2016 is well under way and this time of year it can be tough to justify training budgets. As an instructor for our Experiential Cyber Immersion Training and Exercises® (EXCITE®) course here at Lockheed Martin, I interface with a lot of computer network defense teams. Over the years I've noticed organizations fall into the trend of allowing the newest tools to drive their analyst training program. Others let their employees self-select training they feel would be the best fit for their role. But these routes can lead to over-reliance on technology, skill set gaps, and disjointed teams. I'd like to take a slightly different approach and suggest three things to add to your in-house training program that you won’t find in traditional classroom curriculums.
1. Focus less on tools and more on mindset
Technology is a resource that demands more resources. The true value of cybersecurity tools is the operator behind them. I've never seen an Intrusion Detection System find malware it doesn’t have a signature for and I've never seen a proxy block a command and control channel without having that URL on either a black or white list. Now don’t get me wrong, I'm not suggesting that you stop buying tools or training for the tools you already have – but the question should be, are your analysts being trained to simply operate the tool or truly leverage the technology? Tools should be deployed to serve the analyst, not the other way around.
Anyone can be trained to operate a tool, but an analytic mindset is needed to turn data into actionable intelligence. I've noticed that one of the hardest things for newer analysts to comprehend is how to analyze artifacts of compromise. They struggle with being able to take the output from multiple tools and correlate that data in the investigative process. By having your training focus on the analytic mindset and process as opposed to how to use the tools, your analysts will be more effective.
In-house, we train our cyber analysts to adopt an Intelligence Driven Defense® mindset. By training our analysts to identify data points that contribute to contextual intelligence our team is empowered to leverage technology output to inform a proactive defense strategy. Central to the Intelligence Driven Defense® mindset is the Cyber Kill Chain®. This analytic framework provides a repeatable process and a common vernacular within which to organize and communicate investigative findings. This allows analysts to see the whole picture and understand the context necessary to process the alerts and output from all the tools provided to them.
2. Empower employees to self-learn
Another way to get your employees trained up in a short amount of time is to allow them to "play" in an environment that is low risk. Creating a digital playground where employees have the ability to try new techniques and make mistakes can be a valuable tool in the development of the analyst mindset. I find that I learn more from mistakes that I've made than by my successful experiments. By having a safe area where employees can challenge themselves you will find that they are both happier and better trained.
For example, one of the things that Lockheed Martin did to enable this for its cyber workforce is to create a “cyber challenge”. Employees were able to sign up for the challenge and work on it on their own time. We found that those who participated enjoyed the freedom to explore technologies and experiment with techniques in a low consequence environment. It also created a little friendly competition between departments which added excitement to the whole process. A final, unintended benefit of this cyber challenge was that as a business we were able to identify new and upcoming talent. Employees who were absorbed by the event revealed their analytic potential and were given opportunities to advance their skills and careers to the benefit of the organization.
3. Invest in mentoring relationships
Most organizational structures include a tiered hierarchy that includes both senior and junior analysts. Are you effectively leveraging the experience of your senior analysts? This seemingly obvious resource is often overlooked. By encouraging senior analysts to mentor junior analysts you do three things. First, you create an instant value-add to your internal training program. While this sounds like an obvious example, it is important because by learning from experience your greener employees will get up to speed much more quickly than if they were left to learn on their own. Second, you empower your senior analysts. The added responsibility for the development of the more junior employees demonstrates to them that you are confident in their abilities. In my experience this promotes job satisfaction and encourages the employees to work together to solve problems. And finally, you encourage your senior analysts to learn new techniques. What better way to inspire skilled analysts to stay on their game than to make them teachers! This is one of the core benefits of mentoring relationships: the mentors are forced to teach the mentees. This means that they will take the time to truly research and understand the concepts that they need to impart to their mentees.
This is by far one of the easiest things to implement in your organization now. Start by assigning a "buddy" to your next new employee. Tell your senior employee that they are responsible for bringing the new guy up to speed. After doing that you can then start to reinforce the process with checklists and formal mentoring plans. In the end you will have created bonds between the employees that are crucial to the collaborative environment needed to run an effective cyber defensive organization.
This is one of the techniques our EXCITE® instructors use to assist students in the class. In every class we find a wide range of skill levels among the students. As teachers we try to pair up students with stronger skill sets with students who have a more beginner-level skill set. I’ve found that the satisfaction of both students is higher when we do this.
So to conclude my thoughts, these are three relatively easy things you can implement with little to no cost to the organization:
- Focus your training on the analyst mindset
- Challenge your team with sandbox exercises
- Develop a mentor program
These action items, coupled with continued formalized classroom training, will empower your employees to learn on their own and provide them opportunities to grow their individual tradecraft.