Back by popular demand, I’ve interviewed a new group of women and non-males in information security for Spring 2018. I’m really honoured by all of the positive feedback I’ve been getting on this interview series since it launched in the fall of 2016. This series was even mentioned outside of the tech media during my appearance on a popular non-tech podcast, The Way With Anoa.
My first interview of the year is with Amanda Berlin, a Senior Security Analyst and co-author of Defensive Security Handbook by O’Reilly Media. Amanda is also a host of Brakeing Down Security podcast, a show I highly recommend you check out.
Kim Crawley: What do you do in cybersecurity? How did you get into it?
Amanda Berlin: Currently, I am a Senior Security Analyst for a MSSP company in Ann Arbor, Michigan. I do defensive security consulting, write, speak, train and podcast. I started in IT right after college at an ISP in the helpdesk, moved on to working in a hospital at the helpdesk, moved my way up to sysadmin and netadmin, and started focusing more on security about five years ago.
KC: Was there something about cybersecurity that inspired you to pursue it?
AB: Well, I had always had this fascination with “white hat hackers” and always had thought of it as kind of a pipe dream. What changed my mind was when our company had Dave Kennedy show up for a pentest when he was still working as a consultant for another firm. I had several people convincing me that I wasn’t smart enough to pursue it, and Dave let me know that was crap and I totally was. He gave me my first conference tickets to DerbyCon, and it was just all uphill from there.
KC: Do you think people told you that you weren’t smart enough because you’re a woman?
AB: I don’t think so. The people that did that were in my life at the time are like that to pretty much everyone. Rarely do I find someone that will treat me a different way just because I’m a woman. Most of them are really just horrible to everyone. One was a giant control freak, and the other was the textbook definition of a narcissist.
KC: I don’t recall being subject to sexism in my industry recently, but women still very often have to deal with it. Has sexism ever been a challenge for you in the tech industry in any way whatsoever?
AB: I’ve seen it a few times but have always done a good job at ignoring where it is coming from. I’ve had calls from tech contacts thinking I was a secretary who were surprised when I was the one going to be either helping them or troubleshooting the issue. I’ve always just been able to prove that I knew what I was doing by actually performing or just by dismissing them and conquering the issue myself. I’d say at least 95 percent of the time the quality of my work speaks for itself and has gotten me further than anything to do with my gender.
KC: What are some misconceptions people have about the nature of your work?
AB: That running any type of threat detection or SIEM is a one-time setup or a part-time job. They are both extremely complex systems, configurations and processes that pretty much need a constant eye on them. They are always in need of additions, tuning, and a full plan around the threats of each individual enterprise.
KC: Are SIEM correlation rules really frustrating to improve?
AB: For many things, they can be, yes. For example, an organization can correlate various security events like unusual port activities on routers and firewalls, suspicious DNS activity, signature matches from a web application firewall and IDS/IPS, and threats recognized from antivirus or endpoint solutions to detect a potential threat. But tying all of those together can be tedious and sometimes very difficult work. To ensure you have them correctly correlating, you have to duplicate one or more of those security events and have the correct logging turned on and ended up formatted in the right location. So, that includes change control, any approval needed to perform potentially malicious and disruptive activities (even if it’s a lab environment), and repetition of the activities or malicious events to make sure the correlation is actually working.
KC: SIEM is really complicated, and I’ve always just written about the theory of SIEM without having any real life experience using one. Thank you for enlightening me. What do you think some of the biggest cybersecurity problems are these days?
AB: I feel like I’m always learning more using one.
I think one of the biggest underlying problems is the technical debt that we all have. I’d guess that at least half of the companies out there barely even have a security program at all, and I wouldn’t be surprised if it were more than that. Factories, stores, businesses, all running on outdated hardware, with one admin running around putting out all of the fires. Technology exploded not too long ago, and it did so without security in mind. There was rarely any security built into the designs of the network, software, hardware, etc. It was just needed to be installed at such a quick rate that eventually everyone started looking back and realizing how much of a mess it all was. I’ve dealt with so many customers that are just starting to get off the ground with a security program. They finally ended up with a budget, bought some super expensive blinky boxes, and never started segmenting or patching.
Another issue is the skills shortage we have due to that massive tech debt. Not only do I think the kids graduating with cybersecurity degrees aren’t nearly prepared as they should be. (I mean, neither was I, but thought it would have gotten better in the last 15 years.) But it’s all such a fairly new concept in comparison that we have a lot of catching up to do.
KC: What do you think can be done to make cybersecurity education more accessible to the masses?
AB: I think there are a lot of people doing great things for education. There is Safari online, Codeacademy, Udemy, Cybrary, elearnsecurity…. I mean we do almost all of our work on a computer, so it’s great to have all of this online training out there. I think maybe the right people just don’t know about it. I’m no marketing genius, so I honestly have no idea how to get all of this info into the hands of the techies out there who don’t know it’s available or just haven’t thought of it yet. I try to do my part by talking about it to almost everyone. I mean two days ago, I had about a thirty minute conversation with my Uber driver on how to get into coding.
KC: I try to do my best by writing blog content for excellent cybersecurity companies such as Tripwire!
I read your Defensive Security Handbook a few months ago, and I really learned a lot from it. Please tell me how that book came about and what motivated you and your co-author Lee Brotherston.
AB: Well we were both tired of walking into jobs and them being complete and utter disasters. Flat networks, no patching, old operating systems, and really no idea on what to do for security. We’ve also heard all of our redteamer friends complain about these companies that aren’t prepared for a pentest. They give the same old “how did you not already know this” advice over and over again. Putting all of that together, we kind of realized that there was a big gap in knowledge for the simple best practices that are mostly free that someone can do before shelling out capital for other services or devices. We actually didn’t know each other prior to writing the book and only met after we had started it. Our publisher O’Reilly Media introduced us, as we kind of had the same idea at the same time for the book. It turned out really well, as we both had complimenting knowledge on a broad range of topics.
KC: What are some misconceptions people have about defensive security or blueteams specifically?
AB: That offensive security is cooler.
KC: It was a pleasure speaking with you, Amanda.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.