2. ABOUT ME
C:\>whoami /groups

GROUP INFORMATION
-----------------

Group Name              Type              SID           Attributes
======================= ================= ============= ==================================================
CURRENT\Halyard Health  Well-known group  S-1-5-15      Mandatory group, Enabled by default, Enabled group
HALYARD\Cyber Security  Alias             S-1-5-32-544  Group used for deny only
CURRENT\H-ISAC          Well-known group  S-1-5-4       Mandatory group, Enabled by default, Enabled group
CURRENT\DC404           Well-known group  S-1-2-1       Mandatory group, Enabled by default, Enabled group
PREVIOUS\Cisco Systems  Well-known group  S-1-5-32-545  Mandatory group, Enabled by default, Enabled group
PREVIOUS\GE Energy      Well-known group  S-1-5-4       Mandatory group, Enabled by default, Enabled group
3. AGENDA
• Cyber Security Career Tracks
• Entering the Cyber Security Industry
• Degrees and Certifications
• Career Progression
• Improving Your Effectiveness
• Continuing Education
10. ENTERING THE CYBER SECURITY INDUSTRY
• You can start a cyber security career from just about any background.
• BUT technical careers will require a technical background
• You can get a degree in cyber security
• The traditional approach is to get a job in technology, then pivot into security
• Software Developer -> Software Security, Malware Reversing
• Network Admin -> Network Security
• Application Platform Admin -> Identity & Access Security
• Desktop Admin -> Endpoint Security, AD Security, or
11. HOW DO YOU PIVOT INTO SECURITY?
• Learn a technology, then learn what “Security” is for that technology
• Learn the security features, policy options, default vs. secure configuration, recommended security settings
• Research past/known vulnerabilities in the technology
• Learn how to “hack” the technology
• Learn how to protect against hacking
• Use free resources (SANS, CIS, OWASP, Adsecurity.org, decentsecurity.com)
12. WHAT IF I’M NOT TECHNICAL?
Still Need to Learn Security Fundamentals and Concepts!
• Project Management, Program Management
• Compliance, Audit
• Governance, Policy
• Awareness, Training, Technical Writing
• Risk Quantification
• Legal, Regulatory, Privacy
• Sales/Marketing!
13. ABOUT DEGREES AND CERTIFICATIONS
• Why are college degrees worthwhile and/or required?
• About Cyber Security degrees
• Industry Certifications – the Good, the Bad, and the Ugly
15. DEFENDERS CAREER PROGRESSION – ENTRY LEVEL
• Operator (Level 1): Technical support role. Follows scripted processes and procedures. Uses documented knowledge base articles for operations, troubleshooting, and support. Little to no creative flexibility.
• Operations Lead (Level 2): Oversees execution of Level 1 Operations teams. Acts as escalation point when Level 1 staff cannot resolve issues.
• System Administrator (Level 2): Trained on operation/use of specific products. Knowledgeable about configuration, maintenance, and troubleshooting. Focus is on stable
16. DEFENDERS CAREER PROGRESSION – ADVANCED
• System Engineer (Level 3): Expert knowledge of specific products, processes, or capabilities.
• Program Manager (Level 3): Functional responsibility for delivering security services, capabilities, or compliance.
• System Architect (Level 4): Design integrations between multiple systems to provide holistic security capability or end-to-end policy implementation.
• Principal Engineer (Level 4): Industry-leading knowledge or expertise in a domain.
18. USE THREAT MODELING
“Threat Actor X seeks to achieve Outcome Z”
What are the Actions (Y) that they could perform?
Opportunistic, Organized Crime, Insiders, Nation-States, Competitors
20. LOOK FOR THE END-TO-END VIEW
How do you respond to a malware infection?
• Scan and clean? (Nuke and Pave?)
• Offline analysis/clean?
• Submit to vendors?
• Remediate infection ingress root cause?
• Share threat intelligence?
21. HAVE A VISION AND ARTICULATE IT
• Effective Communication Is Critical
• Don’t Assume That Constraints Are By Design
• Speak Up When You See Opportunity
22. THINK LIKE AN ADVERSARY
“Why Will This Work?”
“Why Will This Not Work?”
“How Could An Adversary Respond?”
23. ANALYTICAL PROGRESSION
How is it done today?
What are we functionally trying to achieve?
What are the gaps in the current approach?
What are the factors to consider?
How should it be done?
25. CONTINUING EDUCATION
• Advance Your Threat Models
• Technical, Cybercrime, Nation-State
• What is State-of-the-Art?
• Improve your Toolbox
• Keep Up With Industry News
• Learn New Threat Mitigations
26. CONTINUING EDUCATION
• Security Social Media – Twitter, Podcasts, Slack/Discord channels, LinkedIn groups
• Beware the “echo chamber”
• Attend vendor events and conferences
• Take their promises/vision with a grain of salt
• Attend vendor-sponsored learning/networking events
• Attend industry/community events and conferences – ISSA, BSides, OWASP, DEF CON, etc.
• Attend paid conferences
• Attend paid technical trainings
Cool circuit board theme
I use the word cyber a lot, don’t make it a drinking game. You might not survive.
Speaking of the word cyber, why do I use that term?
What is the scope of the security team’s mission?
IT Security – Protecting assets managed by the CIO – network, servers, PCs, applications
Information Security – Protecting information in all forms; includes handling policies, retention policies, clean desk, media, etc.
OT – Factories, Refineries, Utilities, Industrial Control and Automation Systems
IOT – Internet of Things; widely deployed sensors and controllers
Cyber Security encompasses the digital realms of IT, OT, and IOT security but not the physical realm of information protection
Three primary types of career tracks in Cyber Security
Defenders
Assessors (not Attackers!)
and Researchers
Defenders – Responsible for protecting an organization’s information, assets, or technology.
Define organizational policies, standards, processes, and procedures
Design, implement, and operate security tools, platforms, and secure systems
Develop secure products and services
Industry associations (ISSA, ISACA, ISACs, Forums)
Landscape from Momentum cyber security almanac 2019
https://momentumcyber.com/cybersecurity-almanac-2019/
Assessors – Responsible for measuring and assessing an organization’s posture, compliance, risks, vulnerabilities, or threats
Risk assessment, adversarial emulation, threat modeling, capability/maturity evaluation, standards/policy compliance evaluation
Recommend risk mitigations or controls efficacy improvements
Provide assurance certifications to third parties
Security Assurance Attestation
Penetration Testing
Risk Assessment / Register
Threat Modeling / Attack Tree
Compliance Certification or Attestation
Researchers – Advance the state of cyber security
Discover new vulnerabilities and exploits
Analyze how vulnerabilities are exploited by threat actors
Show of hands – how many people know:
Marcus Hutchins – WannaCry ransomware takedown / kill switch – arrested in 2017 in LV after DEF CON
Tavis Ormandy – Google Project Zero – OSS, Windows, Linux, Imperva, D-Link, LastPass, and more
Brian Krebs – Cyber Underground and Data Breach Reporter
The focus of the remainder of this presentation is on the Defenders career track
#1 because that’s what I do
#2 because that’s where most of the jobs are
If the Assessments or Research tracks are of interest to you, think about the remaining presentation from that context
SW Devs can also pivot into Penetration Testing or Exploitation Research
Internet Storm Center
Reading room
Cyber security degrees are all unique – some are glorified Metasploit and vuln scanning certifications, others are much deeper
Security degrees go technically deep much faster than could be achieved via a career pivot, but don’t generally focus on mitigations and threat details
What does career advancement look like in Cyber Security?
What does career path look like?
Depth + Width of expertise
Width: How many technology domains you know
Depth: How well you know them
Level 1 Ops – Narrow and shallow
Level 2 Ops – Wider and shallow
Level 2 Sysadmin – Narrow and Moderately Deep
Depth + Width of expertise
Level 3 Engineer – Narrow, Deep
Level 3 Program Mgr – Wide, Moderately Deep
Level 4 Architect – Wide, Deep
Level 4 Principal – Moderately wide, Very Deep
So you’ve been in your security career for a few (or several) years now and you want to get to the next level.
Accept, Mitigate, Transfer, and Avoid
Example of SMS for password reset versus the risk of Adversary performing a SIM hijack
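As an added example (not from the presentation), the “Threat Actor X seeks Outcome Z via Actions Y” model from slide 18 and the SMS-reset versus SIM-hijack note above can be written as a small attack tree and evaluated in Python. The action names and effort figures are constructed; mitigate() stands in for the “Mitigate” treatment, while “Avoid” would delete the subtree outright.

```python
from dataclasses import dataclass, field

INF = float("inf")


@dataclass
class Node:
    """One node of an attack tree: a leaf action, or an AND/OR combination of children."""
    name: str
    kind: str = "leaf"          # "leaf", "and" or "or"
    cost: int = 0               # relative attacker effort for a leaf (constructed values)
    children: list = field(default_factory=list)
    mitigated: bool = False     # True once a control removes this action


def cheapest_path(node):
    """Return (effort, leaf names) of the cheapest attack path still open below node.

    A mitigated node costs INF, so an AND branch containing it also becomes INF
    and an OR branch simply falls back to its next-cheapest child.
    """
    if node.mitigated:
        return INF, []
    if node.kind == "leaf":
        return node.cost, [node.name]
    results = [cheapest_path(child) for child in node.children]
    if node.kind == "and":
        total = sum(effort for effort, _ in results)
        leaves = [leaf for _, path in results for leaf in path] if total != INF else []
        return total, leaves
    return min(results, key=lambda result: result[0])


def mitigate(node, name):
    """Apply the 'Mitigate' treatment to the named action; returns True if it was found."""
    if node.name == name:
        node.mitigated = True
        return True
    return any(mitigate(child, name) for child in node.children)


def build_account_takeover_tree():
    """Constructed tree for 'Threat Actor X seeks Outcome Z': account takeover via password reset."""
    sim_hijack = Node("SIM hijack at the mobile carrier", cost=40)
    sms_reset = Node("Trigger SMS password reset", cost=5)
    sms_route = Node("Reset password through SMS", kind="and", children=[sim_hijack, sms_reset])
    phish = Node("Phish password and one-time code", cost=60)
    return Node("Account takeover (Outcome Z)", kind="or", children=[sms_route, phish])


if __name__ == "__main__":
    tree = build_account_takeover_tree()
    print("before:", cheapest_path(tree))           # SMS route, effort 45
    mitigate(tree, "Trigger SMS password reset")    # e.g. move resets to an authenticator app
    print("after:", cheapest_path(tree))            # phishing route, effort 60
```

The defender's question is which leaf, once controlled, raises the cheapest remaining path the most; here removing the SMS reset is worth more than hardening the carrier relationship, which the tree makes explicit.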
Talked earlier about Level 2, 3, 4 roles – What is the defining characteristic of those who advance?
Defining characteristic of experienced practitioners is their critical thinking and analytical ability
With experience comes the knowledge of your organization, risk factors, threat models, and how controls address risks
How is it done today: Basic understanding of the issue and process to address it
What are we trying to achieve: Understanding the intent behind the outcome
What are the gaps: Ability to compare the existing solution/process against the intent of the objective
Factors to consider: What are the risks, threats, limitations of controls, scalability or complexity of solution, etc?
How should it be done: Considering all of the above, what is the best way to achieve the desired outcome?