The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Voice of the Community blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Maria Markstedter, Chief Executive Officer (CEO) of Azeria Labs, former Chief Product Officer (CPO) at Corellium, a Black Hat¹ Review Board member, Forbes Person of the Year in Cybersecurity, and the author of a soon-to-be-published book on Arm assembly internals and reverse-engineering.² The thoughts below reflect Maria’s views, not the views of Microsoft, and are not legal advice. In this blog post, Maria talks about the industry’s growing interest in Arm assembly and how to help security professionals avoid burnout.
Brooke: How did you become passionate about Arm as a processing language and how is it gaining momentum in security?
Maria: While working as a penetration tester, I attended a conference where security researcher Marion Marschalek gave a talk about reverse-engineering the computer worm Stuxnet and I was fascinated. I built up the courage to ask her to teach me. This is when I learned about x86 assembly and malware analysis. I got interested in Arm assembly and realized that I had way more Arm-based devices around me than x86 processors.
When I started studying the Arm architecture, the only devices based on Arm were IoT and mobile devices. Digging into it more, I realized that Arm was working on a 64-bit architecture and could take off in the desktop and server world. I was anticipating this shift. Arm is a very scalable platform and offers significant advantages over other processors, like power consumption and performance. Apple switched all their Macs to the Arm processing language. That raised the bar for high-powered yet energy-efficient computers. This shift puts pressure on other vendors that want to compete with laptops that are just as efficient and that have battery life that lasts just as long. It didn’t take long for Microsoft to catch up, with the SQ1 processor for Windows on Arm. Microsoft Azure recently implemented an entire cloud service. It’s gaining momentum because the architecture has become more powerful. It’s a new era.
There’s a huge gap in educational resources for people to learn about Arm. That’s why my current job involves training security teams on Arm reverse-engineering and exploitation. I also wrote a book about Arm assembly and reverse-engineering to fill that gap in a digestible format with lots of graphics. I’ve been working on it for two years and it’s about to be published. I hope that this book will help a lot of people ease their way into becoming proficient in something that is rather dry and hard to learn on your own.
Brooke: What is the biggest challenge facing security professionals today?
Maria: The biggest challenge is keeping up with new technologies and changes. From my work as a penetration tester, you get a new gig and new clients with a new product that uses a completely different stack of technologies, and you have to quickly familiarize yourself with it. Different technologies mean different attack vectors. That goes in every direction of security research. I know great reverse-engineers who have spent their whole career reverse-engineering malware and product components based on x86. If the architecture of these components changes, everything changes. If you are used to reading x86_64 assembly and are suddenly presented with a completely different assembly language, it’s like trying to understand Spanish if you are familiar only with French.
Organizations expect their security teams to keep up with these rapid changes. How will these security teams find the time to learn and stay on top of it all? It’s not reasonable to expect security professionals to learn outside of work hours when they should focus on their family and maintaining a healthy work-life balance because it’s easy to burn out in our industry.
Brooke: What are some signs of burnout that security leaders can look out for?
Maria: Last year, I experienced my first major burnout. I was taking on way too many responsibilities. As a result, I had to take a couple of months off of work to recover. I always thought, “When I burn out, I’ll take a week off and go on vacation.” It’s not as easy as that. It starts off very subtle and is very difficult to notice before it’s too late.
Some of the causes of burnout—and why I advocate for training—are if your employee feels they don’t have any impact, feels overwhelmed or like they can’t keep up, feels like they are expected to figure it all out in their free time, or doesn’t get the time to work on interesting things that feed their curiosity. In our field, we constantly see someone coming up with something really cool and think, “I wish I could do that.” But yet, we rarely get the time to explore and learn new skills and techniques, especially when they don’t directly correlate with our current role. Security leaders need to help their team nourish their inner curiosity and give them enough breaks and research time, and the opportunity to learn.
Also, people in the process of getting burned out have a hard time saying no. If you give them new tasks, they’re going to say, “Sure!” because they feel like they’re not contributing enough and that they need to prove themselves. As a manager, ask the right questions and monitor their workload. You get more out of someone if they work a little slower but don’t burn out. If they must take sick days off or are so anxious or depressed by the end of the week that they barely get any work done, you’re not getting your results either. If they do less in a focused and balanced way with a clear mind, they will produce more value. Keep your employees happy and motivated; don’t treat them like workhorses.
Brooke: Should the opportunity to study and grow be considered a recruitment and retention tool?
Maria: Yes. People in our profession are generally very curious and driven. Otherwise, they wouldn’t be in this field. They are very eager to learn. If you feed the curiosity of your security team and give them new learning opportunities, you might be surprised at what they come up with. It makes them more versatile, confident, and motivated. Every security area overlaps with another, so they might come up with an idea that you haven’t thought of, which could lead to security advancements internally.
At my first company, I was working as a penetration tester and wanted to attend a training course about forensics, because we’d had a couple of forensics incidents, and they would send us penetration testers, even the ones who had little knowledge in forensics. But they said they wouldn’t pay for it, mainly because they didn’t want to invest in their employees and were scared that this investment would lead to them leaving the company. I ended up leaving the company because they would not give me continuous educational opportunities and expected employees to learn everything in their free time instead of investing in their skill development.
Brooke: What would you recommend to Chief Security Officers (CSOs) filling cybersecurity roles?
Maria: You’re better off if you hire for potential and character. You can always train people. Hire for potential and pick people who are fast learners, are curious, and have demonstrated that they have invested in their own skill development as best as they could. Train them internally and send them to security conferences where they can meet like-minded people and learn. If you’re waiting for the perfect candidate, it’s rather hard to find enough people for the job. If you train them up, you have a better chance of filling all the spots.
You can outsource certain security teams, like penetration testing and incident response, as many organizations do, but it’s risky to not have an in-house security team. If an incident happens and your people are not skilled enough to respond to it, you may try to contract with an external firm, but they could be overflowing with projects because it’s a global incident. CSOs should expand their own security teams and leave room for skill development, not just in their own niche but also nurture their interests. It’s the organization’s responsibility to provide the resources and space for employees to evolve their skills.
Brooke: What is the biggest threat to organizations right now?
Maria: If you focus on one threat, it will become irrelevant in no time. The biggest threat is the rapidly changing environment and that security professionals might fall behind. So, when it’s time to act, they are not able to. Your security team is the backbone of your security posture. If you neglect that, you will not be able to keep up with evolving trends. I have seen people being sent to security incidents last minute who had to pull that off on the fly and work all day, every day for weeks on short notice with no prior knowledge. Things are always so rapidly changing that it’s all about how quickly you can respond. Do you have the resources to respond to what’s being thrown at you?
¹ Black Hat USA 2022, Black Hat.
² Upcoming Book Series: Arm Exploitation, Maria Markstedter.