Welcome to Defender Spotlight! In this weekly blog series, we interview cybersecurity defenders of all varieties about their experience working in security operations. We’ll inquire about their favorite tools, and ask advice on security topics, trends, and other know-how.
1. Tell us about yourself, and your history working in security operations.
Yeah, so I’m ex-Military, ex-NSA, and ex-MegaCorp. I focus on technical leadership, incident response, proactive adversary hunting, and advanced threats. My niche tends to be the use of offensive security knowledge for defensive security purposes; I believe studying the enemy is the best way to understand how you’re being attacked and how to turn the tables on your adversary.
2. What you are working on these days?
I’m at a security startup called Cybereason, founded by some fantastic hackers who came from the Israeli equivalent of NSA. We’re building a capability to detect the various behaviors of bad actors and sew them together into a cohesive story, called a “Malicious Operation”, or MalOp, which highlights all their activity through the various phases of an intrusion. Since many of us come from the offense side of the cyber game, we know what it takes to plan and execute a successful attack campaign, so we know what it takes to disrupt one.
3. Can you tell us about a moment in your career where you were proud to be working as a defender?
I can remember the fire in my padawans’ eyes when I started mapping back the Indicators of Compromise (IOCs) we were seeing to a set of attacker Tactics, Techniques, and Procedures (TTPs). Once they understood that they were playing against a thinking adversary with motives, wants, and needs, they started extrapolating all the things they could do to ruin that guy’s day.
I enjoy teaching, but nothing beats the seeing the wide-eyed grin creep across their face when a “eureka” hits and you *know* your understudies will soon be able to hunt for themselves.
4. In your opinion, what are the most important elements of implementing a successful security operations center capability? What do companies struggle with the most?
A Security Operations Center (SOC) is only as good as its’ talent. Most companies can’t sift through the muck to find top talent, and they can’t build a successful SOC without it. How do you evaluate the quality of someone’s skills when you’ve never practiced those skills yourself?
Certifications have failed us and degrees haven’t caught up yet. Talent can make up for a lot of ills in the SOC environment including bad tools and low budget, but you’ve got to make your spend somewhere. Don’t skimp on high-skilled labor… it can only hurt you.
5. What are some of your favorite products, software, or tools that you use on a daily basis? How do they make your job easier?
I’m huge on automation -- anything I have to do routinely *must* be converted to an automated process. There’s no reason to spend human time or brain cells on something that can be accomplished with CPU cycles. Use your smart people to solve *new* problems, not repeat previously solved ones. This makes your people sharper, it reduces cost, and it keeps them from quitting to go find a job that actually needs their best work.
Remember the LinkedIn article a few months back that said there are 5 jobs for every 3 InfoSec Professionals? After a certain number of years of experience, we go where the interesting work is. Python is my weapon of choice for automation.
6. What are some of the trends in the security industry that you find encouraging?
I appreciate the fact that people have gotten tired of buying the “one true way”-type solutions. For awhile there, companies were successfully selling products that promised to do everything for everyone, all the time. I can think of endpoint antivirus solutions and next-gen firewalls that were both guilty of the same grandiose pitch.
Defenders need diversity of detection methods as much as they need defense-in-depth. If all your defensive tooling uses the same strategy, say, known-pattern matching like most Antivirus and IDS solutions, you’re gonna have a bad time. Diversity of approach and overlapping detections are crucial in today’s security environment because it’s a lot harder to evade detection when multiple sensors are watching you from completely different angles -- you just can’t account for all the ways you’ll get caught!
7. What are the top 3 things defenders should be worrying about today? What worries you the most personally?
Off the top of my head I’d say Ransomware, Fileless Malware, and Cooption of Security Infrastructure. As much as I like taking apart malware (and I do!), the scariest of the lot has to be cooption. Imagine the attacker getting into your normal software management processes (maybe Puppet or Powershell) and using your exact same methods of managing your systems against you. Could they lay down their own nefarious payloads? Could you tell them apart from normal administrator activity?
What if they borrowed the credentials of your legitimate admins (perhaps via Mimikatz) to do it? If they’d been there long enough, how could you even tell what parts of your environment were clean and which parts were tainted? How would you know? That’s the stuff that makes me both giggle and grimace. Go check out the recent BSides Boston talk on abusing Windows’ SCCM by @harmj0y and @enigma0x3 for a more concrete example.
8. What advice would you give to someone getting started in security?
Study your enemy. Skip the CEH, ignore the CISSP, go straight for the OSCP. Think like the attacker. Red Team your own systems. Take the divergent path and evaluate your defenses as they are, not as they were intended to work. Go break some sh!t. :D
9. What do successful security processes look like? For daily workflows, but also from a strategic standpoint?
There are basically three types of security processes:
- Those that require human intervention in all cases (eg, triaging alerts via email)
- Those that require human intervention in some cases (ie, management-by-exception)
- Those that do not require human intervention except when they’re broken (the verification of which you can typically also automate!)
Good security processes should focus on getting the operator out of the loop for any process whose inputs and outputs are predictable. There are plenty of nebulous security challenges for a good security team to be working on; re-architecting apps, redesigning networks to be more resilient, fixing credential management nightmares… these things require interaction with other thoughtful humans in order to accomplish common goals. Why waste time and talent on anything a machine could do faster?
The biggest problem I see in SOCs lately is that talented professionals don’t have time to air their heads out and take the wider view of what’s happening in (and to) their environments. They’re too far in the weeds fighting fires, whacking moles, and acknowledging alerts. They need to create the space to take a wider view so they can apply their expertise holistically. That’s the only way things will get better. You *want* your security team to look bored; a purely reactive security team can’t innovate.
10. What does a good team structure look like when setting up a security operations center? What qualities and skills do the ideal team members have?
Great question! I’ve worked with a lot of SOCs in a lot of verticals lately, mostly teaching hunting and ferreting out bad actors in their environments. A *lot* of them are understaffed and underskilled. Under a CSO/CISO’s purview, I like the idea of splitting your AppSec, InfoSec, and GRC (Governance, Regulatory, and Compliance) functions into separate teams so they can specialize and focus.
A good AppSec team does more than just QA the product, they also manage external vulnerability reporting and perform product-level pentesting. A good InfoSec team keeps the environment tight and runs the SOC, but they also focus on threat intelligence and play regular red-versus-blue games against external pentesters. Constantly probing your defenses keeps an InfoSec team sharp, especially if they’re playing against well qualified Red Teams who bring modern attack techniques and can accurately model a representative threat for that vertical across your entire organization’s attack surface.
If you don’t allow your security team to specialize they’ll end up spending all their time on compliance work, or worse, get drafted to run physical security instead. Structure matters a lot when the goal is to keep your network defenders at the top of their game.
11. What are some of the best industry events to attend and why?
Personally, I love the local conferences and meetups. You won’t catch me at any of the product-oriented trade shows (eg, RSA), instead, I spend my time where local security practitioners get together to keep each other apprised of the state of the art. I still do the big national conferences (eg, DEFCON) in order to stay on the bleeding edge of the field, but there’s a *lot* to be said for building up your local community and learning from your peers. You can learn so much more by asking questions of the folks who are doing interesting work or breaking new ground in the field.
Don’t miss your local Bsides or Capture-the-Flag competition. You don’t have to be the apex predator of the hacker community to contribute; volunteer, organize, and get involved. It’s also a great place to build your personal network, recruit talent, and figure out which security teams have it together and which ones are barely keeping their head above water.
Thank you again for your time and valuable insight, Will!
If you'd like to ask Will more questions, or you'd just like to connect with him, follow Will on Twitter. He's pretty entertaining. :)