Host Tanya Janca learns what it's like to be a Principal Consultant doing Incident Response, with Shelly Giesbrecht! A long-time admirer of smart people, PowerShelly works hard to surround herself with people she can learn from. This is particularly easy to do in her day job as a Principal Consultant (IR) for CrowdStrike. She is frequently found wearing a bow-tie, and for some reason!
https://twitter.com/nerdiosity
https://www.nerdiosity.com
This episode sponsored by ThreadFix!
Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security https://www.amazon.com/Alice-Bob-Learn-Application-Security/dp/1119687357
Don’t forget to check out #WeHackPurple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/
Join our Cyber Security community: https://community.wehackpurple.com/
A safe place to learn and share your knowledge with other professionals in the field.
Subscribe to our newsletter and/or contact us for more info!
Welcome to the We Hack Purple podcast, where each week we meet with different members of the information security industry to talk to them about all their different types of jobs. If you are looking for a career in information security and you aren't quite sure what you want to do, this is the podcast for you. I am your host, Tanya Janca, also known as SheHacksPurple, and I am from We Hack Purple, an academy and online community that teaches everyone about how to create secure software.

This week I have Shelly Giesbrecht. I definitely said that wrong, but she is going to correct me. And I know what you're thinking: Tanya, we want to get to the guest. But first, our sponsor this week is ThreadFix, powered by Denim Group. And with that, let's talk to Shelly.

Hi Shelly!

Hi, how are you?

Good. Did I say your name correctly?

You actually did. It was perfect; I gave you the thumbs up.

Oh my gosh, absolutely, thank you, because I actually meant to ask you about that so I could get it right. So that's awesome sauce, totally perfect. So people might notice today that there is a bunch of Canadian accents happening, because we are both in Canada. And are you Canadian, Shelly?

I am indeed, I am indeed. I was born in Calgary, raised in Victoria, and then came back to Calgary, so I'm based out of Calgary, Alberta.

Awesome. So you might hear us say things like "aboot," we might say the word "give'r" or the expression "fill your boots," and we'll just translate as we go for our American and international listeners. Oh my gosh, Shelly, this is going to be so good. Shelly, could you please tell us your name and your handle and your job title?

My name is Shelly Giesbrecht. On Twitter you can find me as Nerdiosity. My colleagues call me PowerShelly. And let's see, I am a manager with the CrowdStrike Services team. I mainly focus on incident response, but I do a lot of proactive work on the security development side as well.

I love PowerShelly. I'm not sure I'm gonna be able to call you Shelly anymore; I might have to call you PowerShelly, because that's so awesome. Can you tell us about your job, and then after, tell us kind of like what a day in the life is like doing that job?
Yeah, absolutely. So most of my work is reactive incident response, and what that means is we get a phone call from an organization, or perhaps the lawyers that represent them, to say they've had some sort of cyber incident in their environment, whether that be, you know, hackers, if you will, or they've been breached, or they've got a malware incident.

There's lots of good hackers, by the way. It's not a bad word.

And so they've been breached in some way, and so I like to say that we meet people on the worst day of their business lives. And so my job as a manager is, one, I help the customer scope the incident and understand what we can do best for them: how do we get them from where they are on their worst business day back to business as usual, or usually better, really, because this is usually what got them into the issue to start with. So we want to get them somewhere better than where they were before. I like to think (actually, somebody asked me this the other day) that my job, anyways, as kind of managing incidents and working with customers, is probably about 70 percent counselor, psychologist, friend, hand holder, and about 30 percent technical. That said, I have an amazing team of really technical people behind me, and we not only investigate the incident for the customer, but we also help them and recommend things to make sure that their environment can be remediated and get it back to where it needs to be.

So, day in the life? Yeah, I don't know that we have a day in the life. Our days are different every day; that's one of the things I love about it. You know, the best part about infosec is, the best answer for any question in infosec is "it depends." So what's the day like? It depends. You know, my wife says to me all the time, "How's your day today?" and I go, "Oh, it doesn't look too bad right now," and then she'll say to me later, "You seemed really busy today," and I said, "Well, you know, so-and-so called, and then I got into this meeting, and then we had to meet with a new client and they had a new incident." And yeah, that's how my day usually goes. That's what I love about it: there's never a usual day for us.

I agree wholeheartedly. Would you say that sometimes your days are very long and sometimes your days are very short?

Yeah, absolutely, absolutely. I think when I'm interviewing for this position, particularly people who are coming into it new, who have never been an incident responder before, one of the things I like to make clear to them is this is not your Monday to Friday, eight to five job. You know, we deal in what we call "Friday afternoon specials," so 4 pm on a Friday afternoon is when the phone rings, because some customer has been dealing with something all week, maybe two weeks, and they've decided on Friday afternoon that that's when they need help. So yeah, some days are really long, some days don't end at all. I've definitely, even recently, worked until three or four in the morning. I wouldn't say that's an everyday thing, but certainly some days are shorter and some days are longer. So yeah, absolutely. And weekends? Weekends are kind of an ephemeral concept.
Oh my gosh, I could not agree more. If some of our listeners are less familiar with what incident response is, could you kind of lay it out for someone who maybe doesn't know very much about it?

Yeah, absolutely, because I think a lot of people have heard of forensics, or digital forensics, and doing investigations into what's happened on a computer. And there's kind of two schools of what we call digital forensics and incident response, or DFIR; you'll see that a lot. So digital forensics is really the traditional thing we think of: collecting information and doing forensics on that, so doing an investigation into the bits and bytes of what happened, either on a network or a particular computer, and then providing those findings to the customer based on what we see. Incident response is a little bit more of a reactive science, if you will. We usually get called in when there is actually a live threat actor...

An unauthorized party on a network?

Yep, exactly. That is still doing bad things. And so part of our job is to help the customer figure out where that's happening and contain it, stop that bleeding, and make sure that there's no more money leaving the environment, that their data is no longer leaving the environment. That's a big one these days, obviously, with ransomware: we're seeing a lot of data exfiltration happening, data leaving the environment, being stolen, damaged, et cetera. So we have that piece where we help them contain it. We also do the investigation piece; we have a whole team that does digital forensics, so we try to figure out what has happened, if we can, and then help them out with that. And then obviously the eradication piece, which is helping them get rid of all that stuff that's in their environment.

That's awesome. That's a lot. That is a lot.
What type of personality do you think would be best suited to do, like, digital forensics and incident response?

Yeah, I think for me, like when I'm hiring for instance, and I think myself, it's an absolute sense of curiosity. That's kind of where the Nerdiosity name came from, which is a passion for all things and curiosity for all things nerdy, so Nerdiosity. But I think you have to have that drive to know and to figure out puzzles. That's really what everything is: it's a puzzle. So having that innate sense of curiosity and passion for what we do is such a huge piece.

I could not agree more. Would you also say that to do incident management, perhaps, you would need leadership, or the ability to be cool when everything around you is on fire?

Yes, absolutely, and that's definitely a learned skill. I mean, honestly, it is. I've had situations where I've had a CISO cry on the phone because everything is, figuratively anyways, burning down around them. They don't know whether they're going to be able to employ people, make payroll, have their company continue in business.

Wow.

And so, you know, the ability to, as I said, part of this is counselor, and being able to be there for those folks in their time of need, essentially the worst days of their business lives. There's a lot of... one of the things, interestingly, I think there's also the project manager piece as well. There's a leadership piece, there's a project manager piece. The thing I always tell my new consultants is "no surprises." There's no surprises to the customer; we want to anticipate everything that they need, in real time. And because we are always dealing with... it moves very fast. Incident response is constantly evolving and moving fast; the incident can change on a dime. So having that anticipation, that sense of urgency, is huge, and then being able to manage those pieces and organization, whether that's my team and what they need to be doing, or whether we have customer tasks that need to be doing. So yeah, there's a few different pieces. But yeah, the leadership piece, I think, as you grow up as a consultant, I think it's something you pick up as you go, and it's been a real learning curve for me in the last five years as I kind of moved into a leadership role. But a lot of fun, and I get lucky to work with the best people.

I briefly worked in incident response, and it was very exciting. I would definitely use the word "exciting" to describe a lot of it, and rarely "horrifying."

Yes, I mean, I always think of that. I wondered recently if this is actually... people call it the old Chinese proverb, "may you live in interesting times." I don't even know if that's actually true, if it's actually a thing, or is that something that we just say? But I think IR is kind of like that: it's always interesting, whether that's interesting good or interesting bad. It is a totally different thing, but it's always...
Yes. We have a question in the chat from Way: what is the heart of the investigation in incident response?

I'm not sure I 100 percent understand the question.

But there's another, like, follow-up to it: is there a chance that an investigation goes wrong and the responders can go kind of into a black hole, and how do you tackle this?

Oh yeah, okay. So I think, I mean, the heart, I would say the heart of an investigation is artifacts. So having actual artifacts and evidence to be able to produce findings. And from a perspective of investigations going wrong, I think that, not necessarily going wrong, but a lot of organizations still aren't logging the things that they should. They aren't keeping the logs that they have, or there's an assumption that it was being kept, but they never practiced or tested those things. So when we go and try to investigate something and we say, "Do you have firewall logs for two weeks ago?" and they go, "Oh, those roll over right in about 24 hours." "What do you have? You know, so-and-so logs?" "Oh no, we don't keep those." So certainly that makes our job much more difficult. But I'm lucky enough that I work for a company that has produced some really great things, and so I think we do a really good job at that. But certainly lack of logging, lack of evidence, is a huge interrupter to a good investigation, let's put it that way.
Yes, I 100 percent have experienced this. And so I told you that at some point I needed to find a reason to mention my book, so I'm just gonna bring the book up on the screen that I just wrote, Alice and Bob Learn Application Security, and I drone on and on about how your apps absolutely need to log things, because otherwise Shelly and I, who you can see right now on the screen, get new gray hairs because we can't investigate properly. Because, like, see, Shelly has great blonde hair, so you can't see, but my hair's dark. It's very obvious when there are grays in it, and I can name the incidents for each one of them where there were no logs. So listen to Shelly.

Applications are interesting, because, you know, we deal with a lot of legacy applications, and those are always the most critical in an organization.

Yeah.

And they were never written for security, so you go in and there's no username, there's no timestamp, there's no IP address. There's just some random line that doesn't, you know, mean anything to anybody except the guy who developed it.

Oh yeah, "error 431." Come on, Shelly, that's enough information to solve the entire incident, with no documentation.

Oh my gosh, I'm grateful for folks like you who are actually teaching application security and good development.

I'm trying. Logs are everything. Logs are everything.

Yes. We have another question in the chat, and oh, it's a good one: what is more difficult, containment or eradication?
Oh, interesting. I think I'm gonna answer with the best answer ever, which is "it depends." So containment can be difficult if you don't know, or the organization that we're working with doesn't know, what they can contain. So one of the things that I always talk about is, when you're prepping for an incident response, which we should always be doing, you should be understanding the things that you could do. So in a ransomware incident, for instance, what are the things that you might need to do, and understand whether you can or can't do them, and understand whether you would, you know, if you need to ask for help, for instance, from an outside vendor or incident response firm, how they can help, and make sure all those things are in line. Because containment can be incredibly difficult if you don't know what you can do. And change control too, that's a huge piece, right? Like, in the middle of an incident, if you don't have the capability to step past your very entrenched... and change control is good, I'm a big fan of change control, but if in the middle of an emergency you can't take, you know, a 10 second downtime to do one thing, you haven't built your change management process properly. So there's a lot of words. Eradication can be difficult if identification isn't done properly, I think, because if we don't know what we need to eradicate, then we start playing whack-a-mole with everything. So I think containment is probably... I'm going to say containment, but eradication can be difficult if the identification isn't done properly as well.

I could not agree more, and the person in the chat says thank you, and basically your answers are completely awesome.
I want to encourage anyone that is listening right now to write an awesome review and/or subscribe to our podcast, and if you are watching this on YouTube, please click that really nice yellow thumbs up button. It lets me and Shelly know that, well, that you like this episode, that we are quite funny, also that you just think incident response is cool. Because quite frankly, when you're choosing topics for a podcast, I choose what I think is awesome, and I'm like, "Oh, I want to talk to Shelly, and I want to talk about incident response, this is excellent." But it's nice to know when other people also think it's a good topic.

I have, as you might have guessed, like dozens more questions. So first of all, what types of aptitudes do you think a person could need in order to be awesome at incident response and/or investigation? So, like, you can say incident management, response, investigation, however you want to blend that, but like attention to detail, hyper focus, like what types of things do you think make someone good?
Yeah, I think I will tell you that I think almost everybody that I work with is a little bit ADHD. We move very quickly, our minds move very quickly. But I think obviously there's a technical aptitude. And I don't say a technical skill, technical aptitude, and also the ability to learn quickly, just like anything else in the technical world. What we do moves very quickly; we have new artifacts, new attacks, and so we move very quickly into how to contain those and deal with those. I think, again, that innate curiosity, passion for learning, is a huge thing. Active listening: we do a lot of listening to what our customers are saying. I started out, my first job in tech was on a help desk, and this is back a little farther than I'd like to admit, and we didn't have remote control software when I first started. We had the telephone and what the clients told us, and we had to tell them to click on something and type in something.

Wow.

And so I consider that one of my best learning experiences, because I learned how to listen to what the customer was saying, interpret what they were saying, and then actually give them the answers that they needed, because, you know, not everybody's technical, and that's okay. One of my first jobs, my second job, I guess, in tech was with WestJet Airlines. I was a help desk... I actually started my security job there as well, but I started out as a help desk person at WestJet Airlines, and I had a pilot call in one day, and he said, "I forgot my password again. I'm so terrible at this, I'm so computer illiterate, I just need help every time." And pilots, at the time anyways, only used their passwords every so often; they didn't need to log in all the time, they weren't at a computer all the time, obviously. And so, you know, they only used their computers or their logins every maybe a month or so. So this poor gentleman is, "I'm so computer illiterate," and he's so down on himself on the call, and I said, "Here's the thing: I can't fly a 737. So I am flight illiterate. You do what you do, I'll do what I do." And I think that's an important thing as well. You know, we go into customers all the time that are having a really bad day, and it's easy to go in there and be condescending about the level of security that they have, the budget that they have, you know, all of the things that they aren't doing properly. But at the end of the day, again, we're meeting these people on the worst business day of their lives, and so going in there sort of humble, no ego, and that we're there to help. You know, I think, like any other customer service, which, you know, I absolutely believe I am, having the ability to empathize, and to really go in there with the desire to help, is a huge piece.
Oh my gosh, I can imagine. Oh, someone's giving me feedback that my mic is very sensitive and the muting and unmuting is really unpleasant. Sorry, I'll stop doing that then. I've been told that my typing is loud too, but I'm gonna give it my best shot. Thank you for the feedback, Yaddy. If every single person in tech could adopt that attitude, Shelly, wouldn't life be fantastic?

It would be. Not only to the customers, but also to each other.

A lot of gatekeeping goes on.

Yeah, and I think we learn from everybody. I think I was telling you just before we started, I was really honored to be asked to lead the intern program at my job this year for the 2021 intern class, and we have these great interns that come in every year, and then a lot of them turn into our associate consultants; we hire them on. And those guys are so smart. They're coming out of university, they've got, again, that passion, that drive, the curiosity, and I learn something from those guys, you know, nearly every day. And I think that's really the way to look at, for me, the way to look at life is there's always something to learn from somebody, whatever level that they are.

I could not agree more.
I could not agree more, Shelly. I wanted to mention two things before I go to more awesome questions in the chat. So first of all, I want to mention, or thank, our sponsor ThreadFix. They are the most stupendous vulnerability management system on this side of the galaxy, and We Hack Purple are really happy to have them as our podcast sponsor of many, many, many weeks now. I also wanted to mention BSides Calgary, which you happen to be a big part of, and I'm going to share the link on the screen underneath you: bsidescalgary.org. Do you want to tell us briefly, I know it's a bit off topic, but do you want to tell us briefly what is BSides, and anything cool about BSides Calgary?

Yeah. BSides is a sort of grassroots community conference, and they've been happening all over the world now, and in Canada we've had them for a number of years. Some of the larger cities have had them for longer. Calgary's is three or four years old, I think; I want to say I think we started in 2017 maybe, and I might be wrong on that. And it just happened, actually; we just finished it about a month ago, and I spoke at that as well. What I love about the BSides format is anybody can submit, and anybody should submit. It's very welcoming. I've spoken at BSides Vancouver as well; very, very welcoming conferences, great for first-time speakers particularly, and just a great way to build the infosec community within your own community. That's a huge thing. I think in Canada still we have a long way to go with building security maturity within organizations, and so helping build and grow relationships within our communities for that, you know, for the security professionals, for the new folks trying to break in, et cetera, and the students that come as well, it is fantastic. I was able to actually make some contacts at the University of Calgary in their infosec club, and so I'm hoping to keep that relationship up as well, so that I can hopefully eventually get some interns from the Canadian side coming into our practice at my work.

Awesome.
I may end up sending you people, because people are constantly asking me if I need interns at We Hack Purple, and I explain to them, yes, but more like digital marketing and, like, web design, and just the things that a regular startup needs. And they're like, "Don't you need an AppSec person?" and, like, we sort of have someone that pretty much is pretty good at AppSec.

Yeah.

And she handles that, so we need someone that's good at all the things that she's bad at. Do you know marketing? We have some questions in the chat, but then I'm, like, torn about asking you more about BSides. BSides was the first conference I spoke at, and it's hard to explain just how supportive BSides has been in my speaking career. We have BSides in, let's go west to east, so we have one in Victoria, we have one in Vancouver, we have one in Edmonton, and in Calgary. Do we have any in Saskatoon? Saskatchewan?

I don't know, actually. I'm pretty sure Winnipeg.

Yeah, Winnipeg, and then we have Ottawa. Is there a Toronto one? I don't think there is. I think there's a DevOps Day.

I don't know, because they have TASK and they have SecTor.

But then there's one in St. John's. There was one this year in Halifax. Isn't there another one out east that I'm missing?

St. John's, Halifax... there's quite a few all over, but I think that might be all of them. But that's just in Canada.

Yes.

And then I think, I love, for instance, BSides Las Vegas, for instance, is done in tandem with Black Hat or DEF CON, one of the two.

It's done sort of... it's overlapping.

It's overlapping.

That is the best. Yeah, it's basically, like, during the same time as Black Hat. So the idea is that it offsets, so people that can't afford to go to Black Hat, i.e. me and you and most of the people I've ever met, especially because the Canadian dollar versus the American dollar...

Yes.

Yeah, so then we can go to BSides because it's somewhere between free and $25, generally, to get in.

Actually, one of my team, who is in Montreal, is one of the organizers for BSides Las Vegas. So from Montreal, though, he goes down there every year, except obviously this year, and helps organize the whole event. So it's not even just, you know, just the people in Las Vegas, or just the people... you know, it's very much an infosec community event.

Oh yeah, very. I'm on the BSides Vancouver Island board, and we have someone from the mainland on our board, and someone on our board on the mainland. Vancouver and Victoria are very close; we do a lot of things. Same with the OWASP chapters, like their chapter is always helping us, and the WoSEC chapters, etc.
Okay, but now let's talk more about you. So there's some questions in the chat that I thought were really good, most of them from Way. Thank you, Way. Okay, so when you're hiring an incident analyst level one, what do you look for? Do you have certain certifications that you're looking for, that are best, or that you can recommend? Or, like, what else could someone do to try to get noticed or hired as a level one?

Yeah, okay. So for me, I love, one, that people have gone out and done a little bit of research. So when you come to an interview on incident response, please know what incident response is, at least at some level. There's lots of resources out there, and so, you know, things like the MITRE ATT&CK framework. I don't expect you to memorize it, but understanding that you know what it is is fantastic. The Lockheed Martin kill chain. And I'm just throwing some stuff out there, but having a basic understanding of what it is and what we do is a fantastic thing. I also love it when people have, you know, base IT skills, and that's a personal bias, I will admit. I came out of help desk, so by the time I got into security, you know, I had a good understanding of what normal looked like. What are normal protocols? What does a sort of normal operating on a computer look like? And so if you know what normal looks like, you're able to see what's abnormal, and my job is all about what the abnormal is, picking the abnormal out from that haystack. You know, when they talk about a needle in a haystack, we're frequently picking needles out of needle stacks, and you need to be able to pick out that one needle that is slightly different from the others, and that's by knowing what normal looks like. So, you know, coming with a sort of a base idea of what operating systems are, what a network is, are fantastic things to have.
There's a lot of discussion around whether you should have certifications or not, and some people will tell you that certifications don't mean anything. I personally, and so I'm gonna... I have eight SANS certifications.

Wow.

I know, I know. SANS is, for those who don't know, an organization that does specifically infosec, forensics, management, leadership training, and they've been a big part of me growing up as an analyst, so I'm very, very grateful to them as an organization. And what I will say is having eight certifications doesn't make me better or worse than anybody else who's doing the same job, but what it's afforded me to do is to learn a lot. That said, training can cost money, and not everybody has that, and so I think that's an important thing to note. But there are, I think there's a lot of resources out there that we can build on for free. I always recommend that people build their network, for instance, on social media. Social media can be not a great place, but it can also be a really great place to build your network, meet people, and, you know, get to know people in the industry. Research: I get a lot of, you know, some of my best and interesting research from reading articles that somebody's posted on Twitter, because sort of the latest and greatest gets posted. So probably 90 percent of the people I follow on Twitter are all in the industry. I mostly post about my puppies, so I'm sorry for any of my followers out there, but they are cute, so there it is.

But yeah, I always say, though, with juniors coming in, that I can teach you the technical skills. It's coming in with that drive and that passion, that curiosity to learn. And so I kind of gauge that with, if somebody shows up to the interview and I say, "Tell me what you know about incident response," and even if it's not technically correct, if they've gone out and they've learned something and they can tell me a few different things, I feel like that's somebody that I can teach the technical side, as long as they're willing to go out and put the work in. So that, for me, is probably the biggest thing. If I was gonna say, based on certifications... I apologize, I'm gonna keep talking. That's a Canadian thing, though; we apologize for everything. Certifications-wise, from a forensics and incident response perspective, there are some, again, some great courses with SANS. There's a basic forensics class, I think it's 300, that's a great place to start to learn why we do forensics and what some of the artifacts are. One of the courses I took early on was from the Carnegie Mellon Software Institute, and it was an incident handling class, and it taught me how to manage an incident. That was really interesting as well. So there's a lot out there, and there's some free stuff as well. It's just a matter of finding, you know, that first half, but...
Oh, yes, I actually just started following someone on Twitter called DFIR Diva, and she has been sharing tons of free resources on forensics, and I'm like, you're a totally awesome lady. Yeah, she's wicked. For people who are listening and who are wondering how to spell Shelly's handle: it's nerd, so n-e-r-d, and then it's i-o, so nerdy as in nerd with an i at the end, so i-o-s-i-t-y, so there's no y, because I was thinking nerdy like n-e-r-d-y, but it's n-e-r-d-i-o-s-i-t-y. Yes, spelling for the win.

[Laughter]

And there's a bit of conversation in the chat about why is SANS so expensive, and it's probably because they can, because they're like the highest on the market. Like, I run a training company, and if I could afford to go to SANS to learn the things I don't know, I would probably want to go. When I was in the government, though, my entire training budget for the year was around 2,000 to maybe 2,500 Canadian dollars, and SANS courses range from like six to nine thousand Canadian dollars with the exchange, and then you add certification, it becomes around 10,000 Canadian dollars. And we get taxed at a very different rate than Americans, so we actually pay a much, much, much larger amount in tax, and I remember working it out one year, and after tax it was 20% of my income for the entire year if I wanted to take one SANS course. And I was like, in my brain I cannot find a way where I find this acceptable and not just irresponsible spending on my part, and my boss just laughed at me. But I actually recently wrote an article on how to justify training to your boss, because I've learned a lot, because I get turned down and turned down and turned down, and then I got better at asking. So I can share that in the chat, an article on how to show that the value of what you're getting for your org will be higher than what they're paying. Yeah, math. It's tough.
I mean, honestly, so I will tell you that I'm a big fan of SANS too. I just literally last week finished my Master of Science in Information Security Engineering from the SANS Technology Institute, and I'm about to embark on becoming a teaching assistant for SANS, so as outside in my copious amounts of free time. So I have some bias, and I will absolutely admit to that; there's some bias inherent in this. How I was able to afford, if you will, a lot of the training that I did, and how I was able to con my boss, I want to say con, get my boss to agree to send me to training: one of the programs that SANS runs, and this is a big up for this, is they have a work study program or a facilitator program. If you look on their website, it's there, and if you get accepted into the work study program, the tuition is a fraction of what it is full price. And what I love about the program, other than the tuition part, is I really got to then be able to spend some time with the instructor, who, you know, is just like brilliant. And so you get to kind of get to know these people a little bit more than just sitting in the back of the class and maybe being a little shy to talk, but you kind of get to interact with people a lot more. And I think at a conference particularly, unless you're really, really an extrovert, you don't always meet people if you're afraid to kind of stick your hand out there and say hello. But as a facilitator, you're kind of forced into it. So that's a great way. I did that; I think I've facilitated three or four times. And that's a great way to say to your boss, I'm doing this for way less than it normally costs and you should send me. So that's awesome. It's still tough, let's face it, especially in the times that we're in; getting budget for training is always the last thing.
Yeah, but really, I mean, people doing phishing and all sorts of other attacks have certainly upped their efforts. Unfortunately, they aren't out of work. But anyway, I'm not going to complain about heartless people doing ransomware attacks during COVID. Anyway, thumbs down on them. There's another awesome question in the chat. Wait, Way is on a roll, so thank you. As you are managing the team, what are the qualities of the best incident responders in your team? You mentioned active listener and attention to detail, but how do you quantify that, or basically, how could someone try to be awesome at those things?
I think those are really practice. So the other piece that is a really big one is being able to explain the technical to anyone. So we deal with very technical things, and the customers that we deal with, sometimes we're sitting on a call with the executive team, and they are not technical. They know how to log into their computer; they don't know how that works. And so when you tell them things like, "we found a persistence mechanism in a registry key that's used to blah blah blah," what they hear is... so my job is usually to translate that. So my particularly younger analysts are very technical but don't always know how to translate that into customer-ese. So I throw my associates and my consultants in off the deep end and say, "Ethan, would you like to explain what you found?" And I actually make them do it, because there's no better way to learn how to actively listen, explain things to an executive, or, you know, even provide empathy, than practice it over and over again. So like any good thing in life, it requires practice. Yeah.
I just... so people who are listening, you can't see me nodding vigorously, and also when Shelly makes jokes, me trying to cover my mouth before I start laughing really loudly, because I usually mute myself when I get the giggles. But Shelly has been cracking me up with some of her answers, but not this one; this is very good. So I have another question. So when people are trying to decide, you know, their career, for a lot of people how much money you make is an important deciding factor. So does incident response pay well? Where would it rank on the scale of, you know, software developer versus help desk versus executive?
I think we get paid well. Part of that is, of course, we don't work a Monday to Friday, eight to five job, so I think part of our pay scale has to do with the fact that we work holidays and weekends and the middle of the night. And I've had... so previous to CrowdStrike, I worked at Cisco. I managed the team there for three and a half years with another lead, and I actually had one of my guys miss his son's kindergarten graduation because we had a customer that we needed him to be at. And I will tell you that I try to avoid that; if we can avoid it and get somebody else to do it or go, I will absolutely try to do that every time. But sometimes that's what we do, and that's what we kind of sign up for. So I think part of our pay scale reflects that. So compared to, say, someone who, you know, doesn't have those, sort of a Monday to Friday, may have a similar skill set but it's sort of Monday to Friday, eight to five, I think our pay scale reflects the fact that we, you know, sort of have an unusual schedule.
Yes, I recall my 37th birthday, having 30 people in my living room while I was upstairs attempting to pass over management of an incident that I was managing, and I'd already been managing it 12 straight hours. And I was like, I have bottles of champagne and like $300 worth of raw oysters downstairs, and my friends are not eating and drinking all of them; I am getting some of them; I am turning 37 today, and this is happening, and I have another way-more-senior-than-me incident manager that I'm handing this off to. I'm like, dude, I'm exhausted, you don't even want me anymore. And he's very upset; he's like, no, I only want you. And I was like, no, no, this guy's way better. And it took me like an hour to get him off the phone. I was like, just calm down, it's not even a really big deal.
Yeah, probably my recent experience isn't as dramatic as that. That is... but I was actually... she's angry, yeah. My wife and I bought a camping trailer this summer because we wanted to... obviously with the whole COVID situation we haven't been able to travel the way we like. So we bought a travel trailer, and we were taking it out for our first weekend out in it. We were out in Canmore in the Canadian Rockies, which isn't far from home for us; it's about an hour, but it's amazing. We're all set up, ready to get some dinner on, and I got a phone call. So I'm standing in the middle of a campground with my wife, and she's already got a drink in her hand, and our dogs, and I'm on the phone with a customer who is having a crisis, in the middle of a campground, and thank god I actually had the signal. But yeah, it happens, right? So yeah. But I would always say you don't have to love what you do as long as you get paid well, but you can't hate it. So I think I'm blessed that I also love what I do, and then I also get paid pretty well to do it. So it's a good deal.

It really is, if you think about it. Incident responders are sort of like that emergency room at the hospital person, where it's like you're triaging and fixing everyone, and just, you know what I mean, and you're that cool as a cucumber, like, don't worry, I got this, you there, you there. You must have amazing stress management skills. Like, you must have all these things that you do to relieve stress that are just incredible. You're like yoga-ing and everything. Do you have like a whole thing that you do so that you can handle, like, or calm down after an incident?
You know what, I actually got off a call one time with one of my colleagues, and he said to me... on the call, the CSO of the company had actually yelled at me. Nothing that was our fault, but he was stressed and he decided he was going to yell at someone, and it was going to be me. And we got off the call and my colleague called me. He said, "I can't believe how calm you were." He said, "I would have lost it at him; I can't believe how calm you were." And I said, "You noticed that my camera wasn't off?"

You're like, good.

The voice was super calm.

Oh, wow.

The face was not so calm. But, you know, I think it's a little bit of, sometimes it's that swan thing, where you're all serene on the top of the water but your legs are going like this underneath.
I used to work at a computer repair store like 20 years ago, and if we had a customer come in and yell at us, I would bring whoever got yelled at into the warehouse. And we were a warranty shop for Apple, so we would have all these keyboards and mice lying around, because unlike the parts inside a computer, with a mouse and a keyboard they would just replace them, and my boss kept keeping them and I didn't know why. So then I would just say, "Keep smashing keyboards and throw them off the roof, do whatever you need to until you feel better." And they're like, "What?" I'm like, "Like this, smash," and then I just get them to, like, I'm going to climb up the ladder, just throw it, and I just keep doing it so you feel better. Sweep the stuff into the garbage and come on back; you've got 15 minutes, just smash things. And it works so well.

That's amazing.

It's amazing, and we're supposed to throw them out anyway, so I was like, might as well make them messy, it's fine.

That's amazing, that's amazing.

I feel like I could talk to you for at least one more hour, but we are actually like right near the end, so there's one more question in the chat, and then I'm going to do the wrap-up questions. Okay, okay, so have you ever mentioned someone in your team that has ever gone above and beyond, and what made you... and if yes, what made you do that? So has someone ever gone like way above and beyond on your team, I guess, and what was it that they did that you felt was so amazing?
Oh my gosh. You did it. Yeah, again, I'm super blessed to work with just amazingly dedicated and smart people. So I think for us, I'm working with, you know, a particular team with a client right now, and so we work on a statement of work that has a number of hours associated with it, for instance, and we finished an incident with a customer, and they were supposed to implement a recommendation that we gave them, and it has not been done yet, and somewhere in the middle of that, unfortunately, they got breached again, and they came back to us, and this is literally a short period of time, and they came back to us. Yeah, it's terrible. And we had a very small amount of hours left on this SOW, and the project manager that I'm working with, who's one of the folks on my team, just jumped right in, and we've put in a number of hours there that are probably going to go, you know, unbilled, to make sure that they had what they need. But I think one of the things we do at CrowdStrike that kind of helps that, you know, and makes that a culture of recognition, is we do awards every year, and I was lucky enough to give out an Above and Beyond award this year, actually, to one of our consultants, and I think having that kind of culture of recognition is huge. But, you know, I think everything that we do is about getting that customer to where they need to be. So, as I said, I'm super blessed to work with folks that do that, and my job as a manager is to make sure that those folks get the recognition for the work that they do. So whether it's on a customer call and saying, you know, "Tony did this amazing job finding this artifact, and I'm going to let her tell you about it," as opposed to me being the one that's the talking head all the time, or, you know, getting on a call with my leadership, or with the whole... we have all-hands meetings all the time, and saying, "By the way, great job on this from this person," and making sure that they get recognition for the work that they did is a huge thing.

Absolutely. Awesome, awesome. Way, thank you, thank you so much. Are you hearing that echo?

Nope, no echo.

Okay, great, then if you're not hearing it, I'm sure it's fine. I want to thank the people in the chat for all their great questions, especially Way, with so many awesome questions. Thank you, Shelly, for being on the show. I have one last question: where can people find more about you? Because I know that you do speak at conferences and stuff, so let's say someone wants to follow you, or there's like a website.
So I am on Twitter; that's probably the easiest place to find me, at nerdiosity. I have a website, nerdiosity.com, which I don't update nearly as much as I should. I have a couple of research papers on SANS if you're interested in my work. DNS is a big flavor of love for me, and so I have a paper on SANS. I don't have any upcoming talks, but I'm hoping to do some speaking again next year. Last year was the Magnet User Summit as well as BSides Calgary, Fal.Con for CrowdStrike. I'm usually applying to most of those conferences, plus a SANS conference or two, since the DFIR conference is amazing. And oh, plug again, I apologize for this, but the SANS summits are all free next year, in 2021; they will be virtual, they will all be free, all of the summits. So threat hunting, intel, DFIR, I'm not going to get all of them right, but ICS; they've got so many and they're all free next year, virtual, which I think a lot of companies are doing. Magnet did that last year for their user summit as well; it was amazing. And so look for those events. I think 2021 is going to be another year for a lot of virtual stuff, and so I hope to be at some of those as well, at least virtually, and so hopefully we'll see folks there.
Cool. There is a question in the chat of, are you on LinkedIn?

I am, I am on LinkedIn: Shelly Giesbrecht on LinkedIn, so you see the picture with the bow tie. I think I'm actually wearing the same shirt in that picture.

I love the bow tie, by the way. I think it looks hot. Especially, I actually really like your whole look. Okay, so I'm going to stop complimenting you on your fashion and thank you so much for being on the show, Shelly. You are the first person to talk about incident response, and especially talking about incident management. This is super-duper helpful. Thank you very much for being on the show.

Thank you for having me. It's been fantastic.

Awesome. And with that, that was the We Hack Purple podcast, and I am still your host, Tanya Janca, and that was Shelly Giesbrecht, damn it, I hope I got that right, because she was such an amazing host. Her wealth of knowledge was... well, basically I wanted to ask her questions for at least four more hours, but I know that's inappropriate and people don't like that. I want to thank our sponsor Thread Fix for being not only with us this week but for so many weeks in a row. I want to let all of you know that tonight at midnight, basically, the last course in the Application Security Foundations program from We Hack Purple is coming out. Yes, that's right, as soon as this podcast is over, that's exactly what I am working on, and so the entire program, including the certification, is going to be ready and available as of tomorrow, so I hope that you go over to the We Hack Purple Academy and check that out. While I have you on the call, I want to talk about the next couple weeks, who we have coming up. Next week, so December 17th, right before the holidays, we have Majida Afrin, and she's going to talk about being a bug bounty hunter, and then if you liked this episode about incident response, you definitely want to show up for January 7th with Nashua Lindsay, and she's going to talk specifically about forensic investigation. After that we're going to have Brian Anderson, who's going to talk about basically being an operations manager and in charge of security service delivery, and then after that we have Sasha Rosenbaum, and if you follow me on Twitter you've probably seen a lot of Sasha lately, because she has been tweeting a lot about my book, and gosh, I just couldn't even dream of having such great support of a wonderful friend like that. So with that, I am She Hacks Purple, and this was the We Hack Purple podcast. Thank you, and I can't wait to see you next week.