In this episode, Steve Winterfeld, the Advisory CISO at Akamai, joins us as we focus on how security organizations operate. Steve has the unique experience of handling different security operations centers and is the author of the books Cyber Warfare and Basics of Cyber Warfare.
Security operations are at the very center of a security organization. Within them, there is a crossover between the tools being utilized and the business model they follow. The security operations team has different functions, including incident response, digital forensics, security tools, automation, identity, network and firewall, shared security services, and access management. Each of these functional teams will be discussed during this episode so that you can understand how they function and why they exist in a security organization.
In most large security organizations, about 40% of its employees and 45% of its budget are categorized under security operations. Therefore, there are many jobs available in this part of a company or organization.
Kip Boyle:
Hi, this is Your Cyber Path. We’re the podcast that helps you get your dream cybersecurity job. I’m Kip Boyle and Wes Shriner is here, and we are experienced hiring managers of cybersecurity professionals. So this episode is available as an audio only recording if you want to get into your favorite podcast app and search for us, Your Cyber Path podcast. And of course, we’re on YouTube now. We’ve got our own YouTube channel. We invite you to check it out, because you can see the visuals that we’re sharing. You can see our faces. It’s really cool. Just go to YouTube and search for Your Cyber Path podcast and you should go right to our channel.
So this is a series of episodes that’s designed to tell you all about the way that cybersecurity organizations are put together. Because we are thinking that if you’ve never worked in a cybersecurity organization before, how can you possibly be expected to know how it’s put together, what the different job opportunities are? And so we want you to know all about that. Today, we’re going to focus on the security operations organizational unit, and we’re going to tell you all about that and we’re going to do that with the help of a guest. Wes, would you please introduce Steve?
Wes Shriner:
Kip, it’s a good day. It’s good to be here. I am excited to be into 2021 and all that is to come. Today, we get to talk with Steve Winterfeld. Introducing Steve, he’s out of Denver, Colorado. He has some experience in multiple industries, some government, some retail, and let’s see, some energy department as well. So he’s been a lot of places. He’s written several books and I’m really excited to have him here. So Steve, can you tell us a bit about yourself and your career?
Kip Boyle:
Thanks for being here, Steve.
Steve Winterfeld:
Yeah. And I’m excited to be here. This is an important topic and always good to give back. So yeah, I ended up coming into security as a passion. Back when we started, there were no classes, there were no universities, there weren’t-
Wes Shriner:
No, there were not.
Steve Winterfeld:
Certifications. And everything was just RTFM. And so my personal passion ended up turning into my job. I was getting out of the military and my second job opportunity basically was to stand up a computer emergency response team, more commonly known as a security operations center, a SOC. So I did that for the army as a contractor. So really kind of jumped into the deep end there.
Kip Boyle:
Steve, I’m prior military as well. Thank you for your service.
Wes Shriner:
Indeed.
Steve Winterfeld:
Same.
Wes Shriner:
So that’s how you got started with your cybersecurity career. You’ve got a couple books you’ve written, specifically, it looks like, Cyber Warfare, and, Basics of Cyber Warfare. How did you move into those topics? What’s the story there?
Steve Winterfeld:
So I’m probably the only person that I’ve run into that accidentally ended up publishing a book. So-
Kip Boyle:
Is it like accidentally rear-ending the driver in front of you, like that?
Steve Winterfeld:
[inaudible]. Basically I was doing acquisition editing. I was advising people, publishers on what books would sell in cybersecurity, revealing the topics outline. And I figured that’s about the amount of time I had. So I was doing that as a part-time job, and still hope to do that as my second career. And then they called me back and they said, “You know, the one book that you said the author may not have the broadest set of skills for this, we think you would be a great co-author.” And so I was like, “Well, tell you what, let me talk to this person.” Well, they lived a couple miles away from me. We got along great. And we ended up writing those two books together and it was just a passion of mine, both the topic and the ability to write something. It was phenomenal.
Wes Shriner:
[crosstalk].
Kip Boyle:
How long did it take you to get the manuscript, the first draft?
Steve Winterfeld:
So interestingly enough, it was six months to get it out. I would’ve been on chapter one six months later, and he would’ve written every one of his chapters in a week. So we were a perfect blend of keeping each other’s quality and speed online.
Kip Boyle:
Perfect.
Wes Shriner:
I’ve spent some time with Jason and I can guarantee the two of you make an odd couple.
Kip Boyle:
Well, we got to get Jason on the guest list then, don’t we?
Wes Shriner:
I’ll just leave that one there.
Kip Boyle:
All right.
Wes Shriner:
So Steve, what are you up to now? What are you doing these days?
Steve Winterfeld:
So I actually had a chance, after a career of building four different security operations centers, doing compliance for things like Global Hawk unmanned aerial vehicle, through both the DoD compliance and FAA compliance. I don’t recommend anybody do that. It’s not fun. But after doing all of those programs, I had a chance to come over to Akamai and help build tools that other people will use to build their programs. So now I’m the Advisory CISO at Akamai, looking at what pain points we should be solving and how our current capabilities are doing.
Kip Boyle:
Customer facing then?
Steve Winterfeld:
Yes, very much so.
Kip Boyle:
Oh, that’s good stuff. I like that.
Wes Shriner:
Cool. Making our world a better place. I appreciate that. All right. I’m going to jump ahead here. But as we jump ahead, I got to tell you the farm story Kip, because we-
Kip Boyle:
Oh yeah.
Wes Shriner:
We can’t make it without a farm story.
Kip Boyle:
Well, you got the flannel shirt on, so you might as well.
Wes Shriner:
I heard it was a blue shirt club today and I needed to fit in somehow.
Kip Boyle:
Okay, Farmer Wes, what you got?
Wes Shriner:
What I got is, it is the middle of winter. It’s not yet Valentine’s Day here in Washington State. And that means it’s time to prune your apple trees. If you’ve got an apple tree, it’s time to cut it back. And I want to talk about apple trees for just a second. There are two different kinds of branches on an apple tree. The branches that grow sideways on an apple tree are growing out, and those are the branches that are going to produce flowers and then ultimately fruit. You’re going to get a lot of fruit out of those horizontal new buds, new branches. When you have a branch that’s going straight up, that’s called a sucker.
Kip Boyle:
Oh man, I can see where this is going already just by the name.
Wes Shriner:
Branches that go straight up are suckers. And they take the energy in life out of the tree. You actually get less fruit if you leave the suckers on the tree. In fact, if those suckers continue to grow year over year, they will one day produce horizontal branches that will then grow fruit, but that fruit will be too high to reach and the birds will get it all or worse yet, the bears will climb your tree and break the lower branches on their way to the upper branches.
Kip Boyle:
Holy shmoly.
Wes Shriner:
Either way-
Kip Boyle:
I’ve never thought about any of this.
Wes Shriner:
It’s not good for the tree.
Kip Boyle:
I’ve never thought about any of this Wes. This is fantastic.
Wes Shriner:
This stuff is not good for your tree. So if you’ve got suckers on your apple tree, you’ve got to cut them off because they’re running and sucking the energy out of the rest of the tree. And since we’re talking about careers and organizations, I want to think about that from a career perspective as well, right? If you’ve got climbers in an organization that go straight up and don’t have a chance to learn and grow at each level on their way up, they may be taking energy out of your organization and they may not be contributing to the fruit that you actually get to appreciate from your org. So if you’re between jobs right now, you don’t have to go straight up. In fact, it might really benefit you to go sideways and be able to produce fruit and flower and grow and become a productive branch before you move up. So-
Kip Boyle:
So do you actually call them suckers at work? The ones that are just going…
Wes Shriner:
I do not. I do not.
Kip Boyle:
I bet you don’t recommend anybody else does, right?
Wes Shriner:
I am not going there, my friend. That doesn’t end well.
Kip Boyle:
Okay. Okay.
Wes Shriner:
All right. So that is today’s farm metaphor. Thank you for joining me for that one. I’m going to remind you-
Kip Boyle:
It’s all about low hanging fruit. That’s the takeaway.
Wes Shriner:
Those farm metaphors are true and low hanging fruit is absolutely one of them.
Kip Boyle:
Mm-hmm (affirmative).
Wes Shriner:
But there’s many others.
Steve Winterfeld:
Although for an organization, you don’t want your cybersecurity organization to be the low hanging fruit. So the analogy changes the script bad, depending on what you’re talking about.
Wes Shriner:
Points for Steve. All right. Well, I’m going to remind you that this is the placemat we’re using to understand the cybersecurity organization. Remember we’ve got four parts of our organization, the security operations, the engineering architecture and test, governance risk and compliance and then product security. We have spent the last three episodes looking at test, governance risk and compliance, and product security. Today, we get to deep dive into security operations. This is the heart and soul of your security organization, it’s going to be a lot of fun. I’m sorry, I’m talking fast, but this is the interesting part and I’m excited. So it’s going to be auctioneer night. That’s just how it’s going to be. Let’s jump in.
Steve Winterfeld:
Go ahead.
Wes Shriner:
Here’s the focus. We’re going to leave the other parts of the org behind and focus specifically on security operations. Those specific operations are the teams that make that up. We’ve got our incident response team. We’ve got our security operations center, a digital forensics function. We’ve got in our security tools, a tools team, an automation team, and an identity and access management team. Yes, that’s intentionally crossed over between tools and lights on operations because there is really a crossover there. There’s also a network and firewall function and shared security services. Now, not all of these are always in a security organization. Sometimes your network and firewall live in an IT infrastructure team. And that’s just fine. This isn’t intended to direct or impose. But if you do have a network and firewall responsibility, then it’s probably going to be in a lights on operations inside your security operations function. How am I doing there, Steve? Would you, or Kip, would you guys add or change any of that as a layout?
Steve Winterfeld:
So I think one of the keys here is this is a fairly stereotypical way to look at things. From a skill-
Wes Shriner:
That’s Wes. Stereotypical.
Kip Boyle:
Not going there, man. So many things to say. Nope, not going to do it.
Steve Winterfeld:
So different organizations are trying to protect different business models and a different business model may force them into a different organization. But it’s key to learn this one because all those functions are going to be the same, no matter how they are organized. And it’s also interesting to think through as you go towards the left half of this slide, these are people doing analysis. As you go more towards the right side of this slide, these are people building things. Now there’s certainly overlap there. But as you think about where your passions are, just think of that as a guiding post.
Wes Shriner:
That’s awesome. Steve dropping the truth bombs on us at the beginning of the episode.
Kip Boyle:
Love it.
Wes Shriner:
So folks, that’s all we have for today. I guess we got it.
Kip Boyle:
We’re going to call it good early.
Steve Winterfeld:
Score.
Wes Shriner:
Actually let’s take those reusable, the security service catalog, and let’s go a little deeper on that. We’ve got eight services in our cybersecurity service catalog, common services. There may be more, there may be less, but we’re going to count these eight today. The first one here is security inquiries. That happens with your SOC and your incident response team and your security operations function. What would be an example of a security inquiry we might get? Maybe one is, “Hey, my computer’s behaving funny, what should I do?” Or, “I clicked on an email and I shouldn’t have.” Or you might get one from your executive that says, “Hey, there’s a company over there that just got bit with a major vulnerability and we want to know if we are vulnerable to that also?” Right?
Those are all inquiries that might come into your security inquiries. Actually, I think there’s a fun race condition that also happens. If you got bit by ransomware and your organization is starting to be encrypted and to fall in order, it would be a really interesting tabletop exercise, but not very much fun in real life, to figure out whether or not your user reporting will get to you faster than your automated alerting. Which one’s going to tell you, you have an incident first? Oftentimes security inquiries is going to be the place where you’re going to hear about it first.
Steve Winterfeld:
And I think one of the ways you can think about is they’re an indicator of compromise and some of them are going to be false positives. They’re not going to be a real incident. Some are going to actually grow into, like you said, maybe ransomware or an external distributed denial-of-service attack. You have an access issue. Some of them may be, “Hey, this other company is a third party we use, they were breached, what’s the impact to us?” And then the other extreme you’re going to see in this is probably, our data was compromised. Our customer information, our proprietary intellectual property, we lost something that’s going to impact our revenue. And ultimately everything we’re talking about here is protecting our revenue.
And so, as we talk through these, it’s interesting, everything I just described, everything leaning towards the left, you’re going to be working when the incident happens at 4:30 on Friday on a holiday weekend. If you work on the right half, you have a chance of maybe not working through that weekend. So these are intense jobs. These are fully committed jobs. These jobs are going to come with not necessarily nine to five.
Wes Shriner:
These are very much the scrappy and hungry jobs, right? I think I was working with you when I got the phone call on the 4th of July at 10:00 at night, and I had to walk off the dock and leave the family there so I could go in and handle the incident response, right?
Steve Winterfeld:
That said, it’s intense. I love it. There’s energy. You’re the one protecting the company. You’re on the front lines. My military background is leaking out here, but you’re the point of the spear. And it makes a difference. So if you want to be at this point of the spear, this is where you should be.
Wes Shriner:
And if you’re a technical resource who wants to spend some time in security or make a career out of security, you do need to make a stop in this part of the organization, as you learn and grow. It takes a very special kind of person to stay here long-term though. This is a very hardened kind of job.
Kip Boyle:
That’s why we have Steve on the episode, right? Because that’s what you’ve done, Steve, right? You’re a lifer. You’re a security ops lifer.
Steve Winterfeld:
I have done this for… This is a first job I’ve been in that I wasn’t on, either for Thanksgiving, Christmas or New Year’s, on an ops call. So yeah, this has been… But like I said, I mean, it makes a difference. If you want to be in the fight, this is where you should be.
Kip Boyle:
Bet your family didn’t know what to do with you.
Wes Shriner:
His family’s grown. He’s got some beautiful kids who are all citizens in this world and it’s tremendous. And his wife loves him and that’s a good thing, because when you’re in incident response, in security operations, you’re going to get the calls on the holidays. The bad guys know that IT went home for the three day weekend and they use that as their opportunity and they’re in. No one’s checking that alert on Thanksgiving. And Steve is, right? And security operations are. He didn’t say anything to that, so…
Kip Boyle:
That’s pretty much it, man.
Wes Shriner:
Must we agree? Holidays are favorite attack days. Yep.
Steve Winterfeld:
Yep. Like I said, Friday, 4:30 on a long weekend, that’s when it hits.
Wes Shriner:
Yep. So let’s talk about monitoring security events. That’s the next thing. So we talked about first people call in and say, “Hey, there’s something weird.” Now I’m looking at my single pane of glass in my security operation center. I am the 5:00 am to 2:00 pm morning shift guy, and I got an alert. I’ve got an alert that says, “Hey, there’s something wrong in this machine over in my production environment. The network card is pegged at 100% and it shouldn’t be. Why is that?” And now I’m a skilled security operation center analyst, a SOC analyst, and I am going to check other logs of related systems. I’m going to check logs of that system. And ideally, I’ve been able to script that. So I can run my script kiddie and pull six pieces of information about that server in seconds and be able to see uh-oh, that network card is pegged because data is leaving my organization at a high rate of speed. Right?
That’s the alerting that I want to be watching for. And if I’ve got some thresholding there, thresholding means that alert has to happen for six seconds before I tell somebody, or eight seconds, or whatever that threshold is for. Okay, I can peg it for 10 seconds and not tell anybody, but when it gets to 11, throw the alert. Do you want to say something to that?
Steve Winterfeld:
I would say a couple things. And the first is if you’re in a large mature organization, you’re going to be following processes. You’re going to be using tools that automate steps in that process. You know, if you’re in a more heavily regulated industry, then you are going to be draconically following processes. But you’re going to be doing research and analysis and getting on Google and figuring out what that snippet of code means. Now, if you’re in a much smaller organization, then you’re a Jack of all trades, you’re basically going to have to do a lot without automation on your own, a lot more research, a lot more intense. So there’s a kind of a benefit. If you want to learn everything, smaller shops are great. If you want to be part of a team that follows processes and you’re doing a lot, then larger organizations are great.
Kip Boyle:
Yeah. I think the thing that some people trip up on though, is they figure, “If I go join a large organization, I’m going to have all these runbooks. All I need to know is how to use a runbook.” Right? And I’ve seen a lot of people trying to get into the career field, make that mistake. They’re like, “Oh, I don’t need to know all that, because I’m going to be covered.” But I tell them, I’m like, “Don’t be so sure.” So, I mean, I’m sure you’ve seen that, right Steve? Where somebody takes a call in the SOC and somebody’s on the other end, it’s like, “Help, help the web servers are all under a DDoS attack.” And then, there’s no critical thinking about whether that’s really what’s going on or not.
Steve Winterfeld:
If there’s no critical thinking, those are the steps we said got automated. The part where we have a person is a part where I need critical thinking. I need somebody to do analysis and figure out what the next step is. It may be another automated process. It may be alerting the CISO that you have a compromise. And so, a lot of responsibility there.
Wes Shriner:
So now we’re going to make the transition. We have an event, and I want to define some terms here for you. A security event is anything that happens that needs to be looked at to decide if it’s real or not. Once I have that event and determine that there’s something there, I’m going to declare an incident. Please don’t call an incident and an event the same thing. You have to grow up an event in order to be one day called an incident. You may have multiple events that become one incident. And the incident response function is the third one we’re going to talk about. That may begin in your SOC, but once it’s called an incident, it moves to your CIRT, your incident response team. It’s assigned an incident responder, and you very much are following a MITRE ATT&CK framework of containment and restoration of service.
Steve Winterfeld:
So the MITRE ATT&CK framework is a great model. And just like this is a framework, it is a framework worth understanding. It really lays out all the possible threat vectors and allows you to talk in a quantified way. Because one of the challenges and the reason he explained the difference is we don’t have a governing body for terms. And so the MITRE ATT&CK framework, this framework that we’re sharing today, these are to get everybody talking in the same language with the same definitions and that’s critical.
Wes Shriner:
It is. It is. I do want to call out, and I’m sorry I missed it on the earlier one, if you want to be a SOC analyst, probably the most cool skill you can bring to the table is Python scripting, right? Because you’re going to be automating as much as you can along the way, if not Python scripting, maybe another scripting language that gets you to a place where you can automate as many of your tasks as possible. In career path language you can go from, and I think the SOC is a great place to start, incident responder is really that excellent career path forward from SOC, right? The top SOC analysts move into incident response. Anything about career pathing there?
Steve Winterfeld:
I think you’re on it. I think it’s a natural step in the evolution because it requires more experience in critical thinking, but is foundationally the similar skillset. As we move into digital forensics, that’s a different and more unique skillset and it’s also a different mentality. Forensics is more about proving what happened and the way I think about it, in a way that can be turned over for HR to take an action or produced in a court of law in a post-breach class action lawsuit. And it’s a very disciplined group.
Wes Shriner:
If there’s ever a place that you must follow process to the nines, it’s going to be the digital forensics function. Many of the smaller companies don’t even try and do digital forensics in-house, because do I really have a security engineer so skilled in digital forensics that they can be deposed on a witness stand and be effective.
Kip Boyle:
Or can they even remember how to fire up the tool? I mean, if you don’t do it very often, you’re going to be like, “How did that go again?” So yeah, I mean, when I was CISO, we weren’t big enough to justify having somebody on the team and paying the license fees for the kits. And yeah. So that was 100% [crosstalk].
Wes Shriner:
Right, the FTK that you need.
Kip Boyle:
Mm-hmm (affirmative).
Wes Shriner:
Yeah.
Steve Winterfeld:
Yeah. We definitely have, as far as salary goes, taken a step up with each one of these discussions.
Wes Shriner:
We have. That is a career direction. We did skip over security countermeasures and that wasn’t intentional, but there’s not a lot there. This is an emerging area for security organizations and security operations. This is, I would argue, it’s called hack back or counterattacking, and threat attribution is a very difficult thing to do in our enterprise. Especially when, if they’re skilled enough to get into your organization, they’re skilled enough to convince you that it came from someone else. Right? And so security countermeasures is a growing field, but one that is mired with legal accountability and really unclear what the laws are in that space for each location that does it.
Kip Boyle:
Oh yeah. The term of art that I’m familiar with these days is active defense. And there’s quite a bit of material on the open internet about what is active defense and very concisely I’ll just try to say that it’s a continuum of stuff that’s a little bit more active than just passive defenses. And then, and on the other side of that continuum is like data rescue missions and botnet takedowns and that sort of stuff. And that’s where the legality is really gray and you don’t want to do anything without law, without an attorney guiding you and liaising with government, FBI, whomever, right? So it’s a continuum. You can go look it up. It’s fascinating. There’s stuff being done all the time these days. Steve, do you have any experience with active defense?
Steve Winterfeld:
I mean, obviously it’s a big part of Cyber Warfare, so I have a chapter on it.
Wes Shriner:
Tell us.
Steve Winterfeld:
It is something that typically is a nation-state level activity. This last year we saw both DHS and companies like Microsoft doing some of those active takedowns. Law enforcement is getting much more aggressive trying to do some of this. But let’s talk about attribution. If you’re going to do some kind of a countermeasure, you have to identify who you’re doing it against. The military wants a grid coordinate so they can take kinetic action. Law enforcement wants to know the actual-
Kip Boyle:
They want a street address so they can pound the door down.
Steve Winterfeld:
Law enforcement wants to know whose fingers are on the keyboard. And then, we want to just know where the server is. And so depending on who you are, this means a lot of different things.
Kip Boyle:
Yeah. One of the active defenses that I have seen some people playing around with, which I think is pretty interesting, is just putting like a Web bug in a Word doc. That way, whoever opens it up, if they’re not being ultra cautious, that Web bug’s going to execute silently and can do all kinds of things like read the IP address and send it back.
Wes Shriner:
Alert.
Kip Boyle:
Mm-hmm (affirmative). Yeah. It can also do more sophisticated things, like it can attempt to issue queries for SSIDs and then run that back through a database lookup to try to figure out where in the world this doc was opened at.
Wes Shriner:
And that’s how you find Carmen Sandiego.
Steve Winterfeld:
I’ve heard a lot of companies call that beaconing, another common term for that. Beaconing and watermarking are a couple ways people are trying to figure out maybe where a leak happened-
Kip Boyle:
That’s right.
Steve Winterfeld:
to [inaudible] something in the future.
Kip Boyle:
Yeah.
Wes Shriner:
If you want to stay out of trouble and do something simple that you can do inside your organization, you might look at trapping them in a sinkhole, where it’s a virtual environment, a virtual playground that the attacker ends up exploring and isn’t aware that it is not your core enterprise.
Kip Boyle:
Well, we also call that a honeypot, right?
Wes Shriner:
Thank you. Well, it’s more than a honeypot. It’s a full virtual network in some cases.
Kip Boyle:
Hm.
Steve Winterfeld:
So there’s honeypot, honeynet, and now there’s this deception technology. And the latest definition I’ve heard is vendors offering deception capabilities. The only thing I would highlight is if you do go out and build your own honeypot, and somebody uses your honeypot to attack someone else, you could be liable. So if you’re… And I encourage everybody to build a home lab, to experiment at home to do this. I often hire people based on how they answer the question, do you have a lab at home? Do you do this on your own? How do you learn? And people that tell me about their home network and their own cyber range that they’re attacking themselves, are impressive candidates.
Kip Boyle:
Yep. Yeah. Thank you for validating.
Wes Shriner:
Those are the same people that are making money out of bug bounty too, right?
Steve Winterfeld:
Yep.
Wes Shriner:
If they’ve made a couple dollars doing bug bounty, they’re finding vulnerabilities and reporting them. Kip, did you have something there?
Kip Boyle:
I’m just vigorously agreeing.
Wes Shriner:
Well done.
Kip Boyle:
Yeah, we are in violent agreement.
Wes Shriner:
Outstanding. The blue shirt team agrees. So we go to the next item, which is really this continuous automation and security tools functions, and that’s called operate security tools. What would be the examples of security tools? It may be your antivirus, right? If I’m going to run antivirus as an organization, it’s probably going to be run from operating security tools team. Right? If I’ve got an endpoint detection and response, it’s going to run from here. Any of my security monitoring functions… Yeah. I’ll leave that as the setup there.
Steve Winterfeld:
You know, I will say that at Akamai, I’ve talked to a large international bank that has over 200 different security tools.
Kip Boyle:
Wow.
Steve Winterfeld:
This can be large and complex. I would say a mid-range company could have between 50 to 75. The other thing to think through carefully, and Wes talked about this earlier. It’s a great point. As far as what skills you need, a lot of companies are moving away from deploying a data loss prevention server and different kind of servers. And they’re moving into DevOps and a term called DevSecOps, where you’re putting out just a function or a snippet of code in a serverless environment. If you were using AWS, something like Lambda. And that requires a different operational security group, different set of skills. So this is a very dynamic and in transition area. Kip?
Kip Boyle:
Oh man, I got to confess that I don’t know a whole lot about this changeover. The customers that I’m working with these days tend to be smaller and so they don’t have their own Sec DevOps team, but I find it fascinating, absolutely fascinating, these changes.
Wes Shriner:
So yeah, Steve, those teams that have 200 or even 50 security tools, what percentage of those are actually deployed and in use for their intended purpose? Security has a really bad habit of buying shelfware, right? When we buy that shelfware, we see it, we had to spend the budget at the end of the year, because it’s a use it or lose it situation, and then we never had the time to deploy it or the deployment plan and project that was scheduled got backburnered because some money making project took its place instead. And then we have to make some decision. I’m sorry, I’m going to keep jumping here, because I’m excited about the topic, right?
The other challenge is, do we want to build the tools or do we want to buy them? And if we buy the tools, do we want to buy a single vendor and own the whole stack or do we want to buy best of breed for each tool we’re purchasing? And I would argue that many of our current purchasing RFP processes prefer best of breed, best of price, whereas an integrated stack of services may give us a better team. Do you have some thoughts on that?
Steve Winterfeld:
So I’m going to try to roll my answers right behind your questions here. So the first part is, you buy a tool based on a gap in your security portfolio. You have a risk, you need to mitigate that risk, you buy a tool to do it. When you deploy that, so you deploy-
Wes Shriner:
Don’t do that.
Steve Winterfield:
[inaudible] prevention only to stop credit cards going out of your company. So you are now using 10% of the capabilities of that tool. So that’s not uncommon. You then six months later have not updated that to the latest version. So now you’re getting technical debt because you have 75 tools. And you’re laughing about technical debt, because I used to beat you about that all the time. Technical debt is the death. I mean, because technical debt basically neutralizes your security controls. And then how much time are you spending in vendor management versus security? And so, there are a lot of frameworks out there that the analysts put out and one of the recent ones came out by Gartner and it was just reinforced because Forrester put out its version.
And these are two analytical firms that put out a lot of information about security capabilities, great things to go see where you can read the kind of things we’re talking about. What I’m going to talk about is called SASE. It is a secure access service edge. You’ve got a lot of vendors that download that white paper because they’re offering it free because it’s one of the things they provide, Akamai, I didn’t say my name, Akamai. And so when we do this…
Kip Boyle:
Well done. Well done.
Steve Winterfield:
And the reason this is catching on, is it’s about vendor consolidation for both connectivity and security. And if you can get 20 features or 20 tools in one vendor, that’s much easier. And so I think the trend is away from best athlete and towards best teammate.
Kip Boyle:
Hm.
Wes Shriner:
Away from best athlete and towards best teammate. So far that’s the quote of the day. If we get better, we’ll call it out, but that’s the winner so far.
Kip Boyle:
I want to just add one more thought for those of you who are job seeking, please remember that what we’re showing you here is a large organization, like the representation of what it looks like in a large org. And this conversation about tools, when you’re in a medium-sized shop or a small-sized shop, they’re going to probably lean towards integrated solutions rather than best of breed, simply because of staffing and budget constraints. And when you’re doing best of breed, you have to do a lot of systems integration work and so forth. So I just wanted to add that thought.
Wes Shriner:
Call out to Trey Blalock who gave me a wonderful beard comb a couple years ago. I want to call out one other thing on the operate security tools and that’s that this is an excellent, excellent place for a senior technology person to move into security. This is the kind of area where you’re already doing IT operations. You’re already doing system build, deploy, and the whole system management life cycle. You’re already doing IT disciplines and this is IT disciplines applied to security tools.
Kip Boyle:
Yeah.
Wes Shriner:
Right? You want to get closer to security from your 20-year DBA job? This is the way to do it. Come on in, the water’s warm.
Kip Boyle:
Yeah. And you can start just by picking up some additional duties in your current job that are security oriented and then use that as a leaping point.
Wes Shriner:
It is.
Steve Winterfield:
If you go to the security team and say you want to be their evangelist within the team, they will give you all sorts of responsibility.
Wes Shriner:
Just for free.
Kip Boyle:
We are overworked and understaffed, welcome aboard.
Wes Shriner:
Indeed. Well, we’re going to continue moving right from the analyst side and the incident response side and the work all night, all weekend sometimes side, towards the IT operations functions on the right hand side. And that’s where we get to identity and access management. And this is shown both in security tools and keep the lights on operations because parts of identity are really the security tool because identity is the new firewall. Right? I didn’t coin it, but I heard it and it’s right so I’m passing it along. That’s free, I won’t charge you for that one. It’s also in the keep the lights on operations function, because if your identity infrastructure goes down, so does your company. You’re not going to be making money if you can’t log into a server, if you can’t log into your own NT environment.
So that identity, if I can’t reset my password, I can’t go to work that day. Right? And so identity is part of how our business makes money and that’s why it crosses over into the keep-the-lights-on function. Identity is one of the larger parts of our organization, in part because if you’ve got a larger security organization, then you’ve also got a larger identity and access management team, because you’ve got compliance requirements like Sarbanes–Oxley that require segregation of duties and least-privileged access, which drives you into a role-based access control model, RBAC or R-B-A-C. And that access model takes a little bit more energy in order to put into your organization and then to maintain.
Oftentimes, many of your tickets are going to be, “I need authorization to get to this next thing.” They don’t say authorization. They say, “I can’t log into the thing.” Right? Or, “I can’t see the screen I need.” And this identity access management needs to have a quick turnaround provisioning for new hires, job transfers, separations, terminations, and also the access entitlements that you may need along the way. Thoughts on that?
Steve Winterfield:
I’m going to call this the unsung hero. It truly is, because the number of compromises that come back to identity is huge.
Kip Boyle:
Mm.
Steve Winterfield:
And Wes talked a lot about identity management of employees. And most of what we’ve talked about is protecting the company, but a lot of the things you’re getting involved in now are going to be protecting the customer’s identity, and that can live inside security or outside security depending on the culture. But it is vital to understand, is the right person there? Is the person authorized? Did that person leave and I didn’t deprovision them? Very complex. What infrastructure am I using? Am I using Zero Trust to the application level? Am I using microsegmentation, VPN, virtual private networks, or am I using these Citrix boxes, which just give you an image? And so this is dynamic, it is critical to the company. And now you’ve got things like, you’re making decisions about two-factor auth. And it’s just a fascinating area that will continue to grow.
Kip Boyle:
Steve, what about… You gave a list of questions, Steve, that you want to know about when an account is being used. One thing you didn’t say, which I was kind of surprised at, is I would want to know is this a bot using this account?
Steve Winterfield:
So it turns out the fact that my dad has one password for everything is bad. And so despite a number of discussions, and everybody on this call and most of the people watching, we are our family’s IT desk already. So having said that, when my dad’s account at a retail store is compromised, they now have his username and password, his credentials for his bank, and they’re just going to put it on this network of systems that just try every possible compromised password against multiple companies.
Kip Boyle:
Yeah.
Steve Winterfield:
And so they try it and they hit the right bank and now there’s an account takeover. And so [inaudible] how do you know it’s a bot? How do you know that’s unauthorized?
Kip Boyle:
Yeah.
Steve Winterfield:
The deeper you get into this, if you’re into commerce or finance or a lot of these, you’re going to learn a lot about fraud.
Kip Boyle:
Yeah. Yeah. And you’re also going to learn that that little check box that says I’m human, yeah, that’s been defeated. Just so you know. Because I’ve seen the YouTube videos of the click farms, supposedly in China where they actually have little robot arms with little styluses pecking on those things.
Steve Winterfield:
And CAPTCHA, which one of these [inaudible], it has been defeated, and some two-factor authentication has been defeated. That’s why you’ve got to go to the FIDO2 standards now to make sure that you are secure. The number of SIM cards that are compromised, more in Europe than the US now, your phones are no longer the security device. They were never designed to be one.
Kip Boyle:
Yeah. So things change. And I guess, that’s another takeaway really from all this stuff is that as the adversary improves their methods, as they innovate because we block and then they figure out a new way to come in. I mean, if you’re an infinite learner, if you love to learn and you want to always be figuring out what’s new and next, man, this is the place to be.
Steve Winterfield:
And if you’re not, you may not [crosstalk].
Wes Shriner:
And I think this is one of the hottest… Go ahead.
Kip Boyle:
If you want every day to be the same as every other day, this may not be a good choice.
Wes Shriner:
Well, and I will… I’ve said it before, the identity infrastructure was listed as number 14 on the top 20 security controls we want to see at an enterprise. And you start with asset inventory and a software asset inventory and you have to get down to number 14 to get to user inventory. And I just… Because I call identity user inventory, right? Because that’s really what it is. And it disturbs me that that was number 14, and 10 years ago that’s how we treated it, was it’s down the list, it’s a second class security function. And now identity is emerging, especially with the cloud as the elite primary security function. If we can get October and the Security Awareness Training Month right, then the next thing we need to do is identity and access management. Because the most vulnerable part of this entire chain is the wetware sitting in the chair.
Kip Boyle:
Yeah. I mean it used to be the firewall. It used to be the lack of a firewall. I remember when there were no firewalls on the internet and everybody needed a firewall.
Wes Shriner:
Are you that old?
Kip Boyle:
I am that old. Dude, when I first started using the internet, it was against the acceptable use policy to sell anything. Now look at where we are. When I started using on the internet, there were 10 web servers and I had to download a hosts file in order to find any of them. So figure that out everybody.
Wes Shriner:
Good stuff.
Steve Winterfield:
[inaudible] back when you were talking about the baud modem speed. Yep.
Kip Boyle:
Yeah, absolutely. Right? Oh, my gosh. Don’t take me back there, the bad old days. I much prefer my high bandwidth connection to my house. Thank you very much. I do not want to go back screechy modem tones. Yikes.
Wes Shriner:
I want to leave a couple keywords here in case somebody’s using their Wikipedia and wants to look up and see what else we’ve got going on in the identity space. If you’re doing internal identity, that’s probably going to be identity and access management. If you’re doing external identity, that’s probably going to be called enterprise identity. Usually those are two separate systems. They are not related. I’ve never seen a company do one identity system to handle both internal and external customers, right? The internal customers being the lower case C and the external customers being the paying ones and those are capital C.
There’s all sorts of interesting innovations happening in this space. There are behavioral heuristics that are coming out that are replacing the password. So as long as you walk with the same gait that you normally have and your cell phone is still in your left hand pocket, it is going to let you log in without a password, right? That’s a very interesting direction for passwordless solutions. Your credentials become what you do and how you behave, where you’re located. Another neat control right now… Neat. Wow. That’s going to be a fun word, I’m going to [crosstalk].
Kip Boyle:
You didn’t say neato, so you got that [crosstalk].
Wes Shriner:
That is neat. It’s some of these biscuits that they hand you and you can use this biscuit or your smart card in order to log into multiple activities. Your smart card might be enterprise or company or government issued, but you can carry a YubiKey and that can act as your password. And it’s something you have that is you logging in everywhere you go. Yeah.
Steve Winterfield:
I wish I was in a couple of the war rooms that use facial recognition right after all the masks started being worn, because a lot of passwords suddenly got taken away in public.
Wes Shriner:
Isn’t that the truth. All right. So folks, we’re going to hit the gas and try and move a little bit here. We’ve been talking and having fun. I hope you’ve enjoyed it. But operations are shared security services. Those shared security services might be encryption as a service. They might be a tokenization function in your organization. They might be your network and firewall functions. How am I doing? Would you have any other shared security services that you want to call out there?
Steve Winterfield:
And I think they’re varied. I mean, it’s very much by culture. It is those things that… I don’t even know how to categorize it. I think shared services, just those things don’t fit tightly under the CISO.
Wes Shriner:
And they end up being functions that any one of six teams could own in the organization. And somehow it ended up being our budget that’s funding it. So we can cover that another day.
Kip Boyle:
I think squirrelly things can end up in here.
Wes Shriner:
Let’s jump ahead if we can.
Kip Boyle:
Yeah. Let’s keep going.
Wes Shriner:
All right. So the security operations function is going to have a common set of functions and tools, processes, and standards. I want to call out some of them here, and if you want to dive deeper into them, I would encourage that. You’re probably going to have your SIEM for logging and alerting, or some method of centralized logging and knowing which logs I need to look at when. Even if you’re not carrying a SIEM, you might carry something of a similar capability. Please don’t call it a “seem.” It’s not a “seem,” it’s a “sim.” That’s free.
Kip Boyle:
That’s free.
Wes Shriner:
Security tools monitoring. We’re going to be doing that because we’ve got to keep those tools alive. And that’s more about IT operations monitoring. We’re going to do sys admin work. So that’s going to be your network administration, your database administration, your operating systems, whether you’re Windows or Linux or something else. We’re going to have a lot of scripting. We’re going to have Forensic Toolkit if you’re doing your own forensics. And come on, people, we’ve got to have a ticketing system. You are not allowed to do a whole lot of security work without keeping track of how much work got done and who asked for it.
Steve Winterfield:
And then how do you integrate that ticketing system across both the network operation center, the security operation center, and report up to the risk. And so these tools have to be integrated and have processes that make them collaborate across, to reduce risk as a portfolio.
Wes Shriner:
Agreed. In fact, I didn’t say it earlier, but I want to say it now, don’t buy a tool people. If you don’t have a process and someone doing that process manually, it does not make sense to buy the tool because a tool solution organization is one that looks like it got left at the mall with daddy’s credit card. It just doesn’t look good. Right? It just is not a healthy organization. All right. So on the processes and standards, since we just kind of prioritized that, we’re going to see a lot of 24/7 monitoring in this group. We’ve talked a little bit about the ATT&CK framework. We’re also going to see the NIST, that’s the US standard cybersecurity framework that’s out there. I recommend understanding that one a little bit as well. If you’re going to jump into MITRE, jump into NIST as well.
Steve Winterfield:
I would say NIST, really almost all the incident response you’ll see is based on the NIST lifecycle, detect, respond, remediate, recover. NIST is going to put out documentation on Zero Trust. So they just put out a standard for that. NIST put out a standard for resiliency. NIST has 800-53, they just published Revision 5. So if you thought you knew 800-53, you no longer do. And so NIST is a huge US component. If you are looking internationally, you may end up with ISO 27000 versus NIST.
Wes Shriner:
Good point.
Steve Winterfield:
But this is just a core resource you should understand.
Wes Shriner:
It is. It’s one I would spend some hours on, because it’s really fun to read. No, because it’s really valuable to know as you step into these roles. ITIL operations is the next one. ITIL is the IT Infrastructure Library. That’s really about how we do IT operations in IT. It’s not specific to security, but it is absolutely core to understanding how we operate the keep-the-lights-on function in the security group. If we don’t do that well, our firewalls will go down twice a week for six months straight. They will cost the entire IT team, not just the security team, but the entire IT team, their annual bonus for the year. And there will be much weeping and gnashing of teeth.
Kip Boyle:
Will there be rending of clothing? I mean just get the whole thing out.
Wes Shriner:
Many will be stricken with grief, right? I would like to make a suggestion at this point. One of my favorite books out there is, The Phoenix Project by Gene Kim. Gene Kim does a great job of understanding DevSec Operations, Dev Operations. But in this case, The Phoenix Project, is really about how do I do IT operations well? If I could do my brief commercial for it, and he’s not paying me yet for this, it’s an interesting story about a guy who got double promoted out of his head and isn’t sure what he’s supposed to do next. He explores and understands his organizational problems. And as he moves through the problems, you get 10 pages of story. And then wow, in this problem, I sure could use some way to track changes when they go into production. And then you have one page on change management. Here’s what change management is. Here’s what it does. Here’s how it’s done.
Then you have 10 pages of story. Wow. If I’m going to have change management, I need some way to track which change goes into production. Here is version control and you get one page on version control and you move through that. So I do recommend, The Phoenix Project, it’s a fun read and one that helps you understand IT operations. But I will call out the security fellow in that book. Oh, that’s just wrong. He treats the security guy all wrong. And I actually had this conversation with him, we’ll take it up another day, but Gene and I have thrown down on what happens to John, the security guy in his book. We’ll take it on another day.
Kip Boyle:
Okay. Okay. I got to… I can’t resist. I have to tell you something.
Wes Shriner:
Tell me.
Kip Boyle:
I helped Gene, there are many other people who helped Gene, but I was a manuscript reviewer for that book. And the original version of John, the security guy, was worse.
Wes Shriner:
Oh, no.
Kip Boyle:
Was worse. And I sent him note after note, after note saying tone it down, nobody’s this bad. Nobody.
Wes Shriner:
I love it.
Steve Winterfield:
So that is a great book. The second book he put out after that, The DevOps Handbook, is-
Wes Shriner:
It’s great.
Steve Winterfield:
more the how-to. So I think they’re both a great combination read. My handbook has got three different colors of highlights and it’s heavily highlighted.
Kip Boyle:
It’s good stuff.
Wes Shriner:
That’s excellent.
Kip Boyle:
It’s good stuff.
Wes Shriner:
Oh, I will leave that there. Kip, let’s come back to that another episode, if we get a chance, because I think there’s-
Kip Boyle:
There’s goodness there.
Wes Shriner:
You’ve actually inspired me on Dr. McCoy in your story.
Kip Boyle:
Ah. Okay.
Wes Shriner:
But that’s for another day. We’ll talk about [crosstalk].
Kip Boyle:
Yeah, yeah, yeah. Because we’re at 55 minutes. This is a big one.
Wes Shriner:
We’ve lost our audience. The only people listening at this point are my wife and your wife. So thank you for sticking with us, ladies. We’ll keep going here. So we’ve got internal security relationships, and our security operations team is going to be making friends with our incident response functions across the organization. We’re going to have vulnerability management partners, because every time we want to… If we get popped in one area, we want to know if that’s everywhere. If we’ve got an indicator of compromise here, we want to know where else those IOCs are, and that scanning team with vuln management is going to be able to tell us that. Our engineering and architecture team is going to take the feedback on what we got popped on recently and they’re going to drive those changes into future builds so we don’t get popped on that next year. Our risk management function is going to record where we can’t fix things right away. And we’re going to change and drive changes to our policies and standards so that we have a better next year because of the things we learned this year.
Steve Winterfield:
And always [inaudible] in a way that it is auditable and provable.
Wes Shriner:
Indeed. Indeed. Jumping ahead, we’ve also got common enterprise partners. These are the partners that are outside of security, but are critical to the success of our security operations function. We need to know what our asset inventory is, and we’ve got to be best friends with our infrastructure service team, right? That’s your sys admins, your database admins, your network teams. If we don’t own identity management, we better be best friends with them, including our cloud identity infrastructure. We’ve got to know what’s going on with our network and our firewalls and how traffic is moving and we’ve got to understand. And this is probably a little bit new, it’s probably in the last couple years, we’ve got to be best friends with our coding standards and our Dev teams. Right?
Steve Winterfield:
[inaudible] share one war story, had my security plan, my whole program worked out, very proud. And then had them come and say, “Hey, we’re moving these applications over to Google public cloud,” and just blew up my security controls. And so when we’re talking about this partnership, this is critical.
Kip Boyle:
So had they already moved it and then they told you after the fact? Because that’s what normally happens.
Steve Winterfield:
They-
Wes Shriner:
Don’t be bitter, Kip.
Steve Winterfield:
I’m just going to [inaudible] there was no sensitive data in the public cloud.
Kip Boyle:
That’s good.
Wes Shriner:
So the common partnerships that we’re going to see from this incident response and operations team, we’re going to build that partnership with software dev, with our sys admins, our cloud team. And then I think we’ve got to take on what happens in case of breach, right? And we’ve been careful not to use that word. And I want to remind you as a security professional, do not use the word breach unless your lawyer has called it a breach. Until such time, it is an event or it is a security-
Kip Boyle:
Incident.
Wes Shriner:
security incident, but it is not a breach until your lawyer calls it that. With that said, some of your key relationships are going to be with legal and with media relation-
Steve Winterfield:
The reason…
Wes Shriner:
Yes?
Steve Winterfield:
The reason why is you, by some regulations may have 72 hours before you tell the public, it will come up in a class action lawsuit when you knew about it and what you did about it. And so the reason you have to be careful about language is there are consequences.
Kip Boyle:
It matters.
Wes Shriner:
The moment your security professional calls it a breach, the clock starts ticking. If it’s done in email.
Kip Boyle:
And if you don’t have legal representation on your team, then be looking at your boss.
Wes Shriner:
Indeed. Indeed. So now let’s go into some of the partners you’re going to want to have in that scenario, right? Your corporate communications team is going to be critical. You’re not going to want to talk to the press, you’re dealing with the problem, but you need a media relations function. You’ve got to figure out how you’re going to do your digital forensics. Are you going to do it or is someone else going to do it? Because that deposition is going to be hard later, right? You’re going to want to have friends with law enforcement, with your regulators and with your board of directors.
And Steve, you asked a really interesting question just before the show. It’s stuck in my head. So I’m going to throw it out here and see if maybe you can help us answer this, right? If you are experiencing a real breach, who do you call first? We’ve got an interesting list of five choices there. I’ve confirmed I have an event, that’s confirmed as an incident. I have an active exploit happening in my environment with a threat actor that’s identified, and I can see that they have removed at least some data, who do I call first?
Steve Winterfield:
I think the first thing you want to do is be conscious of protecting the customer in the company. So law enforcement is a great resource to collaborate with. You then are going to reach out to leadership and leadership is going to reach out, depending on severity. If it’s going to have a breach on the entire brand, then they’re going to reach up to the board level. Now, once you’ve notified the leadership, the leadership is going to make a decision that as soon as they confirm that it is no longer an incident, that it is now, let’s say the word breach, then they typically will go out and notify the regulators and the general public in rapid succession. Oh, by the way, while all of this is going on, Kip told his wife who told his sister who told a reporter, and now you’re getting phone calls. And so this time sequencing could be just blown up by something like that. It’s very difficult.
Wes Shriner:
And what’s worse is his brother’s sister’s cousin’s nephew actually sold some of the stock before it got out.
Kip Boyle:
And then my niece actually sold us the tool that caused… Anyway. If you’re not a large enterprise, everything we just said probably isn’t going to work. You don’t have these people just sitting around waiting to do all this stuff for you. So if you’re working in a mid-sized or a small-sized company, what I tell my customers is, you need a really great cyber liability insurance policy that has a 24/7 hotline to a data breach coach. And then you call them up and you say, this is what’s going on. What do we do? The data breach coach is usually an attorney with lots of experience in this sort of thing. And the insurance company will send data forensics people, they’ll send incident responders, they’ll contact law enforcement. They’ll put attorneys on the case. No medium-sized or small business can do that for themselves in any economical, quick way. So that’s what I counsel our customers in those sizes of companies.
Steve Winterfield:
And most large companies do the same thing. They go to outside expertise, proving due diligence for all of that. So yes, this is something that is better done with a plan than in a crisis.
Kip Boyle:
Mm-hmm (affirmative). Yeah. Don’t make it up as you go along. You will make big mistakes.
Wes Shriner:
And that’s what the tabletop exercise is for.
Kip Boyle:
Yeah.
Wes Shriner:
Do the tabletops ahead of time. All right, friends, we’re going to keep moving here. Right foot on the gas pedal. We’re going to move into a quick understanding of the sizing of these organizations. You can see in the deep blue on these diagrams that 40%-
Kip Boyle:
Well, I thought they were iCharts. They’re diagrams?
Wes Shriner:
Well, and that’s a little bit of what it is right now, because we did this in episode 33. So I don’t want to take it and redo it here as much as-
Kip Boyle:
Well done.
Steve Winterfield:
just kind of recognize, wave to it, and then we’ll keep moving.
Kip Boyle:
Okay.
Wes Shriner:
About 40% of a large organization of headcount is in the security operations function. And the majority of those security operations headcount are going to go to the SOC, identity management, and your incident response team. That’s where the heads are going to be. And that’s a great place to find work. If you’re looking for identity or security analyst, technical analyst roles, that’s a great place to get started. I will also call out… Yeah.
Steve Winterfield:
I will also say that a lot of vendors offer those services. And so some companies will do that internally. Some will go to a managed… You talked about a small company; a small company may hire a managed service company to do all their SOC work. So many people, like we have customers that know we are expert in denial-of-service protection, so they outsource just that sliver to us. So you can come to a vendor and get a security job focused just on denial-of-service protection. You can go to a provider that does MSSP, and your SOC could be handling 15 different customers. There are more options here than just one company.
Wes Shriner:
Thank you.
Kip Boyle:
Love it.
Wes Shriner:
Good call out. And you’re going to find the managed security service providers, the MSSPs, at least in the greater Seattle area, there are a lot of opportunities for those careers. Those are not brand name companies in every case. Sometimes they’re the smaller shops. But keep your eyes open for MSSP SOC analyst roles.
Kip Boyle:
Yep.
Wes Shriner:
Okay. The budget, right? The security operations budget is actually 45% of your security organization’s total CapEx dollars. We did cover CapEx; that’s your capital expenses. A lot of that is going to go into your operating security tools, because you’ve got to buy licenses for your endpoint detection and response for your entire organization, and licenses cost money, right? If we’ve also got an identity and access management infrastructure, that’s going to cost a license fee as well. We’re going to see some of those licensing fees for our firewalls and for our other security tools. If we’ve got a governance, risk, and compliance tool, a GRC tool, in our environment, or our SIEM, those are both going to cost…
Kip Boyle:
Wes? Did we lose Wes?
Steve Winterfield:
I don’t hear him either.
Kip Boyle:
Yeah. He looks to be frozen. Oh-oh. Well, this is the risk that you take when you record these things without editing and so forth. So let’s give him a moment and see if he comes back. This has never happened before, by the way. Yeah. Well, we haven’t lost the slides yet, so that’s good. He’s still there somewhere.
Wes Shriner:
So you’ll just cut this segment out and we’ll wait until it gets back.
Kip Boyle:
No, I generally won’t cut anything out. So we’re going to have to tap dance right now and fill in the time. Oh, no. Wes is gone. Well, that’s never happened before. Wow. Okay. Well, I don’t know if Wes is coming back. That could have been a catastrophic failure. No, he’s back. Welcome back.
Wes Shriner:
Outstanding. I hope you guys were really entertaining while I was gone.
Kip Boyle:
Mostly it was just like astonished looks on our faces and wondering-
Steve Winterfield:
We were talking about-
Kip Boyle:
is he ever coming back?
Steve Winterfield:
how much better the second half of this was going to be.
Wes Shriner:
Let’s see if I can get a shared screen going again.
Kip Boyle:
Okay, cool.
Wes Shriner:
We have to do…
Kip Boyle:
I mean, we’re almost done here, right?
Steve Winterfield:
Yeah. We’ve only got a couple left.
Wes Shriner:
All right. Am I sharing the right screen here?
Kip Boyle:
I see it. Looks good.
Wes Shriner:
Looks like it.
Kip Boyle:
Yep. Senior positions.
Wes Shriner:
All right. Shall we jump back in? There are several different types of career opportunities. We’ve touched on it today. I want to summarize here for you. Senior positions in this organization are those where senior technologists have been doing their sys admin role for many, many years, or network administrator, database administrator; maybe they’re developers and they do deployment or automation. Maybe they’ve been in technical deployment teams for some time. You’ve also got senior opportunities as a SOC Lead or as an Incident Responder. A lot of opportunities for a senior individual contributor professional in this part of the organization.
Additionally, this is the great place to get started with the SOC Analyst, the SOC Lead, the Security Analyst, a Forensics Analyst. And I know we talked a little bit about that. So if you’re trained in digital forensics, it’s a fun place to be. We’ve got your Sys Admins because you can be a senior or a junior Sys Admin and have an opportunity and a career in this part of security. Automation Developers, we saw continuous delivery, continuous integration, that continuous development is critical in your security team as well. We need to lead the way in what a delivery pipeline looks like and how we secure it because you’ve got to eat your own dog food.
Steve Winterfield:
Well, I do want to highlight something here, that this is a great sample. These are the right terms to go out and look for. But ultimately it is your responsibility to go out on Monster or Indeed or Dice or whatever you want, look for jobs. Find the jobs that sound interesting to you. Read the skillset you need to get that job and start working on those skills. You are the only one that’s responsible for your next job. Go find that job and make yourself into that person.
Kip Boyle:
Definitely. And pay close attention to what that job description says that they want. It’s a wish list, right? But it’s the best thing you’ve got going for you. And don’t value the opinions of somebody working at a different company over what you see in that job posting. Be careful.
Steve Winterfield:
And I will tell you that this came out recently from our HR. You know, men tend to apply for jobs they’re underqualified for. Apply for the job, have a discussion, sell yourself, talk about what your value proposition is. Don’t walk away from any opportunity that you’re passionate about.
Kip Boyle:
Definitely. Go for it.
Wes Shriner:
I don’t need you as a hiring manager. I don’t need you to have 100% of the skills on the job description. I need you to get somewhere in that 80% range and have an amazing enthusiastic attitude.
Kip Boyle:
And we’ve talked about this quite a bit in previous episodes. So check the list of back episodes and you’ll see a lot of good stuff on this.
Wes Shriner:
But Steve won’t be there. And so it might not be as much fun.
Steve Winterfield:
It’ll be more coherent.
Wes Shriner:
All right. But I do want to give Steve the last word, right? Steve has been a friend of mine for many years. I respect him highly and his contributions, both to the security world and to my life as we sit at lunch and we have great conversations about how would you handle this, how do you handle that? And so, Steve, can you tell us what have been the keys to your success? And some of these other questions you see on the screen here, help us out. What wisdom have you got for us?
Steve Winterfield:
I have a little book of rules that I live by and I’ll share a couple rules that I think are really relevant to this first question. My success, never walk by a problem. If you’re in security, when you see a problem, you need to stop, address it, remediate it. Our job in security is not to get rid of risk. It is to make sure leadership is aware of the risk they’ve accepted. And at a minimum you have to do that. The second is security is a team sport. Come in here, collaborate, share, be a teammate, be somebody that’s making the company stronger and safer.
So I’ll transition to the second question. What would I say to somebody just coming into the field? I generally want to talk about your first job and your last job. So your first job you’re going to do better if you do something you’re passionate about, excited to go to work. You may want to make more money and do something else, that’s your decision. But generally speaking, I bucket into three things. You’re going to do something around governance, risk and compliance. You’re going to do the paperwork. You’re going to make sure that the PCI rules to accept credit cards are followed, and you’re going to make the company safe.
The next thing you’re going to do is some analytical work. You’re going to look at data to see what’s happening real time or forensically to prove what happened, but you’re doing some kind of analytical work, be it threat intelligence, SOC operation, incident response, forensics, something like that. And then that last bucket is you’re going to build things. You’re going to build the tools that actually protect the company. And so you pick one of those buckets, develop the skillsets in there. And I think generally track your career inside that bucket.
The second thing I want to talk about is your last job, because you’re going to have to make decisions along the way about what’s the next opportunity? You can either just accept whatever is given to you, or you can say, “Is that job going to get me where I want to get?” And maybe turn down this job and try to lean into something else. So I call this your North Star. Is your North Star that your last job is you want to be the CISO? Do you want to be the CEO of your own cyber company? Or do you want to be the CTO focused on technology? And once you pick that North Star, and there may be a different North Star, that’s fine, but then you can map your career out and say, “If I want to be a CTO, I don’t want this manager job. The company wants me to be a manager, but I want to go be a senior tech fellow next. And how do I do that?”
So those would be the two first and last things that I like to keep in mind. And then, “What do you know now that you wish you knew then?” One of my jobs, if I was on a penetration testing team is probably more around social engineering. And that’s probably going to be reflected in my answer here. Never go into a discussion without mapping out the outcome. Understand what they’re going to say, how you’re going to respond, have that discussion in a format that you’re going to get the results you want. Map it out, go in, have the discussion, lead them to the decision you want, and walk away successful. And I think that’s just something that’s a skill. I don’t consider it manipulation. I just consider it good communication.
Wes Shriner:
That’s your planning [crosstalk]. That’s the planning. That’s the emotional intelligence, the EQ that we’ve talked about in other episodes. Another way to say it and I love it. Thank you. All right, folks, that brings us to some key takeaways for today. And I think the two of them are listed up here. One is, “Security Operations is a great place for a senior technologist to transfer in or a junior technologist to get a start in security.” This is an excellent place to get started, right? And the second key takeaway, which maybe should have been the first is, “Security Operations is where security happens in real life.” This is your IRL of security. And if you get a chance to spend some time here, it’s a great place to be.
For our next episode, we’re going to talk a little bit about the job transition that I’ve made in the last couple of months. And so we’ll get a chance to do that in two weeks. I hope you’ll join us.
Kip Boyle:
Oh, that’s going to be a good one, Wes. I really appreciate your willingness to share with our audience what your personal journey has been. And hopefully you’re going to tell us what worked and what didn’t work if there was anything that didn’t work. I believe the phrase you used was, “Eat your own dog food.”
Wes Shriner:
Let’s do it.
Kip Boyle:
Well, cool.
Steve Winterfield:
I think you’re supposed to say, “Drink your own champagne.”
Kip Boyle:
Oh, wow. I’d prefer champagne to dog food. So I’m good with that. Well, listen, thank you, Steve, for being here. Let’s wrap this up. Hey, listen, if you like what we’re doing with these episodes, then I just want to let you know about a free resource that we put together that you can get your hands on. It’s called, Play to Win: Getting Your Dream Cybersecurity Job. And you can see a screen capture of pages six and seven here on your slide. And if you want to get it, what it does is it describes how you can take a capture the flag approach to competing and winning in your job hunt. It’s about 20 pages, very, very visual, and it talks about blockers and how you can overcome those blockers. If you want to go grab a copy, just go to YourCyberPath.com/pdf. It’s right there on your screen.
Well, listen, that’s all we have for today. Thanks for hanging in there with us. This was a long episode full of good stuff I think. So remember, you’re just one path away from your dream cybersecurity job. We’ll see you next time.
Wes Shriner:
Bye all.
Steve Winterfield:
Thanks.
YOUR HOST:
Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!
YOUR CO-HOST:
Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.