When you hit the couch to binge a new TV series, the last thing you’re likely thinking about is that there is a team of security operations professionals somewhere keeping your viewing experience enjoyable and your personal data protected.
Our continuing “Sitdown with a SOC Star” Q&A installment catches up with Chris Elliot, senior manager of security operations at Hulu, who borrows lessons learned in his long career in the U.S. Army to ensure the subscription video on-demand service is keeping its intellectual property and customer information out of the hands of adversaries.
Among other things, Elliot talks about the importance of process and the lost art of patching, and shares why rogue devices are anathema to security, how communication in the SOC is best delivered jargon free and old school, and why Matthew Broderick just may be his favorite hacker. Plus, he gave us a bonus answer!
1) Tell us about Hulu, what you do there, and the role security operations plays there.
Chris: I am the senior manager of security operations at Hulu. I directly lead a team of security analysts, security engineers and threat intelligence analysts in our security operations center (SOC). The role of security operations is ever present at Hulu, as our customers rely on our entertainment streams and live TV 24/7. We have a constant demand for content while receiving a constant stream of personally identifiable information (PII) and financial info. We are the firefighters who ensure the movies keep flowing and the data stays secure, no matter what is happening in our compute environment.
2) Describe your career path and what propelled you to want to work in a SOC?
In the U.S. military, I worked on everything from the teletype (yes, I know I’m dating myself) to multichannel satellite communications, and everything in between. When I left the military, I knew I was comfortable working in a high-stress, data-driven, decision-making environment. I was comfortable speaking to system operators about their applications and business decisions, and translating to them the need for security and the effects of their application vulnerabilities. My ability to see things not in a black-and-white lens but in a flexible secure manner made me feel comfortable making security decisions in the SOC.
3) You have an extensive military background. How does what you learned as a U.S. Army soldier apply to your work in a SOC?
My 23 years in the U.S. Army taught me many things that I have brought to bear here in the SOC. The three most important:
- Look at your foxhole from the enemy’s perspective: No matter how secure you think your defense posture is, look at it from the hackers’/customers’ perspective, and you will see the biggest hole.
- Look to win the battles, not the war: In the SOC, we will never stop all cybercrime or defeat all breaches. Thinking you can will lead to burnout. Take pride in the small improvements in your security posture, make changes in your sphere of influence and make every day more secure than the last.
- Violence of action: Making decisions is what people in high-stress positions do. Don’t wait for the 100% solution. It’s OK to make a decision on 80% of the solution known, knowing you will have to figure out the last 20% en route to the solution.
4) What’s the most important hard skill(s) and soft skill(s) for an analyst to possess to move to the next level?
An analyst should know networking. I have seen many analysts who know application security and operating systems, but very little about how networks work. Knowing how firewall rules work and how packets flow through the network and the associated devices helps greatly in threat hunting. If you can’t explain it, you don’t understand it. Analysts need to know how to explain complex security issues to non-tech savvy folks. This is the reality we live in. I love to geek out with my analysts, but when I want the down and dirty, explaining it to me in hexadecimal, T-SQL format doesn’t work.
5) Which threat that comes into the SOC worries you the most/keeps you up at night?
The computer at the Starbucks in Florida. I worry about when my devices are off network in a place my tools (or a limited subset) can’t protect them (funny as I type this in an airport bar). These days the brute force of a firewall is dead. We will be exploited by a credential-harvesting, lateral-moving, vulnerability-exploiting bad guy. I am constantly worrying about that computer that I don’t know about in someone’s desk or house with admin logon and no security tools.
6) What’s one piece of advice you’d give for someone considering a career in the SOC?
Communicate, in duplex. Slack, email or text do not convey urgency, uncertainty, sarcasm or plain panic. Don’t be afraid to get up and call someone (yes, that phone does do more than text/social media/questionable picture taking). Walk over to the desk, have coffee, use a whiteboard – or just scream – but either way, your point will be understood.
7) What’s the No. 1 thing SOCs can do to improve their maturity?
Accurately document your processes. These documents should be living and realistic. Keep track of how often you actually perform these processes, and if you do it more than three times, automate it based on these documents. Build and document your process with the idea of automating them. This way your process should involve the least amount of human logic and the most of process flows.
8) What’s one thing you wish was happening more in enterprise security that is still pretty rare to see these days?
Patching. It’s the simplest way to harden your environment. Patching in a cyclic, documented, repeated fashion. Many organizations are too quick to build and deploy – and then say, “I have no time or resources to patch.” You wouldn’t buy a new car without a warranty and service plan. Why are you deploying production IT in this fashion?
9) What books, blogs or podcasts have you read that have helped you advance your security operations skills and career? (Choose one or more.)
Colin Powell’s “It Worked For Me: In Life and Leadership.”
A lot of lessons on how to lead/manage/act. The principles laid out by Powell can be applied to pretty much any situation, and these mantras still hold true.
10) It’s the year 2030. How would you describe the state of security operations at the average company?
Dolphins with lasers…actually automation (hopefully not Skynet, but who knows?). The automation of manual repetitive tasks using a mix of machine learning and artificial intelligence. The SOC will still be needed but at a higher decision-making level. Yet even in that capacity, the decisions will be prefaced with all of the information needed and indexed in a single pane of glass so that the analyst can make an informed decision faster. Once that decision is made, we will have the ability to put it into simulation to see the effect of the decision without affecting production.
11) What’s your favorite movie involving hacking and cybersecurity, and why?
I know I’m supposed to say “Hackers” with Angelina Jolie and Jonny Lee Miller, but I won’t. Actually I think “Ferris Bueller’s Day Off.” I loved the part where he hacks the school to change his attendance record and states that he asked for a car but got a computer instead. This is how I felt. I never saw myself going into IT as a career field, but when I was made to do it by the Army, I was able to turn it into a positive for me.
12) Why was it so important for Hulu to incorporate security orchestration, automation and response (SOAR) into its SOC?
SOAR frees up my highly technical and easily bored analysts to do cool stuff. SOAR allows threat hunters to hunt, analysts to analyze and managers to…anyways. By taking repetitive actions out of my analysts’ hands, I am able to allow them to do far more technical tasks that leverage their hard-earned skills in a way that keeps them sharp and in the game. SOAR also allows for tasks to be done the same way every time, rain or shine, day or night. This constant makes analysis easier, and makes expectations and results steady.
You can connect with Elliot on LinkedIn here.
Are you or someone you know a SOC star whose insights would be valuable to share in this space? We’re always looking for new candidates! Just email Content Director Dan Kaplan.