How to become a cybersecurity analyst

Chris Sienko: Hello, and welcome to another episode of the Cyber Work with InfoSec podcast. Each week I sit down with a different security industry thought leader to discuss the latest cybersecurity trends and how those trends are affecting the work of infosec professionals, as well as tips for those trying to break in or move up the ladder in the cybersecurity industry. Jonathan Butler started at Distil Network in May of 2016 as an IT security analyst, and since then he has worked his way from analyst to team lead to manager. He is going to speak with me today about his journey as a security analyst, his career steps along the way and how aspiring security analysts can make their best choices to get their career off to a great start. Jonathan Butler is the Security Analytics and Professional Service Manager for Distil Networks, the global leader in bot mitigation, which was previously acquired by Imperva. He had been with Distil Networks since 2016 and previously worked at Urban Science. Jonathan, thank you for being with us today.

Jonathan Butler: Thanks for having me.

Chris: If you've heard any of our podcasts, I start at the same point at most of them. So, tell me a little bit about how you got involved in computers and security. Was it something that you were interested at an early age or did it come later in life?

Jonathan: Yeah, it's funny because I grew up in a very rural area, had really bad internet service and there just wasn't a lot of money left around for computers and software and stuff like that. So, I actually didn't have a childhood that was too dependent around computers. It was more once I got to college, I studied mathematics at the University of Virginia, and part of the requirement of that major was you have to take a computer science course. I ended up taking this class that was pretty elementary. I mean, it just taught you about how the internet works, some of the history, how websites work, the computer network as a concept. And, that's really where it piqued my interest, and from there I ended up taking another course that really exposed me to the programming side of things where I was using JAVA and a couple of other languages to build applications and that's really where I think my interest piqued.

There was a particular project in that class where we more or less had to recreate Angry Birds, and I remember thinking it was really cool seeing the physics being baked into the language where you're recreating reality through this project. That is where I think I saw the potential of it and where I really got interested in it. But, I study math with a finance concentration so I thought I wanted to go that route. Ended up landing a job at a software development firm out of college, and it naturally took off from there. It went from a software development firm to Urban Science, which is a data consulting firm of sorts for the automotive space. There, I got exposed to really working with enterprise companies. Audi and Volkswagen were two of my major clientele.

So, that's where I got this exposure to bigger companies and how they work and operate, and that was a natural segway, weirdly enough, into my role here at Distil Networks. That's truly where I pivoted into the cybersecurity space. Up until that point, had you ask me if I was going to go to a cybersecurity company, I would have probably said, "Hey, maybe," but no actively searching for it.

Chris: Okay. When you were in college, you said that the internet was still ... It wasn't something you were familiar with pre-college. Do you feel that the people you were going to school with, that it was a fact of life for them? Did you feel like you were behind and needed to catch up in that regard?

Jonathan: Yeah, definitely felt that way, especially in that class. I mean, they were just people who it was like breathing oxygen for them. It was just their second nature. Where I was going, there were just so many smart people around me that I always felt like, "Man, I must be the only idiot in this class."

So, it was a little bit of catch up and I think there was just a very distinctive moment in one particular class I remember where I just sat down and made the decision, "Hey, you can't make that excuse for yourself. Just sit down, learn it and move on." But, I definitely had a lot of that because I came from the background that I did, whereas some of these people where technology was very much more baked into their childhood, had personal computers coming in. Which, when I went to college, it wasn't really the case and just all that.

Chris: Yeah. I mean, even beyond computer science folks who were swimming in it from an early age, do you feel like that the student populace in general was all ... Because when I went to college, man it was the dark ages, but the internet was just starting and it was both simultaneously omnipresent, like everyone had it, was given a username and account and so forth, but also just completely new to every single person. This is '92 or whatever. Did you feel like there were other folks even in other disciplines for whom the internet was still a novelty or were most people taking it as fact?

Jonathan: I think it was still a novelty for some people. Like I said, there were a lot of people around me that did have those types of upbringings where they were exposed to it, but it still was a new thing. I mean flip phones were still around, the Blackberry was there. So, technology was at a really interesting point when I was in college where it was starting to become this matter of fact part of everyday life. Even things like submitting papers was going to an online submission, those types of ideas which are probably second nature for kids today in school. That was the transition there. So, computers were starting to more and more bring themselves in our live, but we weren't fully there yet.

Chris: So, today we're going to talk to you about your career track as a security analyst, and now you're a security manager. So, tell me a little bit about your journey in this regard. What were some of the major steps along the way and what were the progression of skillsets that got you to this point? What sort of things did you have to learn? What types of jobs did you have to do to prepare yourself for working at Distil now?

Jonathan: My professional journey has never really been "I'm going to be here in five years, I'm going to be here in 10 years." It's always just put your nose down, work hard at what you're focused on and let the universe carry you from there. And, that's really a reflection of how my professional journey has been since I started working. I really was intrigued with finance, but my first job out of school was at a software development firm and it was there that I got exposed to databases and data analytics, and really that came with the territory of SQL and other programming languages and knowing what applications interact with back ends. So, I actually thought I wanted to be a database administrator, and from that I was studying for certifications, pursing that. I even asked the DBA of the company I was working at if I could get private mentorship from him afterward.

But as that progressed, I really wanted to get into the private sector. I was working for a government consultant and I stepped over into the private sector, moving to Urban Science where there still was a lot of opportunity to explore data analytics, and honestly with that and still have technology as a major component of that. And it was there that I think I got introduced to this idea of the consultant mentality, like really helping businesses make informed and intelligent decisions off of ultimately data-driven ... Helping them with data-driven decisions. I think that was a really big ah-ha moment for me. Maybe not any specific moment in time, but just that whole experience put a lot of pieces into play like these companies are usually working under tough constraints, financial budges, time management, resource allocation. All of these different things to ultimately deliver an end product, an end goal of some sort.

In the security space, that's securing your web application, that's securing your organization. All of these realities and constraints are constantly working against you, and you have to make best use of your time, best use of your dollar, best use of your team through that intelligence and get insight but also being able to navigate the business terrain. And that, I think, is really what teed me up ultimately for being able to pivot into the security space because when I came to Distil Networks, it was at that point in time a company that had a really great technology but their ability to turn around and explain it to the customer through data and help consult them on how to leverage it to the maximum and optimal extent was very weak. I mean, when I came in it was at a point where the company had basically said, "Hey, we want to build a professional services organization that can actually be sold on top of our technology stack to be product consultants and web security experts to help guide customers and give them this creme de la creme service."

With that, all of my learnings and findings at my previous role in that consultant position really bloomed and blossomed here at Distil Networks because at the end of the day, security is a very thankless and selfless pursuit. You're not always going to be pulled over and slapped on the back and said, "Hey, great job." You just have to have these intrinsic motivators that make you curious, that make you passionate and really want to move the needle forward for your customer. That could be your boss, your organization, your customer. So, it was just a really rewarding experience, but all said and done, I think it was just the combination of my exposure to databases and web applications in my first job and then learning the business language and learning all of these external constraints that you have to then creatively come up with solutions to navigate. That all came together at my time here at Distil, and helped grow the professional services, the security analyst function here at this company.

Chris: Okay. So, walk me through your average day as a security analyst. What time of day do you start work? Where does your work take you in the course of the day? How soon after you've built your to-do list for the day does it completely go up in flames and emergencies? What time are you done? Are you on-call all the time? Can you turn off your job? Things like that.

Jonathan: Yeah, sure. I'm in a little bit of an interesting position because today I'm a manager so I'm not so much of an individual contributor role, but to just give a lens into that, I think the job is unfortunately pretty 24 by 7. I am usually connected to my phone, even when I leave the workplace. Even last night I woke up randomly at 2:00 in the morning, decided to check my phone. Had a couple things pending so I responded to them, went back to sleep. That's a personal decision. We're at a company where things are moving so fast, we've got a couple of major projects on their way where those are ugly necessities in those moments, but we do work really hard to give work/life balance to our guys. However fast you want your career to move is probably going to directly be correlating to how much time you might have to give at a certain point.

And again if it's a big project, you'll have to be around the clock a little bit more. And again, that's ... Sorry.

Chris: No, no. Go ahead.

Jonathan: I was going to say that's just been my personal experience. I know there are plenty of companies that do put a premium on work/life balance and do try to bring that back because it's a little bit of a dying perk, unfortunately. It is a 24 by 7 job. The way that the work week goes is you come in, you typically know you have a couple of core priorities and projects you have to attend to. But they day, you want to take a hold of it versus it take a hold of you. So, I'll usually start by going through the email inbox, checking Slack and seeing what pending and critical projects are coming up. Usually there's a couple you can already expect to be there waiting for you, critical showstopper issues. And then from there, it's mapping your day out, mapping even your week out to an extent. I'm like, "Hey, I've got this on Thursday, this on Tuesday and I know I've got this next Tuesday, so let me plan accordingly."

And usually, once a week there's something that just totally derails your day where you have to throw everything aside, focus on that and jump on it. I don't know if that fully answered the question, but that's just been my general workflow experience Monday through Friday.

Chris: Yeah. For analysts, I assume they're working in the nuts and bolts of the actual problems whereas as a manager, you're probably spending more time translating the needs of the board or the CEO or whatever to the analysts and things like that. Can you talk a little bit about that?

Jonathan: Yeah, exactly. I mean, your workload and work week is probably going to be somewhat correlated to the system that you're operating or the base of customers that you're responsible to. For us, we have a global customer base, so a problem can pop up at anytime of the day, anytime of week. And because we sit in line with a lot of our customers websites, urgent issues are very urgent so we've got to jump on that. But from the individual contributor role, like the security analyst, the way we've crafted it, you typically have responsibility over some segment of customers and certain processes where you do have a little bit more stability in your day-to-day. I think that's something you can expect in a career in security is as you get more responsibility over bigger and bigger pieces, you're going to just naturally have to jump in when critical issues and situations come up.

But, we work with a lot of tools that we make sure our guys are getting trained up on. So, some part of your day is probably going to be self-development and constantly growing with the environment, growing with the tooling and those sorts of things. And then, the tooling can be environment to environment. We use a lot of Python, we use a lot of Tableau, which is data visualization. Obviously having familiarity with a terminal window and those sorts of things like bass scripts ... Our environment is pretty language agnostic. We'll usually have to jump into different things. And because we're with other customers, web infrastructures, you might even have to educate yourself, give yourself a quick little bootcamp on this language or this application or whatever it may be. I think that's another part of it as well.

Chris: Okay. And, in a really atomized point specific way, what are some tasks that a security analyst should be cool with doing every day? This is something that every single day you're going to be working with this kind of tool or you're going to be doing this kind of thing. What are some things that just keep happening in the job over and over and over?

Jonathan: That's a good question. So, I guess I almost have to preface the question with in my role we are almost consultants to the customer whereas some security analysts might work for a company, and you are responsible for building and defending the wall. For us, it's a very common expectation that you're looking out for your customer. You are doing things to scan their perimeter for them. And, over the history of my time here that went from us having to manually go into website logs and look for anomalous behavior and craft signatures to patch holes of sorts, and you do that enough days in a row and you're like, "This is goofy. This is silly. Why am I spending so much time on these very tedious, monotonous tasks? And, also why are they only going to happen when I'm online?" So it sparks that pivot of, "Okay, well maybe it's not about doing the task, it's about how can I architect the infrastructures to automate and programmatically do those tasks?"

Chris: Right, so you're not endlessly chasing the tail of the last thing that ran through the barn.

Jonathan: Exactly. It's one of those things where doing log analysis, looking for anomalies, thinking outside of the box and leveraging the tool set that you have is definitely the types of things are going to be doing day over day. The details of it could change environment to environment, but I do think that one core thing that the best analysts are going to be doing is how can I retroactively look at all of that and figure out how to automate or streamline or make all of that stuff more efficient because the security is such an evolving ecosystem that you doing the same thing day over day guaranteed you're going to fall behind in terms of comparing against your adversaries.

It's like putting money in a bank account, right? Interest is going to make that lose value over time, so naturally without anyone coming in and saying it every day, you have an obligation to yourself to improve your ability to be faster, be smarter, see more. So, I think that's what we really try and challenge our analysts with is like, "Hey, don't just do the jobs that I'm giving you the instruction set for, but try and think creatively and automate yourself out of that job, promote yourself out of that job." I think there's also that intrinsic day-to-day part of our operations.

Chris: Oh, that's great. So, you're saying basically the best way to move from security analysts to the next level is to, as you say, automate your way out of the position. Find ways to make it so that you're not just scanning logs endlessly and patching holes endlessly. That's really interesting.

Jonathan: Exactly.

Chris: Again, I know you've jumped up another level here, but when you were a security analyst, what were the most interesting parts of the job and what were the most boring and repetitive parts of the job? What were the things you would clap your hands when you were done with and what were the things that filled you with dread on Sunday nights?

Jonathan: I guess I'll start with the most boring parts of the job because I don't know if boring is the right word. I think there are parts you really hate and then there's the parts you really love, and there's not much in between, at least for me. The boring parts are probably just the monotonous work that every role is going to come with. You're going to inherit systems and processes that were there before you or maybe are there because of a wrong set expectation with some customer, or it could be your boss, it could be leadership, whoever. So I think those types of things are never fun, but they're also ugly necessities of any role, and the best thing you can do for yourself there is, to the earlier point, figure out how to automate that so that takes up less of your time.

I think the most exciting things about the job are security is such a constant discovery in terms of working in that space. I mean, we work in such a niche problem set that we are pioneering things of sorts, and it is really cool to be at the cusp of that. I've been in certain circumstances and scenarios where you don't want to applaud your adversary but you've just seen really cool things come across. There was one particular instance where they had figured out how to penetrate a web application by doing some unusual… and slipping things through the URL. And again, I didn't come from a security background so anything impressed me at this point in time but especially this, I was really impressed by. So, those little really cool things where you're like, "Man, someone ..." You almost applaud the ability to think and problem solve from both your own team and from the adversary.

Chris: Yeah, respect where it's due, man.

Jonathan: Exactly. I think the other thing, too, is just you're inevitably going to run into positions that frankly give you the sweats. They keep you up at night. Just having resiliency to face those situations and be confident and get through them, and grow your comfort zone, I think those are also really exciting moments in my job.

Chris: Now, do you hold any professional certifications? Especially now that you're a manager, do you feel that professional certifications play a role in enhancing security?

Jonathan: I think it does, and it's one of those weird things where from what I've always heard, there is a weird dichotomy going against each other. People that put a lot of emphasis on certifications, and then there's people that don't. I'm here in DC where it's so much of the security space is driven by the public sector and in the government that I think there's especially weight around those things. People almost see it as an obligation or a sad inconvenience versus an enthusiastic excitement that I'm pursing my career. It's like, "Ugh, I have to do this." But, I think it's different strokes for different folks. Some people really do learn how to build a house by just going and building a house, and some people learn how to build a house by watching YouTube videos and doing a bunch of online research, et cetera.

So, I think that that formal approach shouldn't be cast aside, but it probably does help some people. I only hope that the certifications keep pace with how fast that all of this stuff changes. That's really my biggest concern with them. But as someone who doesn't have any, I can't speak confidently, but I will say this, I am personally thinking about going back and starting to pursue some of these because I think it will eventually cap certain careers. Maybe you can get by in your earlier entry years of a security career, but sooner or later you have to know the talk and be able to walk the walk, and I think it naturally comes with the territory.

Chris: So as a manager, when you're looking at potential candidates or possible new employees for your security analyst department and so forth, if you see someone with a certification, a CCA or something like that, does that make you think, "Oh, they have a little extra something," or are you more interested in seeing what they've done experientially and the hands on and so forth?

Jonathan: It's one of those things where a lot of what we do is so in-house knowledge, and the space we work in is actually starting to become more commoditized so you can put weight around that. But very early on, all of it was in-house knowledge. Knowing how computer networks, how CDN's, how reverse proxies worked, how web applications worked was more important ... and knowing how to write SQL queries and do analysis had more of a premium for us than the actual security skills of web application security, which is really counterintuitive to say. But, as a lot of the barriers to entry we dealt with as analysts, like I had to be good at SQL, that I had to know how to work through Excel in the very early years, those things that distracted from the security skill have slowly but surely gone away and we're getting to the point where security is becoming the forefront of what we do day in and day out.

In that extent, I think it's critical to have them, and I think it never hurts a candidate. I'll say that. If anything, I think in the early years we were almost nervous to bring in someone with a lot of certifications because we just as a team environment weren't ready to necessarily scratch those itches for someone who really wants a robust security career.

Chris: Yeah, you're hiring for that specific task rather than to create this bouquet of skills or something.

Jonathan: Exactly.

Chris: Okay, so you mentioned that you're in a consulting position, but what types of companies require a security analyst? Is this something that's more commonly a consultant-ship or are there more security analysts that are working in-house, like you say, protecting them perimeter?

Jonathan: I think any company big or small needs a security analyst. Now, whether you have budget for it is a different story, but if there's one thing that I've really noticed is the bigger you are, the bigger a target you have on your back, and more likely you're going to have more people and more organizations and adversaries going after you. So, I think any company really needs a security analyst. And if you're a small shop, maybe it doesn't seem like you do, but just securing some of those basic perimeters, like making sure your website doesn't have a lot of open vulnerabilities, making sure if you're giving hardware out to your folks that they're not doing dumb things. There's a lot of low hanging fruit that if you could go hire security analysts to do some consulting for you would be very valuable to that company.

And, as you get into bigger corporations and organizations, they're running fully baked out security organizations and the role shifts into a different form and function. But, I think if you're working at a smaller environment you can probably expect, which has been more similar to my experience, that your day-to-day might not necessarily be fully in the form of security focused things day in and day out. It might be having to shift and pivot into other parts of the organization and wear a lot of hats. Whereas if you're going to a big company and you're gunning for that very bureaucratic organization that has very complex systems and some of the toughest adversaries and toughest security threats, you're probably more in a narrow lane where you are truly becoming a deep expert in one area of security. But, the con there is that you just might not get to see the broader picture. You might not have as much proximity to that organization's leadership and those sorts of things.

Chris: So, I feel like you're specifically in a great position to answer this. You mentioned that you were a late comer to computers and tech, and a lot of what you've done has been self-taught. Speaking to our listeners who might find themselves in a position or a career that they don't like and it might not even be tech-focused or security focused at all, what's one thing that you would recommend they could do in their current and and you know, sort of a lot of what you've done has been self taught. So I'm speaking to our listeners who might find themselves in a position or career that they don't like and that might not even be tech focused or security focused at all. What was, what, what's one thing that you would recommend they could do in their current position that you know, that they could do today even that would move them one step closer to getting on a path of being a security analyst?

Jonathan: I think there's so many online courses today, just taking an online course that intros you to security, cybersecurity, or even the CEH certification. That one I particularly have been eyeing. Certified Ethical Hacker. Those are slightly bigger commitments, but things that I think could really give you a taste and an appetite for whether you are going to be a good fit for it. I think other things that are much more easier to do and say you get a couple hours free one day. Google local security companies and look at some of the positions and actually see the requirements of those roles. I think those job descriptions are really crafted well to give you a better sense of what you might be doing. It's probably not 100% accurate, but think about those bullet points and say, "Okay, that's what it could be."

Just starting to give yourself more insight into what a security analyst might be doing, what are some of the possible career avenues? Because you don't want to just leap right into it and just assume you're down for it. There's a little bit of validation you have to take to make sure "Okay, this could be cool."

Chris: Yeah. So as we wrap up today, where do you see the role of security analysts going in 2019, especially now that you're a manager? Do you see the roles changing at all compared to previous years? Is it going to need to reflect different aspects of upcoming technology, or just security practices? How is it different now or in the future from where it was when you first started?

Jonathan: Yeah, I think a couple of things is just my experience so far in the security world has been that there are a lot of people that come into this space, small vendors, but all roads lead to consolidation and getting talked into bigger and bigger security stacks. I think with that you could see this further progression or shift towards the deep subject matter expertise versus the broader Jack-of-all-trades security analysts, right? As cyber threats get more and more evolved and sophisticated, it's probably going to be really hard for a single human to be able to know all of that, so I could see it just fragment where people are experts in these single lanes.

I think like the other thing too is that there's going to be a premium on tooling. You always hear about tooling and the ability to parse big datasets, complex data sets, non-traditional data sets to come up with better insights. So, I think there's also just going to be this really cool blend with AI and machine learning with the mathematics of all of that and the security space. There's still an explosion waiting to happen there and I'm really curious to see how all of that comes over the next 10 to 20 years. I think security analysts could really do themselves a big solid by learning programming skills and things like that because it might not necessarily be knowing the threat, but it's actually owning the systems that beat the threat and to do that, you need to be able to work your way around a computer, build programs and come up with little things for that. I think that's maybe where it's going, if I had to speculate and guess.

Chris: Yeah, there's going to be a lot more specialization, but everyone also has to wear multiple hats at the same time possibly.

Jonathan: Exactly.

Chris: So, tell us a little bit about Distil, the company you work for, and some of the projects your organization's working on at the moment.

Jonathan: Distil Networks, we defend web applications and mobile applications and API endpoints from automated threats. If you have a website, people are constantly writing scripts against that either to steal your content, perform malicious acts like login attacks, or they'll try and stop your gift card forum to bank out a bunch of gift card dollars. So, our platform and technology is really designed to prevent that automated scripting against those applications and endpoints.

Historically, we've been a reverse proxy solution where we're sitting in line with customer web applications, but we've actually found a lot of friction, especially with bigger companies like financial institutions that don't want that single point of failure risk, so we're moving more towards a lighter, JAVA script based solution that doesn't need API callout, that more or less does the same thing in terms of client inspection, but we're at the pivot point of that and we're starting to build that up and stand that product up on its own legs.

So, it's a really exciting time. It's like doing the same thing but with a new approach and a new tech stack. That's the current rumblings here at the company.

Chris: Okay. And if we want to find out more about Distil, where can people go?

Jonathan: Yeah, so as you mentioned, we just recently got acquired by Imperva. So, if you go to Imperva.com. DistilNetworks.com is still up and running. You can even find us on LinkedIn. Just Distil, D-I-S-T-I-L and networks, and we've got a page there as well.

Chris: Okay. Jonathan Butler, thank you for joining us today.

Jonathan: Awesome. Thanks so much. Really appreciate you having me.

Chris: My pleasure. And, thank you all today for listening and watching. If you enjoyed today's video, you can find many more of them on our YouTube page. Just go to YouTube and type in Cyber Work with InfoSec. Check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with InfoSec in your favorite podcast catcher. See current promotional offers available to podcast listeners and to learn more about our InfoSec Pro-Life boot camps, InfoSec Skills on Demand training library and InfoSec IQ Security Awareness and Training platform, go to InfoSecInstitute.com/podcast or click the link in the description below. Thanks once again to Jonathan Butler and thank you all again for watching and listening. We'll speak to you next week.