Mick Leach: Hello and welcome to SOC Unlocked: Tales from the Cybersecurity Frontline. I'm Mick Leach, your host and guide on this exciting journey into the SOC universe. In each episode, I chat with various cybersecurity professionals about the latest industry news, emerging threats, practical strategies to keep your organization safe, and more. And this week we are excited to have a friend of mine, Michael Vetri. Michael, welcome to the podcast.
Michael Vetri: Thank you, Mick. Really appreciate the invite. I'm excited to be here.
Mick Leach: Well, I'm excited to dig right into this. We have some dear friends in common who will no doubt be listening. So this will be a lot of fun to, you know, have this conversation. So before we dive too much deeper, let me ask you, would you just tell us a little bit about yourself, what your current role is and how did you get there?
Michael Vetri: Hi everybody, I'm Michael Vetri. I'm the director of security operations at a healthcare technology company. I just wanted to make sure that I clarify that any opinions or views expressed in this podcast are solely my own. They're my personal views and are in no way affiliated with my company or any other affiliates of mine. Thank you.
How I got here was a little bit of an unconventional route. A little over a decade ago, I was in Air Force pilot training, and everything was going pretty well. Then one day, I was doing some soul searching and discerning whether this was really what I wanted to do for the rest of my life, not only in the Air Force but also, you know, once I got out of the Air Force.
So I thought about it and, you know, I went through a reclassification and I found out from the vice wing commander at Laughlin that I would be going into cyber operations for my Air Force career. You know, going through that entire process was great. And it led to a lot of incredible opportunities. I started off with base operations at Edwards Air Force Base, and did a little bit of a career-broadening assignment where I was the curriculum developer and commandant of operations for New Mexico State Air Force ROTC and UTEP ROTC. So go Aggies, go Miners, giving a little shout-out there, Det 505. And then I finished up in San Antonio, Laughlin Air Force Base. So I did various assignments there ranging from the Air Force Cyber Defense Weapons System to being an executive officer to one of the most awesome leaders I've ever worked for, Colonel Kern.
I then finished up at the 16th Air Force as a senior duty officer, where I managed and oversaw all the OCO, defensive cyber ops, and network maintenance activity throughout the Air Force. So it was fantastic. It was an incredible opportunity. When I got out, I wanted to do the same thing I did in the Air Force, just on the outside, so I didn't have to bounce my family around every couple of years.
I got into the healthcare cyber defense niche on December 21, and I've been there ever since. So here I am today.
Mick Leach: That is awesome. I mean, what an amazing journey through the military. And folks, you know, we haven't touched on this a lot on this podcast, but rest assured, the military is a great way to get a ton of cyber training. If you can get into that kind of job field. I have a friend that I worked with at Nationwide who was an Army guy and went to Army Cyber Command.
And they sent him to something like six SANS courses in 12 weeks. I think he was doing a course one week and then an exam the following week, then another course and then another exam, through like six, culminating, I think, in the GSE. Amazing stuff. Michael, thank you for your service. I appreciate it. Even though it was the Air Force, as an Army guy, I have to say that. All kidding aside, Michael, we are grateful for your service.
Michael Vetri: It's okay, all of us are jealous of the Air Force, that's all right.
Mick Leach: I genuinely am. My daughter was considering the military at one point, and I was like, look, you should look really hard at the Air Force. It's awesome from what I hear from folks who are in it. Anyway, so thank you for your service. You were in pilot training. Those are the coolest guys on the block. They've got the aviators, they've got the styled hair, and you still have at least the styled hair. Just the coolest kids on the block. What did they think when you said, hey guys, this is fun and stuff, but I don't want to be an airline pilot the rest of my life when I get out of here and I'm thinking of something else? What did they say?
Michael Vetri: Right. It was a little bit of a mixed reception, and you know, I have all the respect in the world for all military pilots, all those that have answered the call to fly, whether it's cargo or passengers going into hostile territory, you know, their lives. It's a very admirable profession. But even at that time, at 23-ish years old, I knew one day I wanted to have a family. I've always been very family oriented, and I know I've heard plenty of stories when I was in pilot training about how it's not as glorious and sexy as the movies make it out to be. You're never going to see an Air Force or a Navy pilot crash land in the middle of hostile territory and drive off in an F4 like in Top Gun. It's never going to happen. But as far as the reception, it was mixed. Some of them did understand. Like, this isn't for everybody.
Others, you know, this is the culture way back in 2011, 2012. When that Vice Wing Commander told me, hey, you're going to be 17D, cyber operations, I was like, okay, that's cool. That was not my degree or even close to it in college, but all right. I was walking out of his office, and my flight instructor at that point already knew what I got. You know, he had just given the Vice Wing Commander the honor of notifying me of what it was going to be.
And I still remember the first words that were spoken to me by my flight instructor as soon as I walked out of that office were, Michael, I'm so sorry about cyber. If you need someone to talk to, let me know. You know, because that could be a thing, that maybe they didn't completely understand what cyber was all about. It was only 2011, 2012. You know, US Cyber Command was still a sub-unified command at the time. So it wasn't really one of the big dogs in the Air Force AFSC/MOS world. Lately, it's become a lot more significant. But back then, the top tier was all the pilots, and then there was everyone else. But they've come a long way since then.
Mick Leach: Yeah, yeah, absolutely. So quick question then. Have you ever thought about reaching out just to let him know, touch base: I'm OK. We're doing all right.
Michael Vetri: I still have some connections on my LinkedIn that were my pilot buddies, and you know, we chat every once in a while, and you know, I ask them, are you still okay? There have been some, you know, pilots who are still walking away from the Air Force and going to the outside world despite these extremely generous retention bonuses. So sometimes I worry a little bit more about how they're doing. You know, there is a pilot shortage. They're flying a lot more. It's a lot more strain on the family. So that's how it's transpired since then.
Mick Leach: Yeah, and you know, even as you were just talking there, I couldn't help but think about mental health being so critical in the military in particular. And I know this is way off, you know, what we were supposed to be talking about, but I think it's interesting. And I think there's value here. You know, how do you see it, is there a parallel in terms of the mental health strain because of the operational pace of things in the world of cyber, just as there is in the world of the military?
Michael Vetri: Yes, and the military has absolutely recognized that. I think the civilian world is starting to as well. For those out there who may be listening and who are a CISO or maybe want to become a CISO, it's obviously a very rewarding job. You learn quite a bit. However, there have been several studies that have found that 80% of CISOs say that they are overstressed since taking this job. They're definitely working more than 45-hour weeks. It's impacted their family life. And it really depends, as far as the rest of us, us directors or individual contributors, engineers, analysts, what field of cyber we're talking about.
So when I was in the Air Force and I was at the 16th Air Force, we had kind of like a risk management score sheet that we needed to fill out. And everything that applied to us coming into that day would mean a certain amount of more points. And if our points reached a certain threshold, then we kind of needed to talk to either the senior duty officer, or we had to talk to somebody higher if there were a lot of risk points that we came in with. So some of those things could be, you know, did you get enough sleep? Is there personal stuff, you know, going on? How long have you been on kind of a shift that's not the typical circadian rhythm for you? So, you know, you've got the days, the swings and the night shifts, you know, all kinds of stuff. Are there external projects that you're working on that may distract you from doing so?
The military, I'll give them a shout-out. They have done a fantastic job in making sure that those who are operating those cyber systems are at full strength, or as full strength as they can be, to make sure that no mistakes are made. But I think that's getting a lot more attention in the outside world. You see a lot more posts on LinkedIn about burnout or the inverse, the bore-out, where it's the same thing over and over and over again, and people are just chomping at the bit for the next career stepping stone. And even boredom can take a little bit of a toll on mental health, where it's the same thing over and over and over, and you feel like you're at a dead end. And that can be demotivating in the workplace.
Mick Leach: Yeah, absolutely. I mean, I've seen, and you probably have seen them as well, when you leave certain military posts, especially overseas, especially in hostile countries, there's often a sign that says something to the tune of "complacency kills." And I think there's a correlation in the cyber world, too, particularly for SOC analysts, who sometimes feel it can feel like Groundhog Day. I just wake up, I churn through a hundred different investigation tickets or whatever the case may be. And they're all very similar to the ones I looked at yesterday and last week. And so you can become somewhat numb and then miss something very important.
Michael Vetri: Absolutely. One of the ways to counter that, if you are feeling like, you know, I'm doing the same thing over and over and over again, that I've done in the past two civilian companies. If you're a manager, and if you're not a manager, then suggest it to your manager, is potentially a cross-training program. You know, if you're on the SIEM and the SOAR, or one of the two, every day and you're just, you know, plowing through, you know, alerts, a good amount of them false positives, you're not growing, and managers, if you're letting that happen, you're failing your team.
A manager's job is to develop their team to succeed in their job. A leader's job is to develop their team to succeed in their career. There is a huge differentiator there. So, if you have a bunch of folks that are just going through alerts all day, hey, try to see if the team would be interested in learning something else that's in the SOC. Maybe they want to learn digital or cloud forensics. Maybe see what the red team does, or launch, you know, the mandatory phishing campaigns and make them more believable, get them involved in threat intel, you know, so that takes care of them. That builds a greater skillset. And if, heaven forbid, let's be real, the tech layoffs lately are extremely real, if they fall victim to that, you're taking care of them so that they can hopefully land a job quicker instead of saying on their resume, all I did my entire time there was look at alerts. It doesn't offer anything else.
And that's one of the things I've done on my teams, not because I feel like there'll be a layoff. Our company has been very successful, but, you know, so that they feel like they have a greater sense of purpose. They can do more, and leaders, guess what? It builds not only your defense in depth but defense in personnel. You don't want to have the same one or two people who can manage each tool. If you're doing an investigation and then one day the big incident hits and it's like, my two experts, well, one's sick and the other is on PTO. So we're kind of dead in the water. And that's another thing it's crucial for managers and leaders to do, is to build that defense in personnel. We hear defense in depth all the time, but personnel is equally as important.
Mick Leach: Could not agree more. Well said, Michael. Thank you. Fantastic stuff. Yeah, cross-skilling. Because as you pointed out, you're leveling those people up. We're giving them some new skills. As leaders, it is our job to develop those that we're entrusted to lead. And that's a big portion of that. So I love it. I love it.
So let me move forward a little bit here and just ask, can we talk a little bit about, you know, past, present, future here. And so in terms of past, can you describe a particularly challenging cybersecurity threat or attack that you've encountered over the years and, maybe, how your team responded? Now I get it. We all have got to be kind of careful on what we say here, right? We don't want to implicate anything. No one wants to get sued over a podcast. Okay. Especially me. So, you know, but what can you share?
Michael Vetri: Right. Well, you're fine. Yes, what I can share, I'm just going to keep it very basic. You know, in a previous job I was at, we had a third-party tool that integrated with us. One of the things that was not discovered, I guess, during the bake-off or the vendor risk assessment, supplier risk assessment, or anything like that was that if an entity of that particular third party wanted to create something at an admin level, it was extremely permissive to do that. It didn't require much. And I can't go into details, but just trust me on this one. What that admin could also do is create other user accounts after it. You know, so now this supplier, this vendor that we were, you know, kind of invested in, next thing you know, there were fake users that were actually, of course, being launched by the malicious threat actor. They were getting in, trying to poke around. It was a heck of an incident.
My team, I want to say, lost two or three consecutive weekends in a row. So it was 19 to 21 straight days of getting all this out of here, trying to determine the root cause, looking over logs, you know, looking at some other ramifications according to the law. So it was not a fun time, but what we learned most out of it is really where we are the strongest in our analytics, and how well we can maintain organizational discipline in the heat of an incident. Because anybody who's listening can probably attest to the fact there was at least one time, probably many, in their career where there was a big significant incident and organization of information is, you know, at first the priority, but once you start learning more and more, next thing you know there's an Excel sheet, a CSV over here, a presentation over here, a document over here, and it's so easy to break access discipline with who should be able to see it, who can't, based on changing guidance as the incident evolves. That was one of the biggest takeaways of that incident, limiting things to a need-to-know and keeping it in a presentable fashion for upper leadership while down below we're scrambling to get, you know, all of the logs together in a digestible fashion.
Mick Leach: Yeah. And so how did you kind of manage that? Did you use it? We had a friend of mine on a few podcasts ago, Joe Morrissey, and his role is like an incident commander. And so his job is actually to be the one that kind of unites all of those disparate activities that are all occurring at the same time and make sure that we keep things in line, we don't have those kinds of lapses. Do you utilize that at your organization, or have you utilized that in the past?
Michael Vetri: Yes, so for the most part, we make sure that we adhere to the standard incident response model, whether you go by NIST, SANS, you name it, the whole PICERL model. We focused on, okay, what's the highest priority? How can we contain this first and stop the bleeding? I like to make a lot of medical analogies. All too often, how often do you see analysts go in and be like, let me see what happened, how did we get here in the first place?
Again, the medical analogy: if you're an emergency doc, an ER doc, and someone's coming in with a sucking chest wound, you're not going to be asking them, how did this happen? What did you do to get to this point? No, you're going to stop the bleeding, try to save a life, and then you figure it out afterward. It's a very similar parallel to cybersecurity. So you make sure the incident's contained, you assign roles on who's going to be gathering what logs, what you expect to discern from those logs, those insights, whatever you're looking at, the people you're going to be talking with, and you schedule those periodic updates with your leadership. The most important thing I have learned in my career with incident handling from a personal perspective is, and it's going to sound a little bit heretical out there for some of you managers, but set boundaries with your upper leadership.
There is nothing more irritating than you trying to get through an incident, trying to discern the logs, listen to the big important information your team's trying to give you, while at the same time, especially you work-from-home folks, you're getting pinged from leadership, ding, ding, ding. You know, "Michael, what's going on?" Nothing, I have been on this for 20 minutes. Upper leadership, if you're hearing this, let your incident handlers cook. You hired them for a reason. Let them get through what they need to get through and trust that they will let you know if there is anything significant. And if those boundaries are established and you have a good senior leadership team that can buy into it, it's going to make the incident process so much less stressful than it has to be. We were just talking about mental health. You're going to drive your incident handlers crazy if you incessantly, you know, are breathing down their neck while they're trying to get stuff done. You know.
Mick Leach: Yeah. I've seen this before. I'm so glad you brought this up. Where sometimes what we would do, in different organizations I've been in, is we would have two separate phone calls, right? So you'd have, and now there's Zoom calls, fine, or Teams, whatever, but you'd have like a technical investigative call underway, and then you'd have an executive call underway, where the incident commander, ideally, or someone tasked with communication, is relaying at set intervals information from one call to the other, right? From the technical, as things are uncovered, we share those details with the leadership call. And there have been a number of times that we had senior leaders saying, well, can you send me the link to that other call? I just want to be there. I want to hear it. I promise not to say anything. You're not going to be able to hold yourself to that, OK?
We cannot glue that mute button, so they will inevitably come off mute and start asking questions. As you said, how did this happen? Whose fault was it? Look, this is not the time. We can dig into that stuff later, but for now, we have to stop the bleeding, as you said, right? We have to contain this problem.
Michael Vetri: One of the simplest things you can do is just those regular updates, you know, give them what you know, what you don't know, what you still need to find out, what you've done, what you're about to do. You put that out there, right? That should answer most of their questions. And then, you know, you as the middle, maybe upper-level leadership, you're the one that translates everything that just happened to a business concern. Why should they care? They're probably gonna know why they care. But as the incident evolves, you may discern some additional information that made you realize we have a bigger problem than we initially realized. How many times do we go, okay, cool, we got the ransomware off the server, we're good now. Did you check everywhere else? It turns out it's in four other places and they all have this one thing in common. So it's important to explain that too.
Mick Leach: Yeah. Well, and I love some of the language that we use, in terms of malware being an infection. And you were using medical analogies earlier. I think there's a good analogy here to be heard as well, which is one of the concerns with an infection when you treat it: if you don't get it all, it will recur, right? It will reinfect you, and the same thing happens with malware. So yes, digging, digging, digging, making sure we find everything and get it contained properly is key. Yeah, well said.
All right, so moving forward here a little bit, what are some of the common misconceptions that you think people have about work being done in the SOC? Akin to that, what would you wish everyone knew about your role?
Michael Vetri: Right, so one of the things that needs to be understood when working in the SOC is that you'll see again in some of these movies or TV shows that incidents are going off left and right and it's this all hands and we all know how Hollywood is, it dramatizes a SOC. Now I don't want to create the inverse misperception that nothing's ever going on, but it really depends on what SOC you're talking about. If you're in an MSSP where you provide security for others, then there might be a little bit higher frequency of incidents. And then you have to think about, of all the incidents, how many do we actually have to notify the customer of? If you're in an in-house SOC, it might be a little bit less because you know the business extremely well, much better than an MSSP would know their business. So you know generally, okay, this kind of thing when a developer runs this, it triggers this certain alert, but it's really a false positive. I know what they're doing. MSSP might not, at least in the beginning stages.
So one thing that I want folks to know if they're thinking about taking on a SOC role, whether it's in-house or an MSSP, is you're inevitably going to deal with a ton of false positives. There are so many MSSPs out there, and I won't call out anyone in particular, but there are plenty out there that will claim we're gonna reduce your false positive rate by 98%, you know, we're going to do this. And it's all these false promises. And it's very bold of them to assume that they know your business already, because they already know what they're going to reduce your false positives to. So the other thing that's important to know in a SOC is, you know, it's important to know what the other roles in the SOC should be doing, for a lot better communication, a lot better streamlining of processes.
So if you're the analyst, you should generally know what you're going to get from the threat intel team. So that when you get these indicators of compromise, when you get these activity clusters, you start assembling these personas from the threat intel team. You know, when you see something again, wow, historically, we've seen that in the past. This looks like something they've done. They generally try to come through here, here, phishing attack. And you could be more proactively defending your company in the SOC. And that's just one example of knowing what the other roles should do. And then the last thing I would offer when you're going to work in a SOC is that you're going to run into several philosophies of what a SOC should be. And I'm fairly neutral on most of them. Some companies will tell you the best SOC is in person, you know, if you work in person, no work from home, because there's nothing like whiteboarding and, you know, solving the thing together as a team and being there in person. And there is value in that. But I have been working from home since 2021 and we have handled all incidents just fine.
We've got to make sure, there's still the risk of latency, connections, whatever. You've got the rest of your family out there that are streaming YouTube videos and you can't. So there are inherent risks, but I would ask folks that are listening to discern, not worry about what kind of SOC environment is the best, but to focus more on what is the mission of the SOC to begin with: to protect the company at all costs and to constantly show that you're doing a great job of it. I'm going to kind of give a very real, very strong reality right now, that security is typically, in some companies, not seen as the revenue-generating party, right? That's marketing, that's sales, that's all that stuff. So the SOC is not revenue generating, but I would argue it is profit generating, because a good SOC will reduce the amount of costs that might be spent handling an incident because we didn't give enough investment in security. So I would offer that perspective as well. Your job is to protect the company at all costs.
Mick Leach: Agreed. I've had some good leaders who were very successful in being able to articulate the value of a security operations organization through cost avoidance. And that's really an interesting approach to it, just to say, hey, gang, we were able to automate some things, and that saved this much time, then if you figure out how much we pay on average for a particular role, that saved us this much in what we, in the Nationwide days, would have called blue dollars, these notional internal dollars.
Michael Vetri: And that's another good point, you know, when we talk about cost avoidance and being able to, you know, make sure that we're quick enough that we don't cause an unnecessary, you know, monetary investment in something that could have been prevented. One of the things that you're going to need to also be proficient at when working in a SOC, believe it or not, for you introverts out there, is a little bit of customer service skills, because while you may not interact with a customer, if you're in an in-house SOC, your customer still can be someone else in the company. That could be a developer, an engineer, or something on one of your products. And if you don't articulate clearly, you know, hey, we need to fix this vulnerability, or you're causing these kinds of alerts, or what's going on here with these patterns of behavior, if you can't articulate that clearly, they're not going to take you seriously.
It's also a little bit of reputation building in a security team or security ops team to make sure that you're taking care of those folks that are also in the company, but not in security where, you know, you have some kind of security concern.
Mick Leach: Yeah, agreed. Soft skills are probably the most undervalued aspect of the SOC analyst. I think we always focus on the technical, but the soft skills are equally important because they're often the frontline folks that are reaching out to users to understand what they've seen in terms of logging. All right. This is unusual behavior. I am just going to reach out to this user, and when done badly, it comes across as an accusation. Users get defensive, HR gets called almost always, and you're answering some really awkward questions in a very small room.
Michael Vetri: Right. And that's especially very common in vulnerability management. And one of the things that, you know, we try to focus on is, you know, oftentimes people say, you know, to their product teams or whatever system owner, you've got to fix this critical vulnerability within, you know, two weeks. Why? Because that's the SLA, that's our policy. Well, that doesn't really get you buy-in. Now let me take it to the next level, where it's, well, this particular server connects to, or it has crown jewel data on it, or customer data. Are you sure you wanna wait around and risk it being compromised? And that gets a little bit more, then you get into the business level. Okay, if this is compromised, this is going to extremely degrade our reputation with our customers. It could result in an SEC 8-K filing. We really need to get on this. There's a reason I said this is a critical vulnerability. Typically, there's no more fight or contention after that.
Mick Leach: Yeah, context. Context is king. I love it. So, all right. So what would you love for the general public to better understand about cyber security?
Michael Vetri: Right. The absolute general public may not be too deep into cybersecurity or know much about it. We would like, you know, for everybody to understand that cybersecurity and IT are not the same thing. You know, for those out there, how many times, there might be some forensic examiners out there or, you know, SOC analysts, you name it, that you go home for Thanksgiving or Christmas and it's like, you're the cybersecurity guy. You know, can you fix my computer? The fans.
Really, the fan sounds like it's a, you know, F-35 about to take off the runway. Well, you know, first of all, that's one symptom, going back to medical analogies, that's one symptom, could be anything. And secondly, you know, security, IT, not the same. You know, you're not going to go to an immunologist if you have bone pain, right? You don't go to a side. So understanding what it's all about, what people actually do, what the different career fields are, and it's evolved to many, right? The field of medicine has evolved to many: cardiology, oncology, immunology, you name it, toxicology. And I would argue cybersecurity is not just as vast, but it's not a single-skillset thing, as is sometimes misperceived.
Mick Leach: Yeah. And now what's going to be awkward is when I send this episode to my family, and I'll be like, listen, just skip forward. You're going to need to hear something in the middle. Cybersecurity guy. I'm not going to fix your printer. Okay. I don't know why it's not working. Okay. Maybe there's a paper jam. Maybe you're out of ink. I'm not going to troubleshoot this for you.
Michael Vetri: You're welcome, Leach family, you're welcome.
Mick Leach: Thank you. Thank you, Michael. I appreciate it. You're on my side. Oh, goodness. That cut right to the quick. I mean, when you said that, I was like, man. And frankly, everyone listening, I guarantee it, everyone listening has had that happen. You're into IT, you're into security, you're into whatever. Even my friends in marketing. You're into marketing? Great. Can you help me figure out how to do this? No. No, that's not my specialty.
Michael Vetri: Right, right. I have had some where they said, okay, where they kind of got the context, right? Like, you know, my friend's account just got hacked, Michael, what should they do? Like, stop clicking on emails when you don't know where they're going. Don't fall for watering hole attacks. What's a watering hole attack? Okay, here we go. How about not making your password, you know, your street address and your last name, you know? You're going to get hit with credential stuffing. You're making yourself an easy target. Did any of those apply? Yes. Stop doing that.
Mick Leach: I love it. Well, what a great area to talk about all those things in terms of what we want the public to understand. Know those things, folks. Don't use the same password everywhere. OK. So, how important do you think it is in the security operations space, in particular, to have a mind of continuous learning? Like, have that be something that's important to you?
Michael Vetri: Yes. Continuous learning should be, I would argue, a way of life for cybersecurity operators, regardless of your context, whether you're compliance, vulnerability management, engineering, red teaming, threat intel, forensics, you know, the field is constantly, constantly evolving. The military would argue we fight in a fifth domain: air, sea, land, space, cyberspace. Cyberspace is the only domain that changes. It's constantly changing. Targets are constantly moving. And when you are in the profession of cyberspace, especially cyberspace defense, you need to take that concept seriously. What is there today will not be there the next day. Why could that be? This is a highly demanding profession that requires and demands its folks to know what's going on.
I would also give this advice for those who are looking to continuously train or are trying to keep themselves up to date: look into these well-established threat intel platforms. Not the ones you gotta pay thousands for, but the ones that are free 99. Onyxia is a great one. AlienVault, stuff like that. Just get the feeds going so you're keeping abreast of what the most emerging threats are. Because the days of "Congratulations, you're the one-millionth visitor to our website. Here's your gift card." They're done. I mean, no one theoretically should be falling for that anymore. You know, now they're doing things. There's an email tactic out there that Russia does. It's called Squirrelwaffle, which is, you know, they'll email you this phishing email, but they'll courtesy copy a couple of your employees to make it believable, you know?
So it's not just what's in the email, but also the metadata as well. And knowing that, staying ahead of the psychological game is important too. MGM and Caesars were breached by 16- to 22-year-olds, by Scattered Spider, because of social engineering. Understand when you are going into cybersecurity training and continuous learning, it is not just technical anymore. This is not a technical battleground anymore. This is a psychological battleground; that is what we're dealing with now. And it's just as important to know the prong of threats as it is the technical aspect.
Mick Leach: Yeah, yeah, and we've talked about this a lot over the years, about how bad actors really want to capitalize on and leverage people's innate goodness, right? Their innate trust, you know, feelings of trust; that's what they're trying to subvert and capitalize upon. So folks generally want to believe the best about other people, and rightfully so; we should be able to do that. But bad actors are here to ruin it for everybody.
Michael Vetri: They really are. And, you know, they're capitalizing on things that people desperately need now. They're attacking us when we're vulnerable. So in 2020, I mean, and this is open source info, but in 2020, what was happening in 2020? The COVID pandemic. Hospitals were flailing, trying to save lives. And there were certain, you know, actors on the other side of the world that were taking advantage of that, hitting hospitals with ransomware, because they know there's no time to negotiate. There's no time to get those backups up. They have lives to save. The hospitals, which have decent amounts of money, are just going to say, you know, pay it. We got to start. We got to keep, we got to keep our systems up. We have lives to save; we have lives to save. And that's what's going on, you know, that kind of thinking: there's a very strong global need right now, saving lives, and we're going to take advantage of it.
Another example is there are plenty of fake employment websites or fake LinkedIn posts, because the cybersecurity market is arguably extremely saturated right now. So they're implementing these job posts where desperate folks are going to go in there and fall for these scams, which is fairly ironic, that someone who wants to be a cybersecurity professional would fall for those, but they're still happening. But they're also happening in other career fields as well, all over LinkedIn, all over Monster, some other recruiting websites as well and job posting sites. It's everywhere, and what I've noticed, you know, about some threat actors is that they're no longer targeting, you know, little devices or resources here and there. Some of them are, but where they're really trying to get us is, you know, where they can cause the most effect. So they study us, and they look at us in 2020 and they say:
There's a frantic effort to save lives. They don't have time to go through their standard processes. We're going to take advantage of that. There's a huge, you know, saturated job market. People want jobs. We're going to go ahead and exploit that psychological need on, you know, Maslow's hierarchy, you know. So, and, you know, whatever the next big thing is that the U.S. may be struggling with, that could be the next way we get psychologically manipulated.
Mick Leach: Yeah. Well, and as we bridge into this, I mean, we're talking about that evolving landscape of cyber threats. And so the real question is, how do you prioritize which threats to address first? I mean, how do you allocate resources accordingly? There's just so much to unpack here.
Michael Vetri: There's quite a bit in terms of prioritization. You know, I'm going to go back and revert to what I said earlier. Your job is to execute actions that are in the best interest of your company. And how do you determine what those are, besides, of course, understanding your business needs, the mission, and all that? One of the things that my team has done is we came up with the C3 matrix, and it stands for your centers of gravity, your crown jewels, and your capability enablers. So think of the center of gravity as tier one. If this goes down or it's compromised, there would be grave, possibly irreversible damage to our business. You know, for those that run on the cloud, if your cloud provider goes down, for example, or for those that are tech companies, you know, maybe it's your, you know, your source code repos are just compromised or they're stolen. What some did to that effect, right? And then you've got, you know, your crown jewels, which is it would probably still be material, we'd kind of have to file an 8-K, but we would still probably survive. And then you have your capability enablers, probably wouldn't be an 8-K filing, but it's still something that we need to support our business operations. So you should, of course, prioritize those things: put the most sensitive alerts, detections, and prevention mechanisms on your centers of gravity. That should always be where you are paying attention the most. You work outbound from there.
In concert, I'm going to put in a sales pitch for anybody listening. Threat intelligence teams, while I know, you know, they're technically seen as more support than they are operational, they can provide a ton of context into what your analysts are seeing. When you pay someone to go out and put together an IOC or an indicator database, a historical one, and they can start assimilating all those indicators into personas and start predicting behavior and know what TTPs they're going to use. And then you overlay that with TTPs that you know you're either weak in or strong in, and that'll drive priority as well. I mean, that is one of the most hallmark ways and strongest ways you can become that, you know, profit-generating, as I said earlier, profit-generating entity and prevent additional costs from happening. Because now you're giving your teams more proactive defense versus reactive, and that's a common issue we deal with in the cybersecurity world: react, react, react. But if we already know what they're going to do, then, you know, we almost, we almost have, not to say this conscientiously, we have much less to worry about and we can focus on what's most important.
Mick Leach: Yeah, so it sounds like you're almost using, in terms of threat intel, kind of like the pyramid of pain, right? Yeah.
Michael Vetri: In a way, yes. You know, you have the things that are easily changeable at the bottom: your hashes, your IPs, your domains. But when you can study them enough and understand their TTPs and these diamond models, that is much more lucrative and valuable than just chasing infrastructure that's going up and down all the time.
Mick Leach: Absolutely, absolutely agreed wholeheartedly. Yeah. I mean, I think getting to the maturity level where you can really define those techniques and tactics and procedures and really understand what's happening in those and then being able to prescribe that and write detections to create alerts when we see those behaviors. Brilliant. I love it. So
Michael Vetri: It's true. And when you think about the switch in our national defense or national security strategy, from one administration to the other, we went from a defensive perspective to a proactive cyber perspective, which is more of almost, in a way, fighting back against the nation-state. And of course, it's a government document, but when I am, and it's out there, it's open source, but one of the things that is, you know, important to realize is not only, okay, what are you doing to protect your company? But there's almost a call in the security community to share intelligence. But one of the barriers to sharing intelligence is the legal ramifications, especially if you're a SaaS provider: how did you get this intelligence, were people hitting your, you know, so that's, that's one thing that's an obstacle in helping us as a, as a nation in seeing what's out there. I mean, the government loves to partner with private industries and say, hey, what have you seen out there, here's what we've seen. Let's look at the commonalities. We can better protect. We can better prepare for imminent or maybe likely attacks. But if we're not doing that as a security industry because there's fear of, you know, legal ramifications, then that's going to set us back a little bit.
Mick Leach: Yeah, agreed. And as we think about the future, where do you think security operations is going in the future? What advancements or changes do you foresee in the field of cybersecurity? And how do you think it'll really impact the security operations folks?
Michael Vetri: Yeah. So where I see security operations going in the near future, I have noticed that the threat intelligence field is starting to become a lot more prominent. You know, there have been, there's been a lot of growth in there where people are starting to understand threat intelligence more, versus, it's just a support function that reads news articles and Hacker News and AlienVault. And, and, you know, go get a subscription to some big dog threat intel platform and, you know, good, we're all set, we're doing threat intel. No, that's not what it is. It's a very deliberate process. There are structured analytical techniques and analysis of competing hypotheses. It's very much system two thinking versus system one. System one is like the automatic stuff, where you tune stuff out, you know, easy, almost binary thinking, where system two is much more deliberate, analytical, and requires that critical thinking. So I see a little bit of a rise in threat intel.
I also see that there's going to be a lot more investment, I hope so, that there's gonna be a lot more investment in just cybersecurity positions as a countrywide whole, regardless of the industry. You can't go one week without hearing about some either mid- or big-name company suffering a breach. I mean, Change Healthcare, $22 million ransom. There is another company that was undisclosed, but a DLP provider confirmed that someone got hit for a $75 million ransom. So the stakes are getting higher and higher. And for anybody out there that might be thinking, it didn't happen to us or it's not going to happen, that's one of the biggest leadership failures you could ask for when it comes to taking care of your business, thinking, well, we're not a target. There are plenty of adversaries out there that are opportunistic. They don't care who you are. They're going to get the money.
And you know, then you're in a position, do I pay or not? And if you do pay, who knows what you're funding, right? So that's something that needs to be taken into account. What's also going to happen, and I feel the cybersecurity that I see is that adversaries are becoming a lot smarter in realizing your profit margins and your revenue generation. So if you're some Fortune 500 company, don't expect ransomware to be asking only for 50K, you know? They're smarter, they're almost business savvy. They're like, all right, well, this is a mid-level company that can probably dish out two to four mil. We probably shouldn't hit them with 20 mil because then it's never gonna happen, but gotta make it just at the level where it's tempting, because they don't wanna go through all their DR processes and all. There's also probably a company that may not be established well in their security program, so greater likelihood that there might be a payout.
That's what I see at the other end of the spectrum, which is not security but the aggressors. They understand the business a lot more and are taking a lot of psychological considerations and temptations into effect.
Mick Leach: Yeah, well said. So what advice would you have for someone that says, everything I have heard up till now sounds amazing. I want to do this. I want to be a part of this. I want to get into cybersecurity. But frankly, I don't even know where to begin. What would you tell that person?
Michael Vetri: Sure. If that person, I mean, usually I'll hear this from folks that are about to start a degree in computer science, you know, 18- and 19-year-olds, or maybe they're fresh out of college and, you know, think, okay, my college has been saying I need to be in cybersecurity. That's the hot market. They pay well, and they're right. However, if they want to get into this field, entry-level position, I'm going to offer this to anybody who's a candidate out there: meeting the job requirements will highly likely not get you the job. And I say this from experience. I have hired four people in the little over two years I've been at my company. All of them offered a little bit more than what the job requirements were asking. So for my most recent position, there were about 600 applications that came in. About 100 of them met the requirements, because we have a lot of spray and pray going on out there.
Obviously, I'm not going to hire 100 of them. All 10 of them that I decided to at least interview offered something more than just what I needed. So for example, if you're trying to be, I want to be a senior, I want to be a security analyst. All right, cool. I have my degree in comp sci. I have a Security Plus cert. You know, what more do you offer beyond those job requirements? I'll give some, you know, helpful advice. Automation is a hot thing. Learn Python, learn Java. Learn, you know, name your automation language, and learn one of them, PowerShell. And then a little bit of threat intel knowledge, when you can articulate, hey, you know, I'm not only good at, you know, I'm not only trained up to be an analyst, but I also understand, you know, the proactive value of going in and finding, you know, these, these indicators that could be harmful to the company, so we can better defend against it. Know the kill chain, know the Diamond Model, that kind of stuff, just some kind of extra capability that can be added. So you're more of a force multiplier instead of, yep, I'm here, I can do it. Now, at the same time, I do empathize with those who are looking for an entry-level job, because maybe there are not really opportunities, maybe financial opportunities, to go out and get a cert. A 22-year-old fresh out of college is not gonna pick up a $9,000 SANS cert or whatever they're at now.
But there are so many free videos out there and programs that can get you into coding, that can get you into automation, that will give you that leverage above other candidates. So that's what I would offer. And if there is a little bit of opportunity to get a certification, if there is still a little bit left over, Security Plus is a great starting point. There are several others that are out there. There's AWS, if you wanna be in cloud security, looking at AWS-, Azure-related certs. One I will give a shout-out to, and I have no affiliation with them, it's just one of my favorite cert graphs out there, is called pauljerimy.com. So Jerimy is J-E-R-I-M-Y, and then paul on the front. It's an incredible chart that shows you the different categories of cybersecurity, and it maps them against difficulty levels.
So you kind of want to look at the bottom area if you're first starting out and it'll point you right to its cost, the summary, and everything. So give that a good review, but also be patient because everybody's being told cybersecurity is the hot thing. So now you have to kind of rise above the norm to really get into the interview and later interview phases.
Mick Leach: I love it. I love it. That's awesome. Well, listen, we've had an amazing conversation, Michael, that's been pretty wide ranging across a variety of topics and, and, you know, and even deep diving into a few things there. But what would you have someone take away if they can only hear one thing and really take this away? What would you have that be for
Michael Vetri: Yes, so cybersecurity is a vast battleground and you're going to go up against a strong variation of adversaries ranging from the script kiddies to insider threats to nation-states to, you know, APTs that are sponsored by nation-states. You can go up against a lot. I'm going to give another sports analogy. You need to train for what you want to fight against.
So if you're just okay with always, perpetually fighting against the very basic things that aren't that complex, then you'll train as such, right? You'll do the bare minimum. Just like in sports, a high schooler who wants to make it to the college level is going to do more than just the high school practices, the scheduled ones. They're going to work out harder and maybe do a few more reps in their sprints or their hurdles, whatever. They want to make it pro. They're not just going to do what the college workouts are. They're going to do more after hours. If you want to advance, if you want to go toe to toe with something that's almost up at nation-state level or sponsored by nation-states, you can't do the minimum. And that's something that, you know, is extremely important to realize.
If you want to be a black belt in cybersecurity, you've got to train against black. You have to practice like a black belt. It's not going to be handed to you. You're not just going to magically know all things just by doing just your job. You need to train, you need to educate, you need to practice, set up those labs and constantly learn to realize what are the more recent tactics, the more creative tactics they're using, technically and psychologically. And then how do you stand in front of your company and redirect those adversaries and keep them out? Because that is our job. We stand at the front lines to protect our company, with the company at our backs. That's the premise of this entire profession.
Mick Leach: I love it. I love it. Yeah. And you're right. I mean, in the Army, we often said, you know, train as you fight, because you will fight as you trained. And so if you didn't train hard, if you took it easy, if you went half-hearted, you know, you're building muscle memory in those things. And I would say that this even applies to the way that we do tabletop exercises and we do incident response practicing. You've got to train as you want to be able to fight, because when that moment comes, you will go through it with the same muscle memory that you've been trained with. And if it's been lackluster, that's how you're going to respond in the moment. And that's not what we.
Michael Vetri: Right, right. And I would also offer to train even in adverse conditions. And what I mean by that, you know, so side note, I'm also a black belt in Krav Maga. My black belt test was not in nice, you know, 70-degree weather, no breeze, you know, perfect conditions. It was chilly out and we had varying terrain. I was going up a hill, I was going down a hill. I had mult-salindros. So when you do your tabletop exercises, you know, leaders and those that are on it, please don't shut down every idea that seems like, oh, that wouldn't happen. Maybe it would. What are you gonna do if AWS or Azure or GCP or name your IaaS goes down? What are you gonna do if your leaders aren't available, if they're on PTO in another country and they have a low wifi signal or low cell phone signal and you can't get a hold of them? Who's making the decision? Do you have pre-approved authorities? What are you gonna do?
I mean, a great tabletop exercise is not just focused on one incident, but halfway through, "Hey, we have another incident. It's completely unrelated." How are you going to handle that level of high stress? Can you still perform? Let them sweat a little bit. Through tension there is growth. Let it be a tense situation, because if you don't get through this, then, you know, like I say in Krav Maga as a martial arts instructor, nobody cares about self-defense until the moment they wish they knew self-defense. Nobody cares about, you know, incident response, cares about these tabletops, until the moment they wish they would have practiced their tabletops.
Mick Leach: Yeah, you know, and you brought up some really good points in terms of injects, and we've used a lot of those injects over the years. Like, your primary incident responder, incident commander, is now sick, right? They've gone home. They were, you know, they were in a car accident. They can't come in for whatever reason. But I wonder, something you said made me think, I don't know that I've ever heard of anybody doing a tabletop exercise out of the blue at like 3 a.m.
You know, trying to fight, right? And you said about doing it in, you know, rough conditions. And that's probably the most likely scenario too, is around 3 a.m. for whatever reason something happens. So yeah, folks, consider doing a tabletop exercise at like 3 a.m. when folks are foggy and, you know, you can't get a hold of people as well as you would have liked to. Let's try and fight.
Michael Vetri: Right, right. I mean, and the same thing goes true with your annual pen test that you have to do, you know, keep it minimal. Don't retry. If you can, try to avoid telling your security team when it's going to be. I mean, once they discover it, okay, yeah, I got to fess up, but you know, don't say, yeah, we're going to do it today. You don't know what they're going to do. It's like, okay, well now they're a lot more paranoid about their alerts. Of course they're going to catch it. It's a different psychological mindset. If you get them, you know, but at the same time, I would offer to leadership, if they do fail it, you know, don't be ready to be like, OK, whose fault was it? You know, I got to put them on a PIP. I got to give them, you know, a red eval. No, like, I mean, especially if they're simulating some nation-state stuff. And that's one thing to consider, too. If you're a small company out there that doesn't really have many security resources, and one day Russia just decides to go after you, or China with their fully funded, government-backed, you know, operators that they have hundreds or thousands of. Is your four-person security team going to stay toe to toe with that?
So there needs to be a level of realism too, but also a level of coming down to earth on where are we, what kind of attacks are we likely going to highly struggle against or are we prepared for, you know, model assume breach. What are we going to do once this happens? How do we recover? This is not me saying wave the white flag. This is to be very conscientious and in tune and taking the pulse of really where your weaknesses are and understanding if something happened today and they targeted this area where we're weak, it's, it's going to be ugly.
Mick Leach: Yeah, but plan for that, right? I mean, that's the thing, plan for that. And so if you know you don't have exceptionally technical incident responders, if you don't have digital forensics investigators on staff, and many companies can't, I get that. Have a plan though, have a list of organizations that you can call and maybe get on retainer with. Yeah, because at some point we will all, even the very best, need to phone a friend. And you better have some friends on speed dial.
Michael Vetri: Exactly. Get the retainer. I mean, the government does free tabletops, CISA. Look up Kenneth Walker. He's done a lot of great keynote talks at various conferences. I mean, he'll do tabletops with you. I mean, this government stuff is free. You know, I get, you know, there's a little bit of apprehension about the government possibly poking in your system and seeing it there, but the complete intent, coming from a former government employee, the complete intent of it is to better prepare you so that our adversaries in other parts of the world don't gain a foothold in a private corporation and then could pivot somewhere, especially if your company happens to do a service for the government, whatever that context may be.
Mick Leach: Yeah. Yeah. Awesome. Well, Michael, thank you so much for your time. It has been a pleasure talking with you today and I appreciate all the insight that you brought.
Michael Vetri: Absolutely, thank you so much, Mick. Y’all take care out there.
Mick Leach: All right, thanks, folks. This has been SOC Unlocked: Tales from the Cybersecurity Frontline. Again, I'm Mick Leach, your host, reminding all you cyber defenders out there to keep fighting the good fight. You are the tip of the spear, so stay sharp. Thanks for tuning in. Don't forget to like and subscribe and check out all of our other SOC Unlocked episodes. Folks, we'll see you next time. Thank you.