In today’s computing world, enterprises experience malware attacks, system intrusions, DDoS attacks and countless other threats coming at them from every corner of the web, guided by every imaginable intent. It’s an ongoing onslaught that has fundamentally changed how enterprises and SMBs need to approach cybersecurity. Long gone are the days when a malware scanner with semi-regularly updated definitions could hope to stave off an enterprise security breach. The skyrocketing volume and the increasing sophistication of threats mean that if enterprises want to stay cybersecure, they need to approach the task a little differently – with data on their side and well-trained, insightful IT staff who know how to read it, interpret it and apply it.
Recognizing this cybersecurity sea-change, the top technology professionals from across the industry who act as Subject Matter Experts (SMEs) on CompTIA’s certifications convened to create a certification that speaks to these new industry needs. The CompTIA Cybersecurity Analyst+ (CSA+) certification sets the benchmarks for what a cybersecurity analyst has to know to do the job. And like all of CompTIA’s highly-regarded certifications, it’s one from which both the IT professionals that do the work and the businesses that rely on them will benefit greatly.
Cybersecurity Analytics: the Good, the Bad and the False Alert
CSA+ SME Christine Tuttleman, senior security, network and systems specialist at Joint Commission, has observed first-hand how important it is to have a certification like the CSA+ out there in the field. Networks, she notes, no longer only become compromised by people clicking through on phishing emails or visiting the wrong websites. From applications to phone systems, anything connected to a network is a potential vulnerability. It leads to a kind of information overload that only a dedicated, trained cybersecurity analyst can effectively handle.
“The security field is full of tools,” Tuttleman said. “We have tools for everything. We get alerts for everything. There's just so much data that comes out of all that. What's really needed is people who can look at this data and know what's important and what is noise; which alerts you need to pay attention to and which ones are just regular traffic.”
Popular network monitoring tools, while indispensable, are hardly perfect. False positives happen, and so do false negatives. It takes a trained, tech-savvy eye to tell the difference. The tools are also not simple, and even to a lower-level security pro at the CompTIA Security+ level they can be mostly indecipherable. It takes a focused, practiced understanding of the tools to do the job. In fact, when it comes to mitigating the damage of a threat that hits a network, which tool is in use often matters less than the quality of the analyst who’s monitoring it.
“You can always buy more tools and you can gather more data, but if you don't know what data to act on it's just throwing your money away,” Tuttleman said.
And so, to confirm the skills that make those tools valuable – enter CSA+.
The CSA+ Certified Professional: Taking Action
Enterprises may sometimes implement network monitoring tools without recruiting the proper talent, under the mistaken impression that anyone at the CompTIA Security+ level, or anyone in IT, can muddle through them. But cybersecurity analytics is a different world, something that CSA+ SME Andrea Di Fabio, chief information security officer at Norfolk State University, described with an apt comparison.
“It's like, if you've seen The Matrix, it's like the guy that sits in front of that monitor and we see symbols, he's decoding that, he can see what’s going on,” Di Fabio said. “Same thing with [a cybersecurity analyst]. The tools are gathering a lot of data, they're flagging, they're identifying risk measures and saying high, medium, low. He’s really able to dig deeper and say, ‘now this is bad, now this is a false positive.’”
Being able to interpret the log files, however, is only one part of the job – and only one part of the skillset that CSA+ confirms. Professionals at the cybersecurity analyst level have been working in the industry for a few years. They’re not just reading data, they’re putting it into context and using it to inform a response strategy.
Though it differs on a company-by-company basis whether a cybersecurity analyst is the person who pulls the alarm on a cybersecurity event or escalates it to a higher authority who responds, any IT professional in a cybersecurity analyst role needs to understand what they’re seeing in the logs, determine what it means and know what steps should be taken in response.
“I know that [a CSA+-certified IT pro] is able to take data and formulate his own ideas and opinions about what’s going on from a security perspective,” Di Fabio said.
And with its in-depth, scenario-based questions, the CSA+ exam tests to make sure that the certified professional is one who can think critically about the data that’s in front of them.
“I think the CSA+ does a really good job of really making sure that people have the skills they need to pull out those security events and make sure they're being active about it,” Tuttleman said.
Such skills are necessary not just for identifying threats on the network and mitigating their damage in the moment. In today’s complex security landscape, cybersecurity analysts are fundamental to building out an overall enterprise security strategy.
Going Beyond the Technical with Data-Driven Strategy
Steven Slawson, principal security architect at Dell SecureWorks, has spent 20 years in the cybersecurity industry. Having begun his career as a network engineer, he understands the overlap between IT operations and IT security – but he also sees big distinctions. IT security, increasingly, is its own entity that goes far beyond the firewall.
“If you focused your security program entirely on dealing with just the technical stuff, you still can't pass any kind of audit; you still won't actually in most cases have a very effective security posture,” Slawson said. “[To be effective] you want to compartmentalize things based on the overall risk.”
Knowing the major network analytics tools, and being able to interpret and act on what they indicate in order to understand threats, are big parts of what an analyst does. But determining where best to deploy resources based on risk, building out networks to mitigate possible damage, meeting regulatory burdens and setting up businesses to get back online after weathering cybersecurity events are all driven by the analyst’s guidance as well. So for the CSA+-certified IT professional, understanding the managerial, procedural and strategic sides of the business can be as important as knowing the tools.
In Slawson’s day-to-day professional life, he builds out and implements top-to-bottom strategies that address all these concerns. He was even slightly concerned that in helping to craft the exam, he would be personally over-invested in the non-technical portions. But there was no static between SMEs, from the most technical to the most business-oriented, on this question.
“I think everybody agreed that being able to work within the broader picture, within the business needs … that it all ties in,” Slawson said.
CSA+: Tying it All Together for Businesses and IT Pros
The cybersecurity analyst, then, is a position in enterprise security that ties together tech and business; security and strategy. And because an overall cybersecurity strategy is more critical than ever, an enterprise can’t afford to have someone underqualified in this role. And the skills that make a good cybersecurity analyst aren’t easy for a layperson to identify.
“When there isn’t an objective means to evaluate what someone should know, you see crazy vacillations in the experience and skillset,” Slawson said. “It's not easy to tell.”
But now, with the CSA+, employers will have that all-important shorthand for determining that cybersecurity analysts know their stuff. And for IT professionals looking to move up the job ladder, the CSA+ is a puzzle piece that fits perfectly into the existing world of CompTIA certifications while also bringing something new.
“It closes the gap between the entry level security exam, which is the CompTIA Security+, and the end-all be-all CASP … I think [the CSA+] fills that gap, but also focuses on something neither the Security+ nor the CASP do, which is the analysis of the attacks,” Di Fabio said.
And so the CSA+ is here, to test and confirm the knowledge of how to use data analytics tools, the ability to tell people across an enterprise what that information means and the understanding to help determine what action it should inform. It’s imperative for enterprise security that businesses have a handle on their cybersecurity analytics – and now, thanks to CompTIA, there is a set of guidelines to validate skills thorough enough to match the importance of the task.
“[The CSA+ is] a good middle ground where you've got somebody who has some experience in the security field, they know what they're doing, they've got pretty good skills, and this just gives them that credential that shows everybody else they know what they're doing,” Tuttleman said. “I honestly think that’s a role that no other certifications out there fill for security right now.”
Matthew Stern is a freelance writer based in Chicago who covers information technology, retail and various other topics and industries.