Mick Leach: Hello and welcome to SOC Unlocked: Tales from the Cybersecurity Frontline. I'm Mick Leach, your host and guide on this exciting journey into the SOC universe. In each episode, I chat with various cybersecurity professionals about the latest industry news, emerging threats, practical strategies to keep your organization safe, and more. And this week we are excited to have on the podcast, Joe South. Joe, welcome to the podcast.
Joe South: Thanks for having me. This is a fantastic, I guess, switch of events, You were on Security Unfiltered and now I'm here on your podcast.
Mick Leach: I know we're just bringing things full circle. So for those listeners that maybe haven't yet found security unfiltered, Joe has an excellent podcast called security unfiltered. And it was my pleasure to be on that twice now. Thanks for having me back a second time. Apparently I didn't do too bad a job. He was very kind enough to have me back. And now when we kicked one off here, Joe was one of the very first people I reached out to and said, Joe, listen, you know, I loved being on your podcast. You got to do me a solid and come back on ours. Would you willing? And he very kindly agreed.
Joe South: Yeah, it only took like two or three months to finally get me on.
Mick Leach: Well, you're a busy man. All right. I mean, we all know that security professionals, right, especially practitioners that are in the weeds day in and day out, because you're hooking and jabbing with the bad guys on the daily. Yeah, yes. So.
Joe South: Yeah, yeah, quite literally. And trying to save organizations from themselves.
Mick Leach: Well, that's always a part of what we do. In fact, I would argue that's probably a bigger portion of what we do is protecting our organizations from themselves. Well-meaning folks can wreak havoc in every organization that I've come across. So thank you for that. Thanks for all of your efforts. We certainly appreciate it. And welcome to the show.
Joe South: Yeah, absolutely.
Mick Leach: So as our longtime listeners know, we like to kick this off, learn a little bit more about you. We'll talk a little bit about the past, present and future of cybersecurity, particularly as it relates to like the operations, engineering and architecture capabilities. And then we'll get into a little bit of career guidance. And lastly, we'll hear kind of the one last thing. Sound fair? Awesome. All right. Well, with that, I would love for you to tell us a little bit about yourself. How did you get into cybersecurity? What does your journey look like? And tell us about what you're doing these days.
Joe South: Yeah, absolutely. So, you know, I started this journey back when I was getting my bachelor's, right? So when I was getting my bachelor's, I actually got my degree in criminal justice, fully expected and planned on going into the federal agencies, you know, going to like the darkest hole on earth and spending time there, right? That was my entire intent. And while I was in college, I needed some way to make money, beer money.
Right. I mean, when you're in college, you don't have very many expenses. You know, I had to pay for my cell phone and beer. Right. And so I ended up getting a job at like the school's help desk and did a couple different IT roles in different orgs within the university that I was at. And I hated it. I hated every bit of it. I really, truly thought to myself, man, if I find myself in IT in 10 or 15 years, like I will have really failed. Like this is so terrible.
Mick Leach: That's hilarious.
Joe South: Yeah. So I went in, you know, graduated, and you know, the first thing that they tell you is like, Hey, student loans are going to come due in six months. Like that's when they kick in. And so the quickest way for me to get income was to make a transition into IT. Right. And so I continued on in help desk until I got my federal agency dream job, right? And that whole process is like two years long. So I can't wait around for two years. So I got this help desk job and again, hated it. I hated every bit of it. I thought it was stupid. I felt like it wasn't challenging me. I didn't like it at all. And one of my coworkers there kind of said, hey, did you ever think about going down cybersecurity? Right. Going towards cybersecurity. Never heard of it. Never really thought about it. Anything like that. You know, you always see these breaches and whatnot, but I never thought like, there's someone, you know, that's trying to prevent that internally. Right. Never thought about that.
So I went and picked up the Security Plus book after his recommendation and read it and I couldn't put it down. Right. So it was very interesting to me because I had the right mentality for it. I have that mentality of like always asking questions, always inquiring about different things and whatnot. And so I said, okay, well, if I'm to go down this route, let's make sure that this is the right route because I don't like wasting time. I don't like going down a path and then finding out it's not for me and having to like start over. Right. So I picked up a Network Plus book and the only thing that thing did for me was put me to sleep. I mean, it was incredible how it was able to do this.
I still pick it up from time to time if I'm having trouble sleeping, it just knocks me right out. I would literally be working at my job at a help desk role and I'd be trying to study in between calls or something. And so I'd open up this book and I'd be sleeping and my coworker would have to nudge me like, hey man, you got a call in 15 minutes, you gotta wake up. And I'm like, dude, I can't even, I can't read this book at work anymore.
Mick Leach: My gosh. I love it.
Joe South: Yeah, so I never made it past chapter one of Network Plus, so I figured security is probably the route for me.
Mick Leach: So listeners, call Joe with your subnetting needs.
Joe South: Yeah, yeah, I'm a pope calculator. That's the first thing I'm going to do. It's crazy. But then it took me from there. It took me two and a half years to actually get into a security dedicated role. And that included me finagling my way into security roles and security functions at my current company. I look back on it and I'm like, man, it's incredible that they didn't fire me because I very aggressively took over security there without the title of security.
Mick Leach: Well, but sometimes that's what it takes, right? I mean, you know, I was a military guy, and in the military, we often talked about how we would rather be punished for our initiative than for, you know, the lack of movement. Right. So I love it. I love it. So what happened after that?
Joe South: Yeah. So it took me two and a half years to get in, and that's literally two and a half years of five days a week doing interviews. Because I was applying to every single role that had security analyst in it. If I remotely qualified for the role, if I met like 20% of the requirements, I was applying to it. There would be times when it would be, you know, interviews back to back for a couple hours, right? And I'm like risking my day job because I wanted to get into security so, so badly. You know, looking back on it, I was in a role where I was making $45,000 a year, right? At the end of every month, I was choosing which bills to pay and which bills I could put off for another month, you know, like, that was the financial situation that I was in. And I kind of heard, right? That in security, you'd make a lot more money. I had very little, I guess like upward mobility or growth potential at my current company.
And I didn't want to get another help desk role because I felt like that would just be more of the same. That wouldn't be like a step up for me. I personally like to see a lot of progress. And so that's why I focused on getting into security. I figured surely, you know, one year of doing this and I'll get my break, right? One year passed. I didn't get my break. Took it another year. Right. And then at that half-year mark, you know, I literally said to myself, I mean, I remember this very clearly, right? I had two in-person final round interviews for two different companies. One was in the suburbs. I lived in like the northern part of Chicago, and then one was downtown Chicago. And so one was in the morning, one was in the afternoon, and I literally said to myself, I was like, if I don't get an offer by the end of the day from one of these companies, I'm just gonna find something else to do, because like obviously this isn't for me. I literally remember, you know, like praying that.
At the end of the day, literally, I got home from my second interview of the day and 30 minutes in, I literally just got home. Thirty minutes in, I get a call from the first place and they gave me an offer. And then like while I was on that call, the second place was calling. So I hung up with them and got the second place and I got an offer from them. I was like, man, this is, and it was, you know, at that time it was double what I was making. Right. I was making $45,000 a year, not making anything. And now it's like, like it was such a relief. It was like, my God, like there's a way, there's a way out. Right. And so that was kind of my start.
Mick Leach: That's what I mean. What a start. So, you know, the thing that jumps out to me in that journey is that you didn't give up, right? That it did take longer than you expected, longer than certainly you wanted. And so I suspect that a few of our listeners right now are in the midst of that. And so would you have anything to offer? I know we're going to do career, like traditional career guidance, kind of towards the end of the podcast, but I mean, there are lots of folks that are struggling, that are frustrated, that are, you know, on month three, month four, month nine, of being not where they want to be. Maybe they're out of work entirely. And so, you know, what encouragement would you offer? Having been there yourself and seen the other side of it.
Joe South: Yeah, I would say to not give up, right? Because security is so broad. I mean, back then, security wasn't that broad. It was blue team or red team. There was no purple. There was no in-between. It was like for security, you know, you had those two options. And then if you wanted to stay within IT, it was like systems and networking and everything else. Right. There were so many different opportunities on that front compared to security. And so now with the broad spectrum of security that we have, it's really important to stay focused, keep yourself motivated, keep on doing those little incremental things every single day. Maybe you're working towards getting a cert, maybe you're working towards getting a little bit more experience with something and try to get 1% better every single day. But the most important part is to try and not lose hope.
That's kind of what I was going through, right? Two and a half years in, not getting a single offer, like once, you know, not getting a single offer. And I was losing hope. It's like, okay, you know, this is it for me. This isn't for me, you know, and trying to just give yourself another shot. Right. Because all you need is one. Yes. I mean, I, you know, I went back in my emails. I got told no 500 times in those two and a half years. I couldn't believe it. I got told no 500 times, and I kind of explained it like I was just stupid enough not to understand what no was and kept on trying. Right. For some reason, no doesn't even like work in my brain. It's like, OK, no today or no right now. Let's figure it out tomorrow. You know.
Mick Leach: Yeah. Wow. I mean, but what an encouragement for some of the folks that are listening that either have been there and they can appreciate what you're saying. But also those that are still in that spot, right? You know, 500, if you're at 27 no's, you know, buckle up. I mean, it could get worse. And yes, but there is a yes at the end of this. Don't give up. We'll get there. We'll get there. So you got your yes. In fact, you got two yeses, and you finally got your big break into cybersecurity. Tell me more.
Joe South: Yeah, that first role was, it was really interesting because, you know, in security when you're not on the vendor side, you constantly have vendors reaching out to you, trying to take you out for lunch and games and, you know, everything else. And that is fantastic. You know, like that's such a shift in culture almost, right, to what you're used to, because in help desk,
That never happens. If you get invited to a lunch for help desk, like they're probably like letting you off easy, you know, letting you go and whatnot. Right. So that was a culture shock alone, but then it was also, you know, from the technical side, it was like drinking from a fire hose, you know, like a fire hose on steroids. That's probably the easiest way to put it. And I remember my very first project and my first technology that my manager gave me. I still talk to that old manager to this day. He actually started the Security Unfiltered podcast with me and then he left due to some reasons and whatnot. But he gave me this technology. I won't name the technology because I do not like the technology at all to this day. But he told me, in security, you're not going to come across a more complex product than this.
He's like, I've seen a lot of different products. This is by far the most complex. If you can learn this, you can learn anything. And you being able to like have this skill set and whatnot will pay dividends in the long run. Like he was talking about, you know, you could do consulting and this and that. I didn't really care about any of that, because as soon as he gave it to me, I was more than happy to do it, because you know, that whole time for two and a half years, I was being told, No, you don't have experience with X technology. And so when I started there, it was like, Hey, give me everything. I want to own the entire security stack. It doesn't matter what it is. And they did that. They gave me it, right. And, you know, through the misery of learning that dreaded technology that I strongly dislike to this day, came opportunities that I never even expected.
You know, companies started to reach out to me for consulting on that technology because, apparently, no one in the industry really had experience with it. And I'm over here. I'm the only one that deployed it. Which is, I guess, good and bad, you know, like it opens up a lot of doors, but it's also a miserable door.
Mick Leach: Sure. Been there. So cool. And that brings you to, what are you up to these days?
Joe South: Yeah, now I am the principal cloud security engineer for a large automotive manufacturer. So that's, it's interesting. You know, I didn't like get into security with the goal of cloud security, right? I got into security with the goal of security and then to get experience with a broad range of technologies and domains. And then from there, you know, I tried to look five to ten years out and see what is valuable. Where's everything going? Because I don't want to be in five to ten years, you know, potentially with a family at that time, right, and be unemployed because I didn't think ahead and didn't plan for that. And so I identified cloud security very early on. I mean, cloud security was not even really a thing. AWS didn't even have their security cert for the cloud. And so I identified that as somewhere I wanted to go. Right. And so I went and eventually, through persistence and not giving up, got my break in cloud security because I had such a broad range of experience. I had the network security experience. I had firewall experience and switch experience. The stuff that would put me to sleep, now we spun it, put that security twist on it. And now I'm immediately interested in the ins and outs of SSH and Telnet and whatnot.
You know, I had the endpoint experience, the IAM. In the cloud, all of those things come together, right? So, like, at least right now in the industry, you're not going to your cloud network security guy. It's like, no, you're going to the cloud security guy and he's going to know network security. He's going to know the firewall. He's going to know IAM, data encryption. Oh man, there's so many different facets of cloud security. It's pretty intense and overwhelming at times.
Mick Leach: Absolutely. I mean, absolutely. Yeah, you're right. The cloud kind of united everything that for years we all had on prem. You know, these were physical devices and now they're all, you know, software. So, you know, these are just software changes that can be made. And so it's so much more important that you bring someone in that has that breadth of experience, that understands I'm going to open this port, you know, in this service. And suddenly, because without that experience, you can find yourself in a very tenuous place.
Joe South: Yeah, yeah. It's, you know, the cloud is interesting because you're going from, you know, like that on-premise infrastructure where if you want to pull the power plug on something, you absolutely can. Like you can go in there and pull the power on a server, and in the cloud, you can't touch it. You're not running the cable, nothing like that. And it's difficult for a lot of people to extrapolate that out. And now I'm getting my PhD in securing satellite infrastructure, right? So that's like taking it up a couple of notches from the cloud. It's like, you want to run different things or you want to just do an update. You want to just do a normal update? Well, you may not be able to for 24 hours. There's a zero day. Doesn't really matter. You got to figure it out.
Mick Leach: Yeah, wow. I mean, you're like, I'll see your AWS and I raise you space. That's fantastic. So the next part we love to jump into is kind of talking about the past, the present and the future of cybersecurity here. So in terms of past, it sounds like you've got a wealth of experience across a whole bunch of different roles. Can you tell us about maybe one of the more interesting or challenging cybersecurity threats or attacks that you've come across in your time and how your team responded and just kind of go sort of full storytime mode here.
Joe South: Yeah, sure. So I'll leave the company out. Of course, I don't want to, I don't feel like getting sued today. Yeah, that would be a difficult conversation with the wife. Like, Hey, I got sued going on this podcast. But, you know, I was leading the privilege access management team at, you know, a fairly large company. If I said their name, literally everyone would know it. And the solution that we owned was something that tied into AD and other account directories and rotated the passwords. And there was a large amount of these accounts, maybe 25-ish thousand that were supposed to never rotate because they were service accounts. And we were working through manual rotation of those accounts, kind of one by one, because it's all very, it's very unique for each application and function and whatnot.
And we had recently performed an upgrade on this solution. And, you know, in my own preparation for this, you know, I was working with my account manager, and the account manager constantly told us there's no hotfixes that you have to run after you do the upgrade. There's no, you know, issues that you have to fix or look out for or anything like that. This thing has been in the wild for, you know, a month or 45 days and
You know, if anything pops up, I'll tell you about it and whatnot. Because I, you know, I take it from a customer obsessed approach, right? Even when I'm internal at an organization, my customer is my fellow employees. My customer is all the people that are using the solution. And so I'm very obsessed about, you know, uptime and availability and scalability and how quickly they can use it and access it, all that sort of stuff. So anything that would bring down my solution is not something that I've looked over, you know? And so, you know, we ran this upgrade, the upgrade went terrible. I mean, it was probably the worst upgrade that you could possibly like ever think of. This two-hour upgrade, it was supposed to be two hours on a Saturday with all the testing and everything else like that, turned into, I think it was, an 18-hour upgrade.
So we worked for 12 hours and then it got to a semi-stable state, and we worked the next day for another six-ish hours on Sunday. Monday comes around and the solution is up. It's running. It's doing its thing. And I just got back from lunch, literally just sat down at my desk, logged in and I saw a little prompt come up from Windows saying, your password changed, log out, log back in with your new password. I thought nothing of it because I was actually at like that 90-day rotation point. So it was very feasible that my password would have changed. I figured the text was wrong because obviously my password didn't change. I just logged in with my password, right?
So I figured it was wrong. I figured it was literally time for me to change my password. So I log out, log back in and I can't log back in. There's no prompt for, you know, put in your old password and here's the new one and everything else like that. So I was like, okay, well that's weird. You know, let me go over to like my global SOC, which is, you know, a two-second walk away. And it was a very impressive room. There's a giant room, as big as you can, you know, think of for a SOC, that has a wall of nothing but TVs. And then you have 200, 250 people in desks, you know, doing different tasks and whatnot. Being more senior, I could walk in there and I can, you know, shift whoever's priorities I needed for that day. Right. Which the managers did not like because they, like, didn't really own their employees' time, but I had that leverage or that leeway to do that. So I walked over to one of my, you know, one of my team's specific SOC employees. And I just said, Hey, it says my password changed or something. You know, can you just like rotate it real quick or let me change it? You know, and I'll get back in real quick. And she said, yeah, of course, you know. And so she went ahead and, you know, changed my password. I put in the new password and whatnot. And I was like, you know, how's it going?
And she's like, it's fine. You know, a new ticket came in for someone's password to change, or they didn't have access. And so I went out and just changed the password in there and re-synced it with AD. That was what we had to do. It was a very normal task. I mean, we do that, you know, constantly throughout the day, every single day. Right. Because that's a fix for like a very well-known issue. Passwords just get out of sync. It's a very large database. So there's going to be sync issues at times.
And so we went into our solution that we own, the Privilege Access Management Solution, and we saw all of the accounts had been rotated all at the same time. And we're like, well, that's unlikely, not unfeasible, but it's unlikely. And so we pulled up like a critical account, you know, because like we, you know, out of like 25,000 accounts, you know about 15 or 20 of them. You know, you can name them right off the bat, right? So we pulled up a couple of those and those were in queue to be updated.
And you know, this is 1pm, literally just got back from lunch. I was at lunch with my director, right? And we, you know, we were having a good time, and we both looked at each other and it was like, we were just pale. It was like, no. Cause we both knew what happened, right? Something broke in the update that we didn't know about. We were not told about.
Mick Leach: Right. It cycled all the passwords.
Joe South: Yeah, it did not accept the database filter. So when you select a single account, you know, it's normal. It's a normal task, right? You're looking for a certain account to change their password, to re-sync it with AD so that they can log in. You select that account, you filter it, you select that account. On the backend, the database does not see the filter, and it sees when you select something that you select everything. So it literally starts rotating everything. Yeah. So thankfully we have about 45-ish thousand accounts in this database and their queue does 15 a second. Right? So it's a small number, but it's every second. And so it starts inching through this queue. And so I literally had to tell her, I was like, go grab this conference room, get all of our team in there right now. I need to go tell like management what just happened. And I literally had to go and tell the managers and tell very specific people in the organization, you are not allowed to log out of your computer. I don't care what you do the rest of the day. You're not allowed to log off, because the reason why I had to do that is because we had a legacy AD infrastructure. So we had a global AD that pretty much no one knew about except for three or four people. There was literally 10 accounts in there.
I had just onboarded the global AD accounts into this solution. And I actually brought it up to my manager. I was like, Hey, this is probably a bad idea. I mean, what if something like this were to break? And he goes, it's not going to break. We're just going to set it as never rotate. And it was only 12 accounts, you know, so it's very easy for me to do it because I have that experience that my prior manager, you know, told me would be very valuable someday. And so I just put them in. I mean, I think it was like a couple of days before the upgrade. I just put them in, you know, 'cause it was like, it was dealing with like my own project goals and whatnot. And so they're in there. And so I had to tell a few very select people.
Like, hey, you know, this is what's going on. You're not allowed to log off. We have to ensure that we have control over global AD, because in Microsoft AD architecture, if you don't understand what that is, there's a global AD and then there's AD for everyone else. Global AD runs the AD for everyone else. And if you lose access to global AD, you automatically lose access to everything else. And so we were quite literally three accounts away from losing access to our environment completely and having to call Microsoft and saying, Hey, do you guys still have a golden ticket by chance?
Mick Leach: My gosh, what a crazy series of events. My gosh.
Joe South: Yeah. Yeah. That was my life for the next 48 hours, because we had to then, and I didn't know that we had this at the time, right? We had a password interceptor in the environment. It intercepts every password and keeps just a log of what that password was and the hash and whatnot. Just for like, it was for another solution that wasn't really related, but it was there as like a just in case, like the architect that thought through this design was just like, and we're technically paying for it through our subscription. We'll just deploy it. It'll probably never come in need or anything. And there were literally two people that knew about it at the organization. And it just so happened that one of those people was one of the key people that I pulled into, you know, that conference room to say, Hey, this is what happened. We need to like somehow set these passwords back to their old password. And so we had to create a playbook on the fly of, well, how do we, like we had to essentially reverse engineer these passwords that were supposed to be secured with hashes. Right.
And go through that whole process. That process alone took something like eight or 10 hours to script out. Right. And then let's not even include testing, and then let's not include breaking the hashes. So we literally had to hack our own environment and get us back in, all while, you know, there's a political battle going on internally at the organization. So there's a red team at the organization that wants to consume everything that the blue team is doing and take it under their ownership. And so if they caught wind of this, you know, they would immediately say, well, we're going to beat them to the punch and we're going to break all these hashes then and, you know, take a little bit of ownership of this thing. So it was extremely stressful. And then, you know, the following morning, of course, on the call with the vendor and, you know, I pulled up the 15 emails that I sent to them saying, Hey, is there a patch or a hotfix that you would like me to deploy on day one so that we can avoid an outage? You know, me literally saying that to them and them telling me, no, there's nothing. It's a perfect update. Perfect piece of software.
Mick Leach: My gosh. And so how did that play out then?
Joe South: It was tough, you know, because as a customer obsessed person, right? I did a lot of work. I did a lot of, I guess, groundwork, right? With the rest of the organization trying to build their confidence in this solution. Because the things that we were trying to do with this solution were very ambitious. I mean, no other customer for this vendor had, you know, the goals outlined or had deployed it in their environment as widely as we planned on doing it.
And so I needed buy-in from the business. So when this happened and word got out that it had, you know, rotated everyone's passwords from an action that is literally done every single day, multiple times a day. You know, everyone kind of lost trust. And so I immediately had to go into, you know, that customer obsession of, you know, kind of siding with the business, siding with the organization and saying, yeah, you know, we messed up. We didn't do something right. We adjusted the plan. We adjusted course. We have controls in place now that, you know, should catch something like this, you know, and I went about actually creating something like a 250-step testing procedure, right? Where when we deploy this new software version into our lab environment,
The lab has to meet certain requirements, right? It has to be managing a certain amount of accounts. Even if those accounts don't like control anything, it has to be managing all these different accounts. And then you have to go through this 250, you know, step testing process. It's everything that you can do within the tool. It all has to be tested and vetted. And it takes, you know, about a month and a half for anyone to just go through and ensure that it works. And you have to sign your name next to each item. Right? So you have to understand what you're signing your name to, because if you miss one and it breaks and it's, you know, not what was claimed to be, there's going to be repercussions for it. So it was an interesting time. It really taught me a lot in incident response. And, I guess, was it public scrutiny or public relations, you know.
Mick Leach: Sure. Well, and you bring up a good point, right? Trust is hard to build and is broken very quickly and easily. And, you know, I think that's where, you know, to your point, there's value in transparency. You you look at a major EDR vendor had an issue not long ago. And I would argue that their CISO had come out. Their CEO put a bunch of stuff out and it was good. Their CISO came out and I thought gave an absolute master class in ownership. And if you haven't seen that, you can find it easily. It's out there in the interwebs. But there was a post from that CISO that said, basically just taking complete ownership. We messed up. We owe you more and we'll do better.
And there was no there were no excuses. It was just pure ownership of the problem and then a commitment to doing better going forward. And frankly, as a customer, you can't ask for much more than that from your vendors. Right. I don't want to hear excuses, but just tell me that you you've dropped the ball and and how you're going to fix it. And I know here. At Abnormal, where I work, is a key facet of our leadership strategy is that level of intellectual honesty and customer obsession.
Joe South: Yeah, I mean, I even, you know, a couple of years ago, I read the Extreme Ownership book by Jocko Willink, right? And it kind of restructured or reframed leadership for me, right? Because a lot of the times it's very easy for people in leadership positions to put the blame on your team and then also, you know, take all of the congratulatory, you know, talk and praise when things go right. And really that book kind of flips everything, you know, on its head, right? Like you're no longer, you know, accepting the reward of your team's work. You're directing it all straight to them. And if they do something wrong, it's on you, right? Because you communicated improperly. You didn't communicate the importance of this. You didn't set standards and guidelines. There's a million things that you could have not done that would have prevented it. At the end of the day, it all rolls up, right? Like you're either going to get all the blame or you're going to get all the praise.
Mick Leach: Yeah, agreed. I've heard that leaders, it's also ingrained in us in the military, is that leaders are accountable for everything that happens in their area, right? Everything that they're responsible for. And they should take ownership of all of that in terms of the challenges. When it goes wrong, it's your fault. When it goes right, it's your team's success, right? So you point and you share the kudos, the congratulatory stuff with the team at large and then you own the things that went badly. So agreed, agreed wholeheartedly. So that's a lot about the past and crazy story that I'm glad I didn't have to suffer through, but I'm sorry that you did. What about today? What do you think in your opinion is the biggest sort of threat facing security operations today?
Joe South: Hmm. That's a good question. You know, I think it's more because now we have a very cloud-centric approach to everything and the risk is much more internal now. You know, it's not just social engineering. Like, you know, a lot of people used to think that's what insider threat was and whatnot. It's literal misconfiguration of things. You know, you think that it's right. You think that it's okay for you to do and it's misconfigured and, you know, now we have a breach, right? Now we have a huge giant issue. The cloud is really great. One of the things that it does really well is it makes it very easy for you to deploy a very large amount of infrastructure. And maybe its biggest downfall is also that you can deploy a lot of infrastructure really easily. Right. Because you.
You don't have to have separation and segregation in your network between billing accounts, between, you know, different infrastructure and whatnot, right? You don't have to have that because there's nothing keeping you from deploying it if you don't have it. Right. So a lot of the times these organizations, they'll say, okay, we're going into, you know, name your big three cloud provider, and the developers immediately somehow come up with a company card and they start billing it to that company credit card and they're deploying things in there, you know, that you don't know about, that you've never even heard of. I worked for a company where I interviewed and they said we're 100% AWS, you know, yeah, we have some on-prem stuff, you know, AWS is our only cloud provider. I get there maybe six-ish months in.
You know, you hear about having a footprint in Azure, but it's only AD accounts, right, like everyone else in the world. It's only that. And then you start talking to the right people, or maybe the wrong people, and they tell you, yeah, we deployed this production app in Azure. It's using blob storage. It's doing this. And I'm sitting here, you know, you want to say that again, potentially, you know, and they're like, yeah, we're talking about using, you know, GCP in a couple of months here. And then you talk to some other people and they'll tell you, we're already in GCP. What are they talking about? Like we have this app that's running out of GCP and it talks to AWS and it does all these things. And I'm sitting here. So I'm a team of two doing cloud security at this organization and we are in three clouds. That is literally learning three languages, you know, and two of them are all at the same time. It's like, you know, us speaking English and now we're going to throw in Chinese and German and you have to learn those two at the same time, two completely different languages in every way.
Mick Leach: Yeah. Oh my gosh. Yeah. Fair point. I mean, it feels like at every organization that I've ever been to, shadow IT has been a problem. Now, historically, that wasn't that big of a problem because, yes, they would buy things and install it. But you're talking about installing it on on-prem infrastructure, right? They still had to come to you. Maybe they're running it on a, you know, a laptop or something under their desk that they try and turn into a server. I've seen that. But most of the time they still have to eventually come to you and be like, look, I need a server so that I can install the stuff I bought. You're like, OK, well, let's put it through third-party risk and let's give it a look. But today, anybody can spin up infrastructure in the cloud so quickly. And now they don't have that gate that they have to pass through. And so, you know, shadow IT has become just a much bigger problem these days.
Joe South: Yeah. And sometimes those gates that we think are in place are not really in place, right. At one of the roles that I was at, you know, I was told, you can't, you know, push anything to the public internet. It can't have direct internet access or anything like that. You're not able to deploy a Kali Linux VM into the environment. It's not allowed, and all of these different things, right. And me, you know, having the security mind that I do, when someone says I can't do something or won't be able to do it, like, well, let's give it a try, you know, and sure enough, here we go. I have a public Kali Linux VM, two things that they said I should never be able to do. The alarms went off, right? But I still had it. I still had it in the environment and people were saying I couldn't do it, you know.
Mick Leach: Yeah, yeah, there's a big difference between detect and prevent. Okay, wow. So looking forward, though, if we're to put our future glasses on, you know, what do you think is coming down the pike, if you will? Where's, you know, cybersecurity operations headed and what are the kinds of things we need to be on the watch for?
Joe South: Yeah. So those are great questions. And I think it's a three-part question, right? I see cloud security turning into, you know, what legacy security was, right? Where you have a cloud network security team, you have a cloud data security team and so on, because these domains are getting so large that one person cannot know every single thing in these clouds. You know, last year alone, AWS added over a hundred new services to AWS, which boggles my mind as to how anyone could even think about keeping up, right? I mean, that is just absurd. And they're all tying together. They're all talking to each other. They all have their own subset of services that have their own subset of security controls and things that you have to be aware of and whatnot. It's an insane size of a potential network, you know, or a potential environment. Right.
So I think cloud security is going to get, you know, broken up into the different respective domains. And then we're going to see a very, it's probably an easy answer, right? But we're going to see a very large focus on AI security and what to do with AI, because now every company is using, you know, AI to some extent, not just in their, you know, security solutions that they bought that had that slogan of next-gen, next-gen AI or whatever it is, right? We're actually working with putting real data into AI and getting an output. And what does that AI do with that real data once we put it in there? Right. And then the third part, which is why I'm getting my PhD in it: I think the next war front or battleground will be in satellites, right? Because the next major war.
You have to think about what it would take to actually get the upper hand on a nation state, on a country. What's the very first thing I'm going to do? I'm going to intercept all the connections and I'm going to limit their GPS capabilities. Why would I not do that? Right? We're trying to win here, right? You don't go to war to lose, you go to war to win. And so I think that that's the next frontier, the next battleground that some people are starting to wake up to. I mean, like, there's literally maybe 25 of us, right? That I know of that are actually focused on satellite security and saying, wait a minute, you guys don't have standards? Like they don't have standards up there. I was talking to someone in the Space Force and he was saying, yeah, I've done satellite stuff for 23 years and you could do your PhD on the standards that we should have on satellites because we don't have it.
Mick Leach: Wow, that's not a little bit terrifying.
Joe South: Yeah, it's because they assume that it's so difficult to reach it. There's no way that you're going to unintentionally reach it or intentionally reach it through other means. When me and a couple of other hackers at Defcon are sitting here, like, I have this antenna extender. I can literally just point at your satellite and time it right and I'll get in. Like, that's what you do.
Mick Leach: Right. Yes. To your point earlier about tell me something I can't do and I'll show you something I can do. Right. I mean, that's the hacker community summed up in a phrase.
Joe South: Yeah. You know, I read an article not too long ago. I think it was DEF CON, not this year, but it was like DEF CON 2023 or maybe 2022, where a general was challenged in the military, right? To have an F35 hacked. And he said it was unhackable. There's no way, it goes through so much R&D and everything else like that. And someone said, well, why don't
You know, DEFCON is around the corner. You have a very large military base close to DEFCON. Why don't we just take these hackers out on a helicopter to this military base, walk them into this hangar where the jet is. They're not allowed to touch it. They can, you know, not go closer than 10 feet, and see what they can do. And the hackers were not only able to take over flight controls, radar, the GPS, they were able to take over the weapon systems and launch weapons and things of that nature. And, you know, they had very strict guidelines around that. Right.
So it was essentially like, when you get to a point where you're in the weapon system, right, you show us theoretically what you could do from here, but you're not allowed to go any farther. Right. And I mean, these hackers, you know, they said that they got it done in something like five hours. Five hours. They were able to do all of that. Right. And the general was completely blown away, completely blown away. It was like, I didn't even think that this was possible. It's like this never crossed my radar.
Mick Leach: That's crazy, crazy. Well, jumping ahead, we're kind of running short on time here, running long on time, I suppose, but career guidance. If somebody is saying, listen, Joe, I want to get into cybersecurity and maybe I'm not working towards my PhD in satellite communications or security. What would you recommend? Where do they start? What's the best way to get in?
Joe South: Hmm. Yeah. The best way, honestly, is, you know, you're going to have a robust home lab, right? And you need to go and pick up some security books, right? You look behind me, this entire bookcase is nothing but security books. I've spent an embarrassing amount of money on books, just on cybersecurity books, and literally go through them. You know, I went through and I went and set up a whole security lab and then I went and bought a reverse engineering malware book, right? And started figuring out, and I actually got access to a malware database that has every strand of malware that you could think of, right? Just ready to go right there. And they literally tell you, like, what you do with it is not up to us. It's on you. You know, they have Stuxnet in there and everything. And I start putting it through and learning the different IDA Pro, you know, steps and capabilities, that you can step through a piece of malware like that, right?
But taking that same mentality, and you don't have to go as deep as malware engineering, right? You can go with, you know, vulnerability management. How do I actually patch it? How do I patch something that is supposed to have high availability without it going down, right? Like let's make sure that this thing never goes down, and in that lab, you know, you're gonna destroy it. You're gonna blow it up so many times, many more times than you're willing to admit, but you're going to learn a lot every time you do it. And so approaching it from that front and gaining certifications along the way, you know, things like Security+. I would never recommend anyone get the CEH, but you need to know all of the information that they have in that book. You know, in building your career in steps like that, learning the cloud, right?
Every cloud provider has a cloud foundations certification for their cloud. You should absolutely have all three of those. There's no reason not to. It is literally three different languages. And so, you know, they're all at the same difficulty level. So if you get the AWS foundation cert, you can probably go get the GCP foundation cert and the Azure one. It's just a language barrier. It's learning the verbiage. And those things together will get you in the front door at any company. You will at least talk to someone that could make a decision that'll get you in.
Mick Leach: That's awesome. Great advice. Getting into that home lab, getting the books, rolling up your sleeves and giving it a try. So awesome. Joe, if someone can only take away one thing from this wide-ranging conversation that we've had, what would you have that be? What would you have them walk away knowing?
Joe South: Hmm. I would say maybe two quick things, right? Never give up and never stop asking questions. 'Cause as soon as you stop asking questions in security, that's when you really start to fall along, you know, with everyone else, right? Like you don't want to be like everyone else in security. You want to be your own unique self with your own unique skillset and, you know, focuses and whatnot. And that's how you build that, is asking those questions and continuously asking.
Mick Leach: I love it. I love it. Don't give up. Be curious. Awesome. Joe, thank you so much for your time. I appreciate it. This has been a fantastic conversation. So thank you again.
Joe South: Yeah, absolutely. I really appreciate you having me on and more than happy to come back on whenever you want me.
Mick Leach: Hey, stay close to the phone. We'll reach out. Folks, this has been SOC Unlocked, Tales from the Cybersecurity Frontline. I'm your host, Mick Leach, reminding all you cyber defenders out there to keep fighting the good fight. You're the tip of the spear, so stay sharp. Thanks for tuning in. Don't forget to like and subscribe and check out our other SOC Unlocked episodes, as well as Joe's podcast, Security Unfiltered. You guys can find that in all the same areas. He's also on YouTube as well. And with that, folks, we will see you next time. Thank you.