In this two-part post, we wanted to give our SANS prospective students as well as our broader info sec community, a peak into the story of one of our course authors, John Hubbard, who recently launched a new course, SEC450: Blue Team Fundamentals – Security Operations and Analysis.
In part one, you’ll get to know more about John: his early career aspirations, insights from his career journey with GlaxoSmithKline, how he got introduced to SANS and began teaching for SANS.
In part two, we’ll dive into a bit more details about the course, who it was designed for and a walkthrough of each day in the course, what tools are covered and what students can expect to come away with. John also explains briefly, the differences between SEC401 and SEC450 and whether someone who has already taken a 500-level course, should still consider taking SEC450.
Introducing John Hubbard
My name is John Hubbard and I'm a certified SANS instructor and author of the new SEC450: Blue Team Fundamentals – Security Operations and Analysis class. In addition, Justin Henderson and I coauthored SEC455, which is a one-day course on SIEM Design and Implementation.
I'm a Blue Team author through and through and all about cyber defense.
1: Did you have aspirations of becoming an engineer at a pretty early age?
Yes. With engineering, it was an interesting path for me. A lot of people, of course, get into info sec as a swerve from their original career. I went to Purdue University and did an Electrical Engineering degree. And what lead me there was, growing up I was always very much interested in technology. I was building my own computers, trying to install Linux when I was in high school, and fight my way through that. And it was much more difficult at the time, obviously.
I was always interested in technology and those sorts of things. And at the time, cyber security didn't really exist and so I didn't know that was an option. That being said, on my computer I was always playing with those, I would say, gray area type programs where you'd be in chat rooms and you have this program that can kick people out or do crazy stuff like that. I definitely had the inkling that would have been a career choice that I could make, but I had no idea that cyber security could be a real job at the time. I always had a passion for electronics and stuff like that and I still do it. I like that stuff a lot.
I had been going through the engineering degree and about half-way through that I started listening to a bunch of podcasts on security and information security type stuff. And that's what sparked my interest. And I would say probably junior year of college on, I had listened to enough podcasts that I wanted an engineering degree and then turn that into a security job ultimately. Which is what led me into my masters doing computer engineering, focusing on cyber security. And then, ultimately, here I am.
2: You'd spent a number of years with GlaxoSmithKline and held a variety of roles from cyber security analyst to senior analyst and eventually to becoming a SOC Manager. Being a young analyst, what were some of the early challenges that you experienced and remember vividly?
When I had joined the company, it was me and one other analyst on the team and the manager of the U.S. Security Operation Center (SOC). We had to follow the Sun model, and we had other teams in the U.K. and Poland. We all were hired at the same time and it was this case of the company realizing, "Oh, cyber security attacks are a thing now. We need to address this in a very serious way." Because before that they had the casual, like the AV team, the firewalls and IDS and all that kind of stuff going on. But we're like ‘no, we need a dedicated set up of people doing threat hunting and looking for these advanced attackers.’
Because this was right about when the APT1 report came out from Mandiant. And that made a big splash and a bunch of headlines. That was a big watershed moment in information security (info sec). Before this team, we were all in there trying to figure out the best way to do everything as a group. Because some of us had come from previous info sec jobs but a lot of people had not. It was building up ‘what do we want a SOC to be for ourselves.’ In some ways it was a little bit analyst led, in that we had a number of us saying, “All right this is how we want to operate day to day. And these are the tools that we have and these are the tools that we need." And there was the typical mix of trying to make a business case for buying new, advanced tools. I think at the time we had some FireEye sensors and a SIEM that was collecting some logs. But it was not nearly what it is at this point in time.
We didn't have all the data we needed. We didn't have it all integrated very well. And that led to a lot of manual process and doing stuff in inefficient ways. But the team was given the freedom to develop tools and make things better for themselves. We all were very much encouraged to learn and improve our skills in whatever it was that we were passionate about and that led to me taking SANS courses and ultimately progressing in my career and going from there.
I've been in the trenches and done all those sorts of things and know the struggle from all the way back, from a couple tools that don't integrate at all and what that feels like, all the way up until the fully integrated set of stuff. Considerably awesome at this point.
3: I'd love for you to share the key things that helped you rise from being an analyst to becoming a SOC manager?
This is going to sound a little self-serving, but one of the big things was SANS. Besides that, I always had a really strong interest in the topic. A lot of the times I would go home and continue to read and learn. I built myself a home lab, which I'm still using daily. I’ve got a bunch of servers in the basement and switches and all sorts of stuff. Trying to build out similar things to what we had at work, at home. And learn the technology, learn how it works, would have monitoring functions and that sort of thing. As with when I was in undergrad, a significant portion of what I had done up until that point was self-learning.
And then that just continued on once I got the job. Because I had an insatiable appetite to take this stuff in because I was so interested by it. I love a challenge and the different things that you see every day. I always wanted to tear it apart because it was a really interesting puzzle to me. So that just lead to a lot of doing it beyond the job and then also taking the formal training. Going to conferences and trying to soak it all up as fast as possible. And it worked out pretty well.
4: How were you introduced to SANS? Was it somebody at GSK that introduced you?
I was trying to think about what my first experience was. I had a coworker back in 2013 that was like, "Hey, have you heard of SANS? They're like, the awesomest of training. You go to one of these things and you just get your mind pumped full of all this information in a very short period of time." And I was like, "Great. That sounds exactly like what I want." And so, fortunately, my employer had the funds to send me to a class at the time. I think it was summer of 2014 that I took my first SANS class.
What was the first class you took?
This will sounds crazy, but I took Forensics 610 - the Malware Reverse Engineering course.
At the time, I don't know if that was a good or a bad choice. But after I finished it, it turned out that was a good choice. I really, really loved the course. And I always liked taking apart malware and wanted to get into that stuff. And that was something I was doing at work.
I read through the syllabus and I'm like, "I think I can do this." A lot of it was based around assembly, and decompiling and stuff like that. And from my electrical engineering days, I had done that sort of stuff before. I understood assembly language and Ivy's microcontrollers to build projects in college. So that, I think, is one of the things that intimidates a lot of people and since I had been in a debugger and decompiled stuff before, I was like, "That seems like the hardest part of this and I think I understand the main concepts."
Took that and ended up doing the certification for that and went on from there and that was, I think, a pivotable point in my career because I came back from that in 2014 and no one else in the team had taken that course yet. At that point I was the guy who had this advanced training in malware. And I think that really helped, it was a really good addition to the team in terms of the skill set and really helped me with my career along the way. And then from there, I kept taking more and more courses and things continued to go well.
5: How did teaching at SANS come about?
That was a serious curve ball for me. I never really thought that I would be doing that at the time. I took a course in 2014 and I'd taken it OnDemand. I hadn't actually been to a SANS event. I took it day by day working at it from home, just online.
The next year, I was like, "When can I have another one of these courses." Because the first class was awesome. I think it was March 2015, I went to Baltimore and took SEC560, the Pen Testing course with Ed Skoudis. For those who haven’t taken that course, Ed is like a machine. He's got that class well oiled. He's got everything that goes with it laid out and everything so well done. I was absolutely impressed with the quality of the training, because I'd been to other vendor and info sec trainings and nothing I had ever seen was like this. I thought 1. This is awesome info and 2. Wow, this teacher is incredible. I really, really enjoyed that. That was my first actual live course.
I did that course, took the [GIAC] GPEN certification. I did really well on the GPEN cert and got the email that everyone gets when you cross that line for, "Hey, you scored highly. Would you be interested in being a mentor for this?" I said, "Yeah. I guess maybe I can do this. I scored well and I really like doing this stuff." There were people I had been informally instructing at work, based on what I had learned in the class. It seemed like a fun thing to do and I didn't know if I'd be able to pull it off or not. But, turns out I started in October 2015 doing the mentor version of SEC560, which is the first and last time I ever taught a Red Team course. It went well. Being a blue team guy, I was like I can do this. But I couldn't mentor Forensics 610. That's just not a course that you can really get enough people to go for class for that.
I started out as a Red Team, not instructor but mentor and then transitioned on from there. I didn't plan on it happening but, just dipped my toe in the water. It went well and good things kept happening and here I am.
6: Was there a point in time where you realized there wasn't a course for new Blue Teamers and you figured you would be that guy [to create one]?
As I started teaching more, I had progressed to become a senior analyst and I had the opportunity to become a SOC manager with U.S. SOC. As the manager, I had to do hiring of the new folks fairly frequently, and it was always a case of wanting to have a base level of training that everyone needed.
I was always looking for that one course that was definitely for a SOC analyst, and not assume they’d been doing it for years. SEC401 was super broad and 511 was more for hunting and senior analyst type work.
I really wrote the [SEC450] class that solved my own problem and answered the question - What do SOC managers do for the new hires? Because that was a problem I had seen, I had experienced and we tried to tackle it different ways, successfully. But I wanted to write a course as a solution to that problem.
7: Did you interview other analysts? Did you dial back to your days as an analyst?
Absolutely. Both of those things. I remember pretty vividly what my struggles were coming into that job. Just understanding what each bit of data was and what it could tell me. Where it was coming from, how it was formatted, and that's all stuff that I definitely wanted to write into the course.
And yes, I’d been talking to analysts along the way. As I'd been flying around and teaching in various places, I'd try to pay particular attention to people who were newer analysts and say, "What are you struggling with? What is it that you want to learn more about? What do you think would make you better?" I talked to a lot of people in that respect. I also asked them what they didn't like about the job. Which is what gave birth to some of the other content in the course about making the job more pleasant, because SOC analysts, tier one type stuff sometimes gets a bad rap.
I had also run the SOC at GSK in a certain way and the other SOCs as well and we all worked together. We had all done the same thing as we were analysts first, and then we became SOC managers. We knew what we did and did not like about the job and tried to make sure that the new folks that were coming in, were not having to deal with those same issues and brought that kind of experience into it as well.
8: How long did it actually take you to write the course?
I left my full-time job to write the course in July 2018.
I started writing it basically full time minus the time that I was teaching, and I finished writing the course in the end of April 2019.
It was a pretty solid nine months of full-time work. I was working weekends and everyday, just trying to keep a consistent amount of slides turned out. I actually used a program called ManicTime that actually tracks my active window on my computer. I only started using that in October, so I don't know the full total number, but it was a very significant number of hours.
My goal was 180 slides a day because that's about what SEC511 is. But by the time I started writing, I found that I had so much to say about certain slides that it would go into more and more pages. And what it turned into was about 200 pages a day. And yeah it ended up about 1,000 slides. When we put it through the grammar check and run all that other stuff it spit out 280,000 words was the actual count without the labs. I saw that number and I'm like, "That seems like a really large number." I don't know exactly what that means. I Googled it and it is larger than the biggest Harry Potter book which is pretty big. For relative scale, it it quite a lot of text. I put a lot into it.
For More Information:
Don’t miss part two of this feature here.
Visit our course page: sans.org/sec450
Visit John Hubbard’s bio: sans.org/instructors/john-hubbard
Connect with John on Twitter: twitter.com/SecHubb