Justin Hall

Veteran Information Security Consultant

About Me

Hi, I'm Justin. I'm a technologist with decades of experience in IT and information security. Today, I help businesses reduce exposure by implementing vulnerability management practices.

Email
jwhall@gmail.com
Location
Cincinnati, Ohio, USA

Professional Skills

Security Architecture
Risk Management
Vulnerability Management
Incident Response & Forensics
Writing & Public Speaking
Application Security

Work Experience

Sr Manager, Research at Tenable
September, 2022 - Present
Just started this role! I will be leading a team of security researchers that help all Tenable products detect vulnerabilities and weaknesses in customer environments.
Director, Security Consulting at CBTS
March, 2005 - July, 2009: Senior Security Engineer
In 2005, CBTS was building a fledgling Security Operations team for an internal IT group at General Electric that served several of its business units: Transportation, Energy/Oil & Gas, and Aviation, which happened to be a defense contractor for the US government. The idea of Security Operations was new in the industry, and the eight of us were charged with care and feeding of the security tools used by this IT group. This included endpoint protection, network IDS/IPS, web proxy, firewall, vulnerability scanning, and full disk encryption. We also assisted with vulnerability remediation, malware cleanup, and forensic investigations.

As the years went on, other technologies were added to the list - SIEM, DLP, and forensic tools. The team grew, and my individual role - initially overseeing network IPS - grew to oversight of the vulnerability management process, contributing to application security reviews, and eventually managing a group of junior security ops staff. Towards the end of our time on this project the customer began migrating their mission from defense against commodity malware to facing off against nation-state attackers, and our organization was critical to that effort, as we brought in an up-and-coming incident response firm called Mandiant to train the GE security teams (and our crew). We learned best practices for investigating sophisticated intrusions by state-sponsored adversaries. As we stood up that effort, I transitioned away from GE, to our company's new Security Services team as its first full-time assessor and consultant.

Key projects:

  • Team lead for security operations group contracted to Fortune 5 manufacturer, handling day-to-day responsibilities of maintenance and administration of global security infrastructure that included endpoint protection, network monitoring and defense, intrusion detection and prevention, two-factor authentication, and vulnerability assessment systems.
  • Designed, deployed and managed global network intrusion detection and prevention infrastructure, protecting hundreds of datacenters and office sites in dozens of countries worldwide. This system monitored internal segments as well as network perimeters with third-parties and the public internet. Developed custom detection signatures and created organization’s production policies.
  • Ran SIEM bakeoff, developed quantitative product evaluation scorecard for company, used in future bakeoff engagements.
  • Managed deployment of selected SIEM solution, including correlation rule development, log source integration, report creation, and connection to ticketing systems for incident tracking
  • Developed vulnerability management practice, including regular vulnerability scanning & analysis, audit assistance, research, and custom internally-published vulnerability bulletins
  • Recruited, trained and managed incident response team, responsible for alert monitoring, triage, incident investigation, and mitigation of compromised systems. Led group of analysts in multi-stage investigation of APT actors in pursuit of sensitive intellectual property.
  • Performed forensic imaging and analysis of systems suspected of compromise, as well as those used by employees for violations of policy. Developed tools and scripts to improve team’s investigation efficiency.
  • Developed cooperative programs with other business units’ incident response teams to facilitate sharing of information, tools and methodology.
  • Reviewed critical changes to production IT environment for compliance with security policy and best practices. Built security architecture team to review internal projects, applications, new infrastructure, etc. for adherence to policy and best practices.
  • Developed courseware to teach best practices and techniques to security and IT operations staff, covering log analysis, network forensics, and penetration testing.
  • Deployed data leakage prevention system to monitor the use of sensitive data. Developed custom signatures to identify proprietary information and track usage with DLP tools.
July, 2009 - February, 2016: Principal Information Security Consultant
With the runaway success of our security operations program, CBTS leadership decided that security consulting was a lucrative business. In 2009 I joined the founder of the security ops program, to help develop a standalone team that would serve our other customers.

We had no prior experience developing this sort of service offering, so all of the materials, go-to-market strategy, and methodology had to be developed from scratch. What kinds of services will we offer? How do we scope and execute engagements? How do we deliver findings? I helped iron out these details as I began performing consulting engagements, learning by doing.

After 3-4 years, we added a few more consultants and had enough of our approach fleshed out that we began delivering solid, reliable work and started seeing repeat business. I was doing vulnerability assessments, penetration tests, phishing, gap analyses against frameworks like ISO27000 and the (then) SANS Top 20. I was also dabbling in incident response again, performing the occasional investigation or forensic examination for customers. We were going along swimmingly until the summer of 2013, when our consulting work was put on hold, so that we could contribute to another effort in the company.

Key projects:

  • Developed assessment methodology for vulnerability assessments, penetration tests, and framework gap analyses, including scoping questions, assessment processes, and deliverable models
  • Expertise in NIST 800-53, Cybersecurity Framework, Risk Management Framework, ISO27000 series, and the CIS Controls
  • Delivered over 100 successful consulting engagements for dozens of customers of various sizes and in a variety of industries
  • Acted as technical SME for security in presales conversations
  • Expert witness for forensic work as a part of federal criminal investigation in 2012
March, 2013 - March, 2015: Managed Security Services Lead, Advanced Cybersecurity Division
In 2013, CBTS founded its Advanced Cyber Security (ACS) group, a startup team whose mission was to develop a proto-Managed-Detection-and-Response product. As we were the company SMEs for security, the folks from the consulting team were merged with this group to serve several key roles.

First, we were tasked with building a separate, secure network in which the ACS team would work to develop and deliver its product. This was a greenfield network design, and I was a part of the team to design, build, and harden the environment. We used the CIS Controls as our reference framework to formulate a set of required controls. We sourced, deployed, and configured them to ensure the environment would withstand attacks from the threat actors we anticipated we’d face. For the duration of my time on this team, I acted as security administrator for the environment, managing identity & access management, network security, endpoint security, data protection, and dozens of other aspects of day-to-day information security work.

Next, we began to consult with the development and product management teams about the product and threat landscapes in which they would operate. I was able to provide real-world examples of other products in the intended space, the competitive situation, and features and functionality that would be essential. I was also able to act as the voice of the potential customer as I was one of the only team members that had spent time in a customer-facing role.

Finally, I was asked to build and run the managed security services team. This was the most involved role (alongside security administrator). I developed a SOC strategy, hired 12 team members, created and executed a training program, and brought in tier-2 and 3 analysts to oversee the tier-1 team, who used the MDR product we created to monitor customer environments and alert them about suspicious activity. This also involved building and managing our managed email security solution, which used Symantec’s MessageLabs product in the backend.

The ACS team grew until it was spun off from CBTS in mid-2015 as Morphick. Morphick was privately held until it was acquired by Booz Allen Hamilton in 2017.

Key projects:

  • Built standalone greenfield network for 40-employee division, including network, compute, cloud, applications, IAM, and security.
  • Acted as security architect and administrator for team and environment, including design, implementation, and monitoring of all security controls
  • Assisted with MDR solution development strategy, testing, and competitive analysis
  • Built managed security services team. Hired and trained SOC resources, including Tier 1-3 analysts, developed service methodologies, staff success metrics, customer onboarding/offboarding procedures, and service toolset and knowledgebase
  • Built and managed email security service offering, integrating MessageLabs MSSP solution with MDR product suite, onboarding and managing customers, and troubleshooting service issues
February, 2016 - September, 2022: Director, Security Consulting
Once Morphick was spun off, I resumed security consulting work for another year or so. When our director of security consulting left, I was promoted to that position.

We had a fairly rigorous approach to scoping, delivering, and managing engagements. That said, I found several places where I could improve processes. I developed questionnaires, marketing material that listed specific repeatable services, and a more consistent, effective contract creation process that cut down on rework. I also worked with legal to improve the language that would cover us against the CFAA or civil suits.

Managing a team of four means juggling schedules, training, and tools so that we can deliver 60+ engagements in a year. We continue to show profit, provide a great working environment for technical security practitioners, and contribute to the overall security practice at CBTS.

As I spent more time talking to customers scoping engagements, the conversations started tending towards overall guidance and strategy. Today I spend equal time “selling” – promoting my team and scoping consulting work – and consulting myself with customer security leaders and staff, sharing our knowledge, best practices and buzz from the industry, and stories from other customers, all in an effort to help mature our customers’ security programs. I became the de-facto security SME at CBTS, acting as security evangelist, writing blog posts, and speaking on behalf of the company at industry events and conferences, as well as spending time on my own research. I also write much of our other marketing material – website copy, infosheets, case studies, and slide decks.

I also help develop our vendor portfolio. As a VAR, CBTS works with over 400 technology partners, and 70 of those are security vendors. Which ones do we sell? Which do we skip? In which new tech should we invest engineering and sales resources? I lead the effort to sort the garbage from the gold and make sure our portfolio reflects the best of breed solutions that deliver what they promise and can actually help our customers achieve their security goals.

Finally, I act as advisor for the rest of the security practice: managed security services, cloud security, professional services, and product sales. I continue to work to deliver quality consulting for our customers, take care of my team, and serve our company and leaders.

Key projects:

  • Led successful consulting team, selling and project managing 60+ engagements a year, including P&L, budgeting, and training
  • Developed dozens of pieces of sales collateral and marketing material to promote the security practice
  • Company SME for security, evangelist and strategist to hundreds of customers large and small and in every industry
  • Go-to internal security advisor to peer technical teams, and member of CBTS Security Council
  • Signed dozens of new security partners for service delivery and product resale
  • Built Azure-based security lab, deployed and managed assessment, file exchange, and communication tools for consulting team
  • Created several new service offerings, including cloud security assessments, cloud penetration tests, and virtual CISO program
IT Director at The Sant Corporation
June, 2001 - March, 2005
I started as a sysadmin and took over the IT team when my predecessor left. I went on to oversee the IT organization and infrastructure for four years. I managed the network, server environment, and hosted software solutions. This is where I first got hands-on developing and implementing a rigorous security program.
Tech Support Leader at OneNet Communications
July, 1998 - June, 2001
Managed customer-facing team to field issues and requests. Interface between users and systems / network team. This is where I learned systems administration and networking.
PC Sales & Repair at CompUSA
June, 1996 - June, 1997
Sold and repaired computers and peripherals, back when web browsers were sold in boxes on shelves.

Education & Certifications

BBA in Information Systems from the University of Cincinnati
Class of 2004
Minor: International Business. 4 co-op sessions.
GIAC Certified Incident Handler - Gold from GIAC
Certified in 2007
GIAC Certified Forensic Analyst from GIAC
Certified in 2011
GIAC Certified Penetration Tester from GIAC
Certified in 2011
Certified Information Systems Auditor from ISACA
Certified in 2020
GIAC Certified in Strategic Planning, Policy, and Leadership from GIAC
Certified in 2021

Contact

Email

jwhall@gmail.com
https://twitter.com/justinhall
https://www.linkedin.com/in/justinwhall/
https://www.instagram.com/jwhall_
https://github.com/jwhall