Axel Schulz, a CanSSOC senior security analyst based at the University of Toronto, was recently featured in a Q&A blog series hosted by Siemplify, a cloud-native cybersecurity platform. A copy of the interview is shared below, re-published with permission.
To read other instalments in Siemplify’s “Sitdown with a SOC Star” Q&A series, visit their website.
Today we are joined by Axel Schulz, who, like a few others who have graced the “Sitdown With a SOC Star” series space, did not enter the security operations field in a traditional way. And he wants to scream that fact from the rooftops, as it just may encourage others to not overthink their previous experience and eventually help close the incontrovertible talent deficit facing the industry.
He’s also a fanatic about threat detection & response, playbooks and bicycling. Plus, he shares his favorite SecOps resources and subject-matter experts, which can help you get better at your job. Oh, we asked him to answer 13 questions, but he responded to 17 instead and we had no interest in stopping him. Enjoy the Q&A!
Hi Axel! Thanks for (virtually) sitting down with us. Tell us about where you work, what you do there, and the role security operations play there.
I work as a senior security analyst for CanSSOC, but technically I am an employee of the University of Toronto. CanSSOC (Canadian Shared Security Operation Centre) is a partnership launched by six Canadian universities to help higher education organizations prevent and mitigate cyberattacks.
In my role, I help onboard new institutions to use our threat feeds for blocking malicious traffic. I do security research mainly around detection and response, and I do a lot of advisory-type work with partner institutions and Canada’s National Research and Education Network Partners (NREN partners). I’ve also had the opportunity to speak at a few conferences this year, which has been really cool.
We’re not really your conventional SOC, rather we are a shared initiative trying to support educational institutions across Canada, so we do a lot of research, support institutions in incident and response, and provide advisories to the community.
Describe your career path and what propelled you to want to work in security operations?
I’ve loved computers since I was a kid and became interested in the security part of things relatively early on. Back in high school, I finished top of my class in computer science. I was studying for a Cisco certification and would often write my programs the same day they were due, partly because I spent the week helping friends write their code instead of doing my own work.
But I didn’t actually enter the sector for a while. I went to university for civil engineering initially, ended up switching majors a few times and settled on philosophy, mostly because I figured if I could get a degree in what I found most difficult then I could work my way through any subject. I was also passionate about helping solve the environmental crisis, which led me to start a bicycle business. Being my own boss was great, but I also worked a lot in the summer and had free time in the winter. I wanted the opposite.
As a result, I applied to an IT customer support role at 2Keys (a cybersecurity corporation), with the objective of getting into cybersecurity. After about eight months I was promoted to work in the SOC. A few years later I was promoted to client incident lead, responsible for leading a SOC team through incident response. It was a lot of fun. After just over six years, I ended up in my current role at the University of Toronto.
What is CanSSOC doing to help advance security within the higher education sector?
CanSSOC was created on the principle that we cannot tackle cybersecurity problems alone. A lot of what we do is done in collaboration. CanSSOC has a couple of really neat initiatives in place focused around detection and response. Our threat feed service provides institutions with access to threat intel and helps them leverage that to block cybersecurity attacks. We also send security advisories and alerts to the community.
We are part of a new threat intelligence sharing partnership with Jisc, OmniSOC, U.S. Research and Education Networks Information Sharing and Analysis Center (REN-ISAC), and AARNet to help higher education organizations across the globe prevent and mitigate cyberattacks (see https://canssoc.ca/2021/05/25/new-global-partnership-helps-education-sector-defend-against-cyber-attacks/).
Since the pandemic emerged, what has been the biggest challenge facing your team and how have you worked to overcome it?
My biggest challenge has been staying connected remotely while avoiding the exhaustion that having too many meetings and long days brings. The pandemic really changed the way we work, and the security risks faced by organizations. All of this has put a large toll on security teams. On the flip side, threat actors haven’t really taken any breaks. So everyone is working harder and longer to deal with the increased security risks. I think having those regular conversations with colleagues the way we used to have coffee or water breaks at the office has been really helpful. It reminds us that we are human and want to socialize.
What’s the most important hard skill(s) and soft skill(s) for an analyst or engineer to possess to move to the next level?
Being a team player. Security is much like a team sport and nobody really succeeds doing it alone. I find that people who can write good documentation, an art form in itself, really shine. Having well-documented playbooks, processes, guidelines, and procedures really helps support the success of a security team. It helps bring order to the chaos that security can often be.
In terms of hard skills, I think a lot of the technical work depends on the role and it’s more important to have a desire to learn. But good forensic understanding of systems and networking knowledge is a plus.
Which common threat impacting organizations worries you the most/keeps you up at night?
Ransomware. I feel like there’s been an increase in ransomware attacks throughout the pandemic. And the past few months have had quite a few noteworthy breaches that netted threat actors millions of dollars. Even if you patch, there’s always the risk that a supply chain attack or zero-days lead to ransomware in your environment.
There’s a lot you can do to help mitigate that risk. For example, having good backups that you test is so important, but also being able to detect and respond as quickly as possible can have a large impact.
What’s one piece of advice you’d give for someone considering a career in security operations?
I got into the field with a degree in philosophy! So don’t let your existing credentials stop you from pursuing a career in cybersecurity. If you love hacking things and have a passion for security, then go for it!
We’re big bicycle fans over there. Tell us about your passion for two-wheelers (and why we need fewer cars and more bikes, especially in big cities!)
I got into biking after tearing my ACL in my knee from soccer. And well since I was doing physio and couldn’t play the sport I love, I channeled that passion into other things. That’s how I got into bike touring, repair, and ultimately started my own bicycle business.
My passion for the environment, staying healthy, and seeing the world in new ways were also big reasons I started biking. It’s simply a nice way to get around the city and to see the world. I’ve done a few trails in the United States that I really enjoyed. The trails from Pittsburgh to Washington are really lovely! And Ottawa to Montreal is also really nice. I’ve also hitchhiked across Canada, and I’m hoping to do most of the Trans Canada Trail on a bike when the pandemic ends. Plus fewer cars and less pollution is always nice, but remote work helps with that too.
What’s one thing you wish was happening more in enterprise security that is still pretty rare to see these days?
More training opportunities for employees. There’s a lot to learn, and a lot of people are making great content out there. I’ve been very fortunate in my career and was given a lot of training opportunities. But that’s not the case everywhere.
I see so many job postings for “junior” roles that require a CISSP or five-plus years of security work, meanwhile a lot of people want to get into the field and are being passed up. We need to foster the learning mindset because some of the best employees I’ve seen had very little background in security but big appetites to learn.
What is the most interesting thing you’ve learned (or learned about yourself) since the pandemic began? It doesn’t have to be related to security.
The pandemic has opened my eyes to the joys of working from home, and I’m pretty sure I want to work from home on a permanent basis. My own personal time is one of the most valuable things I have, and not spending time in traffic every day just makes a lot of sense to me.
What’s your proudest professional accomplishment?
Definitely getting my CISSP during the pandemic! I joined a study group back in 2018 with the goal of getting my CISSP. It was the first certification I put serious effort into getting. And it was no small challenge. I felt a bit overwhelmed with the sheer amount of information and ended up focusing my efforts at the time on getting the Security+ certification.
Fast forward a bit, and I decided I needed to go back and finish up studying for the CISSP. I started running “Security Saturday” sessions at work, carrying the book with me everywhere I went, basically quizzing colleagues and myself all kinds of questions all the time.
Then the pandemic hit, and most of the testing centres closed for a while. I wasn’t sure when I would finally get a chance to go write the exam.
Finally around June 2020, the testing centres opened back up in Ottawa and so I booked my test and went and wrote it. Passed on the first attempt. I was over the moon happy!
Which security metric do you think is most underappreciated/underrated? And which is the most overrated?
It isn’t so much a “metric”, but I think we undervalue tracking asset management. So few institutions have a good understanding of their assets. Knowing how many assets you have, who has them, how they are related to each other, what state the software is in, and being able to query against that information to ensure you are patched allows organizations to have a good security posture. I feel like a lot of organizations have this blind spot.
Aside from that, a good metric that isn’t used often enough is how close you are to 100% adoption of 2FA across all your services/applications. Sometimes I feel that we put slightly too much focus on incident-related metrics. There are a lot of factors that can affect the number of incidents an organization has, like the amount of threats, awareness, how comfortable employees are with reporting issues, etc. Because of that, it’s important to understand what influences incident-related metrics.
What books, blogs or podcasts have you read that have helped you advance your security operations skills and career? (Choose one or more.)
There are so many good resources out there. A book I often go back to is the Official (ISC)² CISSP Study Guide. There are a lot of free security meetups. HTB YOW and OWASP DevSlop are probably my favorites. I really like the “SANS ISC Daily StormCast” for keeping me up to date, and the “GIAC podcast Trust Me, I’m Certified” has really good episodes about overcoming the impostor syndrome that is so common in infosec.
Which security industry luminary would you most want to have dinner with and why?
Probably Tanya Janca or Jesse Hirsh. Tanya’s conference talks are always top notch and full of energy, and she has so much great advice to share. Jesse’s talks are something else, and he’s got this contagious excitement about him. I feel like they’d both be top-notch mentors and a few hours over food with them would be better for my career than reading any book out there.
When you’re not security analyst-ing, what is your favourite thing to be doing and what do you like about it?
Spending time with friends and family. I love hosting people and socializing. I usually host a “Friendsgiving” each year. Canada has Thanksgiving earlier than the United States, and I use the American holiday as an excuse to host a second Thanksgiving dinner with friends. After that, probably soccer, rock climbing, kayaking or biking.
What value does security automation and orchestration (SOAR technology) bring to security operations?
There’s a lot of repetition involved in responding to security incidents, and using SOAR technologies helps automate a lot of the repeatable processes. It can really help reduce the impact of alert fatigue, which is so common in SOC environments. Analysts end up reviewing a lot of information, and any tool that can help them make better informed decisions, faster, and more consistently is great. Plus you get those fancy dashboards.
What is your philosophy on how a security operations team should be built out?
Diversity is so important. There’s so much to learn in security, and really a lot of different ways you can tackle security problems. Having diversity on your team really helps ensure that each problem is tackled in the best possible way.