Offense and Defense in your Infosec Department

It is now generally accepted that our job as infosec professionals is not to prevent compromise but to defend against it and operate in a compromised environment.  With that understanding the DFIR/infosec operations staff are the front lines of information security.

The operations team could be thought of as a sports team.  They need the right equipment, but nothing takes the place of practice.  And to practice you need a good practice squad.

Most large infosec departments have the staff to do this.  We have staff skilled in evaluating the security of products and tools.  Unfortunately, this body of staff is primarily focused on the acquisition side of infosec.

To fix this, lets switch things up a bit.  We probably already have 3 teams in infosec:

1. Operations - DFIR responsibilities (they'll be the blue team)
2. Engineering - Risk and Compliance responsibilities (they'll be the red team)
3. Architecture - Stategic vision (they'll be the white team)

In this model, operation's primary role is to prevent, identify and remediate incidents.  Their secondary role is to generate high-level security needs and provide them to Architecture for implementation.

Engineering's primary role is to validate that security requirements are appropriate implemented in a product's design and to assess the risk of those not implemented.  Their secondary role, however, is to attack Operations.  Because their skill set should be the ability to identify security vulnerabilities, a measurable amount of their time should be used attacking the internal network.  

In this way, we pit operations against engineering in friendly blue vs red battle.  Both teams benefit from the continuous training and the enterprise information system benefits from the identification of security weaknesses that can be remediated.  If you play both offense and defense on your home network, when attackers come to your turf, they shouldn't stand a chance.

Architecture plays the final role.  Their primary role is to help translate Operations' needs into requirements and then into designs.  They also play the white cell role, providing an unbiased referee for the competition between Engineering and Operations.

In this way, we keep the task of operationally defending the network forefront in everyone's mind.  We also make sure that the security we build is truly derived from operational needs rather than 'gut feelings' about what should be bought.  We merge operations and acquisition into a single process without adding any additional organizations.  And because of it, everyone benefits.