Digital Security Lessons from Ice Hockey
I'm struck by the amount of attention we seem to be paying to discovering vulnerabilities and writing exploits. I call this "offensive" work, in the sense that the fruits of such labor can be used to attack and compromise targets. This work can be justified as a defensive activity if we accept the full disclosure argument that truly bad guys already know about these and similar vulnerabilities, or that so-called responsible disclosure motivates vendors to fix their software. This post isn't about the disclosure debate, however. Instead, I'm wondering what this means for those of us who don't do offensive work, either due to lack of skills or opportunity/responsibility.
It occurred to me today that we are witnessing the sort of change that happened to the National Hockey League in the late 1960s and early 1970s. During that time the player pictured at left, Bobby Orr, changed the game of ice hockey forever. For those of you unfamiliar with hockey, teams field six players: one goalie, who guards the net; two defensemen, who try to stop opposing players; and three forwards (one center and two wings), who try to score goals.
Prior to Orr, defensemen almost never took offensive roles. (Forwards didn't pay much attention to defense, either. Only in 1978 did the Selke Trophy, for best defensive forward, start being awarded.) When Orr began playing, he wasn't satisfied to control the puck in his defensive end and then hand it off to one of his forwards. He jumped into the play, sometimes carrying the puck end-to-end, finishing by scoring himself. Twice in his ten-year career he even led the league in scoring -- scoring more goals than forwards. He didn't neglect his defensive duties, either. He was named league best defenseman eight years straight.
What does this mean for digital security? It's easy to identify the forwards in our game. They discover and write exploits. Some of them can play defense, while others cannot. Many of us are traditional defensemen. We know how to impede the opposing team, and we know enough offense to understand how the enemy forwards operate. A few of us are goalies. Aside from clearing the zone or maybe making a solid pass to a forward, goalies have near-zero ability to score goals. (Yes, I remember Ron Hextall.) That's the nature of their position -- they can't skate to the other end of the ice!
Anyone who plays a sport will probably recognize the term "well-rounded." Being well-rounded means knowledge and capability in offense and defense. I think it applies very well to ice hockey and basketball, less so to soccer, somewhat well to baseball, and not at all to football. I see well-roundedness as the proper trait for the general security practitioner, i.e., the sort of person who expects to work in a variety of roles during a career. This is the ice hockey model.
I do not recommend following what might be called the [American] football model. Football players are exceptionally specialized and usually ineffective when told to play out of position. (Could you imagine the kicker playing on the defensive line, or the center as a wide receiver?)
Returning to the hockey model, remember that there are three positions, with varying degrees of offensive and defensive responsibilities. Goalies focus almost exclusively on defense, but they try to make smart plays that lead to break-outs. Defensemen concentrate on defense but should contribute offensively where possible. Forwards concentrate on offense, but help the defensemen as well. How does this model apply to my position in digital security? I consider myself a defenseman, but I'm trying to develop my offensive skills. (At the very least, better knowledge of offensive tools and techniques helps me better defend against them.) I have no interest in being a goalie. Being a forward would be exciting, but I'm not sure I'll have an opportunity or job responsibility to fully develop those skills.
I suppose it's even possible to become a coach or trainer (like skating guru Laura Stamm). You don't have to actually play the game, but you quickly become irrelevant if you lose touch with the game.
Does the extreme specialization of the football model apply? I think it may for large consultancies (or perhaps for the security market as a whole). In a large consultancy, you can be the "Web app guy" or the "incident response gal" and make a living. Outside of that environment, perhaps at a general security job for a company, you're expected to be good at almost everything.
I've written before that it's unreasonable to be good at everything, despite the unrealistic desire of CIOs to hire so-called "multitalented specialists." I recommend choosing to be a goalie, defenseman, forward, or coach/trainer. Be solid in your core responsibilities, but remember Bobby Orr's example.
How do you fit into my hockey model?
Comments
There are special "utility" players out there. They are unique and do not represent the majority in any industry. When coach Belichick looks at putting players on the roster he doesn't look for the best at position, he looks for players that are "football smart".
I think we need more "security smart" players in IT. It doesn't mean that they are experts at a particular position, but have the intelligence to understand what is happening and when they need to engage additional "position" players.
Thoughts?
-Mark
3 to 2 to 1 is the ratio you outline, but I think the ratios in information security are much more slanted. It would seem to me that there are very few offensive security researchers focused solely on "scoring" a 0-day or big vulnerability. I'm sad to say there may be only slightly more defensive players who manage to play some offense as well. It strikes me that we're in an era of goalies, for one reason: in the infosec world "forwards" get the notoriety but "goalies" get paid.
With a few exceptions, such as pen-testers, some gov groups, and a few vulnerability researchers at think tank type companies, there aren't many offensive infosec jobs available. Like you (Richard) I've been working on my offensive skills, but unless a person can already write win32 payloads by hand in their sleep there's not much work for a "transitional player" who's moving from offense to defense. It just won't pay the bills. My free time is spent almost exclusively on offensive work and reading, but it's all for myself and maybe, someday, a job in the future. My job is still solely on defense, and until I'm given permission at work to "take the puck myself" Bobby Orr style, that's what my role is confined to.
I'm not sure if that's right or wrong. The offense is the fun stuff. The few times in the lab I worked in at school where I got to pop boxes were among some of the most fun I've ever had on a computer. When my school team competing in iCTF got our first breakthrough, I don't know if I've ever felt so invigorated. But when the resumes got sent out and companies started coming back to me with jobs, most of that offensive knowledge was in the back seat. The Shellcoder's Handbook might be fun, but it's your Tao of Network Security Monitoring that's making me better at my job. I don't know what the future holds, but that's how it is at the present.
So for now I'll keep plugging away at the Gera Examples and see if I can "get a breakaway" sometime.
Fast forward a few years from Orr and you have a much more technical game, Devils playing the trap, the umbrella on the powerplay, boxing the penalty kill, and the effectiveness and importance of the line change.
The ice hockey model should be in your next book!
- Jon
Ignore the ratios. I did not intend for them to have any significance whatsoever. I was just explaining the game to those who might not know it.
Does "puck" count?
I agree that in a concrete sense the ratios really don't matter. In a more abstract sense I think they are important, and I was simply trying to illustrate the huge gap between the relatively small number of "offensive" security pros and the much larger group of "defensive" security professionals, with very little overlap. My point, and I think more than somewhat yours, is that both groups need to move closer towards the middle: fewer goalies, and more defensemen who know how to shoot as well as check. It's my hope that these more well-rounded security pros will be best equipped to face the challenges ahead.
Fights during the game would equate to time spent arguing that additional budget is required to meet the requirements. (You win some, you lose some.)
Penalty minutes are "time spent in irrelevant meetings"
Icing is what you do when you send your technical team to training/vacation. You push as much work for later as possible while they are out.
Short handed goals - when your analysis process quickly identifies the attacks against your network and computing resources.
http://www.foxnews.com/story/0,2933,233037,00.html
On the left under VIDEO click on "YouTube Guide to Crime."