SANS: What made you choose to work in security?
Brandon: I’ve been fascinated with technology since I was very young. In particular, I was obsessed with video games from the moment I got my hands on a controller for the Nintendo Entertainment System on my third birthday. This obsession led me to start developing games of my own. In order to share my (awful) games with the world, I had to learn how to create a website with HTML and CSS. To make my website interactive, I learned JavaScript, PHP, and MySQL. This eventually resulted in me dropping game development and becoming a professional web application developer.
In recent years, the cloud has become a core competency required to work in the web. I worked with Azure heavily in my first full-time software engineering role for Smartvue Corporation, an Internet-of-Things video surveillance startup that has since become Tyco Cloud. I then moved to Asurion, where I designed, implemented, and deployed various features for both internal and public-facing platforms hosted on AWS using services including EC2, ECS, S3, CloudFront, DynamoDB, RDS, API Gateway, Lambda, KMS, and more. The cloud enables developers to release new functionality extremely fast, but without a deep understanding of security, they will find themselves shipping security flaws at the same rate.
As I developed for two companies that highly value security, I picked up application security fundamentals along the way. Unfortunately, without formal security training, you won’t know what you don’t know. Thankfully, Asurion has an incredible program called the Security Mavens, in which software engineers have the opportunity to take SANS courses in exchange for evangelizing the lessons learned throughout the product development organization. After I joined the Mavens and took my first SANS course, there was no turning back. I transferred to Asurion’s Product Security organization shortly after, which is where I work to this day.
SANS: What was your first SANS course and GIAC Certification (if applicable)?
Brandon: SEC401: Security Essentials Bootcamp Style with Ross Bergman and Mark Geeslin, the latter of which was also the long-time head of the Security Mavens and Product Security organization at Asurion. The course imbued me with the knowledge I needed to pass my GIAC Security Essentials (GSEC) with honors and qualify for the GIAC Advisory Board.
SANS: What courses do you teach / author?
Brandon: After taking SEC540: Cloud Native Security and DevSecOps Automation and obtaining multiple GIAC certs, I got on Frank Kim’s radar. He then invited me to SANS’s DevSecOps Camp, in which new and developing instructors went through a bootcamp-style training on how to teach courses in what is now the SANS Cloud Curriculum. This was an amazing opportunity for me as I had a large amount of cloud security experience at this point, and I realized I loved teaching after finishing teaching the first cohort of the Vanderbilt University Coding Bootcamp just a month prior. I learned a lot in the DevSecOps camp, and SANS saw potential in me, so I was given opportunities to teach SEC540. I did a co-teach with Mark Geeslin, two co-teaches with Eric Johnson, and finally a solo teach. Sadly, this was right before the start of the COVID-19 lockdown. Although SANS has since revolutionized their Live Online offering, few people had time to pursue training during the early months of the pandemic, so my instructor development was seemingly slowing down.
Luckily, those who know me know that I refuse to slow down when it comes to things that are important to me. Even luckier, SANS wasn’t resting on their laurels either, constantly thinking of ways to use our newfound free time to accomplish what would otherwise be impossible. Frank, Dennis Scandrett, and I had already discussed the possibility of creating a course comparing the security of the Big 3 Cloud Providers after receiving positive reception of my SANS webcast, Secure by Default? With many of our distractions out of the way, Eric Johnson and I were able to take this idea and get a course into beta in less than 6 months: SEC510: Cloud Security Controls and Mitigations. We are still hard at work expanding the course to 5 days and adding bonus challenges.
SANS: Why do you teach, research and practice information security?
Brandon: Cybersecurity is necessary to protect the lives and freedoms of people in the modern era. I’d like to tell you that my motivation to work in cybersecurity is just as noble, but I’d be lying. I practice security because it is the most fun and interesting field I’ve ever been exposed to. It is hard for me to understand how anybody could feel otherwise. Much of my motivation for teaching and contributing for SANS is to explain to others where my fanatical enthusiasm is coming from. Of course, it doesn’t hurt that the field is one of the most lucrative you can be in without a doctorate.
SANS: What tips can you provide newcomers to cyber security and defense?
Brandon: My advice differs depending on the person’s experience. If you are brand new to the technology field, I’ll give you the same advice I gave to the participants of the first SANS Cyber Camp for Teens:
If, like me, you come from a software engineering background and want to pivot to security, recognize that you are already playing the role of a defender. You are implementing new features and products while employing best practices and minimizing the associated risks. Now, flip your perspective and think like an attacker: what security mistakes are engineers most likely to make? Which parts of the system would have received the most care and attention for its design? What user activity would tip off engineers of an indicator of compromise? Learning how to think like a defender will inform you how to think like an attacker and vice-versa. If you aren’t already familiar with the core attack and defense techniques, SANS has countless of courses which can help.
SANS: Who has influenced your information security career?
Brandon: Too many people to mention, but as shown above, three of the most influential people to me have been Frank Kim, Eric Johnson, and Mark Geeslin. I’m looking forward to working on many additional projects with Frank and Eric. To my dismay, Mark has recently put his work with SANS on-hold and left Asurion to lead a security organization for Dave Ramsey’s company, Ramsey Solutions. Although we won’t be working as closely together, I know that I can rely on Mark for feedback and advice whenever I need him. I’m sure we will continue to stay in-touch. It doesn’t hurt that we have to interact with each other as Co-Leaders of the Nashville Chapter of the Open Web Application Security Project (OWASP).
SANS: What do you want people to know about you?
Brandon: If you are half as passionate about security as I am, I’m sure we can learn a lot from each other. I’m very active on LinkedIn and Twitter and am always happy to connect with fellow technologists.
SANS: Favorite quotes, songs, or books?
Brandon:
As a drummer, I’m quite passionate about music. My favorite genres are all over the place, including progressive rock, thrash metal, vaporwave, vocaloid, and showtunes. If I had to pick a favorite artist, I would probably pick King Crimson. Fun fact: the iconic artwork for their first album, In the Court of the Crimson King, was created by a computer programmer.
Read Brandon's full bio here.
