
So before I begin, I personally want to thank each and every one of you for not only attending my speaking session today but, most importantly, attending the 10th anniversary of BSides Knoxville here in Tennessee. How awesome is that? We're going to be discussing SOC Essentials: Assembling Your First Response Team. As a quick introduction, my name is Ranna Schultz. I am born, raised and from Kansas City, Missouri, and before we get to Q&A I'm going to answer this question now: no, I do not have an opinion about Taylor Swift or Travis Kelce or the Kansas City Chiefs. But what I can tell you about myself is that I did attend the University of Central Missouri. I graduated with my Bachelor of Science in Cybersecurity, Secure Software Development, and then later I got my Master of Science in Cybersecurity, Information Assurance. I have a very technical background in endpoint security engineering and network security engineering, and as of today I am a team leader in a Security Operations Center at Garmin. Besides my love and passion for this field, I am a huge science fiction book reader; I really enjoy reading science fiction books from the 1980s.

So before I deep dive into the content I am going to be presenting to you all today, I'm going to have a quick disclaimer: the information I am going to be presenting to you all today is not a reflection of any processes incorporated with my current or previous employer. So if you creep on me on LinkedIn, sorry, you're not going to find this information with my employers. But I can tell you the information I am going to give to you all today is community driven. This is from the cyber security community itself: it's areas where I have had people express concern and areas where people have given resources. One resource I recommend that you all go home and buy, if you want to learn more about a security operations center, is the MITRE Saka Central book. There are a lot of great things coming out of this book that you can apply to your day-to-day, not just as a leader but also as an individual contributor.

So throughout this presentation I am going to be discussing how to start and mature your security operations center. I'm going to be talking about leadership: if you are a leader in this room, I'm going to be giving you all some insight on how to build a great, innovative culture, and then additionally, if you're an individual contributor, how you can work with your supervisor and build a great relationship and have strong connections, because transparency is very important, especially when you're working in a SOC. It gets intense, stuff hits the ceiling, and then everyone goes home stressed to play video games and they wake up to do it the next morning like nothing ever happened. It's fun, it's great here.

Now additionally I'm going to be talking about how you can build a career path. I often hear things such as, "I'm a senior analyst, I don't know how to go from a senior to a principal, I feel like I'm capped in my career." Okay, well, I'm going to be giving some insight on what you can do to fix that issue. And most importantly, how to write a job description. I feel like we've all seen a terrible job description recently, so I'm going to be bringing some insight on how you can write one and attract talent towards the business that you're trying to build.

Now, most importantly, the security operations center: what do we need? We need alerts, right? This is how the SOC monitors, this is how they act on security threats and incidents. So I'm going to be talking about how you could build your alerting architecture platform and, most importantly, playbooks to reflect that. And lastly metrics, because if you do not know this, cyber security costs a company money, so when you have metrics it reflects where that budget is going and how we're utilizing that budget towards our program.

So I like to start with: what is the SOC? And this can be a reflection of, you know, maybe a small business. If you work in a company with 50 to maybe 500 people, a SOC analyst is going to have probably a lot of different hats. They're going to be working the alerts, they might be your pen testers, they also might be the people managing your SIEM and SOAR. A security analyst can have many different hats in a small business. Now if you're in more of a bigger organization, probably 5,000 plus employees, where you have more funding towards your cyber department, those roles and hats get split up into different divisions. But a cyber security department can also work with their DFIR or CSIRT team. So typically what a SOC does: they go in, they contain, they triage their alerts, their threats, and they might work closely with a forensics incident response analyst or a cyber security incident response team, whatever the acronym is in the area, but this team specifically tells that whole story. Again, it's not uncommon that a SOC in a smaller company might be wearing the same hat as a DFIR team, or even split up with threat intelligence people on the dark and deep web learning about emerging attacks or threat actors, and also working with their endpoint security team, those hardening antivirus and EDR on the endpoints. These endpoint security stacks create alerts that are probably being fed into the SOC, so it's important that they have that relationship. Network security, your firewall gurus; cloud security, we're still trying to figure out what this is in today's world; and then also vulnerability management, the team that's working on finding exploits, who probably have a relationship with the pen testers who are exploiting these findings where the SOC sees visibility. And don't forget application security, this is going to be your entry point, and then all of these other different departments, right, that the SOC is probably going to have their fingertips on: risk, compliance, policy, security education. The reason I put the SOC in the center of all this is because, again, the SOC is the first eyes and ears to all security threats and risks targeting or happening within your business. It is crucial that they have a strong relationship with not only just your cyber security department but all of
those other business corners as well. So again, like I said before, a lot of the information I'm giving you all is community driven. I often see, hear and read very frequently on LinkedIn or X, or even in some of my local cyber security chapters, "I am burned out, I am tired of doing the same thing every single day." Now if we think about a security analyst, what do they do? They come to work, they log in, they probably have their bowl of oatmeal, I don't know what people eat in the morning anymore, and they work an alert, close an alert, they work an alert, close an alert, work an alert, close an alert, and then at the end of the day they go home. They come back to work to do the exact same thing. It is not fulfilling, there is no purpose, there's no passion behind what you're doing. Cyber security, this field, can tear you apart and burn you out very quickly if you do not pursue your passions.

Additionally, another thing I often hear is, "There is not a clearly defined career path for me." Now when you come in as an entry-level analyst it makes sense, right? You look at the people around you, those who have been here for a few years, and you're like, okay, well, I'm entry level, I know what I need to do to get to maybe that mid position and then going into that senior security role. And then now what? What's the difference between my senior analyst or my architects, or my senior analyst and a principal, whatever that job title is? You know, what am I doing? Or even sometimes your mid analyst might be doing senior-level work, and so now they're frustrated because they're underpaid, they don't have a title, and it's just, why am I here? I can leave. We want to retain our talent, and this is where it's really, really important for those who are leaders in this room to really utilize your one-on-one time. I'm sorry, but me personally, I believe everyone should be meeting with their associates biweekly if not more. If you are a leader in this room and you haven't met with your team in the last month, you need to do some personal reflection after you leave here and ask yourself, why am I in leadership? Because your job is a reflection on your team. Your priority as a leader is to invest in your team; you're supposed to be there for them. I have had moments where I've canceled meetings because there's someone on my team that needs 30 minutes. Absolutely, it's important, I'm going to give you those 30 minutes; I can reschedule a meeting I'm not even going to be paying attention to, don't care. So utilize those one-on-ones, hear your people, understand what they want. And if you're an individual contributor in this room, think about if any of these bullets, right, are really hitting you, and you're like, oh my gosh, I am burned out. Ask yourself why you are burned out. Are you not doing what you enjoy? Maybe you have an interest in something else, like pen testing. So use your one-on-one time to go back and tell your supervisor and be like, hey, I really enjoy my day-to-day but I'm getting burned out, but I'm also interested in this. There's an opportunity where you might be able to incorporate your passions within your day-to-day as well. And then also, if you're a leader, listen, and allow yourself to have that innovative culture. Listen and maybe just try an idea. I feel like it's not uncommon in the tech field where we just white-knuckle grip a process that we wrote five years ago. Fun fact, technology changes, right? So that process might be slightly outdated now. So when you have someone come to you and they're like, hey, let's try something new, and it's like, oh my gosh, new, that's scary, I don't want it, just try it out, right? You're allowing that innovative thinking. There's a saying I grew up with, and it said, hey, I'm just going to let you fall off the bike to figure it out. I grew up with a very tough-love household, but again, right, that's trial and error. You're allowing them to grow, you're allowing them to pursue their ideas in a very safe way, right? You're guiding them; that's your job as a leader.

So when you start creating your culture within your team, you start building a brand or a trademark, and this brand or trademark can have two different reflections: your internal brand and then also your external brand. So your internal brand, this might be reflected in your team, how they're producing deliverables. I feel like we all work with maybe a group at work, and they just complain a lot, right? They're hard to work with, they're difficult; when you meet with them they just go on and on and on about one thing, but the purpose of the meeting is completely lost and you're like, I just wasted 30 minutes, I just needed this hash to be blacklisted, or whatever the case is. You know, that is a trademark that is being built. Now you might also work with specific people in the business that you know are go-getters. You know that if they don't have a solution they're going to ask someone that might have an idea on how to solve that. So again, you as a leader, as you're building your team, as you're building that culture, providing those innovative ways to think, and listening and investing in your associates, right, it's going to be investment return. You're going to start building that internal brand, how people are going to be thinking: how can I work with this team? I know if I work with them they're going to be producing great results, and now your team is happy and they're growing, etc., etc., whatever the case is. And now that's going to start reflecting your external brand, and this is really important because when you have job postings, the cyber security community is very small. We know people who work with specific teams, and if there is a team that has a sour taste in the community, you know you're not going to attract the talent that you're probably wanting to relate to with that job posting. I know this one person, I'm not going to name them out of respect, but they are very well known, they do a lot of public speaking events. They took a team essentially of one, they built it to 15, and it's not unknown that people from this team will leave and go work at Fortune 50 companies and build their program. Additionally, when this person had posted a job position opening, he had over 500 applicants in less than 24 hours because of the weight of the brand he had in the community. People wanted to work for this guy because they knew the investment, they knew what could happen, and the mentorship that would come with it. So additionally, brand and trademark is very, very important, and kind of to highlight what I just said
about leadership, I made this really cute pyramid for you guys. So this baseline here is leadership. Leadership is going to be that foundation to build your team. You're providing the mission and vision, the culture, you're giving the purpose as to why they are doing this. Why am I closing this alert? Well, hey man, that alert protects us against FR somewhere, it's kind of important, you know? You're giving that why. They're allowed to ask questions; your team is absolutely allowed to ask questions. And if you're an individual contributor, if you're getting a task and you don't know what you're doing, go back and ask the why: why am I doing this? Because if your supervisor doesn't know the why, there are probably some other questions that need to be asked. We're not doing work to just do work here. Another thing is, once that is all built and ready, it's going to impact how your team functions. You know, they are given the purpose, they're understanding their task, and they're feeling recognized; they might accept more additional responsibilities, they might accept different challenges, right, because they're happy, they want to build that program with that leader. And then this is how outcomes happen, right? These deliverables are going to reflect the culture that you're establishing with your team.

So now that we talked about leadership, the question is, how do I start building my security operations center? Where do I begin? Well, the first thing I recommend is asking yourself, what does my organization need? What does a SOC look like for my business? Again, going back a few slides, I had a smaller business: you might have a SOC analyst with multiple roles and multiple hats. They might also be your DFIR team, they might also be managing SIEM and SOAR, they could be your pen testers, right? So asking yourself, what exactly is the SOC analyst going to do? How is this going to reflect the security needs for the business? Because once you start figuring that out, this is how you could start creating development plans and job postings as well. And this might sound scary, and some people are like, I don't know how to develop career paths, I usually use the blank template that my HR team might give me. That's okay, but one thing I do recommend is starting with the NIST NICE framework. This is a fantastic framework provided by NIST, and this allows an outline of knowledge, skill sets, abilities and taskings. And this isn't just for cyber defense analysts; this is also for pen testers, reverse engineers, forensics engineers, endpoint security, you name the cyber security role, even leadership. They have a tab as to, hey, this is what this person should be able to do and perform. Now if you take this and you're like, okay, well, I have an entry-level person. We think about entry level: they may or may not have had an internship, historically, right? So I'm going to assume they probably have little to no work experience. They're coming out fresh, they're coming into corporate America all happy and excited. So how can I get them from no experience, no skill set, to having knowledge, skill sets, abilities and taskings? And so for an example, this is something I pulled from the NIST NICE framework. This might be a bullet I would want an entry-level analyst to have: knowledge of operating systems. It's kind of important, right? They should know the difference between Windows and Linux and Mac. They probably should know why Windows Event IDs are very, very important. Okay, yeah, that's definitely something that's achievable for an entry-level analyst. Maybe the next thing is knowledge of, like, TCP, UDP, ICMP. Why is this important? Why is this valid? So again, having this knowledge where I can start mentoring them, giving them education resources where they could grow and be fulfilled in that entry-level role. Now if we go down to skills: skill in using incident handling methodologies, absolutely, right? You're a SOC analyst; I expect you to know how to do containment and then maybe potentially escalate from there. Another one is collecting data from various cyber resources: EDR, firewall, knowing how to use the SIEM that's collecting all this big data, analysis tools. Now the ability section: ability to apply techniques for detecting host- and network-based intrusions, right? Understanding the difference between these two alerts: why is this on the host, why is this happening on the network? Right, maybe worms. Okay, so what do worms do? Well, they start on a host and then they start traveling through different file shares. So again, these are very important things to have, because when they pick up an alert they should understand what they're doing. Additionally, ability to interpret information collected by different network tools: understanding ping, nslookup, whois, probably. And then taskings: being able to identify abnormal activity in the network, right, associating that to threats. Well, this looks like a PHP command injection because of this, okay. And well, now I'm expecting maybe my entry-level analyst to start picking up some of those things and understanding those differences. And then lastly, document and escalate. Absolutely, absolutely, my entry-level analyst should know how to document case findings and then also use their team to escalate when they have questions or ask why, or make sure that they have a second set of eyes so something isn't missed, right? So now that I have a KSA developed for entry-level analysts, this is how I, maybe as a leader, could go in and go, okay, this is how I can grow you as a person, this is how I'm going to start investing in you to make sure that you're set up for success.

So when we have our career path, right, this can also be translated into job descriptions, and like I said before, I feel like it is a common theme recently to see very terrible job descriptions posted, and then you see the cyber influencers screenshot these very bad job descriptions and then they call the company out to go fix their job description. I think it's sad and funny at the same time, but then I think to myself, do I actually know how to write a job description? If I had to post something, am I going to be made fun of, right? So going back to that NIST NICE framework, this can also help you write those job descriptions, because now you
identified, hey, this is what we're looking for in an entry level, this is what we're looking for in a mid. They don't have to hit all the check boxes, but now we know where to grow and kind of have an idea of what we're looking for. When you write job descriptions they should be marketable, right, current, accurate; there should be a clear difference between required and preferred on those job description writings. Here is an example I pulled from LinkedIn. I redacted the company's name out of respect, but we can see here, if I'm putting my shoes on as an entry-level analyst and I'm going to go job hunt in the market, I'm definitely going to be going to LinkedIn, filtering on entry-level jobs, and I'm going to be looking at jobs that way. So this is a full-time entry-level job, right? Nothing wrong there so far, but they're also looking for a senior cyber security analyst, followed by five plus years of experience. I don't know about you, but there are a couple of red flags here. So again, right, if I'm looking for a job and I see this, the first question I'm going to ask is why, followed by, are they going to invest in me? If the hiring team did not take the time to review and properly post this job description, are they going to take the time to get to know me in an interview? Okay, what if I get the job? Are they going to take the time to invest in me? And this is why writing job descriptions is very, very important, because this is how you're going to attract talent for your team.

So here's a second one. This one, we're looking for a full-time internship. Now there are some good things I like about this; this doesn't always have to be super negative. First thing they call out is a bachelor's in computer science or information technology. Okay, you know, that's pretty straightforward, a tech degree. And then also the responsibilities: these are vague enough, but they make sense, you know, overseeing cyber security activities, ensuring robust cyber security postures, present, okay, makes sense, right? Here are the red flags out of this. First bullet is CISSP for an intern position, followed by 10 or more years in information technology for an intern posting, or my favorite one, managing personnel, followed by experience leading, providing executive-level briefings. I don't know what intern they're looking for. And just out of curiosity, does anyone have a CISSP in the audience? Congrats on your internship. I am chairman.

So kind of fast forward, right, if we take that NIST NICE framework and you think about it, right, entry-level people without experience: how are we going to write a job description for that? Now this job posting, again, this is from LinkedIn, this was targeting interns, and this was probably one of my all-time favorite positions I have ever read. It made me so happy, I was so excited. The first one, and this is in the first sentence: this person will work with a team to apply your knowledge and gain experience. This stood out to me because, again, it's an internship; it's calling out how they're going to be invested into the team. This screams positive work culture already within that first sentence. And then moving down here: must be a student enrolled. They're not calling out that they have to have a college degree, they're not calling out that they have to obtain a certification or be pursuing XYZ, right? They're saying, hey, we know that you're probably having continuous education, we just need proof that you're enrolled, right, that you're a student seeking this. That's awesome. And then my next favorite part, remember the KSAs: knowledge of XYZ, ability to do XYZ. This is the difference between an intern or entry-level posting compared to a mid and above: knowledge of cyber security principles, etc. Now when we start seeing the mid and seniors, that "knowledge of" gets changed to "experience in." Those two words have a lot of weight when you start writing job descriptions; it's very, very important, so just food for thought.

Now, like I said, investment in is investment return with your team, and as we write those KSAs and we think about what we can do to start providing that education, right, we have knowledge and tribal knowledge we learn from day to day or the mentors that we have, but what can we start doing to maybe have those external influences in? And I know a very popular training path is SANS. I have taken multiple SANS classes in a lot of my different past lives. I absolutely love SANS, right? The instructors are very passionate, great time, money's worth, but it's expensive. I would probably have to sell my car to go for the next SANS course I want, plus the certification. So what can I do to give to my team, or even, like, college students, I'm like, hey, this is how you're going to get experience in? Well, there are a lot of different platforms out there. There's Hack The Box, there's TryHackMe. If you're an educator in this room, CISA has a lot of great resources that you can take back to your classroom, or even if you're already in the field, right, CISA additionally has a lot of cool links on their website that you can click and go through to watch boot camps or enrolling you in Udemy and a lot of other different platforms that you can take back, because again, investment in is investment return, and I'm very big on understanding and finding your passions in this field. You can have a job, but you should be able to do something you really enjoy, and having that continuous education allows you to find those different avenues and your passions.

So, alerting. You have your team built, you have your culture established, you have your jobs posted, you know you're hiring, you have a path developed already. Okay, so now we have a SOC. Let's start with alerting. Well, where do we begin? It's kind of a very big question. Now I always say scope and know your environment. Most likely, hopefully all of you in your business have an antivirus or an EDR already deployed; if not, you'll get there, it's okay. Or even a firewall, right? A security stack, nine times out of 10, already has a feature built in called alerts. These alerts are what's triaging security threats and risks entering your environment. This is a great way, especially if you have a new SOC team, this is a great way for them to start learning the lay of the land in the business, right? They're understanding, oh, we have a developer team that frequently kicks off this PowerShell alert; well, it's part of their process, right? So now they understand what's common, what's not, what's abnormal, what they can tune, and start hardening that security stack appliance. If you're not familiar with a concept called pyramid of pain, it is a great concept for you to take back and apply when building your alert and monitoring architecture. Pyramid of pain, if you're not familiar with it: the baseline of the pyramid starts with common known indicators, hashes, IPs, domains. These are easy things that you can block with your security stack, but the trade-off is these are also easy things that a threat actor can go in and change, right? They can change an email address, they can change the website that their C2 server is hosted on, it takes a few seconds, or even they can go into their code, add a line,
recompile it, it's a completely different hash, so those blocks that you put in are no longer applicable. But again, that's why it's at the baseline: it's an easy place to start, it's an easy place to hunt on. Now as you continue up the pyramid, at the very top you have your threat tactics that threat actors are using. Maybe they do a specific process; a malware family is known to do this, a ransomware family is known to do this, and this is how you start building threat hunting in your business. An example I like to use is, hey, we have a process spawning from a .lnk file that's now calling to a PowerShell that's sending out Base64-encoded scripts to an external IP. You can't hunt on hashes with that, or IPs, because that IP is probably going to be rolling and changing constantly, but that's a behavior you might want to start hunting on, because now you have data trying to get sent out of your environment. So really, really cool. Again, once you kind of start figuring out what's in your environment, this is where you can start catering: hey, this is where we're missing. And if you already have alerting established in your environment and you're like, I don't know how to mature this anymore, I think we're great: no, you're not great. My biggest fear being a defender is protecting what I can't see. I walk in every day at work assuming we've been breached; it's just, how am I going to find that breach today? And it's scary; that's what keeps me up at night. So if you are like, well, okay, I don't know how to find the gaps in my visibility, there's a tool that MITRE published and it's called the MITRE ATT&CK framework. In fact, they have an open-source repository called MITRE mapping, and you can go in and add the different behaviors that all of your alerts have, all of your custom queries, and it maps it to all those different TTPs. And so now you could say, wow, we're really heavy on Active Directory security, but our web apps, we have no detection on these. Why is that? Well, maybe we don't have logging for our web apps. Okay, that's a gap, right? Let's work with whoever to get the logging in so we can start creating alerts and start filling that visibility gap that we're seeing. So highly recommend it, it's a great, great tool. Again, that Saka Central book that I had a few slides back definitely covers it.

So now you have alerts, you have a team. What about documentation? We love, love documentation here, don't we? Everyone loves writing documentation; that's why we have URS. You're doing a good job over there, CISSP. There's a saying one of my mentors told me, and it has stuck with me through my dawn of time: when in doubt, document it, right? Documentation is great because this is how we're passing tribal knowledge, and, you know, it's sad news, team members come and go. Trust me, if I could retire with the same team I have today, I absolutely would, but I know that's not realistic. So if someone new is coming into my team, I'm going to be able to hand them a piece of documentation and they're going to understand how to run through an alert. Documentation should be easy to find, easy to use, current and also accurate. And if you're like, well, I don't know how to write a playbook, don't worry, that's why we have AI. ChatGPT wrote this for me in 30 seconds. In fact, the name of this alert at the very top here is a real Microsoft Defender alert, and I went to ChatGPT and I'm like, hey chat, and it's like, hi, and I was like, can you write me a playbook that covers, like, the details, what this alert is for, a few investigation steps, and then also, hey, if this is a true incident, what should we do? Yeah, sure, here it is. Copied and pasted it, put it in Microsoft Word and screenshotted it for this presentation for you guys, you're welcome. So again, you can take this back for inspiration. I did change a little bit of it up to make it more usable and friendly for, I would say, the community. But most importantly, what we have here is this about section: what is the alert firing on? Like I said before, providing the why goes a long way, especially if you have an alert that has a lot of false positives. That alert loses its value, it loses the quality as to why do we have this; it eventually might get disabled, or there are a thousand false positive tickets and it skews metrics all over the place. So having, hey, this is the purpose of the alert, we have to have it because of this, is very, very, very important. And then also the last audit of this documentation. Audits are really good, especially for those who are in compliance; they're probably smiling in the back of the room, they're like, yes, time stamps, thank you. If you're like, I don't even audit any of my playbooks, a good place to start is if you have maybe an incident that used that playbook, maybe if you had an alert and all of a sudden there are three or four people working on the same alert, it got escalated multiple times, and even though it's a false positive, right, that's an opportunity to go back and review that playbook and say, hey, how can we make this more usable so that way a whole lot of people aren't escalating it? Clearly they figured something out that probably should be documented for the next time this happens. Additionally is details on how to investigate the alert: open the Microsoft Defender 365 console, determine reputation of the hash, or whatever it is, right, whatever those XYZ following steps are that would make sense for your business. And then also details on incident response. So if we go through the investigation steps and we're like, hey, this turned out to be a true positive, it's all over our network, muddy waters, flames everywhere, dumpster fires, we've got to contain this, what do we do? Well, first step is let's contain the host, scope the environment, how big is the spread, whatever those IR methodologies are for your business, because it's important that an analyst should feel empowered to go from investigation right into that first responder for the business. Absolutely crucial. Additionally, audit log: this is changes that happen for this alert. It used to be my biggest pet peeve when I was in the weeds and I would do alert creation, and whenever we had an alert fire for multiple false positives there's always this one person that's really ambitious, they're like, I'm going to tune this alert today, and I'm like, you go, Joe, you go. So they go in, tune the alert, and then a couple weeks pass and someone goes, hey, remember when the alert used to fire, like, a lot? Yeah, I haven't seen it in a couple of weeks. Did we disable it? No. And then you go in and you look at the alert and you realize the person that tried tuning it added the exclusion not wildcard, so they just excluded everything. The alert doesn't fire; it works, right? But again, let's go in and fix it, and that's why that audit log is really, really important, because if those exclusions do happen, or if you go in and you add a section to gain more value for the alert, it provides awareness to the rest of your team so there's not a question, and that way you also know how to go in and make changes if needed as well.

And then most importantly, you have your team, you have your alerts; how can we showcase to the rest of the business what security operations is doing? We as security professionals know how important it is to be in cyber security, but for those who do not wear our hats or are in our shoes every day, it's kind of hard for them to know that, especially if you go into more of the C-suite briefings and stuff like that. Numbers go a long way. So one metric I do recommend is looking at mean time to detect and mean time to resolve: how fast is an analyst going in, grabbing that alert, and then also how fast are they going in and resolving that alert as well. And now this can also be a metric to push weight, maybe as to doing an audit on your alerts, such as, hey, our mean time to resolve is poor but we have a fast mean time to detect. Oh, why is that? Well, we have a lot of alerts, they're easy to close out, it's because it's a known false positive. So of course, like, that mean time to detect is high because the analysts already know, yep, we know this is the development team doing this, close, close, close, close, close, false positive. Okay, well, let's step back: why are we closing a close, right? Opportunity to tune. Additionally, if you have a high mean time to detect, meaning it takes a very long time for an analyst to go in and grab alerts, but the resolution seems normal and average, it could be a reflection of needing resources at this point, right? If your alerts are pure, is what I call it, right, you know the false positive rate is low, or maybe there's a true negative, right, you know what the use case is, it's nothing abnormal with that, but now you're starting to see an increase of alert volume and detection time is taking a long time and your analysts are starting to feel overworked. Well, now you have a metric to show back as to why you need another body in a seat to help support security in that first response as well. Additionally, you can also use SOC metrics to start
tracking risk in your business as well um if you work a lot of fishing cases and stuff like that if an analyst goes in and they're like hey we had a lot of users report you know this fishing came back as true positive well this is an opportunity to work with security education and start using that in your fishing pool or if a IT person goes hey we're probably going to decommission you know this Fireball for whatever reason whoa we have metrics to prove we need that firewall because we're being targeted with this attack specifically on that firewall and it's blocking it so metrics hold a lot a lot of weight it just depends on how you're going to use
it so thank you guys so much for coming to my speaking session today I hope I gave you some insight on not only how to start or build your security operations center but maybe some areas on how you can improve with career paths or writing job descriptions or even how to mature your learning architecture in your business I know I presented a lot of QR codes throughout my presentation so going from left to right over here we have those cesa education resources uh for continuous education the miter Essentials that's the book I recommend I believe there's a free pdf out right now don't know how long that's going to be but you could buy it on Kindle for 99
cents or a physical copy I believe for $25 or $30 on Amazon and then also that n nice framework right that's the framework I use for career development job descriptions and then very lastly my LinkedIn like I said my presentation is a lot of community-driven stuff so absolutely please connect with me because I like giving back to the community and I like to hear from you as well so thank you guys so
Thank you, Rihanna. So my first question, my only question: you talked about assembling your trademark as a leader. I'm wondering, is that something that I can do as an individual contributor, and if so, how many years of experience do I need before I start?

Yeah, you know, it just also depends what you want your trademark to be. Now, being an individual contributor, I feel like we always work with that one person that wants to be the SME: "I want to be the guy that knows this, I want to be the person that knows this." And investing in what you're passionate about, you're going to be that person that knows all of the stuff you're investing in, what you want to be educated in. And most importantly, I think the biggest thing, regardless if you're an individual contributor or if you're a leader, one of the biggest things that came back to me: if you do not know the answer, it's okay to not know the answer, because that's why we have other people we work with and stuff like that. You don't want to be known as the person that fluffs answers when you don't know it; it's better to have "hey, I don't have that answer." You could start this today if you want. There was a presentation earlier today with a girl who is still in high school. Absolutely look at that brand now that they're building for themselves. They're taking risk, and that's how you're building your confidence, that's how you're getting yourself out there, regardless if it's in the business or also in your community as well. Take those challenges. It's okay.

Okay, if anybody has any questions, please come up to the front so we can get your question into the microphone; that'll allow us to get the question into the recorded set. Question? Wesley, do you have a question? Yes, please.

Hi, thank you. How do you encourage metrics for performance in a way that encourages people? It's really easy to get new people into an entry-level job, but again, to your point, it's hard to keep them. So how do you, what are some of your tips and tricks at retention?

That's a good question. So using metrics alone, metrics can lead to either a very negative thing or a very positive thing; again, it just depends how you utilize it. There are times where you might show metrics and it becomes more of a "challenge accepted," like "I'm going to be the analyst that closes the most alerts this week" or "I'm going to be the person that runs the most incidents," right? And again, that's going to cause burnout, because now they're pushing themselves at 110%. When I sit down, when I do my mentorships with anyone, I always tell them: come in the office, give me 85% that day. And I know it might sound weird, right, because you hear you should give 100%, 110%. Work-life balance is absolutely crucial. 85% gives you that 15% buffer to be able to drive home; maybe your dog needs to go to the vet, maybe something personal is going on, or whatever the case is, you got sick. You need that 15% to survive, and you can't give that all the time constantly at work, because then you're going to come home exhausted. So having that said, it's not really a true metric, right, like a quantitative metric, but it's a good metric to allow that work-life balance. Especially, I remember when I first started, I was such a go-getter, I was so hungry, I was putting in the hours because I just wanted to learn everything so fast, and then you come home and you're so tired and you're like "I can't even pay attention to watching this TV show I'm doing today," so it's just static. But yes.

Yes, thank you. Great presentation. Earlier you had a slide where you showed the SOC in the middle connected to all the different bubbles on the outside. Could you speak a little bit about going from, let's say, SOC team, IR team to threat hunting, and some of the pathways involved there, or what you think that career trajectory...

Yeah, from SOC to like IR to threat hunting, kind of what that career transition might look like. Yeah, so it, again, right, it depends on your business or whatever. I think of the SOC as your first entry point, right. They're going to go in, they're going to do the containment, they're going to tell that surrounding story as a "hey, how did this alert happen, here's the spread, here's the impact," etc., etc. And then your incident response team, they're going to come in and tell more of the story: exactly how did that entry point happen, what caused this to actually occur. And now maybe if it's malware, right, I probably should have a SOC be focused on triage, you know; that incident response team is going to go in and tell more about "this is what that malware is doing, this is exactly what happened on the host," because then once they provide all those indicators and those TTPs, they could give it back to the SOC or even a threat hunting team and they're like "go create an alert, go monitor this type of behavior." So that, I would say, high level, that would be that transition from SOC to incident response. Yep, any other questions? Wesley, are you sure, bud? You've got plenty of time. Okay, anybody other than Wesley have a question? Yes.

Thank you for the presentation. So this is kind of a loaded question, so you can answer just a piece of it maybe, but with the advent of managed XDR, how do you see shifting your strategy around your team when you have some of the SOC portions already taken care of by another external team?

Oh, the questions. I did this presentation not too long ago and one of the questions was like "aren't you afraid of, like, AI replacing your level one or tier one analyst?" I'm like, absolutely not. And that's because our security tools can also be hacked, right? Things are forever evolving. The security stack, whether it's EDR, XDR, whatever the buzzword is that we're going to be talking about, things can only mold and mature as fast as threats are happening. And so there's always a mindset, I feel like, on the defense side where we're supposed to be one step ahead of the threat actors, one step ahead of, you know, people doing bad things to our environment, and the reality is we can't. Our goal should be to be able to swim in line with these different types of threat actors so that way we can understand and learn just as fast as they're deploying these new tactics. Otherwise we're going to just be waiting for the next ransomware to hit our business and then we're like "oh yeah, we should probably learn that, we should probably call our vendor and be like why didn't you stop this" and stuff like that. So having that continuous education, having, you know, that continuous investment can go a long, long way. Any other questions? Okay, let's thank our speaker. That was outstanding.
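The metrics reasoning from the talk (mean time to detect, mean time to resolve, and using them to argue for either alert tuning or another body in a seat), worked through as an added example. This is not the speaker's code and is not tied to any particular SIEM or case system: it computes per-rule MTTD, MTTR and false positive rate over a constructed set of tickets and applies the two patterns the talk describes. Assumptions: MTTD is measured from alert firing to analyst pickup, MTTR from pickup to closure, the ticket fields, rule names and thresholds are hypothetical, and the sample tickets are constructed, not real data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Ticket:
    """One alert ticket as exported from a case system (field names are assumed)."""
    rule: str
    fired_at: datetime
    picked_up_at: datetime
    closed_at: datetime
    disposition: str  # "true_positive" | "false_positive" | "benign"


def _ticket(rule, fired, pickup_min, work_min, disposition):
    """Build a ticket from a firing time plus minutes-to-pickup and minutes-of-work."""
    picked = fired + timedelta(minutes=pickup_min)
    return Ticket(rule, fired, picked, picked + timedelta(minutes=work_min), disposition)


_T0 = datetime(2024, 1, 15, 9, 0)

# Constructed sample data, not real tickets: a noisy rule the team closes by reflex,
# a high-fidelity rule that sits in the queue, and a mixed user-reported phishing rule.
SAMPLE_TICKETS = [
    _ticket("dev_tool_execution", _T0, 2, 2, "false_positive"),
    _ticket("dev_tool_execution", _T0 + timedelta(hours=1), 2, 2, "false_positive"),
    _ticket("dev_tool_execution", _T0 + timedelta(hours=2), 2, 2, "false_positive"),
    _ticket("dev_tool_execution", _T0 + timedelta(hours=3), 2, 2, "false_positive"),
    _ticket("credential_dumping", _T0, 90, 60, "true_positive"),
    _ticket("credential_dumping", _T0 + timedelta(days=1), 90, 60, "true_positive"),
    _ticket("credential_dumping", _T0 + timedelta(days=2), 90, 60, "true_positive"),
    _ticket("user_reported_phish", _T0, 10, 30, "true_positive"),
    _ticket("user_reported_phish", _T0 + timedelta(hours=5), 10, 30, "false_positive"),
]


def rule_metrics(tickets):
    """Per-rule MTTD (fire -> pickup) and MTTR (pickup -> close) in minutes, plus FP rate."""
    by_rule = {}
    for t in tickets:
        by_rule.setdefault(t.rule, []).append(t)
    metrics = {}
    for rule, ts in by_rule.items():
        metrics[rule] = {
            "count": len(ts),
            "mttd_min": mean((t.picked_up_at - t.fired_at).total_seconds() for t in ts) / 60,
            "mttr_min": mean((t.closed_at - t.picked_up_at).total_seconds() for t in ts) / 60,
            "fp_rate": sum(t.disposition == "false_positive" for t in ts) / len(ts),
        }
    return metrics


def recommendations(metrics, fp_threshold=0.7, reflex_close_min=5.0,
                    slow_pickup_min=60.0, clean_fp_rate=0.2):
    """Map each rule to an action using the two patterns discussed in the talk.

    - fast pickup, fast close, mostly false positives -> the alert is being
      "close, close, closed"; tune it or audit the playbook.
    - slow pickup on an alert that is rarely a false positive -> the rule is
      fine, the queue is not; that is the staffing/capacity argument.
    Thresholds are assumptions; set them from your own baseline.
    """
    out = {}
    for rule, m in metrics.items():
        if m["fp_rate"] >= fp_threshold and m["mttr_min"] <= reflex_close_min:
            out[rule] = "tune_or_audit"
        elif m["mttd_min"] >= slow_pickup_min and m["fp_rate"] <= clean_fp_rate:
            out[rule] = "capacity"
        else:
            out[rule] = "ok"
    return out


if __name__ == "__main__":
    m = rule_metrics(SAMPLE_TICKETS)
    for rule, action in recommendations(m).items():
        print(f"{rule:22} n={m[rule]['count']} mttd={m[rule]['mttd_min']:.0f}m "
              f"mttr={m[rule]['mttr_min']:.0f}m fp={m[rule]['fp_rate']:.0%} -> {action}")
```

Keeping detect-to-pickup and pickup-to-close as separate numbers is what makes the two arguments distinguishable: a rule that is picked up and closed in two minutes with a 100% false positive rate is a tuning ticket, while a rule that is true positive every time but waits ninety minutes in the queue is a headcount conversation, and a single "time to resolve" figure would hide which one you are looking at.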