
Cybersecurity Mentors Podcast
In this podcast we discuss mentoring in cybersecurity, information for those that are looking to get into cybersecurity, and tips for those that are looking to advance their careers.
Peeling Back the Network Layers with Doug Burks
In this episode, we talk with Doug Burks, founder and CEO of Security Onion Solutions. He shares his journey from computer enthusiast to cybersecurity company founder and how he's helping defenders catch bad guys through accessible network security monitoring tools. We also discuss how important setting up your home lab is as a crucial learning environment for security professionals at all levels.
- Security Onion Solutions
- Doug Burks – Linkedin
- BSides Augusta
Check out our new merch shop! https://the-cybersecurity-mentors-pod.myspreadshop.com
Could you teach me? First learn stand, then learn fly. Nature rule, Daniel-san, not mine. I know what you're trying to do. I'm trying to free your mind, Neo, but I can only show you the door. You're the one that has to walk through it. What is the most inspiring thing I ever said to you? Don't be an idiot. Changed my life.
John:Welcome to this episode of the Cybersecurity Mentors Podcast. On this episode, we have Doug Burks here with us, and it's great to have him. I've gotten to meet him in person a couple of times at B-Sides Greenville, I think. Most recently he's got the shirt on, which is awesome, and we talk about B-Sides. We talk about B-Sides often, right, if you're looking for communities to be part of. There's B-Sides Augusta, which Doug is definitely part of, yeah, and so it's great to have you here, Doug. If you wouldn't mind, just give a quick intro about who you are.
Doug:Absolutely. Appreciate the invitation, John. So I'm Doug Burks. I'm the founder and CEO of Security Onion Solutions. We are a cybersecurity company that produces a free and open platform called Security Onion, which helps you to peel back the layers of your network and make your adversaries cry. We've been doing that for a long time. And, you know, I just love cybersecurity. I love helping my fellow defenders to be able to get better visibility into their environments and to be able to catch bad guys, and to me, that's really the most thrilling thing, right? How do you catch a bad guy, how do you bring that bad guy to justice, and what are the tools and techniques that we, as defenders, need to do so? So that's what gets me out of bed in the morning.
John:Yeah, me too. Yeah, I think that's one of the things that you know, one of our episodes we're talking about like that's why I got into this right is to stop and protect our organizations. But I get, you know, I get motivated when it's actually time to go toe to toe with adversaries. I'm like, okay, this is what we're here for, right, we're here, we're here with this, what we're paid for, hopefully to prevent, ideally to prevent.
Doug:But sometimes, you know, they're in and you've got to go kick them out. I think there was a moment in your last episode where you were talking about how it's been a while since you had encountered a bad guy, like you were ready to beat somebody up. That's how excited I am, like, let's go to war, man. Let's kick these bad guys out.
John:Yeah, absolutely, and you know they're doing bad things right and they're trying to cause us havoc. It's fun to be able to actually to see them stopped for whatever their motivation or goals are right, to stop them in their tracks for things, and that is important too. Like you know, I've talked about this several times, but just being able to deal with that moment of hey, this is actually happening, think through the problem. How do we breathe? Take a minute, because it is stressful. You know, whenever those things happen, it is stressful, especially if you're new and you're not sure what we're supposed to do, and even if you practice these things Right. So that's why we got to. We got to help each other out.
Doug:Yeah, that's exactly right. You know it's. Everybody always goes back to that, that great saying by Mike Tyson, like everybody has a plan until they get punched in the face, Right, and that's that's how we, as defenders, are, you know, we're sitting there monitoring our enterprises and we think we have it all together, but the second that we encounter a real bad guy, that's that's the punch in the face that kind of wakes us up and says okay, are you really prepared for this? And hopefully we are. Hopefully we have the tools and we have the techniques, we have the training, we have the tabletop exercises and we have the muscle memory so that we can, you know, stay cool, calm and collected, uh, when we have that fight or flight, um feeling and, uh, ultimately kick those bad guys out.
John:Yeah, absolutely. Well, let's let's jump in just in general. I think you've been kind of in this world and IT and everything longer than I have you know, so you've been in the mix. So how did IT become a path for you? What did that look like?
Doug:It goes back to the Christmas of, I think it was, 1984. My parents got me my first computer. It was a Commodore 16. Most folks had the Commodore 64, but we couldn't afford it. So I got a Commodore 16. But even though it couldn't run all the cool games that the Commodore 64 could, I taught myself how to program on that little Commodore 16. And you know, as an elementary school kid, you're told by your parents what to do. Your teachers tell you what to do. But when you get your hands on a keyboard and you can tell the computer what to do, that's a very addictive form of power. And I was addicted instantly. And so, you know, I was a computer nerd from a very early age.
Doug:In middle school a family friend said, hey, Doug, you're into computers, right? I said yeah, and he said you need to read this book. I said what is it? He said it's called The Cuckoo's Egg by Cliff Stoll, and lots of folks in our industry have heard of this book. They've read this book. For those who haven't heard of it or read it, it's the true story of Cliff Stoll who, through a 75 cent accounting error, caught a German hacker stealing United States government secrets and selling them to the Russian KGB. And as a middle schooler who did not enjoy reading at all, I stayed up all night long reading this book because I could not put it down. It was just amazing to me. You know, here's this world of computers that I love, but now you're telling me that there's good guys versus bad guys inside the computer, and that's just amazing. And so I loved the story but couldn't really envision that I could actually do that for a living, because there was no cybersecurity industry at the time. The things that Cliff Stoll did throughout the process of that story, he invented out of necessity; a lot of the techniques that we still use today, just because he couldn't go and purchase these tools off the shelf. Um, you know, so it was amazing to read that stuff and, you know, think, like, Cliff Stoll, he's a very cool guy. I just looked up to him, that he was able to catch this bad guy and bring him to justice, and that he had the persistence and the perseverance to track this case and to track this bad guy and to see it through to the end. Um, so fast forward, you know, several years.
Doug:I went to college, I got my computer science degree and I got out and, uh, after graduating I said, okay, what do I want to do now? You know, I had a job in kind of a small IT shop. So I was the network guy and I was the firewall guy and I was the switch and router guy and I was doing email servers and database servers and some application development and web development, all these things. But I was like, what do I really want to do when I grow up? And it was like, I want to be Cliff Stoll, I want to be the guy that catches bad guys. And so I got really, really focused on cybersecurity and specifically defensive security. And so I, you know, made it kind of my mission in life to figure out what is the best way to monitor a network and to identify adversaries and to track adversaries and to ultimately, you know, engage the incident response process and kick those adversaries out. And so, you know, that kind of led me to really a few things, and the thing that everybody's familiar with in our kind of network intrusion detection industry is Snort. You know, that's the old standby from many, many years ago. And that was really the first thing that I got involved in.
Doug:You know, and and really kind of going back a few steps, I had been involved in open source communities since I first learned about Linux in 1997. And that that in and of itself is really like a key turning point for me, because, having grown up with, you know, commercial computers and Microsoft software and commercial software, it was just the thing to do that you pay for software and then I read this article that here's an entire operating system that you can download for free, and that's just mind-blowing. So I was very involved with Linux and open source communities and so when I got involved in cybersecurity, obviously I turned to the open source community to see what kind of open source tools were out there. I found Snort. Later I found Bro, I found all these tools.
Doug:What I kind of learned along the way, after joining these communities and joining their respective mailing lists, was seeing folks constantly struggling with how do I ./configure, make, make install, how do I run through this process of, you know, compiling these pieces of software and getting them to work with all their various dependencies and interdependencies and getting these things working. And so, okay, you spend a week or two trying to get this piece of software to compile and integrate it with other pieces of software, and then, a couple of months down the road, there's a new version of that software tool that is released, and now you have to start all over again because you have to download it and you have to compile it and you have to reconfigure it. And so it just occurred to me that we, as defenders, the vast majority of us, we're spending the vast majority of our time really being more sysadmins and building and compiling software, rather than actually monitoring and defending networks, which is what our real job was. And this was really reinforced for me when I was working an incident. This was somewhere around 2010-ish and I caught this bad guy in my network, at the company that I was working for at the time, and, because we had decent enough telemetry, you know, I could look at the packets and I could see the user agent strings that he was using to connect to our web server, and I could tell, based on that user agent string, that he was using what was back then called BackTrack Linux. Of course, now it's called Kali Linux, and the thought just occurred to me.
Doug:You know the bad guys.
Doug:They've got this pre-compiled tool set, it's ready to go, they just download an ISO image and they don't have to do this compiling and configuring dance that all of us defenders have to do, and that's fundamentally unjust, right?
Doug:They have plenty of advantages, and this is just yet another advantage that they have. And so then it really became my life's mission to kind of rebalance that equation. You know, how do we tip the scales in favor of the defenders and give them a platform that they can use to monitor and defend their networks, without spending hours, days, weeks, sometimes months, just building these tools and getting them to work, so that we can do the real job of monitoring and defending the network. And so, you know, that's kind of where Security Onion came from, this idea that there's got to be a better way, and we as defenders need to kind of take that next step and up our game and really bring the fight to the adversaries that are out there. And so I started the Security Onion project in 2008. I know we've talked about SANS certifications before.
Doug:Part of it was, I had gone through SANS 503 with Mike Poor and it was time to do my SANS Gold research paper, and so starting Security Onion was kind of integrated with my research paper for SANS, and so I started on that in 2008, released the first version in 2009, and I was mentoring SANS 503 at the same time. And so all these things were happening and, you know, over the first few years Security Onion started catching on, really kind of slowly at first, but eventually my hero and role model, Richard Bejtlich, who was very involved in the Sguil and NSM communities for many years, he found Security Onion and he reached out to me and he said, hey, do you mind if I start using this platform in the classes that I teach? And, you know, what else am I going to say but yes, please. And so, you know, we started talking more and eventually he became the chief security officer at Mandiant and he asked me to be his deputy CISO. So how could I say no to that? So I then had this amazing job working for one of the best cybersecurity companies in the world and had a really great time doing that.
Doug:And then this all happened over several years and at the time I was still building Security Onion in my spare time just as a hobby project, and that community was continuing to grow and ultimately, I came to a crossroads where folks were using Security Onion in production, they were catching bad guys with it.
Doug:They were reaching out to me and saying, hey, we need things like training and professional services and hardware appliances, and all these things.
Doug:And so it just made sense to take this kind of leap of faith and start a company to provide those products and services that folks were asking for. So in 2014, that's what I did. I started Security Onion Solutions as the company behind that free and open project, and so last year we celebrated 10 years in business, 15 years as a free and open project. And so, you know, it's been a wild and crazy ride to kind of go from this little kid reading about Cliff Stoll to actually kind of being my own Cliff Stoll and catching bad guys, and then kind of going to the next stage, which is kind of helping others to be able to be Cliff Stoll and catch bad guys in their own environment. So, like I said at the beginning, that's what gets me out of bed in the morning and, um, you know, it's the best job I could possibly imagine.
John:That's great. No, that was very good. There's a lot of little things I wrote down. Man, I, you know, I definitely have got the, um, the war wounds from recompiling and, yeah, make, and doing Snort and Bro. It's like, gosh, it was so terrible. Like, I don't have the right driver.
Doug:You know, just all this mess. It was just such a mess.
John:Which, you know, it was. I wouldn't want to do that every day. It was good. I feel good that I had to do it, just because I did have to figure some things out. Sometimes, even like Bro days, I remember there was a community, and it was a hope and pray, like maybe somebody will answer if I submit this message: hey, I'm getting this error message. I hope somebody will take pity on me and help me with this, because, you know, it's open source, um, and at that time it was only open source, um. And so, just going through that, though, I mean, I've definitely seen that and had to live through having to try to figure out, okay, we've got to work through compiling this thing, getting it, the next version, up to speed.
Doug:Well, and to your point about, you know, communities. You know, as I mentioned before, I've been in open source communities since 1997. And, you know, different communities operate in different fashions. Number one, make sure that the software is easy to use. Number two, make sure that the documentation is there for folks that do have issues. Hopefully they can figure out the issue from the documentation. And if they can't figure it out from the documentation, you know, we've got this welcoming community where we will never say RTFM, we will never say get out of here, noob. You know, we might say here's a section of the documentation which contains an answer to your question, but we wouldn't say RTFM.
John:Yeah, that is such a good point, because I would reread my question, like, okay, I'm about to drop this in the channel or the forum or the whatever. Like, okay, did I go look this up? Let me go make sure I looked up what the documentation says, because I know somebody is going to say, did you read it? RTFM, go read the manual.
Doug:Right, and like, did I read this.
John:Okay, I did, I double checked it. All right, now did I word this correctly before I hit the enter button? Right, because you're right, sometimes you just get snarky responses and people don't have time for you. Sometimes you get silence.
Doug:It's the internet, right yeah?
John:Yeah, sometimes you would get silence and you're like, I've got to figure this out. This is the thing that we need, right? Um, but I would say, the majority of the time, especially once you'd been part of the community and you really kind of figured out how to ask questions better, right, that's something I would say, um, and you did your homework, you know, like, yep, this is what I did. Let me put the list in there. Here's what I did. I tried this and I tried this and I tried this. Um, then you'd usually have great responses and patience with you, because as you're new, you could be kind of frustrating to somebody that just knows this and helped develop it. The patience that they would give you to help you walk through the problem, and you're like, man, thank you so much. Right, well, I think you make a great point about.
Doug:You know the right way to form a question. You know and having run this community for you know so many years now you know when I'm looking at the questions that come across our discussion site, I can pretty immediately tell, just by the way the question is formed, how long this person has been doing this and how much thought and effort they've applied to this particular problem or phrasing this particular question. So that's definitely a skill. You know when we talk about for junior folks that are coming up and trying to learn skills and you know practice skills, I mean that's certainly a very valuable skill to have, which is troubleshooting, the troubleshooting mindset and the scientific method. And you know forming a hypothesis and proving or disproving that hypothesis. And you know really the written documentation, like the written communication actually explaining, like you were talking about.
Doug:Here's what I did step by step. Here are the steps that you can use to duplicate my process or this particular bug, and I mean that's very valuable and that cuts down on a lot of back and forth on those kinds of, you know, community sites. So, you know, for those folks out there that are coming up and, you know, trying to engage in these communities, that's one of the best things you can do, is try to think about how your message is received on the other end and try to anticipate any questions that they might have, and that will help the conversation move along that much faster.
John:Yeah, it's easy. The last thing I'll say on this, this is a good point though, is that it's easy to just want to ask your question and hope that it's going to get answered. Like you just want that quick answer, especially if you're stressed out and you're like, I've just been beating my head against the wall. But, yeah, definitely the more effort, I think a little extra effort, to try to make it easier for someone to help you, for sure.
Doug:Yeah, yeah.
Doug:And you know, the other thing is we've seen a lot of examples over the past few years of open source communities where, um, you know the, the maintainers of that open source tool, you know they're, they're doing the best they can in their spare time, you know it's a hobby project for them, and you, you know they're, they're running the, the open source community, and they're answering questions on a mailing list or a forum site or whatever the case may be, and they're they're doing all this out of the kindness of their hearts.
Doug:And you know, folks are peppering them with questions and problems and complaints and feature requests and all these things. And we've seen several examples of open source maintainers saying, guys, I'm done, like I've reached a point of burnout, like I can't do this anymore because, you know, some communities are just, they can get rather nasty at times, demanding, they can get rather demanding at times. And so you know, I think that's, I think there's lessons learned there for both sides of the table in that equation. You know, for folks that are participants in the community, you know, make sure that you realize that the folks that you're talking to on the other side of the table, those are folks that you know they're volunteering their time and efforts to help you Right.
Doug:And for folks that are, that are on the maintainer side, you know, realize that you know you may be reaching a period of burnout but that doesn't mean that that particular person that wrote you that particular email is, you know, really the source of all your problems. So obviously there's, there's lessons learned, there's ways that we can all work better together as communities, and you know just sort of. I think another thing for maintainers is making sure that you're, you are maintaining a healthy environment in your community. You know, if there are folks that are abusive in your community like you, have to deal with that. You can't let it fester and you have to make sure that the community as a whole is operating in a very, you know, respectful manner.
John:That's a good point, yeah, and I was curious about that, Just kind of taking Security Onion from this project, open source project, to the business as a business. Just you know you don't have to give a full summary, but like, what does that look like? Like, how do you, you know, if somebody was looking like, well, I want to do that one day, right, Would you recommend that? Maybe maybe you wouldn't recommend it, but you know what does that kind of look like if somebody were to want to do that.
Doug:That's a great question and I would say that turning an open source project into a business is not for everybody. I think you have to be a little bit crazy in order to do it. I think for me, my grandfather owned several businesses. My dad owned a business at one point in time. So it was kind of in my blood, like there was always this kind of thought in me that at some point I would probably want to run a business. I never really knew what that was until 10 years ago. But, you know, for folks that might be considering doing something like that, you've really got to go into it with a good business model in mind, because you have to realize that folks are not just going to pay you out of the kindness of their own hearts.
Doug:As much as folks love your software and they love your support and they love what you've done for them over the years, unfortunately, the way of the world is that those folks that love your software and use your software, in most cases they're not the ones that are controlling budgets. They're not the accounting folks, they're not the bean counters, and it's those business folks that have to sign off on spending money for your particular business product or service, whatever that may be. So, you know, it's almost like two totally separate things. Right, you have to have a very successful, free and open tool, but then you also have to have a way to turn that into a product or service that businesses are willing to pay for. And, you know, that's not easy, that's easier said than done, and we're constantly figuring out the best way to kind of meet our customers where they're at and making sure that we are selling products and services that the market actually wants. So that means, you know, listening to your customers, listening to your prospective customers, and, you know, service after the sale, making sure that you're taking care of your customers and doing the right thing by them. So it's definitely this whole really kind of progressive scale of work. Right, so it's.
Doug:I think of it like this. You know, writing software is easy. We'll start there. Writing software for me is easy. If I'm writing software for me as the target customer, that's easy. Sure, okay, that's step one. What's harder is writing software that somebody else is going to use. Okay. So once you make that step up the capability and maturity scale, then you're like, okay, well, it's easy to make software for me as the customer.
Doug:It's easy to make software for somebody else as the customer if it's free software, if they're not having to pay money for it. Right now, then, you have to go to the next step, which is, okay, I'm going to create a product or service that that person wants to use, but they can also convince their boss, their accounting department, the bean counters, to actually pay real money for. We keep on going up that scale. So there's challenges there and there's no clear-cut, easy answer for everything out there. Like, you know, depending on what your tool is, there's different ways to monetize that. There's different ways to build things around that, whether it's a freemium model or whether it's, you know, we do this for free and we charge over here. There's lots of different ways of approaching that, but there's no one answer for everybody.
John:Yeah, no, that is super interesting. Yeah, thank you for that. I think not many people have that experience, right, of having gone from open source to a commercial company. And, yeah, it's easier when it's free. The bugs are features, right. Look, I'm working on this when I can, right. When it becomes a product and you are trying to, you know, get those technical people to also pitch it to their business people, like, hey, this is something we think we need, but then, how much is that? You know, how much do you want to spend? You were using this for free, right? Why can't you just use the free one?
Doug:Right, right, that's the thing. Oh well, and that goes back to those.
John:Yeah, I was gonna say that goes back to those problems. When you're like, I'm beating my head against the wall and I can't do this, I need help. I've got to have somebody I can call, right? That's where it comes into play, when you really can make the good case. But sorry, what were you saying?
Doug:That's kind of how we started off as a company back in 2014, was talking to prospective customers, and the thing that I had always seen in open source communities, going back to 1997 with Linux just as an operating system, the thing where Linux always struggled was when you try to bring it into an organization that didn't have any existing relationship with Linux or free and open source software. You know, management was always like, well, whose throat am I going to choke?
Doug:When this thing breaks and I'm losing money as a business, right? So that was really kind of our first way of, you know, providing some sort of a business option to folks: look, we'll be that throat to choke. You can go to your management, you can say, you know, purchase a support contract, and if it breaks, they'll make sure that it gets fixed. You know, so for us that was a really good way to start the business. Because I had been involved with SANS and I was a SANS community instructor, I started teaching Security Onion classes. That was a great way to bootstrap the company. Folks needed training. Not everybody is capable of delivering training, though, so that's why I said before, there's no clear-cut answer for everybody. Um, so, you know, that's kind of how we started off, and, um, there was another point you brought up, but I'm drawing a blank right now. Um, so go ahead with your next question.
John:No, you know, I was just thinking. I was thinking about, well, Security Onion. I think you kind of alluded to the name a little bit. How did that come up?
Doug:So when I was starting the project in 2008, you know it was, it was like, okay, you have to have a cool name, you have to have a memorable name, and you know.
Doug:So I just started thinking about, you know, okay, the industry right now, at the time in 2008, was focused on intrusion detection, and then there was kind of the network security monitoring piece, and I looked at it as, you know, the traditional IDS alerts that were coming from Snort, that was really just kind of this superficial, very brief glimpse into what was going on. And if I want to do a real investigation, I really need, you know, the other NSM data types that we talk about in the NSM communities, and that's things like full packet capture, and I need transactional data and I need DNS logs and HTTP logs, all these different things. And so, you know, in my mind it was, I'm peeling back the layers, right? There's so many layers here of data that I really need as an incident responder, as a defender, and it just made sense. You know, plus, I like food, so let's make it food related.
Doug:So, onions, you can peel back the layers and make your adversaries cry, and it just kind of fit. You know, it really started off as just kind of a silly joke, but, you know, the joke kind of caught on.
John:So now I can't change it, right? Yeah. You know, I think of Shrek. You know, onions have layers, ogres have layers.
Doug:Well, and that was part of it too, because you know that was about the same time and so that was part of it. Security parfait wasn't really going to roll off the tongue the same way. Yeah, okay.
John:I like it. You mentioned Richard and Sguil. I hadn't heard of Sguil in a long time, and I think of The Tao of Network Security, so, kind of, you know, that sounds like a little bit of a mentorship relationship you guys had. If you don't mind talking about that a little bit, like, how did that work out? And, you know, what are some things that you learned from Richard and that experience?
Doug:Yeah, you know, as I mentioned before, I always saw Richard as my hero and role model. You know, having started my career in cybersecurity, when I first set out on this journey to learn as much as I could about defending networks, I found his blog and read every single blog post he ever wrote, and there's literally thousands of them. You know, he's one of the best writers in our industry and really a historian in our industry. You know, he talks about the entire history, and it's funny because I'm sure he has several blog posts about this, Sguil and network security monitoring.
Doug:Back to Cliff Stoll, who inspired so many of us, um, because apparently Cliff Stoll inspired Todd Heberlein to write the original Network Security Monitor software for the Air Force, which then inspired, um, Bamm Visscher and Richard Bejtlich to develop Sguil, and so it's like this long heritage, this lineage of folks that have been carrying on this tradition. And, um, you know, Richard has been my hero and role model, and, you know, to see somebody that's that brilliant, uh, but can also, you know, write very effectively, can also deliver public speaking very, very effectively.
Doug:You know, just somebody that I clearly wanted to model my career after, and so, you know, when I had the opportunity to go and work for him as deputy CISO at Mandiant, obviously I had to jump at that opportunity. It was a little bit intimidating because, you know, here's one of the best cybersecurity companies in the world and oh, by the way, we're the company that's kind of calling out nation state adversaries, and so when we're doing that, we're kind of painting a target on our own back, and so if I'm the guy who's responsible for monitoring and defending our company against these nation state adversaries, I better have my stuff together.
Speaker 1:Yeah.
Doug:So it was intimidating, not going to lie, but I said, you know what? I'll see this as a challenge and an opportunity to really demonstrate what I've learned and what I've done and what I've seen and accomplished so far. And it was a crazy time, especially when we released the APT1 report. That was the very first public report about a very specific nation state adversary. And just in terms of words of wisdom from Richard, what I learned through that scenario was, at some point he told me, look, Doug, heroics aren't scalable, aren't sustainable. You can work 14 hours a day for a few days, maybe a few weeks, but if you keep on doing this, you're going to burn yourself out, right? So that was something that I definitely learned from him, and I remind myself of it to this day, because now, being the owner of a company, it's very easy for me to work 14 hours a day, if not more. But I have to remind myself of that brilliant piece of wisdom that Richard taught me so many years ago: heroics aren't sustainable. Make sure you're getting time to rest and you're spending time with your family and you're doing all the things and really just taking care of yourself. So that was a very important thing that I learned from him. And really, just things like strategy, because traditionally I'm very much a tactical, boots-on-the-ground kind of a thinker, but he really taught me to think with a much more strategic mindset. And given his tremendous experience, just working with somebody like that, you pick up little nuggets here and there. And sometimes it's not even an intentional something that he says or an intentional something that he does, but it's something that's implied, something that's implicit in the way that that relationship works.
Doug:And I would say that, out of all the bosses I ever had, he was the exact opposite of the micromanagers. Most of the folks that I worked for were micromanagers in the past, not all my bosses, but many of them, and he was the exact opposite. He's the kind of guy that says, okay, I'm going to hire great folks that I'm going to trust to do great work, and I'm going to give them a goal and let them figure out the best way to get to that goal, and I'm not going to micromanage it. And so I try to make sure that I'm doing the same thing for my folks. So those are just a few of the things that I've learned from him over the years, and he's just a great guy.
John:Yeah, no, that is good. I have to be reminded. I don't like micromanagers, I don't want to be a micromanager. I try not to micromanage, I do try. I have a tendency to say, hey, you know, I've tripped up here before, let me help you not trip up here. Sometimes I need to pull that back and say that's okay, right? If they trip up, it's fine, they'll learn from it, right?
Doug:Experience is the best teacher, absolutely. And just like with kids, a child has to touch a stove and realize when they get burned. You know, yep, yep. Experience is the best teacher.
John:Absolutely, absolutely. But no, that is really cool. I've not met him before, but I have followed him and definitely read some of his blogs and his books, and I've definitely seen him as a leader in this as well. Let's pivot a little bit to folks that are looking at this industry and they're interested in cybersecurity. Maybe they have a penchant for network security monitoring, intrusion detection, that kind of path, at least as a focus.
John:And Snort's been around a long time, right? It's still in use, we still use Snort, and it's baked into Security Onion, right, and those skills. And you talked about Mike Poor's class, which I did. I'm glad I was able to take that class. That really put me on the path, for sure. But what kind of advice would you give folks about this and how to dive into it, wade into it? Or, like, with the future, we'll talk about the future a little bit after this, but what advice would you give folks that are like, hey, I think this is what I want to do? What would you recommend if I was that person asking that question? How would I go about it?
Doug:One of the best things that folks can do is to build a home lab, a place where you can just experiment with everything and you can break it, and it's not mission critical, it's not going to affect anybody. But it's one of the best ways to learn. And I'll give an example. Here I am, the founder and CEO of a cybersecurity company, and I've got a home lab, right? I've got several little mini PCs here that are in a Proxmox cluster, and I have lots and lots of different virtual machines running there. And this actually ties into a point you were making earlier that I couldn't remember, but I remember now, and that's that I use my home lab to do testing and quality assurance for our platform. And the point you were making was, when you're just a free and open piece of software, there's no guarantee that software is going to work.
Doug:Back then, when it was just a hobby project, I didn't have that much of a home lab to speak of. We didn't have automated tests. We had a little bit of manual testing when we would do a release, but it was really just me doing a quick installation. But that's one of those things that over time, as a company, we built up: all these automated tests and all these manual tests that we run for each and every release. But I do that as customer number zero of the company, on my home lab, monitoring my own home network. And I've mentioned a couple of times now that what gets me out of bed in the morning is threat hunting and incident response and catching bad guys. So literally, when I get out of bed in the morning, I come downstairs to my office, and one of the first things I do is take a look at my network and see what's going on, what's happened in the last 24 hours. And I can do that in my home lab and I'm not affecting anybody. I can experiment with lots of stuff.
Doug:Any time that we are building a new feature, I'm going to dogfood it in my home lab and make sure that it works and see if I can break it, because I'd rather break it before we release it than put it out there and have somebody else break it. So a home lab is one of the best investments that folks can make, and that doesn't even have to be Security Onion related, it doesn't even have to be network security monitoring related. Throughout my entire IT career, any time that I've been in a hiring manager kind of position, that's one of the questions that I'll always ask folks: tell me about your home lab. Right? Because I can get so much insight into a particular candidate's mindset by them just telling me about their home lab, or lack thereof.
Doug:Some folks will say, well, I don't have time for a home lab, and that's fine, I get that, right? But for folks that do have a home lab, it's almost a point of pride. It's like the old joke about your pride and joy: you open your wallet and you show pictures of your kids, or if you don't have kids,
Doug:you show a picture of your classic car or whatever collection you have. But home labbers, they love talking about their home lab. And hey, guess what I pulled off? I built this thing, and I have an Active Directory domain, and I have a pfSense firewall, and I have all this stuff going on, and I have these things integrated together. And they get really excited and passionate as they're talking about all of those cool things that they did in their home lab. But that's just such an amazing playground that folks can use to get real experience.
Doug:Because that's another one of those catch-22s, right? Especially if you're a student that hasn't gotten their first full-time job yet, and you're applying for jobs and applying for jobs. I've been there, done that. I know the problem of you're applying for jobs and they're saying, well, you don't have enough experience, and you're saying, well, how do I get experience if you won't hire me? Right? So home labs can help bridge that gap. I've talked to folks in the past that, maybe they're fresh out of college, but they can tell me about their home lab, and I'm like, that's work experience in my book. You are actually building things, you're troubleshooting things, and that counts. That helps me understand what quality of candidate you are, and that's just a great way to learn.
John:Yeah, no, that is great. It kind of falls in with a term I kind of came up with, I guess you'd call it: just build something, learn how to build something, which I would say is lacking. I'm not going to get on my soapbox here, but I could.
John:With security and folks that go into security, right, and I see it, I work with college students all the time, I love my college students, but they don't get that build experience, right? They're not building Active Directory. They're not building a server. They don't know how to stand up a Windows server. They don't have to stand up a Linux server that's running DNS. They jump into maybe a SOC, they jump into these roles that are security specific, right? But if you do build it, ideally you can get a job in IT, maybe you get that experience. That's great, there's nothing wrong with that, that's actually good. But with your home lab you can build it. Get those reps building it, right? Hey, I built AD. How many times have you built AD? In my home lab.
Doug:I had to build AD five times. You're going to get good at building.
John:Yeah, you're going to get good at building Active Directory. If you have to do that, that's good, that's a good thing. And then learn how to lock it down. Put on that hat of, okay, if I had to secure this, what are all the right things that I'm supposed to do to secure an Active Directory environment or whatever? But then also learn how to break it, right? And then use tools like Security Onion and look for those attacks, right? Have it on your network and say, hey, I should definitely see my attack traffic going on here, right? And then learn how you would mitigate it, right? That is definitely really good advice and great advice. Is there anything that you would recommend? You mentioned Proxmox and things like that. How do you step into it if you've never built your home network? Any advice there?
Doug:somewhere. And so you know, maybe that's, maybe that's on your laptop, you know, maybe you install VMware and you just start bringing up a simple virtual machine. You know and to your point about you know I've had this conversation with several folks about. You know, when you and I were coming up right we we started off in IT and networking and we had to do things the good old-fashioned way before we could move into cybersecurity. But now the world is a different place and there's so much booming demand for cybersecurity folks this dramatic influx of folks that are new to the industry altogether have no experience in IT, have little to no experience in operating systems or virtualization or Active Directory or whatever the case may be. And so you know you have to start somewhere, and I think virtualization is a skill that really everybody needs to have at least a minimal understanding of. And so if you have a desktop or laptop, start with virtualization, install a virtual machine under VMware or Parallels or whatever. You know VMware.
John:VM hypervisor, virtual bots or something.
Doug:Yeah, whatever the case may be, get experience with installing virtual machines. Get experience with installing a few different Linux distributions. Maybe you try out some kind of a Red Hat derivative. Maybe you try out Debian 12. Maybe you try out Ubuntu and some other ones, just to see how these different Linux distributions compare and contrast. Try installing Windows Server. Try building Active Directory.
Doug:At some point, you know, if you're running all these virtual machines, you may run into resource issues on a single machine, but if you're running them concurrently but I mean, the great thing about virtualization is you can. You know you could have a hundred different virtual machines. Maybe you're not running them all at the same time, but you know you could have 10 different Linux VMs and you could have 10 different Windows VMs and you're bringing this one up and bringing this one down and you're working within the resources that you have available. But you start from there and you know, maybe then at some point you have some money and so maybe you go and buy a little mini PC and you know the ones that I have. I put 96 gigs of RAM in them and four terabyte NVMe drives, and so they'll run a heck of a lot of virtual machines at the same time. So for a few hundred dollar investment, you know you've got a lot of learning capability there, you know.
Doug:So I think folks have to think about it as really an investment in your future, right? Because I think back to when I was 19, 20 years old, and gosh, $500 is a lot of money, $1,000 is a lot of money. But if you consider that you're investing in your career, and if investing $500 or $1,000 can get you that much further into your career, that much faster, well then it's probably a pretty good investment. And so maybe it's one of those things where it's piecemeal, maybe it's an iterative approach of: I'm starting on my little laptop.
Doug:When I get some money, maybe 500 bucks, maybe I buy a mini PC, and that gets me to a certain level of skills, and maybe that gets me my first job, because I can talk about my home lab environment, talk about all the things I'm doing on this mini PC. And then, as I'm making money in my first job, I'm thinking, oh, that first investment netted me my first job. So maybe, if I invest more, maybe that helps me get to the next step, maybe that gets me to a promotion or some other job. Yeah, so my home lab has grown over the years, and I'm still continuing to grow it to this day. So I think that's again a tremendous investment that folks can make in themselves and their futures.
John:Yeah, and you could spend $500 on a new cert, right, and you're going to learn from that. But it is kind of a point in time, where your home lab, again, is just another investment, but it can grow and continue, and you can keep building on that as well.
Doug:And that's a good point too, because a certification is going to teach you one specific focus area, whereas an investment in a home lab has unlimited potential. You can learn network security monitoring. You can learn attack and penetration testing. You can learn the basics of IT, networking, virtualization, all these different things. You can use it for so many different purposes. It's just an amazing investment.
John:Yeah, I think the last thing I'll say on this, for my final question, is that having somebody in an interview where you're talking through what they've done, right, that's going to be impressive: hey, I built this thing, talk me through how you built it, talk me through what you learned about it. I think those are gold to bring to an interview. That is gold. You're bringing gold with you, right? If they ask you questions about, well, how did you learn what you learned? What do you do? How do you feel confident in your skills? Well, let me tell you, right, this is what I had to do and I had to figure it out. So I would definitely think that that can help you a lot.
Doug:Yeah, and I think it's absolutely a true statement that the best interview questions are not necessarily concerned with whether the candidate answers the question correctly, but are more geared towards giving me an insight into that candidate's thought process. And that's why you hear these great stories about interview questions at Google. When Google's hiring somebody, they'll ask them these impossible questions that nobody can possibly answer, and they don't care that you arrive at the right answer. They want to see your thought process, right? And that's what I care about.
Doug:Right, because I know that if I'm hiring somebody for a specific role, there's going to be problems that they run into that may not be solvable, they may be impossible problems. But I want somebody who's not going to just throw their hands up and say, I give up, I can't do this. I want somebody who can reason it out and can talk me through their mindset of: here's how I think about this problem, here's what I think are the possible solutions, here's why I think these possible solutions won't work. And I mean, that's it, man. The core of it is understanding the mindset. And I think the flip side of that, for folks that are listening and who maybe find themselves in that candidate position, is be prepared for those interview questions where they're going to try to trip you up and they're going to try to give you impossible questions. But try to keep your wits about you, provide a logically consistent answer, and just be able to share your thought process in a clear and concise manner. Absolutely.
John:A hundred percent agree. So last question, and this has been great, Doug. With quantum encryption and quantum computing, and look, the network has grown so much, right, there's so much data. Just the future of network security monitoring, right? What are your thoughts? If you had your crystal ball, what are we thinking about? Because I'm sure you guys are, right? What do you see as maybe the future? What does that look like?
Doug:Well, I think the first thing I would say is that since very early on in the project, we've tried to make sure that we're not just limited to network security monitoring. So we've tried, over the years, to make sure that we're equally as powerful on the endpoint side as on the network side, because, as we all know, more and more of our network traffic is being encrypted. That's a great thing for privacy, but it makes our jobs as network defenders a little bit more difficult, and that's where endpoint visibility can help fill in those blind spots. So that's really the first part of the answer to that, and that's only going to continue to increase, because at this point it's what, well over 90% of our network traffic that's encrypted by default. And there's ways to get around that. If you're a corporation or an enterprise environment that can do SSL interception, that can give you some additional visibility into that traffic. But not everybody has that, not everybody can have that kind of capability. So endpoint visibility is a pretty big thing for us, but there's limitations with that as well.
Doug:Right, and this kind of goes back to something we see in the IT industry as a whole, that everything is cyclical. Back in the really old days, you had these big, huge mainframes, and then we kind of downsized into PCs on everybody's desk, and then we went to the cloud, which is really just mainframes all over again, and we have thin terminals on our desk, right? So everything is cyclical, and we're kind of going through that with cybersecurity. We kind of started off with network visibility. We were focused on that, and that was great and all, but network traffic became more and more encrypted. So we focused more on endpoint stuff. But now we're starting to see the limitations of that. That's not always great. And really, in that argument of network versus endpoint, the case against endpoint has always been that, well, if an adversary compromises the endpoint, you can no longer trust that endpoint anyway, right? So if you're collecting the logs from your accountant's Windows PC and it gets compromised with some command and control malware, the bad guy's on that box, and he could be deleting all the logs, he could be altering the logs, he could be sending you fake logs, right? So at some point you can no longer really trust the endpoint, and so now we're kind of back to the network, right? So it's always kind of this dance, but we have always tried to make sure that we're equally powerful on both sides, network and host.
Doug:But to your point about the future, obviously AI is a big thing now. We've spent a lot of time over the last couple of months really diving into AI, because for the last few years, vendors were talking about it, but in some cases it was maybe kind of snake oil, maybe kind of marketing buzzwords. But I think we've all seen that over the last six to 12 months there's been some real, actual progress made in AI, where it's not just smoke and mirrors anymore, and things are happening, and they're happening at a very rapid pace. So we want to make sure that we're not left behind. So we're doing a lot of investment in the AI space, making sure that we understand that and how defenders can use AI really as a force multiplier and get out there and be more effective in what they do.
Doug:You mentioned quantum, and obviously that has far-reaching implications for our entire industry. As soon as we reach a certain level of quantum computing, then obviously we have to rethink how we're doing all of our SSL certificates and everything that we are encrypting across the network. But that's just the nature of the beast, and that's the nature of our industry that's moving at light speed into the future. So I think the way that I would sum it all up is that I've always loved technology because it moves so fast. So I kind of started off in IT, and I enjoyed being a firewall guy and a switch and router guy and an application development guy and a web development guy and all these things.
Doug:But I moved into cybersecurity because it was even more challenging. There was a new challenge every single day, especially when you're dealing with live adversaries. And so I think the summation of all that is that with all these things that we're dealing with, that we're worrying about, we're learning something new every single day. This is something that I tell my daughters as often as I can: don't rely on the school system to be your source of education. You're responsible for your education. I don't care if it's summer vacation. You have to learn something new every single day, or else you're falling behind. And that's absolutely a true statement for the fast-paced industry that we find ourselves in.
John:Yeah, no, I think that's great. I think AI in particular, I was going to ask that. I'm glad you brought it up, and we are thinking about that just as a security team, and obviously many tools have AI baked into them in different ways, more machine learning, but more AI is coming. But I thought maybe we just need to build our own, whatever, right? Because it can make your life easier, the more you can pull all that data in and find the answers quicker, right? So there's definitely some opportunity there. I think, overall, with everything you just said, there's opportunity. There's definitely a need for more people to come into this field and to help out and to continue to grow. You do have to come into it with that growth mindset, because there's a lot to learn. Well, awesome, Doug, this has been very cool, really. Thank you for your time to go through this, and I've learned some stuff today, so I can check that off my box.
John:But no, thanks again. I really appreciate it.
Doug:Thanks for the invitation. Enjoyed it. All right, see you guys later.
Speaker 1:Thank you for tuning in to today's episode of the Cybersecurity Mentors Podcast.
John:Remember to subscribe to our podcast on your favorite platform so you get all the episodes.
Speaker 1:Join us next time as we continue to unlock the secrets of cybersecurity mentorship. Do you have questions or topics you'd like us to cover, or do you want to share your journey? Join us on Discord at Cybersecurity Mentors Podcast, and follow us on LinkedIn. We'd love to hear from you. Until next time, I'm John Hoyt and I'm Steve Higareda. Thank you for listening.