Hello world (& a little bit of history)

Jorge O'Higgins
5 min read · Nov 9, 2022

Hello World! After 25 years in security and many hours of talks with my teams, classes at universities, podcasts and conferences, I decided to write my own blog.

Why?

Because I believe in sharing ideas and collaborative work. I like to innovate in security and many of the ideas that I have applied throughout my career have been communicated in small spaces with much less impact than I would have liked. The main goal of this blog is to amplify the reach of these ideas. I hope they will serve as an encouragement and challenge to many.

What am I going to write about?

About two of my main passions: IT security and talent management. Two areas of expertise that are very scarce and difficult to combine. I believe that my experience building security teams and solving problems in complex environments can be useful for many who are starting in this world or who find it difficult to scale to a new version of doing things.

Who am I?

I am curious, restless and passionate. I am a Computer Engineer and a specialist in love with computer security (Cybersecurity is more glamorous today :). I am also passionate about spotting talent, building high-performance teams, challenging them, and creating good work environments.

My experience

As a security specialist I went through several “sides of the counter”:

I implemented security solutions when few were talking about security; I started with commercial solutions, mainly from Network Associates Inc. and Cisco. I implemented, among other solutions, Gauntlet (NAI) and PIX (Cisco) firewalls, PGP, and VPNs with digital certificates (before 2000!), but I always looked for the Open Source side of life, and when I learned something I investigated how it compared with the commercial solutions. That’s how I got to know Theo de Raadt’s OpenBSD (and luckily the mythical Core SDI, since he was promoting it at that time), IPTables and its first steps in the stateful world (and the beloved IPChains!), the first versions of Snort, and the first steps in active response given by SYN reset of suspicious sessions.

I was a pentester for many years, and there I learned that everything can fail and that there is a process behind it that should guarantee that this does not happen. It was a stage not only of a lot of adrenaline but also one in which I began to ask myself: what was happening on the other side? What process failed or was missing? From that stage my conclusion was that every attacker must think like a defender and every defender must think like an attacker. I called it the Yin and Yang of security.

The Yin and Yang of security

From the pentester stage came my CISSP certification in 2005. I know! This certification has little to do with being a pentester, but at that time many of the clients in Latam were very immature in terms of security, and that included the way they evaluated their security providers. Even more so for penetration testing services! It was almost black magic. But strictly speaking, CISSP really contributed a lot to me and helped to complement the vision of processes that I had begun to build as a pentester in an ad hoc manner.

Also, as a consultant and security enthusiast, I developed event monitoring solutions for firewalls, implemented the first versions of Snort and “played” with honeypots like the classic HoneyD by Niels Provos (for those with a memory). There I began to look for patterns in the attackers, to try to understand how they behave when they achieve an intrusion, and also to achieve efficiency in that analysis. In short, I started looking for patterns rather than pattern matching of knowledge.

Then I had a stage of performing forensics with a focus on detecting insider fraud rather than sophisticated attackers. However, from that step I understood that computers “talk” about the behavior of their users, much more than their users imagine. My work was based on commercial solutions such as EnCase, but once again my head was looking for solutions in the Open Source world, and there I came across dd, The Sleuth Kit (+Autopsy), Helix, Foremost, among others. I also had to scan my own bastion host at home because it happened to be hacked. And while I didn’t really like that happening, it not only helped me to investigate LKM-based rootkits (which were just beginning to proliferate) but also to learn a golden lesson: no one is infallible. We must prepare for the worst even if we hope for the best. Thank you, hacker friend, you are “in the wild!” You gave me a great lesson!

I finally started my stage of managing (mainly) defensive teams in different organizations. My first lesson was that security is important, but more important is that the company operates. Sophisticated attacks that come out as breaking news are very interesting, but it is better to have a pragmatic approach that guarantees that the effort is well focused on protecting valuable resources. But the key learning for my professional development was understanding that security is a cultural issue and that the solutions that are built must consider culture as a critical success factor. Understanding the culture is important in order not to be abruptly disruptive, so that the excess of enthusiasm to build does not play against us; but neither should it limit us from being disruptive when we should be. It is simply advisable to be strategic in building the security culture of organizations so that disruption is understood as innovation and not as something untimely and out of context.

What to expect from this blog?

As I said, my idea is to be able to help others. I don’t intend this to be a technical blog (perhaps because I’m rusty), but I will touch on technical issues and there will be links to specialist blogs.

To some I hope I can provide ideas to manage security in their organizations; to others I hope the ideas will help them to manage high-performance teams in an environment where attracting, nurturing and retaining talent is a challenge per se.

Those who are interested in security aspects will find ideas to manage their security at scale, to think about resilience strategies, to optimize resources and respond automatically, etc.

For those who are interested in talent management, you will find ideas on how to find talent in a market where it is scarce, how to relate to teams horizontally and lose the fear of “not knowing”, how to admire your collaborators, how to challenge them and be challenged, how to develop in your career and not be afraid of “losing technical skills” or “dealing with people problems”. And if you are interested in both topics, you are one of mine and I will appreciate any feedback on what you read.

EOF

Keep hacking!


I'm Jorge O'Higgins. I have two passions: Infosec and leadership. I will mainly talk about them. More about me? https://www.linkedin.com/in/jorgeohiggins/