Aaron Shelmire

Co-Founder

Pittsburgh, Pennsylvania, United States · 22 yrs 6 mos experience

Key Highlights

  • Led automation initiatives in cybersecurity.
  • Grew teams and accelerated deployment processes.
  • Expert in cloud security and incident response.
Skills

Core Skills

Product Management, Software Engineering, Incident Response, Detection Engineering

Other Skills

Microsoft Azure, Google Cloud Platform (GCP), Python, React, AWS, Azure, GCP, XSOAR, Office365, Malware Analysis, Network Security, Information Security, Intrusion Detection, Information Assurance, Reverse Engineering

Experience

Total Experience: 22 yrs 6 mos
Average Tenure: 3 yrs
Current Experience: 2 yrs 6 mos

Abstract Security

Co-Founder

Oct 2023 - Present · 2 yrs 6 mos · Remote

  • Getting security analysts back into the flow, digging through data, understanding their environment, reducing risk, and finding evil!

Skills: Microsoft Azure, Google Cloud Platform (GCP), Software Engineering, Product Management

Palo Alto Networks

Sr. Engineering Manager, Unit 42

Dec 2021 - Oct 2023 · 1 yr 10 mos · Remote

  • Led multiple research and innovation teams, managing engineering managers and tech leads building automation for Unit 42 Security Consulting, including:
    • a platform team building full stack React/Python apps in GCP that run our automation modules
    • a complex subsystem team building automation to acquire evidence and forensic artifacts from AWS, Azure, GCP and other cloud service providers, as well as supporting large scale data transfers
    • a group automating Incident Response and security operations via XSOAR
    • providing and coordinating operational support for Security Consulting
    • helping guide the creation of research initiatives born from the engineers
  • Took 2 new platforms from prototypes/ideas to release and through to daily production use by consulting teams
  • Grew the team 300%
  • Migrated systems from on-prem + AWS to GCP integrated with AWS and Azure
  • Accelerated the team from monthly releases to continual deployments

Skills: Software Engineering, Microsoft Azure, Product Management, Python, Google Cloud Platform (GCP)

GitHub

Sr Engineering Manager

Feb 2021 - Dec 2021 · 10 mos

  • Manager of 3 teams supporting the Detection Engineering, Incident Response, and Threat Intelligence areas.
  • Grew a team of 3 SIRT members involved in all-the-security-things to 6 detection engineers focused on detection, analysis, and response
  • Focused effort to evaluate and select container telemetry and detection solutions, and research + design of container intrusion scenarios
  • Focused cross-team efforts towards AWS, GSuite, Okta, and Azure detection, analysis, and response w/ Red Team, Security Telemetry, and Product Engineering teams
  • Accelerated detection criteria creation
  • Supported cross-organization coordination of Incident Response activities between GitHub and Microsoft
  • Began purple team partnerships and focused collaboration with the red team
  • Supported SOC2 and FedRAMP audit activities, and ISO27001 certification

Skills: Microsoft Azure, Google Cloud Platform (GCP), Incident Response

Secureworks

Various Detection and Research roles

Mar 2017 - Feb 2021 · 3 yrs 11 mos · Planet Earth

  • Security research + detection engineering evolving through many roles, including:
    • Worked with the CTO's office and product management to align strategy and GTM on Cloud Detection and Response; took a research initiative from pitch to prototype to market for AWS, Azure, and Office365 Threat Detection and Response via purple teaming. This new capability led to increased sales for our flagship product.
    • Matured processes and drove engineering efforts for detection engineering on Secureworks' new TDR platform.
    • Expanded detection engineering beyond Windows and Network to include Linux and macOS.
    • Managed the endpoint detection engineering team.
    • Improved endpoint detection processes and tooling, driving a 20% efficiency savings in "maintenance work" across the team's effort that we reapplied to content creation, and drove engineering efforts that brought our endpoint detection content management from a bunch of Python scripts and CSVs to a continually running Django web application, resulting in greater efficiency gains. Prototyped various ML-"light" efforts around detection content.
    • Performed Threat Research (malware analysis, endpoint agent countermeasures, data analysis) and delivered reports / presentations.
    • Created emulators and configuration extractors for high priority malware families which were run via an automated system.
    • Improved a large scale malware sandbox system running 80-120k samples per day used for malware analysis, threat research, and verifying detection coverage.

Skills: Microsoft Azure, Detection Engineering

Anomali

Principal Threat Researcher

May 2015 - Mar 2017 · 1 yr 10 mos

  • Anomali, the org formerly known as ThreatStream.
  • People manager and leader of the threat analysis and detection component of Anomali LABS. The team of 4 researched threats (malware analysis including a pretty wide array of Mach-O / Mac malware, actor analysis, etc.), created content within the TIP platform, webcasts and blog posts. I additionally assisted engineering w/ improving the TIP platform both in a SME/Product Management role, via code commits, and with paper prototypes for platform improvements.
  • Public Presentations:
    • BSidesDC 2015 - An Adversarial View of SaaS Sandboxes, co-presenter w/ Jason Trost
    • BlackHat Webcast, Battlefield Network, 22 Oct 2015 - Webcast on Hunting
    • BSidesNYC 2016 - An Adversarial View of SaaS Sandboxes Part 2, co-presenter w/ Jason Trost
    • AnalyzeCON 2016 - Segments, Sections and Functions, Oh My! - Hashing your way to analytic shortcuts
    • BSides Austin 2016 - Segments, Sections and Functions, Oh My! - Hashing your way to analytic shortcuts
    • Anomali Detect 2016 - Effective Threat Intelligence Management
    • ATTE Fall 2016 Quarterly - Threat Metrics
    • A Conference on Defense (Jan 2017) - Decreasing Dwell Time
    • SANS CTI Summit 2017 - Effective Threat Intel
  • Daily work with: Python, IDA Pro.
  • Frequent work with: Volatility, Snort, Suricata, CarbonBlack.

E8

Technical Staff

Jan 2015 - Apr 2015 · 3 mos · Redwood City, CA

  • Early stage incubator startup creating an ML driven SIEM. Learned a lot about startups and product development / management.

Dell SecureWorks

Senior Security Researcher - CTU/SO

Jul 2013 - Jan 2015 · 1 yr 6 mos · Greater Pittsburgh Region

  • Performed hunting, incident response, and remediation surrounding targeted intrusions in Fortune-1000 organizations.
  • Produced intelligence reports on threat actors, as well as malware analysis reports.
  • Created host-based and network-based signatures to detect targeted intrusion activity and malware.
  • Helped create and develop an endpoint agent and EDR tool suite.
  • Disk forensic analysis.
  • Memory forensic analysis.
  • Log analysis.
  • Network traffic analysis.
  • Daily work with Python, IDA Pro, Volatility. Frequent work with X-Ways.

Carnegie Mellon University

Adjunct Professor

Mar 2011 - Dec 2015 · 4 yrs 9 mos · Pittsburgh, PA

  • Taught graduate students the basics and excitement of 95-769 Network Security Analysis

CERT

Member of the Technical Staff

Mar 2009 - Jul 2013 · 4 yrs 4 mos

  • Research and development of advanced initiatives ranging from malware analysis to intrusion analysis and network analysis.
  • Reverse engineered software associated with attacks, analyzed incident information (network and log traffic), and developed tools to help detect those attacks and make analysis easier.
  • Performed in-depth analysis of actors' intrusion activity over 5+ year periods as part of multi-agency working groups.
  • Flow analysis.
  • Engineering and technical analysis of operational and investigative initiatives.

Pittsburgh Supercomputing Center

Various Engineering Roles

Oct 2003 - Mar 2009 · 5 yrs 5 mos

  • Transitioned from High Performance Computing Engineer and Grid Computing Engineer to Information Security roles.
  • Intrusion detection, incident response, and the design, build and deployment of security infrastructure, etc.
  • Implemented a restricted environment for web-based science "portal" access to HPC resources using containers.
  • Developed and implemented IDS technologies, writing and refining Snort rules and Bro modules, and a custom-built SIEM.
  • Extended PSC's Grid Computing Infrastructure as part of the TeraGrid.

Argonne National Laboratory

Systems Intern

Jan 2002 - Jan 2002 · 0 mo

  • Systems programming work including regression tools for Linux clusters, web-forms to interface with notification systems, and inventory control systems.

Education

Carnegie Mellon University

Master of Science — Information Security

Dec 2008 - Present

PennWest Edinboro

Bachelor of Science — Computer Science
