Re: RESEARCH: Staffing of a Security Team

From: TemplarKnight (paladium@paladiumdesigns.com)
Date: 10/21/02


From: "TemplarKnight" <paladium@paladiumdesigns.com>
Date: Sun, 20 Oct 2002 21:45:30 -0400

SomeLoser,

Thank you for the useful information. I am not a novice by any stretch of
the imagination. But I have some unique challenges in the current
organization, not to mention politics, that are creating difficulties. My
only real option is to minimize the challenges with facts, industry
standards, and risk analysis. I have attempted to do so briefly and have
been asked to provide more in-depth and justifiable information. I am
attempting to do so quickly and as clearly as possible since I have a short
suspense on deploying this enterprise. Hence, querying the NG's.

Some additional information to help you and the others help me nail this
down:

- We are associated with the Department of Defense... therefore,
outsourcing of security services is not an option.

- Current mandated policy requires all sites have RealSecure IDS's and
Checkpoint's. No option here.

- Current staff of 6 handles everything mentioned previously except the
Checkpoint's and IDS's. Checkpoint's and many more IDS's are being added to
the teams responsibilities.

- All security devices will run on the Nokia IP series platform... provides
a simplified management solution and is a standardized platform.

- There are no Checkpoint FW-1's in the current environment. Must add about
100. Have chosen to use Provider-1 as the enterprise management solution.
All 6 personnel have attended Checkpoint training, 5 have earned the CCSA,
one earned both the CCSA and the CCSE. I have two new CISSP's on staff and
a *** load of Cisco CERT's scattered among them. Combined experience in
excess of 50 years. We are not new at this...

- RealSecure Site Protector is already active and supporting 25+ sensors
which generate ~255,000 total events per 24-hour period. Policies are
trimmed down, though not as far as they could be. Required IDS's are
increasing to over 100. I only have one IDS analyst who maintains Site
Protector as well as analyzes the data and generates initial incident
reports when necessary. His current IDS workload is estimated to be
approximately 60-70% not counting his other assigned duties. Only one
person on my team has any RealSecure training and experience (myself), but
as the manager my duties prevent me from being as actively involved as I
would like. RealSecure training is being scheduled for three of my people.

- I have one security firm that has provided a recommendation, based upon
what they have seen in the industry. They do not provide managed security
services. Their recommendation, if the only one I can get, will not be
received well by senior management. They recommend 10-12 IDS's per analyst,
~15 Checkpoint's per administrator, and 2 DBA's. These numbers would
increase the staff to approximately 27 people (6 current staff + 12 IDS
analysts + 7 FW admins + 2 DBA's). I need a better cross reference of these
numbers from other industry security professionals if I'm going to be
successful in building the right sized team. Failure is not an option!

- One of our Corporate sites provides IT and security support for another
DoD agency. They have a comparable number of sites and a staff of 27
security personnel. Good info but easily deemed biased since we are a DoD
contractor providing services to a DoD agency... more people (contractors)
means an increased bottom line for the Corporation. Unfortunately that other
Corporate office is considered more important because of its mission, so
their DoD agency provides more resources and money to support the security
infrastructure.

Oh, Firefox, I did check SANS and spent several hours combing the search
engines... Notta! This is a slippery one to nail down. That's why I've
turned to the NG's. If you have a specific link to something relevant,
please post it. I would appreciate it.

Thanks again!

> I recently heard that Cornell University released some sort of "guide" for
> the ratio of systems to administrators. I have not read the
> article/paper/recommendation - thus no link to post, but search their site
> (http://www.cornell.edu/) and I'm guessing it is up there somewhere. I
> think it was an industry review, and not just for them inhouse -- but
> understand they want to better their standing in their own finding.

[--SNIP--]

> IMHO - the "upfront" efforts will require a greater investment to reduce the
> man-hours required on the 'back-end'. Determining *what* the appropriate
> policies should be for the firewalls and IDS's will reduce the amount of
> information (true, false, and otherwise) that someone must wade through as
> part of the log reviews, etc. (perhaps policy and procedure definition below
> here, no?) Part of that will be dictated by exactly what each of these
> disperse sites does. It may not even be worthwhile to have IDS at certain
> sites.

[--SNIP--]

> Depending upon how confident you are that the currently enabled firewall
> rulebase(s) and IDS policy(ies) match your risks, you may be able to skip
> this 'upfront' effort. However, if that were true, I'd imagine you would
> have some idea of what it is currently taking to control/monitor/update what
> you already have -- and could then extrapolate those numbers to at least
> reach an educated guess at your staffing requirements. Also, you need to
> determine how outsourcing may fit within your needs. As noted in
> Computerworld, Oct7 - watch for the "gotcha" reports.

[--SNIP--]

> Depending upon your company setup, you may be able to task some of these
> items out to your internal (or external) audit department. (that also
> depends upon your definition of some of the terms below).
>
> If this is for you, sometimes an outside estimate - based upon your unique
> architecture, risks, and tolerance - would assist in your budget plight.
> Finding the stats from the org's as FireFox noted will help, but you still
> have to justify it for your situation.
>
>
>
> "TemplarKnight" <paladium@paladiumdesigns.com> wrote in message
> news:ur5ja96vhja929@corp.supernews.com...
> > Interesting research problem.....
> >
> > For a global network running both Checkpoint Provider-1 and ISS RealSecure
> > Site Protector, 100+ sites, 100+ sensors, 100+ enforcement points, what do
> > you think the proper number of security professionals should be to support
> > this sized network? Keep in mind that all staff members will be functioning
> > at ~80% efficiency level.
> >
> > - # Firewall Admins?
> > - # IDS Analysts?
> > - # DBA's?
> > - # Other staff performing various functions, such as:
> > CERT Review & Implementations
> > Anti-Virus Research & Auditing
> > COOP
> > Vulnerability Assessments
> > OS Auditing (W2K, HP-UX, Linux)
> > Router Auditing
> > R&D
> > Policy Development & Documentation
> >
> > Research on the web for this data has been unsuccessful. Vendors are
> > unwilling to "recommend" or "suggest" due to legal implications. No White
> > Papers seem to exist that address this issue. No known formulas that
> > clearly calculate the RISK vs. STAFF vs. EFFICIENCY LEVEL.
> >
> > Other than professional opinion, what's a poor Security Manager to do to
> > justify an increase in staff to support such a network? The most expensive
> > aspect of a global network security infrastructure is staffing costs. But
> > without proper (trained) staff, all the security gadgets in the world won't
> > keep the network safe... well, there IS the off switch :)
> >
> > Thoughts??? Inputs????
> >
> > Thanks in advance!
> >
> >
> >
> > DAC
> > ------------------------------------
> > Security Manager
> > Nameless Company
> >
> >
>
>
