Mick Leach: Hello and welcome to SOC Unlocked, Tales from the Cybersecurity Frontline. I'm Mick Leach, your host and guide on this exciting adventure and journey into the SOC universe. In each episode, I chat with various cybersecurity professionals about the latest industry news, emerging threats, practical strategies to keep your organization safe and more. And this week we are excited to have an old friend of mine, Joe Morrissey. Joe, welcome to the show.
Joe Morrissey: Hey Mick, thanks for having me. You must have lost a bet or something to have me on here. What's going on, man?
Mick Leach: Absolutely. You're killing me, man. So Joe and I, those listeners who don't know, Joe and I worked together for a good while at an insurance company. And, you know, it's just one of the best hires we ever made was bringing Joe into the SOC there. All right. So. Before we dive into all of the details of what we're going to look at today, I wanted to give our listeners an opportunity to learn more about you and hear a little bit about your background, because you have one of the more eclectic journeys into cybersecurity that I've heard of in my years. And I love that because I think there's a lot of folks that are just not sure if cybersecurity is for me.
You know, is my journey going to be my, my history going to be valid in that world? And, and to those folks, if you're thinking that, if you're questioning that, I would love to introduce you to my friend Joe here, cause he, he proves that you can, you can get there.
Joe Morrissey: Yeah, that's right, it's all up to you. Right. So what do you want me to share? Everything leading up to the SOC and then we can dive into more there? What do you want to hear about, Mick?
Mick Leach: Yeah, yeah, tell me a little bit about your background, what your current role is, kind of your journey, how did you get there? And then we'll dig into it.
Joe Morrissey: Sure, yeah, yeah. So thanks for the intro. Kind words. I don't know. Great, thank you. So my background, I've been in security, I think it's been 10 years now, Mick. I think I've been working in security for eight years, but my journey started 10 years ago. Well, you can talk a little bit about my two years and three interviews to get on your team all those years ago. But yeah, so it's, I don't know, maybe it's not so much a non-traditional background.
Disclaimer alert, I don't have a formal education in IT and security. I don't have a degree at all. I spent a couple of years in college. The latter part of those years was focusing on information systems, but I don't know that I really use much of what I learned there applied to my career now, but I was always interested in tech, right? I dabbled a lot of, I spent a lot of my time dabbling into whatever I could get my hands on. It probably started with interest in video games and spending time at the computer. I allegedly spent a lot of time writing a botting program for World of Warcraft back in the early 2000s. So I don't know, you can't prove it. So that probably piqued a lot of interest there. But then I started like at Micro Center, which is probably like my first job in tech. I was like in the build-your-own section, right? You come in, you want to build a computer, I pick out the parts and then I build it for you.
So that started my interest in the hardware side of things. Retail is not great, for those of you that love it, more power to you, but I wanted to kind of have more of a career path into something, but I didn't know what that something was. So I took the first chance I could and got a help desk position at a rather large Midwest financial services and insurance company. I was a help desk analyst for a while and that job was actually really great because I think it exposed me to the sheer size of an enterprise or an organization like that. And you really get a feel for all the complexities that exist there. But I didn't want to resolve tickets and reset passwords my whole life. So I think I took the first opportunity out of there where I was a mainframe operator, maybe the youngest in history. I don't know, Mickey, tell me.
Mick Leach: I was gonna say, you don't have near enough gray hair to be working on mainframes.
Joe Morrissey: It's coming in. It's coming in. Maybe because I worked on mainframes, those are starting to come in. Yeah, mainframe operator for a couple of years. And that was an even better experience into the complexities of all the different technologies that are reliant upon just anything and everything you can think of in a large organization. Then I think it was around 2014 that I found out where I was working was building a SOC, building a security operations center.
I thought that was cool, but I didn't really have any experience or knowledge into what that actually is. And so I applied and I had no business applying at the time or being in that interview. Mick, you can share a little bit about that interview and I can continue. But it was not great. But I think Mick being on the interview team probably showed more grace than he should have. It wasn't great, man. And that's okay. I think that was probably the catalyst for me, trying to understand and get into the mindset of not only knowing what I didn't know but trying to figure out how I close those gaps. So it was good. Who was on that interview panel? You remember?
Mick Leach: Goodness. Well, it would have been you and me and Stephen and Kim for sure. Even you won't. Yeah, that was the dream back then. What I would have our listeners hear, though, is that you don't always step up to the plate and hit one out of the park on your first day in the big leagues. Right. And that's okay. It's okay to come in and realize I have been weighed and measured and found wanting. And that's okay on that first go-round.
What I would also have you hear is that Joe never gave up, right? I mean, he came back time and time again and put his nose to the grindstone, worked really hard, studied the things that we talked about, and took the initiative to set up one-on-ones with me and some of the other security leaders to learn more about what is it I need to study? What is it that I don't know that I need to know to get there? And that's what I would wish for anybody to hear is that if you want to get there, you got to take charge of your journey and you got to grab it with both hands. You got to set up meetings. You got to take the initiative and make it happen because it's not going to come to you if you just sit and wait for it. And Joe did that.
Joe Morrissey: I mean, I feel like humility is a huge piece of it too. I know it's a little bit ironic for me saying that now that I'm sitting here talking about it, but like just being understanding and giving yourself some grace and being okay with what you don't know, but relying on people who do know and trying to learn from them. Nobody's going to spoon-feed it to you. You're going to have to do all the hard work yourself, but it may take you quite a while. It took me two years to get to the point of a pretty junior role in the SOC, right? Like, I mean, I know that you guys took a gamble on me because I didn't have the experience of an analyst. But yeah, after that first interview, I did all those things that Mick just said. And I think if you get knocked down, get up. And if you get knocked down again, because I told you third time was the charm, get up and keep chugging along. So I think it was two years, three interviews, finally got the position.
But there was something you said, Mick, to me. I think it might have been in my second interview that had stuck with me forever since. It was, if I can give you all the things that I would require one of my SOC analysts to know and be proficient at, I will give you this list. And if you know everything on this list, I won't have a reason to not hire you. I remember you saying that. And it stuck with me forever, like forever.
And I even repeat it now, now that I'm in a position to hire people as well. So I use that because it's good motivation for the right person who has the right mindset, I think. But there's just so much to learn. So try to focus, right? I tried to focus what I needed to know and learned as much as I could about it. But yeah, 2016 is when I got started in my security journey, right? I was an analyst, officially, officially, that's right.
Mick Leach: Right. I mean, let's be honest, right? Those two years, they count. That's work. You're putting in the work.
Joe Morrissey: Yeah, as far as the CISSP certification is considered, they certainly do count. But I got in, y'all hired me. I was a flex analyst at the SOC where I'm still currently at and worked, right? It was the way that we had it structured was there were a lot of senior guys and gals on the team who had been around for a while and I did the same thing that I did years previous and just kind of immersed myself and let myself absorb all the things that they knew and were doing and applied it. And a couple of years after doing the SOC analyst thing, we didn't have a tiered approach. It was every analyst for themselves, not in a negative sense, but like there was trust that any analyst on the team could investigate any alert that came in, which I think is a great model in the right environment.
It certainly allows people to grow rapidly, but could be, I mean, it could be detrimental if you don't have a mature program. But in those two years, right, I got close to you. I got closer to, you know, maybe some of the strategy around how we were operating our team and where we wanted to go. And I got the opportunity to get a team lead spot. And I did that for a few years. I think I'm, I think I matured the team a little bit. I don't know, they were tough shoes to fill, Mick, but.
They were, they were. Man, did I learn so much in that timeframe. Did that for a little while. And then where I was at wanted to develop more of a formalized CSIRT, or we call it our threat response team. So we pulled some folks from our forensics area, some of the more senior folks in the SOC, and made a new team that was strictly responsible for IR, straight up incident response, incident handling. Threat hunting was a part of that team as well, and I spent a few years there. I was a team leader for that team. And then I got a new opportunity to kind of be more of like a senior consultant, not only over the SOC, but of that CSIRT. So in a way, we have a role called incident response capability leader, which is more of the administrative function of things like developing your run books and making sure you produce stuff for audit. Then there was my new role that I had taken, which was more of like an incident commander for any of the large-scale incidents, organizing, and interfacing with leadership, but it was an individual contributor role. So I didn't really have people reporting to me. And then just recently, I'm now in this director role, this people leader role, which is a new journey. So a ton of learning. Yes, a ton of learning, a long way to go on that. But it's exciting. I think a lot of the trials and tribulations I learned around my technical journey will probably come into play with helping me.
Mick Leach: Well, congratulations. Yeah. Well, and our listeners will quickly realize that one of Joe's biggest strengths is his ability to communicate well. No, no, for real. So, you know, I told him then that someday I'd probably end up working for him. So just remember me kindly is all I would ever ask. So now it's been great. Joe, I love that. I love your journey and that story because I think it just portrays so many attributes that we really look for in cybersecurity, the ability to dig in, to never give up, to continue to ask questions and to strive. I think all of us could use a little more strive, a little more hustle in our lives. I think that's how you make yourself successful.
Joe Morrissey: Yeah, and not to mention too, right? SOC life is it's a team sport, right? Like I certainly could not have gotten where I was at without the help and support of people way smarter than I'll ever be helping me along the way and getting me to where I'm at. And don't be shy. Don't be shy asking anybody in the industry for help. Like I think that's probably one of the coolest things about this industry is everyone's got a different story. One of our pals, Dan, always says everybody's got something to teach everybody else. And that's most certainly true. So just ask. Just ask. Don't be shy. Don't be scared. Participate. Ask for help. Get a mentor or two and get on in there.
Mick Leach: Yeah, no, couldn't have said it better. You know, two things I'd pull out of that. One, we had Dave Kennedy on, who is like a legend in our cybersecurity world and has been for near on 20 years now. The guy's been around forever and yet is one of the humblest, nicest guys, most approachable people on the planet and will help anybody get a leg up in what they're going to do next. And that is not unique to Dave, right? That's something we see in great leaders across our industry. And I love that. The second thing I'd pull out of that, one thing that you had mentioned in that conversation was being, you know, humility and being humble. And it kind of harkened me back. We had Jeremy Ventura, a dear friend, Field CISO at Myriad 360. We had him on the show a couple of weeks ago.
Super smart guy, but one of the things that he said that he looks for when he hires is people who are hungry, humble, and smart. Right. And the smart wasn't necessarily book smart. He's looking for folks that just can figure things out. And I think that really describes what I saw in Joe then and see in Joe today. And certainly, what he looks for, I think, in folks that he hires. Is that a fair assessment?
Joe Morrissey: Thank you. Those are very kind words. Yeah, I always try to surround myself with people who are smarter than me and the room is always very large. So I encourage everybody to do the same, right? If you're the smartest one in the room, go to a bigger room, right?
Mick Leach: Yeah, yeah, and I've heard that before, right? And we've said that, I think, together, right? If you're the smartest guy in the room, you're probably in the wrong room, right? You should, you know, get to change your scenery. So good stuff, thank you so much for that. And we'll touch a little bit more on that, kind of at the tail end of this discussion. But for now, I kind of want to dive forward and, you know, by now, we love to look at sort of this past, present, future. In terms of past.
Joe Morrissey: Yeah.
Mick Leach: What's some of the more interesting attacks that you have ever investigated or encountered and how did your team respond?
Joe Morrissey: Sure, yeah. Let me think about that for just a second. Not too many details on some of the bigger ones, but interesting ones for sure, right? This is a situation, and we'll go through the story real quick. It was so wild to go through it, but I think everyone in the SOC has experienced a DDoS before. Everybody has been through that. Some are bigger than others, depending on your infrastructure, whether you're a hybrid or on-prem or all cloud, you've probably in some way been affected by it.
Mick Leach: Fair enough.
Joe Morrissey: Years ago, many, many years ago, when the organization I worked for was still, it was a hybrid organization, but most stuff was on-prem. So we had all of our own infrastructure. And like everybody else, you've got your primary dot com site. Well, it was like 6 pm on a Wednesday or something. And we're getting our DDoS alerts. And it was just an enormous amount of unexpected traffic coming into our, you know, our homepage, our .com homepage, and no reason why. And I was like, okay, typical DDoS, let's look at the traffic, what patterns can we observe? Can we put some sort of filtering in place if we wanna do some sort of BGP routing to somewhere else to mitigate it? Let's do that.
Looking at it, it was so strange, Mick, because we could get PCAPs, we could look at some of the logs that we were getting from the server itself just to see if they were like hanging connections or something like that. But they were just simple get requests, normal, regular get requests to our .com site, our main .com site. And that was it, just over and over again. And we looked at it.
Mick Leach: So was it like half open connections?
Joe Morrissey: No, they were, no, they followed the whole handshake, open connection, and it was just over and over again. And there was no pattern to it aside from looking at the user agent strings, which were just like the most random ones. Like you'd see like LG, Samsung, Roku, random browser, like just all over the place. It wasn't mostly browser. It was mostly like IoT things, not like fridges or anything like that, but like media devices. And I was like, my God, is this like some massive botnet that somebody has purchased and is now using it against us, right?
The strange thing, we couldn't figure it out and we didn't want to block that traffic or block those user agent strings because they're legitimate. And the IP space it was all coming from was residential IP space. People's, like seemingly people's houses, and we all know IP geolocation is tough. We get last hop, sure. But it was just strange. It was all, it was mostly US, right? Like 98% US.
And we watched it and worked on this for a while and didn't want to necessarily filter things that were seemingly good traffic. But then the traffic just kind of died down a little bit after, I think, maybe 1 am. So it was like 6 pm to 1 am was just massive amounts of nonstop traffic from all over the continental U.S. from all these different weird like media IoT devices. And I don't know who it was. Definitely somebody smarter than me was like, OK.
Do we have like a marketing campaign or something going on right now? Like, are there people visiting websites, like our website, for an ad campaign that we're doing? Which was an excellent question. And I was still newer in my SOC days and hadn't thought of anything like that. Benefits of being part of a large organization is stuff like that exists. And if your SOC isn't aware of it, they should be. It's a little foreshadowing there.
Next business day, everything, all the traffic was normal. We didn't have to put any mitigation in place. Talked to our marketing team and they were like, yeah, we do. We've got a marketing campaign that kicked off yesterday. And we were like, solved it. Deal. We got it. So we dove into it. Turns out the company I'm at hired a third-party company to manage the ad campaign. And we talked with them and they were like, this is what we're seeing. It's random. Could it all be affiliated with the ad campaign that you're doing?
And they were, you know, vehement, like no, couldn't be us, couldn't be us. Of course, and like, I know, I know it is.
Mick Leach: I hate that. That's the life of the SOC analyst though, right? Hey, did you do this? Nope. Nope. Definitely not me. Ha and then you show them logs like, shoot. Yeah, my fault. Yeah, it turned out that was me. My bad. I didn't realize.
Joe Morrissey: It is. Nope, couldn't be me. You know, and we showed them what we had. And like there was no indication that pointed towards that. It was strange for sure. Having, you know, having retrospect on it, it allows us to kind of see where the story is going. But they swore up and down it had nothing to do with the marketing campaign that was going on. Another night went by, another peak around 6 pm all the way through midnight, 1 am, died again. And it's like, listen, this is like prime time TV time. Like it sure feels like a marketing campaign. Like what is going on here? Meet with that marketing team again and they're like, well, we do hire this, or we talk with the third party again the next day. They mentioned, well, we work with this other third party who implements our pixel tracking, but I don't know how that would deal with anything. And I was like, whoa, okay, let's talk to them. And to sum it all up, we ended up talking to that team, and the pixel tracking that they had implemented in the third party that we hired, the ads that they were running, they had forgotten to comment out our company name dot com. And so every single time one of our ads played on a Roku device, you're on YouTube, if you're looking at things on the browser, if you're watching TV on a smart TV, every single time one of our company's ads came up, it would resolve to our company dot com. So it was just constant connections. Yeah, yeah.
So not a sexy malicious story or anything like that, but like still a security problem because part of our jobs is availability, especially when it comes to that.
Mick Leach: Absolutely. Yeah. Yeah. For our listeners, right? CIA. All right. The confidentiality, availability, integrity triad is integral to our world. And you're absolutely right. And what I love about that story is because that is the most real thing that we encounter on the daily in the SOC. It's some weird one-off, you know, problem that ends up being pseudo not malicious, but definitely caused impact. And, you know, on the SANS advisory board, there was recently a big discussion after an EDR vendor had an issue about whether or not that was a security incident. I mean, I'll bet it's got to be the most trending discussion in the history of the SANS advisory board; it had to have 300 plus replies to it.
But yes, it's those kinds of things that, whether it's a security incident or you call it an IT incident because availability was impacted, it still remains one of the things that the SOC gets pulled into and has to start from ground zero. And let me just say this, sorry, Emily, my producer, it is marketing. It's always marketing's fault. In my experience, I run into this all the time. And I say that lovingly and half joking, half serious. Marketing seems to be at the heart of many of the challenges that I've encountered in my time in the SOC as well.
Joe Morrissey: Well, this is the last SOC Unlocked podcast. Thank you, Mick, for flaming Emily in her tea.
Mick Leach: Yes. Sorry, marketing team. We love you. Just call us once in a while is all we're saying. Just give us a call. Let us know what's going on.
Joe Morrissey: It's just interesting to think about, like think of what all of the stuff that goes into a large company, if you're a SOC analyst at one or even a smaller company, like things from HR to marketing to, you know, acquisition and recruitment and acquisition of folks. Like there are so many pieces of that that have a tie, most likely to something that should be monitored from a security perspective. And it's just wild to have to come across stuff like that. Like that's the cool part of our industry is it's constantly evolving to like we're limited by our creativity because everything produces data. And so it's just, it's crazy to think about, right?
Mick Leach: Yeah, yeah. And now we're consuming that data in so many different tools. Every tool and everything you touch generates data. And here in our world, in the SOC world, trying to differentiate between high-value data and low-value data, regardless of the quantity of data, it's a tough world we live in, right? You have to make some hard choices. So a great story. Thank you. I appreciate that. Now jumping forward into the present.
What I want to know is what is the biggest challenge that you see facing SOCs today? The biggest threats, the biggest challenges, and you can interpret that in whatever way you want, but what's the problem for SOCs today?
Joe Morrissey: Sure, yeah, I'll wear both my caps real quick. My leader cap will tell you, it's still the skill gap, right? I mean, it's hiring good folks. We talked about that a little bit in the beginning of our conversation here, like how much it can take to get somebody up to speed to understand this environment. Because I think a lot of times, still even today, there's this misconception that a SOC analyst is an entry-level position. And I hate it. I hate that, by the way. Don't ever say that.
I think that if you were to implement a security operations center and you were explicit about a tiering system, it can be an entry-level security role that would require a lot of context and experience from an IT background. That doesn't mean you need 10 years of experience. I had a couple of years of experience in a large environment and a couple of different support areas that didn't necessarily tie to security, but it gave me a ton of understanding of really the breadth of responsibility that could go into investigating anything that comes into a SOC as a case.
That alongside of, everybody needs security analysts. I don't know what the deficit is on how many jobs exist with how many skilled security analysts are out there, but it's gonna grow still as we move into the future. So I think, I don't know what the solution is to that. I think what's interesting to think about though is,
And I don't know if you've got an opinion on this, Mick. I know you've hired a ton of people. I don't even know if there's really a good trend to follow with, who, if you could pinpoint exactly what makes a good security analyst outside of, and you and I've talked about this before, so this won't be a surprise, that whole tinkering mindset. We touched on it a little bit earlier, right? You don't need a ton of experience, but if you are passionate and you are willing to dive into understanding how something works, why it happened, and just like, essentially keep asking those questions over and over again until you reach the bottom. And then you pivot to the next thing you don't know about. Like, that's really how you get there. But I don't, I've not found a good way to streamline that outside of kind of sharing the way I did it, but it was just my way, not the way, right? There are a lot of different ways to do this.
Mick Leach: Yeah, I'm glad you mentioned that tinkerer piece because I think that is so pivotal. Almost invariably, when I have hired a successful person who ends up really, you know, just growing exponentially, you know, you're a good example of that. We have others, but they're those folks who almost invariably are tinkerers in something, right? You're into cars. Fine, right? Somebody that's not afraid to roll up their sleeves and, you know, and change their own brakes or I don't need you to take the engine apart, but somebody that's not afraid to roll up their sleeves and get into something. If you build drones, right? One of the guys that we hired a while ago was, yeah, Alex is a drone dude. I mean, he built racing drones on this, on the side for giggles. And what we learned is that that same tinkerer mindset really makes for a successful SOC analyst in my experience. Your mileage may vary, but whatever, what I've always found is that somebody who's willing to roll up their sleeves and get into it ends up being a great SOC analyst. And I think why is because all of us that do that are driven to understand how something works, right?
At the lowest level, you built computers at Micro Center, I built computers, you know, largely because I couldn't afford to buy like a pre-built computer. They were simply too expensive on my army, you know, salary. We were dirt poor. We couldn't afford a window shop. We were that poor, like just the gas money to go look in the windows was too much. So, you know, you harken back to those days, when we built our own computers, and in doing that and learning all of the little details of how things fit together and being driven to understand and then try things, try and fail, try and fail. These are the same folks that go home and build a lab. Whether that's a physical lab, you have lots of systems and some elaborate networking architecture in your basement. You and I both know folks like that, or jealous, at least me, I'm jealous of folks like that who have the space and the money to do that. Instead, lots of us pivoted when virtual machines became more reasonable and you could run a whole bunch of them on the architecture we already had at home. So whether you're doing that digitally or you're doing that in an on-prem sort of hardware-based, it's those folks that started firing off attacks and then running a SIEM, like an open source SIEM, just to see what it looked like on the wire, what the attack looked like. That's how we all learn, and the folks that are not afraid to spin something up, spin up a VM, even if you don't know what you're doing, right? Security Onion, you know, whatever the case may be. ADHD is one of my favorites. John Strand, I hope you're listening someday. I love your guys' stuff, I do. You know, even, you know, Kali Linux, fine. That's what everybody thinks is gonna be the one, the one ring to rule them all. But either way, fire it up. Try things out and see how it works.
Joe Morrissey: Yep. There are a ton of guides out there, too, right? Like there's no expectation that if you are just new into the security world you're going to know how to do that. And in fact, I mean, that was, that was what you mentioned kind of part of what would help me get there. Right. I had not spent really any time in a Linux system before I applied to the SOC 10 years ago. But one of the things that Mick and team gave me at the time was go build a lab and attack yourself. And it's like, well, what do you mean? And it's like, exactly. Go figure out what that means and build it.
Like, and that's truly part of the journey. And I give that same advice today to people who are interested in a profession change, career change. And I tell them like, you should build a lab and attack yourself. Do you have a guide on that? I was like, yeah, but like you should go find one and actually do that. That's part of it. If you don't know how, or if you're just expecting me to give you like an SOP on how to do this, not gatekeeping here, but like if you require a checklist for doing everything. It's going to be a tough industry to get into because a lot of the stuff we do is very ambiguous and lives in the gray. That's why they're not tickets, they're investigations. They're cases that we work. We investigate and analyze. We don't follow a checklist. That's what SOC analysts do.
Mick Leach: I love that. I love that, Joe. Awesome. So in terms of present problems, challenges that we have today, right? Skill gap and then is it volume or staffing number of folks? Is that the other one?
Joe Morrissey: No, so I mean, it's just a skill gap, right? It's how do we get the next-gen ready. How do we have a pipeline of new SOC analysts ready to come in and crush it, which is looking very promising. I host a ton of interns every year, and we got to build a CTF forum years ago, and they're getting so smart. It's why I got to make these things harder. Well, that's one of them. The other one is I think this is probably close to everyone's heart is like actually using automation appropriately. It is.
I'll mention I think we struggle with it because I think there are these grandiose ideas of let's automate all of our alerts 100% from the cradle to the grave. And it's like, Jesus, that's if that's what we can do, let's rip it and patent it and make me a billionaire because I don't know that that's possible. I think we can get there with pieces of an investigation. But I think we get distracted with the shinies at the end of the tunnel rather than ensuring that the processes we have in place and the investigative steps and all the data that's required to make a disposition on a case are really, really well-oiled before we introduce a programmatic approach to doing that because that can get ugly super fast, as I'm sure you know and everybody else knows.
Mick Leach: Yeah. And I think we've all been, you know, sold some Kool-Aid that sounded amazing, that it would, you know, take the alert in and do everything for you. And then at the end, it would spit out and maybe you would even just have to have an analyst review the decision. But we just haven't, we haven't really encountered that yet. At least I haven't; your mileage may vary again.
Joe Morrissey: We, I think, I mean, to speak personally, I think we're, my team's getting there. It's tough though. I think that's another maybe present challenge and even future challenge is a lot of SOCs that I've toured and heard from. And when I say SOC, I mean like operational security organizations are very siloed. You have like your threat intelligence, you've got an automation team, you have an engineering team, you have a SOC team, you've got your red team. And they're all very, very good in their discipline and super skilled in it. I think what we're starting to see is it's tough to introduce automation between these silos because we, you know, every SOC relies on Intel, right? Every SOC also could rely on AMP testing and automation and requires good detections and the tuning that goes into them to produce good alerts to give us investigations. If there isn't some sort of cross-training between those teams, it's really hard.
Everyone hates this question, what are your requirements for automation? My God, if I have to hear that another time. But it's tough to explain that investigative operational mindset to maybe an automation engineer who's never done this kind of work before. So I don't know how to solve that problem. But I think it starts with encouraging your teams to be empowered to go learn what the other teams do. Carve out a couple extra dollars for them to go to a training. I'm not saying everybody needs to go to SANS eight times a year, but man, there's some good training out there to get some cross-skill action going on.
Mick Leach: I could not agree more, could not agree more, especially now with YouTube being so accessible, LinkedIn Learning, Cybrary. I mean, there's just, there's so many options and such great content being offered. I agree. You don't necessarily have to go to some big name organization where you're going to spend eight, 10, 12 grand on a week-long course. I would argue that some of these are just as high quality, but don't require near that kind of commitment in terms of time or money.
Joe Morrissey: But if you have the option to go to one of those big vendors that offers that and you work for a large enough company that's got an education benefit for you, use it for that, please. It's great. Please use that.
Mick Leach: Yes, yes. And I will tell you here, just a second, in the moment of the confessions corner here, I spent five years at a company that had a very lucrative education benefit and didn't use it one time in my first five years. And even then, when I finally was sort of cajoled, forced, like shamed into going for the very first time to one of those courses, I realized what I was missing. And man, I wish I had had that five years back. I mean, I can't even imagine how much great training, how much more I would have learned, how much faster I would have learned, how much easier the rest of my jobs would have been if I had just used it. So folks, great call out, Joe. If your company has an education benefit, use it. Absolutely use it. So good call out there.
Going forward into kind of the future now as we shift gears, what does it look like? Like what, you know, as we look at how advancements are coming, I mean, how do you think it impacts cybersecurity and more specifically security operations as we go forward?
Joe Morrissey: Yeah, I mean, I think I've alluded to a couple of the things as to where I think it's going, right? I'll just capitalize quickly on that skill gap and kind of deficit that I'm seeing with, you know, super disciplined teams needing to cross-skill. I think that's going to have to happen for us to move forward as a SOC and as an organization. I don't know if we coined this term, but a term I've heard a lot recently is, you know, treat your analysts as engineers and your engineers as analysts. And I don't think that that's meant to be taken literally because they're two entirely different disciplines.
But if you can get some cross-skilling in there, and if you've got SOC analysts who have an interest in their career path to become an automation engineer or detection engineer, there's no time better than now to get them that experience to uplift the stuff they're doing in your SOC today. And if we do that industry-wide, I think that makes everyone's world better. And I think that's happened a little bit more in the tooling part of our industry because I think another thing that we're probably going to start seeing more of is these like big platforms coming in and kind of being a one-stop-shop solution for everything. I don't know that I want to mention any vendors on here, but like you can look around and see them, right? Like we have this company X has got all of your solutions in one shop. And I think I think it's cool. I think it eliminates a lot of complexity with some of the things that you and I struggled with for a long time in the SOC, you know, 10 years ago. But it has some downsides to like we saw a couple of weeks ago. I think that's where it's going. And it might take a couple more of those incidents to maybe change the trend or have some sort of resiliency to that. But I still think that's where we're trending. But yeah, I mean, poly skilling for sure has got to be the future of SOCs and utilization of every tool under the sun. And I just want to say too, if you're a leader out there and you think that you're going to get your SOC to the point of only living in one dashboard for their entire job, it's never going to happen.
Mick Leach: Hold on, Joe, you don't shatter this dream of mine. The one pane of glass that we've heard about for years in every vendor, every vendor's ever promised me that you're telling me it's smoke and mirrors?
Joe Morrissey: I think you can get about 80% of the way there, but I have never come across an investigation in my life that didn't require context outside of that. And maybe we're trending towards that, but the data cost alone to get everything that logs under the sun into one place, I think is still a bit out of reach. Yeah, prove me wrong. I don't think we're close to it though.
Mick Leach: No, I agree. All right. Kind of getting into one last topic and we've touched on it a fair bit, but in terms of those that are looking to get into a SOC role, I know we've shared a lot of really good actionable information so far, but what advice would you give someone that is trying to get into cybersecurity for the very first time? Do I need a traditional four-year college education? Do I have to have certs? Can and will self-study suffice? Like what would you say?
Joe Morrissey: I mean, I think all of the above are valid. It really depends on you. I don't, like I said before, I don't have a degree. Not that I'm necessarily proud of dropping out of school and not having that, but I had to find a different path. So if you do well in a structured environment and you're younger in your life and you need that to mature yourself into learning, by all means use that. I'm not familiar with any super good cybersecurity programs at universities, I think it's still so new, it's tough. But we, I mean, where I'm at, we support some of those. And we do a good job. If you're in one of those programs, and you have the opportunity to go work with a company as like a, like a student intern, or do a rotation in there over the summer, totally do that. Like you will get more experience doing that than what I think you might learn in the classroom. But that's just, I'm just saying that because I don't, I didn't do that that way.
So yeah, the traditional education route, it works so long as you can get your hands on a keyboard and do the things that you're learning for sure. Self-study is what worked for me. I'm a visual guy though. So like if you just give me books, I can't retain anything. I got to get my hands on something. So building a lab is like the one thing I always tell people to do mainly because it's the way I learn. And then just get yourself involved. Right. I mean, the Twitterverse is massive, make connections on there. Go to local cons that you have around. Right. I'm in Ohio, I don't know if I'm going to shout out any on here, but if you ever want to reach out to me, I can give you a list of cons that are inexpensive and awesome. And if you've got the pleasure of going to one of those, participate. Just because you don't know how to do something doesn't mean that you shouldn't be doing it. That's the whole freaking point of going to one of those things and participating in capture the flag. Right. And then there's a ton of free stuff online. Right. Hack The Box. All that kind of fun stuff. Right. TryHackMe. All those things are fantastic.
Mick Leach: All right, look, I do want to shout out the ones that we like. So if somebody just happens to be living within an hour's drive, two-hour drive of Columbus, Ohio, and says, Joe, you brought me right to the edge and stopped short of telling me who to actually, like what to get involved in, tell them now.
Joe Morrissey: Yeah, sure. So I mean, I know they can't see me, but I have my Hackers Teaching Hackers shirt on right now. So that's a local conference in Columbus, founded by one of the guys that Mick and I worked with at the place we were at for quite a long time. Fantastic. I think people drive in from around the country now, are flying in for it. But it's, it's very homey. It's not, it's not a suits conference at all. If you show up with a suit on, you will stick out like a sore thumb. It is a show up with your beard fully out, your tattoos showing and grab a beer and learn how to hack some stuff. It's a fantastic conference. There is value in other ones, right? I think there's a couple of, like Central Ohio InfoSec Summit is a bit more corporatey.
So if you want to go listen to some talks from folks that run programs and have good examples of how they're doing things in more of an enterprise way, that's a good one. And it's pretty inexpensive, but there's a ton of them out there. I'm not going to be able to give credit to all the good ones that are out there, but those are the two that come to mind for Central Ohio.
Mick Leach: Yeah. Yeah. And I would throw out BSides as well. Yeah. And one other that I think doesn't get as much play but probably ought to is different vendors' user groups. So back in the day, there was like a QRadar, like a Q1 Labs user group that became really active in Columbus. And we could go and meet with other geeks. And yes, most of it centered around Q1 Labs' work at the time, but then it grew. And so we started having conversations that didn't have anything to do with Q1 Labs or QRadar or SIEMs at all. And that became very useful as well. Yeah, look for those kinds of things. I would say that if you are, if you go to something and you feel like there's a lot of gatekeeping, you're probably at the wrong one because the best ones I've been to, it's very open arms.
You mentioned Hackers Teaching Hackers, formerly known as 614con. And I will say that was one of the things that stuck out to me most. I took my son to it last year and he was really afraid of going and not looking like he knew anything. He just felt like he didn't, he wasn't at a bar high enough to be there and was afraid to kind of get involved even when he got there. But then as people were inviting him in to try things out, and invited him to ask questions, he had the time of his life because everyone was there to make each other successful. And that's what our community should be about. So I love it, I love it.
All right, with that, Joe, I know we are, we're getting a little long in the tooth, my apologies, I blame Joe. Not for the first time. But what I would ask is this, right? We've had a great conversation for a little while now, Joe, but if someone can only take one thing away from this conversation, what would you have that be for them?
Joe Morrissey: If you're interested in becoming a SOC analyst or diving into your security career, don't let anything stop you. It's only you. There are plenty of resources out there. There's plenty of community out there. I will even offer myself. If you've got questions, you can find me on LinkedIn. You can reach out to me on Twitter. I think my handle's on there too. I love mentoring people, so long as they're serious about it and you've got some sort of plan and what you wanna do. Don't be afraid to dive in. We need smart folks. And just because you think you aren't smart right now, that's nonsense. Let's find out what you're really good at and how to use it.
Mick Leach: Could not have said it better myself. Joe, thank you so much. Joe Morrissey, ladies and gentlemen, one of the greats in our world. So very, very glad to have you. Thanks again, Joe.
Joe Morrissey: You're welcome. Thanks for having me.
Mick Leach: Well, folks, this has been SOC Unlocked: Tales from the Cybersecurity Frontline. I'm your host, Mick Leach, reminding all of you cyber defenders out there to keep fighting the good fight. You're the tip of the spear, so stay sharp. Thanks for tuning in. Don't forget to like and subscribe and check out our other SOC Unlocked episodes. We'll see you all next time. Thank you.