Mick Leach: Hello and welcome to SOC Unlocked: Tales from the Cybersecurity Frontline. I'm Mick Leach, your host and guide on this exciting journey into the SOC universe. In each episode, I chat with various cybersecurity professionals about the latest industry news, emerging threats, practical strategies to keep your organization safe and more. This week we are excited to have Mick Douglas.
Mick Douglas: Cool, well, thanks for having me Mick. It's nice that we have high availability of Micks. If we lose one Mick, we got another.
Mick Leach: Agreed, agreed. And I think being able to fail over in your Micks is probably the most important in terms of network security. So it's good we started off there. So again, I'm so glad to have you. When we considered putting this podcast together, I gotta be honest, the first name to jump into my mind was Mick Douglas. For those who don't know, Mick and I worked together for a little while, years ago now, but so I'm happy to have you.
Mick Douglas: Happy to be here and this is a hoot and can't wait to get chatting about this stuff, so hit me. What are some of the controversies because knowing you, you don't give the easy stuff this is a tough industry?
Mick Leach: Awesome. I got you. Indeed. No, no, no, we're gonna bring the heavy hitters right from the front here. Although before we jump into that, what I would love for you to do is tell us a little bit about yourself, what's your current role, how did you get here? Kind of maybe talk about your journey into cybersecurity.
Mick Douglas: So, hey everyone, my name is Mick Douglas. My Twitter handle is @BetterSafetyNet. And I came into cybersecurity through a fairly long and windy road. My undergrad was in telecommunications and I did systems and network administration at a long-distance company and an ISP for a while. And then after the dot-com crash, I went to work at a marketing firm where I helped manage very, very large server fleets. So like brands like apple.com, Hewlett Packard. I was the lead sysadmin that was running about a third of hewlettpackard.com. And yeah, it was a big gig. And the thing that actually nudged me into InfoSec was my very first pen test. And what happened was one of those very big names, actually it was another name, Victoria's Secret, and we managed a lot of their infrastructure and they had a pen test and this pen test report was horrible. They did have legit findings but they also had some things that were just nuts and I was so angry with how bad the pen test was that we fixed all the issues and then we did some honeypotting against the pen testers and then when they came back, I think it was like seven months later, they begged us to turn off some of the security controls that we implemented. And I was like, man, this is too much fun. And then, from there, I had a couple different gigs. And one of which was working with you, Mick, where we were rebooting the SOC at a very large insurance company.
The thing that got kind of weird is one of the main reasons that I left that gig was not you, Mick, contrary to popular opinion, was SANS at that point, so that they wanted me to start teaching about once a month. And that is really hard to work in corporate America where you're like, so I'm going to basically be gone a quarter. At which point I followed that dream and that ultimately led to me founding my own company InfoSec Innovations. And so we've been in business for almost seven years now and having a blast loving it.
Mick Leach: Well, time flies and I got to be honest, right? I've taken at least a dozen SANS courses now. I've had that tremendous privilege and honor. And one of those courses, I don't know if you'll remember, the SEC 550 course years ago now was taught by one Mick Douglas.
Mick Douglas: Yep, it was in San Diego. We were on the ground floor. You were sitting in the back of the room in the, to my right.
Mick Leach: That's right. That's right. Man. Boy.
Mick Douglas: Yeah. Yeah. If it's a good class, I remember the folks. It's really wild how it burns into your memory.
Mick Leach: Indeed, indeed. And it was a fantastic course. They ended up rebooting that course, I think, to keep me honest here, but it was an amazing course. And Mick is an amazing instructor. So thank you for that, for all of your contributions to the security community. I know that you are generous with both your time and your knowledge, which is why you jumped to mind when we started thinking about this.
Now let's jump into some of the questions today. Now, this podcast is really meant to be focused around security operations in particular. And I know that this is a place that's near and dear to your heart as it is to mine, because I've heard you speak many times on this. So what are the things, kind of start with a positive note, what are the things we're doing well today in terms of security operations that you're seeing across the board? And then maybe we'll start to unpack some of the challenges.
Mick Douglas: Well, so some of the things that we're getting better about is we're talking about the scope of the problem a lot better. I think that people have realized that the way a lot of the software and tooling in this space has been traditionally sold doesn't work. And so most organizations realize that getting the tool, getting those appliances in the network is really just the first third of the journey.
I love the fact that we're having a lot of clients saying like, hey, we got this thing now, how do we hot rod it? And that's amazing. I also think that we're, like there's some, we're just, gosh, we're thinking about the problem so much better now. If you look at some of the research that MITRE has done, now ATT&CK, the ATT&CK framework or matrix, it's awesome. But in my opinion, it kind of sucked all the oxygen out of the room. There's other projects that MITRE's done that are really, really cool. One that I love and it's still in beta is D3FEND. D3FEND is an amazing holistic approach. Even if it doesn't wind up becoming widely adopted, just the fact that it gives us a common and clean definition for what different technologies are, having that common vocabulary is a massive win. So you know there's a lot to hope for and you know it's easy to fixate on the negative but I think that year over year we're actually getting a lot better.
Mick Leach: I would agree having been in the cybersecurity operation space for about the last 12 years full time. I would agree. I've watched the maturity of a variety of organizations and I would argue the industry as a whole is going from, well, maybe we need a SIEM to yes, let's get a SIEM to let's figure out what the right things are to bring into that SIEM.
So that's what's been encouraging now to kind of touch, maybe transition a little more into some of the challenges today. You know, I'm hearing about alert fatigue constantly, frankly, for the last 10 years. We've talked about alert fatigue being a major problem. We've talked about the fidelity of those alerts. And there's a little thing called a talent gap, right? A shortage of folks in the security operation space. Where do you see those things today? Pardon me, what's the solution going forward?
Mick Douglas: Well, so let's talk about the talent gap thing. I think that the solve there is organizations kind of, in my opinion, need to realize that the SOC is the new HelpDesk, right? There's two types of people that get jobs. Like I came up from the HelpDesk and Mick, I would assume you did too.
As a certain vintage of IT person, you started at the HelpDesk, or you were a lifer. And so the lifers are lifers that's, good luck, God bless, you do your thing. But I think that what many cybersecurity organizations would be really wise to do is take an approach of, hey, you want to get into cybersecurity? You want to become a pen tester? You want to do this? You want to do that? Cool. Hey. Take a tour of duty or three at the SOC. Be with us for a year or three. You'll get trained up. You're gonna see how the attacks work, what they even feel like incoming, and you're gonna have a whole different approach, a whole different understanding of what this is versus the folks that are going to wherever.edu and getting some academic here's how you pen test.
Mick Leach: But let me stop you there, Mick, because if I look at LinkedIn, or Indeed, or Monster, if that's still around, and this shows you how long it's been since I've looked for a gig. All of those things tell me that you have to have three, four years of experience and half a dozen certs, and I have to have compromised Microsoft personally before I'm eligible for an entry-level SOC gig. What I hear you saying is that's not really the best way in, is that true?
Mick Douglas: Right, so you don't get in, like, you need to start thinking of pen testing as kind of like not an entry-level position. I mean, there are some entry-level pen testers, but those are very, very rare. Instead, what you need to start thinking about is what onramps you can get into an organization so that you can learn the basics. Once you have those fundamentals, you'll have the context, and then you won't be like that pen test company that gives me horrible findings. You'll be actually doing good quality work and helping people.
Mick Leach: I love it. I love it. So companies, I hope you're listening. What we're hearing is stop requiring like these crazy backgrounds for your entry-level SOC analysts, right? They should bring them in and let them learn on the job. That's certainly how I learned. I think that's probably, Mick, how you cut your teeth. So that's awesome. Okay. Now.
Everything I read, again, LinkedIn, if that's not a source of truth, I don't want to live in that world. So everything I read on LinkedIn today talks about AI being the future. And frankly, it's supposed to basically take the place of these entry-level SOC analysts. We just talked about what they need to be, where they come from. Now we're going to talk about, are they being replaced by AI?
Mick Douglas: Well, that's a very fraught conversation. I contend no. What you're going to be able to do is have the analysts do a little greater level of investigation. There's going to be a lot more automation and there's going to be better quality of care that they can provide. But I've not yet seen where we can wholesale replace analysts.
Now, if you're at a very large organization and you have a group of like 10 analysts, maybe one might go away. But to say that it's a wholesale replacement, like that just, that doesn't track with reality because we've, we've had greater automation year over year in this, in the SIEM space, especially. And, you know, you would think that if we were going to automate things away, we would have done it really much earlier. Like machine learning was a very interesting clipping point where the false positive rates started falling through the floor. Now, false positives are still way too high overall, but I just don't see how we're going to get away from the human. I just don't.
Mick Leach: Yeah. And I'll be honest, right? Mick and I don't always agree. In fact, we've had some rather passionate disagreements over drinks before, and that's okay, right? I think that's how we in the industry are. We're passionate about what we do, and that's okay. In this case, I would agree vehemently with Mick in that I think AI is not really coming for cybersecurity jobs, I think that people who can use or leverage AI are probably coming for your jobs. I think it's a tool like any other is where I come from at least. And so folks that know how to leverage it to its greatest capabilities, that's who's going to be taking those roles.
Mick Douglas: Absolutely.
Mick Leach: Okay, awesome. Okay, so diving forward, right? We talked about, we've actually covered a lot of ground in just a short period of time, but one of the other areas that I think is a constant discussion point in the security operations community is around automation and orchestration, right? I think that's the real efficiency play for us in security operations.
Tell me more about what you see in that space, what innovations you're seeing, any challenges, that sort of thing. Talk to me about automation and orchestration.
Mick Douglas: All right, this is where I think we're gonna deviate. I've not seen many changes. So this will surprise some folks, but we've had the ability to do automated response based off of telemetry for well over a decade at this point. In fact, I would say 15 years plus. So QRadar, prior to them being purchased by IBM, back when they were Q1 Labs, QRadar had the ability to do response based off of log telemetry. And it was kind of a pain to use, so few people did it.
Shortly afterwards, ArcSight had the ability to do automated response. And way back when I worked at dbold, we had our ArcSight instance tuned so if you were doing attacker behaviors, you got put into a script that we would fire and it would block your IP for like five minutes and after five minutes you would be allowed back to the site. And it was like for a regular user it might be an inconvenience, but for an attacker that was murder, or you'd have to like instantiate a whole bunch of sites and watch them all burn.
So I think that we haven't really learned. In fact, what my contention is that a lot of people are trying to press this easy button and have this security orchestration, automated response or SOAR solution that you can just drop into your environment and everything just magically is handled. And you don't want to do that. What you really want is a model. Now this is where we probably will come in alignment is what I prefer is when an alert comes in and it triggers, rather than just giving a bland, stupid alert to the analyst, what I do is post-alert enrichment where the SOAR will go in, do some additional queries, validate to the extent that it can, and then instead of having just a dumb alert, you have here's a little portfolio of why we think this thing is bad.
For bonus points, what you do then is in the alert, you give some buttons that are like smart actions that somebody can say, give me more logs, disable this user account, move that machine to a quarantine VLAN so that, and those steps by the way, would be fully automated. And the advantage that you have is lower drag, it's faster to do, and it's consistently repeatable because folks like myself, like I know how to put a machine into a quarantine VLAN. But if I'm doing that all day every day, I'm sure as the sun's coming up tomorrow, I am gonna make a mistake at some point and I'm gonna do something really dumb like, I'm gonna tell on myself. I once put a network gateway in the quarantine VLAN.
Mick Leach: Don't... No! Did anybody notice?
Mick Douglas: Yeah, but problems suck, right? Like, hey, Billy, I'm sorry you got a splinter, we're just gonna have to euthanize ya.
Mick Leach: Exactly. So let me get this straight. What I'm hearing from you is that for years, we've really as security professionals wanted it both ways, right? We wanted the tools to not only detect the problem, right? Detect the alert. We wanted it to really automatically respond to the alert. However, we wouldn't really let it do so. And... I mean, you and I have seen this firsthand, even back in our insurance days. We would see things where a user might be compromised or we see that a particular IP might be attacking us based on the amount of traffic we're seeing. And we would get the alert. And we had the ability to either, you know, suspend the user account or force a password change at the next login, or in the case of an IP address, we could shun that IP, we could block it, we could tarpit the IP. We had options, but we always stopped short of automating all the way into the response.
Mick Douglas: But that might be a real user but what if they're trying to buy the thing and they accidentally the finger slipped and they did a denial of service attack that happens right?
Mick Leach: My gosh, so often, right? So yes, these are the challenges we face today in that regard. So I agree with you in this that there are definitely solutions available to us today that we're just simply not taking full advantage of, right? I would argue most of the tooling that companies employ in their tech stack today, are somewhere in the range of 25 to 45% implemented and fully configured and ready to use. Do you argue with me?
Mick Douglas: You're going that high? I'm not even saying this to be controversial. I mean, some of the cloud ones maybe, but man, like I just see flat out busted integrators. Like the logs aren't being parsed correctly. You know, field names, my God, the number of times I go on site to a client or where I'm doing work remote, they're like, hold on, I got to give you the index field name key. Like, no, you need to normalize the field names across all the indexes, please and thank you, because like writing queries under like, I just, I'm assuming this is a family-friendly podcast, I want to use words that would exclude that rating. And furthermore, those words would be fully appropriate.
Mick Leach: Indeed, indeed. Okay, Mick, we are moving along quickly here. So let me do this. If someone can only take away one thing from this conversation, what would you have that be? What is the one thing that you really want folks to come away hearing in terms of security operations?
Mick Douglas: The main takeaway is that it's not the SIEM, it's how you use it. There's a couple products out there, like maybe one, two, that you can't really tune in. There's not much you can do. Everything else, it's up to you. Now, some of them might be a little more tricky to set up and maintain than others, but once you've done the initial deployment, your work really begins.
So making that SIEM fit your environment and building your workflows into the SIEM versus the other way around, you trying to fit your workflows into the SIEM, like that's nuts. If you can do that, your organization will be set up for success.
Mick Leach: Yeah, and what I'll tag on to the end of that really is just maybe it's a plug for you and your company as well as others that help with things like this. There's a reason my wife will not let me do electrician-level work at my house. I don't know what I'm doing, okay? I'm just being honest and if when I try, someone's going to get hurt and so she will keep me honest here and say, Mick, it's important that we bring in an expert to help with this. I don't need to hire an electrician to live in my house, but I may need to hire one to come in and help me with one thing.
And so my plug would be, don't be me. Don't get yourself hurt, right? Or your company hurt. In some of these areas, if you don't have the expertise, that's okay. We can't all know everything. And feel free, don't try and innovate in a vacuum or do everything on your own. Reach out. The security community has tons and tons of professionals that are willing to share best practices with you. But also, there are lots of really great companies that can come alongside you and help you in terms of contracting and those sorts of things, consultations. So take advantage of that. Don't try to do it all on your own either.
Mick Douglas: Yep, 100%. And that's actually a big part of what we do. So my company is primarily defense focused. We do a little bit of pen testing and vuln management for orgs, but our main bread and butter is taking your defensive stack and hot rodding it. And the main thing that you need to understand is that deploying a SIEM, getting it set up and running is a totally different experience than doing the day-to-day running and operation of it.
And all too often organizations say like, hey, there was a lot of effort to get this SIEM set up and running. And that's just getting on the dance floor. And a lot of people misunderstand that. They think, hey, I got the SIEM set up. Ooh, thank goodness the hard part's over. And when they say that to me, like, I'm just like, no. Like, we gotta have a chat. Because that was the easy bit. You know, the only easy day was yesterday in this space.
And so reach out to folks, you know, my company InfoSec Innovations, that's what we do. We're primarily focusing on Sentinel right now. And one of the things that we're trying to do to kind of sweep the leg against all the pen test SOC companies, like, you know, pen test puppy mills, SOC puppy mills that are out there. We have a one-click deployment utility that takes up, you know, once you're on the queue for the Azure instance, it'll take about two minutes for your Sentinel instance to deploy.
And the thing that's awesome about that is we want it to be so low-effort that if something went wrong or you don't like a setting, you can just nuke it from orbit, redeploy, fresh, shiny new, and not having to try to reheat that thing over and over again. Don't settle for mediocrity. If things are too tough with your SOC, things too tough with your SIEM, it's too tough and find somebody that can help make it a lot easier.
Mick Leach: Yeah, and I would also say that many SOCs I've been in, you know, we don't want to let the perfection, we don't want to let perfection be the enemy of good or good enough. And so continue to iterate, folks. Continue to do something a little bit better today. Continue to work and iterate and tune your alerts. It's like eating an elephant, right? It's just one bite at a time.
Mick Douglas: I thought that was a lot of hot sauce.
Mick Leach: That spoonful of sugar, if I understood the song right. At any rate, folks, I wanna say thank you to Mick Douglas, as well as Abnormal Security for allowing me to put this podcast on. And with that, folks, I'm Mick Leach reminding you all of our cyber defenders out there to keep fighting the good fight. You are the tip of the spear, so stay sharp. Thanks for tuning in. Don't forget to like and subscribe and check out our other SOC Unlocked episodes. We'll see you all next time. Thank you.