructure is staffing costs. But
> without proper (trained) staff, all the security gadgets in the world won't
> keep the network safe... well, there IS the off switch :)
>
> Thoughts??? Inputs????
>
> Thanks in advance!
>
>
>
> DAC
> ------------------------------------
> Security Manager
> Nameless Company
>
>