cyberSECURITY EFFECTIVENESS PODCAST:

Ada lovelace, ac/dc, and behavior research

09/26/2018
In the spirit of Ada Lovelace Day coming up on October 9th, host Brian Contos chats with Verodin Security Analyst Ashley Zaya about her role on the Behavior Research Team (BRT) and the perspective she brings to the industry. Ashley reflects on her career in InfoSec thus far, and the experiences she gained working in Boeing's fast-paced SOC. Ashley also shares valuable advice for women entering the field and one of her favorite movie soundtracks to jam out to.
We have to think about everything from the adversary's perspective and I'm able to look at problems from the offensive and defensive side. I can see how I'm directly helping customers to improve and get better every single day. That's what really motivates me.
ashley zaya
Security Analyst on Verodin's Behavior Research Team (BRT)
stay up-to-date with the latest from verodin

ashley zaya

Security analyst
Verodin
Ashley Zaya joined Verodin as a Security Analyst on its Behavior Research Team (BRT) in February 2018. Previously, Ashley was the Incident Response Specialist for Boeing's Security Operations Center (SOC). Ashley holds a degree in Security and Risk Analysis from Penn State University with an emphasis on cybersecurity and she has been a GIAC Certified Incident Handler since 2016.

Brian Contos

CISO
Verodin
Brian Contos (@BrianContos) has two decades of experience as an executive, board advisor, entrepreneur, and author. Brian worked at DISA, Bell Labs, Riptech, ArcSight, Imperva, McAfee, and Solera in over 50 countries, across six continents. He speaks at events such as Black Hat, BSides, and RSA, and is frequently interviewed by the press.
about the series:

cybersecurity effectiveness podcast

Cybersecurity experts from around the globe share experiences about their journey to increase security effectiveness. Do boards and business leaders understand the risks? Is security improving, barely keeping up with threats, or falling painfully behind? And more importantly, if what kept us secure has stopped working, what do we need to do to fix it? Join host Brian Contos and his guests as they explore these questions on the Cybersecurity Effectiveness Podcast.
Transcript: Ada Lovelace, AC/DC, and Behavior Research
Brian Contos:
Welcome to the Cybersecurity Effectiveness Podcast, sponsored by Verodin. The Verodin Security Instrumentation Platform is the only business platform for security that helps you manage, measure, improve, and communicate security effectiveness. I'm your host, Brian Contos, and we've got a really special guest today. Joining me is Ashley Zaya. Welcome to the Cybersecurity Effectiveness Podcast, Ashley.

Ashley Zaya:
Hi, Brian. Thank you for having me.

Brian Contos:
Ashley, before we get started, can you give all our listeners a little bit of background about you?

Ashley Zaya:
Sure, absolutely. I've been a member of the Behavior Research Team here at Verodin for the past seven months. Originally, I'm from Pittsburgh, Pennsylvania, so I'm a true Yinzer at heart, forever and always. I went to Penn State University where I studied security and risk analysis with an emphasis on cybersecurity. I've been in the D.C. area for the past three years now, specifically in Maryland, so I've been enjoying my time here.

Brian Contos:
Well, that's awesome. We're glad to have you at Verodin, for sure. I do want to get into the Behavior Research Team, or BRT, a little bit later. Before we do that, let's step back a little bit. What compelled you to start your career in information security?

Ashley Zaya:
That's a good question. To be honest with you, it's not one of those stories where I was young and I really wanted to work with computers or anything. Don't get me wrong. I always loved playing with computers, playing video games, everything like that, but I originally wanted to go into animal science or work in a zoo. So, when I was applying to colleges, that's what I was applying for.

Ashley Zaya (cont'd)
Then, right before I started, I decided I really wanted to move over to doing something along the lines of IT. I worked at Best Buy for a long time in high school, and I really enjoyed just working with computers, so I went into comp-sci and quickly found out that that was not what I wanted to do. One day I was in a general education class, and one of our professors came in. His name was Smooth Dave, and he was telling us all about security and risk analysis. He really is smooth because he won me over. I switched over to security and risk analysis, and the rest is all she wrote.

Brian Contos:
Wow. You know, it's so interesting when I talk to people in our field, how they got into it and what their backgrounds were. There [are] people with degrees in physics and biology and psychology and all these things, and very few people, I will say, actually took a very direct path. I think that really adds to the eclectic nature of space. We just have so many folks from so many walks of life with different backgrounds. It's probably why this is such an exciting field, actually.

Ashley Zaya:
Absolutely. I agree completely.

Brian Contos:
So, given your background and what you've been doing and where you came from, what motivates you, both professionally and personally?

Ashley Zaya:
By nature, I'm a person that likes to give. I like to be able to help people. And when I'm able to see that and be able to measure and show that I'm providing some positivity into the world, that's what really motivates me, both on a personal and professional level. I want to put as much good out into the world as I can because it's better to leave the place, this world, better than when you first got here. So, from a personal and professional level, working with people, being able to help them with problems or specifically, in this role, being able to help measure against today's attacks, I can see how I'm directly helping customers or people or security analysts to improve and get better every single day. That's what really motivates me.

Brian Contos:
Yeah, you know, I love hearing that because I think it really encapsulates this notion of Ada Lovelace Day, and while it's very squarely about women in tech, women in STEM, however you want to phrase it, there's a much, much broader picture. It's why women in tech, why women in STEM, and it's this notion of making the world a better place and leaving it better than it was before you got here. I certainly love hearing that. Well, with that said, what did you do professionally, and what was your career path to joining Verodin and becoming part of the BRT, the Behavior Research Team?

Ashley Zaya:
Prior to coming over to Verodin, I worked in the SOC for Boeing, so I was there for about two and a half years as an incident response specialist. So, we were in charge of the continuous monitoring and detection of all the corporate networks, so everything on the ground. It was a very fun role and it was a great role coming out of college. Being in a SOC, you know, you kind of start out slow, learning everything, but then I got to grow so much, and I got to interact with so many different teams. In a given day, I could be working with the forensics team or I could be working with our cert team or our intel team and really having a lot of collaboration. Even more, every day was different. I would be looking at different malware or working different alerts, taking different incident response reports, so it was a great starting role.

Brian Contos:
Oh, that's fantastic. You know, I've heard people refer to working in a SOC as a bit of a grind, but a grind that a lot of people actually love because you're always problem-solving and there's never a lack of problems. There's always something new. Was it fun, was it interesting, was it frustrating, was it everything balled into one? What was your general SOC experience like?

Ashley Zaya:
I think it's a mix of emotions, and I think of people that have worked in a SOC can feel that way. You have days where you're like, "Yes, I did really well. We were able to solve this problem, think outside of the box." And then there [are] days where you just get slammed with alerts and you feel like you can never come up for air. So, it definitely was a mix of emotions, but I really did like it. I prefer my work environment to be more fast-paced. I don't like to just wait around and have only a few things to do. I like to keep busy, and I definitely kept busy in the SOC.

Brian Contos:
Yeah. Well, with that personality, you definitely came to the right place at Verodin, too, I think.

Ashley Zaya:
Absolutely.

Brian Contos:
The fire hose never shuts off. So, you know, there's a lot of women listening, of course, to this podcast, as well as men, but what piece of advice would you give to maybe some of our women listeners out there that are interested in starting off in InfoSec?

Ashley Zaya:
Sure. I actually kind of have two pieces of advice, but the first one that I'll start with is, as we all probably know, cybersecurity, information security, is a very large umbrella, and there's so many different fields or areas that you could focus on inside of cybersecurity. One thing that I quickly found out when I joined is that you're not going to know everything, but that's okay to not know everything. It's being able to differentiate between what you know, what you don't know, and when to seek out help. Acting like you know everything isn't going to get you as far as you want, and you have to work with other people because there's always going to be other people that have pieces to the puzzle that you might not have. So, when you're not really sure of the answer, reach out to people, talk to people. It really helps to collaborate in this field.

Ashley Zaya (cont'd)
My second piece of advice that I would give is [to] try to find a mentor that you can talk with about these things. I've been fortunate enough to not have one, but two, great mentors in my career so far, and you know, I haven't been in this field for so long, but they've helped me grow and excel and get me to where I am today, and for that I am so grateful. So, if you have the opportunity, try to seek out somebody that has been in the field for a while longer who you can look to for guidance.

Brian Contos:  
Yeah, I think that's so important. I have two daughters that are both very interested in STEM. They're very young, they're in middle school, but they do programming and robotics and things like that. Where I live, here in the San Francisco Bay Area, there is a number of organizations, like Girls Who Code, and things like that that actually take young women and find mentors with them that are in engineering and leadership roles with Bay Area companies so they can learn from them directly. So, it's nice to see. Maybe you don't have these contacts or know these people already, but there's actually organizations out there that can help make that connection for you, which is nice.

Ashley Zaya:
Absolutely.

Brian Contos:    
So, you know, Information Security's always changing, which is one of the reasons it's so exciting. If you're doing the same thing twice, you're probably doing it wrong the second time.

Ashley Zaya:
Sure.

Brian Contos:
What do you do to stay up to speed, up to date, on the latest and greatest, both from maybe an offensive and a defensive perspective?

Ashley Zaya:
One of the first things I did when I started out is I made a Twitter account, and I follow a lot of researchers. A lot. Just from that alone, I can get so much information, and it's always coming in in real time, and that's helped so much. Whether it be in my previous role, looking at malware, malware runs coming in, people that are researching that, posting information about that online, to now, looking at vulnerabilities and things like that. Twitter is really great for [finding] information quickly.

Brian Contos:
Yeah. Absolutely. It used to be you had to really hunt and peck to find information, but now, there's so much data out there. It's almost sort of getting it down to the stuff that's really important to you tends to be harder than just finding the raw data, so Twitter's a great delivery mechanism.

Brian Contos (cont'd)
So, let's jump in. We mentioned a little bit earlier about your role at Verodin as part of the Behavior Research Team, or BRT. Tell us exactly, what do you do as part of the BRT?

Ashley Zaya:
Yeah, so as part of the BRT, our job is to research and identify today's adversaries' techniques, tactics, and procedures. So, what does that really mean? In a given day, we're doing a lot. Like I said, I'm on Twitter researching, trying to find a lot of different information, whether it's today's TTPs, it could be related to malware or vulnerabilities that are being released, zero days, and what we really are trying to do is understand what our adversaries are leveraging and being able to recreate that and provide the content within the Security Instrumentation Platform that our customers can use.

Brian Contos:
Wow. That just sounds like it's an awesome job. I mean, you get to do net new research, analyzing sort of the latest and greatest trends and attacks and capabilities, and then operationalizing those. What's your favorite part of that role?

Ashley Zaya:
I think my favorite part of the role is the fact that we get to see everything from the beginning to the end, so we have to think about everything from our adversaries’ perspective. So, what are they using, what tools are they leveraging? If they're using it, what kind of commands with the tools, and we have to recreate that in the platform, but then we also have to understand, well, when the adversary is performing like this, what kind of artifacts would we see? What would be in the event logs or anything like that? So, we have to understand it from that perspective all the way to, you know, if this goes through one of many tools, like, what type of signatures would that produce? So, I really like being able to see it from all perspectives. For me, like I said, I came from the defender role, so that's kind of how I operate, but now,I get to do it from both sides of the spectrum.

Brian Contos:
Yeah.

Ashley Zaya:
I like that a lot.

Brian Contos:
Yeah, that's gotta be great to see, both from the offensive and defensive side.

Brian Contos (cont'd)
Ashley, thanks so much for your input on your background and your advice for women interested in InfoSec, and really, everything that you do at Verodin as part of the BRT. But I have one final question for you. Who's your favorite superhero or super villain, and why?

Ashley Zaya:
Well, I could say Cat Woman because I am a low-key cat lady, but I'm not going to pick that answer. To be honest with you, I'm not very big into superheroes. I've seen the Avengers and everything that came out recently, but not a super huge fan. But if I had to pick one, I would pick Ironman, and the reason that I would pick Ironman is because Ironman 2 soundtrack is completely AC/DC. If you don't know me, I am a huge, huge classic rock fan. I love classic rock, and AC/DC is one of my favorite bands. I go to them when I need a good pump-up song, whether it's in the gym or going into a big meeting, so that's my answer.

Brian Contos:
I love that. I love that. I remember when I was a kid and my... I have two older sisters, and they had a record collection that was very small. It consisted of two albums. It was a Molly Hatchet album, and it was AC/DC's Back in Black, and that's the one I chose.

Ashley Zaya:
NIce.

Brian Contos:
I think I made the right choice. Nothing against Molly Hatchet, but...

Ashley Zaya:
I think you did!

Brian Contos:
Awesome. Hey, well, Ashley, thanks so much for joining us today, and again, thanks to all our listeners, as well. Be sure to check out other Cybersecurity Effectiveness Podcasts sponsored by Verodin.
download
stay up-to-date with the latest from verodin
Business Need
technology
company
resources
blog