There are many gifted security operations professionals in the world, grinding day after day, without much fanfare. Most, of course, are not attention-seekers by nature – if they were, they likely wouldn’t have chosen the cybersecurity career path – but far too many remain in the shadows, despite having so many valuable insights and anecdotes to share about their experiences and craft.
We want to change that. Today we are launching a new Q&A series – “Sitdown with a SOC Star” – in which we pose 21 questions to SecOps practitioners working at various levels and industries, and they choose 11 to answer.
Our inaugural installment is a chat with Cameron Rayner. Aussie-born and bred (you’ll catch some Down Under slang), Rayner now calls Chicago home, where he serves as the SOC manager for Crowe, a leading accounting, consulting and technology company.
Rayner joined us to share his top career moment, how he thinks security operations can improve within the industry and what his advice is for up-and-comers considering joining our skills-deprived industry (hint: so many diverse opportunities exist!). He also settles, once and for all, an important cross-continent debate: Vegemite or Chicago deep-dish pizza?
Siemplify: Tell us about Crowe, what you do there, and the role security operations plays there.
CR: Crowe is one of the top ten accounting firms in the United States and we are consistently recognized as one of the top places to work by Forbes, Fortune and Glassdoor. I am the manager of the security intelligence center for our managed detection and response (MDR) solution. Through working with really smart people and leveraging really slick technology, we work to quickly detect and remediate any suspicious or malicious activity for ourselves and our clients.
Describe your career path and what propelled you to want to work in a SOC?
Initially I began my undergrad in computer games design at Edith Cowan University in Perth, Western Australia. I was close to finishing when the global financial crisis hit the local industry hard. I decided to swap my major to information security because I saw my friends using BackTrack to break into WEP (wired equivalent privacy) security networks as part of a class project. This was a great decision because I find the security industry is still, to this day, one of the most exciting fields to work in. After graduating, I worked as a Level One analyst and instantly fell in love with the work.
What’s the most important hard skill(s) and soft skill(s) for an analyst to possess to move to the next level?
Curiosity and an acceptance that security exists to support business objectives. If you wish to be an effective security analyst, you need to be, at your center, a curious person. For example, you naturally ask why that log looks out of place. Analysts investigate why, dive deeper and don’t always take no for an answer. Information security is a competitive field. Make sure you are always working on improving yourself; otherwise the industry will leave you behind. If you wish to advance, my advice is to understand that security is just another business function to help meet business objectives. Our goal is to do our best to help our companies achieve their business objectives. If we measure our success solely on the security we deliver, we’d just unplug everything and pat ourselves on the back.
Which threat that comes into the SOC worries you the most/keeps you up at night?
Ransomware and business email compromise (BEC). Security operations centers are really good at detecting threats and responding to them. But ransomware and BEC present unique challenges. Ransomware, if not part of a coordinated campaign, moves quickly, making detection in the early phases of delivery critical. BEC is largely a business process compromise, making traditional security approaches difficult or, at worst, just plain ineffective. To defend better, both require a change in security culture, which needs to be a directive/priority of senior leadership.
What’s one piece of advice you’d give for someone considering a career in the SOC?
Cybersecurity is a wide field and is expected to grow at a rapid pace, so get on board now! But remember: Cybersecurity is not all about hacking. You do not need to be a computer expert to be a valued member of the team. Certainly, there is a need for those experts, but the field is so large that we need a diverse range of skills to face modern threats. Security teams need business people, they need investigators, project managers, communications/relations people, policy writers and trainers, to name a few. I truly believe that a strong security team is one with a diverse set of skills and people.
What’s one thing you wish was happening more in enterprise security that is still pretty rare to see these days?
You can’t beat a bad human with a robot. The days of only performing reactive investigations to correlated alerts are behind us, and frankly they lasted too long. What is required in a modern security program is proactive threat hunting. This is a curious analyst traversing a large data set to prove/disprove a hypothesis and pulling threads until they discover something out of place. Traditional detection logic (‘x’ and ‘y’ condition seen together equals an alert) is rigid and is no substitute for a human who knows the environment and attackers’ TTPs (tactics, techniques and procedures). A large benefit of threat hunting is that often the analyst finds bad IT and vulnerabilities, which are useful for other areas of the enterprise to know about.
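To make the contrast above concrete, here is an added example (not from the interview or from Crowe's tooling) that runs a rigid "x and y seen together" correlation rule and a hypothesis-driven hunt over the same constructed set of logon events. The event tuples, user names, addresses and host names are all made up for the example. The rule catches the noisy brute-force pattern it was written for; the hunt, which simply stack-counts (user, host) pairs across the whole data set, surfaces a quiet service-account logon to an unfamiliar workstation that produces no failures and therefore never trips the rule.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of interactive logon events: (timestamp, user, source IP,
# target host, outcome). Hypothetical data built for this example, not real telemetry.
BASE = datetime(2024, 3, 4, 8, 0, 0)


def build_events():
    ev = []
    for day in range(5):
        d = BASE + timedelta(days=day)
        ev.append((d + timedelta(hours=1), "alice", "10.0.1.10", "WS-ALICE", "success"))
        ev.append((d + timedelta(hours=1), "bob", "10.0.1.11", "WS-BOB", "success"))
        for h in range(0, 24, 6):  # backup service account runs every six hours on FS01
            ev.append((d + timedelta(hours=h), "svc_backup", "10.0.2.5", "FS01", "success"))
    # A noisy event the correlation rule is built for: five failures then a success
    # against bob from an unfamiliar address, all inside ten minutes.
    t = BASE + timedelta(days=2, hours=3)
    for i in range(5):
        ev.append((t + timedelta(minutes=i), "bob", "10.0.0.99", "WS-BOB", "failure"))
    ev.append((t + timedelta(minutes=6), "bob", "10.0.0.99", "WS-BOB", "success"))
    # A quiet event with no failures at all: the backup account logs on to a
    # workstation it has never touched. Nothing "fires"; only a hunt surfaces it.
    ev.append((BASE + timedelta(days=3, hours=2), "svc_backup", "10.0.2.5", "WS-ALICE", "success"))
    return sorted(ev)


EVENTS = build_events()


def failed_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Rigid 'x and y together' detection: N failures then a success from the
    same (source, user) inside the window. Returns the (source, user) pairs that fire."""
    alerts = []
    failures = defaultdict(list)  # (source, user) -> timestamps of recent failures
    for when, user, src, host, outcome in events:
        key = (src, user)
        if outcome == "failure":
            failures[key].append(when)
        elif outcome == "success":
            recent = [t for t in failures[key] if when - t <= window]
            if len(recent) >= threshold and key not in alerts:
                alerts.append(key)
            failures[key] = []  # a success ends the sequence either way
    return alerts


def rare_user_host_pairs(events, max_count=1):
    """Hunt: hypothesis 'an account appearing on a host it almost never uses is
    worth a look'. Stack-count (user, host) pairs over the whole data set and
    return the rare ones for accounts that have an established home elsewhere."""
    pair_counts = Counter((user, host) for _, user, _, host, outcome in events
                          if outcome == "success")
    hosts_per_user = defaultdict(set)
    for user, host in pair_counts:
        hosts_per_user[user].add(host)
    return sorted(pair for pair, n in pair_counts.items()
                  if n <= max_count and len(hosts_per_user[pair[0]]) > 1)


if __name__ == "__main__":
    print("correlation rule fired on:", failed_then_success(EVENTS))
    print("hunt surfaced:", rare_user_host_pairs(EVENTS))
```

The two functions are complementary rather than competing: the rule is cheap to run continuously and needs no analyst, while the hunt needs someone who knows that `svc_backup` has no business on a workstation, which is exactly the environment knowledge the answer above describes.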
What’s your proudest professional accomplishment? You can be as generic as necessary if it involves a customer.
Just thinking back on this gives me shivers. When I was finishing school, I was a desktop support contractor at a government department in Australia. The core patch panel for the head office was a right mess, so one other desktop support analyst and I were tasked with rewiring it. Keep in mind, neither of us had any networking training, experience or certifications beyond manning the help desk. We came in on the weekend and ripped this old Avaya punch block bare. Being young, inexperienced and eager, we didn’t think to mark out the cables properly. Through cable tracing, stupidity, sleep deprivation, luck and 48 hours of scramble, we had the building up and running by 8 a.m. Monday. It easily could have brought the department to a standstill. It looked great in the end.
Why was it so important for Crowe to incorporate security automation and orchestration (SOAR) as it built its Managed Detection & Response service?
It is no secret that there is a skills shortage in cybersecurity. My goal is to ensure that our analysts are spending their time on constructive and higher-level activities to ultimately increase their value as individuals in this industry. SOAR allows us to automate a large amount of those basic activities that would bog down an analyst. This could be pulling contextual data, ‘whois’ lookups and basic decisions based on scanning results. Removing some of the mindless work allows our analysts to perform other duties that are more engaging and challenging. Effectively, this raises everyone in our team to, at minimum, a Level Two analyst. (Editor’s note: You can check out the Crowe-Siemplify case study video here.)
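The kind of playbook the answer describes (pull context, look up the source, decide from scan results) can be sketched in a few dozen lines. The example below is added here and is not Crowe's or Siemplify's code; the asset inventory, scanner export, whois table, scanner address range and signature names are all constructed stand-ins for the systems a real playbook would query. The design point is that automation only closes an alert when the enrichment gives it a concrete reason to, and hands everything else to a Level Two analyst with the context already attached.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the enrichment sources a playbook would query
# (asset inventory, last vulnerability-scan export, a whois lookup). Hypothetical
# data for this example, not Crowe's environment.
ASSETS = {
    "web01": {"owner": "ecommerce", "criticality": "high", "exposed_services": {"http", "https"}},
    "fs01": {"owner": "infrastructure", "criticality": "medium", "exposed_services": {"smb"}},
}
AUTHORISED_SCANNERS = [ip_network("10.0.9.0/24")]  # assumed internal scanner range
WHOIS_STUB = {"203.0.113.7": {"org": "Example Hosting", "country": "XX"}}  # RFC 5737 test address
SIGNATURE_SERVICE = {"smb-exploit-attempt": "smb", "http-sqli-probe": "http"}  # assumed IDS signature names


@dataclass
class Alert:
    alert_id: str
    src_ip: str
    dst_host: str
    signature: str


def enrich(alert):
    """Gather the context an analyst would otherwise collect by hand."""
    return {
        "asset": ASSETS.get(alert.dst_host),
        "whois": WHOIS_STUB.get(alert.src_ip, {"org": "unknown", "country": "unknown"}),
        "internal_scanner": any(ip_address(alert.src_ip) in net for net in AUTHORISED_SCANNERS),
        "targeted_service": SIGNATURE_SERVICE.get(alert.signature),
    }


def triage(alert):
    """Return (disposition, reason, context). Close only on evidence; anything
    uncertain goes to a human with the context attached."""
    ctx = enrich(alert)
    asset, service = ctx["asset"], ctx["targeted_service"]
    if ctx["internal_scanner"]:
        return "close", "source is an authorised internal scanner", ctx
    if asset is None:
        return "escalate-L2", f"{alert.dst_host} is not in the asset inventory", ctx
    if service and service not in asset["exposed_services"]:
        return "close", f"{service} is not exposed on {alert.dst_host} per the last scan", ctx
    priority = "P1" if asset["criticality"] == "high" else "P2"
    reason = (f"{alert.signature} against {asset['criticality']}-criticality host "
              f"{alert.dst_host} from {ctx['whois']['org']} ({ctx['whois']['country']})")
    return f"escalate-L2:{priority}", reason, ctx


# Constructed sample alerts exercising each branch of the decision.
SAMPLE_ALERTS = [
    Alert("a1", "10.0.9.15", "web01", "http-sqli-probe"),       # our own scanner
    Alert("a2", "203.0.113.7", "web01", "smb-exploit-attempt"),  # service not exposed
    Alert("a3", "203.0.113.7", "web01", "http-sqli-probe"),      # real exposure, high value
    Alert("a4", "203.0.113.7", "db-legacy", "smb-exploit-attempt"),  # unknown host
    Alert("a5", "203.0.113.7", "fs01", "smb-exploit-attempt"),   # real exposure, medium value
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        disposition, reason, _ = triage(a)
        print(f"{a.alert_id}: {disposition:16} {reason}")
```

Note the unknown-asset branch: an alert for a host the inventory has never heard of is escalated, not closed, because "no data" is itself a finding about the environment.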
What is your philosophy on how a SecOps team should be built out?
Diversity. I truly mean it in every sense. You simply cannot afford to have a single-lane, narrow-minded team defending when you face a diverse set of adversaries. You need diversity in skills, opinions, experiences, abilities, values, mindset, perspectives and backgrounds. By ensuring you hire a diverse range of people, you have a better chance of achieving those needs. In regard to skills, a security degree is valued, but you need to hire more than just security people. Yes, knowing the OSI model and the CIA triad is great, but you are defending a complicated organization with a wide range of technologies and its own business objectives. I encourage the hiring of seasoned AD admins, VM admins, cloud admins, Exchange admins, desktop support analysts, data scientists, programmers, sys admins, VoIP engineers and network admins, all of whom want to pivot into security as the next step in their career. Those people know the business, have supported its objectives and can learn security while possessing a deep understanding of the technologies we are trying to protect. A sys admin with intimate knowledge of the Windows file system may spot hidden, masquerading or out-of-place files, e.g. ‘Scvhost.exe’. A network admin may be able to break down traffic in a PCAP to observe out-of-place C2 connections. A desktop admin knows the enterprise, has valuable connections and knows the processes to spot potential compromise. Diversity in people and skills is necessary to effectively defend and align information security with the business and its objectives.
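The ‘Scvhost.exe’ spot described above is the kind of instinct a seasoned sys admin brings, and it can be encoded so that the whole team benefits from it. The following is an added example, not code from the interview or from Crowe: it checks observed executable paths against a small constructed allow-list of well-known Windows system binaries and the directory each is expected to run from, flagging both look-alike names (a transposition or substituted character, found with plain Levenshtein distance) and a genuine name running from the wrong directory. The allow-list, the distance threshold and the sample paths are assumptions made for the example.

```python
# Constructed baseline: well-known Windows system binaries and the directory each
# is expected to run from (lower-cased). An assumed allow-list for this example,
# not an authoritative or complete one.
KNOWN_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
LOOKALIKE_THRESHOLD = 2  # assumed: 2 catches a transposition ('scvhost') or a swapped char ('svch0st')


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(path: str):
    """Return a finding string for one observed executable path, or None if it
    is either a known binary in its expected place or not a look-alike at all."""
    norm = path.lower().replace("/", "\\")
    directory, _, name = norm.rpartition("\\")
    if name in KNOWN_BINARIES:
        expected = KNOWN_BINARIES[name]
        if directory != expected:
            return f"masquerade-path: {name} expected in {expected}, seen in {directory}"
        return None
    for legit in KNOWN_BINARIES:
        if edit_distance(name, legit) <= LOOKALIKE_THRESHOLD:
            return f"lookalike-name: {name} resembles {legit} (in {directory})"
    return None


def scan(paths):
    """Run classify over a list of paths and keep only the findings."""
    findings = []
    for p in paths:
        finding = classify(p)
        if finding:
            findings.append((p, finding))
    return findings


# Constructed sample of observed process image paths (hypothetical, for the example).
OBSERVED = [
    r"C:\Windows\System32\svchost.exe",                   # legitimate
    r"C:\Users\alice\AppData\Local\Temp\Scvhost.exe",     # transposed letters, user-writable dir
    r"C:\Users\bob\Downloads\svchost.exe",                # right name, wrong directory
    r"C:\Windows\System32\lsasss.exe",                    # extra letter
    r"C:\Program Files\Vendor\notepad.exe",               # unknown to the list, not a look-alike
]

if __name__ == "__main__":
    for path, finding in scan(OBSERVED):
        print(f"{finding}\n    {path}")
```

Edit distance on the file name alone is deliberately crude; in practice you would pair it with the signer and hash of the image, since a renamed copy of a legitimate binary and a freshly dropped one look identical by name.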
What books, blogs or podcasts have you read that have helped you advance your security operations skills and career? (Choose one or more.)
I have to spruik a fellow Aussie here and say I listen to the Risky Business podcast. Risky Biz is a fantastic podcast with a global focus and helps me to stay up to date with the latest happenings across the security industry. Plus, it is good for a laugh.
You grew up in Australia and now live in Chicago. What’s better: Vegemite or deep-dish pizza?
One of my favorite things to do is to share Vegemite with my American colleagues. I love them both, but Chicago deep-dish pizza is on another level. If you are ever in Chicago, visit a local deep-dish place, set aside an hour and prepare to have your world changed. For those who wish to try Vegemite properly – toast some bread and butter it. Apply a thin layer of Vegemite and enjoy.
Thanks, Cameron, for your time! You can connect with him on LinkedIn here.
Are you or someone you know a SOC star whose insights would be valuable to share in this space? We’re always looking for new candidates! Just email Content Director Dan Kaplan.