DefCamp #11: Arturo Cedillo on how to keep your eyes on the big picture while working on the elements it’s grounded

It takes a special kind of person to take on an incident response role. It’s a high-pressure, high-stakes role that Arturo embraced over 3 years ago, deploying his expertise in two different companies.

If you ask industry specialists, they’ll tell you that working in Incident Response comes with huge responsibilities. To get to this role, you need to gradually build your skills, know-how, and resilience, which our guest has been doing for well over a decade, with the last 7 spent in cybersecurity. 

We talked to Arturo Cedillo, Incident Manager at Rabobank in the Netherlands, for DefCamp #11. We may not have a conference this year (no, not even an online one – here’s why), so we’re keeping you in the know by giving you firsthand insights from some of the best people in infosec so you can fuel your own growth.

From mobile security to pentesting to building SOCs, Arturo has an impressive roster of experiences. Here’s your chance to see how the infosec industry has evolved this year, which changes matter the most, and how they could impact your own career and development.

Challenging the talent shortage in infosec

There’s a lot more room to learn and grow in information security than you might see at first glance. Arturo makes a very important point about the current talent shortage that’s plaguing the industry. It might be that companies can’t find the people they need because they’re only focused on the technical skills layer. However, cybersecurity work involves a lot more – take it from people who’ve been in the trenches or years.

We know from our own experience that individuals from all backgrounds can find their place in this field. There’s almost always a way for them to transfer and use their existing experience, skills, and knowledge to make a meaningful contribution to infosec if they feel drawn to it.

“There is an expectation that people working in information security should know about every aspect of the industry. And like in any other field, this is – of course – not possible.

I believe this could be a reason for the perceived shortage of talent. The infosec community should be focusing on how to set the bar so anyone feels welcome to start their career in the industry.

There is a lot of focus on the technical side, which is of course important, but there is also the other side of the coin: writing policies, documenting processes, drafting presentations for management and end users and so forth.

In my view, these activities are very important, but, for some reason, they are not seen as a priority by organizations.”

These roles are especially important to create clarity, internal alignment, and build the processes that keep a company safe beyond the tech layer, which can only do so much. Plus, it’s also essential to get key people the help they need because the best infosec specialists are often overwhelmed, having to constantly put out fires. Arturo knows this the best given his role.

The alert that cried breach

The biggest security challenge Arturo is actively tackling right now is reducing the number of false positive alerts.

“Even though this is not a security issue by itself, it can become one because of incident analysts missing true positive alerts given the large amount of false positives. Unfortunately, I have made mistakes as a result of this situation.”

If you’re not familiar with what incident response entails, here’s a less James Bond-ish story and a more real one that shows how infosec specialists make a difference every day.

“Security Operations Centers (SOC) operate in different ways, but something they have in common is that, before going home, the largest amount of alerts or incidents in the queue should be resolved.

In a busy day, where tens of alerts have to be triaged, it becomes difficult to prioritize when, in the past, similar events were triggered and turned out to be false positives.

If the same false positive alerts keep reoccurring, the incident analyst’s natural reaction will be to close them without even taking a look. However, there is a chance this new alert may be a genuine incident which it will now be completely ignored.

Therefore, I believe it is important to have the least amount of false positives to prevent incident analysts from neglecting alerts, allowing them to focus and properly triage every single one of them.”

The tech can really make a big difference here and keep a data breach from reaching disastrous proportions, like we’ve seen too many times before.

The tech only works if you use it (properly)

Endpoint Detection and Response (EDR). Even though this is a technology that has been around for several years, not all organizations are making use of it.”

One of the best advancements in cybersecurity over the last few years is often untapped by organizations. In spite of cybersecurity being a main concern for companies and institutions around sectors, their actions and investments sometimes don’t work to mitigate the risks that fuel that concern.

Arturo shares a boots-on-the-ground perspective:

“One reason could be the pricing; however, I do believe it is worth it. This tool brings a great deal of visibility at the endpoint level in parallel to enabling incident analysts to perform remediation actions as well as gather forensics artifacts.

Some EDRs even perform checks for patching levels allowing to gather statistics around which hosts are vulnerable. This allows the vulnerability management team to chase the right asset owners to request them to patch their systems.

Lastly, most EDRs integrate with Security Information and Event Management (SIEM) platforms and IT Service Management (ITSM) solutions, granting the possibility to automate several processes, reducing the amount of time SOC analysts need to spend in manual work.”

Automation can be incredibly helpful for a company’s security, freeing up resources to tackle important projects, strategic activities, and optimization initiatives that boost productivity and, most of all, increase their security posture.

So how can infosec specialists get through to decision-makers who can make that happen?

Arturo has a few essential recommendations that will help you get better at managing up and also elevate your professionalism and impact.

The 3 key things you need to grow in infosec

Written communication abilities will get you very far, clarify your thinking, and make it easy for you to communicate needs, requirements, and potential impact to managers, peers, partners, and other stakeholders.

“We, technical folks, believe people understand what we talk about when it comes to our line of work, so we tend to dive into details.

When dealing with an incident, a lot of the communication will take place in a written manner: an email, a report or a presentation. This communication will most likely go outside the SOC, so it needs to be clear and concise.

Knowing how to communicate with non-technical individuals while delivering the right message with the least amount of details is not an easy task. My recommendation would be to read that email or report several times before you send it, to make sure the person on the receiving end can make sense of the message.”

A key thing to remember here is this: never assume the other person has the background or knowledge that enables them to easily understand your points. Give them context, link to relevant resources, and match your communication to their role (business, operational, etc.). It will make your job easier and you’ll be able to achieve better results together.

Then there’s the vital ability of conflict management.

“Information security professionals are well known to use the word ‘No’.

It is very common to push the breaks on projects when security is not being considered. For example, by denying a website or application to go live until the proper checks have been done or refuse to close an incident until the proper criteria is met.

This causes tense situations with stakeholders who push to move things forward. It is important to learn how to de-escalate these situations while remaining calm. This is no easy task, especially since each organization deals with these situations differently.”

So what’s something you can do to figure out how to manage these situations that make everyone irritable, less receptive, and more inclined to stick to their guns? Arturo has an excellent recommendation:

“My suggestion when working in a new organization is to shadow a senior person to meetings to observe how discussions take place. Once you feel comfortable, don’t be afraid to take the lead and get under difficult situations. Even though it is not pleasant, you will learn a lot about yourself and greatly improve your communication skills.”

Learning and practicing Agile is Arturo’s third piece of guidance. Here’s why:

“Working in a high pace environment such as a SOC makes it easy to lose track of all the activities that are taking place in parallel: investigating incidents, creation of playbooks, connecting new log sources, implementing use cases and so on.

After working for years using agile methodology, I strongly recommend to implement it in your team.

There are several tools and exercises that can be implemented to better collaborate and connect as a team. This becomes especially relevant in these COVID-19 times, where a clear picture needs to be in place of who is doing what.”

Keeping people aligned, engaged, and productive is difficult nowadays. It’s more challenging than before because we’re all strained, anxious, and tired. That’s why having a system to get work done, to create transparency, and measure progress is invaluable for everyone.

Agile can really help you achieve that.

There’s more infosec work to be done. Organizations need you

World changes have always impacted security because what we do in this industry is closely connected to how people behave – individually, in groups, in companies, in societies. When fundamental shifts shake things up, security must also adapt to meet the new challenges. Cybercriminals certainly do it extremely fast.

“Organizations are realizing employees do not need to be in the office to be productive. Google, for example, just announced a change in strategy where employees will work from home and come to the office for certain activities.

I believe this change in policy will impact on how attackers target organizations.

I foresee an increase in phishing and ransomware attacks. As organizations strengthen their defences at the perimeter due to employees working remotely, attackers will aim for the employees, most of whom are still connected to the organization via VPN or Citrix, allowing them to amplify a ransomware attack.

As employees work from home, it is likely they will take longer to report an incident to the Service Desk or the Security team, potentially increasing the impact of an attack.”

There’s a lot you can learn from Arturo Cedillo and many topics you can explore further. To leave with actionable steps, we captured some of the key ideas he shared.

3 key takeaways to build on:

  1. Which skills, experiences, and knowledge you already have can be useful in cybersecurity work? Think beyond technical roles and find you way in so you can continue to grow from there.
  2. Which “false positives” are keeping you from doing work that really matters to further your career and personal development? Maybe it’s doomscrolling, maybe it’s getting into too many things and not following through on the ones that count. Clear up your backlog and pursue what makes an impact.
  3. Develop these 3 skills to be more effective in your role and grow faster: improve how you communicate in writing to increase clarity and impact, get good at conflict management so you can diffuse tension, learn how Agile works and apply it to your workflow.

    Related articles​

    ⏱ Less than one month until DefCamp Capture the ..

    BY florina
    If you get a thrill solving cybersecurity puzzles and enjoy collecting awesome experiences (and prizes!), CTFs..

    An open letter to the DefCamp community

    BY florina
    Back in 2011, when DefCamp started, we didn’t even imagine that we would take the small meetup among friends..

    Phishing attacks are already targeting your ..

    BY andra.zaharia
    When you look at your company’s security, do you pay as much attention to what’s happening inside of it as..