Cybersecurity isn’t just for guys! It’s crucial to highlight the important work that women and non-males are doing in the information security field.

Previously, I spoke with Thais, a Brazilian woman in Germany who’s doing some intriguing malware research. This time, I’ve had the honor of speaking to Kelly Shortridge. She went from high finance to an exciting infosec career as a product manager!

Kim Crawley: I’ve had a chance to look at your website. It’s very nice! I like the minimalist style. So now you’re a product manager at BAE?

Kelly Shortridge: Thank you! I’m currently a product manager at BAE Systems Applied Intelligence.

KC: Yeah, that’s a more complete job description. How did that opportunity arise?

KS: I knew friends who worked at the company and told me about the Threat Analytics product and their need for a product manager for it. I liked the opportunity to help build out the product, as it presents an opportunity similar to a startup in feel while at a larger organization.

KC: What sort of threats does the product pertain to?

KS: The product specifically looks for evidence of techniques (TTPs) used by attackers across the entirety of the attack lifecycle, from delivery to exfiltration. It isn’t based on specific malware strains or a static list of IPs. Instead, it digs into how attackers behave and what techniques they use.

KC: Behavioral analytics is hot right now because we’re way past the stage where signatures are useful. Actually, I was just discussing that in my last interview with someone who also does malware analytics. You do very important work.

KS: I think it’s a topic that’s rightfully hot at the moment because it’s become much more trivial for attackers to adjust malware or methods slightly to avoid signature-based or static detection.

KC: Do you think signatures are still useful for endpoint AV software if augmented by heuristics?

KS: I do think there’s still a place for signatures, and rules generally speaking, in the ecosystem.
After all, they eliminate the lowest-hanging fruit for attackers, and that’s an important part of any defensive strategy. I also agree that it should be augmented with heuristics, ideally with a blend of methods such as anomaly detection, behavioral analysis, and machine learning.

KC: I see you’ve written an article about blue teaming. Tell me a bit about that.

KS: My personal belief is there has been a lot of attention paid to what defenders are doing “wrong” but not nearly enough attention to why they are making the decisions they are. Ultimately, if you want to change a behavior, you must understand the root of it before you can propose new strategies, and that’s what I’ve been attempting to do in much of my work. I’ve also talked a bit about the team-based nature of blue teams, which I also believe is overlooked. In most cases, there isn’t one sole “security person” at a company but a dedicated team, or at the very least, the “security person” will have to interact with other people at the company when making decisions. Research has shown that teams have their own quirks in how they make collective decisions, and I think it’s a valuable lens through which to examine some of the odd, or arguably inefficient, dynamics we see between blue versus red in the industry.

KC: I used to think only in terms of white box, black box, and grey box related to how much is known about the target network. Depending on what the client needs to know about hardening, are there situations where red teams are more appropriate than blue teams, or vice versa? What about purple teams?

KS: Those are great questions. I’m of the view that all three teams are probably necessary, though I’m cognizant of the fact that not all budgets can support them. At a minimum, I think realistic penetration testing is essential. Obviously, disrupting services is far from ideal, but I think companies are not well-served by overly confining their red teams, whether internal or third-party services.
Ideally, their blue team would be able to incorporate feedback from the red team and make it harder for the red team to successfully reach their goal in subsequent tests, since this makes for a well-oiled improvement loop. Purple teams are a luxury for most companies, though perhaps necessary at larger organizations, since to me they function similarly to project managers dedicated just towards ensuring the feedback loop actually results in improvements.

The crucial point is that blue teams will not benefit from the lessons of the red team if they’re confined in a way that real attackers would not be. Companies need to evaluate which assets they seek to protect the most and task the red team to target those with whatever means they have at their disposal. After all, their adversaries will use whatever is in their own arsenal regardless of scope.

KC: What do you think the biggest or most frequent mistake clients make when hiring pentesters?

KS: There are a few key mistakes I believe clients make when hiring pentesters. First, it’s often viewed too much as a “check the box” exercise, as a form of proof that they care about improving their security. Therefore, any findings aren’t taken as seriously by blue teams, or suggested fixes are not prioritized. Second, it’s often an annual, bi-annual, or quarterly exercise rather than a continuous feedback loop. Yes, there needs to be time for blue teams to digest and incorporate findings from previous exercises. But I know many friends who are on red teams who lament the fact that they’re often presenting the same findings to the same company year after year. That isn’t to say that the fault lies solely on blue teams. Often red teamers fall into the same trap of providing a checklist for the blue team rather than really embracing the idea of knowledge-sharing.
There has to be mutual buy-in within the organizations and on both sides to support the notion of a continuous feedback and improvement loop.

KC: If someone asked you how to become a pentesting professional, what advice would you give them?

KS: With the caveat that I’m not a pentester myself, I would say a great way to start is by participating in CTF competitions. It’s a fantastic way to increase your relevant skill set. Additionally, companies absolutely recruit at CTFs and see who is participating in CTFs as a way to cultivate talent. There are local CTFs as well as ones in which you can participate remotely, so I’d suggest googling around to see which ones are of interest to you and giving them a stab.

KC: How did you get into cybersecurity?

KS: My path to cybersecurity is its own anomaly! I began my career in investment banking as a mergers and acquisitions analyst. A senior advisor at my firm had many connections to companies in the infosec space and tasked me with learning more about it to help create a new industry coverage area for it. For whatever reason, my first area of exploration was around zero-day vulnerabilities, and I subsequently went down a rabbit hole of learning about the technical aspects of exploitation. While understanding the defense part of the equation came later, I think that order was more valuable in some ways. I fundamentally believe you cannot understand how to architect a proper defense without understanding offense. While I enjoyed the actual banking work, I ended up falling in love with the technical side and decided to move into helping build defensive products full-time. A minor blip along the way was someone telling me to read Phrack to get up to speed, and I started at the very beginning and read all about phone phreaking.

KC: I wrote an article not too long ago about strange ways people have gotten into infosec.
But your story takes the cake.

KS: I feel honored!

KC: Were you interested in computers as a little girl?

KS: “Obsessed” is probably the better word. I coded some dizzying and blinky Geocities and Neopets webpages back in the day, and I was a prolific gamer, as well. I was one of those people who loved creating custom PC builds and building my own rig. My father also introduced me at a young age more to the hardware side of things, so, believe it or not, for quite a while my primary image of hacking was more of the super low-level stuff that’s considered the most “elite” today.

KC: And yet you went into finance or economics instead. Is finance more welcoming to women than IT or computer science?

KS: I was drawn to economics because it’s ultimately the study of choice, and to me there is nothing more challenging than attempting to understand human behavior. We’re very complex beings! Finance is a natural path for anyone interested in economics, and investment banking specifically offers the chance to use a blend of quantitative and qualitative skills, which I found appealing.

While I learned some front-end programming on my own, I didn’t feel as if there was necessarily a career in it. To be fair, I had decided on pursuing economics and being an investment banker from my early teen years, so that likely closed me off to other paths. However, I will say my experiences in finance vs. information security have been stark as far as being welcoming to women. While finance isn’t perfect, and there’s still quite a bit of “bro” culture, it was honestly a complete and utter shock to me when I started getting more involved in the infosec scene.

It’s a bit embarrassing, but I honestly didn’t believe gender bias was that big of an issue in the professional world until I fully entered infosec and, specifically, began attending conferences.
Part of it might be that finance, in general, adopts a more professional demeanor, while infosec often prides itself on not being “stuffy,” or that finance has already experienced sexual harassment lawsuits while infosec has yet to do so. I often surprise people by saying that, because they assume finance is the bro-iest of all industries.

KC: So, tech sexism might be a little more in-your-face than Wall Street sexism.

KS: Absolutely, and as much as I’ve heard tech people rip on Wall Street for being an old boys network, tech is just as much so — maybe more so. Maybe not an “old” boys network, but at least a top 40 under 40 boys network.

KC: What do you think the biggest problems in cybersecurity will be in the next few years?

KS: Cybersecurity, I think, is rapidly approaching a “come to Jesus” moment. We’ve been building an increasingly complex network of security products without revisiting prior additions to simplify. And complex systems will inherently be less secure. At some point, it starts to maybe get into some chaos theory. When does it reach the point where the equilibrium collapses? When does it become irrefutable that an additional layer of security is making companies less secure? I don’t think there’s a clear answer for how companies can efficiently simplify their security architecture. But I do think a good start is returning to first principles about “what is secure?”

There will be huge resistance from the industry, as a lot of money goes into passing certain standards and audits, but my personal belief is that it’s necessary to really dig into what’s helping and what isn’t. And that isn’t really done now. I’m hopeful the idea of infrastructure 3.0 will alleviate some of the complexity issues a bit, as the promise of it is to help streamline and simplify and engender less reticence to using open-source tooling. The challenge is, of course, getting to that point or getting enterprise buy-in.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo-developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.