Sitdown With a SOC Star: 11 Questions With Sentara Healthcare’s John DePalma

John DePalma, winner of the 2021 Security Engineer of the Year Award at the inaugural SOCstock Awards, joined the hot seat for another edition of “Sitdown With a SOC Star.” DePalma, a security engineer at Sentara Healthcare, describes himself as an “IT security enthusiast,” and after reading this interview, you’ll realize his fondness for protecting things transcends his professional career.

Like others who have appeared in this space, DePalma’s career trajectory to his current role was anything but “ordinary,” but, in short, he swapped car engines for computer servers. We’ll explain more in a bit.

DePalma is passionate about everything from using SOAR technology as a vehicle (no pun intended) to keep analysts from burning out to helping aspiring cybersecurity professionals – or anyone who is looking for security advice. In fact, if you frequent the r/cybersecurity subreddit, you may have already virtually run into him.

Enjoy the conversation with DePalma!

1) Hi John! Thanks for (virtually) sitting down with us. Tell us about where you work, what you do there, and the role security operations plays there.

I am a cybersecurity engineer at Sentara Healthcare in Virginia. My duties include, but are not limited to, the following:

  • IAM provisioning.
  • Assisting in DFIR engagements.
  • Evaluating and setting up new security technologies.
  • SIEM administration.
  • SOAR administration.
  • Creating automations to ease workloads.
  • PKI administration.
  • Cloud and on-premises controls auditing and configuring.
  • Penetration testing, designing pen tests and working with hired testers.
  • Assisting in troubleshooting never-before-seen applications.
  • Anything else with the word security or a concern for the confidentiality, integrity or availability of company assets. Every day is something new!

2) According to your LinkedIn profile, you have taken more of an interest in DevSecOps. Why is the concept of DevSecOps gaining traction within organizations, and what can they do to get it right?

If you consider the average day-to-day operations of an IT or IT security admin, you might note that most of the tasks are reactionary.

Some server has multiple high-severity vulnerabilities, the containers are running as root, the vendor for an application asked for the service account to be global admin, you need to safe list 20 URLs and 10 IP addresses, and all of that has to be cleaned up. Or, something worked but after an update or application of a security control or best practice, that something is broken now. With something like DevSecOps, the idea of security is considered from the start instead of the typical afterthought.

3) What’s the most important hard skill(s) and soft skill(s) for an analyst or engineer to possess to move to the next level?

Problem solving as the soft skill. I know it sounds so generic, but the ability to logically reason and troubleshoot a problem – one never before encountered – is by far the most important aspect of this field. What good is the ability to quote NIST 800-53 if you can’t apply the controls to your environment? Or, figure out why they fail (or succeed)? Every day, all day, SOC analysts are required to solve new problems that have no procedure or workflow, so they need to be able to address the problem dynamically and move on to the next. An additional soft skill I would list is threat actor methodologies. It certainly helps with investigations if you know how attacks are carried out.

Hard skills? Anything IT and IT security. SOC personnel need to have a wide breadth of skillsets with different technologies so they can readily respond to any event. If I had to name a few: identity and access management (Microsoft ADUC), firewalls, intrusion prevention systems, anti-virus, endpoint detection and response tools, cloud network security groups, SIEMs, Linux and Windows logs, vulnerability management tools and forensics software.

4) What’s one piece of advice you’d give for someone considering a career in security operations?

Start a home lab! Begin with some virtual machines (VMs), a Windows VM and a Kali Linux VM, and attack the Windows machine. (There are many tutorials out there for this.) Then, start investigating the attack and determine solutions to mitigate impact and stop the attack from recurring. Continue to try out different techniques while learning both blue team and red team techniques. Not only will this prepare you for the role, but talking about your home lab during an interview will demonstrate your skills and enthusiasm. (Editor’s note: We agree!)

5) When you’re not SOC’ing, what is your favorite thing to be doing and what do you like about it?

When not professionally SOC’ing, I am usually working on my home lab, which is basically a miniature corporation of desktops, servers, domain controllers, firewalls and the whole security stack. I like to switch out different tools and then launch “attacks” against my “corporation” to see how the tools respond and how I can tweak them.

I control servers at locations in North Carolina and Virginia. These servers are equipped with the tools your typical threat actor might use. I use these servers and the tools on them to conduct attacks against my fake company.

Occasionally I’ll round up some students from the local university and have them see what incident response in a SOC is like.

6) Which industry luminary would you most want to have dinner with and why?

Mikko Hypponen (longtime chief research officer at security firm F-Secure). Mikko and his whole team! They’ve done terrific work in the field and work to interrupt bad actors.

7) You spent more than a decade as an automotive mechanic before switching to the cybersecurity field. How did this unusual career path come to be (although thinking more about it, it seems like many of the skills might be transferable)?

I started out as an automotive mechanic because I was good with solving problems with cars (namely my own that broke down weekly) and because I needed a job. At the same time I had a lot of interest in computers and technology – I was the neighborhood IT guy after all – and spent most of my free time tinkering with computers or code.

A mechanic’s job is hard on the body. Take a look at the “old-timers” in the field and you’ll see the scars. After nearly 15 years on the job I really wanted to get away from abusing my body and wanted to apply my computer skills instead. So, I went to the nearby university, tackled the first “computery” degree option they had, which was computer science (I didn’t notice the IT degrees for some reason), joined the university’s Cybersecurity Club and eventually got invited to participate in an internship for a hospital as a cybersecurity analyst. 

I found I really enjoyed cybersecurity, and the problem-solving skills I gained over the years working on cars and my home labs really paid off. Over five years later, I still enjoy solving the interesting problems network security offers.

8) What value does security automation and orchestration (SOAR) technology bring to security operations?

Immense! There’s too much noise, too much signal for the human being to make sense of everything. SOAR helps enrich events, and at the bare minimum, save the analyst time on the enrichment, and, on the maximum, can determine if an event is really worth looking at. How many SOC analysts out there get burned out after tirelessly tracking down hundreds of failed login attempts?

With SOAR we can automate the base tasks of the Tier 1 analyst and free them up to do more meaningful work. SOAR can’t and won’t replace the human, but it can enable the human to be more effective.

9) We’ve read that you run a quasi-MSSP out of your home for friends and family to help them stay protected. We’re intrigued. Were you tired of all the help desk texts and emails?

Ha, no! If anything this little project created that work. After all the time spent with my home lab and several SIEM-like technologies, I figured I could onboard real data and provide meaningful services to real people. Depending on comfort level, I might be managing a firewall, anti-virus and web-filter on the entire network of a household with all logs (Sysmon ftw!) shipped to my SIEM. Occasionally there’s an alert, but usually most of the time is spent managing the tools (PKI for the web-proxy is so annoying nowadays) to ensure the network doesn’t feel a negative impact of protection. It’s been a great learning resource too!

10) What’s the No. 1 thing security operations teams can do to improve their maturity?

SOCs have a difficult job. There are no projects to mark complete, no satisfying conclusion to an endeavor. They don’t get to set up a new tool and celebrate that the world is safer now. No, they have to react to the tool. Every day is a fire drill, but they have 100 fires to choose from. SOCs need tight organization. Tickets come in from every angle – SIEM, anti-virus, help desk, threat hunting, vulnerability reports – which necessitates prioritization and something like a case manager to possibly perform the initial triage, determine priority, assign to a caseworker and follow up with other cases. Sounds tiring, right? Perhaps SOAR can assist here.
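One way to sketch the enrichment and initial triage described in the answers to questions 8 and 10, as an added example that is not code from the interview, from DePalma or from Siemplify: a small Python playbook groups failed-logon events by source, enriches each source from an asset inventory and a set of internal address ranges, and assigns a case priority so that only cases worth looking at reach an analyst. The inventory, service-account list, thresholds and events are all constructed values assumed for the example.

```python
"""Constructed SOAR-style triage playbook for failed-logon noise (example only)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed enrichment data standing in for a CMDB / IAM lookup (assumed values).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ASSET_INVENTORY = {"10.1.5.20": "workstation-jdoe", "10.1.9.7": "backup-server"}
SERVICE_ACCOUNTS = {"svc_bak"}
SPRAY_USER_THRESHOLD = 3     # distinct accounts failing from one source
BRUTE_ATTEMPT_THRESHOLD = 5  # failures against one account from one source

# Constructed failed-logon events (e.g. Windows 4625 reduced to user + source).
EVENTS = (
    [{"user": "jdoe", "src": "10.1.5.20"}] * 3        # user mistyping a password
    + [{"user": "svc_bak", "src": "10.1.9.7"}] * 2    # service account after rotation
    + [{"user": "mwhite", "src": "10.1.3.3"}] * 6     # repeated failures, one account
    + [{"user": "admin", "src": "203.0.113.9"}]       # source outside internal ranges
    + [{"user": u, "src": "10.1.7.77"} for u in ("alice", "bob", "carol")]  # spray
)

def enrich(src):
    """What the playbook looks up about a source before a human ever sees it."""
    addr = ip_address(src)
    return {"asset": ASSET_INVENTORY.get(src),
            "external": not any(addr in net for net in INTERNAL_NETS)}

def triage(events):
    """Group failures per source, enrich, assign a priority; return cases, urgent first."""
    by_src = defaultdict(lambda: defaultdict(int))
    for e in events:
        by_src[e["src"]][e["user"]] += 1
    cases = []
    for src, users in by_src.items():
        info = enrich(src)
        if info["external"]:
            priority, reason = "high", "failed logons from outside internal ranges"
        elif len(users) >= SPRAY_USER_THRESHOLD:
            priority, reason = "high", "many accounts from one source (possible spray)"
        elif set(users) & SERVICE_ACCOUNTS:
            priority, reason = "medium", "service account failing (check credential rotation)"
        elif max(users.values()) >= BRUTE_ATTEMPT_THRESHOLD:
            priority, reason = "medium", "repeated failures against one account"
        elif info["asset"] is None:
            priority, reason = "low", "few failures from an unlisted internal source"
        else:
            priority, reason = "auto-close", "few failures from a known asset; likely a typo"
        cases.append({"src": src, "asset": info["asset"], "users": sorted(users),
                      "attempts": sum(users.values()), "priority": priority, "reason": reason})
    rank = {"high": 0, "medium": 1, "low": 2, "auto-close": 3}
    return sorted(cases, key=lambda c: rank[c["priority"]])  # stable: keeps arrival order within a rank
```

Run as a script, `triage(EVENTS)` yields five cases; the two "high" ones are what a Tier 1 analyst would open first, and the single auto-closed case is the kind of noise the answer above describes.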

11) You mentioned you spend a lot of time talking to students about the cybersecurity industry. Why is this something you are passionate about and what methods do you use to reach them?

My answer might rub some people the wrong way, but I am also passionate about my answer: I believe most of today’s education platforms are failing our students when it comes to cybersecurity. The majority of these programs are in their infancy and barely provide the students with the needed skillsets to succeed. The IT security field doesn’t need bodies in chairs, it needs skilled people. Ask nearly any student working towards a cybersecurity degree, and they’ll most likely remark on how easy the classes are. But they don’t feel they are learning anything and are worried they won’t be able to get a job, let alone know what to do if they land one. They are not being taught to problem-solve IT issues or investigate suspicious events. I don’t think I’ve spoken to any student who has had hands-on experience with a SIEM, yet we expect entry-level analysts to sit down at the company SIEM and get to work.

I can be found attending security conferences and speaking about the value of setting up a home lab to help bridge the skills gap that education systems miss. I’m also active on the r/cybersecurity subreddit, usually the “Mentorship Monday” bit but also responding to the heaps of questions on “how do I get started?” And I also stay active with the local university’s Cybersecurity Club, where I craft capture-the-flag challenges for students or provide different methods of creating a lab that will help prepare them for the field. Sometimes I try to run some students through my own little incident response “training course,” which provides hands-on SIEM and investigation on actual servers and desktops.

You can connect with DePalma on LinkedIn here.

Are you or someone you know a SOC star whose insights would be valuable to share in this space? We’re always looking for new candidates! Just email Content Director Dan Kaplan.

The post Sitdown With a SOC Star: 11 Questions With Sentara Healthcare’s John DePalma appeared first on Siemplify.

*** This is a Security Bloggers Network syndicated blog from Siemplify authored by Dan Kaplan. Read the original post at: