Public Safety, Digital Forensics, and SOAR

July 29, 2019 • Zane Pokorny

Our guest is John Moran, senior product manager at DFLabs, whose offerings include a SOAR platform for cybersecurity. John shares his career journey from public safety to digital forensics and cybersecurity, his thoughts on some of the benefits and misconceptions surrounding SOAR deployment, insights on threat intelligence, and much more.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 118 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Our guest is John Moran, senior product manager at DFLabs, whose offerings include a SOAR platform for cybersecurity. John shares his career journey from public safety to digital forensics and cybersecurity, his thoughts on some of the benefits and misconceptions surrounding SOAR deployment, insights on threat intelligence, and much more. Stay with us.

John Moran:

I certainly have had, I will say, a different career path. The short version is, I actually started out in public safety many years ago. While I was in public safety, I started teaching myself how to program on the side and developed an interest in programming and the IT side of things. From there, I went into IT doing sysadmin, network admin. During one of my classes that I was taking for that, I discovered computer forensics. That was a great mix for me. I still enjoy the public safety, the investigative side of things, but I also enjoy the technology side of things. Computer forensics was great for me.

I pursued computer forensics and worked in the computer crimes unit for a law enforcement agency for several years before transitioning to the private sector and doing incident response and computer forensics consulting. Then I found I enjoy doing the consulting, but I really have a love for finding ways to make things better, finding problems and fun ways to solve them, which is what brought me in my current role here at DFLabs doing product management.

Dave Bittner:

What sort of things does DFLabs do?

John Moran:

We have been around for a little over a decade now. Originally was a consulting firm doing forensics and incident response consulting and then pivoted into what was originally a case management solution. That was DFLabs’ ink man in its first iteration. Probably about four or five years ago now, the SOAR market started to emerge. We pivoted into SOAR, security orchestration, automation, and response. We now have a platform that is a full SOAR platform, but also has that very strong background in case management and incident management.

Dave Bittner:

I want to go back and talk a little bit about your time doing computer forensic analysis. You worked with the Maine State Police Computer Crimes Unit. Can you give us some insights? What is that job like? When you’re tasked with taking possession of someone’s computer that may have been involved in some sort of a crime, can you walk us through what’s that process like?

John Moran:

Sure. Obviously, it was a great experience. In many ways, I still miss working in that law enforcement environment. It was fun. It was challenging. They say everyday is different and that’s very true. Obviously, some of the material and things that you have to view on a daily basis can be a bit challenging, but overall it was very, very rewarding. The processes are very defined when you talk about actually specifically having to take somebody’s computer and go through those things. Obviously, there’s processes and procedures that you have to follow both just department processes as well as legal processes. Things like search warrants and subpoenas and all of that.

Of course, the processes have to be followed very closely because the worst thing that can happen is to go through all of that and have your case or your investigation thrown out because something wasn’t followed properly. It’s something that we stick to very closely.

Dave Bittner:

Were there any common things that you’d run into where … I’m thinking of things where the bad guys would think that they were doing something that was going to outsmart you all, but it wasn’t. It was something that it was easy for you all to overcome. Were there any sorts of things like that that you ran into time and time again?

John Moran:

You know, it’s actually funny. I think partially just because you would think that they would try to hide things very carefully and partially because I think sometimes that’s the way it’s portrayed on TV. It’s actually amusing how often people don’t really try to hide themselves very well. Now, obviously, when you get into some of the more advanced crimes with people that are perhaps doing this as a profession, if you will, they obviously go through some extra steps to try to remain hidden. But the average day to day people that you see involved in some of the more common cybercrimes really aren’t taking very many steps at all to protect themselves.

Those that do, it’s actually a nice challenge at some point because you actually have to spend some time. When you look at people who are using … Encryption is a common thing we run into or using some sort of a proxy or a TOR-like service. Those are the more challenging ones and makes it a little bit more exciting. I would say those are probably the two most common that we run into is encryption or a proxying or a TOR-like service.

Dave Bittner:

Now, the training that you received and the experience that you had as a public safety officer, what does that bring you in terms of the insights that you have with the work you do in cyber?

John Moran:

I think the investigative practices really carry over. You’re investigating obviously different crimes. They have different implications or different incidents with different implications, but the investigative process is still very similar. Working in law enforcement, it really, I think, prepares you well for working in investigations in the private sector. I think that’s why you see a lot of people either leave law enforcement or retire from law enforcement and go into the private sector and are very successful in that because you have that background that you really don’t get anywhere else. Obviously, it certainly exposed you to working under adverse conditions under high pressure situations.

Again, although it’s different, you certainly face those same sort of conditions and challenges in the private sector as well. It prepares you very well to deal with those.

Dave Bittner:

I would imagine too that it gives you a lot of good preparation for the human side of things.

John Moran:

Sure. Yeah, absolutely. As much as we sometimes hate it, there is certainly a human component to having to deal with humans sometimes in investigations whether it’s on the victim side or perhaps the suspect side of any investigation. It does. It obviously teaches you interview skills, but also how to be compassionate and work with victims or work with people who are perhaps experiencing a very bad moment, whether it’s professionally or personally, and be able to work with those people effectively.

Dave Bittner:

I want to dig into some of the work that you’re doing with DFLabs, specifically the security, orchestration, automation, and response, SOAR. For folks who may not be familiar with SOAR, how do you describe it?

John Moran:

Really what SOAR is designed to do is make your security operations process more efficient. If I had a one line description, that’s really what it’s about. It’s about taking the inefficiencies and the challenges that everybody’s facing in security operations and trying to solve those challenges.

When we talk about orchestration, the O in SOAR, you’re really talking about bringing those disparate technologies together, allowing your SIM and your EDR and your network technologies. Really bringing those together under one umbrella and giving you that single platform to work under.

When we talk about the automation in SOAR, obviously we’re talking about being able to automate processes to really take up the mundane tasks that analysts are doing everyday or those things that for every incident you’ve got to do the same thing over and over and over again. The automation is really meant to automate those mundane tasks and free up analyst time to really work on things that need human intervention. If I can free up that time that you’re taking to do the same thing, it may only take a minute, two minutes for every incident, but when you’re handling a hundred incidents a day, that’s a lot of time.

The automation component really allows you to free up that time and allow your analysts – their time is really valuable – to work on more critical tasks.

Dave Bittner:

What is the transition like? For companies who’ve decided that they want to adopt a SOAR approach, what sort of changes can they expect and is that transition easy? What sort of effort does it take?

John Moran:

Well, you know, I think the ease of the transition really depends a lot on the security program and the maturity of the existing security program. You don’t need to have a huge security program and dozens of technologies to integrate to be successful with a SOAR solution. But what you do need is a certain amount of planning and standard processes to really be successful with a SOAR solution. The organizations that we see that are the most successful are the ones that have done that pre-planning and have a set of policies or procedures, whether they’re complex or very simple, because that’s really what you’re doing with a SOAR solution.You’re building out your existing workflows and automating those and orchestrating those.

I have a malware response that I go through for malware incidents. I’m going to take those and I’m going to build out those same workflows in a SOAR solution. If those don’t exist, you have a lot more spin up time because you have to build those out on the fly. That I think is probably the single biggest key to success I guess, if you will.

Dave Bittner:

Now, are there particularly sized organizations that it works best with? Do you have to be of a certain size, or is there a sweet spot somewhere?

John Moran:

No, I don’t think you need to necessarily be of a specific size. We’ve seen obviously very large enterprises implement SOAR solutions, federal governments implement SOAR solutions, and they can be very successful with that. They are very successful with that. But we’ve also seen small to midsize organizations looking at SOAR solutions as well because while they may not have the number of technologies in place or the complex procedures in place, they also don’t have the amount of staff that these larger organizations do. They can still really benefit from the force multiplication of a SOAR solution.

Dave Bittner:

Are there any common misperceptions that you find people have about it?

John Moran:

Yeah. I think from the analyst side, I think one of the most common misperceptions that we see is that it’s really meant to replace an analyst. That we’re going to take this automation and this machine learning and then all these other fancy buzzwords and we’re trying to get rid of analysts. That’s simply not the case. People are, and I think always will be, a critical part of the security operations program. What we’re trying to do is make analysts more efficient. I talked about that force multiplication and that freeing up analyst’s time. We don’t want to get rid of the analyst. We want to allow these overworked analysts to have the information already ready for them.

Let’s automate the stuff that we can automate so that a human analyst can actually focus their valuable time on the stuff that they can’t automate, the stuff that requires a human decision or a human action to do, and maybe even start being proactive in our security programs. If you can free up enough time to actually allow your analyst to not just be reactive, but start being proactive, that’s a much better use of your analyst’s time. We’re definitely not trying to replace anybody. We’re just trying to give analysts the tools to be as effective as possible.

Dave Bittner:

I want to switch gears a little bit and talk about threat intelligence and get your take on where you think threat intelligence fits in an organization’s defenses.

John Moran:

I think threat intelligence, whether you’re talking about SOAR or you’re talking about manual investigations, is really a critical component. When we talk about threat intelligence, I think one of the critical things for me is really actionable threat intelligence. Threat intelligence can be great or it can be very poor. Obviously, I think anybody who’s worked in the industry for any length of time has probably experienced both ends of that spectrum. But really actionable threat intelligence is critical, I think, across not only the initial event validation stage, but throughout the entire incident response life cycle.

When you’re talking about not only investigating, but being able to effectively contain and even remediate threat, having that good quality actionable threat intelligence is super critical to make sure that, one, you’ve identified the threat, and two, that there’s nothing that you’ve missed or other indicators related or other infections that may be secondary that you may have missed. I think what I really wanted to touch on for just a second is the critical component that threat intelligence plays in a SOAR environment. We talked about it a little bit in the general investigative process, but I think it’s equally, if not more important, in an automated environment.

We’re trying to take the processes and the procedures that users go through when they’re doing a security event or an incident response, and we’re trying to automate those. We need to make sure that the threat intelligence that is being fed into the SOAR solution to base these automated decisions on is reliable and is actionable, because otherwise you really just lose some of the value of these automated decisions.

Dave Bittner:

Yeah. I’m wondering if you have any tips or advice to folks who are looking at cybersecurity as a career path, particularly since your pathway was a little bit unconventional. You had an array of experience. Any advice for folks who are thinking of joining cybersecurity?

John Moran:

I think one of the things that’s benefited me quite a bit was really having a solid background in network operations, in system administration. Having that core background is a great place to start. It’s not exciting. It’s not fun. It’s not sexy, but that stuff, that knowledge that you gain really informs what you’re going to be doing in security operations. You need to have that background knowledge. I think getting that base knowledge and then showing that you can take on additional tasks, especially in a larger environment, I think that can be a great way to get started and build some base knowledge. Obviously, some people are very pro certifications, some people are very anti-certification.

To me in my particular path, certifications or at least the certification classes were great for me. Not because I necessarily wanted to put a couple letters after my name, but because it gave me that introduction. It gave me that base knowledge that I could build off of because I was coming from a largely non-forensics background. Having that base knowledge really gave me a leg up and allowed me to at least get my foot in the door because so much of it then is on the job and learning as you go.

Dave Bittner:

You spent a good amount of time working on incident response. I’m curious, based on your experience there, what sort of advice do you have for folks in terms of, I don’t know, preparing for the inevitable? When that incident occurs, what are the things they can do ahead of time that’s going to make that less painful?

John Moran:

I think obviously having a good incident response plan in place is really critical. That was something that we used to do a lot in the consulting space was helping organizations develop their incident response plans. That planning on paper is critical, but equally as critical I think is testing those plans and doing exercises. Because having an incident response plan that you’ve developed and it’s documented and you spent months nailing down all the details and then it goes on a shelf or probably a shared drive somewhere or something and never gets seen again. It’s not doing you much good. We used to do a lot of of tabletop exercises and technical exercises with our clients and that was really beneficial because they would actually get to see that in action and identify any gaps. Things that sound good on paper, you actually put them into practice and you go, “Ooh, this may not work.” So that.

Finally, I think to go along with that, one of the most eye-opening experiences people in tabletop exercises have that I saw was when we brought in other teams into the tabletop exercises. It’s very easy to do a tabletop exercise with your security team and maybe your executive suite, but there’s going to be a lot of other teams involved in the incident response process. Legal, human resources, external counsel, corporate communications. That really was I think an eye-opener to a lot of people when we brought in those other teams because they really started understanding the larger picture.

Why do we have this incident response plan and how does it actually work and seeing what these other teams are doing, but also it gave them a better appreciation for what the other teams are doing and why it’s important to have them involved.

Dave Bittner:

Yeah. It strikes me that I would imagine that that could be at the outset a difficult thing to convince an executive team in particular that that’s time well spent, that the investment in that amount of time to do that is going to pay off. But then I would imagine on the flip side when they’ve had these aha moments that you probably experienced, then going, “Oh, okay. Now I get it. This was time well spent.”

John Moran:

Yeah, absolutely. For a first tabletop exercise or if you’ve never done one before, it might be a good idea to start out small. Do one with your security team and then build out from there. But I don’t think in all the tabletop exercises that I did with the executive and other staff that any of the executives ever came up after and said, “Wow, that was a giant waste of my time.” They were impressed, and they thought it was a very worthwhile exercise. We had numerous clients that we would do those year after year after year with them. Definitely it’s time well spent, precious time, because obviously it can take some time to get on the executive’s calendar, but time well spent. Absolutely.

Dave Bittner:

Our thanks to John Moran from DFLabs for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Zane Pokorny, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.

Related Posts

Threat Hunting, Mentoring, and Having a Presence

Threat Hunting, Mentoring, and Having a Presence

December 2, 2019 • Monica Todros

Our guest today is O’Shea Bowens He’s CEO of Null Hat Security and a SOC manager for Toast, a...

From Infamous Myspace Wormer to Open Source Advocate

From Infamous Myspace Wormer to Open Source Advocate

November 25, 2019 • Monica Todros

If you are of a certain age — an age where you may have spent a good bit of your time online...

Solving the Business Challenges of Governance, Risk, and Compliance

Solving the Business Challenges of Governance, Risk, and Compliance

November 18, 2019 • Monica Todros

Our guest today is Syra Arif, a senior advisory solutions architect in the security and risk...