June 5, 2007
At SANS recently we were looking for some fresh talent to help us with our webcast and information security industry analyst programs and we came across Seth Misenar. His skill set included:
- Hacking tools/techniques
- Vulnerability assessments
- Windows server and client security
- Intrusion detection/prevention
- Enterprise security product research and analysis
- Cisco router/switch security
- Web server/application security (with more of a host/network as opposed to developer emphasis
- Regulatory compliance (esp. HIPAA)
And he seemed to be a life long learner; as Seth put it, "In case it matters, I am currently taking the Forensics track via OnDemand and have already achieved the following GIAC Certifications/Certificates with an average score of 94:GSEC
GCIH (served as Mentor)
GWAS (taught via StaySharp)
SSP-GHD (taught via StaySharp)
So we asked Seth if he was willing to be interviewed for this series. Seth, have you always been interested in information security?
I've always really enjoyed studying for tests. At times I wonder if that, in part, fueled my decision to get into the computer industry. I decided rather abruptly at the end of my Junior year at Millsaps College not to pursue a PhD in philosophy, as had been the plan for the previous 3 years. I was physically stricken with a sense of dread at the thought of spending 5 more years studying esoteric works only to ultimately be encumbered with an overtly political prospect of "tenure track position." I balked. I only had 14 hours remaining for my BS in philosophy and yet had decided against that as a viable career.
So you punted an academic career in philosophy, how did you start to get into information security?
Having heard of the wonders of IT throughout the 90's, I decided that would be my career. I got a job at a book store for the employee discount and began reading. I had never actually opened a computer or installed an OS, much less pen test a network, but I was bound and determined to make this work.
Did a certification play a part in your career change?
When I wasn't sleeping or working to pay for books and certs I was studying. Three months and approximately 13,000 pages later, I had my A+ and MCSE. Although possibly anachronistic for the time, I would now have been dubbed a paper MCSE. I would gladly wear this moniker with pride though, as I was able to immediately land my first job as a Network Engineer in a state agency.
So your A+ and MCSE helped you get your foot in the door, then what happened next Seth?
After landing my first entry level job, my career has skyrocketed, the likes of which I had not imagined. Oddly, my first job in security was as the ISO for that very same state agency. My primary task became regulatory compliance (HIPAA) and policy administration. Although the pay was far superior to my previous hands-on gigs, I still longed for the hands-on technical side of the fence. Even though I wasn't completely taken with my first venture into Information Security, I had caught the bug and knew exactly how I wanted to spend my career. Security seemed so sexy, I just couldn't resist.
Security has been a fun ride for me as well, so what were your next steps?
I watched The Matrix a few dozen times, bought a trench coat, and went knocking on all the IT consulting companies' doors trying to find a hands-on security gig. First try was the charm. I was hired on as a Network Security Engineer primarily because the small consulting company thought they would mine gold from my HIPAA knowledge. I was there. Mirror shades in hand, I had my first pen test in front of me. Bruised ego and broken mirror shades, my first pen test was behind me. In the midst of my testing came the sudden realization that I was out of my depth. Although I knew how to use a few of the tools well, I lacked the fundamental understanding of networking and protocols that was required to fully comprehend the pen test.
Now that you are a heavyweight in the industry, what do you plan to do next?
Several years, many failures, some successes, and thousands of pages later, I have started moving back toward my first position in InfoSec, and also my first career ambition. My will to understand has been very rewarding in my career, and I am now serving in a hybrid technical/management position that is rewarding on numerous levels. Not surprisingly, I have also done some serious reflection on my previous desire for a PhD in Philosophy. The appeal for me wasn't necessarily Philosophy qua Philosophy, but rather it was teaching. More specifically, it was teaching a subject matter that would allow me to witness that paradigm shift in thinking where absorbing breeds understanding. My career seems to be coming full circle as I have now begun serving as a SANS Mentor and StaySharp instructor (I have been in discussion with Scott Weil about my desire to teach at a Community SANS event). And, who knows, now I might even return to the dreaded academia and pursue graduate studies in InfoSec at the The SANS Technology Institute. Or, perhaps, I will give up every last ounce of free time and begin studying for the lab portion of the CCIE Security.
One last question Seth, can you tell us just a bit about the person? What do you do for fun when you are not playing with computers and networks?
Well, Seth v2.0 just came into the world 2 months ago, so what semblance of life and free time I had seems to have been left by the wayside. However, when Jude (Seth v2.0) accommodates, I do love spending time with his mother, Rachel. Prior to Jude's arrival, Rachel and I spent a month doing mission work in Orange Walk, Belize. Being a highly decorated teacher, Rachel educated the educators at a local school. Meanwhile, I built a network and computer lab for the school using donated equipment and software. The experience changed our lives and our relationship, and we hope one day soon to do it again.