Skilling Up for Security Operations Center Roles
Episode 33 • 31st August 2022 • The Cybersecurity Readiness Podcast Series • Dr. Dave Chatterjee


Shownotes

The Security Operations Center (SOC) is at the heart of an organization's cyber defense system, and highly skilled and motivated personnel must staff these centers. James Risler, Senior Manager, Cisco Learning and Certifications, discussed the roles of the security engineer and the security analyst and the hard and soft skills needed to be effective in those functions. While the ability to code, knowledge of computer forensics techniques, and knowing how to operationalize MITRE ATT&CK are top skills, the ability to communicate effectively is equally important. Jim strongly recommends that academic institutions partner with industry to provide hands-on training opportunities and also engage in security solutions-focused research.

Time Stamps

01:24 -- Please share with listeners some highlights of your professional journey.

03:27 -- So Jim, for the benefit of our listeners, many of whom may not have a good insight on SOC (Security Operations Center), let's give them a bit of an overview of SOC. Why don't you start, and if I want to plug anything in, I will.

05:09 -- Jim, when we were having our planning meeting, we kind of agreed that we wanted to focus this discussion on the skill sets that need to be in place for effective SOC operations. So why don't you talk a little bit about that?

09:21 -- I'd like your thoughts on how threat intelligence should be managed and governed, from logging it to acting on it. What are some best practices out there?

12:29 -- People who are strong technically often are not the greatest communicator, and vice versa. What are your thoughts?

15:33 -- How should someone decide whether they would like to follow the track of an engineer or the track of an analyst?

19:24 -- Let me share another interesting finding from the Voice of the SOC Analyst report. The top three skills needed to succeed as an analyst came out to be: 1) learning to code, 2) learning computer forensics techniques, and 3) knowing how to operationalize MITRE ATT&CK. Jim, your reactions and thoughts you'd like to add to that?

24:01 -- What advice do you have for the directors of these cyber security programs, whether they are housed in the business school or the engineering school?

30:44 -- So I'd like to give you the remaining time to sum it up for us, maybe share some key messages, and some final thoughts with the listeners.

35:27 -- Jim, I said you would have the last word; you still get to have the last word. And after that, we'll pack it up.

Memorable James Risler Quotes

The people that work in SOC, I call them the gatekeepers of this castle that the security engineers have built. They got to protect the castle against threats, both internal and external.

Some companies just want a SOC to check off the box. Oh, we have a SOC; ensure we follow HIPAA compliance and all other compliance requirements. And then there's some SOC out there that literally go on the offensive following leading threat hunters out there, finding the latest threats, and then taking those threats and going back and seeing if they've been successful in their organization or not.

If you look back at one of the most successful attacks that impacted many people with their credit cards, that retail organization was getting alerts about the intrusion on their network, but somebody went in to investigate it and said it was a false positive. You have to get down and find out what to your organization is a false positive and what's not a false positive, but what's a true positive indicator, and what's critical to communicate.

Playbooks inside SOCs are critical because they tell you the quality assurance of your process.

My number one recommendation is to partner with corporate America, find companies that want to give back, that want to partner with you, that want to create a communication pipeline and work with them to understand and see the problem you've got.

The future of IoT security is a risk to all of us.

Using the escape room analogy, one person coming into that room may have a philosophy background or may have been an accountant or a lawyer coming in and looking at the problem very differently, which might be the key to solving that puzzle that gets you out of that escape room.

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcripts

Introducer:

Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of the book Cybersecurity Readiness: A Holistic and High-Performance Approach, a SAGE publication. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars and workshops, consulted with companies and served on a cybersecurity SWAT team with Chief Information Security Officers (CISOs). Dr. Chatterjee is Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia. As a Duke University Visiting Scholar, Dr. Chatterjee has taught in the Master of Engineering in Cybersecurity program at the Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to welcome you to this episode of The Cybersecurity Readiness Podcast Series. Our discussion today will revolve around the security operations center (SOC), its role, challenges, success factors, with a special focus on how to effectively skill up for the different roles. I'm delighted and honored to have James Risler, Senior Manager, Cisco Learning and Certifications, with me as the guest. Welcome, Jim.

James Risler:

Thank you very much. Appreciate it.

Dr. Dave Chatterjee:

So Jim, as we recognize, the Security Operations Center (SOC) is at the heart of an organization's cyber defense system. At a high level, the primary role of the SOC is to protect the organization against cyber attacks. So it's imperative that highly skilled and motivated personnel are working in these centers. Before we get into the details of SOC operations and relevant skill sets, let's talk a little bit about you. Please share with listeners some highlights of your professional journey.

James Risler:

All right, so, thank you very much again, Dave. Really appreciate it. It's great to be here. I started my security journey back in the late 90s, early 2000s, when I was a route switch and network server guy. And I was doing a lot of instruction on networking, specifically with Cisco solutions. I was asked to come up to speed on teaching the old PIX (Private Internet eXchange) firewall. So I started that. And then that started my journey down the road where I got involved with different things like Voice-over-IP, Contact Center security, and then just kept evolving from there before, in 2010, I joined Cisco and started leading the efforts in the training development wrapped around security. I spearheaded the CyberOps certification, been focused a lot on NIST 800-181 and DoD 8570, which is now transitioning to 8140. So those are the types of things I've been working on. I look at cyber and I break it down into: there's network engineers, which is kind of how I came along, focused on VPN technology, firewalls and security in VLANs, etc. And then there's people that work in a SOC, which I call the gatekeepers; the castle has been built, and now they gotta go find and protect the castle against threats, both internal and external.

Dr. Dave Chatterjee:

Excellent. Makes a lot of sense. So Jim, for the benefit of our listeners, many of whom may not have a good insight on SOC, let's give them a little bit of an overview of SOC. Why don't you start, and if I want to plug anything in, I will.

James Risler:

All right. Well, I think the SOCs came out of the necessity of what a NOC (network operations center) was, and they started pushing NOCs to do more and more specific security skills, and some NOC people were like, okay, I can transition over to this, I can start developing and writing tools to find these threats. I can take on Snort signatures and start developing Snort signatures and looking through databases. So I think that they kind of eventually separated off because of the necessity and the breadth and depth of attacks we face today. So I look at a SOC today, and primarily there's really two types of SOC: those that are threat-oriented, that are looking for threats, and those that are oriented to policies and procedures and risk management. So, you know, some companies just want a SOC so they can check the box off. Oh, we have a SOC; they make sure that we follow our HIPAA compliance and all of our compliances, and boom, check. And then there's some SOCs out there that literally go on the offensive, that are following other, you know, leading threat hunters out there, finding the latest threats, and then taking those threats and going back and seeing if they've been successful in their organization or not.

Dr. Dave Chatterjee:

Absolutely. And thank you for saying that. I'm so big, even in my book, as well as in the talks that I give, that we have to go beyond checking the box; we have to be very substantive in our approach to security, we have to be proactive; whatever we do, we have to do it well. So, you know, coming back to SOC operations, as you said, the security operations center functions to monitor, prevent, detect, investigate and respond to cyber threats around the clock. There are lots of challenges in the SOC role; I had a guest speaker a couple of episodes back who talked about a high level of burnout, because a lot of the work is highly manual and tedious. So there are new platforms that are emerging to automate some of the tedious work, so the SOC analysts can stay excited and can find fun in their jobs. I can see why he would talk about the excitement, because I think it's exciting to analyze and see what kinds of threats are coming or what kind of threats could happen. So there are various aspects to the role that could be an attraction to future security professionals. And, Jim, when we were having our planning meeting, we kind of agreed that we want to focus this discussion on the skill sets that need to be in place for effective SOC operations. So why don't you talk a little bit about that?

James Risler:

Well, I mean, let's just talk about the first frontline of a SOC out there. Yeah, these are what we call eyes on glass. They're sitting in, imagine, a room with a bunch of screens; they have screens on their desktop, they're looking at the organizational screens, they're looking at third party screens that are providing them intelligence, and they're literally generating tickets all the time. So an inbound event comes in, triggers something off, and they basically have to go triage that. The clock starts right there; they are frontline. So the clock starts, they have to capture the 5-tuple information: what's the source, what's the destination IP, what's the protocol, etc. They have to basically start logging this: have they seen this before? They have to go back and look through their database and see if they've seen it before. If they haven't, then they open up a ticket, and they probably get it to the next tier up. So as you start your journey into the SOC, you're gonna do time on the front line, where burnout does happen. You're in there looking at events all day, it's kind of tedious, but you're thinking about the future of learning and mastering skills, that you can jump from device to device, whether it be an IoT device or a switch, depending upon the vendor, be able to capture data, look at the data and understand how that vendor brings that data together, and then turn it in and normalize it into your system. So your skills have to continue to grow and grow and grow. You're not necessarily a guru in networking, but you're what I call a Jack of all trades, master of none. You have a little bit; you're an inch deep and a mile wide, because you can jump on to different devices and be able to handle this. And as you build up those skills, you get to the next level: you're now doing research, you're now basically taking that threat that's been opened up and then saying, okay, well, not only are we seeing this, but who else has seen this? What does it look like? What is its end goal? And what are the defenses against it? Is this just a distraction? Is there a secondary thing? Has somebody actually executed this attack inside of our network? If so, do we have to notify management? So as you said, those different levels there, the response, you know, always think of it before, during and after the attack. So is the attack going on now? Or has that already occurred? What's the triage that needs to occur? Who needs to be involved? And what do you need to communicate out to the organization? And sometimes you might have to bring in outside resources to help you.

Dr. Dave Chatterjee:

Absolutely! Talking about notifying management, I have a question for you. So you know, when we read about major breaches, and why they happened, often the reason put forward is that the company that was breached, their personnel received the threat intelligence, but did not react to it promptly, did not send it on to the appropriate people. In other words, I'd like your thoughts on how should threat intelligence be managed, be governed, from logging it to acting on it? What are some best practices out there?

James Risler:

I think every organization has its own perspective on best practices. I've actually worked and sat on the frontline of our SOC and I've seen inbound incidents come in, and organizations basically said, "that's not critical to us." And that was back related to the SQL attack. And yet, the organization that I was working with was basically trying to notify them, this is important to you, you do have these devices. But the management team didn't really consider it a high priority. If you look back at one of the most successful attacks that impacted a lot of people with their credit cards, that retail organization was getting alerts about the intrusion on their network, but somebody went and investigated and said it was a false positive. So I think that my point is, you have to get down and find out really what to your organization is a false positive and what's not a false positive, but what's a true positive indicator, and the dividing line, in your tracking database, in your logging system, in your communication process, about what's critical to communicate. I think I'd rather err, I'd rather over-communicate and be wrong than under-communicate and for it to be successful. And I think in that large retail organization, they decided not to communicate, and it was a true attack going on. And nobody was aware of it. And they didn't have the defenses for it. So I guess on false positives, I would say that in that attack, you would say, okay, here's the potential outcome. If this was a real, true event, here's what it could look like. And to the organization, here's the risk to the organization. So having that risk indicator, and risk flag, even when it's a false positive, allows the leadership and the executives to make a decision. Yes, we don't want to research this, or yes, we want to know more, we want to put somebody on this. And it's just the time and the events that are going on right now. We're all under such a lot of pressure to do these investigations, and limited resources; there are truly not enough people working in these SOCs, they are overworked. And that's why you're seeing burnout.

Dr. Dave Chatterjee:

Yes, that's exactly what I'm hearing. Going back to that episode I was talking about, where I had Thomas Kinsella of Tines, who worked in SOC operations for 12 years, then he developed a platform that is helping automate some of those jobs that the SOC folks do. So I'll share with the listeners some stats that came out of a study that company did; it's called the Voice of the SOC Analyst. The top five time consuming tasks came out to be reporting, monitoring, intrusion detection, detecting, and finally, operations. But going back to what you were talking about, Jim, about the different roles and, you know, to kind of generalize, you know, you have to do the analysis very carefully, the threat analysis; you have to communicate, you have to communicate effectively. And effective communication is really about clearly laying out why you'd consider this to be a threat for that particular organization, because you're trying to, in a way, convince the leadership, so they would analyze further, take necessary action. So at one level, you need to have very good communication skills; at the other end, you need to have very strong technical skills. Often, as an educator, I have found these two skills don't go well together. People who are strong technically often are not the greatest communicator, and vice versa. What are your thoughts?

James Risler:

Oh, 100%. So one thing I didn't think about, it just kind of came to my head, so I apologize upfront to the listeners out there, but playbooks: playbooks inside of SOCs are critical, because that tells you the quality assurance of your process. How do you go through analyzing that attack? How do you go through deciding whether that attack is something that you need to communicate up? And analysts have to develop those playbooks and then refine them, and it's a kind of reiterative process; you kind of got to keep tweaking it and learning and reading about attacks. So there, you're right in what you're just saying: not only your technical skill, but you also got to think about how to communicate that out to the business, how to take that streamline of technical jargon and turn it into risk, business processes, and long term impact to the organization, and think about that. And that all starts in my mind with the playbook, and then out through the communication process of the organization. So yeah, that's the challenge, too, is finding people that have those specific skill sets, that can wear many hats. That's why I said inch deep, mile wide. And we don't know today what that SOC analyst or investigator is going to look like tomorrow, because the game is changing so fast on us. So today, you're playing Monopoly; tomorrow, you could be playing another game, Risk or something else.

Dr. Dave Chatterjee:

Yep, the game is changing, the technologies are evolving. So the ability to, you know, quickly ramp up your skill sets, the ability to adapt to new technological platforms, plus having a very good sense of the business sense of the organization. So it is all leading to something that I, once again, I emphasize a lot, is a holistic approach to cyber, cyber education: there is the technical side, there is a managerial, there's the governance side, there is the people side. And we have to find a way of instilling these different knowledge areas within students. So let's talk about students. And in that context, again, going back to our planning meeting, you made a distinction between the analysts and the engineers, the security engineers versus the security analysts. How should somebody decide whether they would like to follow the track of an engineer or the track of an analyst? Maybe that's the starting question. And you can take it from there.

James Risler:

Oh, great question. I think interest and where your passion lies. Because if you're doing something that you're passionate about, you're not really showing up to work, you're getting paid for something you love to do. Engineers like to think about the design problems, the providing of the services and solutions out to the customers, aka the people that work in that corporation or organization on the network, and the ability to provide them with what they need at that moment. And then, as technology, deploying new technologies and migrating them to, which I've done hundreds of times. Now, if you transition to somebody who is in a SOC, they're taking something that's completely already built, and then thinking about it as, okay, did the engineer do all the pieces necessary when they set up the site to, say, VPN? What encryption scheme did they use? Is that encryption scheme vulnerable? How do they have it deployed? Do they have secondary authentication on there? What's the pre-shared key length, etc.? And they're thinking about, is that vulnerable to attack? And what can I log off of that event in that VPN tunnel to make sure that that VPN tunnel is not susceptible to attack? So they're taking and looking at a house that's already built, and looking at all the vulnerabilities to that house: burned down? Is it susceptible to a flood? Where are all the risk points in that organization? And where do we have to monitor to keep that organization secure? So I think both are interesting challenges. And it's just where your passion lies; both require two different sets of skills that you got to develop. One, you're learning new skills to deploy, to engineer and design, and on the other side, you're basically taking a design that's already done, and then trying to find all the potential weak spots in it that the attacker can use. So you're out researching the latest and greatest attacks, and then taking that mindset and coming back and saying, okay, if I were an attacker coming back at this organization, what have we not done in this organization that is making us more vulnerable? Do we have one flat network where our POS system is sitting on the same network as our servers? No, or yes. You know, we know an organization that did that. But at the time, were they asking questions like that, and challenging the organization to think differently about security? So it's a completely different mindset in my take. But both, you know, if you're passionate about finding puzzles and undoing puzzles, both of them can be very valuable, interesting careers.

Dr. Dave Chatterjee:

Excellent. In fact, let me share another interesting finding from the Voice of the SOC Analyst report. The top three skills needed to succeed as an analyst, they came out to: number one, learning to code; number two, learning computer forensics techniques; and number three, knowing how to operationalize MITRE ATT&CK. So, those were the three things that came out at the very top of the list. Jim, reactions, thoughts you'd like to add to that?

James Risler:

Yeah, so 100% agree with those. Those are definitely up there. Because, as, like I said, back to the beginning of the thing, your frontline, now you're moving to different roles inside of the SOC. And as you move up, you're taking on more and more challenges, you're going to need the ability to develop and code, and code to basically go find those threats, to scan through databases, to scan through systems, to generate things that can help you find those attacks. So right there, that's back to your coding there. So that's a unique skillset; engineers in the future, they're gonna need to code as they deploy things, routers; no more command line stuff, that's rapidly disappearing, you're gonna see more DevOps in the engineering environment. So both are going to need to have coding skills, and those abilities. You mentioned two other things, coding skills. And what else did you mention?

Dr. Dave Chatterjee:

Yeah, the second one, I said, was learning computer forensics techniques.

James Risler:

Yeah, again, that's changing as these platforms change, and these attacks get more and more sophisticated. You know, attacks today, I think, you know this, and a lot of our listeners know this, but when you put an attack into a sandbox environment, the attacker knows that they're listening. Let's go back and look at the attack that Georgia Tech was involved with in 2005. The name is on the tip of my tongue. But once the attackers figured out Georgia Tech engineers that were watching this attack were pre-registering the domain names, what did the attackers do? They immediately went in and changed the encoding on this; it was Conficker, they immediately went in and changed the encoding. So instead of generating 256 domain names, they went to generate 2048 domain names a day. And so the Georgia Tech guys were like, they know, they saw that we were pre-registering those domains. So they took this out of the equation for us. So that would be a perfect example of, okay, so they're actually watching. You have to think that these attackers today are well funded. They have all these solutions that your organizations have; they go out and buy Cisco, Palo Alto, you know, the Zscaler solutions, whatever they generate, they create mock networks. And how do we know this? Because when Microsoft releases their patches, the next day, we see a big change on the internet. When Snort releases its signature update, the next day on the internet, we see a massive change; signatures that used to not fire start firing, and signatures that fired before don't fire anymore. So they're making changes to their attacks constantly, and these are teams of people with different skill sets. So think of it: SOC engineers are different skill sets, developers at different levels, different skills, different mindsets, teaming together to solve this problem. It's like, I think the best solution to think about this, and have you ever been to one of those escape rooms? Like in different towns they have, I'm sure Atlanta, they have one here and in the Tampa Bay area? Oh, yes. Go, you go. You go into the room with a team, the door is locked, and you got to find a way out, you gotta solve puzzles. Yes, I've done that twice with people. And the team is really what makes the escape room successful, right? Having different mindsets and different skills, because some people can solve a problem, and others look at it and they're coming at it from the wrong perspective, and they're just stuck. And it's amazing how teams, that's how I look at SOC teams, that these organizations need to lead; you need to hire for different people with different skill sets to create that unique team that can then go and solve the problem, because you're going against attackers that are coming together because they see riches, they see the ability to make a lot of money.

Dr. Dave Chatterjee:

Excellent. So you need the knowledge and skills that security engineers bring to the table, you need the competencies that analysts bring to the table, and then the organization should be able to pull them together into very cohesive teams that will develop their own dynamic and, you know, turn out to be very effective based on working together, being exposed to different types of training opportunities, and so on, so forth. Very true. So, as you said, the challenge lies in getting folks trained and hired; tremendous gap out there, shortfall. So under the circumstances, institutions are trying to ramp up their programs. Some are offering certifications, some are offering degrees. Many of the programs are housed in the computer science slash engineering department. Many are housed in the business school, so it differs from organization to organization, but at the end of the day when you're producing, when you are generating the product, who will go on to fill these different roles, what advice do you have for the directors of these cybersecurity programs? Whether it's housed in the business school or it's housed in the engineering school. What advice do you have for them?

James Risler:

Number one, and Dave, this is why I'm so thankful that you reached out to me, because I'm looking forward to the journey of you and I partnering together, so my number one recommendation is partner with corporate America, find companies that want to give back, that want to partner with you, that want to create a pipeline of communication, and work with them to understand and see the problem you've got. The problem is multifaceted. It's, you know, corporate America sees it from one perspective, you know, the universities and business schools and engineering schools see it from a different perspective. They're both right, but they're both wrong. And you got to bring them together, to mitigate the wrong and enhance the right and then allow them to be incubating back and forth ideas that help both, I think they can absolutely help both. But we can't take the old approach, and just have these separate silos out there working, you actually have to work with corporate America today and have relationships with those SOC teams and have those engineers come and give back and teach back. Use those organizations like BSides that come in universities like University of South Florida, BSides was on that campus that day, this year, every year it should be on the campus to encourage students to get plugged in to BSides, and BSides should be encouraging the university to get plugged into it. And businesses need to plug in to the university, and then find a way to where you guys can work together to solve that common challenge.

Dr. Dave Chatterjee:

I couldn't agree with you more. I mean, I can't imagine an effective cybersecurity education without industry involvement, there has to be a strong partnership. And the training, or the learning, has to be hands-on plus classroom, it has to go in parallel. Like you said, every institution has their share of challenges. They work through their strengths and constraints. The Master of Engineering, master of cybersecurity, Master of Engineering in Cybersecurity program at Duke, they run the program they have started, it's a new program, they're doing a good job of it. And the CISO of that university, he offers internship opportunities to students, those who are not able to go and work, get internships with companies, and he creates different types of projects where they get hands-on experience, seeing how SOC professionals work, they are probably embedded in those SOC teams doing different things. And the feedback that I've received from many of the students is they have found those to be very enriching. So it is imperative that we are not only partnering for training, for teaching, but we are also partnering to conduct research, because industry brings a certain perspective, a certain very practical, pragmatic view. I'm kind of aligned in that direction. That's why I like to connect with practice more. And the universities do both. They do good theoretical research, which is important. But you also have to translate those theoretical findings into actionable recommendations. So it is really about leveraging the synergies. It's not about you or I'm better than you or you are better than me. It's about we all have our strengths, how do we come together and help each other, because cybersecurity is a global problem, and we have to fight it together as a global team, if you ask me, just like what we are having to do for the pandemic. We just can't leave it to a group or a small network or a certain community. Everybody has to do their part. So I couldn't agree with you more, Jim.

James Risler:

Well said, Dave, the hands-on capabilities. I didn't mention this to you yesterday when we were talking, but UNC Pembroke, University of North Carolina Pembroke campus, did something that I think all universities should highly consider. They created a SOC that is run primarily by the students. The students are brought in, the cybersecurity students then come in, learn the skills as part of their training to protect the organization, to protect the university, to protect the other students. I think that's brilliant right there. Now you've got a practical experience. And I've seen other universities do this for other things, like University of Tampa where I got my MBA has a room dedicated to finance. So you go in there and you study stocks and how the trends of stocks. Just do the same thing for a SOC. Now you have students coming in there, the students are doing the research, they're seeing threats on the campus, and then they're researching those threats and reporting them out to the campus leadership. And then they're getting skills and hands-on. And now the university has a tool, that SOC, that they can go to industry and say, hey, we have a SOC, we would like to put your tools in there to highlight, and then have your leaders from your organization come in and lecture and talk and train and teach about it. There's your synergy you're talking about right there.

Dr. Dave Chatterjee:

We need to do that extensively. That's so important. And that reminds me, I get to talk to a lot of cyber training service providers, and I'm sure they all provide great service. One particular service provider that comes to mind is Circadence by Project Ares, and I was looking at their offering, pretty extensive, they address each of the four or five elements in the NIST framework. And I'm looking at their list of skill sets and knowledge that they try to impart through their program. And it's a pretty hands-on, gamification-oriented program, it is AI driven. So essentially, students are learning the skills interactively. And then they are in the battlefield, engaging in simulated battles where they're trying to fend off attacks, thwart attacks. And the interesting thing here is, if they, during the actual simulation, when they are engaging in defense, if they have to access the tips, the helps, they lose points. So you learn as much as you want. But when it is test time, battle time, better, you know, remember what you learned, or you can talk to your team members, and see how well you perform. So I think that's a great model. I'm sure many other service providers do the same. So I just don't want to highlight one and say, you know, this is the best or anything like that. But I'm just putting forward an example, that some really good work is happening. It's a matter of institutions stepping out and making the connection. Cisco is the absolute leader, somebody like you, I'm sure, is a highly sought after personnel. And I look forward to partnering with you, as well. So yeah, this is wonderful, wonderful, Jim, I have thoroughly enjoyed the discussion, we're kind of coming towards the end of our program here. So I'd like to give you the remaining time to sum it up for us, maybe share some key messages, some final thoughts with the listeners.

James Risler:

Final thoughts, that's a, that's a big Bosu ball right there, as things are changing all the time. So there's a lot of opportunity out there, there's a lot of places to start to get this information, you can start as simple as basically getting Wireshark and going in and finding PCAP files from known attacks, and replaying those into Wireshark. And looking at the PCAP files. And you can go so far as to, you know, get time on a third-party cyber range, like range for us and others out there, where you're actually working through the different skill sets required for a security operational professional, whatever, whatever role you see in your future, and then working through different case analysis. So the world's your oyster, you know, how do you want to tackle that problem? And then where do you, where do you go from there? There's a lot of ways to, you know, go out and create your own learning journey, and start learning and exploring it. And we didn't even cover IoT security, did we, you know, interesting enough, here's a final thought. One of my hobbies is brewing beer. And I was at a friend of mine's manufacturing facility, and they build large scale brew systems. And I was looking at this keg cleaner, and you plug these kegs into this keg cleaner, and you basically program it, and it starts cleaning these kegs out. And I look down, and I see, wow, that's a piece of technology in that keg cleaner right there. Imagine if I hack that device. And of course, I went on the internet, looked up that device, it's got a default IP address. Imagine if I hacked that device and coded it so that the last part going into the keg cleaner was the chemical rather than the rinse agent. Can you imagine if they filled that beer container up with beer, and there was that chemical in there, people will get sick, you know, could cause brand awareness problems for that brewing company. So IoT security is a huge space that is real rapidly coming. And if you look at people from IT trying to get into IoT, they don't understand that IoT is a different mindset. So those two mindsets are trying to come together. But there's that, there's that gap of jumping over and bridging it. And nobody has solved that problem today. And yet the security risks are increasing, increasing, increasing. So I guess that's the best example I could sign off with, is the future of IoT security is a risk to all of us.

Dr. Dave Chatterjee:

What an example. And what a way of signing off, that prompts me to say a few words, I apologize if I'm bucking the trend here, I talk about contamination of water supply. And when you give that example, that brings to light how these kinds of contaminations can happen, the more digitized we get. And we connect with smart devices everywhere, especially our healthcare sector, I've done research with those organizations. And they are very, very apprehensive, tentative, nervous about the kind of security that these IoT devices come with. And that's a huge vulnerability for them. But from my end, to wrap things up, I'd encourage listeners that there are a variety of roles that you can play in a security operations center. Some are highly technical, some are analytical, and there is the communication aspect. So even if you don't have a technical background, don't let that scare you away. There are needs for motivated people, people who are willing to learn, people who are passionate. So there are some fundamental behavioral traits that will be highly valued. And then the training will provide you with the skill sets. And I want to emphasize here what Jim mentioned several times, it's the mindset. And so at times, if you haven't had any prior engineering, computer science training, that's not necessarily a bad thing, because you go in with a very clear head without any kind of biases, and you get trained to, to learn to think a certain way. And that often is a help. So without taking anything away from the security engineers, who do, uh, you know, who play a major role, from the analysts who play a major role, and then there are others from the business side of things, who can also be a major contributor. And that role is not to be undermined in any way. So everyone needs to have some level of awareness if we have to really be effective in defending ourselves against the hackers. Again, Jim said they are constantly on the prowl, they are innovating at a speed that's hard to match. So it's not a battle or a war that we can win. But we have to keep our eyes on the ball and stay as alert as possible. So that's my two cents. But since, Jim, I said you will have the last word, you still get to have the last word. And after that, we'll pack it up.

James Risler:

I loved what you just said right there, the different mindsets, back to the escape room analogy we used, that one person coming into that room that may have a philosophy background, or may have been an accountant or a lawyer, coming in and looking at the problem completely different, might be the key to solving that puzzle that gets you out of that escape. So we'll sign off there. I think that's a great way to close out.

Dr. Dave Chatterjee:

Thank you very much, Jim, for your time. It's been a pleasure.

James Risler:

Thank you. Likewise, Dave, it's been a pleasure.

Dr. Dave Chatterjee:

A special thanks to James Risler for his time and insights. If you like what you heard, please leave the podcast a rating and share it with your network. Also, subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.
