ISSA Chapter Meeting 12 November 2024:

 

Opening remarks: Hybrid meeting: the meeting was held in person at ECPI and virtually on Zoom. For questions, please raise your virtual hand or use the chat feature. Charles is attending virtually today. Please give us feedback after the meeting: what did you like? What could we improve?

Agenda: Welcome/Membership/Education/Presentation/Business Meeting/Q&A/ Feedback/Adjourn

Organization Chart: This will be changing as elections are coming up! The chart changes in January; there are four elected roles and some appointed positions, which are flexible and can be created as needed.

Just because a role is filled does not mean you cannot contribute! You can always assist our seasoned board members.

ISSA-HR Professional Association Benefits: Build professional relationships; stay current on developments in information security, risk and privacy; professional development and education opportunities (looking forward to our presentation today!); earn CPE/CEU continuing education credits (the Membership chair can handle CPE/CEU inquiries); learn practical, best-practice solutions; career information and employment opportunities.

Grow Professionally!:
Whether you’re a pre-professional, entry-level, mid-career, senior practitioner or security leader, ISSA offers strategic resources and guidance at every career level.
Membership Annual Cost: Professional (non-student) $95, Student $30, plus Chapter Dues of $30. Professional = $125 total, Student = $60 total. Your company may even reimburse these dues; it does not hurt to ask.

*Select Hampton roads as your chapter

 

New Members: Welcome: nobody new in October but a few people did renew! Welcome Manual A!

Glad to have you, thank you for joining!

Social Media Resources:
Zeffy is used for event registrations

Feel free to pitch in and share ideas on our discord!
Discord (QR code below): use the QR code, the link, or search “ISSA-HR”. There is a lot of activity on our server; it is a great resource. (https://discord.com/invite/Jt3m7TWQzQ/ )

LinkedIn: great resource to get in touch with us:
Click the QR code above, use the link, or search for “Information Systems Security Association – Hampton Roads Chapter” https://www.linkedin.com/company/information-systems-security-association-issa-hampton-roads-chapter/

Website: Be sure to also check out the meeting recap on the ISSA-HR webpage!
We have also been blogging on LinkedIn! Thanks Faith! We love feedback!
https://issa-hr.org/issa-chapter-meeting-6-august-2024/

 

Meetings and Social Events:

12 Nov: Tal Reznikov: People, Process, and Technology: A Computer Science-Inspired Roadmap to DevSecOps Maturity

3 December: Holiday Party and Election results

7 January 2025: Xavier-Lewis Palmer, PhD Engineering (Topic TBD)

Looking for speakers as we look ahead to 2025, as well as in-house backup speakers and a potential Speaker Coordinator! Nobody else is nominated for President, and Evan will not leave you hanging: he can teach you everything he knows about getting speakers.

We may be looking for a new meeting program director, as our current meeting director, Evan, is on the ballot for the President position. It’s a great way to have a reason to connect with people, network, and invite them to talk for ISSA!

After-Meeting Networking Happy Hour: after the ISSA meeting at Plaza Degollado (around the corner from ECPI).

Cyber Social at Casual Pint: Wednesday, November 20th, 6:00-8:30. It’s a great casual (informal) event with always a good turnout and a great place to network. No current scheduling conflicts for this location. Definitely a good time!

 

Jobs:
Need a job: Type of Job, Elevator Pitch (Value you bring, qualifications, additional info)
Have a Job: Title of Job, basic requirements, contact information

ISSA has a job search page http://iz1.me/XJU31zUSeBV
https://issa-jobs.careerwebsite.com/jobseeker/search/results/

Government Jobs: USAJOBS.gov:
Government job resource: Great resource for fed resumes: Federal Resume Guidebook by Kathryn Troutman (https://www.amazon.com/Federal-Resume-Guidebook-Writing-Featuring-dp-173340760X/dp/173340760X/ref=dp_ob_title_bk)

Best way to get a job is through networking.

Need a Job: If you’re looking for work, now’s your chance to let us know! Let us hear your elevator pitch: an Introduction, summary of what you do: current role and why you are doing well there, relevant experience, explain your value/what problem you can solve, and a Call to action for what you’d want to do next. Whether you are currently employed or just want to practice, now is a great opportunity.

Optionally, for an extra 30 seconds you can add other details such as clearance status, remote, on-site or relocation preference, additional education/certs not already mentioned, and other short details. We can post your email in the chat if you want, we will ensure it gets to the right people.

Daniel W. has been a Linux sysadmin for about 8 years, with 2+ years managing an IT department for a private firm: Linux, BSD and Mac servers, Windows servers, primarily open source, but has dealt with enterprise software as well. Mostly medium/small organizations (medium: ~500).

James Y. is active duty, retiring and transitioning at the end of January; 20 years of IT randomness, chief stuff. Looking for a role in the area, in office or remote; wants to focus on network ops or cyber. Active TS clearance. Sec+, ITIL, studying for CISSP.

Manual A. is casually looking; has been in the industry for 4-5 years doing general IT in the shipyard. Inherited a lot of stuff: a lot of reverse engineering, infrastructure upgrades, government contracts, taking all the separate systems and adding automation across the board, a general everything job. A+, Net+, Sec+, studying for CySA+.

Jon B. is considering shutting his company down. He has done business development over the years, has an audit in January, and when they find out he has no contracts his org’s clearance may come into question.
Unless something dramatic happens between now and then, he’s looking for work. He would like to maintain his personal clearance (TS): red team, CTFs, SCAL, etc.
I’m looking for work. Thank you.

Evan L. is casually looking for something before mid next year and has been interviewing. Program manager with red team and SIC work; led a red team in the Navy. CISSP, CEH, PMP, Scrum Master, and TS/SCI clearance. Not willing to move; could work onsite if it is the right role, preferably part time on site. Doing purely admin work right now and would like to get back on a technical team.

Roopchan R. is a GS with the Navy, shore modernization: approving modernized IT systems going to Navy sites. Risk assessments, a lot of maintenance, training, technical documents.
Core skills are problem solving and cross-functional teams. “I love organizational change; I like to be the voice that can help solve problems in the works.” Looking at NASA, Joint, Air Force; ready for something new.

Have a Job:
Job title/Company/Type (Contractor, Government, Private sector, Internship, Full time, Part time)/Requirements (Years’ work experience, Education, Certs, Clearance)/Desired experience, qualifications and any other information desired (keep it short)

Mike W. works for NARWC; they’re down in Charleston. If you find a job there and apply for it, please let Mike know. Glad to help you!

Faith W. works for the City of Virginia Beach; there is always a good rotation of available positions.

 

Monthly Presentation: Building for Automation in Security


Tal Reznikov is a Technical Solutions Engineer at Google, specializing in SOAR solutions, security automation, and autonomic operations, with a background as a SOC Engineer. He has deep expertise in endpoint detection and SIEM platforms, including McAfee (Trellix) Mvision, EPO, ENS, ESM, Chronicle, and CrowdStrike, along with skills in Wireshark, PowerShell scripting, and Windows/UNIX environments. Tal’s technical proficiency extends to programming languages like Java, Python, C++, and C, as well as tools such as Unity, VMware ESXi, and Google Workspaces. Passionate about learning and teaching, he excels at simplifying complex technical concepts for non-technical audiences, driving process efficiency, and leading collaborative efforts to solve challenging security problems.

Join us as Tal talks about how, in today’s fast-moving cybersecurity landscape, Security Operations Centers (SOCs) must move beyond reactive defenses and embrace proactive automation. This talk explores how applying core Computer Science principles to security operations can unlock a mature DevSecOps approach, where People, Process, and Technology work in harmony. Attendees will discover practical strategies for bridging the gap between DevOps and security, fostering collaboration, and building automated solutions that address both known and emerging threats.

 

Agenda:
Speaker Introduction, Topic Introduction, Identifying Stakeholders, Defining Goals, Collaborating with SMEs, Designing for Automation, Providing Feedback Mechanisms, Encouraging Proactive Work, Bringing It All Together.
“If we don’t get to it all, I’m willing to talk about it at another time.”

Tal Reznikov: B. Sc Computer Science VCU, 3 years at MSSP, 4 years SOAR Professional Services

“Started out in SIEM, normalization, etc., becoming the SME while learning it. After that I worked for a SOAR provider; I had a good feeling about the technology, the automation, it’s a huge idea. The company was called Simplify. Mergers and acquisitions aren’t always great, but Google has been cool.
We sell product and I am responsible for helping to deliver that product.
This conversation has almost nothing to do with what I do. I am not allowed to talk about who my clients are, what I’m working on, or names. If they have gone public, I am allowed to talk about it. If you cannot Google it, I cannot talk about it.”

Glossary:
DevOps: Development + Operations, the concept of using software engineering to handle operations workloads.
SOC: Security Operations Center, the team or teams responsible for threat hunting, incident response and monitoring. Sometimes includes the infrastructure sysadmins (depends on org structure/team).
MSSP: Managed Security Services Provider (Business).
CISO: Chief Information Security Officer
ROI: Return on Investment
Vendor: Software company that sells you a product or service
SIEM: Security Information and Event Management platform
MDR: Managed Detection and Response services
EDR: Endpoint Detection and Response software
TIP: Threat Intelligence Platform
FUD: Fear, Uncertainty, and Doubt.

 

Introduction: What is a SOC?: The modern Security Operations Center is not a single type of environment and must be defined per organization.
“Everybody involved in technology has to answer to the security of the organization.”

How has the Modern SOC Changed?: External Perspective: Cyber incidents make national and international news, advances in technology create a lot of opportunities for FUD, mistrust of technology, over-trust of technology.
Adversaries: Average age of threat actor now is in the teens, automation is everything, a lot more collaboration, use of AI.
“It used to be for the expert, if they moved into security. Over time we have built entry-level roles; before, it was almost always just senior roles. The real skills gap is in the advancement. Degrees are not required. There’s much more breadth within cybersecurity: folks trying to be broad have a lot to study, and those trying to be niche have so many niches to choose from. This is where automation comes in and is valuable.”

Q: You said degrees don’t matter, degrees were invented to demonstrate skills then certifications were invented, what is the new thing how does the company assess skills?
A: They do three different kinds: physical tests, hackathons, CTFs where you get points. The other ways are certifications, or to just start applying. The rule of thumb with Google is you won’t get in the first time. That’s true for almost all interviews.

Q: do they have rules, like everyone at this part of google has to take this test?
A: Yes, there are several rounds. The more technical the role, the more technical the interview. The first interview is always a personality interview; they care about culture so much.

 

“I’m not usually one to spout corporate Kool-Aid, but it tastes good.
There are not a ton of different certs, a ton of industries, GIAC, ISC2, then vendors, Trellix, Cisco, Palo Alto, Google, what do you do with those? It’s a Choose Your Own Adventure, it’s just get your foot in the door, you can always pivot.

What has changed is there aren’t as many broad experts, or niches; there’s a skill gap on individuals. That’s why having processes like automation is valuable: to ensure skillsets are properly utilized, not relying on one person having all the skills.
If you think you can’t apply because you only have half the skills, apply anyway! They only expect you to have half the skills.

Process automation from a human element, we are ultimately responsible for it.
The tech stack is taller than ever. Cloud services are on the rise. Does it increase or decrease the attack surface? MSPs also help manage the infrastructure. How do stacks talk to one another? The first SIEMs were just people really good at grepping.

The external perspective has also changed.
Cyber incidents, no matter how minor, make it to the news.
Now the public cares, when the government used to care more.

Humans are scared of what they don’t understand, adversaries know how to abuse this.
We can use our external perspective to understand and push automations that are humanistic. We are all users of technology.

Our adversaries are trending younger and younger. The FBI has reported an average age of 16 years. There’s so many individuals connected to the internet, and some just do it for fun.

Automation becomes everything for adversaries too, they’re finding other people’s code, and learning how to use it, and setting themselves up for success by automating a breach. None of it is by hand anymore. There’s no way around it, the defensive team has to automate too.

They are on Telegram, collaborating.”

 

What Does it Mean?: We must begin to accelerate our processes by implementing DevOps best practices to automate our SOC. Adversaries are also using automation and AI to do the same thing on their end. We must be proactive and ensure we are being efficient with our limited resources. DevOps principles can be applied to process creation for a security team. Before we can do that though, we must see the bigger picture to define our goals and unify the processes under one architecture.
“Since adversaries are using automation, we have to create a reliable system that does something we have already done and defined how we respond to. Our job now is that next time, nobody has to touch anything. The general ethos is that whenever something happens in the SOC, nobody should panic; automation should handle the edge cases, to free the team up to handle other threats, efficiency, etc. The more you do that, the closer you can get to more than just the day-to-day.

A couple analysts to do threat hunting, actually threat hunting. Writing detection rules, think over how you can handle the alert when you’re writing these rules.”

 

Identifying Decision making Stakeholders: C-level or Decision Level: Can be technical or not. Possible titles: CISO, CTO, CEO, SOC Manager, SOC Director. Responsible for final say on tech stack, personnel and process.
“All sorts of different people; very important to have different levels. When the automation fails, you’ve got to know whose head is going to roll.
This stakeholder’s fundamental responsibility is making sure they don’t cost much money; that’s how the MITRE breach was so heavy.”

Identifying Technical Team Stakeholders: Implementation Specialists a.k.a “Doers”: This is the team responsible for meeting the goals of the decision making level. Titles include: Engineer, Analyst, System Administrator, Helpdesk. This will be the team that benefits from, or experiences the consequences of changes to tech stack, process, or personnel. We speak to this team in terms of time and effort, as well as gauging skills and talent and effort calculations.
“If someone is doing a phishing campaign and a user submits the phishing link, that makes them a stakeholder now. Correlation logic can be pulled to automate an email to the reporter inquiring about steps made on their machine, to verify the user had made those actions or if
Identifying logic, sharing it with engineers, and the engineers can integrate that step into the automation.”
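As an added illustration of the phishing-report correlation step just described (example code written for these notes, not Tal’s or Google’s), the block below takes a reported link, matches it against web-proxy logs, records which users touched the same domain, and drafts the follow-up question to the reporter. The log format, the user names and the URL are constructed for the example; sending the email is left as returning the draft text so the logic runs offline.

```python
"""
Added example for the ISSA-HR recap: phishing-report correlation.

Assumptions (hypothetical, not from the talk):
  * the reported phishing link arrives as a plain URL string;
  * proxy logs are lines of the form
      "<ISO timestamp> <username> <client_ip> <method> <url> <status>";
  * the automation hands a drafted email to a mail hook; here the draft
    is simply returned so the correlation can be tested offline.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample data, not real logs or a real phishing site.
REPORTED_URL = "http://login-secure-mail.example/reset?id=42"
REPORTER = "alice"

PROXY_LOG = """\
2024-11-12T14:01:02Z alice 10.0.0.5 GET http://login-secure-mail.example/reset?id=42 200
2024-11-12T14:01:05Z alice 10.0.0.5 POST http://login-secure-mail.example/reset 302
2024-11-12T14:03:40Z bob 10.0.0.9 GET https://intranet.example/home 200
2024-11-12T14:10:11Z carol 10.0.0.7 GET http://login-secure-mail.example/reset?id=99 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


@dataclass
class ProxyEvent:
    ts: datetime
    user: str
    ip: str
    method: str
    url: str
    status: int


@dataclass
class Correlation:
    reporter: str
    domain: str
    reporter_events: list = field(default_factory=list)
    other_users: dict = field(default_factory=dict)  # user -> number of hits on the domain
    reporter_posted: bool = False                     # did the reporter submit a form?


def parse_proxy_log(text: str) -> list[ProxyEvent]:
    """Parse the constructed proxy format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(ProxyEvent(
            ts=datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            user=m["user"], ip=m["ip"], method=m["method"],
            url=m["url"], status=int(m["status"]),
        ))
    return events


def correlate(reported_url: str, reporter: str, events: list[ProxyEvent]) -> Correlation:
    """Match on the phishing domain (not the exact URL): campaigns vary the query string."""
    domain = urlsplit(reported_url).hostname or ""
    result = Correlation(reporter=reporter, domain=domain)
    for ev in events:
        if (urlsplit(ev.url).hostname or "") != domain:
            continue
        if ev.user == reporter:
            result.reporter_events.append(ev)
            if ev.method == "POST":
                result.reporter_posted = True
        else:
            result.other_users[ev.user] = result.other_users.get(ev.user, 0) + 1
    return result


def draft_reporter_email(c: Correlation) -> str:
    """Build the automated follow-up question to the reporter from what the logs show."""
    if not c.reporter_events:
        return (f"Hi {c.reporter}, thanks for reporting {c.domain}. Our logs show no "
                f"visits from your account, so no action is needed on your side.")
    lines = [f"Hi {c.reporter}, thanks for reporting {c.domain}. Our logs show:"]
    for ev in c.reporter_events:
        lines.append(f"  - {ev.ts.isoformat()} {ev.method} {ev.url} ({ev.status})")
    if c.reporter_posted:
        lines.append("Did you enter credentials on that page? If so, reply 'yes' "
                     "and we will reset your password now.")
    else:
        lines.append("Did you enter any information on that page? Please reply yes/no.")
    return "\n".join(lines)


def run() -> Correlation:
    """Run the whole step against the constructed data."""
    return correlate(REPORTED_URL, REPORTER, parse_proxy_log(PROXY_LOG))
```

The `other_users` count is the part an engineer would wire into the next automation: every other account that hit the domain is a candidate for the same follow-up, without an analyst re-running the search by hand.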

Q: Google probably is the best funded largest effort you have been involved in, are other companies doing this? Is the community headed this way? Who’s doing this massive automation effort?
A: Google’s internal automation is nearly 100%. They do have a lot of funding and teams; computer scientists, most with PhDs, have decided they don’t want to handle events as humans. There is a series called Hacking Google that explains why our internal toolsets are the way they are.
Not every customer can do it; smaller companies may not have time to automate everything. The idea is that they are offloading the labor to Managed Security Service Providers (MSSPs).
They see it as an economy of scale.

Q: so your work is eventually productized,
A: yes. I sit on the delivery side of that. I don’t have direct communication with the internals of the security team but I do have access to the folks that work on it.

Q: how long does it take a typical employee to integrate into Google’s ecosystem?
A: 3-6 months, Google has an insanely high expectation with their employees.

 

Identifying Vendor and Consultant stakeholders: Paid help: Vendors and MSSPs provide services and personnel augment for a fee or with your purchase of other SKUs. Titles include Support Account Manager, Professional Services Engineer, Consultant, Customer Success Manager, or any of the titles listed on the previous slide along with “Consultant”. These are augmentation resources that are available to help you get more ROI out of your SecOps Automation.
“Automation prevents burnout for many professionals. We are all familiar with it, as we all got into the SOC somehow. Let them use their brains and don’t have them beat their head doing the same thing 30 times; let them repeat it twice, then work with engineers and automate it, and ensure nobody has to do it by hand again.

Our companies pay them to help us, you can bully your vendor to do real work for you.”

Identifying and Defining Goals-PM: We must first identify who will track Goals and own the results. Project and Program managers can be used to fill this need. Without an individual or team monitoring progress, the process can quickly fall apart. It is paramount to any successful operation to be able to both document and measure progress. This starts before any work is done by identifying the stakeholder responsible for tracking of goals, and any support they may need in terms of chasing down implementation specialists or vendors.
“The powers that be expect x% automation by y time, but x% was never defined and nobody is in charge of meeting that goal. Any operation must be able to document and measure that. Identify someone to own the project, chase people down for updates, etc., and make sure they know how to track stuff.
(Asana, Jira, project management software developed for software development teams. Marrying the two ideas of software development and security. Let’s teach engineers how to help us correctly.)”

 

Defining Goals – SMART: Specific, Measurable, Achievable, Relevant, Time-bound.

“That’s how I remember it from college; it just means when you’re building these goals, ensure none of them are too specific to be useful or too broad to be achievable. These steps are important. This is a framework I learned in college. It’s a PM framework that’s been around for a while. Your goals need to be ACHIEVABLE.

If goals are too broad, give them subgoals. Break it down into smaller goals,

Goal Setting – Perfectionism: Perfection is always the actual goal when it comes to security, so how do we keep it from hurting our progress as we define goals? Individual processes will never be perfect, backups and Disaster Recovery processes are how we handle the expected imperfection traditionally. The goal is thus to ensure we cover mistakes, not that we don’t make them. If we can automate mistake handling, or at least define the process to reduce time to resolution, we are winning. To ensure we are successful, when doing automation, goals must be set on an ongoing basis. Start broad, and drill down to specifics only when you can and it makes sense.
“When something goes wrong you need to have automation to handle it. The customer’s experience needs to be seamless. Nothing can go wrong for the user; the backend must be able to handle the issue. Identify whether a problem can be solved a slightly different way. To ensure success, goals must be set on an ongoing basis. As we continue to implement, gaps will be identified. Goal setting is always ongoing. Concurrent running maintains the stability of the environment: if one process fails, another will pick it up.”

Prioritize frequently: Defining your goals in a nested structure will already provide with a starting point. Some goals will obviously depend on other goals being met. Quick wins that save your team time should be prioritized higher so those tasks can be offloaded to automation and give the team the time back for other tasks. Rely on PMs but also communicate frequently about everyone’s progress. Reprioritize on a regular basis. Rely on all stakeholders for input. Try to prioritize automation of tedium or frustration.
“Organizations have ‘Oh No’ moments, they need to be able to be in flux, must be designed that way. We have to be both reactive and proactive at the same time, that only happens if we automate.
Processes need to be atomic, they cannot rely on external factors.
Individual goals should not have to rely on something else.
No reliance. No spaghetti code.
Dependencies cause technical debt. Include the analyst process in your technical process.”

Q: You don’t write your code with any x, y, z inputs?
A: When we write code, we abstract it out so the analyst isn’t limited.

 

Collaboration with SMEs: Subject Matter Expert (SME): There will be SMEs who are not direct stakeholders who you should still leverage to ensure you are building a good process. Anyone who is affected by your process changes should be consulted with prior to enabling changes. These can include owners of systems that are not technically security systems: Legal, HR, System Admins, Network/Firewall Admins. Highly depends on org structure.
“We want these people communicating, everybody’s goals need to be in mind to capture inefficiencies. The analyst needs to be able to communicate with the engineer. This can include people who may not seem like part of your security team such as HR, or Legal.”

Q: how do you guys handle meetings? Getting the right people together, not too much,
A: That’s where the project lead comes in. They know who to reach out of band, updates can keep rolling, and they can contribute to the overarching roles. It’s not necessary to get them all in one room; make sure someone is keeping track.

“It’s getting someone who knows who the right people are.”

Q: That sounds slightly different than PM,
A: It’s a program/project manager, someone who needs to sit in the SOC. In a DevOps environment it’s an SRO (site reliability officer). Process engineers exist in manufacturing, but our industry is still fledgling in that regard. Product owner may be a better title, or process owner.

 

Vendor and MSSP Consultants: Use your resources wisely: Depending on your contracts, you will have access to certain enablements from your MSSP or your Software Vendors. These consultants will be experts in dealing with a variety of problems related specifically to their product or service. Use these folks to help identify gotchas and streamline access to needed information such as documentation, support tickets, and institutional knowledge. Try to get your technical team time with these folks for learning opportunities, especially if you have Entry level roles.
“Can give you information on what will slow you down, ahead of time. I help my customers recognize features that may or may not be useful to them, maybe another tool will fit them better. That breadth of knowledge is valuable.”

We have our requirements, now what?: Once you have defined all of your stakeholders, set goals, reviewed the goals with your vendors and MSSP consultants, and identified the highest priority, you are ready to start building architecture. We encompass everything we have so far talked about, by meeting our goals with the reality that is our actual infrastructure, Personnel, and Processes. This will inform our architectural decisions to ensure we can meet the highest level goals while not overburdening our implementation specialists.
”We need to start building, we have defined stakeholders, now we need to find processes,
-Log aggregation

  • Identifying what went wrong: threat hunting, detection logic
  • Response (triage and response in an automated system are simultaneous): pull data, make the analysis, take action. Identify goals for how to solve the problem, then work that into the next thing. When not in a state of full automation, focus on getting there. Focus on saving time.
    In the SOC there will always be more skills to learn; we are not automating people away. Up-skilling and training can be more effective.”

Site Reliability – Uptime: Site Reliability Engineering (SRE), is a unique position created to support a more automated approach to maintaining a site’s services. Sites must stay online and the services they provide must also. Downtime of any kind is to be avoided. SREs are responsible for responding to downtime events, as well as building automation to reduce downtime without the need for human intervention. They produce a lot of automation to ensure sites stay online, E.g: if one service goes down on a server, a secondary server automatically switches over to give the user a seamless experience while SREs work on the first server. Security processes can be built with the same mindset. We call this ”DevSecOps” or “SecDevOps”
“Processes that rely on one another should be able to fail “cleanly”, Google makes the news if it goes down.
Engineers maintain these processes in the background to ensure the user process is seamless.
Everything is always happening; giving analysts more time helps them if they need to triage the “old-fashioned” way.
Everyone can put input into how they improve the process.

At Google, uptime HAS to be 100%.”

Security has a different acceptable downtime: 0%. In security, our uptime requirements are a little different because of the repercussions of any downtime. If the wrong process goes down at the worst possible time, that could mean a full-blown breach that doesn’t get detected.
We handle this by making sure all hiccups can be addressed by existing processes, or that feedback on missing processes or mistaken assumptions can be remediated by the design of the process itself.
“Processes have to be place, remediation steps can be automated, things can be tried before the on-call person needs to be contacted.
It depends on the individual issues.”

 

Follow ACID Principles: ACID is an acronym used for defining how Database operations are run. Since databases have similar integrity requirements, we can mimic this principle in how we design our SOC processes.

Atomicity means we do not rely on any outside “magic” to ensure our automation runs. All needed data and logic is contained within our original architecture.
Consistency means we are able to predict the result with logic, and each time we start and end at a valid state (automation should not create problems or force cleanup)
Isolation means the automation can run without fear of interruption or of changed states that it cannot track, such as other processes messing with the same data and messing up calculations.
Durability means that once a change has been made, it persists and is actually static. Basically, the results that were predicted happen.
“Atomicity means we don’t expect something to be done for us, we shouldn’t rely on anything we cannot get into our automation, unless it is it’s own process. The SOC is constantly moving. The atomic process could rely on an API call, that call is expected to be static. The data provides the logic, the response relies on the logic. That’s atomic.”

Q: do you have anything that relied on CVE format change?
A: no, not individually, we had teams that refactored code but it was done quickly.

Q: How can changes be anticipated?
A: You don’t. You abstract out one layer and automate a process for when a change happens. Something breaks, immediate DR response.
Consistency means the logic runs the same every time.

“Isolation means when the process runs it does not have to worry about interrupts. Gaps are covered by concurrent processes.”
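As an added, runnable illustration of the ACID framing above (written for these notes; not Tal’s code and not a Google or SOAR product feature), the block below is a small containment playbook runner. Each property from the slide maps to one mechanism: compensating actions give atomicity, a valid start and end state give consistency, a per-alert lock gives isolation, and a journal rewritten before each step gives durability. The playbook, its target “systems” and the alert are constructed for the example.

```python
"""
Added example for the ISSA-HR recap: an ACID-style SOC automation runner.

  Atomicity   - a run applies all of its actions or undoes the ones already
                applied (in reverse order), never leaving half of them in place.
  Consistency - the run only starts from an 'open' alert and always ends in a
                definite state ('closed' on success, back to 'open' on rollback).
  Isolation   - a per-alert lock keeps two concurrent runs (say, two rules
                firing on the same host) from interleaving their actions.
  Durability  - every transition is journaled to disk before the next action,
                so a crash leaves a record to resume or repair from.
The actions below mutate an in-memory dict standing in for EDR, IdP and
ticketing; they are hypothetical, not real vendor APIs.
"""
import json
import tempfile
import threading
from pathlib import Path
from typing import Callable


class AlertJournal:
    """State of each alert, rewritten to disk after every transition."""

    def __init__(self, path: Path):
        self.path = path
        self.state: dict[str, dict] = json.loads(path.read_text()) if path.exists() else {}
        self._locks: dict[str, threading.Lock] = {}
        self._guard = threading.Lock()

    def lock_for(self, alert_id: str) -> threading.Lock:
        with self._guard:
            return self._locks.setdefault(alert_id, threading.Lock())

    def record(self, alert_id: str, state: str, applied: list[str]) -> None:
        self.state[alert_id] = {"state": state, "applied": list(applied)}
        tmp = self.path.with_suffix(".tmp")
        tmp.write_text(json.dumps(self.state))
        tmp.replace(self.path)  # rename is atomic, so the journal is never half-written


class Action:
    """A playbook step paired with the step that undoes it."""

    def __init__(self, name: str, do: Callable[[dict], None], undo: Callable[[dict], None]):
        self.name, self.do, self.undo = name, do, undo


def run_playbook(journal: AlertJournal, alert_id: str, env: dict, actions: list[Action]) -> str:
    """Apply every action or none; return the alert's final state ('closed' or 'open')."""
    with journal.lock_for(alert_id):                          # isolation
        current = journal.state.get(alert_id, {"state": "open", "applied": []})
        if current["state"] != "open":                         # consistency: valid start state only
            return current["state"]
        by_name = {a.name: a for a in actions}
        applied: list[str] = []
        journal.record(alert_id, "in_progress", applied)
        try:
            for action in actions:
                action.do(env)
                applied.append(action.name)
                journal.record(alert_id, "in_progress", applied)  # durability before moving on
        except Exception:
            for name in reversed(applied):                    # atomicity: compensate in reverse
                by_name[name].undo(env)
            journal.record(alert_id, "open", [])
            return "open"
        journal.record(alert_id, "closed", applied)
        return "closed"


# ---- constructed environment and playbook (hypothetical targets) ----
def make_env(ticketing_up: bool) -> dict:
    return {"isolated_hosts": set(), "disabled_users": set(), "tickets": [], "ticketing_up": ticketing_up}


def isolate(env): env["isolated_hosts"].add("ws-0042")
def unisolate(env): env["isolated_hosts"].discard("ws-0042")
def disable_user(env): env["disabled_users"].add("alice")
def enable_user(env): env["disabled_users"].discard("alice")


def open_ticket(env):
    if not env["ticketing_up"]:
        raise RuntimeError("ticketing API unavailable")   # the failure the rollback must cover
    env["tickets"].append("INC-1")


def close_ticket(env): env["tickets"].remove("INC-1")


PLAYBOOK = [
    Action("isolate_host", isolate, unisolate),
    Action("disable_user", disable_user, enable_user),
    Action("open_ticket", open_ticket, close_ticket),
]


def demo(ticketing_up: bool) -> tuple[str, dict, AlertJournal]:
    """Run the playbook once on a fresh journal; return (state, env, journal)."""
    journal = AlertJournal(Path(tempfile.mkdtemp()) / "alerts.json")
    env = make_env(ticketing_up)
    return run_playbook(journal, "alert-1", env, PLAYBOOK), env, journal
```

With the ticketing system down, the host isolation and account disable are both undone and the alert returns to `open` with an empty `applied` list; with everything up, a second run on the same alert returns `closed` without acting again, which is the "start and end at a valid state" property from the slide.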

 

Providing Feedback Mechanisms: Feedback is what drives long-term success. Your end users are your subject matter experts on process execution; they should be relied on to make suggestions and drive innovation. The more time you save them, the more time they have to learn, be proactive, and provide that much-needed feedback. Each team member should be enabled on the process so they can fully understand their role. This in turn gives them the learning they need to recommend further process efficiency improvements. It is a huge up-skilling opportunity for analysts who want to move into engineering.
“The primary driver for building efficiency. Give them that free time, then encourage them to give that free time back. Make them have a sense of ownership that is done, you give them your time back. Should have feedback mechanisms for everything, they all know different things.
Keep the people informed, and enabled to help.”

Encourage Proactive Work:
As you identify and accomplish your first few goals and give some time back to your team, take the time to show how this process can snowball. Teach your stakeholders how to use their Subject Matter expertise to better assist in the automation efforts. Remind your team to follow the feedback requirements as closely as the previous procedures. Make sure team members are enabled to up-skill themselves as the automation takes away their tedious work and leaves more time for more intellectual work. Provide access to the processes for people to learn from. The more they know, the better their feedback will be able to further improve the process. If something doesn’t work for your team, they absolutely need to improve the process.
“Playbooks or run books can have a binary step, if it’s at the beginning, it can be captured early and the computation power can be given to another process.
A new detection rule can become a process, gathering the data normalization, detection rule. Define the beginning, middle and end of the process.
You can best guess an automated response if the threat is new.

The team has to be involved in improving that process. Make sure there is ownership of these processes.”

Bringing it All Together:
Now that we know our overarching goals and a few simple low-hanging goals, we can better design our processes to improve the ROI from our technology and our people. We can also use this to keep improving and adjusting our architecture using the feedback we receive from those who do the day-to-day work. We can now design new architecture with help from all teams by following the defined process. New improvements will start to surface as people get more familiar with the concept of there being a lot of automation that they are a part of and work alongside, confidently reducing tedium and toil!
“Want to make sure you are setting yourself up for success.”

Wrapping Up:
We discussed modernization of SOC operations and came to a reasonable conclusion that automation will need to play a larger role in how we tackle fighting adversaries. Designing for automation gives us that much more of an edge. Adversaries are all using automation too; in fact, most hacking is done via pre-defined tools and automation nowadays.
“Basically, we NEED to automate.”

Questions?
Q: It’s obviously a culture thing. Is there any one person, an SRE, whose job it is to go and find places that need automation and implement it?
A: In a perfect world, your SOC manager, though it’s normally the vendor. If the manager burned out, their team burned out, and they are not asking their team questions, they are setting themselves up for failure. If an org drops a product in three years, that’s losing money. Our vendor is a combination of firms; software engineers are usually the vendor in the context of a SOAR, and engineers and analysts work together to build it.

Q: Is it airgapped?
A: Currently no. We are cloud only, though we are FedRAMP High.

Q: I have not heard you say anything about AI?
A: We can chat later.

Thank you Tal!


Business Meeting:
Old business/New business/Membership Updates/Secretary: Meeting Minutes/Treasury Report/Social Media Updates

Old Business: CyberSocial, lot of great conversations, a great time! Audit committee finalized and presented.

New Business:
Election is open, please vote! (members only please): https://forms.gle/YC1oaxJxvQqBEDyN9

Holiday Party Potluck

Election Committee: Vote! ISSA-HR Board Election 2025-2026
As per Article IV of the ISSA Hampton Roads Bylaws: Election Committee: Johnnie Shubert, Richard Rychlicki

Nominations:
President: Evan Larsen
Vice President: NO nominees
Secretary/COO: Faith Walauskas
Treasurer/CFO: Peter Cook

Reminder from October meeting: Johnnie would like to nominate John Bos for vice president, and he wants to express his gratitude for him.
Evan has nominated Faith Walauskas for Vice President

Article V: Elections
Bylaws applicable to elections:
SECTION 1: The Officers shall be elected by popular vote, each general member in good standing to be entitled to one vote.

SECTION 2: The Nominating Committee shall consist of two members in good standing as selected by the Officers at the October meeting of each year (we are kicking this off early). Members in good standing may volunteer for this function.

SECTION 3: Elections shall be held during the December meeting of each year, or as determined by term, or moved as needed to accommodate extenuating circumstances such as hurricanes or Covid. When the election must be scheduled outside of December, every effort should be made to schedule as soon as possible. (i.e., every other year for 2-year terms; see Section 6 below.)

SECTION 4: The Nominating Committee Chairman shall prepare and distribute election ballots at least one month prior to the December meeting.

SECTION 5: Election results shall be announced at the end of the December meeting. Or at the beginning of the next meeting.

SECTION 6: The term of office shall consist of two years commencing at the conclusion of the December meeting.

Holiday Party Planning:
When: Monday, December 9th, 2024, 6-9 PM
Where: The Casual Pint, 3380 Princess Anne Rd. Ste 110, Virginia Beach VA, 23456
Food: Hors D’oeuvres provided. Order drinks and additional food from your server at your expense.
Register: through eventbrite by December 1st (Members $15, Non-Member $20)

Jon has donated $100 cash to the Holiday Party Paying it forward.

Conferences:
ShmooCon (the last one ever): Washington D.C: Jan. 10-12, $175, https://www.shmoocon.org/

SANS Cyber Threat Intelligence Summit & Training: Alexandria VA: Jan 27-Feb 3, $495 in person, Free online, https://www.sans.org/cyber-security-training-events/cyber-threat-intelligence-summit-2025/

CyberConVA 2025: Richmond, VA: Feb. 6, $200, $50 for students, https://rvatech.com/

Cyber Fusion 2025: Virginia Tech, Blacksburg, VA: Feb. 21-22, Free, https://cyberinitiative.org/events-programs.html/

CyberForge 2025: Newport News, VA: March 22-23, Early: $10-$20, https://www.cyberforge.cvcsa-cyber.org/

International Conference on Cyber Warfare and Security: William & Mary, Williamsburg, VA: March 28-29, $500 early, $300 student, https://cyberinitiative.org/events-programs.html/

CCI Symposium 2025: Richmond, VA: April 14-15, 2025, Early $200, https://cyberinitiative.org/events-programs/events-for-2025/cci-symposium-2025.html/

RVAsec 2025: Richmond, VA: June 3-4, $250, $200 early https://rvasec.com/

Thank you Roop for providing this month's list with the help of AI! It helps get an early look into next year.

We love to volunteer at local conferences! Great way to network, garner interest in our chapter. Some of the best networking opportunities compared to merely being a guest. We are always looking for people!

ISC2 Security Congress 2024, an Attendees Recap:


  • AI doesn’t know what you want it to do.
  • It’s good for some use cases but not all use cases.
  • AI will always rely on the humans behind it.

AI is NOT new to cybersecurity. AI aiding cybersecurity:
  • AI for SPAM detection: machine/deep learning classifiers
  • AI for intrusion detection: machine/deep learning anomaly detectors
  • AI for malware detection: Machine Learning (ML) based antivirus tools

Timeline:
  • Early 1990s: neural networks for anomaly detection first proposed
  • First polymorphic viruses; 1996: IBM begins studying ML for malware detection
  • 2002: ML methods first proposed for SPAM detection

AI is not new to Cybersecurity:

Q-Day and PQC:

Future State and Some Thoughtful quotes:

Thank you Brian F. for sharing key points and attendees’ opinion from your experience at ISC2 Security Congress October 14-16 2024

Membership Update:
Number of members: 52
Last meeting: 14 members, 9 visitors in attendance
If you are expired/expiring, be sure to renew your membership to remain in good standing

October 1st Meeting Minutes: Meeting recap on website:
https://issa-hr.org/issa-chapter-meeting-1-october-2024/

Presentation Speaker: Austin McKean My Crypto Theft: protecting your crypto assets in a digital world
Old Business: Cyber Social, Board meeting,
New Business: Election Committee Audit Committee, Holiday Party
Treasurer Report Balance: $4,329.15 recorded.

Treasurer Report:
Balance: $4,282.15
“Sunshine Fund” has really been helping out.

2024 Events Calendar:



2025 Events Calendar:

ISSA HR Google Workspace is going to be retired; will discuss migration options with Jon B.

Social Media:

Email Addresses: This will be updated post elections!:

Adjourn:
After Meeting: Networking Happy Hour @ Plaza Dellogado

Please give us feedback!: What did you like? Recommendations for future meetings? What could make your experience better?
Send your feedback to President @ ISSA-HR. Org

Thank you Roop for your service these past two years!