Preparation on All Fronts: How Military Experience Can Help You in High-Stress Cybersecurity Situations
Amanda Fennell: Thanks for tuning in to today's episode of Security Sandbox. If you like what you hear, please rate and review us wherever you get your podcasts.
Welcome to Security Sandbox! I'm Amanda Fennell, chief security officer at Relativity, where we help the legal and compliance world solve complex data problems securely—and that takes a lot of creativity! One of the best things about a sandbox is that you can try anything. This season, let's explore how curiosity and personal passions inspire stronger security. Grab your shovel and let's dig in.
In today's episode, The Sandbox is heading to the training field for a fast-paced conversation with two military veterans and current Calder7 Security teammates—Gabriel Diaz de Leon and Zachary Languell—on how their experience executing highly detailed military processes and dealing with high-value, high-stress situations prepared them for a life in cybersecurity. So, let's lace up our boots and enter the fray.
All right, Zach and Gabe, I normally intro everybody. I'm not doing that because I want you to tell people what you do for a living here. You're on the team with me. We're going to start with Gabe. Gabe, tell people what you do. What's your daily life like? What's your title and your daily life?
Gabriel Diaz De Leon: I am a cyber analyst on the insights team. My role is dealing with insider threats. And my day basically is meant to prevent an insider threat from damaging our organization and ruining our reputation.
AF: Okay, I feel like it's so easy to double click on that about the military tie in, but I'm going to stop for a second. Zach, what is your day-to-day life like here and what is your role?
Zachary Languell: So, I am an advanced security engineer on the cloud security team, so my day-to-day operations are really focused on the identity and access management program we have here at Relativity, as well as our cloud governance in Azure.
AF: We're going to branch off that then, Zach. How does this relate back to what your role was in the US military, if it does?
ZL: Not directly. I didn't have a technology facing role while I was in the military. However, for all of us, part of the reason that we're here is we can draw those ties between being a soldier, Marine, airman, or seaman first. Those responsibilities translate very directly to roles in security.
AF: All right, then I think Gabe, yours might be direct. I feel like you did have some overlap in the insider threat perspective in the military. What was your role in the military?
GDL: My role in the military was that I was a field radio operator. I was part of the communications realm, and that kind of correlates in a sense to technology. I also had secondary roles, and one of them was a machine gunner. So, for me, I was supposed to provide security for our convoys in our logistics unit, so that taught me security in a physical sense. My main role taught me the security side of the launch, which is like the virtual realm. So I feel like I got the best of both worlds there.
AF: We’re coming up for Veterans Day. That's why I'm so excited. This is one of those things that, you know, it's not an easy conversation to have a lot of times about experience and background whenever you've been in the military. And I don't think we spend enough time giving some light to it. But that’s the whole point of The Sandbox. The theme for this entire year has been about personal passions. This is an area that I am personally very passionate about.
My father was in the military. I worked at Veterans Affairs for over five years as a contractor, but it's been like a way of life for me for many years. I've noticed as I've gone through my career in security that, every time I came across somebody who was super good at process and very targeted about the way they approach something with a goal, when I would needle a little bit about their background, it would oftentimes come up that they had been in the military. I was like, “Oh, I knew it, I knew it.” It's like a financial background in military. While it doesn't always feel like it's a direct correlation for how the military service would prepare you for your role, sometimes when you look back on it—and Zach, I would ask this of you as well—do you think that there was a certain amount of process risk management in the way that you would approach a goal that really prepared you for this?
ZL: Oh, absolutely. You know, the thing is that you can easily draw that line. You don't want someone figuring out late, “how do I use a med kit,” or “how do I use this radio to call in some sort of support request” when they’re in an incident where they need that. Having those procedures and everything already ready to go and everyone on the same page creates a uniformity so that everyone just flows through an incident. And that's what you want to see out of a security position. You don't want to have chaos and people running around, trying to figure out what to do when something's happening. You want everyone to just automatically go into that autopilot and start responding the way that you want them to.
AF: Have either of you ever had a time, interaction, or something whenever executing a procedure in the military that went badly because people didn't follow process and they didn't do what they were supposed to do?
GDL: No. That’s not necessarily the way that the military works. They implement some sort of training until you keep doing it over and over and over until it becomes muscle memory. But part of that is they teach you that no matter what happens, even if it doesn't happen according to the training, you are taught to think outside the box. So, in the Marines, you are given a leadership role from the very beginning. Anybody can take a leadership position. They expect you to take charge in case that leadership is gone. They teach you to think outside the box, but at the same time, they want you to realize that what they're training you for is one day going to come in handy. So, when the situation arises, you don't have to think about that training. It just kicks in and you just do it.
AF: Zach, do you feel the same way with no misses because you were trained with that muscle memory?
ZL: Oh, I mean, there's an old saying that goes back during the Cold War. The Russians used to say the hardest thing about fighting the Americans is that they rarely follow their own tactics and procedures. You can find their manuals. Although having those procedures is important, things rarely go to plan, right? We can always plan for the perfect response scenario; we can tabletop and discuss every possible avenue of an approach. And then the next thing you know, there's going to be a new one that we didn't plan for and that's how we got hit.
One of the big things that I think is important is being prepared for when things go wrong. Relativity does that well. It’s based in our core values because at the base of all those procedures are always some core principles that are going to guide us in that right direction, right?
In the military or the army, you have your general orders. I will guard everything within the limits of my post and quit my post only when properly released. So, in a scenario where I’m thinking, “Oh, what should I do? Should I run out and get somebody?” Well, my first general order says I need to guard my post. So even though this isn't something I expect, I fall back on those core principles to guide me in making sure that I take the next appropriate steps. And Relativity does that with our values.
AF: Let's get a little techie. What is it that you're looking for? What raises the alarm of like, “Oh, this might be something?” Let's educate the listeners here.
GDL: When I look for somebody who is considered somewhat of an insider threat, this is somebody who doesn't have the permissions and is asking for permission. They’re asking for more rights and they're asking for information that doesn’t relate to their position. So, for example, if you have somebody in marketing asking somebody in finance, “How much are we paying our employees? How much is this employee specifically making?”
It may not even be that. Let’s jump into say, engineers trying to get access to a system that houses all our corporate secrets. This person has just joined Relativity, say, three months ago, and now they're asking for the keys to the kingdom. So that raises some flags, and you want to know why they need this type of information, right? Are they planning on doing something or are they planning on taking some information? Are they working with somebody else? Part of that is we want to make sure that things that don't normally happen are being viewed and making sure that everything is checked out because we don't want somebody flying under the radar and taking information with them when they just suddenly leave.
AF: What do you do to look for this? And I mean, Zach, this is going to come to you in a minute because we're talking about identity access. So, Gabe, looking at people, process, and tech. What are you using in these three areas to sniff out anything that's going on for insider threats? But don’t tell me too much. I mean ...
GDL: We use basic technologies that are common in our industry. We're using SIEM technologies. We're using machine learning in a sense to spot out some differences with the user activity. We also want to make sure that if they had any machine that logged in at odd hours, we know about that. So, we want to make sure that everything is documented, logged, and reviewed so that way, if a user does get access—which I'm pretty sure SAX does a great job of locking them out—nothing is getting bypassed where it shouldn’t, and the procedures are being worked as they should. If something doesn't go according to procedure, we can investigate. My role works with many other teams to make sure that everything is going according to plan.
AF: It does sound very military by the way. There's no way to avoid that. You're always looking for this to be executed properly, to follow process, and if there's something out of the ordinary, you respond. Zach, so you're in charge of our identity access management in cloud security. What are you guarding? Let's tell everybody. What are you protecting? What's the access to?
ZL: We categorize our access management into a few larger areas to help break apart how access to those should be provisioned and managed. In this case, we have our backend, our frontend, and then our cloud infrastructure. Managing identity and access to those three bring their own challenges and complications. [It’s about] being able to give engineers enough access to do their jobs both quickly, efficiently, and well, but without giving them too much access where if someone was compromised, obviously we want to reduce that blast radius as much as possible.
AF: Blast radius is a very military term.
ZL: It's never about if, it's always about when something's going to get compromised.
AF: I love that you've got this CISSP book behind you because you're absolutely calling out all these privileges and access, right? This is the core part of that security role. These privileges go back to what Gabe said. We want the least people to have access to something, and when they do get access to it, that time is no longer than it should be. So ‘just in time.’ What is ‘just in time?’
ZL: It’s as you described. It's the amount of access for the amount of time that you need it and automatically revoking that access when that time is up. These core security principles apply to both our identity access management as well as when you start getting involved with clearances. A lot of people think, for instance, if you have top security—the TS clearance—that you can just access, you know, the president's family, everything.
AF: All the things.
ZL: But without that ‘need to know’ as well, you don't get access to just anything. It's both. You must have the clearance to access it and the need to know that information. And that’s critical to the United States’ information security policy.
AF: Wait, are you keeping anything from me? Do you think I don’t have ‘need to know’ or do you tell me everything?
ZL: I tell you everything that you need to know.
AF: Oh, it's so mean, though that's accurate. Do you two come across each other in your daily work? Gabe, you're on cyber and Zach, you're on product security. Do you come across each other since there's obviously access requests with insider threats?
ZL: There’s a piece that we're collaborating on right now.
ZL: I manage the identity and access management program, but one of the biggest things we do is we need to fuel those logs and incidents. So, when something happens, I can tell him, “Hey, if this happens, we should be investigating. This is not normal behavior.” Then Gabe can take that information and turn that into a tangible response that our cyber team has. So, it's this cool collaboration between: I know how it works and what should be happening and what shouldn’t, and his team knows how to turn that into responses, red alarms, and everything that goes off.
AF: How long have both of you been here separately? So, Gabe, you answer first.
GDL: I am coming up on my three-year mark pretty soon.
AF: So, Zach, how long have you been here?
ZL: Two and a half years.
AF: So not far from each other in this amount of time in the last two and a half to three years. Has something gone wrong for you at work where you didn't feel prepared for what you were encountering? And if so, how did you adapt to it? I'm trying to see if you adapted to it in a similar way that you would have when you were in the military.
GDL: I can go first on that one. For myself, it has to do with pen testing. We're not told when they're going to happen. And sometimes, we just know that something's out of the ordinary, but we're not aware of it. We start responding right away. But part of that is also, you know, testing that and making sure that we know what to do and then we’re doing it until we're told, “Hey, stop. This is part of a test.”
For us, it's like, we react to incidents or events that happen. But I think part of that training is that we expect some form of attack to happen. We just don't know when. Even though it was a simulated test on our end for us and the organization, I feel like our training kicked in and we executed our plans accordingly, even though we were told to stop. But it happens.
AF: We did tell you to stop, and you all just kept going. The only reason is because when you do a pen test, from my perspective, it's like a super big waste of money for me to have hired a third party do it. You all caught them and blocked them right away. And it's like, “no, no, no, let them in.” It was funny because you all pushed back on me to put it in writing because you were like, “No, no. We'll stop attacking them or we'll stop blocking them when you put it in writing.” And I was like, “Oh my gosh.”
GDL: The reason we wanted to do that was because we wanted to avoid any impersonation. We already knew somebody was getting attacked and we saw the traffic happening. We just didn't know whether the executive team was compromised, so we didn't want to take that risk.
AF: I'm always compromised. No, I'm kidding. Now that's a good point. That pushback on process was something that really saved you all in the end, because in the retro, it was very much like, “Okay, did you get authorization to stop?” And you did, so that was good. Zach, [tell us about] something that went wrong.
ZL: You know, I can't think of something that's gone wrong necessarily to begin with. What I do think about is just whenever we do have any sort of incident or something that pops off, the teamwork really comes together. In the military, there's no individual. You’re a team and they will drop what they're doing, and help you. You pick up your fallen comrade, you keep going, and you drive forward together. So I see a lot of that if we have something that happens, people from all the different teams across Calder7 will pick up, chip in, jump onto bridges, and just get the job done.
AF: So, I've got three major themes that seem like they've already come out easily with having this conversation with you. I'm just excited. We don't always hang out—just the three of us. Thank you for spending the time with me.
The takeaways that I feel like we can see here prove there's definite overlaps in process and risk management techniques that are used in the military and the cybersecurity realm. First, it just helps to condense that chaos that can happen in either one of these realms.
The second one would be the muscle memory. It does seem like there’s a seamless, repeatable uniform need to think on your feet whenever things are not going to plan during a crisis, an event, or an attack. This muscle memory idea is an awesome one that I think we do lean on a lot in security.
And of course, attackers never sleep, and they don't follow a schedule. You always must be prepared to jump in and respond accordingly. It's not a matter of if, it's when. I love this idea in terms of your court order—knowing what you need to do. These are the fundamental things that we know are going to happen. But we always follow that court order fundamentally to make sure that we stay on our base.
I can't end an episode like this without quoting my favorite movie, which has a military background to it: 300. Everyone knows that I named my first kid Leonidas. Super into it. There's a part where Leonidas said something, and it just reminds me so much of working with both of you. And he said—and I'm going to say this a little gender generalized because I don't like that it's all “him, him”—he says, “Spartans’ true strength is the warrior next to them. Give respect and honor to them, and it will be returned to you. First, you fight with your head.” Then Queen Gorgo said, “Then you fight with your heart.” The two of you, and throughout the two and a half to three years that you both have been here, you have absolutely fought with both your head and your heart. I look forward to many years with you next to me—shoulder to shoulder.
Thanks for digging into these topics with us today. We hope you got some valuable insights from the episode. Please share your comments. Give us a rating. We'd love to hear from you.