Episode 33
Skilling Up for Security Operations Center Roles
The Security Operations Center (SOC) is at the heart of an organization's cyber defense system, and highly skilled and motivated personnel must staff these centers. James Risler, Senior Manager, Cisco Learning and Certifications, discussed the roles of the security engineer and the security analyst and the hard and soft skills needed to be effective in those functions. While the ability to code, knowledge of computer forensics techniques, and knowing how to operationalize MITRE ATT&CK are top skills, the ability to communicate effectively is equally important. Jim strongly recommends that academic institutions partner with industry to provide hands-on training opportunities and also engage in security solutions-focused research.
Time Stamps
01:24 -- Please share with listeners some highlights of your professional journey.
03:27 -- So Jim, for the benefit of our listeners, many of whom may not have a good insight on SOC (Security Operations Center), let's give them a bit of an overview of SOC. Why don't you start, and if I want to plug anything in, I will.
05:09 -- Jim, when we were having our planning meeting, we kind of agreed that we wanted to focus this discussion on the skill sets that need to be in place for effective SOC operations. So why don't you talk a little bit about that?
09:21 -- I'd like your thoughts on how threat intelligence should be managed and governed, from logging it to acting on it. What are some best practices out there?
12:29 -- People who are strong technically often are not the greatest communicator, and vice versa. What are your thoughts?
15:33 -- How should someone decide whether they would like to follow the track of an engineer or the track of an analyst?
19:24 -- Let me share another interesting finding from the Voice of the SOC Analyst report. The top three skills needed to succeed as an analyst came out to be: 1) learning to code, 2) learning computer forensics techniques, and 3) knowing how to operationalize MITRE ATT&CK. Jim, your reactions and thoughts, anything you'd like to add to that?
24:01 -- What advice do you have for the directors of these cyber security programs, whether they are housed in the business school or the engineering school?
30:44 -- So I'd like to give you the remaining time to sum it up for us, maybe share some key messages, and some final thoughts with the listeners.
35:27 -- Jim, I said you would have the last word; you still get to have the last word. And after that, we'll pack it up.
Memorable James Risler Quotes
The people that work in a SOC, I call them the gatekeepers of this castle that the security engineers have built. They've got to protect the castle against threats, both internal and external.
Some companies just want a SOC to check off the box. Oh, we have a SOC; ensure we follow HIPAA compliance and all other compliance requirements. And then there are some SOCs out there that literally go on the offensive, following leading threat hunters out there, finding the latest threats, and then taking those threats and going back and seeing if they've been successful in their organization or not.
If you look back at one of the most successful attacks that impacted many people with their credit cards, that retail organization was getting alerts about the intrusion on their network, but somebody went in to investigate it and said it was a false positive. You have to get down and find out what to your organization is a false positive and what's not a false positive, but what's a true positive indicator, and what's critical to communicate.
Playbooks inside SOCs are critical because they tell you the quality assurance of your process.
My number one recommendation is to partner with corporate America, find companies that want to give back, that want to partner with you, that want to create a communication pipeline and work with them to understand and see the problem you've got.
The future of IoT security is a risk to all of us.
Using the escape room analogy, one person coming into that room may have a philosophy background or may have been an accountant or a lawyer coming in and looking at the problem very differently, which might be the key to solving that puzzle that gets you out of that escape room.
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Transcript
Introducer: Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of the book Cybersecurity Readiness: A Holistic and High-Performance Approach, a SAGE publication. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars and workshops, consulted with companies and served on a cybersecurity SWAT team with Chief Information Security Officers (CISOs). Dr. Chatterjee is Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia. As a Duke University Visiting Scholar, Dr. Chatterjee has taught in the Master of Engineering in Cybersecurity program at the Pratt School of Engineering.
Dr. Dave Chatterjee: Hello, everyone, I'm delighted to welcome you to this episode of The Cybersecurity Readiness Podcast Series. Our discussion today will revolve around the security operations center (SOC): its role, challenges, and success factors, with a special focus on how to effectively skill up for the different roles. I'm delighted and honored to have James Risler, Senior Manager, Cisco Learning and Certifications, with me as the guest. Welcome, Jim.
James Risler: Thank you very much. Appreciate it.
Dr. Dave Chatterjee: So Jim, as we recognize, the Security Operations Center (SOC) is at the heart of an organization's cyber defense system. At a high level, the primary role of the SOC is to protect the organization against cyber attacks. So it's imperative that highly skilled and motivated personnel are working in these centers. Before we get into the details of SOC operations and relevant skill sets, let's talk a little bit about you. Please share with listeners some highlights of your professional journey.
James Risler: All right, so, thank you very much again, Dave. Really appreciate it. It's great to be here. I started my security journey back in the late 90s, early 2000s, when I was a route/switch and network server guy. And I was doing a lot of instruction on networking, specifically with Cisco solutions. I was asked to come up to speed on teaching the old PIX (Private Internet eXchange) firewall. So I started that. And then that started my journey down the road where I got involved with different things like Voice-over-IP, Contact Center security, and then just kept evolving from there, before in 2010 I joined Cisco and started leading the efforts in the training development wrapped around security. I spearheaded the CyberOps certification, been focused a lot on NIST 800-181 and DoD 8570, which is now transitioning to 8140. So those are the types of things I've been working on. I look at cyber and I break it down: there's network engineers, which is kind of how I came along, focused on VPN technology, firewalls, and security in VLANs, etc. And then there's people that work in a SOC, which I call the gatekeepers; the castle has been built, and now they gotta go find and protect the castle against threats, both internal and external.
Dr. Dave Chatterjee: Excellent. Makes a lot of sense. So Jim, for the benefit of our listeners, many of whom may not have a good insight on SOC, let's give them a little bit of an overview of SOC. Why don't you start, and if I want to plug anything in, I will.
James Risler: All right. Well, I think the SOCs came out of the necessity of what a NOC (network operations center) was, and they started pushing NOCs to do more and more specific security skills, so that some NOC people were like, okay, I can transition over to this, I can start developing and writing tools to find these threats. I can take on Snort signatures and start developing Snort signatures and looking through databases. So I think that they kind of eventually separated off because of the necessity and the breadth and depth of attacks we face today. So I look at a SOC today, primarily there's really two types of SOC: those that are threat-oriented, that are looking for threats, and those that are oriented to policies and procedures and risk management. So, you know, some companies just want a SOC so they can check the box off. Oh, we have a SOC, make sure that we follow our HIPAA compliance and all of our compliances, and boom, check. And then there are some SOCs out there that literally go on the offensive, that are following other, you know, leading threat hunters out there, finding the latest threats and then taking those threats and going back and seeing if they've been successful in their organization or not.
Dr. Dave Chatterjee: Absolutely. And thank you for saying that. I'm so big, even in my book, as well as in the talks that I give, that we have to go beyond checking the box, we have to be very substantive in our approach to security, we have to be proactive, whatever we do, we have to do it well. So you know, coming back to SOC operations, as you said, the security operations center functions to monitor, prevent, detect, investigate, and respond to cyber threats around the clock. There are lots of challenges in the SOC role; I had a guest speaker, a couple of episodes back, who talked about a high level of burnout, because a lot of the work is highly manual and tedious. So there are new platforms that are emerging to automate some of the tedious work, so the SOC analysts can stay excited and can find fun in their jobs. I can see why he would talk about the excitement, because I think it's exciting to analyze and see what kinds of threats are coming or what kind of threats could happen. So there are various aspects to the role that could be an attraction to future security professionals. And, Jim, when we were having our planning meeting, we kind of agreed that we want to focus this discussion on the skill sets that need to be in place for effective SOC operations. So why don't you talk a little bit about that?
James Risler: Well, I mean, let's just talk about the first frontline of a SOC out there. Yeah, these are what we call eyes on glass. They're sitting in, imagine a room with a bunch of screens, they have screens on their desktop, they're looking at the organizational screens, they're looking at third-party screens that are providing them intelligence, and they're literally generating tickets all the time. So an inbound event comes in, triggers something off, they basically have to go triage that, the clock starts right there, they are frontline. So the clock starts, they have to capture the 5-tuple information, what's the source, what's the destination IP, what's the protocol, etc. They have to basically start logging this: have they seen this before? They have to go back and look through their database and see if they've seen it before. If they haven't, then they open up a ticket, and they probably get it to the next tier up. So as you start your journey into the SOC, you're gonna do time on the front line, where burnout does happen. You're in there looking at events all day, it's kind of tedious, but you're thinking about the future of learning and mastering skills, so that you can jump from device to device, whether it be an IoT device or a switch, depending upon the vendor, be able to capture data, look at the data and understand how that vendor brings that data together, and then turn it in and normalize it into your system. So your skills have to continue to grow and grow and grow. You're not necessarily a guru in networking, but you're what I call a Jack of all trades, master of none. You have a little bit, you're an inch deep and a mile wide, because you can jump on to different devices and be able to handle this. And as you build up those skills, you get to the next level, you're now doing research, you're now basically taking that threat that's been opened up and then saying, okay, well, not only are we seeing this, but who else has seen this? What does it look like? What is its end goal? And what are the defenses against it? Is this just a distraction? Is there a secondary thing? Has somebody actually executed this attack inside of our network? If so, do we have to notify management? So as you said, at those different levels there, the response, you know, always think of it before, during, and after the attack. So is the attack going on now? Or has it already occurred? What's the triage that needs to occur? Who needs to be involved? And what do you need to communicate out to the organization? And sometimes you might have to bring in outside resources to help you.
Dr. Dave Chatterjee: Absolutely! Talking about notifying management, I have a question for you. So you know, when we read about major breaches, and why they happened, often the reason put forward is that the company that was breached, their personnel received the threat intelligence but did not react to it promptly, did not send it on to the appropriate people. In other words, I'd like your thoughts on how threat intelligence should be managed, be governed, from logging it to acting on it. What are some best practices out there?
James Risler: I think every organization has its own perspective on best practices. I've actually worked and sat on the frontline of our SOC and I've seen inbound incidents come in, and organizations basically said, "that's not critical to us." And that was back related to the SQL attack. And yet, the organization that I was working with was basically trying to notify them, this is important to you, you do have these devices. But the management team didn't really consider it a high priority. If you look back at one of the most successful attacks that impacted a lot of people with their credit cards, that retail organization was getting alerts about the intrusion on their network, but somebody went and investigated and said it was a false positive. So I think that my point is, you have to get down and find out really what to your organization is a false positive and what's not a false positive, but what's a true positive indicator, and the dividing line, in your tracking database, in your logging system, in your communication process, about what's critical to communicate. I think I'd rather err, I'd rather over-communicate and be wrong than under-communicate and for it to be successful. And I think in that large retail organization, they decided not to communicate, and it was a true attack going on. And nobody was aware of it. And they didn't have the defenses for it. So I guess on false positives, I would say that in that attack, you would say, okay, here's the potential outcome. If this was a real true event, here's what it could look like. And to the organization, here's the risk to the organization. So having that risk indicator, and risk flag, even when it's a false positive, allows the leadership and the executives to make a decision. Yes, we don't want to research this, or yes, we want to know more, we want to put somebody on this. And it's just the time and the events that are going on right now. We're all under such a lot of pressure to do these investigations, with limited resources; there are truly not enough people working in these SOCs, they are overworked. And that's why you're seeing burnout.
Dr. Dave Chatterjee: Yes, that's exactly what I'm hearing. Going back to that episode I was talking about, where I had Thomas Kinsella of Tines, who worked in SOC operations for 12 years, then he developed a platform that is helping automate some of those jobs that the SOC folks do. So I'll share with the listeners some stats that came out of a study that company did, it's called the Voice of the SOC Analyst: the top five time-consuming tasks came out to be reporting, monitoring, intrusion detection, detecting, and finally, operations. But going back to what you were talking about, Jim, about the different roles and, you know, to kind of generalize, you know, you have to do the analysis very carefully, the threat analysis, you have to communicate, you have to communicate effectively. And effective communication is really about clearly laying out why you'd consider this to be a threat for that particular organization, because you're trying to, in a way, convince the leadership, so they would analyze further, take necessary action. So at one level, you need to have very good communication skills; at the other end, you need to have very strong technical skills. Often, as an educator, I have found these two skills don't go well together. People who are strong technically often are not the greatest communicators, and vice versa. What are your thoughts?
James Risler: Oh, 100%. So one thing I didn't think about, it just kind of came to my head, so I apologize upfront to the listeners out there, but playbooks, playbooks inside of SOCs are critical, because that tells you the quality assurance of your process. How do you go through analyzing that attack? How do you go through deciding whether that attack is something that you need to communicate up? And analysts have to develop those playbooks and then refine them, and it's a kind of reiterative process, you kind of got to keep tweaking it and learning and reading about attacks. So there, you're right, to what you were just saying, not only your technical skill, but you also got to think about how to communicate that out to the business, how to take that streamline of technical jargon and turn it into risk, business processes, and long-term impact to the organization, and think about that. And that all starts in my mind with the playbook, and then out through the communication process of the organization. So yeah, that's the challenge, too, is finding people that have those specific skill sets, that can wear many hats. That's why I said inch deep, mile wide. And we don't know today what that SOC analyst or investigator's going to look like tomorrow, because the game is changing so fast on us. So today, you're playing Monopoly; tomorrow, you could be playing another game, Risk, or something else.
Dr. Dave Chatterjee: Yep, the game is changing, the technologies are evolving. So the ability to, you know, quickly ramp up your skill sets, the ability to adapt to new technological platforms, plus having a very good business sense of the organization. So it is all leading to something that I, once again, emphasize a lot, which is a holistic approach to cyber education: there is the technical side, there is the managerial side, there's the governance side, there is the people side. And we have to find a way of instilling these different knowledge areas within students. So let's talk about students. And in that context, again, going back to our planning meeting, you made a distinction between the analysts and the engineers, the security engineers versus the security analysts. How should somebody decide whether they would like to follow the track of an engineer or the track of an analyst? Maybe that's the starting question. And you can take it from there.
James Risler: Oh, great question. I think interest and where your passion lies. Because if you're doing something that you're passionate about, you're not really showing up to work, you're getting paid for something you love to do. Engineers like to think about the design problems, providing the services and solutions out to the customers, aka the people that work in that corporation or organization on the network, and the ability to provide them with what they need at that moment. And then, as technology evolves, deploying new technologies and migrating to them, which I've done hundreds of times. Now, if you transition to somebody who is in a SOC, they're taking something that's completely already built, and then thinking about it as, okay, did the engineer do all the pieces necessary when they set up the site-to-site VPN? What encryption scheme did they use? Is that encryption scheme vulnerable? How do they have it deployed? Do they have secondary authentication on there? What's the pre-shared key length, etc.? And they're thinking about, is that vulnerable to attack? And what can I log off of that event in that VPN tunnel to make sure that that VPN tunnel is not susceptible to attack? So they're taking and looking at a house that's already built, and looking at all the vulnerabilities to that house: burned down? Is it susceptible to a flood? Where are all the risk points in that organization? And where do we have to monitor to keep that organization secure? So I think both are interesting challenges. And it's just where your passion lies; both require two different sets of skills that you got to develop. One, you're learning new skills to deploy, to engineer and design, and on the other side, you're basically taking a design that's already done, and then trying to find all the potential weak spots in it that the attacker can use. So you're out researching the latest and greatest attacks, and then taking that mindset and coming back and saying, okay, if I were an attacker coming back at this organization, what have we not done in this organization that is making us more vulnerable? Do we have one flat network where our POS system is sitting on the same network as our servers? No or yes? You know, we know an organization that did that. But at the time, were they asking questions like that, and challenging the organization to think differently about security? So it's a completely different mindset in my take. But both, you know, if you're passionate about finding puzzles and undoing puzzles, both of them can be very valuable, interesting careers.
Dr. Dave Chatterjee: Excellent. In fact, let me share another interesting finding from the Voice of the SOC Analyst report. The top three skills needed to succeed as an analyst, they came out to: number one, learning to code; number two, learning computer forensics techniques; and number three, knowing how to operationalize MITRE ATT&CK. So, those were the three things that came out at the very top of the list. Jim, reactions, thoughts you'd like to add to that?
James Risler: Yeah, so 100% agree with those. Those are definitely up there. Because, as, like I said, back at the beginning of the thing, you're frontline, now you're moving to different roles inside of the SOC. And as you move up, you're taking on more and more challenges, you're going to need the ability to develop and code, and code to basically go find those threats, to scan through databases, to scan through systems, to generate things that can help you find those attacks. So right there, that's back to your coding there. So that's a unique skillset; engineers in the future, they're gonna need to code as they deploy things, routers, no more command line stuff, that's rapidly disappearing, you're gonna see more DevOps in the engineering environment. So both are going to need to have coding skills, and those abilities. You mentioned two other things, coding skills. And what else did you mention?
Dr. Dave Chatterjee: Yeah, the second one, I said, was learning computer forensics techniques.
James Risler: Yeah, again, that's changing as these platforms change, and these attacks get more and more sophisticated. You know, attacks today, I think, you know this, and a lot of our listeners know this, but when you put an attack into a sandbox environment, the attacker knows that they're listening. Let's go back and look at the attack that Georgia Tech was involved with in 2005. The name is on the tip of my tongue. But once the attackers figured out Georgia Tech engineers that were watching this attack were pre-registering the domain names, what did the attackers do? They immediately went in and changed the encoding on this, it was Conficker, they immediately went in and changed the encoding. So instead of generating 256 domain names, they went to generate 2048 domain names a day. And so the Georgia Tech guys were like, they know, they saw that we were pre-registering those domains. So they took this out of the equation for us. So that would be a perfect example of, okay, so they're actually watching. You have to think that these attackers today are well-funded. They have all these solutions that your organizations have, they go out and buy Cisco, Palo Alto, you know, the Zscaler solutions, whatever they generate, they create mock networks. And how do we know this? Because when Microsoft releases their patches, the next day, we see a big change on the internet. When Snort releases its signature update, the next day on the internet, we see a massive change; signatures that used to not fire start firing, and signatures that fired before don't fire anymore. So they're constantly making changes to their attacks, and these are teams of people with different skill sets. So think of it: SOC engineers are different skill sets, developers at different levels, different skills, different mindsets, teaming together to solve this problem. It's like, I think the best solution to think about this, and have you ever been to one of those escape rooms? Like in different towns they have, I'm sure Atlanta, they have one here and in the Tampa Bay area? Oh, yes. Go, you go. You go into the room with a team as the hours locked, and you got to find a way out, you gotta solve puzzles, yes, I've done that twice with people. And the team is really what makes the escape room successful, right? Having different mindsets and different skills, because some people can solve a problem. And others look at it, and they're coming at it from the wrong perspective. And they're just stuck. And it's amazing how teams, that's how I look at SOC teams, that these organizations need to lead; you need to hire different people with different skill sets to create that unique team that can then go and solve the problem, because you're going against attackers that are coming together because they see riches, they see the ability to make a lot of money.
Dr. Dave Chatterjee: Excellent. So you need the knowledge and skills that security engineers bring to the table, you need the competencies that analysts bring to the table, and then the organization should be able to pull them together into very cohesive teams that will develop their own dynamic and, you know, turn out to be very effective based on working together, being exposed to different types of training opportunities, and so on, so forth. Very true. So, as you said, the challenge lies in getting folks trained and hired; tremendous gap out there, shortfall. So under the circumstances, institutions are trying to ramp up their programs. Some are offering certifications, some are offering degrees. Many of the programs are housed in the computer science slash engineering department. Many are housed in the business school, so it differs from organization to organization, but at the end of the day, when you're producing, when you're generating the product that will go on to fill these different roles, what advice do you have for the directors of these cyber security programs? Whether it's housed in the business school or it's housed in the engineering school, what advice do you have for them?
James Risler: Number one, and Dave, this is why I'm so thankful that you reached out to me, because I'm looking forward to the journey of you and I partnering together, so my number one recommendation is partner with corporate America. Find companies that want to give back, that want to partner with you, that want to create a pipeline of communication, and work with them to understand and see the problem you've got. The problem is multifaceted. It's, you know, corporate America sees it from one perspective, you know, the universities and business schools and engineering schools see it from a different perspective. They're both right, but they're both wrong. And you got to bring them together, to mitigate the wrong and enhance the right, and then allow them to be incubating ideas back and forth that help both, I think they can absolutely help both. But we can't take the old approach and just have these separate silos out there working, you actually have to work with corporate America today and have relationships with those SOC teams and have those engineers come and give back and teach back. Use those organizations like Bsides that come in universities like University of South Florida, Bsides was on that campus that day, this year, every year it should be on the campus to encourage students to get plugged in to Bsides, and Bsides should be encouraging the university to get plugged into it. And businesses need to plug in to the university, and then find a way to where you guys can work together to solve that common challenge.
Dr. Dave Chatterjee: I couldn't agree with you more. I mean, I can't imagine an effective cybersecurity education without industry involvement, there has to be a strong partnership. And the training, or the learning, has to be hands-on plus classroom, it has to go in parallel. Like you said, every institution has their share of challenges. They work through their strengths and constraints. The Master of Engineering, master of cybersecurity, Master of Engineering and cybersecurity program at Duke, they run the program they have started, it's a new program, they're doing a good job of it. And the CISO of that university, he offers internship opportunities to students, those who are not able to go and work, get internships with companies, and he creates different types of projects where they get hands-on experience, seeing how SOC professionals work, they are probably embedded in those SOC teams doing different things. And the feedback that I've received from many of the students is they have found those to be very enriching. So it is imperative that we are not only partnering for training, for teaching, but we are also partnering to conduct research, because industry brings a certain perspective, a certain very practical, pragmatic view. I'm kind of aligned in that direction. That's why I like to connect with practice more. And the universities do both. They do good theoretical research, which is important. But you also have to translate those theoretical findings into actionable recommendations. So it is really about leveraging the synergies. It's not about you or I'm better than you or you are better than me. It's about we all have our strengths, how do we come together and help each other, because cybersecurity is a global problem, and we have to fight it together as a global team, if you ask me, just like what we are having to do for the pandemic. We just can't leave it to a group or a small network or a certain community. Everybody has to do their part. So I couldn't agree with you more, Jim.
James Risler: Well said, Dave, the hands-on capabilities. I didn't mention this to you yesterday when we were talking, but UNC Pembroke, University of North Carolina Pembroke campus, did something that I think all universities should highly consider. They created a SOC that is run primarily by the students. The students are brought in, the cybersecurity students then come in, learn the skills as part of their training to protect the organization, to protect the university, to protect the other students. I think that's brilliant right there. Now you've got a practical experience. And I've seen other universities do this for other things, like University of Tampa, where I got my MBA, has a room dedicated to finance. So you go in there and you study stocks and how the trends of stocks. Just do the same thing for a SOC. Now you have students coming in there, the students are doing the research, they're seeing threats on the campus, and then they're researching those threats and reporting them out to the campus leadership. And then they're getting skills and hands on. And now the university has a tool, that SOC, that they can go to industry and say, hey, we have a SOC, we would like to put your tools in there to highlight, and then have your leaders from your organization come in and lecture and talk and train and teach about it. There's your synergy you're talking about right there.
Dr. Dave Chatterjee: We need to do that extensively. That's so important. And that reminds me, I get to talk to a lot of cyber training service providers, and I'm sure they all provide great service. One particular service provider that comes to mind is Circadence by Project Ares, and I was looking at their offering, pretty extensive, they address each of the four or five elements in the NIST framework. And I'm looking at their list of skill sets and knowledge that they try to impart through their program. And it's a pretty hands-on, gamification-oriented program, it is AI driven. So essentially, students are learning the skills interactively. And then they are in the battlefield, engaging in simulated battles where they're trying to fend off attacks, thwart attacks. And the interesting thing here is, during the actual simulation, when they are engaging in defense, if they have to access the tips, the helps, they lose points. So you learn as much as you want. But when it is test time, battle time, better, you know, remember what you learned, or you can talk to your team members, and see how well you perform. So I think that's a great model. I'm sure many other service providers do the same. So I just don't want to highlight one and say, you know, this is the best or anything like that. But I'm just putting forward an example that some really good work is happening. It's a matter of institutions stepping out and making the connection. Cisco is the absolute leader, somebody like you, I'm sure, is highly sought after personnel. And I look forward to partnering with you, as well. So yeah, this is wonderful, Jim, I have thoroughly enjoyed the discussion, we're kind of coming towards the end of our program here. So I'd like to give you the remaining time to sum it up for us, maybe share some key messages, some final thoughts with the listeners.
James Risler: Final thoughts, that's a big Bosu ball right there, as things are changing all the time. So there's a lot of opportunity out there, there's a lot of places to start to get this information. You can start as simple as basically getting Wireshark and going in and finding PCAP files from known attacks, and replaying those into Wireshark, and looking at the PCAP files. And you can go so far as to, you know, get time on a third party cyber range, like range for us and others out there, where you're actually working through the different skill sets required for a security operational professional, whatever role you see in your future, and then working through different case analysis. So the world's your oyster, you know, how do you want to tackle that problem? And then where do you go from there? There's a lot of ways to, you know, go out and create your own learning journey, and start learning and exploring it. And we didn't even cover IoT security, did we? You know, interesting enough, here's a final thought. One of my hobbies is brewing beer. And I was at a friend of mine's manufacturing facility, and they build large scale brew systems. And I was looking at this keg cleaner, and you plug these kegs into this keg cleaner, and you basically program it, and it starts cleaning these kegs out. And I look down, and I see, wow, that's a piece of technology in that keg cleaner right there. Imagine if I hack that device. And of course, I went on the internet, looked up that device, it's got a default IP address. Imagine if I hacked that device and coded it so that the last part going into the keg cleaner was the chemical rather than the rinse agent. Can you imagine if they filled that beer container up with beer, and there was that chemical in there, people would get sick, you know, could cause brand awareness problems for that brewing company. So IoT security is a huge space that is real rapidly coming. And if you look at people from IT trying to get into IoT, they don't understand that IoT is a different mindset. So those two mindsets are trying to come together. But there's that gap of jumping over and bridging it. And nobody has solved that problem today. And yet the security risks are increasing, increasing, increasing. So I guess that's the best example I could sign off with: the future of IoT security is a risk to all of us.
Dr. Dave Chatterjee: What an example. And what a way of signing off, that prompts me to say a few words. I apologize if I'm bucking the trend here, I talk about contamination of water supply. And when you give that example, that brings to light how these kinds of contaminations can happen, the more digitized we get. And we connect with smart devices everywhere, especially our healthcare sector, I've done research with those organizations. And they are very, very apprehensive, tentative, nervous about the kind of security that these IoT devices come with. And that's a huge vulnerability for them. But from my end, to wrap things up, I'd encourage listeners that there are a variety of roles that you can play in a security operations center. Some are highly technical, some are analytical, and there is the communication aspect. So even if you don't have a technical background, don't let that scare you away. There are needs for motivated people, people who are willing to learn, people who are passionate. So there are some fundamental behavioral traits that will be highly valued. And then the training will provide you with the skill sets. And I want to emphasize here what Jim mentioned several times, it's the mindset. And so at times, if you haven't had any prior engineering, computer science training, that's not necessarily a bad thing, because you go in with a very clear head without any kind of biases, and you get trained to learn to think a certain way. And that often is a help. So without taking anything away from the security engineers, who, you know, play a major role, from the analysts who play a major role, and then there are others from the business side of things, who can also be a major contributor. And that role is not to be undermined in any way. So everyone needs to have some level of awareness if we have to really be effective in defending ourselves against the hackers. Again, Jim said they are constantly on the prowl, they are innovating at a speed that's hard to match. So it's not a battle or a war that we can win. But we have to keep our eyes on the ball and stay as alert as possible. So that's my two cents. But Jim, since I said you will have the last word, you still get to have the last word. And after that, we'll pack it up.
James Risler: I loved what you just said right there, the different mindsets, back to the escape room analogy we used, that one person coming into that room that may have a philosophy background, or may have been an accountant or a lawyer, coming in and looking at the problem completely differently, might be the key to solving that puzzle that gets you out of that escape. So we'll sign off there. I think that's a great way to close out.
Dr. Dave Chatterjee: Thank you very much, Jim, for your time. It's been a pleasure.
James Risler: Thank you. Likewise, Dave, it's been a pleasure.
Dr. Dave Chatterjee: A special thanks to James Risler for his time and insights. If you like what you heard, please leave the podcast a rating and share it with your network. Also, subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.
Introducer: The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.