
I've written before about maximizing your core efficiency.  It was a good article, but I thought I could make it better.  It seemed to me that there was something missing.  I had points in the article, but not inspiration.  Not things that kept you going.  Let's see if I can fix any of that.

When I wrote before, I talked about focusing on your job.  You were hired to do a job.  Maybe several jobs, but that's what you were hired to do.  All the other stuff is cruft.  If you maximize your efficiency and performance at your job, not only will everything else fall in line, but you will have more time to do whatever else you like to do.

Be calm.  Assess what you need to do.  Let's take a job that I have some experience at.  Since I am an IDS guy by trade, let's look at a typical IDS analyst's job.  What is the analyst there to do?  Pause here when reading this article.  Think for a second.  What is the analyst there to do?  Many of you will think of all the things that you do as an analyst or as a security professional.  You review logs, you review IDSes, you do pro-active scanning, you might even do a little penetration testing.  You probably write some documentation, SOPs, procedural documents, and the like, right?  Am I about right here?  Okay, so that's what you do during the day.  But what is your job?  If I asked you to describe what you do in one sentence or less, in as few words as possible, what would you say?

I said this to a room of analysts one time.  We all gathered in a conference room and we sat around the table, and I was given the task of organizing these individuals into a team.  I asked this same exact question, and we went around the room.  I heard some decent answers.  One-liners.

I said, "My job is to catch the bad guy."  That's it.  That's my job.

I stood in front of about 200 system administrators one time giving a speech about security, which, even though it should be part of every system administrator's job, is often put on the back burner.  But here I was giving a speech to a packed room.  I made another statement that day, a point-blank, in-your-face statement.

"The bad-guys are already in your network, right now, as I stand here and speak, they are in your network.  Now what are you going to do about it?"

Think about that for a second.  Am I right?  Some of you will say no, I'm wrong, and go back about your business.  But I am saying it for a reason.  The Bad-Guy IS in your network, right now.  Still think I am wrong?  You aren't paying attention to security.  When I say you aren't paying attention, I don't mean that you aren't reading the mailing lists and such.  I mean you aren't paying attention.  I am not going to explain to you what I mean about the Bad Guy being in your network; that's for you to figure out.  If you think I am wrong, it's also for you to prove that I am.  At this point you may be thinking that I am being a bit cocky.  No, I am being brash for a point.  Take the time to think about what I mean.

The Bad-Guy is in your network.  What are you going to do?

Your job as a network security analyst is to catch that bad guy.  What are you going to do?  Let's take it a bit bigger and look at security from a department perspective.  

Let's say you are a security department head for a corporation.  Not big, not small, or huge, or tiny.  It doesn't matter.  The difference between a 100 person startup company and a multi-trillion dollar organization is complexity.  The one is no more or less secure than the other, and no more or less important.  It's just more complex.

Do not be afraid to roll up your sleeves on day one.  
Be honest with yourself, your employees, and your supervisors.  Don't be afraid to tell them the truth, even though the truth may not be what they want to hear.  The person hearing that truth will value you more for it in the end.  I didn't say blunt, or rude.  I said truthful.  You don't have to be an a** to get people to understand you.  You also don't have to tell people the whole truth to get your point across.  Get in there and get dirty.
When I go to a customer's site, on the first day I like to have a meeting with everyone I can.  Management, support staff, analysts, forensics, etc.  Sit them down and clearly state what we are all going to accomplish during this time.  

Don't lump too much into one time period.
Oftentimes I am only on site with a customer for 4 or 5 days.  Sometimes I am on site with customers for 4 or 5 months.  There is a certain amount you can accomplish during that time period, and sometimes there are going to be things you won't be able to accomplish.  Don't stress over it; it's just the way the chips fall.  There is more time available; if it's truly important, I can come back.

Don't beat around the bush.
I kinda already said this up above, but face your challenges.  Putting them aside and procrastinating about projects, no matter how small or large, will only make them worse.  The small ones will get bigger, the big ones will get monumental.  You've laid out your tasks, now get to it.

Never say anything you aren't sure of, and if you do, make sure the people you are telling it to know that you aren't sure.
If you are going to make a statement, make it.  But be right.  Better to not open your mouth and let people think you are an idiot, than to open your mouth and remove all doubt.  If you don't know the answer, and you have to give an answer, give them your best guess, but make sure they know it's your best guess and that you'll get a better answer for them shortly.  Then go get the darn answer.  Don't be afraid to ask for help if you need it.  You don't know everything; no one does.  But collectively, a problem that seems like a mountain can shortly become a molehill.

What are you good at?  Make that list, then delegate the rest.
What are you good at?  IDS?  Packets?  Cisco devices?  Windows host-based security?  Focus on that; become the absolute best you can be at that specific task.  Delegate the rest until you are the best at #1, then learn your #2s.  If you aren't good at Cisco devices, don't act like you are: find someone that is, hook up with them, learn from them if you can, and move on.  Do what you are good at.

I consider myself to be good at several things: packet analysis, public speaking, explaining complex things in layman's terms, and teaching others.  I know I am not good at configuring firewalls.  Can I do it?  Yes, but that's not my core.  I know I am not good at writing documentation.  Can I do it?  Yes, but that's not my core.  But stick me in front of a large audience of technical people, CEOs, CFOs, and janitors, and I can make sure everyone in that room gets my point and that I am well understood.  I wasn't born with that; I had to learn it.  When I was first asked to stand in front of people and give speeches, teach, etc., I sucked at it.  I was horrible.  But I was forced to do it, hundreds of times.  I use the old horse analogy.  If you fall off, get back on.  I wasn't good at teaching or public speaking at first, but I had to do it, so I did it, and I learned.  I didn't take courses in teaching or presenting, but I read books, I watched the masters at work, and I learned.  Now I am pretty confident and pretty good at it.  If you want me to come give a talk at your organization about security, etc., my contact info is at the top of the blog.  (It says "Contact".)  Let's talk.

Now, get a piece of paper (virtual or physical) and draw a line down the middle so that you have two columns.
In the left column, make that "I'm good at this" list.  Then make a separate list of things you wish you were better at on the right.  Take all the time you need to do this.  Even if you aren't good at making lists.  (Put it on the right.)

Now look at your left column.  Really?  Are you really good at all those things?  REALLY GOOD?  Any you could concentrate better on?  Anything in there that you wrote down that you probably should have in the right column, the column of things you wish you were better at?  Go ahead, erase them and move them over to the right.

Now how many things do you have on the left?  Probably 5 or 6 things.  Maybe 10.  Your right list should be much longer.  Now, what are your next steps to get better at the things on the right?  Anything you can do easily?  Get to it.

I'll make this a two or three part series.  So expect another post along these lines shortly.
