Our latest edition of “Sitdown With a SOC Star” brings us Reid Gilman, a longtime security operations practitioner (11+ years at MITRE as a lead cyber engineer and 2+ years at Boston Children’s Hospital as a security engineer and architect) who recently launched his own venture. Reid has a passion for helping organizations build maturity, but as you’ll find out, most businesses need to make sure they are sorting the fundamentals first. Please enjoy 11 questions with Reid.
1) Hi Reid! Thanks for (virtually) sitting down with us. Tell us about where you work, what you do there, and the role security operations play there.
As of late 2020, I work at Watch City Cybersecurity. It’s a small company that I founded and I couldn’t be more excited. I’m trying to help businesses take practical steps to improve their cybersecurity. Security operations is the focus. I’ve spent a while working in SOCs and I get that it’s hard. As an industry, I think we get wrapped up in technology to the detriment of people and processes. The best EDR in the world won’t save you if all of your analysts are swamped with busy work. Prioritization is hard because it means that you have to ignore a ton of alerts and problems that come across your radar. It is the only way to free people up to focus on what’s important, though.
2) Describe your career path and what propelled you to want to work in security operations?
I started off working in research, and that experience has really informed the rest of my career. I was drawn to security operations, I think, because I’m impatient. There’s no other job in security that offers the same kind of immediate gratification as detecting and disrupting an attack. I’ve since moved into architectural roles where I’ve tried to help the folks triaging alerts and deploying tools to achieve bigger and better things. That’s the sweet spot for me right now.
3) You spent more than two years working at Boston Children’s Hospital. The cybersecurity news coming out of the health care sector (which already is under the microscope because of the COVID-19 crisis) seems to be going from bad to worse. From a security operations perspective, how can health care reclaim surrendered ground?
I’m not convinced that health care as an industry is in a worse place than many other industries. I realize that may run counter to popular opinion. The data certainly shows that health care has been targeted by ransomware actors, and it’s very scary when a hospital suddenly can’t treat patients, so it makes the news. While health care had the misfortune to be targeted, I don’t believe that their cybersecurity or IT postures are exceptionally bad in comparison to other industries.
I believe that the top security operations priorities for nearly any company concerned with ransomware are the same:
- Clean up Active Directory permissions.
- Require multi-factor authentication (MFA) for all internet-facing applications.
- Deploy an EDR (ideally with 24/7 monitoring).
- Keep all internet-facing systems patched immediately and without exception.
- Create and test backups.
- Train analysts to recognize ransomware precursors.
Some companies have already reached a point of maturity where maybe they should worry about other things first, but most have not. The devil is in the details. We always hear about the one VPN account that didn’t require MFA. So, when I say MFA for all internet-facing applications, that might be tougher than it sounds.
4) What’s the most important hard skill(s) and soft skill(s) for an analyst or engineer to possess to move to the next level?
I think tenacity pays off at nearly every stage of an engineer’s career. For technical skills, there are so many to choose from. It’s hard to pick one thing so I’m going to suggest that engineers aspiring to a new role talk to their managers about what skills their target role requires.
5) Which common threat impacting organizations worries you the most/keeps you up at night?
Ransomware. No other threat actors are as indiscriminate, motivated and capable. The ransomware groups we see in 2021 are staggeringly well funded and very capable. The defensive strategies we have today do not scale, whereas their offensive tactics very demonstrably do. We need a whole-of-government if not global response, and I can’t envision that happening overnight. The U.S. Department of Justice’s recent success in taking back a ransom payment is heartening. I hope we see more actions to disrupt the payment cycle.
6) What’s the No. 1 thing security operations teams can do to improve their maturity?
Create and document processes. This is a generality, but it will ring true for a lot of folks. We have a lot to learn from other safety-critical industries. Even something as simple as having an alert triage checklist can make a huge impact.
7) What’s one thing you wish was happening more in enterprise security that is still pretty rare to see these days?
Please, please, please secure your Active Directory permission structure. So many organizations invest millions in the greatest anti-phishing and EDR but don’t invest a dime in this.
8) When you’re not SOC-ing, what is your favorite thing to be doing and what do you like about it?
I practice handstands almost daily. I started a few years ago and it makes almost everything else in my life seem much easier. It helps me focus on the journey of improvement instead of worrying about an end state.
9) It’s 2030. How would you describe the state of security operations at the average company, taking into account how things have changed in light of COVID-19?
I might be an iconoclast here, but I don’t think security operations need to change much to accommodate COVID-19 or remote work. This won’t be true if your company previously didn’t allow any remote work and nobody had a laptop. There will be some shifts in underlying technology and upgrades to VPNs. Fundamentally I believe that the abrupt shift to remote work has revealed existing weaknesses more than it has created new vulnerabilities.
10) What is your philosophy on how a security operations team should be built out?
Start with a clear definition of success and figure out how to measure it. “Don’t get hacked” is not a good metric because you can only measure it when you fail. Create processes to support the metrics and select technologies to enable the processes.
11) Have you experienced an aha! or an oh-no! moment in your career that led to some kind of breakthrough or improvement? If so, what was it?
The more scared I am of a conversation the more important it probably is. I try to embrace those difficult conversations now and approach them directly and candidly. So far it’s worked a lot better than putting them off forever.