Episode 52: SOC Engineering with Chris Wojtowicz


This week we sit and talk with Pat's co-worker Chris, who is a SOC Engineer at Customers Bank. We chat about how he got into cybersecurity, some SOC everyday tools, phishing attacks, and even some future SOC visions with ChatGPT. Join us!

Connect with Chris on Linkedin - https://www.linkedin.com/in/christopherwojtowicz/



  • Pat: 0:35

    Hey everybody. Welcome back to this week's edition of Breaking Down the Bytes. As usual, we are back this week. I'm your host, Pat. You can find me on Twitter at layer eight packet. That's the number eight. Kyle, he's not here this week, but you can find him on Twitter as well. He's at Dan, that's 256. Alex, you're not on social media at all, so you can get the show on Twitter at Breaking Bytes Pod. If you wanna talk to Alex specifically, just hit us up there and he'll get the message. We're pretty active on Twitter, so come say hello. If you like the show, don't forget to subscribe on your platform of choice. Alex, what's up man? How you doing?

    Alex: 1:11

    Well, outside of patiently waiting to see if I make the Disney layoff cuts. I mean, outside of that I'm

    Chris: 1:18

    Oh boy.

    Pat: 1:19

    Yeah, buddy. Yeah, a couple tense moments there. So everything else going well, but it's a tense time. I actually saw an April Fool's joke the other day that Bob Iger laid himself off, which we all know is not true. He's like, in the event of cutting costs, I'm gonna cut myself out at 25 million or whatever the hell he's making. So yeah, that was pretty funny.

    Alex: 1:40

    I like that. Yeah. Next big thing is tomorrow there's an investor's call, so I'll be interested to see what he has to say there.

    Pat: 1:49

    Yeah. See what happens there. So we're all pulling for you. Definitely let us know how that goes in the next couple of weeks. So, yeah, we're all good here. I will say just a couple of housekeeping notes. My March Madness bracket, for any of those that follow college basketball, completely busted. There is no hope for my bracket anymore. It is completely gone. I don't think I had one team make it to the Final Four. It was just crazy this year. So March Madness, for sure, all my brackets are busted. Good thing I didn't actually bet on any of them, cuz I would've been out quite a few bucks. So I was terrible at it this year. Other than that, let's get into the guest. We have a guest this week with us, ladies and germs, Mr. Chris, and I'm not gonna butcher your last name, Chris, I'll let you pronounce it yourself. But Chris, you and I work together at the bank. You are on our SOC team in our IS department. So, Chris, the floor is yours. Why don't you tell the people who you are and where you're coming from and where you're at. So, floor is yours, my man.

    Chris: 2:45

    Thanks guys. Yeah, it's Chris Voy Taitz, pronounced with a V,

    Pat: 2:50

    See, look at that.

    Chris: 2:51

    but not spelled like that. Spelled with a W. Yeah. Hey, thanks for having me on, guys. No, I've been a SOC engineer now for about six years. I am kind of an older guy, so I have kind of an IT background before that. Graduated from Temple University here in the Philly area, and in the nineties became a network consultant right away. Worked on the old Novell network platform, which,

    Pat: 3:16

    Nice.

    Chris: 3:17

    yeah, I'm going back a ways, guys, but the best thing I can say about that is Novell invented Active Directory before Microsoft appropriated it.

    Pat: 3:28

    Stole it.

    Chris: 3:29

    before they, yeah, exactly. I don't know how much you guys, Microsoft bash here, but

    Pat: 3:34

    We bash it all. There's no safe space here.

    Chris: 3:36

    Cool.

    Pat: 3:37

    we call it like we see it, so it's all good.

    Chris: 3:39

    No,

    Alex: 3:39

    we're still, pat and I aren't the youngest. I mean, we go back a little bit,

    Chris: 3:43

    cool.

    Pat: 3:44

    yeah.

    Alex: 3:45

    like I considered getting a CNA. So I mean,

    Chris: 3:49

    Oh, there you go. Certified network administrator,

    Alex: 3:52

    been in

    Pat: 3:53

    There you go. Yeah. Right, right. Yep.

    Chris: 3:57

    got a CNA in version three. I think, as I remember, 3.11 was the big one in the late nineties. But I'll never forget in the early two thousands when I moved more into a Microsoft area, I kept hearing about this Active Directory and I'm like, this forest and trees thing reminds me of Novell, so, kind of funny. But then I went to work for a large pharmaceutical company and I was there for about 15 years and did all types of IT infrastructure roles. Really good job. Kept moving around: software deployment, email team. Actually the email team was when I first started doing kind of security work, cybersecurity investigations. It was actually internal employee investigations. And you know, some of the things these employees were doing, you're doing that at work? Anything you can imagine, and they'd come to

    Alex: 4:49

    I have a terrible imagination. So what are some of the worst that are still PG enough to say on a podcast?

    Chris: 4:56

    One employee was storing explosives underneath his desk. Yeah. And they want their mailbox and, you know, all the proof that led up to this and everything like that. A very common one was a married manager with a married subordinate. A mix of males and females, doesn't matter. And it was funny, they would come to me and say, give me these two people's mailboxes for two weeks. And I would just do that and my job was done.

    Alex: 5:26

    Oh yeah, that's enough to start the rumor mill for

    Pat: 5:29

    Yeah, buddy. Yeah.

    Chris: 5:33

    But actually, I found that kind of stuff interesting. It's kind of like being a detective, and that's the core of why I enjoy cybersecurity today. But after that, speaking of layoffs, Alex, I was part of a two-to-three-hundred IT person layoff about eight years ago, nine years ago from this pharmaceutical company. And it was the old "they're opening up an offshore center" that replaced all of our jobs. I don't know if that theme is still common today. It's cheaper for a European call center than here in the US, and then they kept people on to train those folks, so,

    Pat: 6:09

    Sure.

    Chris: 6:10

    but this is the way large companies act. So I moved on from that and I did a couple contract works. I really decided at the time I really liked Cisco network engineering. So I got my CCNA, it was about seven years ago, and as I was working in that, I started getting more interested in cyber. Personally I would be reading cybersecurity books. A big original author of mine was Kevin Mitnick, who's one of the OG hackers from a long time ago. He works for KnowBe4 right now, which is a phishing email company. And he wrote a series of excellent books, like The Art of Invisibility, The Art of Deception, and all types of things. So I really started getting interested in that, and I think one of my contracts ended and then a banking cybersecurity position came up, not with my current bank. And they needed some temporary help, a guy there was out for several months. So they took me on for six months. I loved it. I was kind of raw, you come to cybersecurity with an IT approach and you kind of have to forget that IT approach a little bit and just think more of security and cyber. So after I learned about SIEM tools and incident response and investigations and documenting stuff and log review and all the stuff that cyber folks do, then that contract ended and I was immediately picked up by Customers Bank, luckily as a direct employee instead of a contractor. They're really into contractors these days. Pat, I know you know what I'm talking about here,

    Pat: 7:44

    Yep. Yep, for sure.

    Chris: 7:46

    they want to try people out as contractors first.

    Pat: 7:50

    try before you buy. Oh Yeah,

    Chris: 7:54

    But no, I've been there for about four or five years now, and it's been fantastic. It's like a daily challenge. I've been a SOC engineer using about 15 or 20 different tools, and what I've really learned is the wide breadth of the position. A lot of IT folks just specialize in, they're the AD guy or they're the Cisco guy. But cyber people have to know like every single tool, every single subnet, how applications work, APIs, cloud, everything. And that's been a real challenge. It's certainly something where you deal with several emergencies every day and you kind of have to work through them. You get help if you need it. And then management comes in with some customer requests, and it's certainly always interesting. Definitely.

    Alex: 8:45

    For sure.

    Pat: 8:47

    Yep.

    Alex: 8:49

    Yeah. And I'll be honest, when someone says they're part of a SOC, security operations center, I guess the first thing in my mind I think about is just firewalls. But I guess there's just so much more to it. Can you kinda give us a quick rundown of what a day-to-day would look like? Maybe that's tough to do, maybe like a normal week. What are some of the devices and tools that you're touching on a weekly basis? The most common things?

    Chris: 9:22

    Actually, that was what I was originally hired for, because I had Cisco firewall knowledge. And that's when I came on and I expanded into network security a little bit, but honestly, I've handled all types of different pieces of a SOC. Obviously a lot of it is incidents. And using all your tools to correlate problems and put different pieces together of an incident and detect incidents. I've worked on a whole bunch of incidents and stuff that I've found. I've worked on malware-infected desktops and laptops, and I've just worked on all types of crazy problems. But there are different, I was gonna talk to this, there are lots of different roles in a SOC. One very important one is vulnerability management. Tools like Tenable, Nessus, Qualys. There's other scanning tools like that. That's a very important part of a SOC, because again, a SOC is a lot of monitoring. First off, besides the actual incident response, vulnerability management is, you're detecting something unpatched in the wild, malware in the wild, and their advice is have this Microsoft patch 6.x or higher. And we check our current version levels and some of 'em are at 5.x and we're like, all right,

    Pat: 10:41

    Yep.

    Chris: 10:42

    drop everything and patch that. So, yeah, vulnerability management is like a full-time job in itself. And in various job reviews I've done over the years I've seen dedicated vulnerability management positions, cause that's very important, just to make sure all of the software, all of the infrastructure, is patched.

    Alex: 11:07

    And at least with your role, once you identify these vulnerabilities, are you the one that has to ultimately patch them or you're having to track down the groups and kinda hound them until it's done?

    Chris: 11:20

    Well, a lot of companies are set up where cybersecurity is monitoring, and then the actual IT group are the ones that actually apply the patches. I don't know, Alex, if that's the way it is at Disney, that the cyber group is strictly for monitoring and they don't have global admin access at all. So they just make recommendations that the IT group has to follow,

    Alex: 11:47

    So you could be the most hated group in the entire company, at least when it comes to IT. You make every other team's life

    Chris: 11:55

    my God. You're exactly right. You're exactly right, Alex. Oh my God. No,

    Alex: 12:00

    got a project, they're celebrating cuz everything went in without a hitch. And then they're told like 24 hours later that it's got 237 vulnerabilities. Oh.

    Chris: 12:13

    Exactly. And the unfortunate position is, because a SOC is so much monitoring, we give IT and a lot of other groups work to do. And sometimes we get requests back to us, and projects and stuff. That's another thing that makes the job fun. We work on projects and software analysis and development. But no, we're always coming around asking IT to do something, and I'm sure that gets old for them very quickly.

    Pat: 12:43

    Well, Chris, it was good to talk to you. We gotta get outta here now. No, I'm just kidding.

    Chris: 12:46

    hello. Hello.

    Pat: 12:48

    Yeah, exactly. You're also the Department of No. I've heard the security departments are also the Department of No. It's like, oh, can I do this? Could I install this program? Everybody's like, no. It's like you just walk around with a big stamp just going no. Just denying everybody.

    Chris: 13:01

    Oh yeah, and that goes across the board with software, risky software, and websites that employees want to visit that are malicious or

    Pat: 13:13

    Yeah. Right. Not a business need. Yeah.

    Chris: 13:16

    Yeah. Exactly. We've gotten some crazy ones with firearm sites and stuff like that. It's like, there's no business reason for this.

    Pat: 13:25

    Be.

    Chris: 13:26

    Yeah. But I hope that answers your question, Alex.

    Pat: 13:30

    Yeah.

    Alex: 13:31

    So do teams often come to you, or ever come to you, before they do a big project to kind of get cybersecurity's blessing before they go about a large project?

    Chris: 13:42

    Yes. Yes, they do. Especially if the project involves brand new software to the bank. Our team has a new vendor software analysis process that is very detailed. Even the history of this new vendor, if they've ever been involved in any cyber incidents or anything like that. So they really have to have a set stamp of approval. Now that might be more financial company specific, cause we go through audits for federal and state, and everything has to be kind of certified and approved by the audit department.

    Alex: 14:20

    Gotcha. Yeah, that makes sense. All right, well, I have one question that I definitely want to touch on before the end of this conversation, but it is on a completely different wavelength. So I'll let Pat suggest any follow-up questions before I do it.

    Pat: 14:37

    Now I'm just trying to think of, so typically, and I guess this depends on the size of your company, but what's a typical size of a SOC? Is there a steadfast number? Is it 10, is it 20? Is it 50? Whatever. Now, obviously that's gonna depend on size, but you know, what's a good average as far as like, how many bodies do you have, the ratio of bodies to what you're monitoring, or how many endpoints?

    Chris: 15:01

    I'd say for most smaller to medium size companies, it's about five to 10 people. A mix of analysts and engineers and the vulnerability management person, as I mentioned. There's other people too who are more threat intel, threat feed. They go onto the dark web and see if our company's been mentioned or not, and take actions from there. And I think Telegram is one, something like Skype, that is used a lot by malicious folks. And so we have people monitoring that. And that goes into domain typosquatting as well, where they change your domain a little bit and then they send phishing emails and other stuff from that. There's so many examples of it. But so our team tries to investigate things before they hit us. But yeah, with larger companies, Pat, they have like a vulnerability management department and then they have an incident response investigation department. So they have like five to 10 people in each of those departments, cuz you know, it's usually a global scope.

    Pat: 16:16

    Sure. Sure. And then you said some of the tools and whatnot, right? So, a lot of Nessus or Tenable, or Qualys is another one that I've had. I've worked at a couple places, they do Qualys, internal scanning and all that kind of stuff. So, any others that you can kind of think of that are sort of the forefront of what somebody in a SOC would use?

    Chris: 16:34

    Definitely. Well, really the core of a SOC team is the SIEM tool, S-I-E-M, which is security incident, event monitor. A lot of those tools are like Splunk. Splunk is kind of the industry leader

    Pat: 16:49

    The big boy in the room? Yeah.

    Chris: 16:51

    Yeah. There's other ones like LogRhythm and several others. Competitors, oh, Microsoft has Sentinel One, if you've ever heard of it. That's their SIEM tool. And all that is, is just a huge data gatherer from tons of different sources. And it all kind of crystallizes it into one searchable, I'm not gonna say database, but one searchable location. There's queries and dashboards and reporting that you create from the SIEM tool, with which you can practically do anything custom. Frequently management will have, what about this tool, and who got into this during this custom timeframe? And there's a query language in all SIEM tools that you can just punch up custom scripts in and pull in anything custom. But most times it's just used for monitoring and reporting and definitely alerting. There's a ton of different alerts and detections that you have in your SIEM tool, and we have an on-call rotation, which monitors all of those. And most of the alerts do come from the SIEM tool.

    Pat: 18:03

    Okay.

    Chris: 18:03

    There's other tools like monitoring your network infrastructure, as Pat knows, managing alerting on your firewalls, or if anything's down or if anything is being DDoSed. That's a big thing. There's WAFs, web application firewalls like Imperva and Cloudflare. We have to monitor those too. Those mainly, besides filtering web traffic, they mainly defend against DDoS attacks, volume attacks, trying to shut down a website.

    Pat: 18:32

    Sure. If I could just back up for a minute to the phishing attempts and the domain squatting and things of that nature. Truth be told, when I was at a company a couple years back, they used Kevin Mitnick's same thing, KnowBe4, that training that he does, or that company that he owns or whatnot. And basically it's an internal cyber-awareness kind of thing, blah, blah, blah. And they would send test phishing emails to places and see who they actually catch, like internal employees. And I was there like a couple of weeks and they had this thing, which was actually kind of cool. I forget what the heck they called it. Kago or Ka Joe, something like that. Basically it was like a kudos thing. Like, Hey, Chris, you helped me out the other week. Way to go. Nice job, blah, blah, blah. And so basically you accrued so many of them and then they threw you like an Amazon gift card or something of value, that kind of thing. And so they sent me a phish attack and it said, Hey, your boss sent you a kudos. Click on this link to see it. And I clicked the link and

    Chris: 19:35

    And

    Pat: 19:35

    it says, oh yeah, you need to log into your O365 to see the blah, blah, blah. And I did. And it was like, oh, you've been caught. This is a phishing attempt. I'm like, oh, no. My ego got in the way. I was like, wait, I'm getting kudos, out of the way, let me get that thing. It was,

    Chris: 19:50

    Yeah.

    Pat: 19:51

    I was like, everybody move out, that kinda thing. And it was a phishing attempt, and I was like, oh, you idiot. Sure, the senior network engineer's been here like a couple of months, the first phishing attempt that's thrown out there, he gets caught on the hook. I'm like, that looks great,

    Chris: 20:05

    Oh boy. Yeah. And you just named it, Pat, that's the most common type of attempt in a phishing email: credential harvesting.

    Pat: 20:14

    I was so mad. I was like, oh, I'm such an idiot, that kind of thing. But it was an internal test. And we get them now where we are at the bank, and I have not failed one yet. So knock on wood.

    Chris: 20:23

    You learn your

    Pat: 20:24

    a thousand so far. Yeah. Like, Hey Chris, open this link. That's actually a phish. You were there.

    Chris: 20:30

    Yeah. No, a lot of different companies use products like KnowBe4 for monthly campaigns, and our team has some fun with that, developing what's the latest campaign that we can test the employees with. KnowBe4 is cool because then, if you as an employee fail the phishing email test, you can get training assigned to you again,

    Pat: 20:52

    And we all love that, right? Extra work, extra training.

    Chris: 20:55

    Some of those phishing tools don't offer training, but I mean, they say your employees are your best defense here, not to fall for stuff. So some employees go through that training several times and,

    Pat: 21:08

    Yeah,

    Chris: 21:09

    trying to get it through their

    Pat: 21:10

    Yeah. Knocking in the old head. Yeah. No, I hear you. I hear you. No, I hear you. Alex, do you have anything? You have any questions there?

    Alex: 21:18

    Well, it's funny that you went back to that topic, because I wanted to interject and ask about phishing emails specifically, and I was curious if they've been doing that themselves. Like if you within the bank have been sending out phishing emails just to see who falls prey to that.

    Pat: 21:36

    Yep.

    Alex: 21:37

    I didn't know about your story, Pat. Shame on you.

    Pat: 21:40

    I know. Shame on me. I know. Oh, no. Oh, like hanging my head.

    Chris: 21:45

    You can see it worked. He's never fallen for another one ever again. How long ago was that?

    Pat: 21:49

    This is like two years ago, something like that. Like it

    Alex: 21:52

    and he is no longer with that company, so it definitely

    Pat: 21:54

    No longer with them. Yeah. Like, how'd you fail the first time? Get outta here, you bum, kinda thing. But no, it's very easy. And actually I'll mention something. I won't mention his name, but he is on my team now. Well, my first couple of weeks on the job, he actually fell for one. It was disguised as a WebEx, a WebEx meet, and it came through and it came from our boss, that kind of thing. And he clicked it, and it was a phishing one. He got mad. He was so mad at himself. If he listens to this, he knows who he is, that kinda thing. But, oh man, he was so mad at himself. He's like, oh, that really looked legit. But like, he took screenshots and sent it to everybody. Like, look at this link. Look at this email. It looks so legit. Oh, he was mad. But it happens, man. It happens easy. It's quick.

    Alex: 22:43

    Yeah.

    Chris: 22:44

    That's the power of a KnowBe4, where they can customize it. They can personalize it to you. Not just with, like, my boss sending me something, but they can even really apply it to a project you're working on. Another common thing with phishing campaigns is anything topical. Like you were mentioning your March Madness thing. We've done that one before in previous years, where right before March Madness, when it's all in the news, we'll send something, and we get people like that, cause you immediately associate, well, I've been hearing about March Madness and here's an email about it. You,

    Pat: 23:20

    Sure. Bunch of snakes, lemme tell you. Jesus.

    Chris: 23:24

    Social engineering,

    Alex: 23:25

    A Disney VP sent out an email recently to several of us asking about filling out a March Madness bracket, and my very first thought was, this is a phish email. I later found out that it wasn't, but that was my immediate

    Chris: 23:39

    Oh,

    Alex: 23:39

    like, wait a second.

    Pat: 23:41

    Oh, that's,

    Chris: 23:43

    crazy, huh?

    Alex: 23:45

    So, yeah, and I feel like maybe they should have different tiers of phishing email levels if they're gonna do it internally, like the people who fall for the really good ones and then the other people that fall for an email sent from your domain that is just so radically wrong. So like,

    Chris: 24:04

    It all depends on the recipient's knowledge, right?

    Pat: 24:09

    That's pretty much it. I'll tell you, I bet a lot of people fall for it. I really do. Like, I'm so gung-ho on it now. I report phishing on almost anything that's even remotely questionable, and people are probably like, that's not a phish, that was just spam or that was just, you know, somebody, because I get hit so often from salespeople that just land in my work email account, trying to sell me something. I'm just like, phish. I don't

    Alex: 24:30

    Next project you don't feel like doing, just tag it as phishing.

    Pat: 24:33

    Oh,

    Chris: 24:34

    yeah. There you go.

    Pat: 24:35

    Yeah. Would you like to look at our D aacp offering? Phish. Phish. Yeah, go there. What's your iPad look like? Phish. Get outta here. I don't want to hear this. Yeah. Oh yeah. That's crazy. Chris, have you done anything with like a red team, blue team, like active hacking or anything? Anything like that? Or has it just been more on the monitoring side, or,

    Chris: 24:58

    Yes, I have. I'll speak kind of generally to that, but you know, the role I play is always the blue team. We actually have and had some red team folks on our team, and we've also employed pen testers from various vendors. And they've done the same thing. And we've done testing on that. And that's one thing I've worked on for years, pen test findings: fix this and tighten up that. But red team is pretty interesting. I probably have a note on that. It's funny, I've worked with it a lot. I've worked with red teamers, guys who have been hackers for years. And sometimes they've had contact with the government, if you know what I mean, because of their actions.

    Pat: 25:45

    Sure.

    Chris: 25:45

    But one thing, when I meet newbies or people who want to get into cybersecurity, they all want to be a pen tester, like a red teamer, cuz

    Pat: 25:54

    Yeah. That's the sexy side,

    Chris: 25:56

    Yeah, I was gonna use that word, Pat. The sexiest. Yeah, yeah. But I kind of have to be patient with them and say, you have to be an expert. IT knowledge expert, coder, scripter, you have to have a deep knowledge to be an effective pen tester, because I've seen before where pen testers break something in a client's network, and that's like a big no-no. But no, it's, uh, I guess

    Alex: 26:23

    That's them doing their job. See,

    Chris: 26:25

    yeah,

    Alex: 26:25

    you guys

    Pat: 26:26

    See, you guys are all busted.

    Chris: 26:29

    I guess the pen tester can say that. Well, look, see what I did, you know?

    Pat: 26:33

    Yeah. You're lucky. It was just me and not some really bad

    Chris: 26:37

    Yeah,

    Alex: 26:37

    I literally clicked your website's URL a few times pretty quickly.

    Chris: 26:42

    Yeah. But I guess the point there is that you have to have a couple years of red team experience to really be a good pen tester, and these folks just wanna come right in and be a pen tester right away. I don't know, it's just kind of unrealistic,

    Pat: 26:56

    yeah,

    Alex: 26:57

    That might be a good segue into talking about how someone actually gets into cybersecurity. It seems like, Pat, maybe you're getting ready to ask a question, so before we go on to another topic, see if there was something you wanted to say.

    Pat: 27:10

    No, I just wanted to say, from an internal perspective too, and I'll give a little blurb here. From an internal perspective, there's just as much, I should say, information security, least privilege, that sort of thing, internal inside the company as there is trying to keep outsiders from coming in, right? So you have to wrap your security from both angles, right? From an outside-in perspective and from an inside-to-inside perspective as well. I will mention these are not any of the companies I've worked at. I know someone that actually works at a healthcare facility that stumbled upon people's salaries in a shared drive. It was literally on a shared drive for everyone to see, and she stumbled upon it. It was there in an Excel spreadsheet. It was her and her team and what they all make, and it's just like, oh my, that kind of thing. So there's that as well, as far as keeping all that stuff under lock and key from an internal perspective, let alone worrying about the outside guys beating on the firewall and eventually breaking it down too. So there's two sides of that coin. I would suspect you have the same ideology there, Chris, as well, as far as least privilege. People only get access to what they absolutely need to do their jobs and no more, no less, kind of thing. Right?

    Chris: 28:29

    Yeah. And that's kind of another buzzword, Pat, in recent years: Zero Trust,

    Pat: 28:34

    Zero trust. Sure.

    Chris: 28:35

    and we kind of laugh at vendors because they call up and they say, I have Zero Trust software for you.

    Pat: 28:41

    Yeah.

    Chris: 28:41

    No, Zero Trust isn't

    Pat: 28:42

    That's a marketing term,

    Chris: 28:44

    It's a framework.

    Pat: 28:45

    Right.

    Chris: 28:46

    Not software,

    Pat: 28:46

    Right? Yeah. Zero Trust is basically a marketing term at this point in the game. You have to decide what kind of Zero Trust you actually need and then go from there,

    Chris: 28:56

    Exactly, but

    Pat: 28:57

    go ahead, Chris.

    Chris: 28:58

    To answer your question, a good amount of the people I work with are ex-IT people. I followed that track and a lot of my coworkers did. Some people came in without any IT experience and they're very good cyber people on our team now. But I was gonna share a good cyber career tracker site, if this applies here,

    Pat: 29:21

    Hit me with it.

    Chris: 29:22

    I just chatted it to you. It's cyberseek.org, and that shows various sub-careers in cybersecurity and how you start with them and what certs you should get. If that URL is good,

    Pat: 29:35

    Yep, it is. I'm looking at it now. Yeah.

    Chris: 29:38

    Yeah. It shows really key jobs within cybersecurity, common transition opportunities, even like salary information, which is kind of interesting, and skill sets. But yeah, most people start with an IT knowledge, and even help desk folks can transition into a SOC with several months of training and experience. And of course the certifications always help: the CompTIA certs, Network+ and Security+. CISSP is more for like a management and an overall type of cybersecurity person. But there's a ton of certs out there, as you guys know.

    Pat: 30:14

Sure. Yeah, that was sort of my question too, from a cert perspective, if somebody's got nothing. And then basically you're looking to get into the, because you're right, on the IT side of things, cybersecurity is the sexier role, right? That kind of thing. They wanna go in there cuz they watch the Matrix a couple times, and it's like, ah, I wanna do that. That's pretty cool. Yeah.

    Chris: 30:33

    Yeah.

    Pat: 30:34

But no, I totally get it. And rightfully so. But it just feels like, from a knowledge perspective, I would think, and this is just me personally, I would think that they would need some sort of network background or at least a general network idea, right? Cuz you can't secure the network if you don't know how it works. Right? How does the packet get from A to B? Right? I would also say, obviously, the Security+, right? We're all big fans of CompTIA here and what they offer and that sort of thing. So Net+, Sec+, I would even say probably a little bit of Linux as well. Learn the Linux side of things, cuz literally half the world, almost three quarters of the world and the internet runs off of Linux on the backend. So you're gonna need some sort of Linux, or at least enough to get around the command shell, right? The command line and the shell, depending on what you're using. So those would be the big three for me as far as, okay, look, I wanna get into cybersecurity. Well, like you said, there's various roles inside that cybersecurity: pen test, vulnerability management, so forth and so forth. But I would think all of them would need some sort of network basis. Sec+ to wrap your heads around the types of attacks and threat actors and things of that nature. And then the Linux side to actually sit there and bash in the command line. So, I don't know your thoughts on that. Does that sound about right?

    Chris: 31:51

I would totally agree, Pat, and when I've advised newer people in this field before I would always say take Net+ first, that certification, learn your subnets and your site range and firewalls and et cetera. And then when you go into Sec+, you'll have that pretty much sealed up there. It's almost like Net+ is a prep for Sec+, but yeah, totally agree.

    Pat: 32:16

    Makes sense.

    Chris: 32:17

    To be a good cyber person, like I said earlier, you have to know the whole environment, you know,

    Pat: 32:21

    Yep.

    Chris: 32:22

It's more of a wide breadth of knowledge than being an expert. Like, I would love to be a deeper Splunk expert. I'm working on that, but you have to know so many, such a wide range of tools to do your job well.

    Pat: 32:37

    Yeah I would agree. I don't know. Alex, you wanna jump in? You got anything based off of that?

    Alex: 32:41

Well, I was gonna ask a similar question about certs. One thing that you mentioned, I did wanna highlight that cuz you mentioned the CISSP. I think that's a cert that a lot of people might have heard of. But you're saying that cert is more tailored towards management and maybe just like audits and like certifications, like, by certifications I mean more like,

    Pat: 33:03

Like ISO, that kind of thing.

    Alex: 33:05

SOC 2

    Pat: 33:06

Yeah. PCI. Yeah.

    Alex: 33:08

    things like that. That's more that role

    Chris: 33:11

Yeah. Um, I'm probably limiting it. I'm probably not describing it as wide as it is.

    Alex: 33:19

We just lost all our CISSP followers.

    Chris: 33:22

Yeah. Sorry guys. No. I think, I've known several people who've gotten that cert. I have not. But you don't really need an expert technical knowledge to get a CISSP certification. Um, like I said, it tests on a wide breadth of, oh my God, 12 different chapters, different, can't come up with the word, but it's more of a wide cyber knowledge than,

    Pat: 33:51

    Then deep. Yeah,

    Chris: 33:52

Rather than, you know, how to set firewall rules for better security. It's not really that

    Alex: 33:58

    Master of none.

    Pat: 34:00

    yeah. Right.

    Chris: 34:01

    almost like that.

    Pat: 34:03

    Yeah.

    Chris: 34:03

But CISSPs are really in demand. That's a popular one.

    Pat: 34:07

Yeah, it's popular. Shout out to my buddy Kevin, who got the CISSP a few years back, and dude's killing it over at, I forgot where he is at now, but yeah, he's just absolutely murdering the scene. It's just crazy. So shout out to him if he's listening. So

    Alex: 34:21

    we mention Certified Ethical Hacker yet?

    Pat: 34:24

CEH, no, I don't think we have.

    Alex: 34:27

    That was, that's still one that it seemed like it. It sounds so cool. So I think it's one that might interest people just based on the name of it, but is that one that you've seen come up in your team or one that you've kind of looked at the itinerary and thought that might be useful?

    Chris: 34:43

I haven't, I don't think I've met someone who's been a CEH. And I have worked with some red teamers and some vendor red teamers too. But not too much. I've heard about it, that, for those newbies who want to be pen testers or red teamers, hey, work on that CEH

    Alex: 35:00

what I was thinking, because I think it's meant to be about as intro as you can, about as beginner as you possibly can in this field. It seems like CEH is just, if you have never worked in this field before, you still have an opportunity to study for CEH and pass it, at least from my initial understanding. So I could see that

    Chris: 35:25

    I would agree.

    Alex: 35:27

    okay. All right. Yeah. Well, I think that's all I have then on the cert topic.

    Pat: 35:33

Yeah, that's interesting. Cuz from what I understand from the CEH part of it, and if there's anybody out there that knows a little bit more, feel free to hit us up. Cuz I'll be completely honest, I'm not super aware or in that space enough to really know, kind of thing. But it seems to me like a couple years ago the CEH kind of took a hit from a reputation perspective. Cause the EC-Council is the governing body of the CEH. They kind of lost some street cred, if you will, and the CEH went downhill with it or something of that nature. And I don't know if that may have rebounded in the last couple years, but there was some talk out there that really the EC-Council was doing some shady stuff, or I don't know if that's the right word, but it definitely lost some street cred. So I don't know if that's still the case or whatnot, but it sounds

    Alex: 36:20

    followers.

    Pat: 36:21

    I know. Yeah,

    Chris: 36:22

    Yeah.

    Pat: 36:23

it does sound cool. I'll tell you that the CEH, just Certified Ethical Hacker, that does sound pretty sexy, so I ain't gonna lie. So if you have knowledge about that, let us know. Cause that's kind of what I heard, but I really wasn't super close to it. So that may have just been me misinterpreting, but it's an interesting topic and interesting cert for sure. So I'm curious to see if anybody else has any thoughts on that. So kind of pivoting on that, Chris. I see cybersecurity is absolutely white hot, and I don't see it slowing down anytime soon as far as trying to get qualified bodies to fill these spots that are out there. Like I said, security teams are just blowing up at the seams. They just can't seem to hire enough people. But these places, I should say, these spots go vastly unfilled, but it's so hard to break into cyber. I don't know if that industry has a gatekeeping issue or what, or like everyone needs an expert and they don't have time for the rookies to kind of break in and get their feet wet. I mean, I guess you could say that about any sort of spot, but in cyber it seems to really kind of be, I don't wanna say bad, but it's got an issue where these places don't have time to teach the rookies and kind of bring 'em along. But normally, most of the time, right, your security team blows up after you've had an issue, right? And then they say, oh, we need to hire all these smart people. We need to have 'em hit the ground running. That sort of thing. And truth be told, juniors just don't have that hit the ground running mentality. Cause that's just not where they're at in their career.
So I guess I'd get your thoughts on some of that gatekeeping or what folks can kind of do to break down some of those walls or at least give themselves a fighting chance in the big world of cyber out there.

    Alex: 38:09

And maybe even another way to word it would be, at least with your team, do you feel like you would ever hire a junior level person that is fresh outta school? Or are you already ex... Oh, you would, okay.

    Chris: 38:23

Yeah. And we have, and I guess we've had the time to train them in the last few years. And mainly because I could say that there's a large grunt work of being in cyber: log review, generating reports. So, a lot of people getting into cyber don't realize that there's certainly a grunt work part of it that's really needed. And the more experienced people want to bring in the new analysts to take that on so they can move to the more interesting stuff.

    Alex: 38:57

    So maybe it's low retention rate cuz people go into it and go, oh, this is not nearly as cool as the Matrix. And I'm gonna go back to

    Chris: 39:05

    unfortunately that's the total reality, Alex. Yeah. But no boy, that's well, I know one thing is one thing that really helps new people is to have a really healthy curiosity about cybersecurity and always ask questions and follow a bunch of feeds various cyber websites. That's one good thing online is that there's a ton of cyber resources that you can, and training that you can take even in LinkedIn learning. There's a whole, I mean, you can certainly learn a lot. So that's what I would advise. I think even, they used to say, set up a test lab at home, but I think that's even kind of, that, that's good. And, these days they have online test labs. You can have at home cloud-based, but No I, I'll go back to just have a really healthy curiosity about what you're getting into and ask a lot of questions. Cyber management folks really like that. That, shows you're into it and you wanna learn more and take on different tasks and duties. So, if you're just getting into it just to, hang out and not really be interested in cyber that's not so great. I've

    Alex: 40:08

it's a promotion over help desk, or, they're like, yeah, not the way to do it. Okay. And then do the skills that you learn, we'll just use Customers Bank as an example. Cuz I'm coming from a networking background, so I kind of think to myself there's like three vendors that kind of run the show. And then the skillset that you learn at any company using those three vendors is easily transferable to any other company that might be using those three vendors, and even the three vendors are really similar. So do you kind of feel like the knowledge that you're using right here at Customers Bank and the rest of your team is easily transferable, or when you get to this type of position, because you have to cover so many different things, do you somehow feel like the skillset that you learn right here is just so tailor made for this network that it's not quite as easy to transition to somewhere else? Maybe, you know, not quite like a networking person would be able to.

    Chris: 41:09

Right. I'd say yes to both of your points. Well, yes, what is transferable is using common cyber tools, like a SIEM tool like Splunk, and there's Splunk jobs out there that you can transition to. But your second point is right as well. I mean, even if you're the most senior guy, you come into an environment, you really have to spend a couple months learning that environment and hoping that it's well documented, hoping that their asset inventory is accurate and up to date, their CMDB, things of that type. So I would say it's both really.

    Alex: 41:44

All right. And then I'll ask another kind of follow up question along the same lines. So, say for whatever reason there is a senior level, principal level position opened up on your team, what are the skills that you're expecting for that type of level? Are you going to make sure that they are just using the exact same tools that you're using right now? Cause that's the only way someone can come into your environment as a principal, or are there just very specific skill sets or just knowledge that they have to have at that level?

    Chris: 42:19

    I think a good technical knowledge is definitely something that we look for. And some of the interviews we've done, folks don't have cyber experience yet. But but no, a good technical knowledge and a good curiosity always helps.

    Alex: 42:35

    Some go-to interview questions. So if you're hiring a senior level guy, you got one. You got like two or three that come into your mind right away.

    Chris: 42:42

    Oh man. Yeah.

    Alex: 42:44

    I wanna know what I, if I wanna transition into this,

    Chris: 42:48

    oh, well, a very common, basic one is what is the CIA triad, which is confidential confidentiality. God, am I gonna get it wrong now?

    Alex: 42:59

    oh, man. I hope it's not common.

    Chris: 43:00

Yeah. But yeah, there's a lot of cyber questions you can ask, like the difference between a threat and various other types of risky behavior that you're seeing. Oh, the difference between a threat and a vulnerability, that was a good one. And then you're really testing them to see if they understand those things. And generally what they've done on their last job, and whether that's really led up to what we're looking for.

    Alex: 43:29

Okay. All right. And it seems like you struggled a little bit on that. So it may go back to what I think, where maybe cybersecurity is a difficult field to have a perfect skillset just to pick up and move from company to company. But yeah, interesting to know either way.

    Chris: 43:50

    I would say so. I mean, I guess your best hope is that, you you've used the same cyber tools that the new

    Alex: 43:56

    All right. Okay.

    Chris: 43:57

Looking for. Yeah. Another common question is the difference between an IDS versus an IPS, intrusion detection system versus an intrusion prevention system. And it gets pretty granular. But there's a whole bunch of questions out there.

    Alex: 44:12

Okay. All right. Well, I guess we'll punt it over to Pat again. I know we're getting pretty close here, and I like to end conversations talking about the future of the topic that we're talking about. But before we get to that, is there anything else that you wanted to cover, Pat?

    Pat: 44:27

No, that was pretty much it for me. That's all I kind of had. I definitely wanted to touch on the rookies coming in and kind of give them some general talking points and some direction. But no, that's all I really had. So, if you got any futuristic questions, have at it.

    Alex: 44:41

    Okay, well, I guess, we

    Chris: 44:43

    G

    Alex: 44:43

    will start

    Chris: 44:43

    P t, possibly chat,

    Alex: 44:44

Well, I try, every topic we talk about, I figure, like, how can I talk about ChatGPT? So does ChatGPT, in your mind, and maybe you haven't come across it yet because in the IT field, I mean, people know about it, but I still don't feel like it's being used very heavily by the average end user. But do you have any fears about ChatGPT fundamentally changing your job? Is it going to make things harder, easier? Is it going to give people the ability to do things that they couldn't do before that's gonna make your life harder?

    Chris: 45:20

I know that, gosh, it just feels like it came around like three months ago, right? I mean, it's crazy. But no, I just heard recently that a cybersecurity department blended that in as another resource into all of their cyber teams. And also we've talked about it on our team and how it can benefit us. One thing people have said is they've tried to use ChatGPT to write malware,

    Alex: 45:45

Right. And that's what I was thinking, like there's two sides of it. How can you use it to help with what you're doing, like, ChatGPT, how should I design this network or design this. But yeah, on the flip side, you have the exact same thing where people who may have a background in IT now, do they have a gateway now to get them over the hump of writing really malicious stuff? Before, they knew about it, but not enough to write the code. And now it's just like,

    Chris: 46:12

    Well, one of my coworkers tested that a lot and he said it was writing terrible malware.

    Alex: 46:19

it's not there yet. ChatGPT version five.

    Chris: 46:22

Yeah. Yeah. The malware wasn't really working, so,

    Pat: 46:25

    next week.

    Chris: 46:26

Yeah, I know. Good God. The next version. But no, just as a resource, I would say one thing I'd like to delve into myself is what's its advice on incident response. Because there's so many different steps to investigating an incident and correlating events, and I would see that being in use in a SOC where, ChatGPT, I've detected an incident and I've done four of the 10 steps that ChatGPT recommended. I could see that as a situation, and just to be extra thorough, so.

    Alex: 47:05

Like, ChatGPT, if you were in a position where you haven't slept much, it's two in the morning and this alert comes in, would you get up and fix the problem or leave it till tomorrow morning?

    Chris: 47:16

    Yeah. Well that's a great point, Alex. I mean, what's the severity? Determine the severity for me.

    Alex: 47:24

and then ChatGPT goes

    Pat: 47:26

    Sev one.

    Alex: 47:27

    If you're bored and you can't sleep, I would get up and look at it otherwise.

    Pat: 47:32

    How neurotic is your boss? Will he care

    Chris: 47:35

    yeah.

    Pat: 47:35

    If he really cares? Get up right now. If not.

    Alex: 47:38

and that's another thing with ChatGPT. I read about it every day. It's hard not to, if you're in IT. And that's another thing that I've seen people say is a better way to use ChatGPT is to give it more and more additional information to answer your question. So rather than just say, is this a valid threat, you can say, is this a valid threat for this type of business? And these are your end users. And so you can give it so much more detail for it to end up figuring out what it thinks is the best course of action.

    Chris: 48:10

Alex, would you consider it true AI though? Or is it just something that cranks out a bunch of scripted answers and it's not really AI, I don't

    Alex: 48:20

    world's best Googler at this

    Chris: 48:22

    Yeah,

    Alex: 48:22

is a very good skill. An incredible skill. I mean, before, the person that wrote the best essays was probably the person who could go through the library and get to the stuff they needed. Then it just turned into who can Google things the best. And yeah, now you just have a program that can Google better than any person in the world can

    Chris: 48:46

    Right.

    Alex: 48:47

    because it can't, it doesn't know anything that isn't already out there on the internet. It just can

    Chris: 48:51

a really powerful, is it really just a souped up Google search, or is it seems like it is more than that cuz it is interactive and you can build on questions like you said,

    Alex: 49:03

Yeah. It's the next evolution of, I don't wanna say of a search engine, but what the search engine gave people. This is the next evolution in just information gathering, where now you've got something that can do it even better is,

    Chris: 49:19

    Yeah.

    Alex: 49:21

so, okay. Well, I mean that's the ChatGPT stuff. Outside of just ChatGPT, is there anything else that you can kind of think of as the future of cybersecurity? Is there something that's keeping you up at night that's interesting?

    Chris: 49:33

I would say I gotta bring up cloud, because I'm an old on-prem data center guy, and in fact, I think there was a Cisco protocol at work recently which I had never heard of, and I looked it up and it was a SaaS offering. So I'm like, okay, I gotta get the cloud knowledge up to date here. But I mean, on a general level, it's a lot harder defending cloud, where you have all points of entry, instead of actually having a perimeter firewall that you would defend. So, I guess that's another piece of advice for newbies as well: learn Azure or AWS and how to defend that. But I would say cloud defense is a big one.

    Alex: 50:18

Does that ever make you concerned that cybersecurity roles might get limited? Cuz people might just rely on the baked in security that goes with being in AWS or in these clouds, because I'm sure they're gonna have their own offerings and people say, hey, there's the check bar,

    Chris: 50:35

    Yeah.

    Alex: 50:36

    AWS says, I'm secured.

    Chris: 50:38

I would say so. Yeah. There's always have to be people setting that up, but that could be IT people, but yeah, I would agree with that. Yeah. Honestly, I don't know how cyber, there'll be a lot more of a cloud emphasis, as I said. But I don't know how the roles will change. You'll still need analysts and engineers and other roles like that in the whole thing. But it should be interesting.

    Alex: 51:05

All right. All right. How about you, Pat? You got any follow up questions for the future of cybersecurity?

    Pat: 51:10

No, that was it. ChatGPT, we always seem to talk about that. So that

    Alex: 51:14

We might as well just put that's gonna be a topic going forward, the future of topic X, Y, Z, and ChatGPT.

    Pat: 51:21

    That's it.

    Chris: 51:22

Will this podcast devote parts one, two, and three, Pat, to ChatGPT?

    Pat: 51:31

    Oh, I've dabbled with it for this show, but nothing really nothing really to actually use yet. Yeah. Kind of thing, so I don't know. So, we'll see what happens, but it does seem to be a

    Alex: 51:39

plug in ChatGPT and pleasing it once it goes sentient and can start sending people over here

    Pat: 51:47

Some Skynet. Yeah, some Skynet shit going on right now with, I'm just gonna unplug this real quick. This is really weird, that kinda thing. Yeah, we're right around that hour mark. That's it. We like to keep it somewhere around the hour and make sure everybody's still with us and hasn't turned us off yet, so we appreciate that. So,

    Chris: 52:05

    it was interesting.

    Pat: 52:08

    Chris, do you wanna plug your LinkedIn? How can people find you?

    Chris: 52:11

Wojtowicz is not a common name, but I'm easily found on LinkedIn. If anybody wants to reach out with any questions or anything, it'll be a nice change from the usual vendor pile on

    Pat: 52:21

    There you go.

    Chris: 52:22

    LinkedIn people get

    Pat: 52:23

it's so bad. Actually, I'll put Chris's LinkedIn link in the show notes, so if family wants to talk to him, hit our show notes up and his LinkedIn profile will be there and you can chat to your little heart's content on anything SOC related. So,

    Chris: 52:40

    Thanks for having me on, guys. It was a

    Pat: 52:42

Yeah, man, this is great. Like I said, we're right around the hour mark. We want to keep it nice and short and get everybody on their way. So we appreciate everybody joining this week on this episode of Breaking Down the Bytes. Visit our website, breakingbytespod.io, where you can subscribe to the show on Apple Podcasts or Spotify, Google Podcasts, Stitcher. Or if you just need an RSS feed, that's there as well, so you never miss a show. Throw us a rating on Apple Podcasts, that's where a lot of our listeners come from, cuz that's what our stats tell us. So you're already there, you might as well throw us a rating and leave us a review. That fools with the algorithms and the Skynet of the world that are out there, and that helps with the show and gets it in front of more people, more ears, right? That's the idea of the show here. So, if you could do that, that'd be great. Tell a friend as well. Word of mouth is just as good these days, right? Sometimes I think it's even a little more effective than just letting something pick out a, hey, you might like this show. If you hear from somebody you trust and it's reliable, then I think that carries a little more water. So, go tell your friends about us. That'd be awesome. Follow us on LinkedIn, Twitter. There's a Facebook out there, Discord server. Our survey is still out there, so if you like what you hear or if you want to hear something different, let us know. There's a survey out there for you. I think it's like nine or 10 questions. We don't know who you are. It's completely anonymous. It just aggregates answers for us, I should say. And it just helps us tune the show to what people want to hear and keeps us going. Nobody's told us to stop yet, so we're gonna keep going until somebody does. So we can't help that. So again, thanks Chris. It's been awesome, man. Really good time.
Appreciate you hanging for a couple of minutes and talking some nerdy SOC stuff. So, that's it. Alex, you good man. We're outta here and we'll see everybody again next week. Thanks, everybody. See you next time.

    Chris: 54:25

    Bye-bye.
