August 10th, 2022
Cybersecurity Expert Interview: Whitney Champion
Please introduce yourself and tell us what you do.
My name is Whitney Champion and I'm the lead architect and one of the co-founders of Recon InfoSec. Basically I'm responsible for building and maintaining our security stack, our applications, and also our training platform: The Network Defense Range, or NDR. We're a managed security services provider, and we're based out of Austin, Texas. There are roughly 15 of us and we provide managed detection and response services and training.
Very cool. What made you want to start an MDR Company?
Well Eric (Capuano) had actually been running Recon solo for a couple years before I joined him. It was kind of a side gig for him. He's been in the security industry for a long time too. Initially I joined him in his efforts to get one of our side projects, OpenSOC, up and running. I joined him to help get that automated and bring it to life because he'd been doing it on his own and I had cycles to jump in. So after we worked together on that for a little while, I started doing work for Recon on the side. I was still full-time at my day job, working with Red Hat, and I really missed the startup life. Before I was at Red Hat, I was at a company that had a head count of about 40 people when I started, and then we grew to about 400. I jumped over to Red Hat and that’s, as you know, a pretty big company. I really missed being in the small environment, I missed the grind, and building things from the ground up.
I loved what we were doing at Recon and knew we could make an impact in the industry, and so did Eric. We needed full-time infrastructure work, and security engineering. So, eventually I went full time for Recon when we were able to, and a few years later here we are.
It's been a wild ride, but I'm really proud of what our team has accomplished so far.
That's great. I think once a certain type of person gets a taste of what it is like to work in a startup they can never imagine going back to a big company. You can't put the tiger back in the cage.
Exactly. It's hard to go back.
Is there anything you've learned along the way as an entrepreneur that you wish you had known at the beginning?
To be honest, I knew it would be a lot of long hours and elbow grease. It was that way since day one, and it's kind of what made it so exciting and what made me want to go full-time. It was just a constant fire hose, and it was essentially a blank canvas with a huge end goal in mind–to build cool things and grow the company. The freedom that comes with that is unmatched.
But I also knew that if we put in the hard work up front, eventually things would get a little easier, and now we have an amazing team of really sharp, reliable people, and everybody brings a lot to the table. Looking back now at everything we've done and built, I think if I had known in the beginning the level of effort that would go into the last few years, it would have been completely terrifying. So I am glad I didn't know the whole of it. But I'm very thrilled that it unfolded how it has so far.
That’s funny because I always want somebody to give me this piece of magic advice when the best thing is to not know because it would probably scare you off.
As I was preparing for this interview, I was checking out your social media and I'm really curious what angry.unicorns.lol is, because it seems very different from the rest of the things you do.
They're my creations. I started drawing years ago, and I can't draw on paper to save my life, but making them in Illustrator was really fun. A lot of them were made into stickers and people kept asking for them. So I would bring bundles into my old office and throw them out on the table for people to take, and I mailed them around the globe a few times. And some of them are really special to me and were birthed from special points in my life. But ultimately, they were just kind of an outlet and if other people enjoy it then that makes me happy. So it's just a fun thing to do.
I totally get it, you need to have that creative energy go somewhere.
What is OpenSOC.io?
It's actually Eric's brainchild from years ago. He started running it for his security team when he was still at the Texas Department of Public Safety. He wanted to turn it into something more exciting, so it became OpenSOC, and we built it. It's a BlueTeam CTF. We built the competition based on open source and ‘accessible to everybody’ tools. We run our own range. It's a full enterprise environment with all the bells and whistles. We’ve got user automation, traffic generation, and mail generation. It generates a ton of telemetry and all that gets shipped to our OpenSOC security stack. We provide participants with a suite of open source DFIR tools like OpenSearch, or ELK as most probably know it, Velociraptor, osquery, Arkime (which was formerly known as Moloch) and then we essentially execute one or more scenarios as if we were various threat actors or APTs. So the participants then become the incident responders, and they have to go find all the artifacts throughout the environment and basically piece together the incident.
So when they're in there, they've got access to firewall and IDS logs, Thinkst Canary logs, Windows and Linux system logs, packet captures. They have the ability to interrogate all the endpoints with osquery and Velociraptor. So, all the things. And then they start threat hunting. They’re trying to figure out things like, did the attacker exfil any data? What is the impact? How did they get in, and what did they access? Was there any lateral movement, what systems were affected, or even, how could this have been prevented? And so on.
We've been running it for a handful of years now. We've run it around the country for thousands of people at a ton of conferences, including DEF CON for several years. We were the largest blue team CTF and achieved Black Badge status there. We've run it at a bunch of BSides events, CactusCon, DakotaCon. Texas Cyber Summit was another good one, and some others. We also run our NDR training platform, which essentially grew out of OpenSOC, and we offer it quarterly through Recon. That's the one that we're running again at Black Hat this year. And as you know we've integrated LimaCharlie into the offering, which is exciting.
So we're stoked about that, but it's definitely a labor of love. It's been really valuable to a lot of people in the industry, and it’s been fun
We're super excited about it. I know Maxime is actually going to go down there because he wants to be there to answer questions, but it sounds like a really amazing piece of software you’ve made.
Yeah, I heard that he was going to join us the other day. That's exciting, and will be fun.
This one's out of left field, but tabs or spaces?
I feel like I should respond with an angry Richard gif from Silicon Valley. Always tabs. I was fighting with it just this morning.
I'm a tab person myself. I think Maxime
I feel like that's fitting. He seems like he's got the mind for it.
Yeah. We have a linter though, so I don't have to think about it too much.
There you go.
When you take on a new client or go into a new organization is there something that you often see that could be considered low-hanging fruit? What would you say to organizations in general as the simplest thing they can do to improve their security posture?
Yeah, absolutely. Sometimes it's simply making sure they've got MFA wherever possible. It still kind of surprises me how frequently that comes up. Same thing with single sign on. We still see Windows 7 and 2003 in the wild. We've got to get rid of those little guys. It still takes you by surprise every now and then. Take advantage of endpoint protection, whether it's Defender or some other vendor. We typically get agents on all of our endpoints as soon as we can when we onboard someone just to ensure that we're getting telemetry as soon as possible. I think one of the biggest ones, though, is simply security awareness training. I know we all hate sitting through it and watching those super fun videos, and we’ve had to do it for years now, but it has real benefits. Some people simply don't know and then they get hit, when it could have been prevented. Especially phishing training. People in our industry still get hit by it and we’re the ones that are supposed to know better. So I feel like even something as simple as that can end up being pretty huge.
What are your thoughts on the current cybersecurity vendor market? Cybersecurity is infamous for having too many buzzwords and things like that. Yeah, we joke about the annoying buzzwords all the time. But I feel like for years, this whole industry has been dominated by the big companies with huge marketing budgets and the big shiny whatever. It's really refreshing to see some smaller companies in the limelight that are really technical, capable, and effective doing big things in this space. It's kind of awesome.
I share that sentiment.
I'm sure you do.
Are there companies or thought leaders or community members that you look to as good examples of people that are doing the right kinds of things in cybersecurity?
Some of my favorite companies and leaders to watch, besides Recon obviously: Andrew Morris and GreyNoise, Haroon Meer and Thinkst Canary, Mike Cohen and Velociraptor. We've been working with Mike for a long time and his platform is amazing. You guys and LimaCharlie obviously, to name a few. Fleet is another awesome company, and awesome team. I think those are really good examples of super sharp teams building incredible platforms that they've clearly poured so much into, and then they still give back to the community. That has always been a solid core value of ours at Recon–to always give back to the community. It's what those companies I mentioned have always done from the get go, and in really big ways. I think that's pretty badass. Security is hard and it's even harder when there's a huge dollar sign barrier to entry, and I feel like those folks are doing it right by making it a little bit easier to get in there.
Yeah, I think overall everybody benefits by taking the attitude that we go together and build this security posture together. I really hate the zero sum thinking on the business side of all of this. There are more problems than there are people to solve them right now. So let's not worry about who gets what piece and let's just just go forward in good faith that we're all gonna get there together.
Do you have any advice for people early in their careers that are considering getting into cybersecurity?
Yes, dive in. Security spreads far and wide and deep and there are so many avenues to consider. Not to mention there's job security in the security industry. We will always need it, and more importantly, it's fun and it's challenging. Like I said earlier, it is a fire hose and there's always something new to learn and room to grow, and it’s never boring. Complacency is not an option. So I feel like if you like a challenge, it's a pretty good time and a good place to be.
Do you have any predictions for the future?
This feels like a loaded question given the state of the country, and basically the world right now. It's a little scary to think about. But I will say that I see Recon growing. We're building big things right now, and it's a really exciting time for our team. So I'm looking forward to seeing where we go next, but I also predict a smashing success at Black Hat with LimaCharlie in two weeks.
Wow, it's coming up quick, isn't it?
Right, right around the corner. So that will be fun.