Welcome to the Blue Team Village. Our next talk is Blue Team Guide for Fresh Eyes. Christine will be our speaker. Christine has leveraged her development background. She builds tools for automated security for cloud environments as a security and tools engineer. She's relatively new to the industry. So she provides a fresh pair of eyes and with her colossal appetite to learn and execute, she's rapidly conquering the world. Let's give a big hand for Christine.

All right. So I guess I'm one of the last two things standing in between you and happy hour. But thank you for coming to my talk. Blue Team Guide for Fresh Eyes. So like my, what's your name? What's your name? Like my friend, long time friend Owen has said, I am new to the blue teaming world and new to industry in general. So I hope that you find it relevant because if you're new, you will probably feel or encounter some of the challenges that I have faced and still continue to face. And if you are a manager or a director, then this would hopefully get you to understand what the new guys on your team are feeling and what their mindsets are like.

All right. So this is me. I'm a security engineer. If you want to follow me on Twitter, please do.

Okay. So keeping the agenda simple, simple. I'm going to go over the challenges that I have faced. Some of the gotchas, limitations, how to tackle the challenges because what good is it if you're only acknowledging what the problem is but not trying to address them or fix them. And then while doing all of these things, the mindset that you want to have.

Okay. So jump in right in. Early career challenges. If you are new to the defensive role or you're fresh out of school, you're going to face some of these things that I have faced. You'll have a minimal amount of security knowledge. You'll have little industry exposure. So understanding how the business works and how to communicate to the business. And a lack of experience overall.
All of this is new and it's not intuitive. For someone who is senior or staff or principal, they have been in the field for a while. And so all of this is second nature. But for someone who is new, it's hard.

And then specifically as a security engineer or an analyst, there are other things that you want to keep or be on the lookout for. Like unless it's the organization that you're at is a startup or they're building something from the ground up. The chances are that there will be technical debt. So understanding how things work and then understanding how things were built in the past is really critical to continuing your role and your career within that organization. Then you also find that even though there might be corporate policies or standards to be followed, the best practices might be saved for later. It's always, all right, we have this new feature, let's deploy. And people will forget to encrypt things at rest or make sure their passwords are not left in plain text. Then on top of all of that, there will be meetings, there will be incidents, there will be priorities that compete for your attention. And as someone who is still trying to play catch up and do their everyday tasks, it's a lot to juggle. But it's okay. It's going to be okay.

But if you're like me, you'll find that coffee is really helpful until you learn to depend on it a bit too much. So you might get a bit of a startling look from others when you tell them you have a coffee addiction. So approach it. Try to avoid that.

So tackling the challenges. You want to assess what your role is, right? Where are you not as strong when it comes to like being a security analyst or an engineer? What are your weak points, right? Assess that and then develop a baseline. You want to stay current with technology trends. It's good to understand where we were 20 years ago and five years ago.
But you also want to make sure that you're continuing to drive your knowledge base and your career by staying up to date with the direction that technology is going in. On top of all of that, you want to plan and you want to execute. You want to drive it home.

So elaborating some more on those things. Planning. Right? It's one thing to know these are the things I need to do but you want to have a game plan. It doesn't need to be super detailed. The success doesn't happen overnight. Tomorrow you're not going to suddenly wake up and you're going to be that senior guy on the team. It could happen but there are steps along the way. So take the time to plan for those milestones. To plan for the things that you need to do to ensure your success. But like I mentioned earlier, there are priorities that compete for your attention. So plan for failure because not everything is going to go the way you want and if you don't plan for the disappointments, it's going to hurt in the end. I would know. But keep in mind that you want to be the best or the best individual contributor that you can be and it starts with being able to deliver what you're promising, what your current task is at the time. So plan and focus on what you have to tackle today and then add in the steps that you need to take tomorrow and next week.

So as you're planning, keep these things in mind. You want to assess your weaknesses and your pain points and it's not an elaborate or it's not something that I can spell out for you because every shop is different and everyone's roles are different. You could be a SOC analyst and you could be working with your SIEM and only your SIEM, you could be a security engineer building tools for detection or you could be a hybrid and everything in between. So you need to figure out what your role is and what is expected of you in order to successfully come up with a plan and then execute upon it.
So after you know or you figure out what you're supposed to do, figure out what weaknesses you have, where do you fall short of being successful or the subject matter and those things. So if you're working with Splunk and you don't know the Splunk query language and that is something to get familiar with and if you're working with other business units in your team and you're doing security reviews, you're trying to explain encryption keys to them but you don't know what RSA is, then definitely brush up on that and get familiar with the skills or not the skills, the tools that you work with day in and day out.

I don't know how many times I had to learn this lesson the hard way but it's not enough to just read the description of the tool or the service. It's going into the documentation and it's really doing your homework, right? Reading what the API does and what are the limitations and what are the gotchas. So an example would be S3 buckets in Amazon, right? You put things in there and yeah, don't make it public but what about other people in the accounts that can reach into it? What if the bucket contains really sensitive data that should only be viewed by a select number of people on your team? Well, it's not enough to just read about S3 buckets. Okay, they store data and it should be made private. You need to understand like the bucket policies and how to write those things. So really do your homework. Oh and the pictures are coffee because I like coffee.

Okay, then once you have the foundation laid out for you, really build upon it because I'm someone who doesn't like to take the bare minimum and just keep at it like and stay stagnant. Okay, I don't like to settle for good enough so being up here I wouldn't recommend settling for good enough to anyone. You want to build upon what you have. Go outside of your comfort zone. So some of the things that you can do to expand upon your knowledge base would be considering your solution.
Like what do you have in place right now? Does it work? Okay, but can it be better? Can it be cleaner, faster or more robust, right? Eventually your infrastructure will scale. If you have a solution that's trying to detect anomalies in accounts or you're just trying to monitor accounts, what happens when you have a thousand accounts versus a hundred? So thinking about those things and learning, trying to make your solutions better will definitely grow you as a security professional. I know it sounds easy to say, but it's hard to do because you have time constraints and you have deadlines. So it's not always possible to make a solution better. But in the times that I have taken the extra step to make something better, I've ended up learning a new skill or a new tool and it ended up being helpful for some other task along the way. So just because your current task is to spin up your Splunk cluster, it doesn't mean that you can't write an add-on for collecting your logs or filtering your logs. And maybe that will be helpful for when you need to build it or build something else, like build a new tool because then you would have that automation or development background. So build upon what you have, try to make current solutions better and if you have things that are done manually, try to automate them. The automation and development really is helpful because you don't want to keep on configuring the same hosts like 50 times. If you need to tear down your infrastructure and spin it back up, you don't want to do all of this by hand. And on top of doing this, you're saving time and developing a new skill. So it's not a waste of time. It'll come back for the better.

Okay. So you know what you need to do. You know what your weaknesses are and how to build upon them and now you're adding more going outside of your comfort zone. So how do you make sure that your career continues to grow and in a positive direction? Well, staying up to date with technology trends, right?
What are the new toys out there? Whether it be security solutions or new vendors' products, it's nice to know what they are and what's being offered in the security space. Understanding why is there appeal and then going in there, tying this back to doing your homework, understanding the limitations and concerns. Because you will have to evaluate your environment over time as your business grows or scales and you want to bring or relieve your current security tools, right? So if you understand what you need to use for your environment, this will help you assess what you need to have. Then on top of that, you're a defender. You're a blue teamer. So your job is to protect and it's hard to do that when you're caught off guard. So things like Kubernetes or Docker, even if your team isn't using them, your engineering teams probably are. They're trying to spin up clusters and they're trying to make things more containerized and more efficient. If you aren't caught up with the basic mechanics of how these things work and a new CVE comes out, it's going to be hard to advise your teams to either patch or remediate, right? Just in this past year, if you look at MITRE's page, there are about 20 CVEs for Docker and 20 other CVEs for Kubernetes. So staying up to date would help you stay on your toes and you wouldn't be caught off guard and then it will help you assess your environment and security tools as well.

So staying up to date, you're doing your daily tasks and trying to fill in the gaps of your security knowledge, catching up to the senior guys on the team. You want to execute, right? You know what you need to do? You have somewhat of a game plan. Well, run with it. It's better to do something and drive it home than to start a whole bunch of things and finish none of them, right? And with all of your competing responsibilities, you're going to drop the ball, all right? I'm new to security. I'm new to industry. I've dropped the ball a lot. I've missed deadlines.
People weren't happy. But I've learned that it's better to complete and get something done than to leave this security gap there, right? It's better to come up with a playbook and put in place the detection a bit later than desired, but it's better to do it than never.

So you're working in this chaotic environment, doing these things. It's going to be a lot to bounce around. So keep a positive mindset, right? Know that the business is going to keep going and you can't stop it or you can't really change it. So remember that you can't really say no. So instead of, no, you can't do this, it's, let's find a way. And keep the mindset of wanting to learn because you're going to have to learn. This security space or this industry, it's rapidly moving and it's evolving in different ways. So you need to stay caught up and you're always going to have to learn. Then while all of these things are competing for your attention and you're super stressed, you still want to remain calm and be humble.

So elaborating on some of the things that I just mentioned, let's never no, let's find a way. Whether it be doing a security review for an engineering team and they're like, we want to deploy this super vulnerable configuration. You can't tell them no and say you can't push this feature to production. You want to say, let's find a way to deploy this to production in a secure manner. And you can also interpret this in the way of, shit, this is too hard. I don't know how to get this working. You should think of it as, if there's a will, there's a way. You want to grow. You shouldn't stop just because something's hard or there's an obstacle in the way.

And you want to keep learning. Like I said, it's a rapid environment. You want to stay on your toes. I've learned that it's a really relieving feeling to not be like the person put on the spot all the time. And you absorb so much by being the dumbest person in the room. You're going to be surrounded by other subject matters.
So not playing dumb, but remaining one of the people who have the least amount of knowledge for something. It will definitely grow your career and you'll learn a thing or two about the business units and topics that you've never even heard of.

And then remain calm. Everything's on fire. But you just got to keep going with it.

I know I'm speeding through because I'm running out of time. So I'm at the edge. Any questions?

Yes. How do I manage expectations? How does my manager manage expectations? I have no idea what you're saying because I cannot hear you. Yes.

Yes, that's a really good question. The question is, managers have expectations of you. So how do you or I, in this case, manage their expectations of me? And the way that I found to be really effective is to communicate. I like to be the person who volunteers for a lot of things. But if I don't tell my manager what I am capable of or incapable of, they're not going to know. They are not mind readers. So communication would be it. If they know that you're trying your best and there are only so many hours in a day, they're not the best managers if they're going to set you up for failure. As long as you communicate, I can do these things in a certain amount of time. And if there isn't enough time, then these would be the results. So they should take that into account when setting the expectations for you. And there's also the talk of like underperforming. But that's a different story for half after hours.

Anyone else? Does anyone want to dance battle? Okay. Thank you for coming.