
H&R Block seeks out open-source expertise for SOC

College graduates and cert-holders certainly make for valuable hiring candidates. But dig a little deeper and you’ll find that contributors to open source projects constitute an overlooked pool of talent who can bring diversity of thought and experience to your security team.

Take it from Carraig Stanwyck, manager of global security operations at Kansas City-based tax services provider H&R Block, which recently rebuilt its security operations center using open-source technology, after ending its MSSP contract.

Upon joining the company in May 2019, Stanwyck grew his in-house SOC staff from just six employees to 40, including several employees who have leveraged their open-source experience to become key members of the team. Before that, Stanwyck built an open source-based SOC for the U.S. Department of Agriculture as its information systems security program manager. Coming from a U.S. Army intelligence background, Stanwyck understands that security talent can spring from all sorts of unexpected places.

With open source technology, “you get a lot of enthusiasts that may come from atypical backgrounds. They may not have all the certs… yet they are able to come in and perform often better, because they were already able to play with those products ahead of time,” said Stanwyck.

Stanwyck’s SOC projects have leveraged such open-source solutions as the Zeek network analysis framework (formerly known as Bro), the TheHive incident response platform and ELK, a stack composed of the Elasticsearch search engine, the Logstash data collection engine, and the Kibana data visualization dashboard. The company has also contracted with Corelight, a security firm whose network sensors are built on Zeek.

On the flip side, just as security leaders should be scouring the open source community for talent, contributors to open source projects should be thinking about how they can use their unique skills to propel their careers forward, according to Bernard Brantley, the newly appointed chief information security officer at the aforementioned Corelight.

Brantley is a former security engineer at Microsoft who helped build the open source network security infrastructure behind Xbox Live.

“I was basically brought in because I had experience [on] the open source side and knew things at the deep and technical levels that many of the employees that were there then did not have or understand,” said Brantley. “To come into Microsoft – a major enterprise – and leverage my understanding and usage of open source to state, ‘I'm here, I'm good, and I have something to provide, in excess of what it is that you asked of me,’ was awesome."

Brantley quickly climbed the ranks from contractor to full-time employee, before later becoming the threat hunting and threat intelligence lead for Amazon consumer payments. Then just this past March, thanks to his previous experience implementing Corelight technology at Microsoft, Brantley was officially named Corelight’s CISO.

“My ability to speak directly to the folks at Corelight about how I use their technology as a solution to my immediate problem – which was securing the network at Microsoft HVA [high value asset] services – more or less unlocked opportunity for myself to be a thought leader and present ideas to accelerate my career,” Brantley said.

Brantley hopes his experiences can inspire other open source enthusiasts to follow a similar path. To spread the word, he’ll be speaking next week at a virtual RSA Conference session titled “Open Source as Your Career Catapult” (followed by a live, interactive deeper dive into the topic).

SC Media interviewed both Brantley and Stanwyck about how open source projects have helped shape their respective careers, and what attributes and skills open source community members bring to the table.

Bernard Brantley, Corelight

Bernard, what’s the core thesis behind your upcoming presentation at RSA?

Bernard Brantley (BB): The core thesis is that open source is a career accelerator. [It’s about] basically leveraging the openness and availability of open source technologies to find a route to what your desired outcome is. 

I've always been a bit of a dreamer. I've looked at where it is that I wanted to be and what I wanted to do and worked backwards from that… and my path has always been through open source. And I [am now] able to relate that experience to those in the audience and hopefully to a broader audience to say, “Listen, this is possible – and not only is it possible, there’s levels of achievement out there that you probably were not aware of.”

Building off of Bernard’s thoughts, can you explain, Carraig, what went into H&R Block’s SOC transformation and how open-source factored into that, in terms of tech and talent?

Carraig Stanwyck (CS): When I started at H&R Block, they brought me on board to rebuild the SOC, and that was actually one of the requirements – we're going to be a Zeek shop now. At the time we didn't have all the engineers, so we went with Corelight for an easier implementation because it comes pre-packaged. And we were able to grow the team.

In the first year, we [transitioned from our] MSSP and brought that in-house... We brought engineers onto the team so that we could actually have engineering functions for automation and for the actual deployment of tools. We deployed TheHive that first year.

Officially, we went 24-7 internally two weeks before we had to send everybody home for COVID. So we were kind of transitioning, everybody moving to their homes, trying to do 24-7 ops from home. It was pretty wild. But it was successful. We did well.

A lot of the team have played a role in the open source community or are huge fans. [One of our employees] was a huge fan of TheHive. She had built TheHive all the way up. She really recognized it, she understood it. [Another member of my team is] a Bro fanatic, and so I could bring him in and he really understands the logs and how that works, because of that experience of being able to play with it at home.

What advantages do members of the open source community have in terms of unique skills, knowledge and experience that can help both themselves and their employers?

BB: I started my career in a way that not many in this industry do. I think mine was out of pure necessity. I was in a place where I absolutely hated what I was doing before I needed a change. I had no idea how to change, I didn't have the resources to go pay for school. Basically, I was willing to do whatever it took... And in came open source and it became a path and period of discovery, but it was also very difficult, in that with the jobs that I took, the response was usually: “Read the manual… learn what you need to learn and then come ask me a question that's reasonable and leads to your growth.”

But I think the grit it took to get through what it was that I wanted to achieve and learn specific open source technologies gave me superpowers in a lot of ways. One, that I know regardless of what it is, I can figure it out. And secondly, I am very confident in my ability to go research, apply, demonstrate, and then build on that.

And I think that comes along with working on open source projects. That if you get involved, you will find these things in yourself, and it gives you a leg up on the rest of the industry. It's not like you've been taught some very specific, very targeted thing and now you just go do that thing… Being in open source and seeing what's out there and how broad it is and how deep you can go, it just opens you up to apply that to all other areas that you [want to] involve yourself in – which is such a natural fit for security because a lot of security is going down rabbit holes.

Carraig Stanwyck, H&R Block

CS: I have historically been a big proponent of intangibles over certifications. On my team, we don't care what certs you have, we don't care what college degree you have. We care whether you have the passion and drive to come in and learn. Cybersecurity changes so rapidly, I don't care if you graduated yesterday with a four-year degree. Next year, it's a whole new world already.

In the open source community… everybody is on the same team. If you go out to the forums and the blogs, everybody's asking whatever question comes to mind. And there's a really cool environment where you don't really see a lot of, “I'm better than you” or “why would you ask such a stupid question?” And so that translates to employees who are willing to go and Google stuff, or say, “Hey I don't know, but let's go put it on the forums and see what people say.” And ultimately, I think that has allowed us to have fewer blind spots, because we built that culture of making it okay to go and ask questions. It's okay not to know, it's okay to rely on the community support… That has really resulted in better engineers.

And you don’t get that kind of experience if you’re primarily working with proprietary products?

CS: If you get it off the shelf, if you get a Microsoft product, you go and you click install on it and you're done. And if you have a problem, you reach out to technical support and they take care of it. You don't get that in the open source community. It's a different kind of support, because you have the community support… it's more of a collaborative problem-solving approach.

I'll give a good example. We brought an intern in a couple of years ago and she's actually one of my superstars now. Her name’s Elizabeth. And we started her with ELK... “Go play with it, go figure it out.” And so we gave her VMs and said go install it.

And with the support of the community, she not only installed an entire ELK stack on her own… but as a big basketball fan she also imported all the data from the NCAA and built her brackets based off this ELK stack. 

And then from there she might have done 70% of the lift on our SIEM rip and replace.

When you get people passionate about the process, they can figure anything out. And that empowers them and makes them cross functional. You can throw any tool at them, and whether they know it or not, they know that they can go find a community… and build that out. 

Do you think the open source community is still a largely untapped area of talent? Are organizations failing to take advantage, perhaps out of a concern that open source experts’ knowledge on proprietary software might be limited?

CS: I can go on for days on how hiring has been done so poorly in the cybersecurity arena.

I think that there are a lot of companies that have this idea that if they use one type of technology, they need people that have experience in that same type of technology. And if they use off-the-shelf stuff there may be some truth to that. If people aren't forced to go figure stuff out, if they're handed everything on a plate, and they have paid technical support to handle any problems, then they're probably going to be more fixed on a subset of tools.

But the cool thing when you grow up in the open source community and you have that kind of culture is you can throw those people at anything… Give them a week, they'll have to figure it out… And that's created extremely flexible, extremely high-performing employees, which has allowed our team to really mature at a pretty incredible pace.

We can take whatever tools we want and implement them – because we have the skill sets that aren't siloed due to just how they approach their problem-solving.

I would make it a priority to tap the open source community… they have the drive, the passion, the mindset to go and succeed. So whether I was leveraging open source tools or not, the open source community would be key.

BB: [It’s] a question of responsibility. There's responsibility on the side of the companies that they are taking care of their employees, that they're targeting the right talent sources, that they are well aware of who's out there, what's out there and what they need.

On the other side, there's a responsibility of the talent pool to understand what it is that they're getting out of open source technology. Are you trying to sell yourself as an expert in Apache Snort or Zeek? Or are you taking the theme of what it is that you're learning and relating that to any business that's out there? As in: “This is what I'm capable of. I now understand these core concepts and I'm able to deliver… on these things. And this is what you're getting from me, it just happens that my route to this level of understanding is open source.”

What about using the open source community to find more diverse candidates, particularly diversity of thought?

BB: Diversity of thought is the biggest thing because when you give people the space to solve problems in the ways that they want to… it gets very interesting to rework or step back and walk through how they got to the place that they're in. Everybody’s contributing in open source to that same common goal. Or maybe you're using that same common goal to find unique and interesting outputs. But at the end of the day, all we're really concerned about is: Do you have the capabilities to do X, Y or Z? And can you demonstrate those? After that, you're in the door, and let's start understanding and exploring how best to use or leverage the things that are in front of you.

I had an old manager that would say to me, “You present people with the path to walk down, and then you watch how they choose to go about it. And at the end of that path, they will typically have walked a route that you never understood existed, and you will be happier for having watched it – and what they bring to you at the end is far beyond what you thought that they were going to bring…when you started them down.”

CS: I've also found the open-source community has a lot more diverse candidates… [including those starting second careers].

That's been the historical challenge. When I ran the SOC at the USDA for two years, I didn't interview, let alone get an application from a single female candidate. Not one in two years. Now my team’s 50-50 [men to women].

I think there's still a lot of historical, legacy mindsets that to be in cyber you’ve got to be a geek. I came into it from the military intel world, I didn't have cyber experience, but the skill sets are translatable. And now we're seeing that the more ideas, the more perspectives, the more different backgrounds that I can bring, the more powerful our team is because they approach problems at all different angles to find the right one.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
