Welcome to Defender Spotlight! In this weekly blog series, we interview cybersecurity defenders of all varieties about their experience working in security operations. We’ll inquire about their favorite tools, and ask advice on security topics, trends, and other know-how.
Mandy, currently a Senior Incident Analyst at GE, has been in the security space for 8 years and counting. She defends networks and endpoints in the finance, manufacturing, and retail industries alongside a global conglomerate focused on 9 different industry verticals within finance, energy, healthcare, aviation and manufacturing. Mandy has previously held IT operation positions at IKEA, Border’s, Republic Bank, and Reuter’s before joining the security scene.
Let's get her insight on cybersecurity happenings.
Tell us about yourself, and your history working in security operations.
When I finished high school in a very small town in Southeast Michigan, I went to a technology school where I gained a Network Administration Diploma. I just finished the year long program when I attended a funeral where I met someone who was a Technology Director (no joke). We started talking and after interviewing, his manager offered me my first “real” job as a Helpdesk Admin.
Well, it was more like the personal assistant, where I delivered my manager’s mail and filled up copiers with paper every Tuesday and Thursday, along with answering the helpdesk phone, but hey, it was my first job and it was better than my various jobs of retail stores: Target, Lowes, Staples, and local pizza places.
I then moved around industries as a System Admin where I did Anti-Virus deployments in the banking industry and at Border’s Books. Since I was deploying it, I was responsible for machine infections, which made me start asking questions such as ‘why these infection or outbreaks were happening’ and ‘what was malware the doing’.
GE was making its debut in Michigan and Border’s was in the toilet, so I decided to apply at the conglomerate. After being with GE for two and a half years and working with some of the best mentors in the industry, I decided to see if the grass was greener on the other side at Rockwell Automation where I was a Senior Analyst and moved to Fannie Mae where I worked my way up from an Analyst to the Security Manager for Detection, Response and Intel. After realizing the grass wasn't greener, I decided to part ways and moved back to GE as a Senior Analyst on the GE-CIRT.
In your opinion, what are the most important elements of implementing a successful security operations center capability? What do companies struggle with the most?
Important elements of implementing a SOC is hiring humans to analyze threats. I think over-automation, where you don’t have a human checking an event or a threat, can be what companies struggle with most. If you rely solely on a machine to do detection, prevention, and intel for you, you’ll miss an attack eventually.
What are the top 3 things defenders should be worrying about today? What worries you the most personally?
- The number one issue that concerns me is companies buying tools to create an appearance of being secure. Many companies experience a breach and spend millions on clean up and tools, yet have no one to monitor the tools. There is a mentality of “set it and forget it”, or they buy the hardware and it takes years for it to be installed, rendering it obsolete before implementation.
- The other concern that defenders should be worried about is their company products and operational technology being sold to consumers which are being compromised or exploited. Some customers do not even have a security team and either have to replace or rebuild their product, resulting in lost dollars.
- Lastly, I think defenders should worry about is encrypted traffic. 70% of enterprise traffic is encrypted. Having host and network based detection is imperative nowadays. When you cannot detect a threat through SSL/TLS on the network, then having host based detection on your endpoints is the next best thing.
What advice would you give to someone getting started in security?
Live, eat, and breathe security. Security is not just a career for many. The best defenders I know make it a lifestyle. Most of my dinner conversations with my husband are related to some security issue. Pick up a book about network security or TCP/IP and setup a home lab. Security Onion is probably the best place to start and gives you a well rounded look at what tools are being used in the industry.
Break stuff, infect your home computer (kidding, setup a virtual machine) and learn how to clean it or what the malware did. Google is your friend. Go to local security meetups and network with people. I think the most important thing is: do not be afraid to be wrong, but learn from your mistakes and make yourself a better defender because of it.
What does a good team structure look like when setting up a security operations center? What qualities and skills do the ideal team members have?
Having a team with different skills whether it’s scripting, networking, sys admin skills or reverse engineering. I think having a diverse set of skills, along with passion and motivation, each team member can learn from each other, but also lean on each other when there is an incident.
What are some of the best industry events to attend and why?
I think some of the smaller groups where it’s local and you can have an intimate conversation or network with someone about security is the best. Some can be at your local University. The bigger events like Blackhat and DefCon are cool, but can be overwhelming or expensive for some.
That's it for today! If you'd like to ask Mandy more questions, or you'd just like to connect with her, follow Mandy on Twitter.