September 4, 2019 Security operations
Suzanne Moore Greg Bailey

Meet Greg Bailey: former red team lead, now director of incident handling

A former penetration tester and red team lead, Greg is using his enthusiasm for offensive security strategy to help organizations defend against similar tactics.

After just a few minutes of talking to Greg, you’ll notice he has a way of telling stories. Just ask him about the time he narrowly escaped capture by the ex-military after doing pen tests in a foreign country. (More on that later.)

Maybe it’s the smooth radio voice he developed during his brief stint as a broadcaster. Or maybe it’s the years he spent educating students as a SANS instructor. Either way, Greg is a skilled communicator and leader—and we’re thrilled to welcome him to the team.

Before joining Red Canary as director of incident handling, Greg ran security operations for a number of financial institutions and media companies. Get to know a little more about him in this off-the-cuff Q&A. We’re just sorry we couldn’t swing the radio version…at least, not yet.

How did you get into computers?

I have been working with computers for most of my life. I was lucky enough that my parents got me a Commodore 64 when I was a kid, mostly to play video games, but I quickly learned via the DOS manual that I could do a lot more. Eventually, I convinced them to get me a modem and was able to start accessing bulletin board systems (BBS) from numbers in magazines.

How did you get into security?

I was in college studying radio communications when this thing called the “World Wide Web” took off. After graduation, I was immediately hired by a small consulting company back home in Chicago because I “knew computers.” It was there I witnessed our firm and others get hit by some of the more famous viruses at the time: ILOVEYOU, AnnaK, Code Red, SQLSlammer, Blaster, to name a few. That first time I experienced running around our office pulling LAN cables with my IT buddy, I realized I was hooked. I had to know how these programs had gotten into our network and how they operated.

So after a brief stint in radio, I went back to school in Chicago at DePaul University and got another degree focused on security. From there it was a quick hop into professional services and consulting. They basically said: “Oh you don’t mind traveling and you can hack networks? You’re hired!”

What has penetration testing taught you about incident response?

Penetration testing initially taught me how to find vulnerabilities in systems and networks, eventually how to evade security controls like antivirus, and more recently how to evade detection by incident handlers, endpoint detection and response, and behavioral analytics.

Over the years, it became more and more important to start understanding how these detection mechanisms worked—initially in order to evade them, but more importantly so that we could help organizations find ways to detect them. I never subscribed entirely to the “Red Team vs. Blue Team” mentality. In my most humble opinion, the only true purpose of penetration testing or red teaming is to help identify gaps in detection capability, and most importantly, close them!

In other words, context is everything. Indicators may show us that something analogous is happening in a specific process on a specific system, but as incident handlers, it is our responsibility to put the bigger pieces together. We need to understand what is happening from a threat perspective so that we can go through the steps of responding.

Is there more to incident handling than incident response?

One of Red Canary’s biggest differentiators as a team is our holistic, artisanal approach to helping our customers level-up their security. Our number one motivation is to make our customers more secure every time we interact with them. That may mean during the middle of the night when an incident happens, or it might mean proactively understanding their environment in order to identify nascent threats.

What do you think is the biggest challenge facing the information security industry today?

Keeping up! There is an ever-changing threat landscape as interconnected systems become more complex, more diverse, and expand outside of traditional network perimeters. As a community, and as an industry, it is our obligation to keep up as well. In order to do that, we need visibility.

A lot of folks talk of threat actors in the context of getting it right just one time, whereas on the flip side defenders have to get it right every time. While this might over-simplify the problem, I tend to look at it in terms of timeframes and visibility. Sure, that initial foothold might get them onto a system or network—but if we have the visibility on those systems and networks, it should only be a matter of time before we can detect and respond appropriately.

What problems does the information security industry solve particularly well?

Initially, system and network perimeter defense seemed to be addressed in a way that made sense, at least from a traditional engineering perspective. I love network protocols. I love how neatly they conform to a standard or RFC (my favorite is RFC 1149, of course). So as long as networks, and even systems, conform to appropriate standards, it should be easy to put automated detective, corrective, or preventative security controls in place.

The problem is us. Humans are not easily predictable, and threat actors, penetration testers, and sometimes just nice people doing the right thing (phishing) can circumvent these controls. Thus, identifying anomalous human behaviors and patterns is quite important!

What are the main differences between working at a security company and on an internal security team?

Internal security teams have the added pressure of working within the confines of the business risk model in place at their organization. Many times, security strategy and operational goals can conflict with the goals of the organization. This ultimately leads to a security operations team that is under-staffed, under-budgeted, and under-trained due to a lack of perceived value. This leads to further burnout, churn, and poor security in general.

Working on the business side of things for so long gave me insight into that gap, and working for Red Canary allows me to fill it. The value that we can provide in augmenting the security operations of organizations is a tremendous value add.

What’s your favorite information security story of the last decade?

Besides some of those early viruses that I loved to collect years ago, my favorite information security story is definitely Stuxnet. Kim Zetter’s book Countdown to Zero Day is the best analysis of the incident I have seen. While one of the first widespread, publicly identified pieces of weaponized malware, the fact that it was engineered to exploit such a very specific system with multiple zero-day exploits was highly unusual. The fact that a piece of code could actually cause physical harm to an environment was astounding.

How did you first become aware of Red Canary? What attracted you to this job?

Red Canary is one of several companies in the security industry that is well-respected across the community. That is a very hard thing to accomplish. So I had known about Red Canary, their blogs, and some of the experts that worked here for a long time. What attracted me to the job was the idea of working with those same experts who have the same goal in mind: to secure customers. It was an easy decision!

What is your vision for the incident handling team here at Red Canary?

To become a differentiator in the industry. Many companies would charge by the hour (some by the email) for the level of service that we provide. We should know what is happening within our customers’ environments as soon as they do.

I want us to be known throughout our industry and outside our industry as one of the best security teams in the world. I want our customers to see us as their go-to person in the industry if they have any security questions or concerns within their own organization.

Any stories about memorable incidents you’ve worked in the past?

I found out all of this after the fact, but I was (unbeknownst to me) chased down the streets of Puerto Rico by security staff who were all ex-military during a pentest. Luckily I must have been enough steps ahead of them that by the time I was sipping a Mai Tai in the beach hotel lobby bar checking my email, they had lost me.
