30 October, 2007

Better Work Means More Work

Security is one of those fields where, the better a job you do, the more work you have to do. To some extent, all jobs are like this. If you do a terrible job, nobody is going to want to give you more work. If you do a great job, people will give you as much or more work than you can handle. However, this is not really the type of extra work I am referring to.

One example of what I'm talking about is intrusion detection. The better you get at intrusion detection, the more incident response you will end up doing as a result. Getting better at security operations in general will often lead to the discovery of more intrusions as your knowledge increases, new systems are implemented, and security systems are improved. Someone who is good at penetration testing or application fuzzing may be able to find and exploit more vulnerabilities, and in the end do extra work because of that. I'm sure there are many more examples.

On the other hand, better work also means you can streamline processes or reduce the number of security incidents. Increasing the depth of your defense to reduce security incidents, automating processes, more clearly mapping processes, and more efficiently achieving an objective are all possibilities to reduce the amount of work. Being better at penetration testing may mean finding more useful information about the security of your target, but you may also perform the actual penetration test more quickly.

Richard Bejtlich likes to point out that prevention eventually fails. I agree but would like to add that I think there will always be security incidents that are missed. Getting better at detection means more time spent on incidents, which is a good thing by the way. However, no matter how good you get at detection, I firmly believe that nobody will catch everything worth catching. There are probably exceptions, but in the type of enterprise network I'm used to dealing with, catching every single noteworthy security incident seems unlikely.

Someone in operational security can also improve prevention. Just because prevention eventually fails doesn't mean it never works or should be ignored. You might think that getting better at prevention means you will have less work to do when it comes to detection and response. But better prevention generally means more work on design, testing, configuration, maintenance, documentation, and more.

Anyone who does a good job will be in demand, leading to more work. With security, I also think doing a good job means you may discover more work to do along every step of the way.
