SANS Penetration Testing

Security ADD - Offense, Defense, Or What?

[Editor's Note: In this post, the unparalleled Seth Misenar tackles the question of whether it's OK for a security professional to walk the line between offense and defense, or whether someone should take the plunge on one of these two sides. He lays bare his very soul as he debates the options before us all.]

By Seth Misenar

I was recently asked by Ed Skoudis and Mike Poor to serve on a panel discussion at SANS Security West 2014. The panel topic is Offense Informs Defense, and is kind of a face off wherein SANS Pen Test instructors shoot out a bunch of new techniques and SANS Cyber Defense instructors discuss practical ways of handling the onslaught.

Sounds fun, so I immediately confirmed. Only later did it occur to me, that I wasn't sure which side I was supposed to rep. security ADD seems to rear its ugly head again.

I often joke with students that I appear to suffer a bit from an undiagnosed case of ADD because I seem to flit from topic to topic within security. One month I'm all about hardcore NSM practices, the next I'm focused on playing with weaponizing XSS and CSRF vulnerabilities, and the next... something completely different. I routinely get a bit distracted and only later realize that I have refocused my time and efforts. SQUIRREL! See... I did it again. This shifting seems normal to me, but is at odds with what most professionals do at my point in their careers?

So now, back to the question about the panel: which side am I supposed to rep, offense or defense? Got it, I will just check the schedule for to see which curriculum I am teaching under at that conference, and I'll "bet" that guy. No joy. I'm teaching 504 which actually makes matters worse since that course logically seems to fit under Pen Test, Cyber Defense, and Digital Forensics too. No obvious answer there... where to go from here?

Maybe I am just a generalist? That doesn't sound very desirable, even though most folks that I meet who work in security are expected to be some kind of generalist. An often-quoted phrase comes to mind, "Jack of All Trades Master of None". Am I forsaking my true potential in offense OR defense, because I choose offense AND defense? While it doesn't seem to have been a career-limiting move, I could certainly have sharper offensive or defensive skills if I neglected the other side of the coin, or could I?

Then I come back to the Skoudis mantra, "Offense Informs Defense."

I honestly think, and maybe this is simply rationalizing my own inherent behavior, that cyber/information security is better served as a whole by having both the single-minded, laser beam focused, offensive OR defensive experts as well as the security ADD encumb^H^H^H^H^H^Hmpowered offense AND defense professionals. Those of us who play on both sides can help synthesize and match offense to practical defenses, and can also think of new ways around the defenses we deployed. I don't mean to take anything away from those who have chosen to focus on one side such as our panel leads Ed (offense) and Mike (defense). But, those of us with InfoSec ADD are an important piece of the puzzle in constructing effective enterprise security programs.

Anyway, that is how I will justify answering for both the offensive and defensive curricula on the panel, if Ed and Mike let me get away with it.

So, feel free to point to this blog entry next time you start feeling a little disloyal to Pen Testing by moonlighting in Cyber Defense (or by taking <shameless plug> the soon-to-be-released SANS SEC511: Continuous Monitoring and Security Operations ? ) even though you are, by trade, a penetration tester. Or, if you are a Cyber Defense person, point your boss this way when you feel like you are stepping out of line by taking a hand in helping your organization with its next penetration test.

Remember Defense Informs Offense Informs Defense after all.

Come check out the panel on 5/11/2014 if you happen to be at SANS Security West, and then stick around for Eric Conrad and me giving our Continuous Ownage: Why You Need Continuous Monitoring talk.

-Seth Misenar


Posted February 22, 2014 at 6:23 AM | Permalink | Reply

Andre Gironda

First of all, it's not ADD ''" that's a bad metaphor. The model you are looking for to describe our dual reality is called the rubber-band model: you are being pushed or pulled towards opposing forces.
However, as you allude to, there are more factors than just offense and defense: DFIR and NSM as other key factors. Information security management and risk management are the primary disciplines with varying principles, and for security achitects, vaying control sets.
If I were to give some advice, having breached the information security community 20 years ago, I'd tell you to stop concentrating on the past/present situation and to focus on what is needed for the future. There are four realms of capital: infrastructure, social, individual, and instructional. Infrastructure-wise, I feel we are missing capital in the areas of DFIR and NSM. Socially, we are strong as a community, but the hardest bridges to build have historically been in appsec (especially between security architects) ''" we need more integration of general security architecture with projects like ESAPI and AppSensor.
Looking to the future, however, our greatest weakness both social capital and talent-wise is with data science: we need people who understand data products and how they integrate with information security management, risk models, and cyber insurance. With specific regards to instructional capital (the main realm of SANS), the industry has high demand for red team analysis ''" not just penetration testing, not just reversing, not just exploit development.

Posted December 1, 2015 at 6:38 AM | Permalink | Reply

printable Calendar 2016

I love what you guys are usually up too. This kind of clever work and coverage!
Keep up the superb works guys I've incorporated you guys
to my own blogroll.

Post a Comment


* Indicates a required field.