Welcome to Defender Spotlight! In this weekly blog series, we interview defenders of all varieties about their experience working in security operations, engineering, research, and more. We’ll inquire about their favorite tools, and ask advice on security topics, trends, and other know-how.

This week, we're featuring David Bianco, a Security Technologist and DFIR subject matter expert at Sqrrl. Before Sqrrl, David led the hunt team at Mandiant/FireEye, helping to develop and prototype innovative approaches to detect and respond to network attacks. Prior to that, he spent five years helping to build an intel-driven detection & response program for General Electric (GE-CIRT). He set detection strategies for a network of nearly 500 NSM sensors in over 160 countries and led response efforts for some of the company’s the most critical incidents.
_


Tell us about yourself, and your history working in security.  What roles have you held? How did you get started?

I started out as a Unix system administrator in college, with Sun 3/50 workstations running SunOS 4.2.  Virtually the entire Computer Science network was run by students, so I got a lot of great experience setting up networks and all the services that make them run correctly and do useful stuff.  I have fond memories of editing sendmail.cf bytecode, installing 100lb hard drives and debugging our UUCP connection to make FidoNet work correctly.  I may have shaved my Unix beard since then, but the experience stays with me, and is still incredibly valuable.  In order to know how an IT environment can be subverted, you have to know how it actually works in the first place, and I certainly learned that!

My first brush with security happened right after I read Clifford Stoll’s The Cuckoo’s Egg.  Someone had hacked their way into one of the university’s lab workstations and set up their own IRC chat bot.  I had read how Stoll was able to pull all sorts of brilliant maneuvers to track down the attacker and monitor his actions, and of course I wanted to give it a shot myself.  I failed miserably, of course, which I consider an early lesson in the value of planning and preparation for incident response.

Since then, I’ve worked at or consulted with large educational institutions, research labs, US government facilities, Fortune 5 corporations and even a few security vendors.  I very much enjoy the challenges of the incident detection and response field, and I consider myself very lucky to be able to do what I love every day!

What you are working on these days?

I lead the Security Technologist group at a Cambridge, MA area startup called Sqrrl.  Our product, Sqrrl Enterprise, is an incident investigation and threat hunting solution that combines Big Data to consume and store all your logs, a graph database to help see how they all relate to each other, and automated and machine-assisted analytics to help discover and get to the bottom of security incidents much more quickly than you can with traditional investigation tools like SIEM or Splunk.

I know that sounds a bit (a lot!) sales-pitchy, but I’m really excited about it because it’s a lot different than any other product, free or commercial, that I’ve ever worked with.  As the lead Security Technologist, I get to figure out what this new type of product needs to be able to do to surprise and delight analysts, then help make it happen.

Can you tell us about a moment in your career when you were proud to be working as a defender?

There was one time, I think it was in 2009, where I was working for a very large company CIRT.  We had only recently started building our CIRT, and had deployed our NSM system at the network egress points.  We had a select cadre of Tier 1 analysts that we were training to do the first level of event analysis based on playbooks for specific alert types we developed.

I remember that very early on in the process, we experienced a rash of infections by the Hanambot malware (AKA “prinimalka”), which was designed to steal credentials for banks and other financial services from individual user workstations. Once we started to see the first callbacks from this malware, I was able to quickly analyze our NSM data and create signatures for it.  With those alerts, I wrote a simple playbook entry that showed our Tier 1 analysts how to interpret the network traffic from PCAP, find the exact user who lost their credential and what service the credential was for. Thus, the team was able to quickly notify these users to change their passwords.

I know this is a very simple example, and really it’s nothing we defenders don’t do every day.  But this case really stuck with me because while I very much enjoy combatting nation-state APT style threats, this is an instance where our team was actually able to protect individual people and their families from real financial harm.  I like feeling that my work makes a difference, and it was very easy to see how it did here.

What advice would you give to someone getting started in security?

I said earlier that I feel very lucky to be able to do what I do every day.  Well, I certainly would not be able to do it now had it not been for the some fantastic mentors and an incredible community of people I interact with via Twitter, Slack and email.  I’m grateful to far too many people to list them all here, and I’d probably forget some and I’d feel terrible, so I won’t try, but I encourage everyone to get involved with the security community in some way.  

Whether you volunteer at a conference, take a n00b under your wing and teach them the ropes or blog/tweet/speak about what you know, you’ll not only gain a lot for yourself, you’ll help provide the same gain for others.  Even if you are new to the field, I guarantee you that there’s something you know or can do better than most of us, and that both sides will benefit from your participation in the community.

What do successful security teams look like?  What qualities and skills do the ideal team members have?  What do teams tend to struggle with the most?

There are many paths to success, so I don’t think they only look one way.  I do think they share some common characteristics, though, and chief among these is esprit de corps.  That’s a complex concept, having to do not only with a culture of pride in the team and in the members’ individual roles on it, but also with mutual respect, the willingness and freedom to ask for help without fear, and a positive commitment by all to do what they can to help the team, and the individuals on it, improve.  Add in a few senior members to act as mentors and seed the team’s growth (“rockstars” need not apply, thanks), and you’ve got a recipe for success.


David stays active in the community, speaking and writing on the subjects of Incident Detection & Response, Threat Intelligence and Security Analytics. He is also a member of the MLSec Project and the Cyber Threat Intelligence Studies Council (@ctiscouncil on Twitter). You can follow him on Twitter as @DavidJBianco or subscribe to his blog, Enterprise Detection & Response.