Friday, July 1, 2011

An Interview with Cindy Murphy

This is turning out to be the summer of interviews here on the blog. I am working on some right now that I am very excited about that deal with topics such as mobile devices, incident response, and security operations. This interview is with Cindy Murphy, who is one of my favorite digital forensics people. Cindy has made a name for herself by being heavily involved in leading the field in technical areas such as mobile device forensics and as a leader in several industry organizations.  This interview turned out to be one of my favorite ones to do so far because Cindy can discuss any topic in an entertaining and informative manner with her unique blend of insight and humor. Cindy is also a fellow native Iowan, so that is always worth bonus points. Additionally, Cindy was recently part of a fantastic all-female panel for the Forensic 4cast podcast, which you can find here.

Professional Biography of Cindy Murphy

Cindy Murphy is a Detective with the City of Madison, WI Police Department where she has been employed since 1991. She has been in law enforcement since 1985 when she started her policing career as a Military Police Officer in the US Army. She is a certified forensic examiner (EnCE, CCFT-A, DFCP), and has been involved in computer forensics since 1999. Det. Murphy has directly participated in the examination of hundreds of hard drives, cell phones, and other digital evidence pursuant to criminal investigations including homicides, missing persons, computer intrusions, sexual assaults, child pornography, financial crimes, and various other crimes. She has testified as a computer forensics expert in state and federal court on numerous occasions, using her knowledge and skills to assist in the successful investigation and prosecution of criminal cases involving digital evidence. She is also a part time digital forensics instructor at Madison Area Technical College, and is currently working on her MSc in Forensic Computing and Cyber Crime Investigation through University College in Dublin, Ireland.

Detective Murphy has provided training for her department, outside departments, and the public in the areas of computer crimes, Internet safety, and digital forensics.  She has provided rank specific and specialty specific training to detectives from Madison Police Department and other Wisconsin Law Enforcement Agencies in the use of computer evidence in criminal investigations. She has also provided training at the state and national levels to prosecutors in the use of digital evidence in criminal prosecutions and regarding expert witness testimony in digital forensics cases.  She also developed and published “The CDMA Fraternal Clone Method” as well as several documents and white papers regarding the methodology of processing of cell phones as evidence. Detective Murphy is the president of the west chapter of Wisconsin Association of Computer Crimes Investigators (WACCI W), and is a member of the Chicago Electronic Crimes Task Force, High Tech Crime Consortium (HTCC), High Tech Crime Network (HTCN), is a board member of the Consortium of Digital Forensic Specialists, and is a member of the International Guild of Knot Tyers (IGKT).

AFoD: What led you to become a military police officer?

CM: I guess ancient history is as good a place to start as any, huh? Hmmmm.... 1985.  Let's do the time warp again... again.

I was a senior in High School at West High School in Iowa City, IA (Go Trojans!) and really didn't know what I wanted to do with myself after high school.  I knew I was good at school, but wasn't really sure what I wanted to study in college or what I wanted to be when I grew up, except for a vague dream of becoming a bush pilot in Alaska some day  (yes, really.... stop laughing Eric!) 

My twin sister Becky (identical, hash matching sister that is) had been contacted by an Army recruiter and dragged me down to the recruiting center to take the skills test with her – no commitment required, of course.  We both set the curve on the ASVAB test, and afterwards a sharp recruiter asked me what I wanted to do with my life, and then promised that by becoming an MP (95B at the time) I could get stationed in Alaska after training - It was even written into the contract I signed.  I thought my ship had come in and that providence was lighting the way to my future...

So, off I went to Fort McClellan, AL for Basic and AIT.  After graduation, I received my orders - fully expecting to end up in Alaska. I couldn't believe my eyes when the orders read "Fort Polk, Louisiana."  I actually probably could have legitimately gotten out of the Army at that point, but I have never been a quitter.  I got to see Alabama, Louisiana, Honduras, a tiny piece of Nicaragua, and a little bit of Germany while I was in the Army.  I also met and married my first husband and had my daughter by the time I was 20.  I took to the policing role like a fish to water, and found that I really loved it.  In 1988, the year my daughter was born, I left the Army and moved to Massachusetts where I was offered a job as a VA Police Officer at the Brockton and Boston VA Medical Centers. I started college at Bridgewater State College where I studied Graphic Arts with a Criminology minor.

Three years later, I saw an ad in Police magazine advertising police officer openings in Madison, WI.  I had studied the concept of Community and Problem Oriented Policing and had read about the great work done by then Chief David Couper and Professor Herman Goldstein at the University of Wisconsin. I applied for one of 24 police officer positions among a pool of over 1200 applicants.  When I got the job offer, I jumped at it and have loved it since the beginning.

I haven't made it to Alaska yet, but I'd sure like to go someday. 

AFoD: Sure, we can do “The Time Warp” again. After all, it's just a jump to the left and then a step to the right. How did your career progress with Madison and how did it eventually lead you into digital forensics?

CM: I joined Madison Police Department on August 12, 1991 with 23 other hard charging people. The academy started with a ropes course and a trek into the bowels of a deep dark Wisconsin cave where along with building confidence and reliance on ourselves and our classmates, we learned that Wint-O-Green Life Savers really do spark in the dark.  After the academy and field training, I spent my first year working nights on the East side of Madison, and then moved to second detail in the South and East Districts, and eventually to day shift in the North and East Districts. I loved patrol work dearly.  Not being tied to a desk and being free to do foot patrol and take on community problems when not at work on dispatched calls was a really good experience.  I got to know the people and businesses and conflicts and strengths in my various beats extremely well over the next 9 years.

There is no other job like being a police officer.  You see people and communities at their absolute best and at their absolute worst, and you learn your own strengths and weaknesses along the way.  I learned that I was a great problem solver and that I have the ability to see not only the larger problem, but the small problems that make up the larger problem.  I also learned that when it comes to a chase, I'm a bit like a Chihuahua after a pork chop - read that "relentless".  Being a good problem solver is pretty obviously a strength.  Having an on-only switch when it comes to a chase can be a strength, but can also get you hurt. In my case, several foot chases I was in resulted in injuries.  In the fall of 1998 I was involved in a high speed chase where an armed subject ran from a stolen vehicle after he crashed it.  I continued the chase on foot, which took both of us over a 5 foot chain link fence. Several hundred yards beyond the fence, another officer and I were able to tackle the suspect, disarm him, and get him into handcuffs. The other officer then kindly pointed out to me that my pants were torn from crotch to knee and I was bleeding profusely.  It was only then that I realized through the adrenaline and endorphin rush that I had not made it over the fence unscathed but had messed up my lower back and lacerated my hamstring in the process.  After a patch-up at the ER and several months of PT later, I returned to the streets determined to be a smarter chaser.

While on light duty, recovering from that injury, I caught the digital forensics bug.  I worked with a now long-retired detective from our department named John Mulcahy on one of the first computer forensics cases our department had done.  We worked that case using DOS commands on a DD image of the suspect's computer. It was a different and fascinating set of problems to solve, involving skills my dad had shown me when I was a kid.  I put in a training request to go to the NW3C's Basic Data Recovery and Analysis class and ended up attending in Helena, MT in 1999 with my twin sister (strangely enough, we didn't plan it that way - she was working in network security for Yellowstone County, MT at the time, and they sent her to BDRA too).

So, several months later, back on the streets, healed from my injuries, and a new fan of digital forensics, I got into another foot chase.  I'm not sure where my 'smarter chaser' attitude went, because when I came across 3 teenagers spraying graffiti under a bridge and they saw me, they took off running, and I took off right after them.  I chased them through a ditch beside the highway through waist-high grass, alongside a parking lot where rain water runoff had etched out a three foot deep canyon that I didn't see because of the waist-high grass.  All three teenagers made it over the gully.  I almost made it over, but ended up blowing out my right knee - LCL, MCL, PCL and meniscus as I fell short, a$$ over teakettle into the trench. Another trip to the E.R., a round of knee surgery, and another long stretch of PT later, I came out in relatively good shape.  I went back on light duty, and worked on updating the department's web page and helping out with a new computer forensics case.

After consultation with my family, (who needless to say had come to worry that I was a hopeless klutz) I wrote for and was promoted to detective in 2000.  I started out working General Assignment the first 6 months or so, and then became a Financial Crimes detective.  During this time, I was also being tasked to help with computer related cases where they came in, and over the next several years they took over more and more of my case load until in 2003 the department created a new position in the detective bureau for Computer Crimes, and I was assigned to working computer crimes and computer forensics full time.

AFoD: Ouch. Ouch. Ouch. So what you are telling us is that one of the finest computer crime investigators in the field today came into being because the City of Madison was concerned it was going to run out of storage space for your medical records? My own patrol injury stories aren't nearly as good. They generally involve being bitten by dogs and wiping out on the ice shortly after getting out of a patrol car. I agree with you wholeheartedly on the value of a solid patrol education. I learned an incredible amount about people and myself during my patrol days that I still use each day in the private sector.

I also think there are many intangibles you get out of that initial academy experience beyond learning basic police skills. You learn a tremendous amount about yourself and how to operate as part of a team. You also learn it's really funny to watch your buddy get sprayed directly in the face with Oleoresin Capsicum (pepper spray) while the rest of your buddies laugh like hyenas. It's a barrel of laughs right up until the point where it's your turn to get sprayed.

What has it been like being a woman who entered law enforcement in the mid-1980s? Have you encountered any sort of sexism or similarly bad behavior?

CM: First of all... Aw shucks! I certainly wouldn't have the reputation I have in forensics without the dozens of really smart forensic folks out there who I've gone to for help on various problems I've encountered over the years, nor without the support of my department putting me through a whole lot of training.  One thing is for sure in this business - there's no way for anyone to know everything they need to know, so having a great professional network and keeping your own training and education qualifications up to date is really important.

There are some universals in policing, aren't there? I've had the obligatory dog bite and ice slips, as well.  It seems that Murphy is never far away and is forever enforcing The Law.

I think that any woman who has been in this (or any other male-dominated) field for any amount of time has faced a certain degree of 'sexism or similarly bad behavior' at one time or another. Luckily, I was one of three daughters raised by a feminist father and an extremely confident, skydiving other-mother. The message in our household was that we could accomplish anything we set our minds and hearts to. 

A few examples: In the Army, I had many male soldiers offer to dig fox holes for me, and a staff sergeant who stalked me and left gross messages on my answering machine.  On the street, I've had men volunteer to be handcuffed and who commented on how they loved women in uniform or women in positions of power.  Just a year or so ago a retired forensic investigator (not digital forensics) from my department commented to me after my testimony in a homicide case "my you've gotten smart haven't you, young lady?" My response to him?  "I've always been smart, you were just never smart enough to see it."  I didn't want to come across as bitchy, but he sure wasn't concerned about coming across as condescending and sexist.

Misogyny generally sticks out like a sore thumb.  It's easy to recognize and can raise its ugly head when someone of the opposite sex feels threatened by a strong and competent woman. Oprah said that "excellence is the best deterrent to sexism or racism" and I believe that to a certain extent that is true. On the other hand I also believe what Clare Boothe Luce said: "Because I am a woman, I must make unusual efforts to succeed.  If I fail, no one will say, 'She doesn't have what it takes.'  They will say, 'Women don't have what it takes.'"

I think that women bring a very unique and needed perspective not only to policing, but to digital forensics as well.  We have a creative and collaborative approach to problem solving that is a good fit in these roles. If you look at the sea of faces at any given forensics conference, and note the gender inequality, you'll see that we have a long way to go when it comes to recruiting and supporting women in digital forensics.  For the most part though, I have felt very accepted and respected among my male peers in the digital forensics community. More thankfully, I believe that the respect and acceptance I've garnered in this community is based upon my brains, my skills, my work, and my willingness to work with others rather than on my gender. And that means we truly have come a long way since the eighties.

AFoD: Can you tell the readers what your job is like on a daily basis?

CM: I work Monday - Friday 7:45 am until 4pm with every third Monday off for what I believe to be one of the finest police departments in the country.  Every work day begins with Detective briefing, during which each of MPD's five districts share information about the cases that have happened in the past 24 hours, and about events such as search warrants and lineups that require extra assistance from other district detectives.  After briefing, I head upstairs to my office and lab to check for new lab requests and answer email and voicemails.  Then, I turn on Pandora and I dig into whatever happens to be in my caseload at the time, and I pretty much keep at it until the end of the work day.  There are days when I look up at the clock and realize that it's 4:15 or 4:30, and that I should have left already.

Some days I get out of the office to help other detectives with a particular case, interview, or search warrant, or to the DA's office to consult with the attorneys there over cases from my jurisdiction or others.  Some days I work on developing training or presentations, and others I may be writing search warrants or subpoenas or researching a particular forensic artifact or problem that's relevant to a case I'm working on. Some weeks are wrapped up in trial preparation where all of my time and efforts are spent on getting the digital evidence end of things ready for trial.  This can even mean helping the DA's office by doing legal research and helping to prepare direct and cross examination questions, depending on the type of case, the experience and knowledge of the attorney, and the attorney's own crazy work load.  And some weeks, I get to go to a digital forensics or investigative conference and present on my work. I like those weeks a lot, as they are a chance to recharge my batteries and fuel my imagination about what's new in the field, but going back to the case load is always rough, because no one is working on my ever-growing to-do list while I'm away.

A friend of mine once expressed an analogy about detective work that I think fits pretty well for digital forensics in law enforcement.  Doing this job is like being a chef at a 10 burner stove, and nearly everything you have cooking is ready to boil over at any given moment.  As the chef, it's your job to make sure the food still comes out perfectly, which generally means lifting the pots off the burner long enough to stir them before setting them down to work on the next. When something is finished, you get to present it to the customer, but there's always another boiling pot to take its place. Only as detectives, our boiling pots are felony cases involving real victims, witnesses and suspects.

Each case involves living, breathing human beings with a vast variety of backgrounds, feelings, hopes and fears, biases, addictions, and expectations.  And we have to get it right because the stakes for those real people are so high. We have to be sure we have legal authority to do the things we do, and that we always scrutinize our work to be sure we've done everything we can, and have done it right.  Of course, we are human too, and we all make mistakes - when we do, it's our job to find them, correct them, and learn from them.  Sometimes the mistakes actually teach us more than the things we do perfectly.  The harder part is that we're being asked to do more and more with less and less, in a situation where we really didn't have that many resources to begin with.

Because of limited resources, with very few exceptions, every case I work on is a felony. When an individual's life story becomes involved as victim, suspect, or witness to one or more felony crimes, their story is by its nature compelling.  There are literally hundreds of memorable stories that have emerged from the cases I've worked on over the past 12 plus years of doing digital forensics. I've worked a number of fairly high profile cases over the years, including the first computer crimes case charged under the Patriot Act, and have had one case go to the US Supreme Court and another go to the Wisconsin Supreme Court. To me, the small cases can be as interesting as the big ones, depending upon the story behind the evidence.  They say that the truth is stranger than fiction. I've seen some of the strangest truths out there doing this work, and the stories behind the cases are the main reason I find the work so compelling.

AFoD: Can you talk about your case that involved memory forensics?

CM: I guess the case I'm probably best known for is the Madison Police Radio interference case involving a hacker named Rajib Mitra.  That case was compelling enough on its own, but as with so many cases, it became two cases when I found encrypted child pornography during the forensic examination of his hard drives.  With a great deal of help from Milwaukee Det. Rick McQuown we broke the encryption on Mitra's drive and were able to charge and successfully prosecute Mitra for possession of child pornography and child exploitation.  The original computer crimes case began back in 2003, and the child exploitation case just ended this spring. Unfortunately, the day after he was sentenced in his child pornography case, Mitra committed suicide in jail.

From January through November of 2003, my police department experienced a series of intentional jamming attacks against its newly installed computer controlled, trunked radio system.  There were three distinct attack methods used over the course of those 11 months, and Mitra was eventually identified as the suspect and then apprehended, prosecuted, convicted and held responsible for the attacks. The three jamming attacks looked like this:

1) Between January 15th and August 15th 2003 there were, at minimum, 21 jamming incidents where radio communications within a small geographical area of downtown Madison were interfered with. Police Officers, Fire Fighters, and Emergency Medical Services personnel in the affected area couldn't send or receive radio transmissions for short periods of time, generally around 15 to 20 minutes per incident. During these incidents, the error code "no system" was displayed on the screens of officers' portable and squad radios. These "no system" outages generally corresponded with police calls involving bar fights or other radio-dispatched emergencies that occurred in the immediately affected geographic area.  Obviously, for those officers in the area when the radio system was being attacked, this was a really dangerous situation.

2) During the night of Halloween, 2003 a steady rogue tone was broadcast on the control channel frequency, effectively blocking emergency communications over a large geographical area of Madison and Dane County, Wisconsin and creating a significant safety hazard for public safety personnel and the public. Three times the control channel was manually switched to an alternate frequency in an attempt to alleviate the problem; and three times the attacker redirected the jamming signal to the new control channel frequency. Due to the nature of this interference it was readily apparent that intentional sabotage was the cause, as the rogue signal followed the legitimate one several times. This was a really dangerous attack considering that Madison traditionally has a large Halloween celebration each year that sometimes tends to end in riots anyway.  2003 was one of the riot years, by the way.

3) On November 11th, 2003 things got really strange.  MPD experienced additional problems with intentional radio interference consisting of thirteen sexually explicit audio clips piggy-backed onto the end of officers' legitimate transmissions over a 2 1/2 hour period of time. The transmissions were broadcast across the repeaters and affected the entire city and county geographic area. The piggybacked pornographic transmissions were audible to anyone monitoring radio traffic with a police radio scanner. While the thought of porn being played on police radios might at first seem funny, the natural reaction for officers on the street was to turn off their radios, effectively putting them out of communication with dispatch.

I was assigned as the lead detective on the case after Halloween when it became obvious that the attacks were intentional.  One of the first problems was that unless an attack was ongoing, there was no way to trace where it was coming from.  I then engaged in a super-crash-course on computerized trunked radio systems, soaking up as much information as I could about how they work.  Thankfully, some of what I learned then applies nicely to cell phone investigations. Next, we basically put together an incident response team.  We didn't call it an IRT, but the same concept applies.  If you think about it the first two attacks described above are basically DoS attacks against the radio system, and the third was an intrusion and unauthorized user on the system. 

November 11th (the night of the porn broadcasts) was literally a dark and stormy night.  It was cold, windy, and thunder-storming. Mitra was convicted in a Dane County courtroom for a speeding ticket, and left the courtroom angry.  45 minutes later the explicit broadcasts started, and the Officer In Charge initiated our response plan, calling in the people who had been prepping in the 10 days since Halloween. We tracked the intermittent rogue signals to an apartment building, but didn't get enough information to make an arrest that night.  We backgrounded everyone in the building until we came across Mitra, who had two previous hacking convictions and was a licensed ham radio operator.  Two days and a marathon search warrant writing session later, we served the warrant on Mitra's apartment, and arrested him on his way home from class at UW.

Mitra invoked his right to a speedy trial in the federal court system, and so within 90 days, we had a jury trial, after which he was found guilty and was sentenced to 7 years in federal prison followed by 3 years extended supervision.  It turned out to be the first computer crimes case charged under the Patriot Act, though I didn't know that at the time. He appealed the case all the way to the US Supreme Court, which declined to hear the case on Halloween day, 2005. In the meantime, Mitra sued me civilly to get the data on his hard drive back (I had returned his property to his parents at his insistence following the exhaustion of his appeals, but had wiped the drives because of the suspected child pornography on them). He wrote letters to the DA's office and other investigators involved in the case accusing me of being dishonest and even asking that I be charged for perjury.  His writings made some things really clear to me - first that he blamed me and "the system" in general and not his own behavior for the situation he found himself in, and second that he really, really wanted his data back.  Up until this point in my 20+ years of policing, I had never been sued or even accused of doing anything wrong.  Call me Officer Friendly Mc. Goody-two-shoes... I follow the rules in policing, and they have never steered me wrong!

The process of dealing with the legal demands from his appeals and civil suits kept the drive and its encryption problem on my front burner.  I went to a WACCI conference in June of 2009, and heard Rick McQuown talk about pulling encryption keys from hiberfil.sys files, and afterwards sent the registry files and then the full drive image to him.  Several days later, I got a call from him and he asked me, "Are you sitting down?"  I knew right away that he had good news - I will never forget that day.  He walked me through the process he had used, and voilà! Forensic magic of the best kind!

So, then I tracked down his victim and interviewed her, put together the new images case, and sent it to the DA's office.  A co-worker who was aware of all the headaches and stress I had gone through with the appeals, false accusations, and civil suits asked me something that I still think about once in a while.  She said, "Now that the first case is over and all of his appeals and civil suits are done with, is this really worth it?"  I thought of the very predictable upcoming suppression hearing, followed by another jury trial, appeals, and the potential for more lawsuits.  In the end, the answer for me is that it doesn't really matter whether it's worth it to me or not - it was my job to do it and to do it to the best of my ability.  So, there was a nasty suppression hearing in December 2010 where I was basically accused of conducting a warrantless search (with three warrants in place), planting CP on the drive back in 2003 to be found later (matching MD5 hashes ROCK), and of planning the timing of the second prosecution to coincide with Mitra's release from prison (like I control the timing of anything in the criminal justice system), among other things.

Then we were off to the second jury trial in January, where the victim had to testify and have her photos shown to 13 complete strangers, the judge, the attorneys, and the defendant.  Mitra testified on his own behalf and the jury came back in just around three hours with guilty verdicts on all counts: 8 counts of possession of CP and 2 counts of manufacturing CP.  He was sentenced in April 2011 to 6 1/2 years in state prison followed by 7 years extended supervision, with no possibility of any use of any digital device until after supervision.  The day after sentencing, he met with his attorney, filed his appeal and then hanged himself, after sending a suicide note to a media outlet.

I began this story by saying his suicide was unfortunate, and I believe that it was.  He left his parents with all sorts of unfounded and unanswered questions and planted blame before he left.  He left his victim, whom he once claimed to love, with enormous amounts of guilt and put her through hell along the way.  He never did truly understand the impact of his actions on the people around him.  He left the world having wasted enormous potential with his intelligence and technical abilities.  A reporter recently asked the question whether Mitra was the dangerous man portrayed by the court record, or the kind and funny man portrayed in his letters to an acquaintance that he wrote from jail.  I don't think he was either one or the other - the truth is he was both.  And when it comes right down to it, he was a social engineer, able to use what charm he had and his intelligence to manipulate the world around him.

He also left me with several lessons that are important for all high-tech investigators and forensicators. 

1)  In his civil trial when trying to get his data back, Mitra* told the judge, 'My hard drive is an extension of my brain, and she took it away from me.' 

2) In a phone conversation with an ex-felon who asked his advice on whether to buy an iPhone or an Android, Mitra answered, 'You should get the iPhone. But me? I'd get the Android because it's more flexible and I could do more with it.'  What I heard was 'Watch out forensicators - that's a Unix box on a very large network of Unix boxes with users who know nothing about Unix security!'

3) In his sentencing hearing in April, the day before his suicide, Mitra told the judge 'I always made my own definitions of right and wrong.'

4) Genius without conscience and without empathy is dangerous and wasted.

So... back to those chases that always seemed to end in injury... am I a smarter chaser than I used to be or am I just plain relentless? Again, I think the answer is both.

*Disclaimer: these aren't exact quotes; they are my personal recollections of his statements.

AFoD: That brings up something that you and I have talked about before privately. One of the things that we've learned doing this work is that in some cases a digital forensics examination can feel like a psychological exploration of another person. Sometimes a deep exploration of a person's digital media can feel like you are spending time in a person's mind. In your case, you are spending a considerable amount of time examining digital evidence that was used by people who are deeply involved with the sexual abuse of children. That has to be very disturbing at times. Do you ever get used to doing those types of exams? What do you do to protect yourself psychologically?

CM: I’m certainly no psychologist or psychiatrist, but any examiner who has looked at large numbers of computers and cell phones belonging to different people understands fundamentally that those devices reflect the personal interests, activities, and thought patterns of the person or people who use them.  Even how the file structure is organized (or not) can give clues about a person’s usual (or unusual) behavior and habits. I have openly predicted that as we move into the future of digital forensics, a new branch - let's call it "Computer Forensic Psychology" will develop based upon this phenomenon.  There are already people whose job it is to background and profile people based upon the contents of their personal electronic devices and the information they post publicly on the Internet. 

Computers are a fabulously convenient way for people to explore and develop their interests, legitimate and otherwise.  That exploration can lead to or facilitate an already existing double life, and those double lives are often what gets people into trouble - at home, at work, or with the law. When people use their personal computers and cell phones, they're generally not thinking about what they have to hide, and if they do think about it, often their impulse to engage in whatever secret life they're exploring ends up outweighing their thoughts about the consequences if they're caught.  People often comment on how 'stupid' the people are that we catch, and my usual reply is that the people we catch aren't necessarily 'stupid', but rather they are impulsive.  In fact, as we can see from headline after headline, some really smart people engage in really impulsive behavior using their computers and cell phones, despite the obviously really high stakes of getting caught. 

As you, and many other forensic examiners have experienced, it can be somewhat disorienting to spend long hours picking around in the "extension of" another person's brain.  The fact is, stuff that that person might never ever in a million years admit to their wife, their priest, or their psychiatrist can 'live' there in the person's personal writings, messages, web history, and pictures. While you can’t hold someone responsible for the content created and posted by someone else, what they choose to repeatedly look at and expose themselves to can say a lot about their personal motivations and proclivities. Whether it's an arsonist, a burglar, or even a financial criminal, what you find inside their computer can be disturbing. It can be disturbing, disheartening, and it can be disgusting. 

It's hard for me to say whether I've 'gotten used to' forensic exams that involve child sexual abuse or not.  It's more that I've learned what reactions to expect from myself when I work those cases and how to handle them and take care of myself.   Many of us who work these cases think about the sheer numbers of nameless victims represented in the cases we work. We wonder where the kids are now, how they've survived emotionally and physically....sometimes whether those kids are still alive. I'm working two huge cases that came in last fall right now - one with over 1/2 million images and movies, and the other with likely over a million all told.  I find myself wondering how underreported the problem of child sexual abuse must be, and how hard it is for the average person to understand the scope of what a m.i.l.l.i.o.n. images of child sexual abuse means. 

It takes a great deal of emotional resilience to do this kind of work.  It takes the ability to transform your personal feelings about it into positive action towards making some sort of positive difference, while maintaining a high standard of professional ethics and objectivity. Holding the right person responsible is as important as anything else.  As far as protecting myself psychologically, what works for me is to talk about it with other examiners and if something just sticks in my head and won't go away, to talk with a therapist who uses EMDR (Eye Movement Desensitization and Reprocessing).  No one - I repeat - NO ONE - doing this kind of work should think twice about finding a good therapist and unloading the burdens on them. I also volunteer for an organization named PAWWS to Heal that provides animal assisted therapy and animal assisted activities to kids who have experienced trauma. That helps me to remember how resilient kids are and that healing is possible.  I try to spend time outside every day and I spend as much time as I can with Bailey, my Brittany Spaniel at the dog park and occasionally pheasant hunting. And, as a hobby, I tie knots.

AFoD: Knots?

CM: Yes, knots. As you can probably tell by this point, I am a big fan of analogy.  Knots contain an awful lot of analogy, and have been used as symbols since ancient times. When I'm engaged in the hands-on, up-close process of Marlinspike knotting, my mind gets to take a break from the larger problems of the world and play. That is therapeutic.

First and foremost, the process of knotting is extremely binary. Your choices when tying are basically over or under. You repeat a series of overs and unders a certain number of times, in a certain direction, and when you complete the pattern a certain number of times, in the end you come up with a beautiful knot. Anyone following the same set of instructions ends up with basically the same results (with the exception of the size of the cord, color, and neatness factors). In that way, knotting is a lot like a simple computer program.  If the outcome isn't correct, it means that you've messed up the programming somewhere along the way. Sometimes the 'mistakes' result in a knot that's even better than the originally planned knot, and you learn a new knot. For those who are interested, the original (and still best) knotting reference out there is the Ashley Book of Knots, a book that contains the basic programming for thousands of different knots.

When applied to investigations or forensics, think about the analogies that present themselves.  We follow leads presented to us in order to put the pieces of a case together.  When it comes together just right and all the pieces make sense, the knot is complete.  When leads dangle, don't come together correctly, or just plain don't make sense, we have more work to do or are just plain headed in the wrong direction in the investigation. You can take a lot of disparate facts that are all related to the same investigation and give individual explanations for each of them that make sense standing on their own. But there is likely only one set of facts that exists that explains all of those disparate facts as a whole.  In that sense, what we do as investigators and forensic examiners is untie and tie knots.

Knots are to me also a physical reminder of the intrinsic connection between science and art.  I've attached a picture of my current keychain.  It's a 16-bight, 20-lead, 120-facet globe knot tied in one strand of blue followed round twice, and one strand of black followed round once in the middle (and yes, I am showing off.)  In every truly good and well tied knot, there is science - the geometry and math of the knot, as well as their fractal qualities; and art - the pattern, and aesthetic of the knot.  Where does the science end and art begin?  When you start thinking about it, the answer is in itself a knot, is it not?  ;o)

Another reason I love knotting is because it's an activity I learned with and share with my father and my twin sister. The other attached picture is of three Turk’s head bracelets tied by my father. Knotting is a great solo or social activity, and it’s a fairly rare art form, so when you find other people who are knotters, there’s always something to talk about. Plus, the knots you produce can be great give away items to people you like and care about, or even to strangers who admire the knots and compliment you on them. I’ve given away a lot of knots to investigators and forensic examiners who have ‘tied together’ great cases as well.

I could go on, but I think instead, I'll knot.

AFoD: You certainly aren't afraid of complex challenges. In addition to everything else you have going on, you are also in the process of completing your graduate degree.  Can you tell us about the program and what led you to enroll in it?

CM: Sometimes an opportunity comes up that you know in your gut you just can't pass up without regretting the decision later.  In June of 2009, I presented a cell phone forensics method at the Mobile Forensics World Conference which I had developed for CDMA phones specific to a homicide case I was working on.  The method had been tested and validated by students of Gary Kessler's at Champlain College in Burlington Vermont, and of Rick Mislan at Purdue at my request because I knew if I ever had to testify to something that hadn't been done before (or if it had it wasn't documented that I could find) I would need to back up the validity of my work  and have it published, tested, and validated as a real method.

At that conference, I met a woman named Liz Conway from Ireland who was affiliated with University College in Dublin.  She came up to me after I spoke and told me about the UCD law enforcement Forensic Computing and Cyber Crime Investigation MSc Program.  I told her that it sounded perfect for me, but that I doubted that I would qualify for the program since I hadn't finished my undergraduate degree.

Let's take another jump to the left and time warp back to my early work history for a second.  I started a degree program at Bridgewater State College in Massachusetts in Graphic Arts and was also studying Criminology.  When I took the job in Madison, I started going to Edgewood College part time, and started a Sociology degree with a Criminal Justice minor. By the time I got close to graduation, my daughter was nearly 11 years old, and being the child of a newly divorced and very accident prone cop, it became obvious that she needed my time and attention more than I needed to finish the few courses I had yet to complete to finish my degree. DF training and education had come into my life and fulfilled my thirst for learning in the meantime, and since I had my career before my degree, school had always been something I did for myself rather than for the degree.

Now step back to the right...  back to MFW 09 - Liz told me that I probably wouldn't need to have a degree to enter the UCD program given my previous college credits, police experience and training, and DF experience and training, and because I was already published.  So, with her encouragement I looked into the UCD program in the fall of 2009.  I applied for grad school and my butt was sitting in a classroom orientation in Dublin, Ireland within 2 weeks.  That seemingly impulsive and huge life decision felt to me to be a complete no-brainer.  Here was a degree program that suited my interests and needs and that was located in a country I'd always wanted to travel to. And, I’d have to go there.

The program has been really good so far, and the opportunity to interact with other law enforcement officers from around the world involved in cybercrime investigations has been absolutely invaluable.  Most of the program is given online, but there is a requirement to go to Ireland ("please... don't throw me in the briar patch!" said Peter Rabbit!) for several hands-on workshops and exams.  I am currently working on my dissertation related to human perception and our ability to estimate the age of children from digital images. It's due in August, and I'll graduate with my master's degree in December.

UCD has expanded its program recently, and they now offer a similar non-LE program as well.  I have really been impressed with the way they develop their program around the needs expressed by the students who are currently in the program.  They build the future of the program based upon the real life experiences and needs of the students in the current program, an approach that should keep the program fresh and relevant into the future.

The programs currently offered through University College, Dublin related to Forensics and Cybercrime are:

     MSc Forensic Computing & Cybercrime Investigation

     Graduate Diploma Forensic Computing & Cybercrime Investigation

     Graduate Diploma Forensic Computing

     Graduate Diploma Cybercrime Investigation

     Graduate Certificate Forensic Computing & Cybercrime Investigation

     Graduate Certificate Forensic Computing

     Graduate Certificate Cybercrime Investigation

     Continuous Professional Development Modules Forensic Computing & Cybercrime Investigation

More information about the program can be found at  I think that I'm the first Law Enforcement officer from the United States to participate in the program, and if that's the case, it is certainly an honor.

AFoD: Can you tell us more about your dissertation and how your research will contribute to combating child sexual abuse?

CM: The title of my dissertation as it stands right now is "A Multidisciplinary Approach to the Estimation of Victim Age in Child Pornography and Child Exploitation Investigations."  In my research, I looked at what we can learn about child age estimation from several fields including medicine, psychology (more specifically perception), machine learning/artificial intelligence, and art. 

My motivation for choosing this topic was that this issue is one that often comes up in court.  Are we as forensic examiners or investigators qualified to estimate the age range of a child depicted in an illicit image, or does it take a doctor to do so? Can a layperson tell the difference between an adult and a child, and at what point in a child's development does it get more difficult to do so?  If it takes specialized training to make the determinations involved in age estimation, how can we expect suspects to know the difference? How good are humans at estimating age? And more importantly, if we're not good at age estimation, shouldn't we know that since the stakes are so high for suspects?

Last fall, I put out a couple of Internet based surveys to gather some data.  The first was designed to gauge the scope of this problem, and how jurisdictions around our country and around the world are dealing with age estimation for cases where a victim's age and identity are unknown. I also presented respondents with stylized images of children and adults from artistic works and popular media to see whether they could determine from representations of humans whether they were depicted as adults or children.  In the second survey, I took images of real people, mostly children, but with a few adults interspersed, and asked respondents to identify the individual as adult, child, or not sure and then to estimate a three year age range for the person in the picture.

One of the most compelling parts of the dissertation process was review of the literature that's out there related to the topic in the fields of perception, machine learning, and art. Our perceptual cues to a child's age range are so much more comprehensive than simply looking at secondary sexual characteristics.  Think about the amount of change that happens in a child between birth and sexual maturity... for that matter, how much change happens over any given three year period of a child’s development. While children mature at different rates, the same sorts of physical changes happen (given normal physiology and development) in all human beings. I hope that compiling all of that information and giving the field a comprehensive and referenced source for the pertinent information will help them to deal with some of the arguments that come up in this area, as well as help them learn to identify and articulate the perceptual cues that are used in the process of age estimation.  Considering the length of the paper, I'm hoping to put together a shorter practical reference guide as well. 

AFoD: Have you had any instance where defense counsel has been successful in arguing that their client made a reasonable mistake based on age and, therefore, should not be convicted?

CM: Generally, when I've seen this argument made by the defense, it has been raised at the preliminary hearing stage of a case.  In felony cases in Wisconsin, the preliminary hearing is conducted in order to prove that sufficient evidence exists to establish that each of the elements of the crime has been established and that the person charged probably committed the crime. In many cases the preliminary hearing is waived by the defendant.  In other cases, the defense basically attempts to try the case at prelim and to discover as much information as possible beyond basic probable cause in the process.

One of the elements of the crime of possession of child pornography in Wisconsin is that the person knows or reasonably should know that the child has not attained the age of 18 years. The annotated version of our statutes goes on to say that "Reasonably should know" is defined as less than actual knowledge but still requires more than the standard used in civil negligence actions.

Like most forensic examiners working these types of cases, I'm pretty conservative about what images and videos I move forward for charging, and the charged images generally depict individuals who are unquestionably children unless it's a case where we know the suspect knew the person was under 18 years of age through some other means.  I've never had a defense attorney use the "reasonable mistake" argument successfully, but nonetheless it is a common one and I have heard of it being successful in other jurisdictions. Still, questions about examiners' qualifications to make a determination about whether a depicted individual is an adult or a child are common, even with depictions of prepubescent children.

AFoD: What advice do you give to people who ask you how to break into digital forensics?

CM: Aside from the fact that I very nearly literally 'broke' my way into digital forensics, I certainly don't recommend that method to people who ask!

One of the first pieces of advice I give people who want to work in this field is that they have to be prepared to never stop learning.  Build your basic ground level DF knowledge base - there are certificate and degree programs all over the place, as well as vendor based and vendor neutral trainings.  Use that basic education to figure out where your specific interests and talents are, and then pursue those further.  Look into whether there are internships available in DF companies or labs in your area, and go after them. Keep learning and keep growing - if you don't, it will come back to bite you in the end as technology and time move forward.

The field of digital forensics now encompasses such a wide variety of sub-specialties and focuses: network security and intrusion detection, e-discovery, iOS forensics, malware analysis, cell phones and GPS... different operating systems, hardware platforms, and different purposes - intelligence, corporate, criminal, civil legal, counterterrorism... you get the picture. There is no way for any examiner to know everything they might need to know to deal with the vast variety of potential forensics problems that they might be faced with.  This creates a need for constant growth and exploration so if you're not naturally curious, you might want to think twice about a career in DF.

Because the field is so broad based and covers such a variety of specialties there is great opportunity (and need) for new examiners to find a niche within the field that fits their particular interests and area of curiosity.  When you find that niche, if you find a new artifact or an easier way to solve a common problem, share it. People who are trying to solve the same problem or a similar one will be grateful, and you'll start to build a name for yourself. Network with other examiners at conferences, on listservs, on social networking sites, and through the various professional organizations that exist.  Get to know other examiners, what their DF interests are, and someday when your problem matches their interests, you'll know exactly who to call for help.  As Harlan Carvey often points out, bad guys are better at sharing than we are - we need to change that.

Along the lines of networking - don't be afraid to reach out to those people in forensics who wear the figurative super-hero capes or have earned the middle name "freaking".  Ovie Carroll, Rob Lee, Brian Carrier, Harlan Carvey, Eoghan Casey… the list here is of course not all-inclusive. The authors and speakers, programmers and teachers, movers and shakers in this business are nearly without exception exceptionally friendly, fascinating and approachable people who love to talk about digital forensics (not to mention music, scuba diving, magic, philosophy, photography, Rubik's cubes, beer, wine, gaming, running, singing, mountain climbing, banjo playing, horses, dogs and cats... the list goes on!) In my experience, the cape wearing veterans in DF all care deeply about this profession and want to see the next generation of up and coming forensicators thrive in it.

AFoD: What training and academic programs do you recommend to people who are interested in learning digital forensics?

CM: This is an interesting question, because there are so many certificate programs, undergraduate programs, and graduate programs popping up around the country right now, as well as the myriad vendor-specific and non-vendor-specific short term but intensive training programs. And, it's a difficult question to answer because so much of how and why a person chooses an academic or training program depends on what's available to them where they live and what they can afford.

I had a conversation with a young TSA officer recently who was going to school for digital forensics. I asked him where he was going to school, and his response was, "I'm embarrassed to say." I asked him why he was embarrassed, and it turns out he was most of the way through a DF program in one of the larger private schools which offered credits that don't transfer easily to other schools. He was going there because his local community didn't have another program available, and he was a hands-on learner who didn't feel he would catch on as well in a mostly on-line environment. I asked him if he felt like he was learning a lot, and he said, "yes". I then assured him that he shouldn't be embarrassed; he should embrace that experience as the foundation of his education and continue to move forward from there.

My advice would be to choose trainings and programs that are developed and taught by people who are currently in, or who are actively engaged with people who are in the DF profession.  That way the course materials are more likely to be up to date and relevant. I would also advise that people choose a program that has a strong hands-on / lab component to it, whether that means logging in to a lab facility via VPN as happens in the UCD program, or whether it means physically sitting down in a lab environment.  This work is a good mix of both practice and theory, and there is just no way to practice the skills and apply the concepts you need in DF without a lab.  I would also say that those training and educational programs which are set up to have everything in the lab work perfectly the first time are teaching something that is somewhat detrimental to students. Problem solving is a HUGE component of this work, and facing problems in a school lab environment is a great way to practice for the sorts of things that come up every day in the real world.

The important thing is to really take a hard look at the programs ahead of time to see if they are going to fit your particular needs and interests.  Talk to graduates to see what their experiences have been.  Do a little research on the program and instructors to see what the overall reputation of the program has been. Hopefully this kind of approach will help you to feel that your time, efforts, and money have been well spent.

One other thing I would say is that all of us who are currently in the DF field ought to stay interested in learning digital forensics. Keep learning and keep growing as a forensic examiner.  Stay curious about new technology and what's coming around the corner.  Knowing what we don't know is as important as, if not more important than, knowing what we do know. Reach into DF areas that aren't necessarily your specialty and learn how they relate to the things you know well. I say this because while there are a lot of sub-specialties developing in our field, at some point they may well all fit right back together.  Part of the reason I see mobile phones as so interesting is that these devices are hand held computers, communication devices, and nodes on various networks all at the same time.  Garnering a better understanding of how all those factors come together starts to become more and more important.

Sunday, June 26, 2011

Security Operations: An Interview with Jeff Lahann

This interview is one of several that I’m working on that deal with the broad area of security operations. Jeff Lahann has extensive experience in building and leading high-performance security operations teams. We’re in an era in information security where the battlefield doesn’t favor the defender so it’s up to innovative leaders such as Jeff to create and lead information security teams that are up to the challenge. Jeff is one of the sharpest and most even tempered people that I’ve run across in security operations leadership and I’m grateful that he took the time to participate in this interview.

Professional Biography of Jeff Lahann

Jeff Lahann currently works at a multinational company building out the company’s first Security Operations department which has responsibilities for 24x7 security threat intelligence, threat monitoring & response, as well as vulnerability scanning, vulnerability management, and data loss prevention missions.  Before coming to his current company, he evolved and ran a SOC at a large multinational manufacturing company where he worked with several government agencies to combat threats targeting government contractors.  He has been doing information security operations work for over 10 years, starting out as a Security Operations Center analyst at IBM watching out over 220 Fortune 500 companies.  Jeff has been a digital investigator and incident responder for several Fortune 100 companies, an IT threat intelligence analyst for IBM’s Managed Security Services Delivery team, and a Senior Security Analyst in a large multinational’s SOC.  Jeff was also an adjunct instructor at Colorado University - Boulder teaching IT Security classes to masters candidates.  He was also a corporate instructor training investigators/incident responders and has developed several beginning and advanced level courses.  Jeff has earned an MBA and a Master of Science in Information Technology & Security.  Prior to getting into securing bits & bytes, Jeff served in the United States Air Force as an Explosive Ordnance Disposal Journeyman.

AFoD: So how did you go from being an Air Force EOD person to a career in information security? That's not exactly a natural career progression.

JL: What do you mean? I hear that going from "Bomb Squad Tech" to "Computer Security Tech" is quite common, no?  All kidding aside, you are correct, not the most natural of career progressions but one that my wife is far happier with than I.  Don't get me wrong, I have thoroughly enjoyed working in the IT Security field doing Security Operations work, incident response, digital investigations, security analysis, and I have even enjoyed my time on the dark side in security management.  However, not much else matches several thousand pounds of explosives going off or hovering over an interesting device wondering what you are dealing with.

AFoD: What was your first job in information security and how did it influence you to keep going down that career path?

JL: My first job in information security was riding a console as a Security Operations Center Level 1 Analyst in a SOC that was servicing a couple hundred Fortune 500 companies.  Those were some long 12 hour shifts trying to stay vigilant watching hundreds of log events roll by the screen for each customer.  Back in those days SIEMs were just coming on to the market so we had all sorts of paper based systems to keep track of suspicious events and correlations.  Back then knowing how to make military style coffee, the kind that eats away the cup if you don't drink it fast enough, was just how you survived the shift.  There were several things that really influenced me to keep going down this career path.  First was that it lined up with my general life calling of doing security and protection work.  Prior to IT Security, I was doing all types of security work in and around private sector, law enforcement, and military arenas.  Second, one of the best things about IT Security is the requirement of continual learning you have to engage in just to keep up with the bad guys and the field.  The final influential aspect was the people I worked with back in my starting days.  We had a very good team and it is always good to work with and for great people.  Even as we all spread out over the years, those folks are still a foundational part of my network.

AFoD: You eventually made the decision to move from being a skilled individual contributor to a leader. Why did you decide to go down the professional security leadership path?

JL: Well I was wondering when the question of why I would sell my soul and join the "dark side" was coming.  It was actually a pivotal point that I still remember well, but for the record, there are days when I'm slogging through a couple hundred emails and working on a PowerPoint that I miss the days of spending my hours on the command line doing something a bit more "real".  I had worked my way up the various skill paths and levels into a senior analyst and team lead role at a company when I had figured it was time for a change of scenery.  So I up and moved companies, states even, to land in another senior analyst role. It was only about 4-5 months into that gig that I had hit the top of my game again and being the type of person that never likes his feet falling asleep, I was already looking at the proverbial, "what's next for me" question.  Then one night it just kind of hit me; I figured it was game changer time when I could move around and hit my stride so early on.  It wasn't anything as dramatic as the devil showing up and offering me to sign in blood, it was more timing than anything.  The guy that had started the department I worked for was looking to move along and I had decided to try to look at positions up the ladder.  Things fell into place and the next thing I knew I had been running the shop for a year taking myself and the department to the next level.

AFoD: As part of your professional development, you obtained an MBA from Arizona State University. How has that benefited your ability to build and lead your teams?

JL: First, here is the back-story on getting an MBA.  I was a couple years into the management side of things and was still having issues with what I still see as a primary function of a security manager, no matter where you are on the ladder of security management, and that is the function of translator.  What I mean by translator is the job of taking highly geeky security specialist jargon and problem sets and turning it into more general terminology that others outside of security can understand.  I typically find that real world analogies work the best to describe complex attacks and impacts to non-security types.  I was tasked with protecting the business but was struggling to get my urgent message into terms that business folks understood and wanted to take action on.  I figured that to go to battle over priorities and budgets with business types to get my projects funded, I needed to understand their world and speak their language. Thus came the idea to get what I termed, a "weaponized education" (hat tip to RM).  As far as the other benefits of my MBA, it has helped not only with what I mentioned previously so that my teams see progress in the fight to protect the company, but also in helping translate backwards from “business priorities” and “bottom lines” to what that means to security projects and security specialist geek types.  Overall, it has been a very eye opening experience, especially after getting through the universal term, "MBA Hell".

AFoD: Your career path has led you to a place where you are highly skilled in building and leading security operation centers. Can you explain what a security operations center actually does?

JL: Security Operations Centers, more commonly referred to as "SOCs", can be associated with several functions but the most common one tends to be some sort of security event monitoring.  Much like Network Operations Centers (NOCs) do for the entire IT environment/infrastructure by way of looking for problems in network flow, system outages, and the like that potentially cause business impact, SOCs do this from a security perspective.  Security monitoring can be done in many different ways but the best way is via pulling all relevant logs into a centralized logging solution and then feeding this aggregate information into a SIEM (Security Information and Event Management) system.  These systems allow you to correlate and make sense of all the various forms and types of event logs of interest to bring about alerts on suspicious or malicious activities.  Many SOCs will have expanded missions and taskings ranging from operational support of security type devices to incident response to threat intelligence and research.  But at the core, SOCs, and those that work in them, are performing some level of analysis of data to bring about action to protect the enterprise.

AFoD: Successful teams are made up of important elements such as people, processes, and tools. I'd like to start by asking about the people aspect of how you go about building your teams. What sort of people do you like to hire and how do you organize them into an effective team?

JL: People are a good part of the triad to start with as they usually make or break the team; you can have bad people with good processes and tools and you'll still fail.  Now if you have good people and bad processes and tools, you still have a chance at succeeding because of the ability of good people to adapt and work with what they have.  I've always been lucky to surround myself with good people and we always manage to pull off some pretty amazing things.  What types of people I like to hire depends largely on the environment the SOC is residing in and/or the chartered missions.  But in a general sense I am always doing the obvious thing of trying to find the most talent I can afford for any position I am hiring.  In more specific terms, if I'm looking for entry-level analysts for the SOC (a great way to break into the security field) then I don't expect them to have any security experience, just good technical expertise (if I find someone that has been doing security learning above and beyond the day job it is just a bonus).  In this case I am looking for someone that has the aptitude to learn quickly and has a passion for the security field.  I've found that these two attributes in a level 1 analyst are what usually prove out to be the senior-level analyst years later.  You have to have a passion and desire to continually learn in the security field because the learning curve is so steep all the time; it's more like scaling a vertical wall of ice that has had oil poured over it.  For level 2 analysts I am looking for someone that has been on the job doing security work for a company for at least 2-3 years, preferably in/around operations work; again I want to see the passion for the work and aptitude to learn.  Senior-level analysts and higher are just more time in service and experience in several domains.  
A final trait I look for across all the levels of analyst is that desire to keep pulling at loose threads, picking at the loose corner of a wrapped gift, the drive to keep digging on something until an answer is found that makes sense.  In relation to shift organization, I pair two level 1 analysts and a level 2 analyst per shift in a 24x7 SOC and then spread the senior-level talent across multiple shifts as best I can.  From a manager perspective I try to keep the ideals of work hard/play hard, everyone has each other's back, don't be afraid to say "I don't know" (something I picked up on the Bomb Squad for obvious reasons), and finally I try to enable the team to do the work and get out of their way.  By the way, did I mention I'm currently hiring several analyst and management positions for day and night shifts?

AFoD: Gosh, Jeff, you hadn't mentioned that! What a great opportunity! How would someone go about finding more information about your open positions?

[AFoD: Okay, dear reader, you caught us. I had the idea for this interview when I saw that Jeff was looking to bring some new people onto his team. I was in the mood to interview an experienced security operations leader and offered up the interview to Jeff as a way to get the word out for his new positions. Jeff is a very sharp fellow and if you have an interest in getting involved in this particular portion of the incident response and digital forensics world, he's someone you should talk to about your interests.]

JL: Well since you asked (*wink*) people interested in joining a newly built and deployed security operations center can hit the job site:

AFoD: The second leg of the triad is processes. Can you talk about what role processes serve in your teams? For example, what tasks do you create processes around and what tasks are treated with more of an unscripted case-by-case approach?

JL: Ah yes, processes.  These are very important but not so much the sexy side of things that people like to work with.  Processes and procedures are important to a SOC for repeatability and standardization of those things that need repeatability and standardization.  I make this circular distinction because I am a big proponent of standard operating procedures (SOPs) where they make sense.  However, it is important to note that you don't want to become imprisoned by processes or, worse yet, take away an analyst's ability to apply common sense to the situation.  There are many things in a SOC that you want described in a step-by-step procedure or overarching process.  For example, if the SOC is responsible for updating IDS signatures on the sensors, then you want a clear process stating when and why you do this and a step-by-step procedure as to how this is done so you end up with the same result no matter which analyst completes the task.  SOC-controlled or -initiated change management, inbound security report handling, shift turnover, and system rebuilds are more examples of tasks that can be controlled by process and procedure.  On the contrary are those situations where process and/or procedures can hinder the analyst or strip away the analysts' intellectual contribution.  Incident response, compromise response, threat intelligence research, and malware analysis are all examples of situations or tasks that don't follow a script, and trying to overlay anything more than loose guidelines can hamper the right efforts.

AFoD: I agree completely, of course. There's a time and a place for scripting repeatable processes in the name of standardization. However, analytical work can be just as much of an art as a science and it doesn't lend itself well to scripting. That's one of the fundamentals that I learned as a police officer.  Every department has a SOP, but there is only so much standardization you can get away with when you are doing police work. Good luck creating a repeatable process for handling a shots fired call.

What use do you make of concepts such as Six Sigma and IT Infrastructure Library (ITIL)?

JL: Six Sigma is great for the manufacturing processes for which it was designed but I find it hard to completely extrapolate it into the IT world.  Though I have found use for the various before/to-be process flows, TMAPs, and some of the statistical analysis where it fits.  As far as ITIL, this is a bit more geared to IT and my current organization is big on its structures.  It helps to get things into standardized methodologies and terminology but you have to be careful not to be too rigid or be a slave to the framework or you end up with too much overhead.

AFoD: How do you structure your security operations centers? We've talked about disciplines such as incident response, malware analysis, and threat intelligence.  How are you putting these pieces together to create a high-performance team?

JL: I typically approach building out a full SOC on what I call the "virtuous circle", depicted as a self-feeding circle type diagram.  The three main ideas or missions I build a SOC on are Threat Identification, Threat Detection, and Threat Response.  You have to have threat intelligence research and malware analysis functions being done to provide data on the current threat landscape and how it applies to your current company setting.  This data should then feed into the detection and monitoring mission by way of custom IDS rules, firewall rule sets, web filtering blacklists, etc.; this is commonly seen as the foundational SOC mission.  But once you have detected the threats you have to respond to them in a standardized method with specific tool sets.  I tend to favor the SANS incident handling methodology and tailor it to my current company setting as needed.  At the end of your response tasks, you typically end up with additional intel to feed back into your Threat Intelligence mission and thus we end up with the self-feeding circle.  Of course you have to have reporting with all of these missions, something that all my former students at CU Boulder used to groan about as well as my current staff.  I still preach that if you have all kinds of good data points about the strengths and weaknesses of your security, it is worthless if you don't leverage it by reporting it to various stakeholders to get action.  The foremost function a SOC should be aspiring to is to use the front-line trenches information it gathers in the execution of the virtuous circle to continuously improve the security posture of the enterprise it serves.


AFoD: That brings us into the last part of the people, process, and tool triad. What tools are your teams using to accomplish their goals?

JL: Tools and technologies tend to evolve with the general IT landscape and business needs, as do security tools and technologies, but they also have to try and keep up with that ever-evolving threat landscape.  I look to base my tool purchases on a solutions approach, not a product approach.  Too many times over the years vendors have come at my teams trying to sell product versus trying to help us solve a problem and sharing honest and open dialogue about what they can do to help.  You help me solve a problem and support my team well and you start to earn some loyalty.  Philosophies aside, some of my favorite tool sets for a SOC executing the missions we've discussed previously are Sourcefire IDS, ArcSight SIEM, EnCase, Mandiant Intelligent Response (MIR), Splunk, and good old-fashioned Linux.  Having worked in more budget downturns than "golden years" I've had to get creative trying to solve problems and I am always impressed with what you can do with a skilled security analyst who is passionate about protecting the company and a simple Linux system.