Can you tell us about your professional background?
I started my career in small business IT administration, where I wore many hats. From there, I moved into Digital Forensics and Incident Response (DFIR) consulting, then corporate DFIR and Blue Team work in the financial services sector. Now I do threat analysis on the service-provider side with Red Canary. In my current role, I work on our Cyber Incident Response Team (CIRT) and build out and lead our internal training program.
How did you get started in cyber security?
Quite simply, I was always the guy who was “good with computers,” even though I often felt frustrated that they didn’t work the way they were supposed to. Things always seemed to operate outside of established parameters, whether by design or otherwise. Regardless, I worked for a variety of small businesses where I'd end up dealing with host and network issues, administration, and “first responder” scenarios.
A few of my bosses saw my work and encouraged me to continue, because they felt that I had innate skills in that area. I valued their guidance and pushed on, discovering computer forensics. I was blessed to have an opportunity to prove my skills to a small local forensics firm and was brought on board. I worked my way into a lead role there, then I moved into a corporate cyber security position before joining Red Canary.
What challenges does your business face in relation to cyber security?
There are two big issues that I think most organizations face in relation to cyber security:
- Staying abreast/ahead of current threats.
- Scaling operations as the business grows.
There are multiple facets to each of these issues, but most will fall under one of those general categories. Both challenges require a lot of deliberate effort, and neither can be accomplished without a solid plan of action backed up by a mature security program.
Why did you choose to train with SANS, and why did you select the courses and certifications you did?
Initially, I took SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling with Jim Shewmaker and earned the GCIH certification because my boss told me to. I had tested for other certifications not related to SANS or GIAC in the past, but the GCIH required that I have practical knowledge of the subject matter and was by far the most thorough. Since then, I’ve taken several other SANS courses and earned a GCFA certification as well. Going through both the course and the certification convinced me of the efficacy and value of SANS and GIAC offerings.
Can you give an example or two of things you’ve learned in SANS courses that you were able to apply directly to your job?
One of the biggest things that I've taken away from SANS training is an understanding of what actual attacks look like when carried out by a real-world adversary. So many things from a threat perspective in cyber security are theoretical – they “could” happen, but aren't necessarily likely to happen, and indeed may have never even happened before. SANS training is based on real-world activity, and that makes the difference.
Completed SANS Courses
- SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
- FOR526: Advanced Memory Forensics & Threat Detection
- FOR578: Cyber Threat Intelligence
- FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
- SEC511: Continuous Monitoring and Security Operations