4. Wesley Belleman of California Air National Guard and Palo Alto Networks: Security Operations Center from Military and Private Industry Perspectives

Welcome, everyone, to the Security Podcast of Silicon Valley. I'm here today with a very special guest, Wesley Belleman, who is the cyber warfare operator for the California National Guard and a system engineer at Palo Alto Networks. He spent a good chunk of time in the armed services, so thank you very much for your service, Wes. This all started off at the Air Force.

You were a cybersecurity engineer at the Air Force. Then you moved over to the Space Force, which was a new branch of the military. And you were at the United States Southern Command for a while as a technical lead. And now you've cut over to private industry with your new gig at Palo Alto Networks as a security engineer.

And, of course, you continue to serve in the California Air National Guard as a cyber warfare operator. So thank you so much for joining me on the show. Impressive background. A huge thanks for all of that service.

Yeah, no, thank you for having me. I'm definitely looking forward to talking about security operations. So clearly, you're a very talented guy, and talented people always have options available to them. And so I'm super curious, is there a story behind all of your service in the military and the armed forces?

Really curious. No, yeah, that's a great question. Well, first of all, my parents were in the military, so it was the family business. After my dad left the military, he still continued to work for the Department of Defense as a civilian, actually a teacher.

And I had the opportunity to live on different military bases. So I definitely felt that the military had given me a lot from a home, a career for my dad, and school was even funded by the DoD. So I definitely felt like a debt of gratitude to the military, so I really wanted to join. And then when I did join, there was just a lot of benefits.

They help kind of kickstart your career by giving you training and education. So there was just a lot of enticing things about joining straight out of college that made it exciting for me. So I'm definitely really glad I joined the military. I talk a little bit on LinkedIn about some issues I have with their personnel practices and how I think the military is not going to remain competitive in the future with Silicon Valley.

But that's certainly not to bash on the military or the people in it. That's just because I don't want people to leave for the same reasons I did. I want people to stay in, especially talented people, to continue to go to the military and to stay there and build out their careers there and be successful. I'm super curious now, what was the reason that you left the military?

No, that's great. So, yeah, the military has, like, they still have some kind of archaic HR practices. So you kind of get into a very specific career and you get pigeonholed into that career. And they kind of tell you where you're going to move next.

You don't really have a lot of choice in where you live. You don't have a lot of choice if you want to move laterally. There's also a lot of up-or-out. So that's talked about in some books on cyber defense for the DoD, such as The Perfect Weapon.

He talks about that. So the up-or-out is a problem for some people who want to be more technical. You know, if you're the type of person that you like to be, you like to be hands on, you like to solve problems, you like to be an engineer, then you're quickly pushed into management and you can't really move forward and become a senior engineer, you know, a software engineer. 10 years is very valuable outside the military, but in the military, it's hard to do that.

No, that's those are some interesting questions that you raise. And I'm sure that they'll change. It's just a slower process for it to change and constantly changing for the better. You know, it's like the larger the organization, the slower the rate of change.

It's almost true almost across the board. Right. And that's why that's why startups can be very interesting because they change very, very quickly. But if you want a little bit more stability, like a larger company, I think people sort of discover that and realize that even in even the private sector.

So you actually spend a good chunk of time as a cybersecurity engineer focused on operations and security operations. And so you worked in a SOC, right, a security operations center. So do you want to describe for the audience who's maybe interested in security but not familiar with a SOC? What is a SOC exactly?

Right. No, that's yeah, that's a good question. There's probably a lot of people. I actually, when I joined the Air Force, I didn't realize how much of a kind of a niche within security, security operations actually could be.

I think because there's a kind of a heavy emphasis on security operations within the military as far as the defensive side overall and the security cybersecurity side overall. But I did find that, you know, I needed to explain to a lot of people, what is what is this? What is a security operations center? What are what are security operations?

And really, it's it's similar to monitoring. So I know you had a guest on and you talked about monitoring. A lot of people ask, are you doing monitoring? Are you doing logging?

But when it comes, you know, when you're when you're just doing logging or you're just, you know, watching your network traffic, that's all going somewhere. And is anybody really reading it? Are you really, are you really triaging those different logs and the different network traffic, trying to compare it against a signature, which is a known attack format that you can compare it to? And if someone's actually looking at that, and when that does, when that does alert, and you say, okay, well, we've received this, this traffic coming into our, into our network, and we know that it, you know, it matches an attack, are we looking to see where did that come from?

Was it successful? And so security operators sit in the security operations center, and it can be tied to a single network or to many networks. And they're actually looking at those logs, and they're actually following those alerts, and they're following up to them, potentially doing a response if they find that there actually was some sort of a successful attack.

And then the future, which we can talk about, of that is being able to just close that loop and make it a lot faster so that once you actually see that alert, you're able to investigate it, determine if it had an impact, and then respond to it before it really had a significant impact on your network, or at least be able to minimize that impact. So that's really what security operations are and how it ties to monitoring, which I think maybe is a concept that all security people will be more familiar with. So it's kind of like the front line, the Navy SEALs, but for cyber warfare, right? Yeah, no, that's a good way of looking at it, especially on the defensive side.

I mean, I guess Navy SEALs are more like offensive, but... They're a little bit offensive, yeah.

Right, it's very much like your, you know, your security forces or your, you know, police officers within your network that are there, you know, trying to, just trying to keep everybody, keep everybody safe within the network. So what sort of organization would you recommend have a security operations? Yeah, so I would say, I mean, maybe I'm biased because of my background, but I would say every organization should have that within their, within their cybersecurity portfolio. The question is more going to be how, right?

So if you're a Walmart or a really big organization, you probably want to have your own security operations center that you run in-house and you can fork over the high cost of a good security operations analyst and an engineer like myself who can help set up a security operations center. But if you're a small organization, then you probably want to outsource it to like an MSSP. So this, this is an emerging concept, the managed security service provider. So for those who watch Shark Tank, Robert Herjavec wrote a book about automated chess and how there's kind of the mix of the human and the computer is the future and you kind of need both.

And that book was pretty relevant. And now it seems that that actually might already not be true. And so when, when he was originally writing that book, it would be, you know, a human and a computer could be a computer like with 10 times the capacity at chess. And now it no longer seems that that's true, that basically a computer, like a human is now just minimal help with, with a computer at playing chess.

We're just irrelevant now. And so, and chess is, you know, maybe not, you know, chess is not the same thing as security operations. The level of complexity is very different, but, but there's, but there's an analogy there, right? Maybe that will happen kind of in a lot of other different fields, such as security operations.

I definitely think that's, you know, from what I've seen, that's, that's really far off. A lot of security operations centers still have yet to implement automation. They're still just kind of grappling their hands around getting all the data in one place. So there's a lot of work to do before we get to the point where everything's, you know, where it's Skynet.

But as we move in that direction, I think 10 years or, you know, five to 10 years from now, we'll be having a different conversation. But right, right now it's very, very difficult to see that horizon of everything being automated because there's so much work to do. There's so much work to do to even just start doing the basics of automation to start thinking of using automation to really cut out your analysts. No, it sounds like a great opportunity for some entrepreneurial thinking.

It'll be exciting to watch that unfold, you know. So with Space Force and your service in the military, what sort of threats did you actually see or deal with? Can you get into any of the details? Yeah, no, I definitely appreciate that question.

And as you might imagine, I'm not able to talk about specific threats to space systems. That's something that while I was at Space Force, it was great to see some of that opening up in the sense that there was definitely a push to have the government start talking more about threats to our systems and threats to the country overall. There's kind of the traditional mentality that a lot of these things need to be secret, that any kind of intercontinental or international conflict needs to be very under the weeds. Right.

But what people started realizing is that, you know, as people are getting more politically involved, people are more informed through the internet. And then when generals are trying to get additional funding or trying to change national priorities, they're not able to do that because they don't have supportive constituents because voters don't understand why, why are you doing this? Right. And to give a non-cyber example of that, General Raymond, who's the commander of the U.S. Space Force, the chief of space operations, he started talking openly about a Chinese satellite that has, maybe you've heard of this, that has like a robotic arm on it. So he started talking openly about that and he wanted people to know, like there, you know, there is a satellite out there from a foreign government that is able to, you know, grapple, you know, grapple other satellites because it has, because it has this robotic arm. And he was trying to show people, this is why we need to think about defending our satellites.

And then obviously, you know, you kind of have to think, you have to kind of have to understand additionally the importance of GPS and our day-to-day lives and the importance of satellite communications in the military overall. Right. But if you can kind of understand that and then you can, and then he can, you know, speak openly about this satellite, then that starts to paint a picture for voters and constituents and people why this is important, why we're doing this. And there's a lot of people trying to do the same thing on the cyber side, but it's like you said, just some things take longer in the government.

So hopefully over the next, you know, the next five to 10 years, we'll start to see more information open up so that people can start getting involved, you know, when they're thinking about security for their government, especially cybersecurity, they can know, you know, why are we doing this? Why is this a priority? And so I really hope that, you know, voters will start to think about this and we'll start to politically engage. Take this into account when they go to the voting booth, right?

Yeah, yeah, absolutely. Yeah, that's super interesting about the Chinese satellite with the arm. You know, it bumps into that rule that I have when whenever you have a physical compromise of a system, then all of the secrets and everything inside of it, you have to consider them compromised as well. I like the role of a well-informed democratic society.

It seems very important to, you know, maintaining a free society. So when you're in a, when you're in there and you're in the weeds and, you know, with security operations, what role does data really play in attack detection and your response? No, that's, that's such an important question right now. I think the data is starting to become the primary basis upon which people think about probably security overall.

I mean, you can tell me from you're on the encryption side, you've had some other roles, but definitely on the security operations side as well. The, I've noticed, I've started reading, you know, more, more books that are, you know, released in the last couple of years on security operations. And they definitely, they start with data. They start with data engineering and data science concepts, and then they expand from there into, into the security operations field.

So, you know, they, they say, okay, you know, you need to understand what is a, you know, what is an analytic? What does it mean for an analytic to be, to be sensitive versus specific, et cetera. And then they, and then they talk about different data sources within cybersecurity, within security operations. So I've seen, I've seen different ways of breaking it up, but the one that I kind of like is network data sources, host data sources, and service data sources.

So you have those from those three data sources coming into, usually into some sort of a NoSQL database, but you know, into whatever kind of repository you want it to be in. And then from there you do, you do analytics on that data. And just thinking of, you know, thinking of it from that perspective and starting from that just basic data organization, data analysis mindset is not necessarily new or modern per se, but I just see more and more people joining that chorus of, we need to think about this as a data problem. Like I know, like a lot of people are still thinking of it as a security problem.

Maybe they have kind of this background with IDSs or IPSs, and they just want to write like their traditional rules like they were before, but more people are starting from data and then moving towards security operations. And it, it took me a while to do that. I was fortunate that I had some friends who were in the data science field. And so they were able to, they were able to show that to me from the outside.

And then I was able to bring that into my toolkit within my work. But I definitely think that, you know, thinking of it as a data problem and thinking of it, I mean, at the end of the day, right, if you're trying to find malicious traffic as compared to benign traffic, that's just a binary classification problem within data science. So if you're thinking about it from there, and then you're, you know, as you try to break it up into further categories, whether it's, you know, whether it's command and control traffic or something like that or exfiltration, then, you know, then you just realize it's just a classification problem.

And then the whole security operations process is just a series of classification problems. So you turn it into like a machine learning classification problem. I mean, I'm listening to you and I'm thinking, wow, that just cut itself right out for, you know, machine learning algorithms to just chew in and try to classify all of that data. Yes, so I don't know if you saw my article on this, but I had kind of five decision points, and each of them was I defined as a classification problem.

And I gave my really subjective view about how I felt machine learning fit into those different decision points. For some of them, I think it's a really good fit, and there's definitely going to, we're going to see a lot of growth. I think a big one, a really, you know, a really big one that's becoming kind of common is just spam filters. And spam filters obviously has a huge impact in the phishing space.

So if you're just trying to keep phishing out of your network, you can also just block phishing emails, which can be detected with machine learning, right? It can do natural language processing to kind of determine if that email looks like it's a phishing email or it's a regular benign email. And if it, and that just, you know, obviously it can't catch everything, but if you can at least keep more phishing emails out of your, out of your perimeter, out of your network, then you're just less likely to have someone exploit your network through a phishing email.

So that's just one example of the, of one of the early decision points that I have in my, in my paper about, you know, just being able to determine like, is this, is this really an attack or is this, you know, is this fine, that's some like traffic that you can kind of just continue out through. Yeah, no, we'll put a, we'll put a nice link to that in the description of the podcast so people can go off and look it up and dig into the details there, but that's a nice overview.

So in terms of the data and the sources of the data, I know you were, you were specifically focused on probably Space Force for most of your, your career in the services, but did you find that there was collaboration between the different branches of the military or even, you know, the three-letter agencies, or was that maybe an opportunity to have a wider, more global view of, you know, the U.S. government's systems and security response and you try to unify some of that security operations? Right, no, absolutely.

So, you know, again, sometimes I complain about the DoD, but we do try our best to, to collaborate just because we, we care about, you know, the money that comes from the citizens and just how we prioritize resources. We don't want to be wasting a lot of resources by, by duplicating effort. So we do try to talk to each other and see, okay, where can we collaborate? What have you done that we can, we can pull from?

So we did a good job. I think we talked to every branch of the DoD and including, you know, we do, we do talk to certain agencies, as you can imagine. And definitely, you know, the, the Space Force rolled out of the, out of the Air Force. It's still part of the Department of the Air Force.

So probably most of my collaboration was with the Air Force just because of how close they were, for lack of a better term. But we did a really good job of, of talking to all the other different agencies and branches. So sometimes, sometimes the collaboration can, can bog you down, you know, sometimes you're in like 10 meetings a day, but as long as you, as long as you can kind of manage that with, you know, I have to get something done. I have to, you have to build my SOC, then you can, then we, we definitely do a lot of that.

And that's, I think that's really important as well. Just like, you know, I was talking about earlier is people, you know, people try to understand like, how should they, how should they see the government? The government belongs to them, right? That's also something that they should demand in addition to transparency is just, you know, collaboration and good use of government resources.

Yeah, no, definitely. I'm really impressed and happy to hear that actually. So in terms of, in terms of actually where the rubber hits the road, would you recommend any specific tooling or are there open source projects that help process all of that influx of data and identify specifically designed to identify threats or suspicious traffic? Or maybe there's even services out there that you could subscribe to and they'll just consume your logs and flag suspicious things on your behalf or?

Yes, absolutely. So the most, most popular project that we use in the security operations community just to get started, and this is more used just by hobbyists. It's not, not really used by like big organizations is the Security Onion framework. So the Security Onion framework comes with two network sensors so you can start collecting your, your network data.

So that's Suricata and Zeek. And then those feed into the Elastic Stack, which again is a NoSQL database that you can view with Kibana. And then Elastic also has a, again, an endpoint log collector called Logbeats.

And so, yeah, I would recommend it. If someone wants to, you know, tinker around and kind of be a hobbyist, I would recommend to find the Security Onion framework and then install Logbeats on some endpoints to monitor those logs. And then you can point those directly back to your Elastic stack. And then you've got your log data and your endpoint log data, your service log data, and your network data all in your same Elastic stack.

And so then you can start running, you can start running queries, you can build signatures, you start generating analytics, you can have the Elastic Stack create new data dictionaries to correlate across those three data centers, which I think is, you know, that's kind of where things start to get really interesting. You can kind of detect like a whole lifecycle of an attack. So that's, that'd be my recommendation. And then to validate your own security tools, MITRE has a really cool open source project called Caldera.

I don't know if you've heard of that, but. I have to admit, I haven't used any of these great tools. Yeah, so Caldera is really great and it's based on the MITRE ATT&CK matrix. And they have several, just several different campaigns that you can run on your endpoints.

So you basically install the agent on your endpoint. So you just simulate, okay, bad guy got a zero day and was able to get some sort of an agent on your endpoint. And then they start, they start running some of those, those tactics that are in the MITRE ATT&CK framework, such as, you know, pivoting from one endpoint to another, or, you know, a command and control from a server into that endpoint, exfiltrating data from that endpoint. And then you're able, and then if you have, you know, if you've done the Security Onion framework, then you can go see in the Security Onion framework, what does that actually look like?

And then you can start developing detections for that to actually have those populate in your Kibana dashboard. So if I'm an engineer at a large company and I'm tasked with thinking about how do I detect some of these attacks coming in and I want to start to get serious, you mentioned the, the onion framework is, you know, it's great if I want to do some hobby stuff, but what, what sort of commitment is required to move that to the next level and really have it be production ready? Is it just, is it just a time commitment to see it through all the way to the end or are there scaling issues that you wouldn't want to even start with that project or what would you recommend?

No, that's, that's a huge, it's been a huge topic and concern of mine when I was in the Space Force was the, the build versus buy paradigm. And I mean, you can do it either way. Like if you're, if you're at a big company, you can probably afford enough engineers to, to build everything. But I, I personally wouldn't say that that's generally the, the most efficient way at solving that issue.

I'm, I'm generally a, as much as possible, a proponent of buy when you can. And so for existing, for, for example, Elastic, right? So Elastic is in the Security Onion framework, but if you, if you download Security Onion, you're going to have to manage your own, you're gonna have to manage your own Elastic cluster there. And Elastic itself, like Elastic is a company.

So they have a cloud-provided Elasticsearch engine, which they manage. And they have this, you know, smart people there who have spent several hours learning about how Elastic works and how to keep it up and running and et cetera. And so, so my, my suggestion to someone at that company would be to consider using Elastic Cloud or using their professional services to try to maintain your Elastic cluster. And obviously, you know, Splunk, which tends to, it depends on your environment, but that tends to be a little more expensive than Elastic, you know, has similar offerings.

And so, so generally it's just, you know, at a high level, you get what you pay for. So I would recommend, you know, investing more money in, in better software, hosted software when possible, because then you're going to make sure that things don't go down, that your logs are, that your logs are rotating properly because you might only want your logs to stay there for 30 days. And if you manage it yourself, you're going to have to configure that on your own and you might have logs sitting for years and then your, you know, your storage is going to blow up or your, if you have too many in one index, your memory could blow up.

So if you, you know, if you have Elastic or Splunk's professional services or you're hosting it on their cloud, that just makes those types of issues a lot simpler. Yeah, it makes life easier. It allows us to focus on our, our business value add instead of having to worry about a huge tech stack of random services that some open source project just referenced and now you're deploying. No, that makes perfect sense.

I'm right there with you. Almost always I'm, I'm for a buy versus build because, you know, I'm the expert of very little in this world and would love to include other people's hard work and time well spent grappling with those important nitty gritty questions that are all solved underneath the hood of a managed service so that I can not only take advantage of all of their expertise, but not have to worry about it. It almost seems like a no brainer. And it's very surprising when I see, you know, a company actually invest huge amounts of time and money and engineering into building out things that already exist in this world, you know? It's like, you want to reinvent the wheel. Well, okay. I mean, I suppose there's some interesting technical problems underneath the hood that need love, but there's also a lot of open technical problems that haven't been solved yet.

I'd rather work on those. Right, I would as well. It makes perfect sense. So speaking of work, you recently transitioned from mostly your military service to now civilian service with your role as a system engineer in Palo Alto Networks.

Of course, you're still part of the California Air National Guard too, part-time as a cyber warfare operator, which is very cool. But what would you say is the biggest challenge with the private sector that you've noticed so far in your, you've been there for two months? You know, honestly, I, there's, I like Palo Alto. Like Palo Alto is a really great company.

So I, it's, it's hard to say that there, there's really any challenges just because, just because it is, it is such a great company. Like I've heard, I've heard people when they leave the military, they say like, oh, everything here is like cutthroat and, you know, it's all about, you know, personal performance and stuff. And I haven't had that at Palo Alto at all. Like it's very team focused.

It feels, you know, it feels like people care about each other. So I, I definitely don't, don't have any complaints about, about being in Palo Alto and I'm really happy. I think the biggest issue for anyone, especially, so my, my background, right, growing up with parents who worked for the government in one form or another, more or less their whole careers. And then me going to work for the government after college.

And then now, now leaving that, I think there was just kind of a, a fear and a definitely like a feeling of instability leaving. And so I think that was, that was a little bit. You're breaking the tradition. Right, exactly.

So I'm just, you know, I'm leaving because I mean, the government can tend to be a little bit more stable as far as, as far as salaries, as far as the economy. For, for example, right, like we were in, in 2000, 2008 during the financial crash, I was living on a military base and had barely felt the impacts of financial crash. And I'm sure there's going to be some people listening to this who don't, don't want to hear that.

They, they certainly, they probably felt a lot of impacts due to that significant financial event in 2008, but almost everybody on, on base, our little isolated world on this military base was, was more or less unaffected because the government just, just kept giving out, you know, the regular paychecks. There's no layoffs or anything like that. So I think some of, some of those scares were, were definitely a challenge for me leaving, especially being someone who, who grew up with that crash in mind. They talk a lot about how people, you know, millennials, a lot of times think about the 2008 and that, that affects their lives.

And that's one of the reasons why, you know, millennials are, are making certain financial decisions that you've seen, that people have probably seen in the news. And so that was the same thing for me. Like I, I kind of fear instability due to that, that major event in my life, even, even though my, my interaction with it was basically, it's not affecting my life, but I know people at home who it is affecting. And therefore I felt very safe and secure.

And when I was leaving the military, I felt like I'm leaving that, that safety and security. Right. Well, good for you for doing what's right for you and breaking the tradition and taking a risk, really, you know, I'm always a big fan of people that are really willing to try something new to see how it fits. You can always go back if it doesn't work out, but just the experience and the diversity of trying something new brings with it a new perspective, oftentimes.

And that can be really rewarding. How about an advantage that the private sector has over military? Right. No, absolutely.

So with the, you know, with kind of that lack of, of security comes a lot of freedom, right? So I'm able to, you know, I'm able to live where I want as long as I can get a job in that location. I'm able to, I'm able to move laterally. So if I, so right now, you know, I'm a, I'm a systems engineer.

If I wanted to, if I wanted to go be a software developer, as long as I can, you know, build that tool set and, you know, someone is willing to hire me as a software developer and they, they think that I either have the potential to do it or I've, I've been able to learn that in my spare time. That's something I can do. And that kind of internal mobility is very difficult within, within the military. So there's just, you can kind of guide your own career a lot more in the private sector than you can in the military versus in the military, you kind of get on a train track and, you know, that's your track and you have to kind of just go forward on that track.

And then basically your, your control is, is the pedal, right? Like you go, how fast do you go on that track? Not, can you turn left or right versus in the, the private sector, you can turn left or right if you want to. And a lot of people, you know, like me who are more, you know, a little bit nerdy, we like to, you know, get hands on and, and build stuff.

A lot of times we don't want to be on this kind of up-or-out track. I want to, you know, want to go continue to be engineers into the future. And sometimes the military doesn't let people do that. Yeah, for sure.

The, the career paths in, in large companies definitely have two tracks associated with them, the IC role, the individual contributors, you know, the engineers, the operations folks, and you can climb the ladder just as well as an IC sticking to engineering and you become an architect, but yeah, they facilitate that. They facilitate that type of growth and that career path really well because at the end of the day, they want to make sure everyone is challenged just enough to still be learning and growing in the private sector. And that's really that sweet intersection between, you know, you're doing good work, but you're also learning and growing and so you're trying out new things.

You're engaged, and then when you do have your successes, they're real successes, you know, it's not just like mundane, same thing over and over and over again. Well, at least it shouldn't. If you find a good company, if you find a good team, that cycle will present itself over and over again within the same context. So I'm happy for you.

It sounds like you've got a little bit of that entrepreneurial spirit where you like to be challenged and engaged. So it'll be exciting for you there at Palo Alto Networks. And okay, so what about a piece of the military, culturally speaking, that you wish you saw a little bit more of in the private sector? Is there anything in that space for you that you thought really worked well in the military and you think it might also work well in the private sector that the private sector is just missing just a pinch?

No, I wouldn't say anything particular. I mean, the military, I'll just say the military is very, just like the private sector, right? It's very diverse. It can depend on where you go.

So for instance, when I was at United States Southern Command, and this is something I've talked about before, when I was at United States Southern Command, that's more of a, so if people aren't familiar, there's the military is divided up into service branches, which form like organized, train, and equip. So they organize troops, they train them, and then they equip them with different forms of technology. And then there's combatant commands, which actually do, for lack of a better term, war fighting. And United States Southern Command is one of these combatant commands.

And so it's more, so in any kind of combatant command environment, it's more of a deployed environment. It's more operational and active versus in a service branch environment, it's more of acquisitions or training, et cetera. So when I was at United States Southern Command, it was a lot more operational, but it did feel, everybody felt like a person. Like everybody treated me like a person.

You know, everyone was very friendly with me. No, it wasn't very robotic. People weren't just coming in to just, you know, do their work and get home. It was a lot more, you know, I'm here to, you know, we're all friends and we're here to be friends.

We're here to grow relationships and we're here to help each other out. And that's probably something that some companies need, that kind of attitude. I'm sure there's a lot of, from what I've heard, I mean, I have a lot of friends who work at those types of companies where it's, you know, punch in, you know, do as much work as possible and then punch out. But there's certain parts of the military that are like that too.

So I think in every, you know, whether it's in the government or in the industry space, every company should just realize that everyone you work with is a person. Treat them like a person. Be friendly with them. Don't, you know, don't just treat them like an object, like an input-output kind of function or something like that.

Like just like treat them like a person, be kind to them. And I definitely, you know, I saw that more in one job I had in the military than in other jobs. And I see that at Palo Alto Networks and I know in other companies, they don't have that mentality. So that doesn't really answer your question exactly how you asked it, but I do think that that's something that I'd like to see just across the board.

Yeah, for sure. It's, I think it's super important to see people first as people. And you know, when I interact with people, I like to assume two things. One, that they bring something to the table and it's my job to see what that is.

And it's going to be something different from what I bring to the table or what anyone else brings to the table, but it's something, you know. They have some set of experiences and values and knowledge that's valuable. And then the other thing that I like to assume, you know, when I interact with people is that they want to do the right thing, right? That the context around whatever's going on is driving them, you know, with their set of values and their experiences that X is the right thing to do for whatever X happens to be.

And that means that when there's a disagreement between people, it's really one of two things are about ready to happen. A, someone is going to learn something new about how the world works, right? They're going to gain another piece of knowledge or clarify their view of how the world is working. Or on the other side of that equation, they're going to have an opportunity to see the world from a new perspective where it's not even a problem anymore.

And that's the answer to the question, you know, what's the right thing to do? And then when you adopt a mentality like that, then disagreements become this really interesting thing. Because you know something good is going to come out of it at the end. And you don't know if you're going to be on the receiving side or the giving side of the knowledge side of the knowledge piece or the perspective piece.

But either I've been like in all four of those cases, I've been on both giving and receiving sides all of the time. And it just makes everything really enjoyable for everyone. And then it's not like, it's not like, you know, as long as that core respect is there and you can acknowledge that with each other, because we all have super different life experiences, but it's those experiences that shaped us into the person that we are today. We've got to see that in each other and acknowledge like our differences, not as baggage, but as strengths, right?

So I've always been fortunate enough to work for companies in the private sector that really embody that. Maybe not perfectly, but pretty much most of the time, that's what everyone is shooting for. So I feel very fortunate to have had those experiences and to have had the type of career that led to valuing, you know, like our differences. And I think that's the core value of diversity too.

You just have very, very different experiences across the board, across different cultures, even within our own nation, our own society. Okay, so let's go back to the security stuff for a second here. Okay. No, I was going to say, well, before I actually that, I just want to say I really like your, in your article, you talk about celebrate disagreement.

I just think that's a really good mantra for people. Maybe not a, maybe mantra is not the right word, but just something for people to remember because I think sometimes disagreements look badly, like looked as bad and some leaders might say, well, there's too many, too much disagreement here. I can't make a decision. And I don't think that's always the case.

Sometimes disagreement is just part of the process. And if we just, we just accept it and celebrate it, then we won't let it hold us back. One thing I like about Palo Alto is one of our core values is disruption. So in, so in the Air Force, the three core values are integrity first, service before self, and excellence in all we do.

And those are great, you know, those are, those are great core values for sure. But I, sometimes I felt like those were all very me centric, right? Like I, my integrity needs to be first. I need to give service before myself, which I don't think those, those things necessarily have to be competing and excellence in all we do.

Like I have to be excellent in everything I do. In Palo Alto, we have some of these things like disruption where, you know, it's, it's about, it's about sort of the whole system as a whole, like changing the whole system to be innovative and to use a buzzword, right? And then also collaboration. We have specifically collaboration is also one of our core values.

So we're encouraged to collaborate more together across, you know, across the entire company. And so the Space Force is actually setting up its own core values. So right now it started with the three that the Air Force has temporarily, but we'll see maybe it'll have some, some more modern types of core values, such as collaboration, inclusion, and disruption, which are three of the core values of Palo Alto. No, that would be awesome.

You know, but, you know, larger organizations, the larger the organization, the slower it will change. Maybe that's actually a benefit for the Space Force because it's new, maybe a little bit smaller. I bet they could be more innovative more quickly than some of the other branches of the military. Super interesting.

All right. Well, how about I'll put you on the spot a little bit. Do you have any, I know we already talked about some predictions that you had, you know, in terms of, is a SOC going to be entirely automated or could it be entirely automated? And that's a hot topic.

And maybe 10 years we'll have a different conversation around that. But do you have any predictions about what might happen with the SOC space with sort of attack detection? What do you, what do you think, what do you see as the future? What are you optimistic about that we're going to see within our lifetimes?

No, that's great. And I definitely wanted to reference a, someone that I follow a lot on this, Anton Chuvakin. I don't know if you've heard that name, but he works at Google and he was at Gartner for many years. And he's definitely someone, you know, if you're listening to this and you're interested in these topics, he's definitely someone I've learned a lot from.

I've read several of his, his articles and research, but he, and he was the one who talked about the SOC being automated and how he's actually, his prediction is that it seems, at least it seems to indicate that he predicts that the SOC could be fully automated at some point in the future. He said, it might be 2025. It might be 2045. He didn't seem to give a specific date, but he does, he does predict that.

And, and he makes some good arguments for that. So I would say he's definitely swayed me a little bit in that direction. I'm definitely, go ahead. Oh, no.

Yes, I'm definitely, I mean, I'm definitely like, I've got, you know, I've got a little bit of like optimism for sure, but I think there's also, there's definitely going to be, we're going to see a lot of change, right? So as, as, as a lot of companies start collecting, collecting more data, they're going to start to see which data sources are more useful and, and which are less useful. So I do see the SOC, I could see the size of SOCs kind of ballooning and then, and then shrinking back and then, and then growing kind of up and down like a little accordion. And so, and so, you know, I could see, so what.

What do I mean by that? So I mean, you know, a lot of SOCs might collect, you know, every single endpoint log that they can think of, and they might layer on like an endpoint device on there, an endpoint protection tool, such as, you know, from Symantec or another company. Palo Alto has one as well. Lots of, you know, lots of companies have these endpoint tools, and you could layer all that on and then collect all this data and then find that, you know, and then find that a lot of the data you're not really using or it doesn't, it doesn't have a lot of predictive power as far as an actual attack detection.

And so I could see that, you know, that kind of changing, maybe not, you know, maybe not moving in a linear direction, but going up and down. One, one market trend I've seen recently that I was pushing a lot in the Space Force. So I have a, I have a presentation I gave in the Space Force several times called Nowhere to Hide. And in that I covered, I covered security automation, which is my primary.

Was it K-N-O-W or N-O? No, it's just N-O, like nowhere, nowhere to hide. So the idea was that. Nowhere to hide, you can't run, nowhere to hide.

Right, so the idea is that, you know, we, we do all these things, right? So like you run a, you run an encryption company, right? And there's, you know, encryption is very important, right? And, you know, if you, if you can do encryption correctly, then, you know, an adversary, even if they, you know, even if they can see your data, it's, it's encrypted and they're not able to actually read it, for example, right?

But the idea of nowhere to hide is if they're, you know, if the adversary is doing something that they're not supposed to be doing, they can't do that undetected, right? They, they're going to be, they're going to be basically caught and stopped very quickly. And so a huge part of that was security automation. So you see the, the SOAR platforms taking off, such as, as Phantom and, and Palo Alto's Cortex XSOAR.

Those, those two platforms are taking off in the space to increase security automation and to bring all the different data sources together. So that's, that's a huge part of SOAR is these different SOAR platforms have hundreds of integrations with lots of different tools and for security operations centers that have dozens of tools. They, they have tool sprawl and they don't want to log in to each individual one. They can bring it all together in a SOAR platform and then they can start to add playbooks, which are just basically scripts.

Some people don't like scripting. They want, you know, visual, visual programming. So you can do that with a playbook and then you can automate certain actions within the SOC. So that's definitely, we're going to start to see that take off.

And as, as that starts to grow, we're going to see SOC operations just happen faster and faster. And then SOC operators are going to start moving out of what we call tier one activities, which are just very, very basic SOC activities of just opening tickets, closing out like really obvious false positives. And they're going to start to focus on a lot more complicated threat detection. So that's one market trend I see and definitely something I predict in the near future is going to happen.

And then the other thing that I'm going to see, we're probably going to see happen in the near future is also is in the XDR space. So XDR is interesting concept. Like some people could probably argue that XDR has been going on for, you know, as long as security operations exist because XDR just means extended detection response. So rather than doing endpoint detection response or network detection response, you're doing it across the endpoints and the network and other devices.

So I know you've talked on your podcast about DLP. DLP is also part of the extended detection response architecture, right? And so bringing all those data sources together and then doing the detections across the several data sources in a single data object rather than just trying to do it within each stream. And what's interesting about XDR is a lot of companies are using similar, like a lot of companies are using Red Hat, right?

A lot of companies are using Windows. And so the log sources from those are going to be very similar. A lot of companies are in the network traffic. You know, a lot of most network traffic is probably TCP/IP, right?

Right. So you're going to correlate. So if you can correlate Windows logs with TCP/IP, then those analytics that correlate those two different data sources can be shared across different organizations. So what we're seeing in the XDR space is companies are able to actually have those analytics on their cloud and then customers are able to send their data to that cloud to be analyzed with proprietary analytics.

And then those analytics can send a report back to the company's security operations center to say, OK, these we've seen, you know, this traffic looks suspicious, so go look into it more. So that actual commoditization of the analytics and selling of analytics is one of the major new trends we're seeing in the market. And I think that's definitely going to take off. And also that coming with threat intelligence, which we can talk about if you want, threat intelligence becoming more commoditized and being sold more as well.

So what is threat intelligence? It's just the fingerprints that identify specific types of attacks. Right. Yes, exactly.

So the idea of threat intelligence, there's sort of two ideas of threat intelligence. So if an attack happens on Palo Alto's network, that adversary is going to want to use that attack on several different networks to see how many they can compromise. So, you know, especially something like ransomware, right? Like ransomware works best if you can, you know, hit as many targets as possible and get them all to pay.

So if there's a ransomware attack that Palo Alto Networks is able to detect and hopefully stop right before anything happens, then we can share what that attack looks like with Peacemaker, and then you're able to make sure that that doesn't hit your environment. Yeah, exactly. I would imagine that ransomware folks, you have to break into these networks, and so there's a period where they have been, where certain networks have been compromised and they have access to the storage device. They identify all of the backups.

It's quite the attack, you know. I would imagine it's very targeted too. It's hard to automate something like that. Yes, I mean, it can depend.

It's been, I mean, certain ransomware attacks have been automated, but that's a good point. That's called the dwell time. So that time from which the adversary is in your network until the time that they're detected is known as the dwell time. Maybe you've heard that term before.

But part of the point of security automation and just adding additional sensors is to limit the dwell time. So that's really our goal, you know, within the community, security operations community, is to shrink that dwell time as much as possible. What is the dwell time like right now on average for like a ransomware attack? Would you?

Well, I can give you a different example. So the SolarWinds attack, right, so that they said that that started in the summer, so around June or July of 2020, and then it was released, the information was released about it was detected by CrowdStrike in December of 2020. So it was about five or six months of dwell time. That's a long time.

Right. So the idea is that, you know, we're trying to shrink that down to much faster than that. If you look at, so CrowdStrike actually has a report on different adversaries, and a lot of the adversaries have breakout times, which is kind of a niche term, but it's basically the time in which you need to detect an adversary in order to actually stop them. And like the fastest adversary that CrowdStrike had on there, the effect, the fastest APT was about two hours.

So, you know, so the, we're trying to get that dwell time from, you know, six months in some cases, right, down to something that's measured in hours or minutes. So that's, you know, there's a lot of work being done in analytics, security automation to just really speed that up. Excellent. Well, I'm excited for the future.

It will be more automated. It will be faster. It will be more secure in no small part to folks like you on the front lines helping think through these hard problems. Wes, it's been an absolute pleasure.

Thanks for sharing your wisdom, your experiences. Absolutely. Thank you for having me. This was a great experience.

Thank you. Awesome. Well, we'll have to have you back on at some point and we'll see how those predictions work out. Yes, absolutely.