Roxy Dee, Threat Intelligence Engineer

Some of you might be familiar with Roxy Dee’s infosec book giveaways. Others might have met her recently at Defcon as she shared with infosec n00bs practical career advice. But aside from all the free books and advice, she also has an inspiring personal and professional story to share.

In our interview, I learned about her budding interest in security, but lacked the funds to pursue her passion. How did she workaround her financial constraint? Free videos and notes with Professor Messer! What’s more, she thrived in her first post providing tech support for Verizon Fios. With grit, discipline and volunteering at BSides, she eventually landed an entry-level position as a network security analyst.

Now she works as a threat intelligence engineer and in her spare time, she writes how-tos and shares sage advice on her Medium account, @theroxyd

Transcript
Cindy Ng: For individuals who have had a nonlinear career path in security, Threat Intelligence Engineer Roxy Dee knows exactly what that entails. She begins by describing what it was like to learn about a new industry with limited funding, and how she studied security fundamentals in order to get her foot in the door. In our interview, she reveals three things you need to know about vulnerability management, why fraud detection is a lot like network traffic detection, and how to navigate your career with limited resources.

We currently have a huge security shortage, and people are making analogies as to the kind of people we should hire. For instance, if you're able to pick up music, you might be able to pick up technology. And I've found that in security it's extremely important to be detail oriented, because the adage is the bad guys only need to be right once and security people need to be right all the time. And I had read on your Medium account the way you got into security, for practical reasons. And so let's start there, because it might help encourage others to start learning about security on their own. Tell us what aspect of security you found interesting and the circumstances that led you in this direction. –

Roxy Dee: Just to comment on what you've said. Actually, that's a really good reason to make sure you have a diverse team is because everybody has their own special strengths and having a diverse team means that you'll be able to fight the bad guys a lot better because there will always be someone that has that strength where it's needed. The bad guys, they can develop their own team the way they want and so it's important to have a diverse team because every bad guy you meet is going to be different. That's a very good point, itself.

Cindy Ng: Can you clarify "diverse?" You mean everybody on your team is going to have their own specialty that they're really passionate about? By knowing what they're passionate about, you know how to leverage their skill set? Is that what you mean by diversity?

Roxy Dee: Yeah. That's part of it. I mean, just making sure that you don't have the same person. For example, I'll tell my story like you asked in the original question. As a single mom, I have a different experience than someone that has had less difficulties in that area, so I might think of things differently, or be resourceful in different ways. Or I'm not really that great at writing reports. I can write well, but I haven't had the practice of writing reports. Somebody that went to college, they might have that because they were kind of forced to do it, by having people from different backgrounds that have had different struggles.

And I got into security because I was already into phone phreaking, which is a way of hacking the phone system. And so for me, when I went to my first 2600 Meeting and they were talking about computer security and information security, it was a new topic and I was kind of surprised. I was like, "I thought 2600 was just about phone hacking." But I realized that at the time...It was 2011, and phone hacking had become less of a thing and computer security became more of something. I got the inspiration to go that route, because I realized that it's very similar. But as a single mom, I didn't have the time or the money to go to college and study for it. So I used a lot of self-learning techniques, I went to a lot of conferences, I surrounded myself with people that were interested in the topic, and through that I was able to learn what I needed to do to start my career.

Cindy Ng: People have trouble learning the vocabulary because it's like learning a new language. How did you...even though you were into phone hacking and the transition into computer security, it has its own distinct language, how did you make the connections and how long did it take you? What experiences did you surround yourself with to cultivate a security mindset?

Roxy Dee: I've been on computers since I was a little kid, like four or five years old. So for me, it may not be as difficult for me as other people, because I kind grew up on computers. Having that background helped. But when it came to information security, there were a lot of times where I had no idea what people were saying. Like I did not know what "Reverse Engineering" meant, or I didn't know what "Trojan" meant. And now, it's like, "Oh, I obviously know what those things are." But I had no idea what people were talking about. So going to conferences and watching DEF CON talks, and listening to people. But by the time I had gone to DEF CON about three times, I think it was my third time I went to DEF CON, I thought, "Wow. I actually know what people are saying now." And it's just a gradual process, because I didn't have that formal education.

There were a few conferences that I volunteered at. Mostly at BSides. And BSides are usually free anyway. When you volunteer, you become more visible in the community, and so people will come to you or people will trust you with things. And that was a big part of my career, was networking with people and becoming visible in the community. That way, if I wanted to apply for a job, if I already knew someone there or if I knew someone that knew someone, it was a lot easier to get my resume pushed to the hiring manager than if I just apply.

Cindy Ng: How were you able to land your first security job?

Roxy Dee: And as far as my first InterSec job, I was working in tech support and I was doing very well at it. I was at the top of the metrics, I was always in like the top 10 agents.

Cindy Ng: What were some of the things that you were doing?

Roxy Dee: It was tech support for Verizon Fios. There was a lot of, "Restart your router," "Restart your set-top box," things like that. But I was able to learn how to explain things to people in ways that they could understand. So it really helped me understand tech speak, I guess, understand how to speak technically without losing the person, like a non-technical person.

Cindy Ng: And then how did you transition into your next role?

Roxy Dee: It all had to do with networking, and at this point, I had volunteered for a few BSides. So actually, someone that I knew at the time told me about a position that was an entry-level network security analyst, and all I needed to do was get my Security+ certification within the first six months of working there. And so it was an opportunity for me because they accepted entry-level. And when they gave me the assessment that they give people they interview, I aced it because I had studied already about networking through a website called "Professor Messer." And that website actually helped me with Security+ as well, and I was just able to do that through YouTube videos, like his entire website is just YouTube videos. So once I got there, I took my Security plus and I ended up, actually, on the night shift. So I was able to study in quiet during my shift every day at work. I just made it a routine, "I have to spend, you know, this amount of time studying on," whatever topic I wanted to move forward with, which I knew what to study because I was going to conferences and I was taking notes from the talks, writing down things I didn't understand or words I didn't know and then later I was researching that topic so I could understand more. And then I would watch the talk again with that understanding if it was recorded, or I would go back to my notes with that understanding. The fact that I was working overnight and I was not interrupted really helped, and then from there...and that was like a very entry-level position. And from there, I went to a cloud hosting company, secure cloud hosting company with a focus on security and the great thing about that was that it was a startup. They didn't have a huge staff, and they had a ton of things that they had to do and a bunch of unrealistic deadlines. So they would constantly be throwing me into situations I was not prepared for.

Cindy Ng: Can you give us an example?

Roxy Dee: Yeah. That was really like the best training for me, is just being able to do it. So when they started a Vulnerability Management Program, I have no experience in vulnerability management before this and they wanted me to be one of the two people on the team. So I had a manager, and then I was the only other person. Through this position, I learned what good techniques are and I was also inspired to do more research on it. And if I hadn't been given that position, I wouldn't have been inspired to look it up.

Cindy Ng: What does Vulnerability Management entail, three things that you should know?

Roxy Dee: Yeah. So Vulnerability Management has a lot to do with making sure that all the systems are up to date on patching. That's one of them. The second thing I would say that's very important is inventory management, because there were some systems that nobody was using and vulnerabilities existed there, but there was actually no one to fix them. And so if you don't take proper inventory of your systems and you don't do, you know, discovery scans to discover what's out there, you could have something sitting there that an attacker, once they get in, they could use or they might have access to. And then another thing that's really important in Vulnerability Management is actually managing the data because you'll get a lot of data. But if you don't use it properly it's pretty much useless, if you don't have a system to track when you need to have this remediated by, what are your compliance requirements? And so you have to track, "When did I discover this and when is it due? And what are the vulnerabilities and what are the systems? What do the systems look like? So there's a lot of data you're going to get and you have to manage it, or you will be completely unable to use it.

Cindy Ng: And then you moved on into something else?

Roxy Dee: Oh, yes. Actually, it being a startup kind of wore on me, to be honest. So I got a phone call from a recruiter, actually, while I was at work.

This was another situation where I had no idea how to do what I was tasked with, and the task was...So from my previous positions, I had learned how to monitor and detect, and how to set up alerts, useful alerts that can serve, you know, whatever purpose was needed. So I already had this background. So they said, "We have this application. We want you to log into it, and do whatever you need to do to detect fraud." Like it was very loosely defined what my role was, "Detect bad things happening on the website." So I find out that this application actually had been stood up four years prior and they kind of used it for a little while, but then they abandoned it.

And so my job was to bring it back to life and fix some of the issues that they didn't have time for, or they didn't actually know how to fix or didn't want to spend time fixing them. That was extremely beneficial. I had been given a task, so I was motivated to learn this application and how to use it, and I didn't know anything about fraud. So I spent a lot of time with the Fraud Operations team, and through that, through that experience of being given a task and having to do it, and not knowing anything about it, I learned a lot about fraud.

Cindy Ng: I'd love to hear from your experience what you've learned about fraud that most people might not know.

Roxy Dee: What I didn't consider was that, actually, fraud detection is very much like network traffic detection. You look for a type of activity or a type of behavior and you set up detection for it, and then you make sure that you don't have too many false positives. And it's very similar to what network security analysts do. And when I hear security people say, "Oh, I don't even know where to start with fraud," well, just think about from a network security perspective if you're a network security analyst, how you would go about detecting and alerting. And the other aspect of it is the fraudulent activity is almost always an anomaly. It's almost always something that is not normal. If you're just looking around for things that are off or not normal, you're going to find the fraud.

Cindy Ng: But how can you can tell what's normal and what's not normal?

Roxy Dee: Well, first, it's good to look up all sorts of sessions and all sorts of activity and get like a baseline of, you know, "This is normal activity." But you can also talk to the Fraud team or, you know, or whatever team handles...It's not specific to fraud, but, you know, if you're detecting something else, talk to the people that handle it. And ask them, "What would make your alerts better? What is something that has not been found before or something that you were alerted to, but it was too late?" And ask just a bunch of questions, and then you'll find through asking that what you need to detect.

Like for example, there was one situation where we had a rule that if a certain amount was sent in a certain way, like a wire, that it would alert. But what we didn't consider was, "What if there's smaller amounts that add up to a large amount?" And understanding...So we found out that, "Oh, this amount was sent out, but it was sent out in small pieces over a certain amount of time." So through talking to the Fraud Operations team, if we didn't discuss it with them, we never would have known that that was something that was an issue. So then we came up with a way to detect those types of fraudulent wire transfers as well.

Cindy Ng: How interesting. Okay. You were talking about your latest role at another bank.

Roxy Dee: I finished my contract and then I went to my current role, which focuses on a lot more than just online activity. I have more to work with now. With each new position, I just kind of layered more experience on top of what I already knew. And I know it's better to work for a company for a long time and I kind of wish these past six years, I had been with just one company.

Each time that I changed positions, I got more responsibility, pay increase, and I'm hoping I don't have to change positions as much. But it kind of gave me like a new environment to work with and kind of forced me to learn new things. So I would say, in the beginning of your career, don't settle. If you get somewhere and you don't like what you're being paid, and you don't think your career is advancing, don't be afraid to move to a different position, because it's a lot harder to ask for a raise than to just go somewhere else that's going to pay you more.

So I'm noticing a lot of the companies that I'm working for, will expect the employees to stay there without giving them any sort of incentive to stay. And so when a new company comes along, they say, you know, "Wow. She's working on this and that, and she's making x amount. And we can take all that knowledge that she learned over there, and we can basically buy it for $10,000 more than what she's making currently." So companies are interested in grabbing people from other companies that have already had the experience, because it's kind of a savings in training costs. So, you know, I try to look every six months or so, just to make sure there's not a better deal out there, because they do exist. And I don't know how that is in other fields, though. I know in information security, we have that. That's just the nature of the field right now.

Cindy Ng: I think I got a good overview of your career trajectory. I'm wondering if there's anything else that you'd want to share with our listeners?

Roxy Dee: Yeah. I guess, I pretty much have spent...So the first two or three years, I spent really working on myself, and making sure that I had all the knowledge and resources I needed to get that first job. The person that I was five or six years ago is different than who I am now. And what I mean is, my situation has changed a bit, to where I have more income and I have more capabilities than I did five years ago. One of the things that's been important to me is giving back and making sure that, you know, just because I went through struggles five years ago...You know, I understand we all have to go through our struggles. But if I can make something a little bit easier for someone that was in my situation or maybe in a different situation but still needs help, that's my way of giving back.

And spending $20 to buy someone a book is a lot less of a hit on me financially than it would have been five years ago. Five years ago, I couldn't afford to drop to even $20 on a book to learn. I had to do everything online, and everything had to be free. I just want to encourage people, if you see an opportunity to help someone and, you know, for example, if you see someone that wants to speak at a conference and they just don't have the resources to do so. And you think, "Well, this $100 hotel a night, a hotel room is less of a financial hit to me than to, you know, than to that person. And that could mean the difference between them having a career-building opportunity or not having that." Just seek out ways to help people. One of the things I've been doing is the free book giveaway, where I actually have people sending me Amazon gift cards and there is actually one person that's done it consistently in large amounts. And what I do with that is, like every two weeks, I have a tweet that I send out that if you reply to it with the book that you want, then you can win that book up until I run out of money, up until I run out of Amazon dollars.

Cindy Ng: Is this person an anonymous patron or benefactor? This person just sends you an Amazon gift card...with a few bucks and you share it with everyone? That's so great.

Roxy Dee: And other people have sent me, you know, $20 to $50 in Amazon credits, and it's just a really good...It kind of happen accidentally, and there's the story of it on my Medium account.

Cindy Ng: What were the last three books that you gave away? - Oh, the last three? Well... - Or the last one, if you...

Roxy Dee: ...the most popular one right now, this is just based on the last one that I did, is the Defensive Security Handbook. That was the most popular one. But I also get a lot of requests for Practical Packet Analysis by Chris Sanders and Practical Malware Analysis. And so this one, actually, this is a very recent book that came out called the Defensive Security Handbook. That's by Amanda Berlin and Lee Brotherston. And that's about...it says, "Best practices for securing infrastructure." So it's a blue team-themed book. That's actually sold over 1,000 copies already and it just came out recently. It came out about a month ago. Yeah. So I think that's going to be a very popular book for my giveaways.

Cindy Ng: How are you growing yourself these days?

Roxy Dee: Well, I wanted to spend more time writing guides. I just want to write things that can help beginners. I have set up my Medium account, and I posted something on setting up a honeypot network, which is a very...it sounds very complicated, but I broke it down step by step. So my goal in this was to make one article where you could set it up. Because a lot of the issues I was having was, yeah, I might find a guide on how to do something, but it didn't include every single step. Like they assumed that you knew certain things before you started on that guide. So I want to write things that are easy for people to follow without having to go look up other sources. Or if they do have to look up another source, I have it listed right there. I want to make things that are not assuming that there's already prior knowledge.

Cindy Ng: Thank you so much for sharing with me, with our listeners.

Roxy Dee: Thank you for letting me tell my story, and I hope that it's helpful to people. I hope that people get some sort of inspiration, because I had a lot of struggles and, you know, there's plenty of times I could have quit. And I just want to let people know that there are other ways of doing things and you don't have to do something a certain way. You can do it the way that works for you.