Saturday, August 13, 2011

Coming to Terms – Growth of a Philosophy

I’m coming to terms,
I’m starting to learn,
This ain’t all it’s cracked up to be.

Those lyrics are by Carolina Liar, and they seem to be a good explanation of what my first conference has done to me. I attended the 7th annual GFirst conference, and I learned SO much. I wish it had been longer and that the tracks ran longer; I missed out on a few incredible ones.

I took careful stock of where I am in my career, my skill sets, and where I see myself in the next 3-5 years. Not so much long-term hard and fast rules, but a few key things I want to accomplish. I feel that anyone who wants to be successful in their chosen field must be willing to write a plan, dedicate time to understanding and growing their skill set, perform a frequent and honest audit of their skills and abilities, be able to challenge their philosophies and make changes as needed, and be willing to admit that they do not know everything.

I am an incident responder; that I know. I have always felt that I needed to be a proactive responder. Instead, I have realized that I am a reactive responder, attempting to put out fires with no historical information on how they started. Part of this is because, where I am, this is how it has always been, and another part is that I have not felt comfortable enough in my strengths as a responder to propose changes. This has caused me to stay in the daily grind and allow others with more experience to help lead the team I am on in the directions that they see as providing strengths and value. GFirst has given me the strength to challenge that.

Another takeaway I grabbed from the conference is that there are very incredible and capable people in the field who can admit that they do not know everything and are not afraid to ask questions and seek the advice of those who are considered subject matter experts. It helped reinforce the strength and conviction of those who I want to emulate and learn from, those who I would consider my idols.

The final takeaway from this is that with some dedication and determination I can make positive changes within my environment. I can make a difference, and just by listening you can learn a lot from those experts who are willing to share their knowledge.

When I go back into the office I will have celebrated my birthday, which also throws more perspective into it: some of the people I learned something from are younger than me and have more experience than I do. The willingness to learn from these youngsters will require one to be humble and willing to accept their guidance.

The first step I plan to implement is helping move the team I am involved in from a Reactionary Responder philosophy to a Proactive Responder philosophy, one that is able to deploy and mitigate threats before our defensive mechanisms are updated. This means that I must get management on board to understand that the changes we need to make will increase our efficiency and lethality in responding to threats. To do this, I need to take the things I learned from Netwitness, Mandiant, Chris Sanders, Jason Smith, Andrew Case, Golden Richard, Chris Pogue, Karlo Arozqueta and even Dave Marcus, and deploy them on the network I work to defend.

The next step is to make a fundamental change in the way we monitor traffic. Currently we rely on a lot of reactive methods that alert us when they believe something is wrong in the network. By adopting proactive monitoring, watching and analyzing Layer 7 metadata, we can find and set baselines for normal traffic. Then, when we start seeing things that are outside the normal parameters, we can take action, even if there are no known signatures to alert us on this traffic. As I learned in one of the GFirst presentations, the following things can be looked at from Layer 7 to predict evil in the network:
  • Web Address Length
  • Spike ranking of an unknown website/IP
  • Spike of external data transfers
  • Many Others
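
An added example (not from the original post or the GFirst presentation) of baselining two of the indicators above, web address length and spikes of external data transfer, and flagging traffic outside the baseline without any signature. The log format, hosts, `.example` domains and the `k=6` margin are constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample proxy lines: "<hour> <internal host> <bytes sent out> <url>"
BASELINE_LOG = [
    "9 10.0.0.5 900 http://intranet.example/home",
    "9 10.0.0.6 1200 http://news.example/world/today",
    "10 10.0.0.5 1100 http://mail.example/inbox?folder=1",
    "10 10.0.0.6 800 http://news.example/sport",
    "11 10.0.0.5 1000 http://intranet.example/wiki/ir-runbook",
    "11 10.0.0.6 950 http://search.example/?q=gfirst",
]
TODAY_LOG = [
    "9 10.0.0.5 1000 http://intranet.example/home",
    "9 10.0.0.6 700 http://cdn.example/x?d=" + "A" * 120,
    "10 10.0.0.7 48000 http://files.example/upload",
    "10 10.0.0.7 52000 http://files.example/upload",
]

def parse(lines):
    for line in lines:
        hour, host, sent, url = line.split(maxsplit=3)
        yield int(hour), host, int(sent), url

def upper_bound(values, k=6.0):
    """Median + k * MAD: a ceiling for 'normal' that a few outliers cannot drag up."""
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    return med + k * max(mad, 1.0)  # floor the MAD so identical values still leave a margin

def summarize(lines):
    """Collect (host, URL length) per request and outbound bytes per (host, hour)."""
    requests, hourly = [], defaultdict(int)
    for hour, host, sent, url in parse(lines):
        requests.append((host, len(url)))
        hourly[(host, hour)] += sent
    return requests, hourly

def build_baseline(lines):
    requests, hourly = summarize(lines)
    return {"url_len": upper_bound([n for _, n in requests]),
            "bytes_out": upper_bound(list(hourly.values()))}

def find_anomalies(lines, baseline):
    requests, hourly = summarize(lines)
    hits = [("long_url", host, n) for host, n in requests if n > baseline["url_len"]]
    hits += [("outbound_spike", host, total) for (host, _), total in sorted(hourly.items())
             if total > baseline["bytes_out"]]
    return hits
```

Calling `find_anomalies(TODAY_LOG, build_baseline(BASELINE_LOG))` returns the flagged requests; in practice the baseline would be rebuilt from a rolling window of known-good traffic.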

The final step that I need to implement is to never get comfortable in my job. I need to push myself to learn or improve a process or technique every month. I need to get aggressive in my development and I need to push for greatness. I need to be willing to honestly audit my skills, development and work performance, and work on decreasing inefficiencies and lackluster in these areas. This last step is the most important thing out there. I can never allow myself to become comfortable in my position and neglect challenging my skills or philosophies when it comes to digital forensics and incident response; doing that means I will never give my best. This will also allow me to be the most lethal tool in my toolbox, because it will allow me to adapt to any threat that might appear in the network I defend.

Challenge yourself, challenge your beliefs, challenge your skills, and above all challenge the acceptance of techniques that have always been. 

