That experience is what forms his teaching philosophy. "I make it my teaching philosophy to constantly bring in new material into the classroom through my personal experiences and the successes and failures of those I've seen in the industry," says Robert. This augments the traditional classroom material students receive to ensure they get the most relevant and cutting-edge concepts in the industry. But Robert's real-world experience also keeps things interesting. "I enjoy telling and sharing in case studies and stories from the field, looping in bigger concepts into the technical material, and setting a humorous tone so that no matter the seriousness of the topic we all have fun together."
Robert got his start in information security making small control systems for humanitarian missions. He joined the United States Air Force and became a cyberspace warfare operations officer in the U.S. intelligence community. In that role, he created and led a mission examining nation-states targeting ICS, the first mission of its kind in the U.S. intelligence community. For Robert, that intermixing of defense, intrusion analysis, and threat intelligence provided the ultimate thrill.
Robert has worked offense, defense, and intelligence in various government teams. "My time on the offense helped me better appreciate defense and how sometimes we simply get it wrong: defense is not necessarily harder than offense and there are many opportunities we have to defend and make the world a better place," he says.
Robert joined SANS for myriad reasons. He had long been aware of the organization, and followed the career and workings of SANS fellow and DFIR curriculum lead Rob Lee. Also, ongoing encouragement to attend SANS conferences and consider teaching from a number of friends and colleagues such as Dave Shackelford convinced him to give it SANS a shot. His first pitch - a five-day class on identifying and responding to industrial control systems (ICS) attacks - was well-received, and as Robert says, "the rest is history." Today he teaches SANS ICS515: ICS Visibility, Detection, and Response, the industry's first and only incident response and threat hunting class for ICS and FOR578: Cyber Threat Intelligence, the industry standard course for threat intelligence training. "The SANS family is amazing, the students are world class, and teaching is what keeps me constantly refreshed and excited in the industry."
In fact, authoring ICS515 and FOR578 have been highlights in his career, Robert says. Industrial control system security as well as cyber threat intelligence are both exciting topics that receive a lot of hype and misconceptions. "I love destroying hype while giving the students the most blunt and actionable information possible," Robert explains, adding that his experiences "gives me a robust view into the problem space and the solutions needed at various levels. My experiences and hard work have afforded me the chance to significantly advance students' skill sets and the way they view the problem."
Central to helping students succeed in their day-to-day careers is ensuring that they understand the big picture, Robert says. That's more than just understanding what command to run on a specific tool or how to use that tool during an incident. Its' about know the larger context of a security strategy is, all its moving pieces, and how to use analysis to help fill knowledge gaps. "This ensures that students who take my classes are not only technically prepared but are also prepared to think differently about the hard challenges their organizations must face when facing the adversary," says Robert.
Robert has a master's degree in cybersecurity and computer forensics from Utica College as well as cyber and warfare training through the U.S. Air Force, and he's pursuing his doctorate in war studies from King's College London. Robert is a faculty member of the SANS Technology Institute, an NSA Center of Academic Excellence in Cyber Defense and multiple winner of the National Cyber League competition. He was named one of Forbes' 30 under 30 in Enterprise Technology in 2016, was awarded EnergySec's 2015 Cyber Security Professional of the Year and named one of Passcode's "Influencers."
Outside of teaching, Robert enjoys running his company Dragos and working with customers in the industrial community. "It allows me to constantly stay relevant, challenge and grow my skills, and directly help people." He also enjoys writing papers and blogs for the industry, and looks for opportunities to travel, snowboard, and play a Steam game or two whenever he can.
- Named one of Forbes' 30 under 30 in Enterprise Technology in 2016
- Awarded EnergySec's 2015 Cyber Security Professional of the Year
- Named one of Passcode's Influencers
- Course author of ICS515: ICS Visibility, Detection, and Response, and FOR578: Cyber Threat Intelligence
- Author of the book Threat Intelligence and Me as well as numerous articles on cyber security
- Watch Robert's lecture at the CTI Summit 2017: "Knowing When to Consume Intelligence and When to Generate It"
- Watch Robert's lecture at the DFIR Summit 2016: "Leveraging Cyber Threat Intelligence in an Active Cyber Defense"
- Listen to Robert's webcast "Next Level in Cyber Threat Intelligence Training: New FOR578 course updates"
Get to Know Robert M. Lee
- Robert's website: http://www.robertmlee.org/
- Little Bobby, Robert's ongoing security-themed web comic
- SANS' announcement of Robert's placement on Forbes' 30 under 30 in Enterprise Technology in 2016
- Generating Hypotheses for Successful Threat Hunting, August 2016
- The Who, What, Where, When, Why and How of Effective Threat Hunting, March 2016
- The ICS Cyber Kill Chain, October 2015
- The Sliding Scale of Cyber Security, July 2015
Publications and Papers
- Threat Intelligence and Me, book for children and analysts, January 2017
- Why Strong Encryption is Elementary, Christian Science Monitor, July 2015
- Security Firm's Iran Report Mostly Hype, Christian Science Monitor's Passcode, April 2015
- The Feds Got the Sony Hack Right, But the Way They're Framing It Is Dangerous, Wired, January 2015
- Snowden's Leaked PowerPoints Provide Flawed View of American Spy Agencies, Christian Science Monitor, January 2015
- OMG Cyber!, The RUSI Journal, November 2014
- It Does Matter That the White House Cybersecurity Czar Lacks Technical Chops, Forbes, August 2014
- Making Digital Forensics a Critical Part of Your Cyber Security Defenses, Control Engineering, January 2014
- The Failing of Air Force Cyber, SIGNAL Magazine, November 2013
- Understanding and Utilizing Cyber Deterrence to Better Enable a Holistic Approach to Cyber Security: The Creation and Analysis of a Cyber Deterrence Model, Utica College, May 2013
- SCADA and Me, IT-Harvest Press, September 2013
Awards and Honors
- 2016: Forbes' 30 under 30 in the area of Enterprise Technology
- 2015: Energy Sector Cyber Security Professional of the Year, awarded by EnergySec
- 2014: Colonel Sparky Baird Award, awarded by AFCEA
- 2014: Air Force Association Gill Robb Wilson Award - Air Force Nominee
- 2013: Air Force Association Gill Robb Wilson Award - Air Force Nominee
- 2013: AF Information Dominance Award for Outstanding Cyberspace Operations CGO - 693 ISR Gp
- 2013: Junior Officer (Operator Category) of the Year - Europe/Africa
- 2013: Military Performer of the Year - Threat Operations Center
- 2013: CGO of the Year - 693d ISR Gp
- 2012: Distinguished Young AFCEAN Officer - Central Europe
- 2012: Outstanding ISR Officer Contributor of the Year - 693rd ISR Group
- 2011: AFCEA Intelligence Professional of the Year - 693 ISR Group