Welcome to the second installment of the “Meet the Logician” blog series, where we highlight the people and users that make Anvilogic the best overall cybersecurity startup of the year.
This week we’re featuring Threat Detection Engineer Christina Westfall. Christina had an unconventional path into cybersecurity, first earning a degree in audio and film, then becoming a trainer at Apple, which sparked her interest in learning more about technology. Her Apple expertise eventually landed her a job as a Computer Technician and System Administrator at a local school district, where she became more aware of the importance of cybersecurity. Ready for a career change and further inspired by the TV series Mr. Robot, Christina went all-in on cyber, earning several certifications, including the CISSP, and pivoting to security analyst work at MSSPs.
Based in New Jersey, Christina is putting her skills to the test as she builds detection logic that empowers Anvilogic customers. Our conversation with Christina revealed her lifelong learning philosophy and why she’s confident that a product like Anvilogic would’ve been helpful during her time in the SOC.
What brought you to Anvilogic?
I was in the process of interviewing for pen testing and red team roles when a recruiter working with Anvilogic got in touch with me about the threat detection engineering role. As I was going through the interview process, meeting the team, and researching how Anvilogic was founded and who founded it, I realized, “Oh, there’s really something interesting going on here!” As I found out more about the product, some specific investigations from my time in the SOC came to mind, and I found myself thinking, “If only I’d had a tool like this. As an analyst, I was sometimes asked to do the impossible. Anvilogic would have made some of those asks possible.” I realized this was a great opportunity. And so, here I am.
Thinking about your experience in the SOC, how would a solution like Anvilogic have been helpful for you?
During incident response, you’re trying to work your way backwards and figure out how something has happened. Sometimes, it’s obvious where to look, but it’s not always so cut and dried. I remember one situation where there was a compromise, and we had an idea that it may have originated from an endpoint out of a specific office location. So I was asked, “Hey, can you stay late and just do some threat hunting on these thirty systems to see if you could figure out which one might have been involved in the attack?” Without much more information than that, it was a lot of manual work to go through and find a needle in thirty haystacks. Having to manually correlate that information between firewall logs, EDR logs, and our SOAR platform would have been hundreds of hours of work. The expectation that it could be investigated in a couple of hours was unrealistic. The Anvilogic platform would’ve easily let me look for events happening in this period of time. Instead of hours, this platform probably would have done it in about 10 minutes. It is a lot easier to manage the day-to-day responsibilities of an analyst when you have a tool that is so good at cutting out all the extra manual work you end up doing.
What do you do as a Threat Detection Engineer at Anvilogic?
Our content team runs attacks in our lab environment, documents the steps they took, and the date and time of the test. Based on that information, I look at the logs generated during the simulated attack’s timeframe, analyze the artifacts left behind, and write detection logic to find it. Then, I translate that rule into different query languages for different repositories. Some days, my manager Eric Hines [Anvilogic’s Threat Detection Manager] will say, “This team is asking for Google Cloud content. Let’s go write some rules for that.” So then we look at logs and figure out how to write detections for something new. It’s fun. There’s always something new to learn.
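To make the workflow Christina describes concrete, here is a small added example (written for this page; it is not Anvilogic's code, rule format, or translation engine). It takes a constructed attack window from the lab notes, scopes constructed process-creation events to that window, evaluates a source-agnostic detection rule against them, and renders the same rule as Splunk SPL and Elastic KQL. The hostnames, timestamps, field names (`ts`, `host`, `process_name`, `parent_process`, `command_line`) and the `index=endpoint` target are all assumptions; the detection pattern itself (an Office application spawning PowerShell with an encoded command) is a common textbook example, not a rule from Anvilogic's content library.

```python
"""Added example, not Anvilogic's code: scope lab logs to the documented
attack window, evaluate a detection rule, and render it in two query languages.
All events, hosts, times and field names below are constructed sample data."""
from datetime import datetime, timezone

# Constructed lab notes: the content team ran the attack on lab-ws01 and
# recorded this UTC window.
ATTACK_WINDOW = (
    datetime(2022, 3, 1, 14, 0, tzinfo=timezone.utc),
    datetime(2022, 3, 1, 14, 30, tzinfo=timezone.utc),
)

# Constructed endpoint process-creation events (field names are assumptions).
SAMPLE_EVENTS = [
    {"ts": "2022-03-01T13:55:02Z", "host": "lab-ws01", "process_name": "explorer.exe",
     "parent_process": "userinit.exe", "command_line": "explorer.exe"},
    {"ts": "2022-03-01T14:05:10Z", "host": "lab-ws01", "process_name": "winword.exe",
     "parent_process": "explorer.exe", "command_line": "winword.exe invoice.docm"},
    {"ts": "2022-03-01T14:05:41Z", "host": "lab-ws01", "process_name": "powershell.exe",
     "parent_process": "winword.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    # Benign admin use of PowerShell on another host: must NOT fire.
    {"ts": "2022-03-01T14:12:00Z", "host": "lab-ws02", "process_name": "powershell.exe",
     "parent_process": "cmd.exe", "command_line": "powershell.exe Get-Service"},
    # Same attack pattern outside the lab window: the finished rule should still fire.
    {"ts": "2022-03-01T15:02:33Z", "host": "lab-ws01", "process_name": "powershell.exe",
     "parent_process": "winword.exe", "command_line": "powershell.exe -enc QQBCAEMA"},
]

# Source-agnostic rule: Office application spawning PowerShell with an
# encoded command. Conditions are ANDed; operators are equals/contains/in.
RULE = {
    "name": "office_spawns_encoded_powershell",
    "conditions": [
        ("parent_process", "in", ["winword.exe", "excel.exe", "powerpnt.exe"]),
        ("process_name", "equals", "powershell.exe"),
        ("command_line", "contains", "-enc"),
    ],
}


def parse_ts(value):
    """Parse the constructed ISO-8601 'Z' timestamps as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def events_in_window(events, window):
    """Keep only events whose timestamp falls inside [start, end]."""
    start, end = window
    return [e for e in events if start <= parse_ts(e["ts"]) <= end]


def matches(rule, event):
    """Evaluate the rule against one event (case-insensitive, all conditions ANDed)."""
    for field, op, value in rule["conditions"]:
        actual = str(event.get(field, "")).lower()
        if op == "equals":
            ok = actual == value.lower()
        elif op == "contains":
            ok = value.lower() in actual
        elif op == "in":
            ok = actual in {v.lower() for v in value}
        else:
            raise ValueError(f"unsupported operator: {op}")
        if not ok:
            return False
    return True


def triage(events, window, rule):
    """Return (events inside the attack window, those the rule fires on)."""
    scoped = events_in_window(events, window)
    return scoped, [e for e in scoped if matches(rule, e)]


def to_spl(rule, index="endpoint"):
    """Render the rule as Splunk SPL (terms separated by space are ANDed)."""
    parts = []
    for field, op, value in rule["conditions"]:
        if op == "equals":
            parts.append(f'{field}="{value}"')
        elif op == "contains":
            parts.append(f'{field}="*{value}*"')
        elif op == "in":
            parts.append("(" + " OR ".join(f'{field}="{v}"' for v in value) + ")")
    return f"index={index} " + " ".join(parts)


def to_kql(rule):
    """Render the rule as Elastic KQL. Wildcard matching on command_line depends on
    the field being mapped as keyword; on an analyzed text field results differ."""
    parts = []
    for field, op, value in rule["conditions"]:
        if op == "equals":
            parts.append(f'{field}:"{value}"')
        elif op == "contains":
            parts.append(f"{field}:*{value}*")
        elif op == "in":
            parts.append(f"{field}:(" + " or ".join(f'"{v}"' for v in value) + ")")
    return " and ".join(parts)


if __name__ == "__main__":
    scoped, hits = triage(SAMPLE_EVENTS, ATTACK_WINDOW, RULE)
    print(f"{len(scoped)} events in window, {len(hits)} rule hit(s)")
    for e in hits:
        print("  ", e["ts"], e["host"], e["command_line"])
    print("SPL:", to_spl(RULE))
    print("KQL:", to_kql(RULE))
```

The rule is written once and rendered per target; the renderers are the part that varies by repository, which is where the "translate it into different query languages" step lives. The benign `Get-Service` event on lab-ws02 is there deliberately: scoping to the window narrows the haystack, but the parent-process condition is what keeps ordinary admin PowerShell from firing.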
What’s the most challenging part of writing detection logic? Were you proficient in other query languages before?
Before Anvilogic, most of my experience with query languages involved Elastic. I had some exposure to Splunk from studying in my home lab. The most challenging part is establishing best practices for writing a good search and figuring out the best way to translate it. Some tickets I can knock out in a morning. Other times, I’ll spend a lot of time researching a technique or attack to determine the best way to detect something malicious without detecting a lot of normal activity. Writing translated versions has gotten easier with a bit of practice. It’s a lot easier when I have someone like Eric to go to for help — learning from him has been one of the best parts of working here.
What makes you excited about being at Anvilogic?
It’s important to me that the work I do helps people in some way. With Anvilogic, I know from first-hand experience how useful a tool like this would’ve been in my previous roles. I know how this can make an analyst or a threat hunter’s life easier and empower them to find the information they need in a much shorter time. Working on a product that does all of these things, and knowing our customers are very happy with it too, is really gratifying. I truly believe our product helps people and does what we say it does. It’s really easy to show up to work every day excited about the projects I’m doing and moving them forward.
What advice would you give to someone who’s just starting out in cybersecurity?
Just know that the learning process is never going to stop. The security landscape is always changing, so if you don’t consider yourself a lifelong learner, I might consider a different field. But if you have a passion for cybersecurity, this is a really exciting field to be in, with different directions on which way to go. When I was working at an MSSP, one of the benefits was being exposed to different types of environments and businesses. That makes it easier to figure out which direction you want to go. At the same time, you might find out what you don’t like to do, and that’s a gift in itself because you know where to redirect your focus.
What’s one thing that you love about the security community?
One aspect I love about the security community at large is how there are some really talented folks who are generous with sharing their knowledge and findings. I always appreciate when an organization has a culture that encourages that kind of generosity with information, internally as well as externally. There’s so much value in sharing knowledge and making it easy to access because security is a field where it’s impossible for one person to know everything.
Cybersecurity work can be pretty stressful sometimes. What do you like to do to unwind?
I like to travel and am looking forward to doing more of that soon! For the time being, I enjoy hanging out at home with my wife and our cats and dogs and getting out to the lakes and mountains around here.
Did Christina’s detection engineering background spark something in you? If so, check out this on-demand webinar to quickly turn IOCs into behavioral pattern-based detections.