Today’s interview is with SIEM master Rocky DeStefano. Rocky is one of the (if not THE most) well respected SIEM experts on the planet…though he’ll never admit to it.
Q: Tell us a little about yourself.
I’m a Christian and I’ve been married to my high school sweetheart for nearly 17 years. I’m the father of 4 wonderful rugrats/mutants (at about age 12 they complete the transition from rugrat to mutant). My wife is an MFM (High Risk OBGYN) Doctor here in Austin, TX and my kids are a hell of a lot more intelligent than I am. Everything I do is an effort to make life more fun for my family.
I’ve been playing with technology for as long as I care to remember. I was playing computers all the way back in elementary school – just as my kids do now, though they have much cooler computers than I did. For the majority of the last decade I’ve been involved with SIEM and Log Management solutions in the context of security operations and incident response.
I’m motivated by seeing others succeed and knowing that in some small way I helped to enable that success.
Q: How did you get interested in information security?
Divine intervention. I entered the USAF “open/general” meaning without a plan other than to serve my country. I took a battery of placement tests and somehow talked my way into the intelligence field. From there things fell into place for me. Let’s just say the Intelligence community took a young inquisitive mind and added analytical rigor and focus on a mission. Once I left active duty I moved over to AFCERT and found even more ways to stretch my mind with real-world application working alongside some of the best security professionals on the planet!
Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?
I have mainly learned OJT through real world successes and failures. I’ve been lucky enough to be surrounded by some seriously brilliant people over the years who took pity on me and provided serious mentorship.
I do have the prerequisite industry certifications, although their current usefulness is questionable. Certain contracts I was on required them, so I spent an hour or so studying, took the tests and put the rest of the paperwork together.
Biz/Mgmt Training: I’ve attended several hundred hours of management and business training courses over the years through both university and commercial offerings. I’ve also run my own businesses or major aspects of other businesses, so I’ve had years of OJT. Spending your own money really helps you appreciate the finer points of getting business buy-in on IT Security spending. The best management training was to allow myself to be managed and to learn from those around me. I’ve experienced the best and the worst, but I’ve always learned important lessons. I look at every interaction I have with people as an opportunity to learn, about them, about myself or about whatever subject we’re talking about.
Technical Training: I’ve had a significant amount of technical training on everything from stuff I can’t talk about to the normal vendor training. From the self-training aspect – I still maintain a fairly extensive lab at home (17+ physical machines), though I’m moving much of it to Go-Grid and Amazon or consolidating older machines to VMs to host on my Mac Pro. I love learning and try to find something new to learn (or teach) every day.
Q: What did you want to be when you grew up? Would you rather be doing that?
I probably would have been a Hitman, or if I had learned to listen to my conscience I would have been a Cop/Federal Agent. Some days I can honestly say that I’m not sure which way I would have leaned. I also realize that I’m still growing up (ask my wife, she’ll be the first one to confirm that statement) so I might wind up in an entirely different place 10 years from now. We’ll see.
Q: What projects (if any) are you working on right now?
I’m launching my company VisibleRisk and its associated blog and podcast. The company is focused on overall intelligence for the enterprise, focusing on more than just point product analysis and increasing the visibility of the actual risk the company is facing. Not in terms of an assessment, but from the perspective of what an intelligence analyst would present based on all-source data and broad context.
I’m also working on creating solutions to support SIEM (tools like ArcSight) and network analysis tools like NetWitness by providing or using intelligence feeds and making available updated, contextually relevant content. Basically, subscribe and receive daily (or at least very frequent) content updates – I call them detection profiles.
The podcast is about sharing information, pushing ideas further and letting everyone listen in. It’s about the subject matter and the participants, not me.
Q: What is your favorite security conference (and why)?
I tend to prefer smaller, more focused activities – IANS Forums are a treat for me because I get to facilitate some awesome discussions. I really enjoyed the recent SANS What Works in Incident Detection Summit. I loved SOURCE Boston last year; it was absolutely fantastic, intimate, and the quality of the presentations was amazing.
Of course I do wind up at BlackHat/DefCon and have fun catching up with everyone and to be honest I enjoyed myself at RSA this year. Experiencing a conference like that from a “press” perspective is so much different than participating as a vendor.
Q: What do you like to do when you’re not “doing security”?
Wrestling (mentally and physically) with my kids. There is nothing I’d rather do than spend time with them. I learn so much from them and am amazed by them. God help us all when this generation takes over, they are even more impatient and sarcastic than I am.
Q: What area of information security would you say is your strongest?
Analysis is my strongest area, which means tools like SIEM and Network Analysis tools come very easy to me. I’ve enjoyed some success and endured a lot of learning opportunities at the hands of some of these products over the last decade. I also have a talent for bridging the technical and business gap in communications. Being “hands-on” from both perspectives allows me to fit natively in all aspects of that discussion.
Q: When deploying a SIEM solution in a new environment, what are some of the things people should consider or plan for?
I’m way too verbose on this topic. First I’d point them to my blog, simply because I’ve spent years trying to get the information out in a helpful manner. To summarize it, if they know they NEED a SIEM then they should already understand their use-cases. If you understand your use-cases then the data inputs, correlations, reports and users are already defined and your SIEM deployment will fit into your operational model. It will take work, but it will be successful. If you do not know your use-cases and you buy a SIEM, it will take more work, cost you excessively and the project will probably never be integrated as well as it could be, or more likely will just fail.
Q: What about your weakest?
Weakness? I have to admit a weakness? Ok… I have a habit of personally taking on way too much. I like to solve problems that are way over my head – but sometimes I can take on a few too many of them at once. This is primarily due to a lack of patience (I see a problem and it needs to be fixed) or sometimes simply thinking that I can still work 30+ hours straight without sleep and/or food. Another “weakness” is that I focus on people; I care deeply about those that work for me and those I do business with. I don’t see this as a “business”, I see this as my life, and I enjoy the people interaction and the focus on the mission we are trying to accomplish a lot more than the personal financial aspects, which in the end is why I’ll never be a billionaire.
Q: What advice can you give to people who want to get into the information security field?
Find a mentor/peer or 12, use them to keep you sane and on track. One small example: There are several of us that share blog posts ahead of time to refine them and make them relevant and engaging for the reader.
I also maintain a network of very senior people across the industry that I trust. I seek their input on every major career decision I make. Sometimes I even follow their advice, but I always appreciate the fact they are willing to listen and offer assistance. You can’t do anything meaningful in this field alone. Most of us are on the same team and are willing to help out – you must seek it out and be willing to hear the honest truth when you do reach out. I mentor others and enjoy the mentorship of others. My role is simple – learn as much as I can and then share my knowledge and experience so that others can go further.
Q: How can people get a hold of you (e.g. blog, twitter, etc.)?