Mark started his security career in 2001 as a SOC Analyst, and since then has been both fighting for blue team resources and trying to automate them out of a job. He has built, assessed, and managed security teams at the Pentagon, the White House, the Department of Energy, global Managed Security Service Providers, and numerous Fortune 500 clients. Mark enjoys finding new and innovative ways to help defenders scale through the right application of foundational knowledge and assistive technology. In 2012, he designed and launched a Managed Detection and Response (MDR) service offering and helped to invent an automated cyber threat hunting technology, both of which were later acquired. Mark enjoys reading, going to rock shows, and sneaking in the occasional Netflix binge.
SANS: What made you choose to work in security?
No two days are the same, which works well with my limited attention span. Also, there is always something to learn, someone to learn from, and new concepts to explore. Even after 19 years in the field, I feel like a novice in so many areas, which keeps it exciting.
SANS: What was your first SANS course and GIAC Certification (if applicable)?
My first SANS course was Intrusion Detection in Depth with Mike Poor. I was as enthralled by his great stories as I was by his technical mastery. I followed that up with SEC504 with Ed Skoudis, who of course is also a great instructor and storyteller. Obviously, I was extremely fortunate in my initial exposure to SANS.
SANS: What courses do you teach / author?
I currently teach SEC450: Blue Team Fundamentals, Security Operations and Analysis and soon will also be teaching LDR551: Building and Leading Security Operations Centers.
SANS: Why do you teach, research and practice information security?
Two reasons: teaching provides the opportunity to share what I know with others, which is so important for defenders to do so that we can all get better. The second reason is that understanding a topic well enough to teach it to others is sometimes a whole other level from putting it into practice, so it helps me stay sharp. It also gives me the chance to interact with more people to see what I might be missing out on (turns out there is usually a lot).
SANS: What tips can you provide newcomers to cyber security and defense?
There will always be someone more skilled (or differently skilled) than you. Understanding that you can’t know everything, always strive to fill gaps in your knowledge and don’t hesitate to question things. The minute you start feeling like you’re the smartest person in the room, find another room! Also, it’s understood that we let the red team claim their work is harder and more advanced than the blue team because it makes them feel good. It’s ok to let them believe.
SANS: Who has influenced your information security career?
I owe a great deal to more people than I can even list here. My early career was heavily influenced by the original Foundstone crew and their writing, technical work, and business ventures: Richard Bejtlich, Steven Andres, Kevin Mandia, and others. More recently, there are tons of entrepreneurs, researchers, and practitioners that I admire and try to emulate including many of the SANS faculty. I’ve also been lucky enough to work with some phenomenal comms people and business leaders who have expanded my view of how security fits into the larger picture. My Twitter follow list is a pretty good accounting of all of these.
SANS: What do you want people to know about you?
We often hear (and roll our eyes at) the phrase “thought leader.” Realistically, I think there are very few people in this field who could claim that title – and those individuals probably never would themselves. It’s far more important to be an enabler: someone who helps other people innovate and lead. That’s the kind of person, and the kind of practitioner, I try to be.
SANS: Favorite quotes?
In writing SEC450, John Hubbard included the quote “All models are wrong, but some are useful” by statistician George Box. This one really resonates with me as I often look for more structured, repeatable ways of doing things. But my all-time favorite is “Everybody has a plan until they get punched in the mouth,” which I think is paraphrased from Mike Tyson. This takes me back to my military days where you might train and train and train, but ultimately will have to rely on your ability to think fast and adapt when challenges arise. That happens to be a good description of incident response, too.
SANS: Tell us about things you enjoy that people may not expect.
For years growing up I aspired to be a comic book artist, and art was my first major in college. I ultimately decided that I enjoyed it more as a hobby than a profession, but I still try to find ways to work my love of comics, art, and all things pop culture into my work.