Brian Contos: Welcome to the Cybersecurity
Effectiveness Podcast sponsored by Verodin.
The Verodin Security Instrumentation Platform
is the only business platform for security
that helps you manage, measure, improve, and
communicate security effectiveness.
I'm your host, Brian Contos, and we've got
a really special guest today.
Joining me is Ashley Zaya.
Welcome to the Cybersecurity Effectiveness
Podcast, Ashley.
Ashley Zaya: Hi, Brian.
Thank you for having me.
Brian Contos: Ashley, before we get started,
can you give all our listeners a little bit
of background about you?
Ashley Zaya: Sure, absolutely.
I've been a member of the Behavior Research
Team here at Verodin for the past seven months.
Originally, I'm from Pittsburgh, Pennsylvania,
so I'm a true Yinzer at heart forever and
always.
I went to Penn State University, where I studied
security and risk analysis with an emphasis
on cybersecurity.
I've been in the D.C. area for the past three
years now, specifically in Maryland, so I've
been enjoying my time here.
Brian Contos: Well, that's awesome.
We're glad to have you at Verodin, for sure.
I do want to get into the Behavior Research
Team, or BRT, a little bit later.
Before we do that, let's step back a little
bit.
What compelled you to start your career in
information security?
Ashley Zaya: That's a good question.
To be honest with you, it's not one of those
stories where I was young and I really wanted
to work with computers or anything.
Don't get me wrong.
I always loved playing with computers, playing
video games, everything like that, but I originally
wanted to go into animal science or work in
a zoo.
So, when I was applying to colleges, that's
what I was applying for.
Ashley Zaya: Then, right before I started,
I decided I really wanted to move over to
doing something along the lines of IT.
I worked at Best Buy for a long time in high
school, and I really enjoyed just working
with computers, so I went into comp-sci and
quickly found out that that was not what I
wanted to do.
One day I was in a gen-ed class, and one of
our professors came in.
His name was Smooth Dave, and he was telling
us all about security and risk analysis.
He really is smooth because he won me over.
I switched over to security and risk analysis,
and the rest is all she wrote.
Brian Contos: Wow.
You know, it's so interesting when I talk
to people in our field, how they got into
it and what their backgrounds were.
There's people with degrees in physics and
biology and psychology and all these things,
and very few people, I will say, actually
took a very direct path.
I think that really adds to the eclectic nature
of space.
We just have so many folks from so many walks
of life with different backgrounds.
It's probably why this is such an exciting
field, actually.
Ashley Zaya: Absolutely.
I agree completely.
Brian Contos: So, given your background and
what you've been doing and where you came
from, what motivates you, both professionally
and personally?
Ashley Zaya: By nature, I'm a person that
likes to give.
I like to be able to help people.
And when I'm able to see that and be able
to measure and show that I'm providing some
positivity into the world, that's what really
motivates me, both on a personal and professional
level.
I want to put as much good out into the world
as I can because it's better to leave the
place, this world, better than when you first
got here.
So, from a personal and professional level,
working with people, being able to help them
with problems or specifically, in this role,
being able to help measure against today's
attacks, I can see how I'm directly helping
customers or people or security analysts to
improve and get better every single day.
That's what really motivates me.
Brian Contos: Yeah, you know, I love hearing
that because I think it really encapsulates
this notion of Ada Lovelace Day, and while
it's very squarely about women in tech, women
in STEM, however you want to phrase it, there's
a much, much broader picture.
It's why women in tech, why women in STEM,
and it's this notion of making the world a
better place and leaving it better than it
was before you got here.
Certainly love hearing that.
Well, with that said, what did you do professionally,
and what was your career path to joining Verodin
and becoming part of the BRT, the Behavioral
Research Team?
Ashley Zaya: Prior to coming over to Verodin,
I worked in the SOC for Boeing, so I was there
for about two and a half years as an incident
response specialist.
So, we were in charge of the continuous monitoring
and detection of all the corporate networks,
so everything on the ground.
It was a very fun role and it was a great
role coming out of college.
Being in a SOC, you know, you kind of start
out slow, learning everything, but then I
got to grow so much, and I got to interact
with so many different teams.
In a given day, I could be working with the
forensics team or I could be working with
our CERT team or our intel team and really
having a lot of collaboration.
Even more, every day was different.
I would be looking at different malware or
working different alerts, taking different
incident response reports, so it was a great
starting role.
Brian Contos: Oh, that's fantastic.
You know, I've heard people refer to working
in a SOC as a bit of a grind, but a grind
that a lot of people actually love because
you're always problem-solving and there's
never a lack of problems.
There's always something new.
Was it fun, was it interesting, was it frustrating,
was it everything balled into one?
What was your general SOC experience like?
Ashley Zaya: I think it's a mix of emotions,
and I think people that have worked in
a SOC can feel that way.
You have days where you're like, "Yes, I did
really well.
We were able to solve this problem, think
outside of the box."
And then there's days where you just get slammed
with alerts and you feel like you can never
come up for air.
So, it definitely was a mix of emotions, but
I really did like it.
I prefer my work environment to be more fast-paced.
I don't like to just wait around and have
only a few things to do.
I like to keep busy, and I definitely kept
busy in the SOC.
Brian Contos: Yeah.
Well, with that personality, you definitely
came to the right place at Verodin, too, I
think.
Ashley Zaya: Absolutely.
Brian Contos: The fire hose never shuts off.
So, you know, there's a lot of women listening,
of course, to this podcast, as well as men,
but what piece of advice would you give to
maybe some of our women listeners out there
that are interested in starting off in InfoSec?
Ashley Zaya: Sure.
I actually kind of have two pieces of advice,
but the first one that I'll start with is,
as we all probably know, cybersecurity, information
security, is a very large umbrella, and there's
so many different fields or areas that you
could focus on inside of cybersecurity.
One thing that I quickly found out when I
joined is that you're not going to know everything,
but that's okay to not know everything.
It's being able to differentiate between what
you know, what you don't know, and when to
seek out help.
Acting like you know everything isn't going
to get you as far as you want, and you have
to work with other people because there's
always going to be other people that have
pieces to the puzzle that you might not have.
So, when you're not really sure of the answer,
reach out to people, talk to people.
It really helps to collaborate in this field.
Ashley Zaya: My second piece of advice that
I would give is [to] try to find a mentor
that you can talk with about these things.
I've been fortunate enough to not have one,
but two, great mentors in my career so far,
and you know, I haven't been in this field
for so long, but they've helped me grow and
excel and get me to where I am today, and
for that, I am so grateful.
So, if you have the opportunity, try to seek
out somebody that has been in the field for
a while longer who you can look to for guidance.
Brian Contos: Yeah, I think that's so important.
I have two daughters that are both very interested
in STEM.
They're very young, they're in middle school,
but they do programming and robotics and things
like that.
Where I live, here in the San Francisco Bay
Area, there is a number of organizations,
like Girls Who Code, and things like that
that actually take young women and find mentors
with them that are in engineering and leadership
roles with Bay Area companies so they can
learn from them directly.
So, it's nice to see.
Maybe you don't have these contacts or know
these people already, but there's actually
organizations out there that can help make
that connection for you, which is nice.
Ashley Zaya: Absolutely.
Brian Contos: So, you know, information security's
always changing, which is one of the reasons
it's so exciting.
If you're doing the same thing twice, you're
probably doing it wrong the second time.
Ashley Zaya: Sure.
Brian Contos: What do you do to stay up to
speed, up to date, on the latest and greatest,
both from maybe an offensive and a defensive
perspective?
Ashley Zaya: One of the first things I did
when I started out is I made a Twitter account,
and I follow a lot of researchers.
A lot.
Just from that alone, I can get so much information,
and it's always coming in in real time, and
that's helped so much.
Whether it be in my previous role, looking
at malware, malware runs coming in, people
that are researching that, posting information
about that online, to now, looking at vulnerabilities
and things like that.
Twitter is really great for [finding] information
quickly.
Brian Contos: Yeah.
Absolutely.
It used to be you had to really hunt and peck
to find information, but now, there's so much
data out there.
It's almost sort of getting it down to the
stuff that's really important to you tends
to be harder than just finding the raw data,
so Twitter's a great delivery mechanism.
Ashley Zaya: Yeah.
Brian Contos: So let's jump in.
We mentioned a little bit earlier about your
role at Verodin as part of the Behavioral
Research Team, or BRT.
Tell us exactly, what do you do as part of
the BRT?
Ashley Zaya: Yeah, so as part of the BRT,
our job is to research and identify today's
adversaries' techniques, tactics, and procedures.
So, what does that really mean?
In a given day, we're doing a lot.
Like I said, I'm on Twitter researching, trying
to find a lot of different information, whether
it's today's TTPs, it could be related to
malware or vulnerabilities that are being
released, zero days, and what we really are
trying to do is understand what our adversaries
are leveraging and being able to recreate
that and provide the content within the Security
Instrumentation Platform that our customers
can use.
Brian Contos: Wow.
That just sounds like it's an awesome job.
I mean, you get to do net new research, analyzing
sort of the latest and greatest trends and
attacks and capabilities, and then operationalizing
those.
What's your favorite part of that role?
Ashley Zaya: I think my favorite part of the
role is the fact that we get to see everything
from the beginning to the end, so we have
to think about everything from our adversaries'
perspective.
So, what are they using, what tools are they
leveraging?
If they're using it, what kind of commands
with the tools, and we have to recreate that
in the platform, but then we also have to
understand, well, when the adversary is performing
like this, what kind of artifacts would we
see?
What would be in the event logs or anything
like that?
So we have to understand it from that perspective
all the way to, you know, if this goes through
one of many tools, like, what type of signatures
would that produce?
So, I really like being able to see it from
all perspectives.
For me, like I said, I came from the defender
role, so that's kind of how I operate, but
now, I get to do it from both sides of the
spectrum.
Brian Contos: Yeah.
Ashley Zaya: I like that a lot.
Brian Contos: Yeah, that's gotta be great
to see, both from the offensive and defensive
side.
Brian Contos: Ashley, thanks so much for your
input on your background and your advice for
women interested in InfoSec, and really, everything
that you do at Verodin as part of the BRT.
But I have one final question for you.
Who's your favorite superhero or super villain,
and why?
Ashley Zaya: Well, I could say Catwoman because
I am a low-key cat lady, but I'm not going
to pick that answer.
To be honest with you, I'm not very big into
superheroes.
I've seen the Avengers and everything that
came out recently, but not a super huge fan.
But if I had to pick one, I would pick Iron Man,
and the reason that I would pick Iron Man is
because Iron Man 2 soundtrack is completely
AC/DC.
If you don't know me, I am a huge, huge classic
rock fan.
I love classic rock, and AC/DC is one of my
favorite bands.
I go to them when I need a good pump-up song,
whether it's in the gym or going into a big
meeting, so that's my answer.
Brian Contos: I love that.
I love that.
I remember when I was a kid and my...
I have two older sisters, and they had a record
collection that was very small.
It consisted of two albums.
It was a Molly Hatchet album, and it was AC/DC's
Back in Black, and that's the one I chose.
Ashley Zaya: Nice.
Brian Contos: I think I made the right choice.
Nothing against Molly Hatchet, but...
Ashley Zaya: I think you did.
Brian Contos: Awesome.
Hey, well, Ashley, thanks so much for joining
us today, and again, thanks to all our listeners,
as well.
Be sure to check out other Cybersecurity
Effectiveness Podcasts sponsored by Verodin.
