Flexible Consistency Improves Information Security

Training sessions, such as Cyber Shield 19, provide cybersecurity analysts opportunities to train, exchange best practices and test their cyber mettle. Credit: Army Staff Sgt. George B. Davis
The nature of military permanent change of station assignments can create gaps in the U.S. Defense Department’s protected posture to cyber assets. The current approach allows valuable institutional knowledge literally to walk out the door, often being replaced with inadequately prepared personnel walking in. This practice runs contrary to the Pentagon’s stated strategic goals that aim at building and maintaining a skilled workforce rather than solely acquiring new tools.
According to a report from the Defense Department’s Office of Inspector General, employing and deploying highly prepared and experienced personnel is a top priority in responding to modern cyber challenges. But security operations center teams are challenged by a daunting task. Chartered with defending the department’s networks from foreign and domestic threats, they lack trained experts and face a constant rotation of analysts.
“The DoD must ensure that it has a skilled cyber workforce capable of using necessary tools and capabilities to conduct cyberspace operations,” the report states. “The DoD must also secure and monitor the DODIN [Department of Defense information network] and its data to prevent … unauthorized disclosures and data exfiltration that could adversely affect national security. The DoD must also continuously identify, address and adapt to challenges affecting its ability to protect the DODIN and conduct cyberspace operations.”
However, there are ways to retain institutional knowledge in the midst of personnel turnover. Position successors can be situated to expand the positive impact of their predecessors rather than floundering while learning in the new position. By implementing the following steps, these outcomes can be successfully achieved.
The military is a huge collection of geographically dispersed agencies, each with different policies and routine practices. Establishing standardized tools and processes can go a long way to help professionals moved to new stations. Enterprise consolidation and digital collaboration make it possible to determine a unified, standardized set of tools and processes to protect systems.
Uniform devices and procedures will enable cybersecurity team members to make permanent change of station transitions easier because personnel won’t need to “learn a new language” every time they move to a new location or workplace.
It is comparable to learning to drive one particular make and model of car, which enables people to drive nearly every make and model of automobile. Likewise, standardization would make the defense of cyber assets similarly transferable from one assignment location to another.
In addition to standardizing tools and processes, applying consistent approaches to assigning personnel replacements who have similar skillsets to the departing staff member would support smooth turnover and, subsequently, a consistent level of mission operation success.
Returning to the automobile analogy, worn out tires are replaced with new or retread tires. When a battery can no longer be recharged, it is replaced with a new identical battery. The same thinking should carry over to the Defense Department in personnel transfer matters.
Currently, when a senior security operations center analyst moves to a different position and/or location, the replacement may be a junior-level systems administrator. Clearly, this is not an ideal approach to maintaining a consistent defensive posture against threats.
Avoiding these situations requires assigning replacements whose skillsets are equivalent to those of the departing staff members. Rather than leaving the decision up to military detailers, adding an interview process to the selection procedure would ensure that the service member whose skills are best suited for the position fills a vacancy.
If the required skillsets are lacking among available candidates, then new personnel should undergo sufficient training to acquire the needed capabilities before they start their assignment. This process would enable them to make valuable contributions from day one on the job with minimal initiation or on-the-job training from colleagues.
In addition to losing well-trained personnel when they are moved to a new station, security analysts who walk out the door take institutional knowledge with them. Because no method exists to capture their expertise and experiences, this information is rarely collected and archived to pass along to their replacements.
Developing playbooks would help security teams codify both existing and outgoing knowledge so incoming team members don’t have to learn everything from scratch.
An effective playbook would focus on two key components: automatic response and continuous improvement.
Although attacks take many forms and use many methods, they can be grouped into categories, and a predetermined automatic response can be designated for each category.
For example, if the log says “X,” then this is the action to take. If the domain name system data is “Y,” then this is the tactic to deploy. Every indicator triggers a specific, automatic response, and the playbook clearly guides team members through these responses.
However, it is important to note that a playbook is never a finished product; it must remain a work in progress. Cybersecurity is a fluid space, so what works today may not work tomorrow. For this reason, it is critical that knowledge not only be institutionalized but also improved.
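The two playbook components described above, categorized indicators with predetermined responses and a record of continuous improvement, can be sketched as a small rule engine. The following is an added illustration written for this page, not code from the authors or from Splunk or Corelight; the rule names, response text, log lines and domain names are all constructed, and unmatched indicators are escalated to an analyst rather than dropped.

```python
"""Minimal SOC playbook engine (illustrative, constructed example).

Each rule pairs an indicator category and a pattern with a predetermined
response ("if the log says X, take this action"). Every change to the
playbook bumps its version and is recorded, modelling the idea that a
playbook is a living document rather than a finished product.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One playbook entry: indicator category, pattern, and the action to take."""
    name: str
    category: str   # "log" or "dns" in this example
    pattern: str    # regular expression matched against the event text
    response: str   # predetermined response handed to the on-duty analyst


@dataclass
class Playbook:
    version: int = 0
    rules: list = field(default_factory=list)
    changelog: list = field(default_factory=list)

    def add_rule(self, rule: Rule, reason: str) -> None:
        """Continuous improvement: each change bumps the version and records why."""
        self.rules.append(rule)
        self.version += 1
        self.changelog.append((self.version, rule.name, reason))

    def respond(self, category: str, event: str):
        """Return (rule_name, response) for the first matching rule in the category.

        An indicator with no matching rule is escalated for analyst triage so the
        gap is visible and can be turned into a new rule later.
        """
        for rule in self.rules:
            if rule.category == category and re.search(rule.pattern, event):
                return rule.name, rule.response
        return None, "ESCALATE: no matching rule, analyst triage required"


def build_initial_playbook() -> Playbook:
    """The playbook as handed over to an incoming analyst (constructed rules)."""
    pb = Playbook()
    pb.add_rule(Rule(
        name="ssh-bruteforce",
        category="log",
        pattern=r"Failed password for .* from (\d{1,3}\.){3}\d{1,3}",
        response="Block source at perimeter; open ticket; pull 24h auth history"),
        reason="Initial playbook")
    pb.add_rule(Rule(
        name="watchlist-domain",
        category="dns",
        pattern=r"\.(bad-domain|c2-example)\.invalid$",
        response="Sinkhole domain at resolver; image host; notify IR lead"),
        reason="Initial playbook")
    return pb


def improve_playbook(pb: Playbook) -> None:
    """An analyst codifies a response for an indicator that previously escalated."""
    pb.add_rule(Rule(
        name="sudo-auth-failure",
        category="log",
        pattern=r"sudo: pam_unix\(sudo:auth\): authentication failure",
        response="Verify with user; review for privilege escalation attempts"),
        reason="Repeated unmatched sudo failures observed during triage")


# Constructed sample events, not real telemetry (RFC 5737 address, .invalid TLD).
SAMPLE_EVENTS = [
    ("log", "sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2"),
    ("dns", "beacon.c2-example.invalid"),
    ("log", "sudo: pam_unix(sudo:auth): authentication failure; user=jdoe"),
]


def run_playbook(pb: Playbook, events):
    """Apply the playbook to each (category, event) pair and return the decisions."""
    return [pb.respond(category, event) for category, event in events]


if __name__ == "__main__":
    playbook = build_initial_playbook()
    for (category, event), (rule, action) in zip(SAMPLE_EVENTS, run_playbook(playbook, SAMPLE_EVENTS)):
        print(f"v{playbook.version} [{category}] {event[:50]!r} -> {rule}: {action}")
    improve_playbook(playbook)
    print(f"after improvement (v{playbook.version}):", run_playbook(playbook, SAMPLE_EVENTS)[2])
    print("changelog:", playbook.changelog)
```

On the first run the third event has no rule and is escalated; after `improve_playbook` codifies what the analyst learned, the same event resolves to a predetermined response and the changelog shows who changed what and why, which is the handover record an incoming team member would read.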
To perform at their best, security teams must be able to act quickly and decisively, and that’s the purpose of the playbook, which serves the same purpose as a car’s owner’s manual. When a specific light flashes on the dashboard, the owner goes to the manual to identify the problem and determine how to fix it.
Providing set fixes in a playbook is helpful; however, security professionals are not a monolithic group. They bring to their mission a diverse set of talents and experiences. Team members must be able and allowed to leverage that expertise in support of the mission of protecting the Defense Department’s networks from their first day on the job. In turn, their observations and insights can be captured in a constantly updated playbook.
This approach will enable the military to stand ready for future threats and realize consistent and agile practices that can be ingrained in the military’s culture effectively and efficiently.
Matt Toth is a national defense security strategist at Splunk, and Richard Chitamitre is a federal sales engineer at Corelight.