Welcome to Defender Spotlight! In this weekly blog series, we interview cybersecurity defenders of all varieties about their experience working in security operations. We’ll inquire about their favorite tools, and ask advice on security topics, trends, and other know-how._
Today, we're talking with April Wright. She is currently working for Verizon Enterprise Services as a Security Program Lead, and is a fellow lover of security defenses. April is devoted to teaching, creating, learning, and helping to make the world a more secure place, one encrypted bit at a time.
Now, without further ado...
Tell us about yourself, and your history working in security operations.
I have always been a sponge for knowledge. My non-security background includes being a sysadmin (System V FTW), web designer, graphic designer, photographer, SQL query builder, coder (perl, bash, C, etc), foodie, and gamer. I play multiple instruments, and I live for 80’s alt music and logic puzzles.
I’ve worked with the same company for one-third of my life, yet I am still constantly given opportunities to learn or take on new challenges. I accept those opportunities, and I’ve performed almost every sysadmin and SOC role I can think of. I’ve taken on tasks thought to be impossible. I’ve succeeded, I’ve failed, and I am still learning something new every day.
What you are working on these days?
Today, I spend most of my time in an Agile, SDL(C), and ISC2 CSSLP CBK type of world.
My primary role is leading the security program for my company’s enterprise product lifecycle management, primarily in terms of software development and software supply chain security. My position is one of security collaborator, being an ambassador to non-security teams, and an advocate for security in every stage of the software and systems lifecycle. I also manage the Threat Intelligence and Offensive Security (aka Penetration Testing) functions, both of which cyclically improve the design, engineering, and architecture of our various platforms and how each interacts in the ecosystem.
My major focus has been creating and managing an organizational “Security Culture” as it relates to products and projects, which ensures acceptable security has been “baked in” for all solutions. Any solution where security was considered as an afterthought should be avoided. If Security is engaged early, steps can be followed to reach a happy level of assurance before release.
For example, I evaluate our Suppliers’ products for security risk and suitability, including providing gap analysis and assessment, and engaging with both our internal developers and with our third party suppliers to evaluate and/or improve the security of systems, software, appliances, and other products. I analyze diagrams and data flows, identify shortcomings in design, architecture, compliance, etc.
A little threat modeling, requirements get prioritized, fixes or enhancements get roadmapped by the Supplier, and ultimately everyone wins because of iterative improvements driven by the market’s need for superior security controls. I want to implement solutions that not only meet compliance objectives, but also follow good practices.
I’m currently leading a large-scale, enterprise-wide Governance, Risk, and Compliance (GRC) effort that will consolidate and enhance those functions and improve the technology and methods we use to perform GRC via advanced technology and automated workflows. This is probably one of the most challenging projects I’ve ever worked on, but when it’s complete, it will completely transform the efficiency and insight we have in maintaining those functions.
Can you tell us about a moment in your career when you were proud to be a defender?
When intrusion prevention systems were neither popular nor robust, we had a need to perform IDP-like functions for entire networks. I helped develop for a framework to respond to NIDS activity in an automated way, blocking confirmed attacks in near-real-time without any capital expenditure. It was exciting to create something entirely new that had never been done before and to work with a team to develop the idea (and get to name it). The proudest moment, however, was learning many years later (at least ten!) that the automation was still operational - without issue! When something is engineered well, it can withstand the test of time.
In your opinion, what are the most important elements of implementing a successful security operations center capability? What do companies struggle with the most?
The most important element of implementing a successful security operations center is remaining prepared to fail and being ready for continuous improvement.
Successful security programs are built over time through a maturity process and require deep understanding of the needs and limitations of the organization. No two organizations are the same, and the same process or tool won’t work for everyone. One organization may need intense access controls around secret products, whereas another may need to collaborate extensively and freely. Start with the basics but don’t stop with them. Tailor controls to the needs of the organization; don’t just implement something because it’s what everyone does. Remain flexible and be willing to change what isn’t working.
Large and Small companies face very different issues. Large companies might struggle with turnover and/or insider threat, limited monitoring visibility (or monitoring overload), integration between tools and teams, red tape, and general security awareness issues. Large companies need to ensure they follow some battle-tested, structured ITSM best practices, or things will likely fall apart.
Small companies struggle with small budgets, not enough skilled personnel, enforcement of security, and a lack of GRC oversight or formalization of security programs. Successful security operations should occur autonomously from validation activities, and this isn’t always possible with a small team. Small companies might consider outsourcing security functions to gain access to greater, 24/7, and/or more knowledgeable resources for protection until they are large enough to bring these activities in-house.
Of course, outsourcing does not replace the need for good security practices or an in-house security function (if for no other reason than to evaluate, monitor, and liaison with third party providers) and outsourcing itself does introduce risk that must be evaluated based on a company’s tolerance. There’s a lot to make sense of, which can be a challenge, as well.
What are some of your favorite products, software, or tools that you use on a daily basis? How do they make your job easier?
The most important thing that I use on a daily basis is not software or hardware-based. It’s not a product, and it’s not something you can buy...
I would not be as successful today without the “soft skills” and “people skills” I’ve learned. My job involves a lot of social connections and interactions, so I have spent a lot of time hacking my own social abilities. Social Engineering is awesome and useful.
When a security defender can describe complex technical concepts and risks in an understandable way, it can be incredibly powerful. It can help you get funding, achieve goals, build trust, and enhance your career. Discussion, negotiation, and presentation are not security-relevant per se, but our security program would not succeed without it. Soft skills can take a great engineer from being one of the technical staff to becoming an indispensable organizational asset.
What are some of the trends in the security industry that you find encouraging?
It’s encouraging to see organizations moving away from having so much trust in ‘the Perimeter’. With hybrid environments now the norm, organizations are having to rethink their security strategies, which should be done regularly anyway. Zero-trust environments are becoming more and more popular.
I love that people are hacking IoT and cars and drones. These things need to be tested and pushed to the limits. If the community doesn’t find and fix flaws, then we know who will find and exploit them...
What are the top 3 things defenders should be worrying about today? What worries you the most personally?
- Social Engineering! - even people who know about these threats are still susceptible to this type of attack. It only takes one attachment…
- IoT - with no protection standards or focus on security yet, botnets and exploits are going to become more and more sophisticated. I don’t even think I need to mention the looming Robot uprising... When lawmakers try to ban activities like vehicle hacking, it is incredibly bad for society. We need to be continually improving the defenses of “smart locks”, home security cameras, SCADA, planes, cars, etc. through offensive testing and sheer curiosity.
- Laws that inhibit security research - when lawmakers try to ban activities like vehicle hacking, it is incredibly bad for society. We need to be continually improving the defenses of “smart locks”, home security cameras, SCADA, planes, cars, etc. through offensive testing and sheer curiosity.
I am a privacy advocate, so any infringement or encroachment on personal privacy is something that is concerning to me as both a Citizen and a Human.
What advice would you give to someone getting started in security?
In any career, it’s important to be passionate about what you do, and to enjoy and trust the people you work with. Managers can definitely tell the difference between someone who is just doing a job to someone who wants to succeed and be recognized and build a career around a real interest in security.
Learn a little bit about everything. Having an understanding of how or why something works is more important than just being able to secure it. Any knowledge about operating systems, software, programming languages, hardware, electronics, math (for encryption), radios, or other computing topics can potentially be useful while practicing security. Knowledge of military tactics can come into play. Patterns, logic, how to pick a lock, etc.
I learned a moderate level SQL to solve some business problems many years ago. Today, while I may not be able to craft a stored procedure, I understand the underlying ideas of how websites are created, how databases operate, how developers use sessions and ODBC connections or whatever, and all of that helps me evaluate and design solutions with security and pragmatism in mind.
If you haven’t figured out what you’re interested in, it might take time. There are a lot of options - offensive security, incident response, auditing, reporting, coding, engineering, architecture, etc. There are so many ways to have a security career and also do something that you enjoy.
On the other hand, you don’t need to specialize. I’m a generalist. I know a little bit about everything. For example, I know the basics of PCI-DSS, but I rely on specialists to evaluate or provide interpretations of specific compliance statements.
Being taught and teaching yourself is important, but teaching others will help solidify your knowledge and elevate you as an expert. Explaining something you learned to someone can help you understand it better. When you can teach someone how to avoid the latest security threat in easy-to-understand terms, it also makes the world a better place.
What do successful security processes look like? For daily workflows, but also from a strategic standpoint?
Successful security processes usually have a long list of versioning and changes :) In other words, successful security programs and processes are not built in a day. Security processes should be living documents; revisions to policy and process reflect a functioning security program that monitors changes in business needs. Don’t expect perfection and be willing to pivot if something isn’t working.
What does a good team structure look like when setting up a security operations center? What qualities and skills do the ideal team members have?
The ideal member of any team would be motivated, maybe by a good leader, by competition, or by their own success. They would want to succeed and would take steps to do so. Security requires constant learning and updating of skills, so they would have ability to pick up new technologies and spend time updating skills.
I believe a true “Defender” to be someone who considers security not just a job, not just a career, but almost a duty to themselves and society. Defenders must be protective, and may even consider attacks against their data as personal (“This is an attack against everything we’ve built!”), even if it’s not “their” data. But, in the end, someone is defending your data who is defending my data and our data is their data and my data is your data… Protect the data!
To a defender, data protection is de rigueur, and every valuable member in an ideal security team will operate at high efficiency and efficacy because they are empowered to do their jobs and trusted to do what’s right for the data and thus the organization. Defenders are often frustrated by people not understanding how important security can be. Defenders will go above and beyond in order to protect what they are responsible for.
What are some of the best industry events to attend and why?
I prefer smaller events, so my favorite con will always be Shmoocon! I would recommend going to your local BSides because it’s full of great talks by regular people who are into the same weird stuff you are and want to share their knowledge. I would also recommend trying a TOOOL event near you, because locksport alone is a fantastic hobby, but locksport with others is a party.
If you would like to reach out to April with additional security questions, or you just want to say hi - you can find her here on Twitter.