In this episode our host Tanya Janca (also known as SheHacksPurple), talks to our guest Shelly Giesbrecht to learn what it’s like to be a Principal Consultant doing Incident Response! A long-time admirer of smart people, PowerShelly works hard to surround herself in people she can learn from. This is particularly easy to do in her day job as a Principal Consultant (IR) for CrowdStrike. She is frequently found wearing a bow-tie and some for reason.
welcome to the we hack purple podcast where each week we meet with different members of the information security industry to talk to them about all their different types of jobs if you are looking for career in information security and you aren't quite sure what you want to do this is the podcast for you i am your host tanya jenka also known as she hacks purple and i am from we hack purple an academy and online community that teaches everyone about how to create secure software this week i have shelly giesbrecht i definitely said that wrong but she is going to correct me and i know what you're thinking tanya we want to get to the guest but first our sponsor this week is threadfix powered by denim group and with that let's talk to shelly hi shelly hi how are you good did i say your name correctly you actually did it was perfect i was i gave you the thumbs up oh my gosh absolutely thank you because i was actually meant to ask you about that so i could get it right so that's awesome sauce totally perfect so people might notice today um that there is a bunch of canadian accents happening because we are both in canada and are you canadian shelly i am indeed i am indeed i was born and raised while i was born in calgary raised in victoria uh and and then came back to calgary so i'm based out of calgary alberta awesome so you might hear us say things like abudz we might say the words giver or the expression fill your boots and we'll just translate as we go for our american and international listeners oh my gosh shelly this is going to be so good shelly could you please tell us your name and your handle and your job title uh my name is shelly giesbrecht on twitter you can find me as nuriocity my colleagues call me powershelly and let's see i am a manager with the crowdstrike services team i mainly focus on incident response but i do a lot of proactive work on uh the security development side as well i love power shelly i'm not sure i'm gonna be able to call you shelley anymore i might have to call you power shelly because that's so awesome can you can you tell us about your job and maybe like tell us about it but actually and then after tell us kind of like what is a day in the life like doing that job yeah absolutely so most of my work is reactive incident response and what that means is is we get a phone call uh from an organization or perhaps the lawyers that represent them uh to say they've had some sort of incident cyber incident in in their environment uh whether that be you know hackers if you will or they've been breached or they've got a malware incident there's lots of good hackers by the way um it's not a bad word um and so they've been they've been they've been breached in some way uh and so i like to say that we meet people on the worst day of their business lives um and so my job as a manager is um i help one help the customer scope the incident and understand what we can do best for them how do we get them from where they are on their worst business day to uh back to business as usual or usually better really because this is usually what got them into the the issue to start with uh so we want to get them somewhere better than where they were before um i like to think that actually somebody asked me this the other day i like to think that um my job anyways as kind of managing incidents and and working with customers is probably about 70 percent um counselor psychologist um friend hand holder um and and about 30 technical that said i have an amazing team of really technical people behind me and we not only investigate the incident for the customer but we also help them um and recommend things to to make sure that their environment can be remediated and get it back to where it needs to be so day in the life uh yeah i don't know that we have a day in the life um our days are different every day um that's one of the things i love about it um you know the best part about infosec is um the best answer for any question in infosec is it depends um so what's the day like it depends um you know my wife says to me all the time how's your day today and i go oh it doesn't look too bad right now and then she'll say to me later you seemed really busy today and i said well you know so and so called and then i got into this meeting and then we had to meet with a new client and they had a new incident and yeah that's how my day usually goes so um it's uh that's what i love about it is there's there's never there's never a usual day for us i agree wholeheartedly would you say that um would you say that sometimes your days are very long and sometimes your days are very short yeah absolutely absolutely um we i think what i'm interviewing for this position particularly people who are coming into it new have never been an incident responder before one of the things i like to make clear to them is this is not your monday to friday eight to five job um you know we deal in what we call friday afternoon specials so 4 pm on a friday afternoon is when the phone rings because some customer has been dealing with something all week maybe two weeks and they've decided on friday afternoon that that's when they need help so um yeah some days are some days really long um some days don't end you know um at all i've definitely even you know recently you know worked until three or four in the morning but that's you know i wouldn't say that's an everyday thing but certainly some days are are shorter and some days are longer so yeah absolutely and and weekends weekends are kind of an ephemeral concept oh my gosh i could not agree more if if some of our listeners are less familiar with what instant response is could you kind of like lay it out for someone who maybe doesn't know very much about it yeah absolutely because i think a lot of people have heard of forensics or digital forensics and and doing investigations into what's happened on a computer um and there's kind of two schools of um we call it the digital forensics incident response or dfir you'll see that a lot so digital forensics is really the traditional what we think of of collecting information uh and and doing forensics on that so doing an investigation into the bits and bytes of what happened either on a network or a particular computer and then you know providing those findings to the customer based on uh based on what we see incident response is a little bit more of a reactive science if you will um we are uh usually get called in when there is actually a live threat actor an unauthorized party on on a network yep exactly uh that is still that is still doing bad things and so part of our job is to help the customer um figure out where that's happening uh and contain it stop that bleeding and make sure that um that there's nothing there's no more money leaving the environment that that their their data is no longer leaving the environment that's a big one these days obviously with ransomware is is we're seeing a lot of data exfiltration happening data leaving the environment being stolen damaged et cetera so um we have that piece where we help them contain it um we also do the investigation piece we have a whole team uh that does digital forensics so we try to figure out what has happened if we can uh and and then help them out with that uh and then obviously the eradication piece which is helping them get rid of all that stuff that's in their environment so that's awesome that's a lot that is a lot what type of personality do you think would be best suited to do how about like digital forensics and instant response because yeah um i think for me like when i'm hiring for instance and i think myself is an absolute sense of curiosity that's kind of where the nerdiosity name came from which is um a passion for all things and curiosity for all things nerdy um so nerdy hosting um but i think you have to have that that that um drive to know and to figure out puzzles um that's really what everything is is it's a puzzle um so um having that that innate sense of curiosity and passion for what we do is is is such a huge piece i could not agree more would you also say that to do incident management perhaps um you would need leadership or the ability to be cool when uh everything around you is on fire yes absolutely and that's definitely a learned skill i mean honestly it is um you know we um i've had situations where um i've had a cecil cry on the phone because everything is figuratively anyways burning down around them they don't know whether they're going to be able to employ people make payroll have their company continue in business wow and um and and so you know the ability to as i said part of this is counselor um and and and being able to um you know be there for those folks and you know in in their time of need essentially the worst days of their business lives so um there's a lot of one of the things interestingly i think there's also the project manager piece as well there's a leadership piece there's a project manager piece um i like to make sure the thing i always tell my new consultants is no surprises there's no surprises to the customer we want to anticipate everything that they need uh in real time uh and because we are always dealing with with it moves very fast incident response is constantly evolving and moving fast the incident can change on a dime so having that anticipation that sense of urgency is is huge um and then being able to manage those pieces and organizational whether that's my team and what they need to be doing or whether we have customer tasks what need to be doing so um there's yeah there's a few different pieces but yeah the leadership piece i think you know as you as you grow up as a consultant um i think it's something you pick up and you go and it's been a it's been a real learning curve for me in the last five years as i kind of moved into a leadership role but a lot of fun um so and i get lucky to work with the best people so it's ins i briefly worked in incident response uh and it was very exciting i i would definitely use the word exciting to describe a lot of it and rarely horrifying yes i i mean i think i always think of that and i i don't even i wondered recently if this is actually the people call it the the old people we referred as the old chinese proverb may live in interesting times i don't even know if that's actually true if it's actually a thing or we just is that something that we just say uh but i think ir is kind of like that it's always interesting whether that's interesting good or interesting bad it is a totally different thing but it's always yes we have a question in the chat from way what is the heart of the investigation in instant response um i'm not sure i'm not sure i 100 understand the question but there's another um like follow-up to it is there a chance that an investigation goes wrong and the responders can go kind of into a black hole and how do you tackle this oh yeah okay so um i think i mean the heart i would say the heart of an investigation is um is artifacts um so having actual um artifacts and evidence to be able to produce findings um and from a perspective of investigations going wrong i think that um not necessarily going wrong but um a lot of organizations still aren't logging the things that they should they aren't keeping the logs that they have um and uh and there's or there's an assumption that it was being kept but they never practiced or tested those things um so uh when we go and try to investigate something and we say do you have firewall logs for two weeks ago and they go oh those roll over right in about 24 hours what do you have you know so and so logs oh no we don't keep those um so certainly um that makes our job much more difficult um but i'm lucky enough that um i work for a company that um has produced um some really great things um and so we i think we do a really good job at that but certainly lack of logging lack of evidence um is a huge um interrupter to a good investigation let's put it that way yes i 100 have experienced this and so i told you that at some point i needed to find um a reason to mention my book so i'm just gonna bring the book up on the screen that i just wrote alice and bob learn application security and i drone on and on about how your apps absolutely need to log things because otherwise shelly and i who you can see right now on the screen get new gray hairs because we can't investigate properly because like see shelly has great blonde hair so you can't see but my hair's dark it's very obvious when there are gray in it and i can name the incidents for each one of them where there were no vlogs so listen to shelley there are more patients are interesting because you know we deal with a lot of legacy applications and those are always the most critical in an organization yeah and and they were never written for security so you go in and there's there's there's no username there's no timestamp there's no ip address there's just some random line that doesn't you know doesn't doesn't mean anything to anybody except the guy who developed it oh yeah error 431 come on shelly that's enough information to solve the entire incident with no documentation oh my gosh i'm grateful for folks like you who are actually teaching application security and and good development i'm trying vlogs are vlogs are everything vlogs are everything yes we have another question in the chat and oh it's a good one what is more difficult containment or eradication oh interesting um i think i'm gonna i'm gonna ask your answer with the best answer ever which is it depends um so containment can be difficult if you don't know of the organization that we're working with doesn't know what they can contain so um i always recommend one of the things that i always talk about is when you're prepping for an incident response which we should always be doing um you should be understanding of the things that you could do so in a ransomware incident for instance what are the things that you might need to do um and understand whether you can or can't do them um and understand that uh whether you would you know if you need to ask for help for instance from an outside vendor or incident response firm how they can help and make sure all those things are in line because containment can be incredibly difficult if you don't know what you can and change control too that's a huge piece right like in the middle of an incident um if you don't have the capability to step past your very entrenched and change control is good i'm a big fan of change control but if in the middle of an emergency you can't take a you know a 10 second downtime to do one thing you're you you haven't you haven't built your change management process properly um so there's a lot of words eradication can be difficult if um identification isn't done properly i think because if we don't know what we need to eradicate then actually that we start playing guacamole with with everything so i think containment is probably i'm going to say containment but um eradication can be difficult if the identification isn't done properly as well i could not agree more and the person in the chat says thank you and basically your answers are completely awesome um i want to encourage anyone that is listening right now to write an awesome review and or subscribe to our podcast and if you are watching this on youtube please click that really nice yellow thumbs up button it lets me and shelly know that um well that you like this episode that we are quite funny also um that you just think instant response is cool because quite frankly when you're choosing topics for a podcast i choose what i think is awesome and i'm like oh i want to talk to shelly and i want to talk about instant response this is excellent but it's nice to know when other people also think it's a good topic um i wanna i have as you might have guessed like dozens more questions so first of all so um what types of aptitudes do you think a person could need in order to be awesome at incident response and or investigation so like you can say incident management response investigation however you want to blend that but like attention to detail hyper focus like what types of things do you think makes someone good yeah i think um i will tell you that i think almost everybody that i work with is a little bit adhd we we move very quickly uh our minds move very quickly uh but um i think obviously there's a technical aptitude um but uh and i don't see a technical skill technical aptitude um and and also the ability to learn quickly just like anything else in the technical world uh what we do moves very quickly we have new artifacts new attacks um and so we move very quickly in into how to how to contain those uh and and deal with those um i think again that innate curiosity um passion for learning um is a huge thing um uh active listening uh we do a lot of listening to what our customers are saying uh i started out my first job in tech was on a help desk um and this is uh back a little farther that i'd like to admit and we didn't have remote control software when i first started we had the telephone and what the clients told us and we had to tell them to click on something and type in something wow and and so i consider that one of my best learning experiences because i learned how to listen to what the customer was saying interpret what they were saying and then actually give them the answers that they needed because you know not everybody's technical and that's okay um i uh one of my first jobs my second job i guess in tech was with westjet airlines i was a help desk i actually started my security job there as well but i started out as a help desk person at western airlines and i had a pilot call in one day and he said i forgot my password again i'm so terrible at this i'm so flat i'm so computer illiterate you just i just need help every time and pilots only use at the time anyways only used their passwords every so often they didn't need to log in all the time they weren't at a computer all the time obviously um and so you know they only use their their computers or their their logins every maybe a month or so uh so this poor gentleman is i'm so computer illiterate and he's so down on himself on the call and i said here's the thing i can't fly a 737. so i am flight illiterate you do what you do i'll do what i do um and i think that's an important thing as well is um you know we go into customers all the time that are in like are having a really bad day and it's easy to go in there and be condescending about um the level of security that they have the budget that they have you know all of the things that they aren't doing properly but at the end of the day again we're meeting these people on their their worst business day of their lives and so going in there sort of humble no no ego and and that we're there to help um so um you know i think like any other customer service which you know i absolutely believe i am um having you know having the ability to empathize and and to really um go in there with with the the desire to help um is a huge piece oh my gosh i can imagine um oh someone's giving me feedback that the my mic is very sensitive and the muting and unmuting is really unpleasant sorry i'll stop doing that then uh i've been told that my typing is loud too but i'm gonna give it my best shot thank you for the feedback yaddy um if every single person in tech could adopt that attitude shelly wouldn't life be fantastic it would be not only not only to the customers but also to each other a lot of gatekeeping goes on yeah yeah and i think we learned from everybody um i i think i was telling you just before we started i was really honored to be asked to lead the interim program at my job this year for the 2021 intern class and we have these great interns that come in every year and then a lot of them turn into our associate consultants we hire them on and those guys are so smart they're coming out of university they've got again that passion that drive the curiosity and i learned something from those guys you know nearly every day and and i think that's really the the way to look at for me the way to look at life is there's always something to learn from somebody whether whatever level that they are so i could not agree more i could not agree more shelly i wanted to mention two things before i go to more awesome questions in the chat so uh first of all i want to mention or thank our sponsor threadfix they are the most stupendous vulnerability management system on this side of the galaxy and we hack purple are really happy to have them as our podcast sponsor of many many many weeks now i also wanted to mention besides calgary which you happen to be a big part of and i'm going to share the link on the screen underneath you besides calgary.org do you want to tell us briefly i know it's a bit off topic but do you want to tell us briefly what is b-sides and anything cool about besides calgary yeah b-sides is a sort of grassroots community conferences and they've been happening all over the world now and and in canada we've had them for a number of years some of the larger cities have had them for longer calgary's is uh three or four years old i think i want to say i think we started in 2017 maybe and i might be might be wrong on that um and it just happened actually we just we just finished it about a month ago and and i i spoke at that as well um what i love about the b-sides format is anybody can submit and anybody should submit it's a very welcoming um i've spoken it besides vancouver as well um very very welcoming conferences um great for first-time speakers particularly uh and just a great way to build the infosec community within your own community that's a huge thing i think in canada still we have a long way to go with building security maturity within organizations um and so helping build and grow relationships within our communities for that you know for the security professionals for the new uh folks trying to break in et cetera and on the students that come as well um it is fantastic i was able to actually make some contacts at the university of calgary um in their infosec club and so i'm hoping to keep that relationship up as well so that i can hopefully eventually get some some interns from the canadian side coming into our our practice at my work awesome i might um i may end up sending you people because people are constantly asking me if i need interns at wehack purple and i explain to them yes but more like digital marketing and like web design and just the things that a regular startup needs and they're like don't you need an absec person and like we sort of have someone that pretty much is pretty good at absec yeah and she uh she handles that so we need someone that's good at all the things that she's bad at do you know marketing um we have some questions in the chat and but then i'm like torn about asking you more about b-sides b-sides was the first conference i spoke at and i can't say i i it's hard to explain just how supportive that besides has been in my speaking career we have b-sides in let's go let's go uh west to east so we have one in victoria we have one in vancouver we have one in edmonton and in calgary do we have any in saskatoon saskatchewan i don't know actually i i'm pretty sure winnipeg yeah winnipeg and then we have ottawa is there is there a toronto one i don't think there is i think there's a devops day i don't know because they have tasks and they have uh sector but then there is one um there's one in st john's there was one this year in halifax um isn't there another one out east that i'm missing st john's halifax there are there's quite a few all over but i think that that might be all of them but that's just in canada yes and then i think i love for instance um besides las vegas for instance is done in tandem with uh black hat or defcon one of the two um it's done sort of it's overlapping it's overlapping that is the best best yeah it's basically like during the same time as black hat so the idea is is that it it offsets so people that can't afford to go to black hat i.e me and you and most the people i've ever met um especially because the canadian dollar versus the american dollar yes um yeah so then we can go to b sides because it's somewhere between free and 25 generally to get in one of my actually one of my team um who is in montreal is one of the help is one of the organizers for um besides las vegas so from montreal though he goes down there every year and except obviously this year uh and helps organize the whole event so it it it's not even just you know just the people in las vegas or just the people you know it's very much a infosec community event oh yeah very i'm i'm on the b sides vancouver island board and we have someone from the mainland on our board and someone on our board on the mainland vancouver and victoria are very close we do a lot of things same with the oas chapters like their chapter is always helping us and uh the wilson chapters etc okay but now let's talk more about you so there are some uh there's some questions in the chat that i thought were really good um most of them from way thank you way okay so when you're hiring an incident analyst level one what do you look for um do you have certain certifications that you're looking for that are best or that you can recommend or like what else could someone do to try to get noticed or hired as a level one yeah okay so um for me i love uh one that people have gone out and done a little bit of research so when you come to an interview on instagram response please know what incident response is at least at some level there's lots of resources out there um and and and so you know things like the attack miter framework uh i don't expect you to memorize it but but understanding that you know what it is is fantastic uh uh the uh lucky martin kill chain uh and and i'm just throwing us some stuff out there but you're having a basic understanding of what it is and and what we do is is a fantastic thing um i i also love it when people have you know base um i.t skills i and that's that's a personal bias i will admit i came out of help desk so by the time i got into security um you know i i had a good understanding of what normal looked like um what does what is what are normal protocols uh what is that what is a sort of normal operating on a computer look like uh and and with and so you're able to if you know what normal looks like you're able to see what abnormal and my my job is all about what the abnormal is picking the abnormal out um from that haystack you know when they talk about a needle in a haystack we're frequently picking out needles out of needle stacks and you need to be able to pick out that one needle that is slightly different from the others and that's by knowing what normal looks like so um you know coming with a sort of a set of um a base idea of what operating systems are what what a network is uh are fantastic things to have there's a lot of discussion around whether you should have certifications or not and some people will tell you that certifications don't mean anything um i i personally and so i'm gonna i have eight sans certifications wow i know i know um sans is a for those who don't know is an organization that does specifically um infosec forensics uh uh management leadership training uh and um they've been a big part of me growing up as a as a as an analyst so i'm very very grateful to them as an organization um and and what i will say is having eight certifications doesn't make me better or worse uh than um anybody else who's doing the same job but what it's afforded me to do is to learn a lot that said training can cost money and not everybody has that and so i think that's an important thing to note that but there are i think there's a lot of resources out there that we can build on for free i always recommend that people build their network for instance on social media social media can be not a great place but it can also be a really great place place to to build your network meet people and and you know get to know people in the in the industry research i get a lot of you know some of my best and interesting research from from reading articles that somebody's posted on twitter because sort of the latest and greatest gets gets posted so most of probably 90 of the people i follow on twitter are all in the industry um i mostly post about my puppies um so i'm sorry for any of my followers out there um but uh they are cute so there it is um but yeah i think um i always say though with with um you know juniors coming in that i can teach you the technical skills it's coming in with with that drive and that passion that curiosity to learn um and so i kind of gauge that with if somebody shows up to the interview and i say tell me what you know about instant response and even if it's not technically correct if they if they've gone out and they've learned something um and they can you can tell me a few different things i feel like i can that's somebody that i can teach that i can that i can teach them the technical side as long as they're willing to go out and put the work in so that that's a really that for me is probably the biggest thing um if i was gonna say based notifications i apologize i'm gonna keep talking um that's a canadian thing though we apologize for everything um uh certifications wise um from a forensics and incident response perspective um there are some again some great courses with sans um with regards to um there's a basic uh forensics class i think it's 300 um that's a great place to start to learn um why we do forensics um and what some of the artifacts are um one of the courses i took uh early on was from the carnegie millions carnegie mellon software institute and it was an incident handling class and it taught me how to manage an incident that was really interesting as well so there's there's a lot out there um and there's some free stuff as well um it's just a matter of finding you know that that first half but uploads yes i actually just started following someone on twitter called dfir diva and she has been sharing yeah she's been sharing tons of free resources on forensics and i'm like you're a totally awesome lady yeah she's she's she's wicked um for people who are listening and who are wondering how to spell shelly's handle it's nerd so n-e-r-d and then it's i o so nerdy as in nerd with an i at the end so i o s i t y so there's no y like th because i was thinking nerdy like n e r d y but so it's n e r d i o c i t y yes spelling for the win [Laughter] and there's a bit of conversation in the chat about why is sans so expensive and it's probably because they can because they're like the highest on the market like i i run a training company and if i could afford to go to sans to learn the things i don't know i would probably want to go when i was in the government though my entire training budget for the year was around 2000 to maybe 2500 canadian dollars and sam's courses range from like six to nine thousand canadian dollars with the exchange and then you add certification it becomes around 10 000 canadian dollars and we get taxed at a very different rate than americans so we actually pay a much much much larger amount in tax and i remember working it out one year and then after tax it was 20 of my income for the entire year if i wanted to take one sans course and i was like in my brain i cannot find a way where i find this acceptable and not just irresponsible spending on my part and my boss just laughed at me but i actually recently wrote an article of how to justify training to your boss because i've learned a lot because i get turned down and turned down and turned down and then i got like better at asking so i can share that in the chat an article of like how to show that the value of what you're getting for your org will be higher than what they're paying yeah math it's it's tough i mean honestly um so i i will tell you that um one of the big fan of sands um two um i just literally last week finished uh my masters of science information security engineering from the sense technology institute um so uh and i'm about to embark on um becoming a teaching assistant uh for sans so as as outside in my copious amounts of free time so so i i have some bias and i will i will absolutely admit to that there is some there's some bias inherent in this uh how i um was able to um afford if you will a lot of the training that i did um and and how i was able to con my boss i want to say khan um get my boss to agree to send me to training um one of the programs that sans runs and this is a big up for this is they have a work study program or a facilitator program if you look on their website um it's there and if you get accepted into the work study program um the tuition is uh a fraction of of what of what it is full price um and and you get to what i love about the program other than the tuition part is i really got to then be able to spend some time um with the instructor who um you know is just like brilliant uh and so you get to kind of get to know these people a little bit more than just sitting in the back of the class and maybe being a little shy to to talk but you kind of get to to interact with people a lot more and i think at a conference uh particularly you tend to unless you're really really an extrovert you don't always meet people if you're afraid to kind of stick it stick your hand out there and say hello um but as a facilitator it kind of you're kind of forced into it so it's a that's a great way i did that i think i think i've facilitated uh three or four times um and that's a great way to save your boss um i i'm doing this for way less than it normally costs and you should send me so that's awesome it's still tough um let's face it especially in the times that we're in um getting budget for training is always the last thing so yeah but really i mean people doing fishing and all sorts of other attacks have certainly upped their efforts unfortunately they aren't out of work but anyway i'm not going to complain about heartless people doing ransomware attacks during covet anyway thumbs down on them i haven't there's another awesome question in the chat wait way is on a roll so thank you as you are a man are you the as you are managing the team what are the qualities of the best incident responders in your team um you mentioned active listener and attention to detail but how do you quantify that or basically how could someone try to be awesome at those things uh i think those are really practice um i so the other piece that is is a really big one is being able to explain the technical to anyone so we deal with very technical things uh and the customers that we deal with sometimes we're sitting on a call with the executive team and they are not technical they know how to log into their computer they don't know how that works and so when you tell them things like um we found a persistence mechanism in a registry key that's used to blah blah blah what they hear us want so my job is usually to translate that so my my uh particularly younger analysts are very technical but don't always know how to translate that into customaries so i throw my associates and my consultants in off the deep end and say ethan would you like to explain what you found and i actually make them do it because there's no better way to learn how to actively listen explain things to an executive uh or uh you know even the you know provide empathy um then practice it over and over again so like any good thing in life it requires practice yeah i just so people who are listening you can't see me nodding vigorously and also when shelley makes jokes me trying to cover my mouth before i start laughing really loudly because i usually mute myself when i get the giggles um but shelly has been cracking me up with some of her answers but not this one um this is this is very good so i have another question so when people are trying to decide you know their career for a lot of people how much money you make is an important decision um or important deciding factor so does incident response pay well is it you know where would it rank on the scale of you know software developer versus help desk versus executive um i think we get paid well um part of that is of course um we don't we don't work on monday to friday eight to five job so i think part of our pay scale has to do with the fact that we work holidays and weekends and middle of the night and um i've had i when i so previous to crowdstrike i worked at cisco i managed the team there for three and a half years uh uh with uh with another lead and um i actually had one of my guys miss his son's kindergarten graduation because we had a customer that we needed him to be at um and i will tell you that i try to avoid that at if we can avoid and get somebody else to do or go i will absolutely try to do that in in every time but sometimes that's that's what we do and and that's what we kind of sign up for so i think part of our our pay scale reflects that um so compared to say someone who is um you know doesn't have those first rates as sort of a monday to friday may have a similar skill set but it's sort of monday to friday eight to five i think our pay scale reflects the fact that we um you know sort of have a an unusual schedule yes i recall um my 37th birthday having 30 people in my living room while i was upstairs attempting to pass over management an incident that i was managing and i'd already been managing it 12 straight hours and i was like i have balls of champagne and like 300 worth of raw oysters downstairs and my friends are not eating and drinking all of them i am getting some of them i am turning 37 today and this is happening and i have another way more senior than me incident manager that i'm handing this off to i'm like dude i'm exhausted you don't even want me anymore and he's very upset he's like no i only want you and i was like no no this guy's way better and it took me like an hour to get him off the phone i was like just calm down it's not even a really big deal yeah my probably my recent experience isn't as isn't as dramatic as that that is that is but i was actually she's angry yeah my wife and i brought a trailer camping trailer this summer because we wanted to um obviously with the whole coveted situation we haven't been able to travel the way we like uh so we we bought a a travel trailer and we were taking it out for our first weekend out in it we were out in canmore in the canadian rockies she isn't far from home for us it's about an hour but it's amazing we're all set up ready to ready to to get some dinner on and i got a phone call so i'm standing in the middle of a campground with my wife and she's already got a drink in her hand and our dogs and i'm on the phone with a customer who is having a crisis in the middle of a campground and thank god i actually had had the signal but um yeah it happens right so yeah um yeah but i i'm i i would always say you don't have to love what you do as long as you get paid well but um you can't hate it so i'm i think i'm blessed that i also love what i do and and then i also get paid pretty well to do it so it's a good deal it really is if you think about it incident responders are sort of like that emergency room at the hospital person where it's like you're triaging and like fixing everyone and just you know what i mean and you're that cool as a cucumber like don't worry i got this you there you there you must have amazing stress management skills like you must have all these things that you do to relieve stress that are just incredible you're like yoga ing and everything do you do you have like a whole thing that you do to so that you can handle like or calm down after an incident you know what i actually got off a call uh one time with one of my colleagues and and he said to me and on the call um the cso of the company had actually yelled at me um nothing that was our fault but he was stressed and he decided he was going to yell at someone and it was going to be me um and we got off the call and my colleague called me he said i can't believe how calm you were he said i would have i would have lost lost it at him i can't believe how calm you were and i said you noticed that my camera wasn't off you're like good the voice was super calm oh wow the face was not so calm but uh you know i think it's a little bit of sometimes it's that uh that uh swan thing where you're all screen on the top of the water but your legs are going like this underneath i i used to work at a computer repair store like 20 years ago and if we had a customer come in and yell at us i would bring whoever got yelled at into the warehouse and we were a warranty shop for apple so we would have all these keyboards and mice lying around because unlike like the parts inside a computer with a mouse and a keyboard they would just replace them and my boss kept keeping them and i didn't know why so then i would just say keep smashing keyboards and throw them off the roof do whatever you need to until you feel better and they're like what i'm like like this smash and then i just get them to like i'm gonna climb up the ladder just throw it and they're and i just keep doing it so you feel better sweep the stuff into the garbage and come on back you've got 15 minutes just smash things and it works so well that's amazing it's amazing and we're supposed to throw them out anyway so i was like might as well make them messy it's fine that's amazing that's amazing i feel like i could talk to you for at least one more hour but we are actually like right near the end so there's there's one more question in the chat and then um and then i'm i'm gonna do the wrap up e questions okay okay so have you ever mentioned someone in your team uh that that has ever gone above and beyond and what made you and if yes what made you do that so has someone ever gone like way above and beyond on your team i guess and what what was it that they did that you felt was so amazing oh my gosh um you did it yeah again i'm super blessed to work with just just amazingly dedicated and smart people so um i think for us i'm i'm working with you know a particular team with a client right now and so we work on a statement of work that has a number of hours associated with it for instance and we finished an incident with a customer um and um they were supposed to implement a recommendation that we gave them and it has not been done yet and somewhere in the middle of that unfortunately they got breached again and they came back to us and this is literally a short period of time and they came back to us yeah it's terrible and and we had a very small amount of hours left on this slw and in the project manager that i'm working with who's one of one of the folks on my team um just jumped right in um and and we've put in a number of hours there that are probably going to go on you know unbilled um to make sure that they had what they need um but um i think one of the things we do at crowdstrike did kind of help that you know and and make that a culture of recognition is we do awards every year um and i was lucky enough to give out an above and beyond reward this year actually too to one of our one of our consultants and i think um having that kind of culture of recognition is huge but um you know i think everything that we do um is is about getting that customer to where they need to be so as i said i'm super blessed to just to work with folks that do that and um my job as a manager is to make sure that those folks get the recognition for the work that they do so whether it's on a customer call and saying you know tony did this amazing job finding this artifact and i'm going to let her tell you about it as opposed to me you know being the one that's the talking head all the time or um you know getting on a call with with my leadership or with the whole we have all hands meetings all the time and saying by the way great job on this you know from this person and making sure that they get recognition for the work that they did is is a huge thing absolutely awesome awesome way thank you thank you so much so much are you hearing that echo nope no echo okay great then if you're not hearing it i'm sure it's fine um thank you i want to thank um the people in the chat for all their great questions especially way with so many awesome questions thank you shelley for being on the show i have one last question and where can people find more about you because i know that you do to speak at conferences and stuff so let's say someone wants to follow you or there's like a website uh so um i am on twitter that's probably the easiest place to find me is uh is at nerdiocity um i have a website uh nerdocity.com which i don't uh update nearly as much as i should um i have a couple of research papers on sans if you're interested in in my work uh dns is a big is a big um flavor of love for me and uh and so there i have a paper on sands i don't have any upcoming talks um but um i'm hoping to to do some speaking again next year last year was the magnet user summit um as well as besides calgary uh falcon for crowdstrike um i'm usually uh applying to most of those conferences plus a stanza conference or two um since dfir conference is amazing this and and oh plug again i apologize for this but the sans the sans uh the sand summits are all free next year in 2021 they would be virtual they will all be free all of the summits all of so so thread hunting intel uh dfir i'm not going to get any of all of them right but ics they've got so many and they're all free next year virtual um which i think is is a lot of companies doing that magnet did that last year for their user summit as well it was amazing um and so look for those look for those events i think 2021 is going to be another year for a lot of virtual stuff um and and so um i hope to be at some of those as well at least virtually um and and so hopefully we'll see spokes there cool there is a question in the chat of are you on linkedin i am i am on linkedin shelley geestrox linkedin um so you see the picture with the bow tie i think i'm actually wearing the same shirt in that picture um i love the bow tie by the way i think it looks hot especially i actually really like your whole look okay so i'm gonna stop complimenting you on your fashion and thank you so much for being on the shows shelly you are the first person to talk about instant response and especially talking about incident management this is super duper helpful thank you very much for being on the show thank you for having me it's been fantastic awesome and with that that was the weehack purple podcast and i am still your host tanya janca and that was shelley geez breck damn it i hope i got that right because she was such an amazing host her her wealth of knowledge was well basically i wanted to ask her questions for at least four more hours but i know that's inappropriate and people don't like that i want to thank our sponsor thread fix for being not only with us this week but for so many weeks in a row i want to let all of you know that tonight at midnight basically um the last course in the application security foundations program from wehack purple is coming out yes that's right as soon as this podcast is over that's exactly what i am working on and so the entire program including the certification is going to be ready and available as of tomorrow so i hope that you go over to the wehack purple academy and check that out while i have you on the call i want to talk about the next couple weeks who we have coming up next week so december 17th right before the holidays we have majida afrin and she's going to talk about being a bug bounty hunter and then if you liked this episode about instant response you definitely want to show up for january 7th with nashua lindsay and she's going to talk about specifically forensic investigation after that we're going to have brian anderson who's going to talk about basically being an operations manager and in charge of security service delivery and then after that we have sasha rosenbaum and if you follow me on twitter you've probably seen a lot of sasha lately because she has been tweeting a lot about my book and gosh i just couldn't even dream of having such great support of a wonderful friend like that so with that i am she hacks purple and this was the we hack purple podcast thank you and i can't wait to see you next week