Welcome to Defender Spotlight! In this blog series, we interview cybersecurity defenders of all varieties about their experience working in security operations. We inquire about their favorite tools, and ask advice on security topics, trends, and other know-how.
Scott J Roberts is an incident handler, team lead, and developer at GitHub, the world's code collaborative development platform. Scott has worked major investigations involving criminal fraud & abuse and nation state espionage while with Symantec, Mandiant, and others.
He is a sought out speaker having presented on threat intelligence and incident response for SANS, Silicon Valley, and various BSides. Scott is an author of O'Reilly's upcoming Intelligence-Driven Incident Response. He is also a member of the SANS CTI Summit and NYU Poly CSAW advisory boards.
Tell us about yourself, and your history working in security operations.
I’m Scott and I do incident response at GitHub. I’ve been with GitHub for a little over four years. Before GitHub, I had worked at a pretty fun variety of places: SOC operations for a top 3 Managed Security Services Provider, internal intrusion detection and threat intelligence at a major federal agency, internal incident handling at a defense contractor, and threat intel focused research at a small consultancy. It’s been amazing to see such a wide variety of organizations and perspectives.
I’ve also been lucky enough to be involved with some industry groups, speaking and teaching for SANS and writing a book for O’Reilly.
What you are working on these days?
One of my favorite (and least favorite) things about incident handling is you never really know what you’ll work on. You always have a plan, but it’s 50/50 if that plan will go sideways by lunch. In general though, my focus has been on improving our endpoint telemetry using Facebook’s osquery and automating as much of our incident response processes as possible.
Can you tell us about a moment in your career when you were proud to be a defender?
I’m always most proud of times when a team really comes together to solve a problem. Security problems, especially publicly facing ones, pull from a wide variety of folks including security, engineering, legal, public relations, all working together to make our users more secure. Seeing that work well is a pretty amazing thing.
In your opinion, what are the most important elements of implementing a successful security operations center capability? What do companies struggle with the most?
I’d say the toughest thing right now are issues of scope. Security teams are called upon to cover a wide variety of problems, from BYOD to custom internal development to managing and securing third party software as a service.
That range of domains is tough, but so is the range of tasks we’re asked to take on whether they be proactive like application security and risk management to the reactive like incident response and public relations.
What are some of your favorite products, software, or tools that you use on a daily basis? How do they make your job easier?
I use Maltego on a daily basis. The ability to visualize and pivot is amazing, especially after you realize how to build your own transforms. It’s a bit of a hurdle, but it’s worth it. Along those lines, I write a lot of custom tools for data analysis, cyber threat intelligence, and MacOS incident response and forensics. Basically if I have to do it manually three times I need to start automating.
I’ve recently spent a lot of time focused on the built-in Unix tools that I think everyone has forgotten about (or never learned to start). Things like Sed/Awk/Grep are a great start, but combining those with other data munging command line tools like jq, spark, and q are super useful. I also fall back to lnav a lot for getting through big log files.
What are the top 3 things defenders should be worrying about today? What worries you the most personally?
The diversity of what we have to defend is tough. There used to be borders where data did and didn’t go. Now it’s not enough to worry about desktop systems inside your network; you have laptops, tablets, phones (which may or may not be owned/controlled/monitored by your company). Users work from the office, home, coffeeshops, airplanes, everywhere. This makes the defenders job significantly tougher.
Nation State attackers are becoming more and more prolific. Years ago, they stayed targeted at other governments and defense contractors. Now they seem to be everywhere.
Criminals adopting espionage style attack techniques. With a rise in nation state attacks, we’ve seen more research into them and that research is being adapted by a wider variety of attackers.
What advice would you give to someone getting started in security?
Not to be intimidated. The security community can have a lot of bluster and it can be offputting. Getting convinced you can’t really do security unless you know how to be a pentester or read packets in hex or other nonsense. It’s easier than people realize to make an impact.
Take the time to find an aspect you like, work to understand it, and start doing things. Most of us have learned a lot as we’ve been going along (even if we forget that). Beyond that, find a mentor; someone doing what you want to do and reach out to them. I’ve found most people in the industry want to help new people, so reach out and give it a try!
What are some of the best industry events to attend and why?
Personally I love smaller conferences focused on blue team (defender) issues. It’s cool to see someone jackpot an ATM, but the problems I face day to day are much less interesting while being far more impactful.
BSides are a must, I go to those whenever I can. I’ve really enjoyed ArchCon in St Louis as a great defender centric smaller conference. I’m also deeply involved in SANS and love the professionalism they bring to their summits. I’ve been involved with the SANS CTI and DFIR summits the last three and I’m excited to attend SANS Threat Hunting this spring.
With much experience, whether you're new to the field or seasoned, Scott's helpful suggestions are here for all. Follow Scott on Twitter for more valuable insight on cybersecurity defense.
If you enjoyed this interview, you can check out other inspirational thoughts from fellow defenders: