Our “Sitdown with a SOC Star” is back with a bang. This installment catches up with security operations and incident response dynamo Ryan Chapman, who shares passionate and thoughtful stories and views on the field of cybersecurity. Among other things, he pleads for more communication and empathy, champions for increased headcounts and describes why staying social with different teams will come in handy when hell breaks loose. Plus, he shares one of his favorite scenes from cult classic “Hackers.” Obviously.

1) Hi Ryan! Tell us about where you work, what you do there, and the role security operations play there.

I work as an incident response (IR) analyst for BlackBerry Security Services. When a company identifies threat actors within their midst, that’s when we’re called in to support. Many organizations either do not have IR staff on hand or find themselves short-handed when the proverbial “ruh roh” occurs, hence our group’s existence. I’m a principal consultant, which means that I lead cases, help train new hires, conduct presentations, help the development/infrastructure team when I can, etc.

While I may have transitioned out of a direct CIRT/SOC position for a given entity, the role of security operations is critical to the success of our IR engagements. Whether a client has its own SOC, CIRT, MSSP, or other monitoring team, the data they are able to feed us, or to which we’re given access, can expedite our processes immensely. Oftentimes a client’s SOC is the saving grace during an incident, as they are the No. 1 team who understands our needs and can work with us to help secure the client.

2) Describe your career path and what propelled you to want to work in security operations?

Following high school, I set up a little PC repair and installation outfit in San Jose, Calif. After moving to Arizona in 2005, I started working in a call center. Though I thought the position temporary, I ended up being promoted to a full-time technical trainer role. I spent the next six years training and attending college, eventually moving over to the application development team for just shy of a year. I wanted so badly to transition into a security role, but just didn’t know where to begin.

As I neared graduation, I received a call from someone that I had trained a while back (that’s YOU, Johnny!), who was quite literally bragging about his amazing new job in a SOC. I researched SOC positions and knew right then and there: This is what I’m going to do. Needless to say, shortly thereafter I transitioned to the same SOC. From the first day on shift, I felt as though I was living out scenes from a novel or movie. I was obsessed. After 2 1/2 years, I transitioned to the company’s CIRT.

Thus I took on the role of the CIRT/SOC liaison, in addition to my new network security monitoring (NSM) role. I worked to foster communications between the two teams and served as a technical point of contact on the CIRT for the SOC. After 2 1/2 years working in NSM, I moved over to the CIRT DFIR team. After seven years in that SOC/CIRT environment, I made the transition to consulting, the role in which I find myself now.

3) What is the biggest challenge facing you and the teams you work with on a daily basis and how do you work to overcome it?

Communication! Most of us in IT have issues with communication. When it comes to security, we dabble in nearly all of the IT realms. I find that this exacerbates the general communications issues, as numerous teams operate in silos. When our teams inevitably need to communicate with one another, we have poorly established relationships, a lack of understanding, and run into barriers because of all this.

To overcome this, I attempt to monitor and communicate with all teams that I recognize as being a part of the royal “us,” if you will. For example, where I work, I’m in IR, but we have threat research, MSSP-like, product-specific, marketing, and sales teams around us. If we don’t work with them, everyone will fail to benefit from the collective team’s abilities.

If I see a public chat room for another team, I join the sucker! If I see questions posed that maybe aren’t directly to our IR team, I participate. When I see someone from another team reach a milestone, receive accolades, or otherwise just do something awesome, I speak up.

If you’re in a SOC, with whom must you most likely communicate over time? Think about it. So many teams! The NOC, the people who monitor your very own network! Infosec, the policy folks, core network services, the router/switch folks, the data center team, the service desk, the application development teams, and more. All of these teams can be extremely helpful during an incident. If you don’t pre-establish those relationships now – yesterday for that matter – you’re going to have a rough time during your next incident.

Establish those working relationships now: Reach out. Say hello. Introduce yourself and your team. Take the five minutes now so that when “it” hits the fan, you know who to contact, and they know you. When you hire a new SOC member, walk him/her/them around to various contacts. Introduce them. Make them known.


4) What’s the most important hard skill(s) and soft skill(s) for an analyst to possess to move to the next level?

I truly believe that the most important soft skill to have within our realm is empathy. We security folks often lack it, and sometimes to the “nth” degree. The SOC’s job is to monitor the security of the environment and respond when action must be taken. This job is often carried out without empathy for those that are affected. Communication breaks down quickly during an incident, heck even just within a mere event. The more we in SOC roles put ourselves in the shoes of the people with whom we interact, the more we’ll understand their plight.

You can think of it this way: How many times has a SOC member said something like, “This stupid user clicked a link and now their host is compromised”? We hear this often in a SOC environment. Is that person really “stupid”? No, they aren’t. That person may be an engineer, a payroll specialist, a salesperson who enables the very company for whom you work. They have their specialties and their skills. And we have ours. Expecting everyone under the sun to understand security the way that we do is daffy. Rather, we need to be empathetic. We need to realize where they’re coming from. It’ll help us all get along, which in turn improves communication and fosters a healthy working environment.


5) What’s one piece of advice you’d give for someone considering a career in the SOC?

The SOC can be a high-pressure, ever-evolving environment. A role within the SOC is one that requires constant vigilance, outside-the-box thinking and a willingness to engage in ongoing learning. If you’re the type of person that prefers to “check out” from work completely after hours, the SOC life may not be for you. However if you’re the type of person who likes to take on challenges often and doesn’t mind spending time outside of direct work hours researching, learning and honing your abilities, the SOC can be an extremely rewarding career path.

6) You mention on your LinkedIn profile that you’ve taken a particular interest in malware reverse engineering. What prompted that?

I grew up on my computer. My computers growing up were my educators, my babysitters and my best friends. As I entered junior high, I found myself obsessed with the “warez” scene. I wasn’t so much into the “let’s steal all of the software we can and share it with the world” notion of the scene, but rather was enthralled with the technical ability that was required to obtain, crack, release and courier the software.

In high school, I began looking into the “cracking” scene. My online mentors eventually showed me how to use a kernel-level debugger called SoftICE. The power and capability of the debugger absolutely blew my mind. I was hooked. I would sit for hours on end trying to get through “crack me” tutorials. Even when I failed miserably, every minute was an adventure. Over the years, I would put down the debugger in favor of other endeavors. But the thrill never left my memory.

As the years went on, malware became more and more prevalent. Slammer and Conficker wreaked havoc in the digital realm, but it wasn’t until I learned about the intricacies of Stuxnet that I truly realized the capabilities of malware. I realized that malware had the power to change the world, quite literally. I viewed taking up reverse engineering as a hobby to be a major challenge, and I wanted in! By 2012, I had begun my foray into reverse engineering malware (REM). Fast forwarding eight years to 2020, I find myself teaching REM for SANS and picking malware apart multiple times a week.

7) What’s the No. 1 thing SOCs can do to improve their maturity?

First and foremost: Ensure staffing is appropriate. SOC analysts cannot “work tickets” every second of their shifts, or the team will never mature. The group needs time to automate, hunt and research. Second: The team must foster an open learning environment, which is enabled by the aforementioned priority of ensuring staffing is appropriate. The team must be given the opportunity to hunt, research, and ask questions. Information should be shared freely, and all data from previous events/incidents should be used to enhance current automation or hunting efforts.

As an example of the above items in action, think about a phishing email. Some SOC teams are told to “stick to the ticket data.” Such teams might action a user-reported phishing email by blocking the URL within the forwarded email and closing their ticket. More advanced SOCs will allow their analysts the time to pick apart the email headers, either manually or via automation, pulling out the subject, SMTP sending server, x-mailer, from email address, and more. The analyst will search the email security platform for these items. Not just the “from” email address, but the domain itself. Not just the full subject, but portions of the subject that may provide links to related campaigns.

A mature SOC will go even further, allowing their analysts to research the SMTP sending server’s IP address. To which ASN does the subnet belong? Are any domains registered to the “from” address’ domain? Do threat intel services note relations to those indicators to similar or other campaigns? Data enrichment and pivoting can be automated to a degree, and SOAR helps this immensely, but the analysts must have the leeway to perform this research. Otherwise, the SOC is destined to employ “ticket workers” with narrow focus.
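As an added illustration of the header-pivoting Ryan describes (this is example code, not from the interview or from any BlackBerry tooling), the script below pulls the from address and its domain, the subject and its searchable fragments, the X-Mailer, the SMTP sending server’s IP, and any URLs out of a constructed user-reported phishing email; the sample message, IPs and the stopword list are all assumptions.

```python
"""Pull the pivot fields the answer lists from a user-reported phishing email.
Added example (not from the interview); sample message below is constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

SAMPLE_EMAIL = """\
Received: from mail.corp.example (mail.corp.example [10.0.0.5])
\tby mx.corp.example with ESMTP id abc123; Mon, 6 Jul 2020 09:12:01 -0700
Received: from relay.bad-sender.example (relay.bad-sender.example [203.0.113.42])
\tby mail.corp.example with ESMTP id def456; Mon, 6 Jul 2020 09:11:58 -0700
From: "Payroll Dept" <payroll@bad-sender.example>
To: victim@corp.example
Subject: ACTION REQUIRED: Payroll update for July 2020
X-Mailer: BulkSender 2.1

Please review the payroll change at http://bad-sender.example/login
"""
STOPWORDS = {"for", "the", "and", "your", "fwd"}  # assumed noise words

def sending_server(msg):
    """IP that handed the message to our edge: the bottom-most Received
    header is the earliest hop, added by the first server that accepted it."""
    received = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else None
    return m.group(1) if m else None

def subject_pivots(subject):
    """Subject fragments to search on, not only the full subject string."""
    words = re.findall(r"[a-z0-9]+", subject.lower())
    return [w for w in words if len(w) > 2 and w not in STOPWORDS]

def extract_pivots(raw):
    msg = message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return {
        "from_address": from_addr.lower() or None,
        "from_domain": from_addr.rpartition("@")[2].lower() or None,  # domain, not just the address
        "subject": subject,
        "subject_pivots": subject_pivots(subject),
        "x_mailer": str(msg.get("X-Mailer")) if msg.get("X-Mailer") else None,
        "sending_server": sending_server(msg),
        "urls": re.findall(r"https?://[^\s\"'<>]+", body),
    }

if __name__ == "__main__":
    for key, value in extract_pivots(SAMPLE_EMAIL).items():
        print(f"{key:15} {value}")
```

Each returned field is a search key for the email security platform or a threat intel lookup; the sending server IP is what the ASN and related-campaign questions above would be run against.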


8) What’s one thing you wish was happening more in enterprise security that is still pretty rare to see these days?

I can’t stress this enough: Security 101 practices. Managing assets and patches and following general best practices take the cake. It is not uncommon for those in the SOC to run into an incident whose root cause was an unknown and/or unpatched system. When companies don’t know what they have, how can the SOC be expected to protect those resources? When companies have three-month patch cycles, that’s literally handing the adversaries three full months to utilize well-known vulnerabilities. Best practices aren’t hard to find. 

9) What’s your proudest professional accomplishment? You can be as generic as necessary if it involves a customer.

This one is quite easy for me. My proudest professional accomplishment was being selected as a certified instructor candidate for SANS. When I took my first SANS course back in 2013, I was enthralled. I sat through an on-demand course from Ed Skoudis, and I was amazed. The level of detail, professionalism, effort and proficiency opened my eyes and gave me a whole new perspective.

These days you almost cannot have a deep, technical conversation about a particular security topic without mentioning SANS in some way, shape or form. To find myself accepted by the group and be able to say, “I’m a SANS Instructor” can be surreal. I could not be more appreciative of the opportunity. 

10) What books, blogs or podcasts have you read that have helped you advance your security operations skills and career? (Choose one or more.)

Podcasts are my go-to. The SANS Internet Storm Center daily cast is a must for me. Darknet Diaries is one that I don’t like to miss, ever. I’ve listened to some of the episodes multiple times. InSecurity is also a great listen. Security Now is a darn good cast, and I like to listen to it because they cover many topics that I may not delve into otherwise, given that my head is always down with incident data, some training effort, or malware samples.

For books, I have a few favorites in various realms. One book that really gave me a new perspective on what it takes to be a success in this field, let alone in life in general, was Malcolm Gladwell’s “Outliers.” For network security, “The Practice of Network Security Monitoring” and “Practical Packet Analysis” are must-reads. For malware analysis, “Practical Malware Analysis” is phenomenal. All of these technical books are old, but they lay a solid foundation.

11) Have to ask to conclude: What’s your favorite movie involving hacking and cybersecurity and why?

“Hackers,” of course! What I love isn’t just the introduction to the “underground” society of hackers but also the characters and their outright love for and devotion to their craft. Zero Cool, Acid Burn, Phantom Phreak, Cereal Killer, Lord Nikon, and Joey embody the personalities and passions of those within our realm. They don’t just like what they do. They’re infatuated with it, to the point where their entire worlds are modeled around their hobby. How many of us in this industry can relate?

One of the scenes that comes to mind is when the crew is checking out Acid Burn’s new laptop:

Phreak: “Yo. Check this out guys, this is insanely great, it’s got a 28.8 bps modem!”
Zero Cool: “Yeah? Display?”
Cereal Killer: “Active matrix, man. A million psychedelic colors. Man, baby, sweet, ooo!”

Nikon: “I want it.”

Phreak: “I want it to have my children!”

The laptop isn’t just a utility to them. It’s an embodiment of their passion. A tangible, real-world artifact that represents their trade craft.

You can connect with Ryan Chapman on LinkedIn here.

Are you or someone you know a SOC star whose insights would be valuable to share in this space? We’re always looking for new candidates! Just email Content Director Dan Kaplan.