Welcome back to our continuing Q&A series – “Sitdown with a SOC Star” – in which we pose 21 questions to SecOps practitioners working at various levels and industries, and they choose 11 to answer.
In this edition, we say hello to Jesse Emerson, VP of managed security services for the Americas at Chicago-based Trustwave, who was introduced over two decades ago to the world of cybersecurity when he was hired to help a company ready its systems for the year 2000 switchover. Thankfully, those duties didn’t grind down his spirits to the point where he didn’t want to go any further.
Instead, they propelled him to explore a career in security operations, which Emerson never left. In this candid conversation, we hear how a person who literally majored at college in the outdoors found his true calling inside windowless rooms. He shares valuable insights, from threats that keep him up at night to practical shift-handling advice for preventing SOC burnout.
Siemplify: Tell us about Trustwave, what you do there, and the role security operations plays there.
Jesse Emerson: Trustwave is a leading global, broad portfolio cybersecurity company. Through a mixture of technology, consultation and managed services, we specialize in helping our clients prevent, detect and respond to cybersecurity threats. At Trustwave, I work as the vice president of managed security services for the Americas. As a managed security services provider (MSSP), security operations play a key role at the heart of our services. We provide both standard solutions that comprise the foundation of a client’s security operations, as well as solutions that are a hybrid, tightly integrating with a client’s existing or emerging security operations. While we bring technology and threat intelligence and cybersecurity expertise to the table, the security operations are how all of that comes together in such a way that improves our client’s security posture and resiliency to threats.
Describe your career path and what propelled you to want to work in a security operations center (SOC)?
I didn’t set out with cybersecurity in mind when I was picking college majors. My degree is in outdoor recreation and leadership, with a minor in English. But, to pay the bills, I worked in my school’s computer labs. Eventually, a large tech firm came to my school recruiting for Y2K readiness, which landed me in a corporate job providing systems integration and deskside support. After surviving Y2K, I looked for career opportunities and was attracted to the company’s SOC. This was due to the high variety of work and broad domains of knowledge that one had to apply to be a good SOC analyst. And, from what I could tell, the SOC had an important mission and very high visibility within the company (and to be honest, was a bit dysfunctional) – so it offered a good opportunity for learning and career advancement.
Soon I was promoted to SOC team lead, then to SOC manager, then a senior manager with multiple functions including SOC, digital forensics and incident response, and security intelligence. This was for a Fortune 50 company that also happened to be a leading MSSP. I took that experience to lead for several years a global consulting practice focused on building and optimizing SOCs. Eventually, I observed that even the largest organizations required a solid partner in order to maintain and operate their SOC capabilities. This led me back to MSS and the role that I hold today at Trustwave.
What is the biggest challenge facing you and your team on a daily basis, and how do you work to overcome it?
There’s an aspect to security operations that is super interesting and very cloak-and-dagger but also an aspect that is very much operations. And to be honest, it’s (all about) walking that line where we are doing enough to keep everyone on the team upskilled and aware of current threats and technology while also maintaining a highly consistent and predictable service to our clients. There is an adage about the asynchronous nature of cyber defense that says we need to be right all of the time, while the bad guys only have to be right once. And in security operations, we feel that the most. The biggest challenge is probably staying vigilant and thorough when we are literally investigating and analyzing, often in real time, hundreds of potential threats for our customers every week.
“There is an adage about the asynchronous nature of cyber defense that says we need to be right all of the time, while the bad guys only have to be right once. And in security operations, we feel that the most.”
What’s the most important hard skill(s) and soft skill(s) for an analyst to possess to move to the next level?
Without a doubt, the most important skill is the ability to solve problems. Cyber defense is largely about piecing together incomplete pieces of information in such a way we can determine if something is a threat. It requires an inquisitiveness and an ability to logically solve puzzles. Now, to advance, an analyst needs to combine this problem solving with experience and soft skills like the ability to clearly communicate, especially under pressure.
Which threat that comes into the SOC worries you the most/keeps you up at night?
There are probably two main scenarios that keep me up: There’s the customer who has had a previously undetected APT threat actor in their environment for years, where it’s an enormous challenge to untangle what happened and determine the breadth of the breach. The other scenario is the self-propagating threat that takes advantage of a widely available zero-day.
What’s one piece of advice you’d give for someone considering a career in the SOC?
The SOC is not for the faint of heart. You need to be prepared to work under pressure and on hard problems. But the work itself has purpose, and if you’re doing it right it’s never boring. Surround yourself with people who you can learn from and that you enjoy working with. And keep and constantly apply your creativity to your job.
“The SOC is not for the faint of heart. You need to be prepared to work under pressure.”
One threat in the SOC that isn’t talked about as much as it should be is burnout and stress. What do you recommend for you and your team to avoid this predicament?
This is a very real problem. The most important things, in my experience, are to build task rotation into schedules and to ensure there are sufficient layers of support for the team. For real-time operations, “console burn-in” is the condition that occurs when you schedule analysts for more than two to four hours at a time of being “on console.” This is a highly demanding role where it’s key to remain sharp and vigilant, and it’s not possible to do this effectively for long shifts of time. This should be rotated with other responsibilities that allow the analyst’s mind to have some variety. In addition to this, the analyst’s role is high stakes – the wrong decision could have a huge impact on the environment. For this reason, it’s important that analysts have tiers of support behind them so that they are able and comfortable with asking for assistance.
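The rotation rule above is easy to state and easy to break once adjacent console blocks are scheduled back to back. The following Python is an added example, not Trustwave’s tooling or anything from the interview: it checks a constructed one-shift schedule (analyst, start hour, end hour, task) against a maximum consecutive on-console limit, merging adjacent console blocks, and also reports any hour where nobody is on console, since rotating people off must not leave the queue unwatched. The four-hour limit and the sample roster are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample schedule for one 8-hour shift: (analyst, start_hour, end_hour, task).
# Hours are shift-relative; "console" is real-time monitoring, other tasks are rotation work.
SHIFT = [
    ("alice", 0, 4, "console"),
    ("alice", 4, 6, "tuning"),
    ("alice", 6, 8, "console"),
    ("bob",   0, 2, "threat_hunting"),
    ("bob",   2, 5, "console"),
    ("bob",   5, 8, "console"),   # back-to-back console blocks: 6 hours with no rotation
    ("carol", 0, 3, "console"),
    ("carol", 3, 5, "training"),
    ("carol", 5, 8, "console"),
]


def longest_console_stretch(schedule, analyst):
    """Longest run of consecutive on-console hours for one analyst.

    Adjacent console blocks are merged, because two blocks scheduled back to back
    give the analyst no break between them."""
    blocks = sorted((s, e, t) for a, s, e, t in schedule if a == analyst)
    longest = current = 0
    prev_end = None
    for start, end, task in blocks:
        if task == "console" and prev_end == start and current > 0:
            current += end - start          # extends the current console run
        elif task == "console":
            current = end - start           # starts a new console run
        else:
            current = 0                     # rotation task breaks the run
        longest = max(longest, current)
        prev_end = end
    return longest


def flag_console_burn_in(schedule, max_hours=4):
    """Return {analyst: longest_stretch} for everyone scheduled beyond max_hours on console.

    max_hours=4 is the upper end of the two-to-four-hour range described in the interview."""
    analysts = sorted({a for a, *_ in schedule})
    flagged = {}
    for analyst in analysts:
        stretch = longest_console_stretch(schedule, analyst)
        if stretch > max_hours:
            flagged[analyst] = stretch
    return flagged


def console_coverage_gaps(schedule, shift_hours=8):
    """Hours of the shift during which no analyst is on console."""
    on_console = defaultdict(set)
    for analyst, start, end, task in schedule:
        if task == "console":
            for hour in range(start, end):
                on_console[hour].add(analyst)
    return [h for h in range(shift_hours) if not on_console[h]]


if __name__ == "__main__":
    print("burn-in risk:", flag_console_burn_in(SHIFT))      # {'bob': 6}
    print("uncovered hours:", console_coverage_gaps(SHIFT))  # []
```

Running the check before a roster is published catches the case the interview describes (an analyst parked on console for most of a shift) while confirming the rotation still leaves someone watching the console at every hour.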
Which SOC metric do you think is most underappreciated/underrated? And which is the most overrated?
One of my favorite metrics is “events per analyst hour.” It indicates how many things you are asking your analysts to triage and investigate in a period of time. If this is too high, it means your analysts don’t have time to perform good analysis and points to an opportunity for improving your use of technology. (An) overrated (metric) is the total volume of events, alerts or logs that the SOC is monitoring. In this space, not all logs have the same level of security value, and more does not always equal better.
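To make the metric concrete, here is an added Python example (not from the interview or from Trustwave) that computes events per analyst hour per shift and for a whole week from constructed shift statistics, and lists the shifts whose load exceeds a threshold as candidates for tuning or automation. The sample numbers and the threshold of 10 events per analyst hour are assumptions; the right ceiling depends on how long a proper investigation takes in a given SOC.

```python
from dataclasses import dataclass


@dataclass
class ShiftStats:
    shift: str
    events: int           # alerts or cases the queue asked analysts to triage
    analyst_hours: float  # staffed analyst hours on that shift


# Constructed weekly sample (not real SOC data).
WEEK = [
    ShiftStats("mon-day", 180, 24.0),
    ShiftStats("mon-night", 96, 16.0),
    ShiftStats("tue-day", 300, 24.0),
    ShiftStats("tue-night", 260, 16.0),
]


def events_per_analyst_hour(events, analyst_hours):
    """The metric itself: triage demand divided by staffed analyst time."""
    if analyst_hours <= 0:
        raise ValueError("analyst_hours must be positive")
    return events / analyst_hours


def shift_rates(week):
    """Per-shift rate, so a bad night shift is not hidden by a quiet day shift."""
    return {s.shift: round(events_per_analyst_hour(s.events, s.analyst_hours), 2)
            for s in week}


def weekly_rate(week):
    """Aggregate rate over all shifts, weighted by staffed hours."""
    total_events = sum(s.events for s in week)
    total_hours = sum(s.analyst_hours for s in week)
    return events_per_analyst_hour(total_events, total_hours)


def overloaded_shifts(week, max_rate=10.0):
    """Shifts where analysts are asked to handle more than max_rate events per hour.

    These are the shifts where, per the interview, analysis quality suffers and
    automation or detection tuning would pay off first."""
    return [s.shift for s in week
            if events_per_analyst_hour(s.events, s.analyst_hours) > max_rate]


if __name__ == "__main__":
    print(shift_rates(WEEK))        # {'mon-day': 7.5, 'mon-night': 6.0, 'tue-day': 12.5, 'tue-night': 16.25}
    print(round(weekly_rate(WEEK), 2))   # 10.45
    print(overloaded_shifts(WEEK))  # ['tue-day', 'tue-night']
```

Note that the weekly figure alone would look only slightly above the threshold; the per-shift breakdown is what shows that Tuesday’s shifts, not the week as a whole, are where analysts lack time for good analysis.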
Why was it so important for Trustwave to incorporate security automation and orchestration (SOAR) as it built its managed security services?
Any MSSP that runs at scale needs to take advantage of SOAR. The sheer number of tasks that we need to execute every day is enormous. SOAR allows us to do these things efficiently and consistently while allowing our knowledge workers, analysts and engineers to focus on more interesting and harder problems. SOAR also allows us to offer clients services that we would never undertake with manual labor alone, so it helps us expand our value proposition to clients.
“Any MSSP that runs at scale needs to take advantage of SOAR. (It) allows us to do … things efficiently and consistently.”
What is your philosophy on how a SecOps team should be built out?
The most important thing is to build the team to have complementary skills and good chemistry. A SOC analyst needs to know so much that it’s nearly impossible to hire individuals that are truly qualified. The best way to operate is to have people with a mixture of experiences and expertise working together in such a way that they can support and teach one another.
When you’re not staffing the SOC, what is your favorite thing to be doing and what do you like about it?
I like to get outside. This might be kayaking or bicycling or skiing. But the mixture of exercise, sunshine and no computers really helps me reset and re-energize. When I do these things, I find I’m much more effective when I get back to the office.
Are you or someone you know a SOC star whose insights would be valuable to share in this space? We’re always looking for new candidates! Just email Content Director Dan Kaplan.