22 May 2024

Interview | SOC team spotlight: Tom Kinnaird

In preparation for a season of events that lift the lid on attack detection (starting with WTF does a SOC actually do? on September 8), we have been getting the lowdown from the members of our SOC and Engineering teams who will be presenting.

In this interview with Tom Kinnaird, Lead Microsoft Security Engineer, we cover everything from keeping up with the speed of change in cybersecurity, to why so few security teams understand what their external SOC is getting paid for.

Hey Tom. Tell us where it all began.

Tom: There wasn't one point for me. I do remember playing with our first ever home computer and breaking it, and straight away being interested in how it worked. I also got into playing Counter-Strike religiously when it came out. And a group of us got good enough to host our own server, which then enabled us to play with each other's machines remotely and try to knock each other offline. Films like The Matrix came out not long after that and Spooks was on TV too, where there was always someone from GCHQ. And I thought: this is cool; this would be a cool thing to do.

I went on to do my Cisco Certified Network Associate (CCNA) certificate in sixth form, then a degree in networks and security. Honestly though, it was what I did outside formal education that made all the difference. I was constantly messing around with stuff like Armitage [Cobalt Strike's precursor] in my own time.

When I discovered the offensive side of security and came across Black Hat and DefCon my mind was blown. I suddenly understood the scale of the security community and everything that was happening outside my bubble in the UK.

You mention Black Hat and DefCon. A lot of public focus and perception begins and ends on the offensive side of cybersecurity. How do you see your role within the security community as a defensive practitioner?

Tom: I think the red team side can be a lot easier to relate to. Attackers do bad things; red teamers learn from them and mimic their behaviour to help us understand what they do and why, and then pre-empt them. That sounds cool, right?

But if people ask what you do on the defensive side, you are like, "Well, I monitor networks and endpoints. I look for abnormalities and other signs that indicate an attacker is up to no good, so we can stop them." And it suddenly becomes a lot more complicated. It even took me a bit of time to move past the cliché hacker in a hoodie thing to work out what was really happening on the defensive side.

A previous company director said, "See yourself as working in law enforcement". That made it clearer. As a defensive practitioner, you exist to find people who are committing crimes. A victim gets phished, their password gets stolen, and their account is used to distribute spam - that's not just an inconvenience, that's against the law. It's a punishable offence. And my job is to find the perpetrator before or whilst they're doing this, work out how they've done it, and stop them.

I'm fascinated by my work. Rather than specialising in web, or cloud, or social engineering, or whatever, I have to understand how these interconnect. That's probably what drew me to the defensive side. It's not just one thing, it's everything.

Like being a highly skilled jack of all trades?

Tom: Yes, in the sense that my job is to understand the whole picture and build a kind of hunting map. I focus on learning enough to engineer the best defensive approach. That's why my job exists.

What is it like working in a SOC?

Tom: It's really hands on, which I like. It's what I enjoyed when I was studying networks. It's the "real thing". The red team builds all that valuable intelligence, then the blue team does something with it. I hear about a new attack, so I go and figure out how to detect and mitigate it. Both are important. We're playing cat and mouse and each side pushes the other to be better, which reflects how things are in the real world too.

This is why cybersecurity is constantly evolving, probably much quicker than anything else in IT. Whatever happened yesterday in IT is weeks old in relative terms in security. By the time you've detected a piece of malware, a whole bunch of other strains are already out there. Basically, you're never done. That's challenging but it's what keeps security people hungry.

Our customers are really understanding this now, aren't they? The fact that security is continuous. There's no end point.

Tom: Definitely. We're moving away from any thinking that says, "Our job is done here". That's really positive. More and more teams are working with an "Assume Breach" mindset and getting to grips with the fact that someone will always try and, many times, they will succeed. Honestly, it took time to get my head round it as well, especially because I'm responsible for detecting the threat. In my early days I was a bit paranoid about detecting and killing absolutely everything, but it's not possible and it's not even useful to approach detection like that.

As a red teamer or an attacker, you've got to be right 1% of the time. In the blue team, you've got to be right 100% of the time. It only takes one attack to get through. You can stop 10,000 attackers getting through, but one will get through. It was a big shift to think it's not "if" but "when" something will happen. You've got to follow the law of numbers. If you follow that, you're going to be better prepared to detect earlier rather than later when a threat has become a real problem.

We're moving in the right direction then. But what's missing from the conversation? Or, to put it a different way and focus on our upcoming event, what are the knowledge gaps that we still need to fill when it comes to attack detection?

Tom: The big question for organisations when their SOC gets outsourced is, "What am I actually paying for?" Leaders might be thinking, "I've only seen 6 alerts in a month, so what's actually going on?" But if the SOC is doing its job well, that individual isn't going to see all 300 alerts that come through and need investigation so they can be closed as benign false positives or marked as lower priority things. If you work in IT or security in-house, your whole existence is spent putting out fires; it's understandable that when you're suddenly not overrun with alerts, you think the SOC is just sitting there watching a screen.

It's not like that at all. Yes, we are in front of screens all day, but we're doing all kinds of things beyond just watching for alerts. We're proactive, not reactive. We're researching threats, we're building up a database of indicators of compromise so we can use them in our hunts, we're threat hunting, we're designing new ways to detect and isolate threats.

When a major priority 1 threat comes in, that's when a customer will have the most interaction with us, but what they don't generally perceive is all the work that enabled us to see that threat, raise the alarm, and respond as quickly as we did. It's the whole analogy of the graceful swan on the water with feet paddling constantly underneath.

We exist to make things work smoothly, so by its very nature the SOC looks like things are totally manageable until you're in the situation I just described. Even then, we have processes in place to ensure that when the worst happens, there is an orderly and pragmatic way of controlling it. Nothing should ever feel hectic or overwhelming to the customer. That's the point of an external SOC.

What do you hope people will learn from the event in September?

Tom: One of the key things I want to show them is the amount of work that goes into simply being able to confirm that there is a threat on a network. If you're building your own SOC or outsourcing it, I think it's hard to have any real idea about how much work is required. It's not a case of turning on the SIEM or the endpoint agent, leaving it for a few hours, and waiting for it to generate the data you need. These things need to be deployed to work with your environment and telemetry and then tuned, continuously. Without that, your defences can't do what they need to do.

What are you most looking forward to sharing with the audience?

Tom: Very simply, what security teams do day-in, day-out and how we think. That knowledge is kind of locked down at the moment.

Keep a look out for our popular webinar "WTF does a SOC actually do?" in the events section, along with any of Tom's other webinars.