
The State-Of-The-Art SOC

Chris Crowley is a US-based veteran cyber security expert specialising in security operations centers (SOCs). He works as an independent consultant through his company Montance, runs his own SOC-Class, and is a SANS Institute senior instructor. He discusses how he carved his path in cybersec and shares some insights into what makes a state-of-the-art SOC.



How did you get started in cyber security? 

It’s kind of interesting. I started working in technology when I was 15 years old, back in 1988. That was my first job where I actually went into an office, as until then I had done a bunch of stuff off of my computer, independently, like doing mail merges for one of my mom’s friends in order to send out letters advertising her business.

They hired me to basically come in and do reel-to-reel backups. Literally, they needed somebody to put the tapes on and spin them up and get going. So that’s the kind of stuff that I started doing in technology.

I actually graduated in molecular biology because I thought I would go into medicine and scientific research. After I did basically a full undergraduate degree, I decided I didn’t really want to do that for work anymore. I had worked in labs, etc., but I didn’t want to do that for the rest of my life.

I had always worked with computers. So it was sort of an easy switch for me to do another undergraduate in computer information systems in order to have the credentials. So I did that, and I started working in IT operations.

In the 2000 time frame, there wasn’t a lot of cybersecurity focus. And then things started going wrong. I was working at Tulane University at the time. And the FBI showed up and they were like, “You have to take all these computers offline.” We had problems with spam when, literally, prior to that, there wasn’t really a problem with spam on email. I’ve dealt with compromised computer systems. I’ve had to deal with Blaster and Nachi, SQL Slammer, so all these early worms that we weren’t ready for and that destroyed networks.

So, that’s kind of how I got started on cyber. I was the IT operations person, and we had cyber problems. And it was a huge struggle initially because there wasn’t a lot of information. Now you can go Google cyber security but, in 2000-2003, you went like, “What on Earth is going on?” You know, you’d just have to try to figure it out.

And how did you eventually become the independent cyber security expert that you are today?

So, a major change happened for me personally in 2005. In 2005, Hurricane Katrina hit New Orleans. I was living in New Orleans at the time. My house flooded. Tulane University was dramatically impacted, so I went through this big disaster recovery experience.

And I had been doing a bunch of cyber stuff at that point, and I knew that that was the direction that I was going. I moved to Washington DC, and that kind of changed things. I started working at U.S. government agencies and working in cyber programs. Also around the same time I started teaching for SANS Institute.

At this point, I was like, “OK, if I want to continue along this path, it would probably be better for me to exit employment.” And this was not really something that I had planned to do. I had not planned to go into business, to go out on my own, but that’s what ended up happening. Mostly because I couldn’t balance the full-time job plus the training stuff and the opportunities that I had for some other things.

I kind of joke about it, but I had three part-time jobs that were about 50% of what a normal workday would be. I didn’t know how to do it and I ended up like this for the first three years. Just feeling completely overwhelmed and hustling and doing all the things that were necessary. And I wasn’t even really chasing customers. It’s just that I had like 3 contracts that I was working on.

Since then, I’ve continued to do that and I think I’ve gotten better. I still work about 60-70 hours a week, but it’s just kind of spread out and it’s a little bit more comfortable for me.

That’s my career in a nutshell. I have my company Montance that I do consulting through, I have my SOC class in which I do training for security operations, and I still teach through SANS Institute. I have the opportunity to do a lot of things.

What are you working on these days?

Right now, I’m working with a managed security services provider out of the Middle East. I’m also working with two large financial services companies doing maturity assessments or tabletops for their capabilities. It’s really interesting for me, and it has become phenomenal. Of course, it continues to be a little bit uncertain, always wondering where the next gig is.

You mentioned juggling all these part-time gigs as you exited permanent employment. What key learnings about yourself and the way you work have you gotten out of your transition into independent work?

I want to say yes to everything. I really do. People ask for help or want me to do engagements and so on, and I want to say yes all the time. And the problem is that I can’t do that. I have to pick which things I will actually engage in that will allow me to do a good job.

I’m the sort of person who wants to do all the different things. I’m not a specialist, I’m very much of a generalist. So, in addition to saying yes to everything, it has been hard for me to allow delegation to other people. It’s strange because, when I work in teams where I’m the team lead, I tend to be really good at delegating. But when it comes to my own work, when it’s more of a reflection on me, it’s harder for me to delegate.

So those have been the specific things that I’ve adjusted in my approach.

Where do you draw the line between a junior cyber security professional and a senior one?

That’s a great question. I like the terminology of junior/senior much better than the tier 1, tier 2, tier 3 kind of stuff.

A senior-level person is able to make an informed, coherent decision, weighing all of the appropriate information that might be available. A senior-level person should know that they need to get more business context. They need to be aware of other people in the organisation who might be affected by a cyber-based decision and get their buy-in or get them to weigh in.

I don’t think that I can expect a junior-level person to have the appropriate level of awareness, skills and social interaction and acumen on all the details to be able to come up with that same complicated synthesis and then provide a defendable opinion. I mean, junior-level staff will try to do something like that, but they simply lack the experience and the capability and the technical acumen to come up with the best opinion.

What makes a state-of-the-art SOC?

Anytime I start talking about security operations centers, I fall back on five things.

We’ve got inputs, people, procedures to work through, technology to work with, and then there are outputs, the sort of things that come out of the SOC that are work products.

From an input perspective, if you had to focus on one thing to have a state-of-the-art SOC, that would be the ability to absorb a tremendous amount of data at speed and have that be something that is constantly changing the instrumentation across every different type of system. Effective ingestion is a hallmark of the state-of-the-art SOC.

In older SOCs, what you would get was “Well, we need to write the connector for that, and we need to hire professional services to do that, and I can’t take the data in from that system.” State-of-the-art is “Give us the data, we’ll figure it out, and we’ll consistently be able to absorb it.” 


Also, you need to have a way to absorb historically, so even after things have happened. If you can go back in time for absorption, and this is relevant both to threat intelligence as well as to logging or other artifacts, then everything gets synthesized into the picture of what you’re doing.

For the people, the human aspect, you need people with skills and capabilities. The modern SOC is a learning SOC. The modern SOC is not a helpdesk. I don’t want to disparage the help desk, but the idea of a help desk is basically: we tend to have a given set of things that are within our scope; here’s what we do, here’s what we work on. If you’re part of this or meet the criteria, we run it through things and we assign it to the right people.

The state-of-the-art SOC handles uncertainty on behalf of the organisation. It handles the unprecedented. I can’t write a routine for something that we haven’t anticipated. We can say we’ll handle it. But then we’re going to figure out on the fly what to do. We’ll deal with it, and we will do it with a degree of grace. It’s not going to be highly polished the first time through. But it’s also not going to come crashing down with people quitting in the midst of it. Because that happens sometimes.

From a procedural aspect, a state-of-the-art SOC has a flexible deployment of its staff.

We have the ability to do a lot of things quickly and efficiently, but we also have adaptability, thinking and business relevance.

In terms of technology, I’ll name a couple of technologies, but I don’t want to limit it to these. As an example, if you don’t have a SOAR and you aren’t implementing SOAR, you are behind the curve. Right now, that is a technology that a lot of people are embracing. And, if you don’t have a SOAR technology, but you’ve written all of your own custom PowerShell or Python or whatever in order to do stuff, I still think that counts for SOAR. But that notion of effective automation is really important for current state-of-the-art capability.

I gave a talk at RSA earlier this year where I went through and listed out my technology taxonomy. It is basically every single thing that I could think of that a state-of-the-art SOC needs. You can find it in PDF here.

Finally, the fifth thing that makes a state-of-the-art SOC is the artifacts that come out of it. The modern SOC is more about portals, automatic notifications directly notifying the constituents as well as the affected system owners and responsible parties with minimal human interaction.

The SOC analyst is interacting with some form of a system that’s collecting that information, and the system is notifying people rather than the analyst copy-pasting everything into a Word document, printing it to a PDF, and sending that out. I have no problem with collecting reporting into a document, but we already have that data in our various systems. Why aren’t we just programming them to do what computers do well? You know, hit the bits that need to be hit and distribute that information appropriately so that it’s much more portal-driven and constituent-focused than “Here. Encrypt this report.” It’s hard to get there, but I think that that’s a hallmark of the current state of the art.
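Two of the hallmarks described in this answer, flexible ingestion ("give us the data, we'll figure it out", including records that arrive late) and automatic notification of the responsible party rather than a hand-assembled report, sketched as a small SOAR-style routine. This is an added example, not code from Chris Crowley, Montance or SOC-Class; the two alert schemas, the asset inventory and the owner addresses are constructed sample data.

```python
"""Minimal SOAR-style routine (added example): normalize alerts from two
differently shaped sources, order them by event time so replayed historical
records land where they belong, and route each one to the system owner."""
import json
from datetime import datetime

# Constructed asset inventory: host -> responsible party (hypothetical values).
ASSET_OWNERS = {"web-01": "web-team@example.org", "db-02": "dba@example.org"}
TRIAGE_QUEUE = "soc-triage@example.org"  # fallback for assets nobody owns

# Constructed sample input: an EDR feed and a SIEM feed with different field
# names, plus one older record that arrives after the live ones (backfill).
SAMPLE_EVENTS = [
    '{"src":"edr","host":"web-01","sev":"high","msg":"suspicious child process","ts":"2024-05-01T10:00:00Z"}',
    '{"source":"siem","hostname":"db-02","severity":3,"rule":"brute force","@timestamp":"2024-05-01T10:05:00Z"}',
    '{"src":"edr","host":"unknown-9","sev":"low","msg":"test","ts":"2024-04-30T09:00:00Z"}',
]
SEVERITY_WORDS = {"low": 1, "medium": 2, "high": 3}


def normalize(raw):
    """Map either schema onto one internal record; extra keys are ignored
    rather than rejected, so a new source does not need its own connector."""
    e = json.loads(raw)
    sev = e.get("sev", e.get("severity", 0))
    severity = SEVERITY_WORDS.get(sev.lower(), 0) if isinstance(sev, str) else int(sev)
    ts = e.get("ts") or e.get("@timestamp")
    return {
        "host": e.get("host") or e.get("hostname"),
        "severity": severity,
        "summary": e.get("msg") or e.get("rule") or "unspecified",
        "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
    }


def route(events, min_severity=2):
    """Return {owner: [notification lines]} in event-time order. Alerts on
    hosts missing from the inventory go to the analyst queue, not nowhere."""
    notices = {}
    for rec in sorted((normalize(r) for r in events), key=lambda r: r["time"]):
        if rec["severity"] < min_severity:
            continue
        owner = ASSET_OWNERS.get(rec["host"], TRIAGE_QUEUE)
        line = f"{rec['time'].isoformat()} {rec['host']}: {rec['summary']}"
        notices.setdefault(owner, []).append(line)
    return notices


if __name__ == "__main__":
    for owner, lines in route(SAMPLE_EVENTS).items():
        print(owner, lines)
```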




For more cyber security and SOC-related tips, make sure to follow Chris on Twitter and LinkedIn or through Montance.

Join his SOC-Class for a deeper dive into security operations centers. August and November sessions are now available.