NICE Framework: "Collect and Operate" and "Investigate" Challenges

This is the final article in our six-article series from Learning Tree instructor Aaron Kraus on the NICE Cybersecurity framework and the common challenges many organizations face when trying to maintain vital cybersecurity skills and resources. To further your journey, read the rest of the blog series and learn more about Aaron Kraus here.


Typical Roles/Skills for this Category

NICE provides a listing of typical roles or titles for staff working in the Collect and Operate and Investigate categories. Obviously, all organizations are different, so these are examples and not prescriptive: not all organizations will have these particular jobs, titles, or roles, and they may be combined with other functions, outsourced, or not performed at all if they are not required. The sample roles from the NICE documentation, along with definitions and the typical skills that individuals in these roles might need, are listed below:

    • All Source-Collection Manager, All Source-Collection Requirements Manager:
        • These roles are crucial for obtaining the data needed to perform security monitoring. They identify sources of information such as logs generated by networking equipment, security devices, systems, and applications, and gather them into a usable repository such as a Security Information and Event Management (SIEM) platform. This requires knowledge of how the monitored systems operate, the ability to gather the required log data, and tools to analyze it.
    • Cyber Intel Planner, Cyber Ops Planner, Partner Integration Planner:
        • Planners must be skilled in identifying likely or possible sources of the information required, which can then be converted into usable information (intelligence). They are often required to have knowledge of foundational security concepts such as data classification schemes, as well as of the organization's operations, to ensure that data and systems are adequately monitored for the information needed.
    • Cyber Operator:
        • These are the offensive players in the NICE Framework, and they will have many of the same skill requirements as the "hackers" depicted in movies, such as the ability to identify weaknesses in systems, networks, or applications and exploit them. They may be tasked with gaining unauthorized access to information systems and exfiltrating data for intelligence analysis, using network penetration techniques, malware, and social engineering.
    • Cyber Crime Investigator, Law Enforcement/Counterintelligence Forensics Analyst, Cyber Defense Forensics Analyst:
        • These roles require skill sets similar to, or built on, law enforcement skills such as forensic investigation, and they may be performed in partnership with law enforcement agencies rather than as internal functions. This is due in part to the highly specialized nature of the skills, coupled with the (hopefully) infrequent need most organizations should have for these functions.

Pain Points

Gaining access to such highly specialized skills and resources is one of the main challenges, and for many organizations this will be an outsourced function, as the cost of maintaining in-house cyber intel and forensics skills may be prohibitive. Third-party threat intelligence services, digital forensics firms, and law enforcement organizations may all be service providers an organization turns to, in which case the internal skills required may simply be the ability to choose an appropriate third party and then coordinate efforts with them.

The Operate and Collect functions can also be a challenge due to the limited supply of skilled personnel. Defining processes, selecting and implementing tools, and running security data operations are all time- and resource-intensive, and the resulting information must not only be understood by analysts but also be prepared for use by non-security personnel. In this translation, critical information such as priority or severity is often lost as the data is "dumbed down".

Skills Development Opportunities

Collecting security data, operating security processes and tools, and performing investigations when necessary is one of the most skills-intensive areas of security. Virtually all the skills required are highly specialized and relatively new; digital forensics is a field that is younger than many of its practitioners! When third parties are used for these functions, organizations need to have adequately trained business decision makers to ensure that a properly qualified service provider is selected. However, even when such service providers are used, there may be internal functions that are invoked before an incident is escalated to a service partner, e.g., an internal incident response team investigates and determines that digital forensics or law enforcement involvement is required. Skills required for this category include:

    • Business Intelligence and other analytical skills can be a useful ancillary capability for a team charged with identifying or collecting useful security information.