NICE Framework: "Protect and Defend" and "Analyze" Challenges

This is the fifth of the six articles in our series from Learning Tree instructor Aaron Kraus on the NICE Cybersecurity framework and common challenges many organizations face when trying to maintain vital cybersecurity skills and resources. To further your journey, read the rest of the blog series and learn more about Aaron Kraus here.


Typical Roles/Skills for this Category

NICE provides a listing of typical roles or titles for staff working in the Protect and Defend and Analyze categories. Obviously, all organizations are different, so these are examples and not prescriptive, i.e., not all organizations will have these particular jobs, titles, or roles, and they may be combined with other functions, outsourced, or not performed at all if they are not required. The sample roles from the NICE documentation, along with definitions and the typical skills that individuals in these roles might need, are listed below:

    • Cyber Defense Analyst, Cyber Defense Infrastructure Support Specialist, Cyber Defense Incident Responder:
        • These roles are often part of a blue team or Security Operations Center (SOC), and are responsible for monitoring systems and organization resources for signs of infiltration or exploitation. They will be monitoring, analyzing, and prioritizing details of attacks or intrusions, and performing the actions required to respond to these security incidents such as investigation and defending the organization's assets or operations.
    • Vulnerability Assessment Analyst, Threat/Warning Analyst, Exploitation Analyst, All-Source Analyst, Mission Assessment Specialist, Multi-Disciplined Language Analyst:
        • This is one of the most exciting and "sexy" categories of work performed in the field of cybersecurity, and contains functions such as red teaming, penetration testing, ethical hacking, and malware analysis. Although security is a much broader function encompassing boring aspects like policy writing and audit, the Hollywood image of a hacker in a dark room, wearing a hoodie, hacking high-level targets and easily bypassing firewalls is a well-defined trope. Movie magic aside, these workers need skills and experience with system configuration, identifying exploitable weaknesses, and combating malicious software - though the NICE framework is clear that these are to be used for defensive purposes only. This set of work roles also requires analysis skills to make sense of data and provide actionable intelligence to support cyber defenses.
    • Target Developer, Target Network Analyst:
        • This category includes skills required to identify targets and networks which could be exploited and monitor them. It may be part of a SOC or part of an IT function to create and maintain inventories of the organization's systems, which are potential targets for attack.

Pain Points

One of the biggest issues organizations face in both the Analyze and Protect and Defend categories is the sheer volume of data which must be collected, transformed into useful intelligence, and analyzed. Tools such as Security Information and Event Management (SIEM) platforms can gather the data, make it searchable, and potentially identify security issues which require investigation, but they are not a magical solution. Appropriately skilled personnel are required to configure and tune them to weed out false positives and to investigate the alerts that are generated.

The sheer volume of data, alerts, and activity on an organization's network can also be a major stumbling block, as the number of staff and time required to perform proper analysis simply may not exist. Many tools are sold with promises of artificial intelligence and machine learning (AI and ML) that can replace human skills, but these systems are still immature and are no replacement for properly-trained personnel.

Skills Development Opportunities

Analyzing security data and taking action to both proactively protect and defend networks against attack is largely a set of universal skills, i.e., a SOC analyst or cyber first responder's skills will be portable from one organization to the next. There will be vendor-specific skills that can be acquired either on the job or with vendor-provided training, such as how to configure a particular next generation firewall (NGFW) to perform intrusion prevention analysis and block malicious traffic. Skills and certifications which would be useful for workers in this role include: