
Bits about People Management, and Team Building for IT Sec teams

November 15, 2018 in People Management, Preaching, Puzzles

Over the years I have had the privilege of managing a number of teams at different companies. While the feedback I get from my old reports is typically positive, I only hear it from people who are happy to maintain a friendship with me after our professional paths split. So, while this pleasant availability error could put me on a pedestal of people management… the reality could just as well be that I totally suck at it. Who knows?

People Management is hard.

People often ask: how to get better at people management, especially in a technical world?

I think a question like this is a premature one.

First of all, people management is not for everyone. And IMHO most technical people should not be doing it, unless they have a real call for it. Seriously. No hurt feelings, but just no. An individual contributor can climb the corporate ladder too, and very high, with no burden of ‘having to deal with reports’.

Also, not every manager position is good for every people manager, yes, even a good one, one that ‘delivers’. Some people managers find themselves performing better with younger teams, because they can ‘energize’ them, mentor them and empathize with their struggles during these first years of a professional career. Others will find such tasks daunting as they just want to get stuff done. Quickly. Such people managers will work very well with a well-developed, and often older, more experienced team. Let’s be honest, they are actually more Project Managers than People Managers. It is a HUGE difference. Directing multiple and multi-level teams is a completely different game as well.

So, how to get better at it?

It is still a premature question.

Do you know why you are there? What are your powers and responsibilities?

I didn’t know when I became one. It escalated quickly, because as a technical person I suddenly had to have a lot of 1:1s with individuals. And I am not too social. But I know my reports are not either. So that helps. We sit there barely looking at each other and we are both getting better at it.

Still… such a new experience, cuz… we no longer talk binary. We talk about life. Mainly their life and aspirations. And this is one of the reasons why people management can be very tough, mentally; you really need to deal with your employees’ personal lives, and understand their circumstances. Very technically ‘non-sexy’. And when it gets ugly for some reason, it is something that a regular employee typically deals with on an ‘office gossip’ level, and usually ‘after the fact’, while a people manager hears it first hand and has to think on his/her feet pretty quickly. Other than the usual admin work (and there is plenty!), s/he encounters cases of personal tragedies, unexpected life circumstances, new & better, or ruined futures, sudden departures, hassles with req approvals, HR and legal involvement in some cases, and not only the exciting hiring process, but also laying off. Not fun. And there are metrics to maintain too 😉

So, how to get better at it?

Practice. Do not treat people like reports. Treat them as your SMEs. Empower them to speak, shut up and listen, and then discuss; in the end be _decisive_. Keep your promises, or tell your side of the story to give the context if you can’t. Be HONEST. It goes a long way. And IMHO nothing kills technical people more than corporate jargon. So, there you have it.

But… that’s not all…

Managers are often tasked with organizing team events. If they are lucky enough to have some ‘people person’ on the team, it’s easy to delegate. If not, you just need to deliver on your own…

And now, after such a long intro tirade it:

  1. … actually gives me an excuse to write some more about people management in the future
  2. … is time to bring up the topic that I actually want to talk about today!

I love puzzles and riddles. Not all of them, but… since I was a kid I have always been a big fan of crosswords, any sort of word play (anagrams, palindromes, homonyms, etc.), pun games of any sort, “Weird Al” Yankovic and –wannabe songs, as well as mechanical puzzles (if you have never heard of Hanayama, please drop everything and look it up, like… right now).

Recently, I had a chance to play the escape room game.

While it was something I had heard of before, I had a very incorrect perception of what it is. I haven’t watched much TV in the last 15 years, never really played MUDs, and not that many board or card games, plus I never bothered to actually look it up to correct this wrong perception, so… mea culpa. For some, more or less biased reason, any time I thought of it I had a mix of Survivor, ‘panic room’, Houdini escapes, and Fort Boyard games in my mind (again, I don’t watch TV, but have a vague idea of what these TV shows are or were). Since I assumed it includes some cheesy role-playing and lots of muscle work in closed, tight spaces, plus I am cynical and a bit claustrophobic, I simply stayed away from it.

What a strategic mistake…

Playing the game for the first time I realized that I was totally wrong about what it is + I actually really liked it. In case you don’t have a clue what it is about, perhaps this post will make it easier for you to try it…

The escape room is basically a room full of puzzles.

Whatever the escape room game setup is… doesn’t really matter. You get some intro story that sets you up in the escapist mood (oh man, it is actually a bit of cheesy role-playing after all!), and the narrative of what happens next. You will get some vague instructions and… off you go. And of course, you are in the room or rooms and you can walk out any time you like.

You and your buddies may get a few props. It can be a treasure chest, a cryptex, a map, puzzle pieces that need to be put together, a key or a clue hidden inside a mechanical puzzle, a word riddle, a bunch of mathematical equations that need a solution (sometimes more than one), a few pieces of wood or metal with some magic symbols on them, and plenty of red herrings as well. You may need to write things down, search the room for clues, and use your detective and investigative skills.

The props may be ‘HarryPotterized’ or otherwise ‘alchemized’ and ‘mystified’; while their role is to fit the narrative and help set up the mood + actually give you the riddles to solve, it’s actually pretty cool to see them having the ‘look and feel’ that makes them more ‘real’, and aligned with a particular story play. Some may include ‘burnt’, crumpled, stained sheets of paper with various types of riddles, 3D puzzles, mazes, cryptogames, substitution ciphers, riddles hidden in poems, etc. Some may use a different medium. I am intentionally writing about it in a generic way, because the less you know about it, the better it is when you have to solve things on the spot!

The common denominator is that the whole experience relies on solving puzzles. No muscle work, no confined spaces, no holding your breath under water for extended periods of time, no crocs, no magic tricks. There is also an element of time pressure, some ad hoc challenges for your team, and really surprising collaboration that you will encounter during this puzzle-solving experience.

The last bit is especially interesting to me as a people manager, because my skepticism towards team building activities is usually pretty high. Participating in the escape room game actually changed my opinion about it. Probably for the first time I felt it was a team building experience that is almost by design aimed at your regular IT SEC person, and not a sales guy, an HR person or C-level guys. No off-roading, no shooting ranges, no golf, no Disney World, no go-go clubs, no gambling, no alcohol, no karaoke singing, no dry presentation quizzes, no motivational training and spiels, no human knots, etc. Maybe I am in the minority, but these don’t speak to me at all. I find these pretty irritating, to be honest. (And okay, I lied a bit, some alcohol is ok 😉)

But… puzzle solving ?

YES!

And then comes the collaboration element:

  1. you will see natural leaders, or alphas, at work; there may actually be a few of them, and quite naturally all of them move places and positions of influence as the game progresses; it’s definitely not democratic at all, there is a bit of internal competition, but it shows the strengths of each temporary leader emerging for a moment as a Subject Matter Expert; it’s pretty cool to observe; it is a moment of empowerment for everyone
  2. you will realize that while you are good at some puzzles, other guys are good at puzzles you don’t have a clue about! this is a very nice, humbling lesson; probably the best part of it really; you may be caught off-guard when you notice some of the coworkers you don’t know that much about actually killing it; yes, THEY TOO, same as you, if not more, DO have IT in them; mutual respect grows this way quickly
  3. collaboration, even with complete strangers, is actually possible; you will form small teams organically; they will rise and they will die down quickly, but it does build that ‘solving problems together’ atmosphere which is very rewarding, especially if your mini-team solves the puzzle and gets the whole team one more step closer to the final riddle; it is to be expected that next time you meet the ‘stranger’, s/he is no stranger at all, you will have a great memory to share (no ice breakers needed!)
  4. solving problems together gets both very creative and dumb – depends on the puzzle, and the overall progress of the game; you will get stuck, go back, regroup, rebuild mini-teams, and the solutions will appear; a pretty cool demo of testing problem solving in pairs, triplets, fours: some of them don’t work & some deliver beyond expectations; and lots of laughs and head scratching
  5. cheating is an art form – you need to quickly develop the per-game skill and hide it from opposing teams and escape room ‘guides’ 😉 yes, you need to cheat by all means (but not by googling the answers; more by changing the odds of the game in your favor – again, I won’t cover it in detail so as not to spoil anything for anyone)

Overall, building teams is really hard work; there are conferences (quite a passive interaction), the gamut of HR-driven activities I partially described above (usually not attractive to naturally introspective individuals, let alone imposter syndrome badge holders), there are very active technical CTF exercises, but these are not for everyone either (the bar is typically set at least ‘high’ + it’s almost like work since you get stuck at the computer for many hours), and then there is an opportunity to go out, meet in a strange new place, and together solve the puzzles… of an escape room. And that’s probably the best way to build the team – escape the room/office/cubicle and… together solve problems. That human interaction is not imposed on anyone. It just happens and it’s great to watch and participate in.

p.s. one may argue there are always individuals who love some of the ‘other’ activities I listed; I can see that of course and am not arguing to completely abandon them; I am also aware that I have a very subjective view that is based on years of participating in various activities that were supposed to build a team, but imho failed miserably due to managers not understanding what makes the audience ‘kick’. Perhaps an anonymous poll is a good way to find out what clusters of reports like? perhaps there is a need to have all these different activities at some point to keep everyone happy? I really don’t know. This is a moving target and people managers have to keep up. I know I just like puzzles, and I hope you and your team do too.

10 years of IT SEC everything and nothing

November 3, 2018 in Personal, Preaching

In 2008 I joined a security consulting company in London, trying to do something different. After working for an antivirus company for a while I wanted a change. I had been looking for a job in London for nearly a year… so…. when this magic consulting opportunity popped up I jumped on it, even if it meant a bit of a salary cut. And… I had never done security consulting work prior to that, plus I am/was/will always be quite anti-social… so… understandably… I was terrified.

In my new role I got to do work for two ‘branches’ of the company’s security team:

  • one that did pentesting, code reviews, and forensic work on credit card breaches (PCI) in the private sector, and
  • the other one that I would only occasionally support: the forensic team that did the ‘heavy on the mind’ work for law enforcement.

Without going into details: I had to quickly learn a new set of soft and technical skills, fail miserably both in acquiring them and using them on my first IR gig, learn to appreciate the fact that I was not the smartest in the room, or that ‘technical knowledge alone’ doesn’t actually sell, and kinda by accident… eventually start adapting to this new, emerging DFIR market.

Having reverse engineering skills helped a lot. I was able to quickly make some sort of impression on a number of people – both peers and clients; I was ‘flying’ through the samples they were sending my way and was providing them answers faster than anyone else could.

Good.

This helped, and became ‘my thing’ in the next consulting company I worked for as well; it helped the company win some brownie points with a number of customers, and organizations, and most importantly – the relationships I built at that time I still cherish today.

You may be wondering why I am writing this?

Mid-life crisis? Mental breakdown?

Hmm probably, but not really, I hope 🙂

10 years later I must admit I think of these times with a bit of nostalgia, and, probably like many people in the industry who share a similar experience, I can’t think of it any other way than ‘what a crazy decade it was, but I loved it’… We all literally not only witnessed, but also helped to build a new industry!

Soon after I entered this forming ‘scene’ we had an avalanche of reports in the news: Aurora and the APT craze, Stuxnet, a torrent of never-ending white papers about state-sponsored attacks, the Snowden leaks, any leaks really, LulzSec, Anonymous, POS malware, ATM malware, more ATM malware, lots of hacking stunts; even migration from old-school social media to new became a thing: blogs to Twitter, then random coding web sites migrated to Google Code and GitHub, Usenet and CodeGuru/CodeProject to Stack Overflow, and so on and so forth… oh, and let’s not forget the ‘everyone is now coding in Python’ bit – the coding lingua franca du jour replacing Perl, bash, VBS, C and everything else, and then the decompilation magic of the Hex-Rays decompiler, the ‘wow’ effect of the first iPhone jailbreaks, superawesome Pwn2Own awards, Project Zero, the new security measures (ASLR, DEP, etc.), development of sandboxes, spy companies being hacked and doxed, then the emergence of ‘new’ security industry branches: threat intelligence, EDR, and threat hunting, and tons of new reversing and forensic projects that completely changed the way we do things from manual to automation and conquered new platforms (Volatility, plaso, SIFT, Autopsy, x64dbg, radare2, remote forensics, etc.). Lots of new, great & strong researchers and developers joined the community as well, plus, we even started sharing! And while a bit less related – we observed lots of company acquisitions — bye bye boutique companies. Welcome to big business taking over. And… yeah… imagine that 20 years ago… Windows now hosts Linux.

WTH?!

For me personally, luck put me in the shoes of a programmer, localization engineer, writer, an investigator of early PCI DSS breaches, forced me to do some pentesting (not the biggest fan, for some reason it doesn’t click with me) and code reviews, then people management, project management, some compliance work, accounting, company secretary, and finally introduced me to a number of super smart individuals. And in the end these experiences helped me land more interesting jobs at a number of companies I would never have dreamed of joining (ok, partially because I didn’t even know they existed! :)).

As they teach you during an MBA – people networking is the key. And it’s the people networking that I never believed in too much… that somehow happened accidentally! This decade was probably the first time in my life I felt I was in the right place at the right time. The Hexacorn project was built upon all this sentiment and excitement; the ideas I had sat on for a long time eventually had their outlet and I launched it in October 2011. Simultaneously, between 2011-2018, for 7 years, I held FTE jobs at various fintech companies while spending my private time cracking problems for my Hexacorn clients and doing research. To be honest, I do hope I can come back to it in the future, but for now I am taking a break (it actually feels good to just focus on one [new to me] thing and not have to work till 2-3am on the moonlighting projects).

Again, why the heck am I writing this?

As you throw yourself deep into one of these ‘specific’ infosec subjects, be it reversing, forensics, log analysis, SOC, CERT function, threat intel, threat hunting, writing tools, or even less work-related events: attending conferences, networking and blogging…. the other trends in the industry progress at a really rapid pace!

You kinda know it, you feel it, and have it within your hand’s reach until one day you wake up to realize that other than the articles or their headlines…. you know nothing about the new OWASP Top 10, CPU bugs, cryptominers, IoT, ICS, Cloud, 2FA standards and bypasses, smartphones’ internals, and yes, even JavaScript – many of which you probably or kinda knew by heart back in the day (!), let alone new network protocols, new HTTP headers, new rules enforced by browsers, GDPR, the introduction of WebSockets, WebAssembly, completely new types of vulnerabilities, pentesting tricks, and tons of other things, including an ever-growing vendor offering, more and more bug bounty programs… and also – your knowledge about other stuff that is getting really old is actually… declining. Yup, while we are constantly looking at all the ‘new’, who has the time to revisit these old RFCs?

The never-ending paradox of being in the middle of it, but also totally outside of it is… well… quite depressing.

We can’t forget about our progressing age either.

You now work with a new generation of security pros who know more, think faster, and know everything about the ‘current state of affairs’ better than you
+
I don’t know what they do, but they seem to know all the memes better than me!!!

Yet another reason to feel obsolete, redundant – I guess it’s time to give up and retire.

Right?

From ‘the youngest chap in the room’ a few years ago you suddenly become ‘the oldest one’…

Ouch.

How the heck did THAT happen?

As you get engaged with the younger and smarter, as you talk, as you read what they write, as you feel their excitement, you will hopefully realize that your experience actually does have a bit of a benefit. First of all, you can quickly adapt. Secondly, you have ‘seen it all’ (okay, lots of it, at least). Thirdly, they are not against you, and may even see you as a teacher and friend – and on that note – you can learn a lot from them too! If you are lucky, they are actually like you, or better than you, greedy for knowledge, really fast, and just a bit younger. You may become their mentor, but also… their mentee.

And with that… time for an explanation: why did I write all this…

Over XY years ago almost all my buddies at the uni were learning Java. It was the FUTURE.

While they were talking UML, Eclipse, etc. I was focused on x86 assembly language, the art of cracking games, bypassing protectors, and understanding how demoscene demos and viruses are made. Most of these guys were shrugging it off – I was just a weirdo and had my weird hobby… While they became unbeatable masters at Java, I got to skim through stuff, and learn and program some of that Java (my BSc project was Java-based!), I got to use my x86 / x64 asm skills a lot, I got to learn how to C, Pascal, Delphi, VB, VBA, VBS, unix, Windows, osx, basic Objective-C, use tools, build my own tools, and face a lot of challenges they will never face (e.g. cracking a password for a very obscure private application), etc… And most importantly, I never learned _any_ of it fully. Yup, I ended up being the sad Jack of all trades.

Is that wrong?

I don’t think so. I learn new stuff every day, I constantly ‘index’ interesting bits from every blog/tweet I read, and while I am aware my knowledge is becoming obsolete every single day, no doubt, I know that I am also capable of things, given an opportunity.

I think we are forced more and more to be IT Security generalists. Ones with an interest and capability to deep dive if necessary, and into many topics new to us. We don’t actually build things anymore. We delegate. We try to understand the big picture, but more importantly – we try to understand it in a security context. And then in a business context. So that we can delegate with guidance. Over and over again I learn that people outside of IT SEC don’t know what I am talking about and it always takes an effort to explain this stuff to others. No, they don’t know what you do. They don’t care/know/couldn’t be bothered. So, you need to explain, explain again, and then rinse and repeat. By the sole nature of being on this cutting edge we end up being preachers, educators, and yeah, as some describe themselves – evangelists or strategists.

One thing is for sure, it’s not for everyone. It’s not comfy to know only 10-15% of it. ‘Real’ developers or architects won’t like it. ‘Real’ pentesters won’t like it. ‘Real’ compliance guys won’t like it. And ‘real’ hardcore forensics analysts or ‘firewall’ guys won’t like it either… IT Sec is now a soup of everything else, an amoeba, an amalgam, sometimes a bit of a mess that hits the fan – to deal with it you need to feel comfy with… the chaos.

Perhaps this post is my way of dealing with the impostor syndrome. Perhaps it’s just fake infosec wisdom I am pretending to understand. One thing for me _IS_ sure, and I will preach it to everyone who dares to listen: never rest on your laurels. While I am looking back at my past I must honestly admit that in my own eyes I did commit this sin twice in my career and it took me a long time to catch up afterwards. Each time.

So… DO NOT REST ON LAURELS.

As long as you don’t rest on your laurels, you are an impostor with a purpose – probably the only meaning of our infosec life…