In 1974, the great Muhammad Ali said of his opponent, George Foreman, “His hands can’t hit what his eyes can’t see.” The same principle rings true in the cybersecurity world: we can’t stop an attack until we know it is happening. That is why SIEM experts, like ProCircular’s Josh Resch, dedicate themselves to monitoring our clients’ networks for suspicious activity. Although each SIEM product works a little differently, they are all designed to help identify and track early signs of malicious activity on your network. A well-maintained SIEM can drastically reduce recovery time from a security incident by showing exactly where the attacker has been.
Josh works from northeastern Ohio as ProCircular’s Defensive Security (Blue Team) manager. As a self-defined “tinkerer,” Josh found computer science to be rewarding from an early age. He applied that curiosity to a career in radio communications for the US Army. Primarily interested in access security and forensic investigation, he found a home in the cybersecurity field.
It was exciting to sit down with Josh before he takes paternity leave to support his wife and first-born son. We talked about today’s cybersecurity trends, as well as the features and limitations of SIEM.
As one of the more recent additions to the ProCircular team, what aspects of the company have struck you as unusual?
I came from a larger service provider who does a little of everything. I like that ProCircular is security-minded and security-focused.
How did you become interested in Defensive Security?
Around the age of fourteen, my grandfather gave me an old computer. The first time you figure out how to install an operating system on a computer, or you can take it apart and put it back together because you know where things go, it’s pretty rewarding. That’s how I started out. I used to watch CSI with my step-mom, and I was always fascinated by the episodes that had anything to do with computer forensics. I was on the edge of my seat, trying to figure out what they were doing and how!
How did you start a career in cybersecurity?
I decided I wanted to join the military when I was twelve. Just like my grandfathers on both sides, and my great-grandfather, and his father, and so on, I considered it a family tradition. I left for the military about two weeks after I graduated high school. My official title was Radio Operator-Maintainer. I went to Airborne School and got assigned to 10th Special Forces Group! We worked with satellites, servers, all communications, and most of the information was “secret” or higher. I saw the different levels of security for “unclassified,” “secret,” and “top secret” data in those systems. Occasionally, people would make mistakes and swap something by accident. Our command would get a call within 24 hours to say that someone had plugged a secret hard drive into an unclassified network. I was interested in how they were able to find that out so quickly.
After I got out of the service, I wanted to focus on small-team, family-like environments. I pursued an associate’s degree in Fire Science and volunteered as a firefighter/EMT for a couple of years. Eventually, I missed being around technology and gadgets. I realized that my younger dream of working in the security realm was still alive. So I went back to school for Network Operations and Security and started working as a network operations center specialist. Within six months, they converted our NOC to a SOC, and my title changed from NOC Specialist to SOC Specialist. Another six months later, I was promoted to a manager, and it took off from there!
Explain your role as ProCircular’s Blue-Team manager.
I do a little of everything. I’ll do some of the eyes-on-glass, tier one, or tier two. My tier one and tier two guys have me consult and double-check things. The management side is just making sure that the processes and escalation procedures are in place and that they are followed by the tier one and tier two guys. My job is to make sure that my team has the expertise to keep our clients monitored and protected.
What are some recent trends you have noticed in cybersecurity?
There is more awareness. Organizations are taking security a little more seriously and getting a little more educated. I attribute that to the big uptick in ransomware attacks. A lot more companies are getting hit, and more regulations are controlling it. However, as much as we try to educate and secure things, our adversaries are doing the same thing. We try to keep up-to-date and watch the trends to stay ahead of things. As a blue-team member, we don’t have time to sit around and test out the different exploits. The bad guys could be sitting around for two or three years, just messing around, and stumble upon a way to break into something. It only takes one little character in a URL, and they have full control over somebody’s network!
Is SIEM the best defense against ransomware?
I wouldn’t say “defense.” “Defense in depth” is what is going to protect you. Hardening your systems, keeping unnecessary ports closed, and following the standard hardening recommendations for your network and systems are all going to help. Maintaining vulnerability and patch management programs will also help. These are all proactive steps. I wouldn’t say that SIEM is so much of a proactive tool. SIEM just compiles all the traffic and logs it sees on your network devices, systems, cloud applications, wherever it may be. It correlates everything and generates an alarm when it detects unusual activity.
In an example of ransomware, we could see that a user logged into their email account from an IP address overseas. We see multiple connections made to other malicious IP addresses. We see that internal inbound scans are running, or a file with known malicious behavior was pulled into the network. The SIEM collects and compiles these logs from several tools as these steps unfold. The visibility won’t defend, but it will help us detect and react faster.
Don’t machines and applications have built-in logging? Why use a SIEM?
Yes and no. Adversaries will often try to go in and cover their tracks by deleting the logs. By having a SIEM, you are taking those logs and storing them in a second location. If you needed to perform incident response or forensic investigation, those logs would be available somewhere. We could go back and find out if data was downloaded and off-loaded somewhere, even if those logs were cleared. Without a SIEM, it would be basically impossible to know what was accessed. SIEM also keeps your data consistent. Different tools use different logging, but the SIEM pulls that information together and puts it in a consistent format.
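The correlation Josh describes in the ransomware answer above, together with the log normalisation he mentions here, as a small worked example added to this post (it is not code from the interview or from ProCircular’s SIEM): three constructed log sources in three different formats are parsed into one event shape, and a rule raises a single alarm when a successful login from outside the home network is followed within 15 minutes by that user’s workstation contacting a known-bad address or scanning internal hosts. The GeoIP lookup, threat-intel list, user-to-workstation mapping, and every address and log line are constructed placeholders (TEST-NET ranges), not real data.

```python
"""Toy SIEM pipeline: normalise three differently formatted log sources into
one event schema, then correlate them into a single alarm that records the
chain of activity. Added example; every IP, user, host and log format here is
constructed (TEST-NET addresses), not real data or a real product's logic."""
import json
import re
from datetime import datetime, timedelta

# Constructed lookups standing in for threat intel, GeoIP and an asset inventory.
KNOWN_BAD_IPS = {"203.0.113.7", "203.0.113.9"}
GEOIP = {"198.51.100.23": "XX"}          # "XX": a constructed overseas country code
USER_HOST = {"jdoe": "10.1.4.20", "asmith": "10.1.4.21"}

# Constructed log lines, one format per source: mail server (syslog-style text),
# firewall (key=value pairs) and network sensor (JSON). Last line is benign noise.
RAW_LOGS = [
    "2024-05-01T09:00:05Z mail01 auth: user=jdoe result=success src=198.51.100.23",
    "ts=2024-05-01T09:02:11Z dev=fw01 action=allow src=10.1.4.20 dst=203.0.113.7 dport=443",
    "ts=2024-05-01T09:02:40Z dev=fw01 action=allow src=10.1.4.20 dst=203.0.113.9 dport=8443",
    '{"time":"2024-05-01T09:05:00Z","sensor":"ids01","type":"portscan",'
    '"src":"10.1.4.20","ports":[22,135,139,445,3389]}',
    "2024-05-01T09:10:00Z mail01 auth: user=asmith result=success src=10.1.4.21",
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def ip_country(ip):
    """10.0.0.0/8 is treated as on-premises; anything else goes to the GeoIP stub."""
    if ip.startswith("10."):
        return "HOME"
    return GEOIP.get(ip, "UNKNOWN")


# --- Normalisation: each parser emits the same dict shape ---------------------
def parse_mail(line):
    m = re.match(r"(\S+) (\S+) auth: user=(\S+) result=(\S+) src=(\S+)$", line)
    if not m:
        return None
    ts, host, user, result, src = m.groups()
    return {"ts": parse_ts(ts), "source": host, "kind": "login",
            "user": user, "result": result, "src": src}


def parse_firewall(line):
    kv = dict(part.split("=", 1) for part in line.split())
    return {"ts": parse_ts(kv["ts"]), "source": kv["dev"], "kind": "connection",
            "src": kv["src"], "dst": kv["dst"], "dport": int(kv["dport"])}


def parse_sensor(line):
    d = json.loads(line)
    return {"ts": parse_ts(d["time"]), "source": d["sensor"], "kind": d["type"],
            "src": d["src"], "ports": d["ports"]}


def normalise(line):
    """Route a raw line to its parser by its leading shape; unparseable lines are dropped."""
    if line.startswith("{"):
        return parse_sensor(line)
    if line.startswith("ts="):
        return parse_firewall(line)
    return parse_mail(line)


# --- Correlation: foreign login, then bad-IP contact and/or a scan from that user's host
def correlate(events, window=timedelta(minutes=15)):
    alarms = []
    for login in events:
        if login["kind"] != "login" or login["result"] != "success":
            continue
        if ip_country(login["src"]) == "HOME":
            continue
        host = USER_HOST.get(login["user"])
        if host is None:
            continue
        later = [e for e in events
                 if e.get("src") == host and login["ts"] <= e["ts"] <= login["ts"] + window]
        stages = ["foreign_login"]
        if any(e["kind"] == "connection" and e["dst"] in KNOWN_BAD_IPS for e in later):
            stages.append("malicious_ip_contact")
        if any(e["kind"] == "portscan" for e in later):
            stages.append("internal_scan")
        if len(stages) >= 2:  # a lone foreign login is a lower-priority event, not this alarm
            evidence = [login] + later
            alarms.append({"user": login["user"], "host": host, "stages": stages,
                           "sources": sorted({e["source"] for e in evidence}),
                           "first_seen": login["ts"],
                           "last_seen": max(e["ts"] for e in evidence)})
    return alarms


def run(raw_lines=RAW_LOGS):
    """Normalise, order by time, and correlate; returns the list of alarms."""
    events = [e for e in (normalise(line) for line in raw_lines) if e is not None]
    return correlate(sorted(events, key=lambda e: e["ts"]))


if __name__ == "__main__":
    for alarm in run():
        print(alarm)
```

The alarm carries the list of sources whose logs contributed (mail server, firewall, sensor), which is the “second location” point from the answer above: even if the workstation’s own logs were wiped, the copies held centrally still reconstruct the sequence.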
Finally, what is one piece of advice for anyone up at night, concerned about ransomware or security incidents?
Seek out advice! In many situations, companies know that they need to do more for their security. However, their needs are often overwhelming, and they don’t even know where to start. Seek out advice from security professionals that can help point you in the right direction.
SIEM Engineers have the eyes-on-glass that watch over your network. They look out for suspicious activity and use logs to investigate attacks. To learn more about ProCircular’s managed SIEM, click here or visit our Contact page!