Bojan's last couple of diaries on Analyzing Network Traffic Part 1 and Part 2, got me to thinking about all the knowledge required as well as the work and effort that intrusion analysts go through to protect the networks they monitor. Often times, this knowledge and skill is gained on off duty hours because this world is more than just a job. So, how do you demonstrate to management the value of your intrusion detection program and your analysts? One of the toughest barriers to breach is taking data from the technical side and presenting it in a meaningful way to the management side. In this specific instance, I wanted to focus on translating to management the value of Intrusion Detection and the analysts. I have heard it said more than once We have a firewall and IDS, they will alert us when something happens or We have a tool that can monitor our network, we don't need all these people do we? and one of my favorites We have Antivirus, isn't that enough? In today's tough economic times, one of the first things that usually gets cut in the budget is security. The tools generally stay in place, but the number of people required to manage and monitor them drops. The goal to to make management know and understand the value of your intrusion detection program so they realize they can't afford to lose the service you provide.
Generally, the role performed by the analysts is usually only brought to light when there is an incident. Day after day goes by without a major issue and the analysts are out of sight and out of mind. That often includes holidays when everyone else is off but the analyst is still working to protect the network. There are many ways that you can bring to light what your analysts are doing. Metrics are always to first thing that comes to mind, but sometimes its difficult to measure what an analyst does in a way that means something to management. There are also many positions on whether these numbers should be tangible or theoretical. I think its more than metrics, but metrics have their place as well. No matter how you approach this, you have to show value added to your company/organization's mission by making sure management understands that your group exists and the role it performs. Here are some thoughts:
Have a one page newsletter highlighting your group and its accomplishments as well as what its working on. (Does management know that you had a block put in place for a significant threat until a patch was issued which means your network did not suffer any impact?) I have found that management likes to brag about things like this when others are suffering the effects from it. It also makes them appreciate your efforts.
Highlight each of your analysts and their success by having a Catch of the Week/month writeup and include their photo.
Keep them informed of current and emerging threats (in easy to understand non-technical terms) Alot of times they have no idea such a threat was possible or exists.
Provide them metrics of the number of alerts that occur during each shift and approximately how long it takes to look at them. This being tracked by the number of analysts on a shift will show the residual, if any, of what did not get looked at in a timely fashion. Management needs to understand the risk and agree that they are willing to accept the risk.
How many many blocks (firewall, email, web, etc.) were put in place to protect the network? That shows management a proactive stance.
Keep management informed of the costs being incurred by other companies who have to clean up after being compromised. Do not imply that it won't happen on your network. It will, its just a matter of time. But the cost is much less if early detection occurs. Skilled analysts to key to early detection.
These are just a few ideas and you will have to tailor this to what means something to your management. Solicit their feedback and ask them if there is something more/less they would like to see. Start with something for them to look at, they usually do not know what to ask you for because they don't understand this world. The bottom line is to make sure management knows your team exists and the efforts that your team is putting forth to protect the network. If you have ideas or things that worked for you, please let us know.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.