PEOPLE | Apr 30, 2020

Profession: Security Operation Center Manager. An interview with Ferruccio Vitale

Keeping up with growing cyberattacks and with complex architectures: these are the daily challenges of a cybersecurity expert.

“In general, you realize the importance of cyber security too late, that is, when you have been the victim of an attack”. Ferruccio Vitale, SOC – Security Operation Center Manager at Cybertech, has been working in the cybersecurity sector for over twenty years. “I still greatly enjoy working: it’s a bit like playing cops and robbers. Every day I have a new challenge to overcome and this is the best part of this job”.

His enjoyment comes through in every word as he describes the passion and enthusiasm he puts into his job. Talking about cyber security today, during a health emergency, is important because the risk of attacks, even on critical facilities such as hospitals, is tangible.

“There is currently – comments Ferruccio – an acceleration in the use of digital tools and, consequently, an increase in attention and investments on the cybersecurity front. Let’s think for example of smart working: when we work in a place other than in our company, not only does the workspace change, but also the safety perimeter of the information we manage. For this reason today, more than at other times, it is urgent to think about IT security and to do it before we are left assessing the damage of a possible attack”.

What does SOC Manager mean? What does a person in charge of the Security Operation Center do in practical terms?

“The SOC, together with two other structures such as the NOC – Network Operations Center and the MSS – Managed Security Service, monitors any threats detected on the customers’ systems and, obviously, intervenes in the event of a cyber incident to secure data and information and restore the service provision. We work on what I call a triptych: people, processes and technologies. We therefore insist on training and on raising awareness for the people who work in a given context; we monitor business processes and apply the digital technologies which are useful to do our work better.”

What does a typical day within the SOC entail?

“The days are marked by monitoring events “collected” in a computer system and analyzed in order to understand their nature and to then resolve any incidents. Should an attack be identified, in fact, the job of those who work at SOC is to identify the extent of the risk and therefore to understand the value of the corporate asset which can be targeted in order to assign a priority of intervention for the ongoing attack. Clearly it is the task of those who analyze to also try to understand what the attackers are doing, what the objectives are and above all whether the company perimeter has already been breached and the data has maybe come into their possession or whether they are only “testing” the security (or insecurity) of the system.

From this first skimming, the threat is usually assigned to the first layer, where people who can solve not particularly complex events work. If Layer 1 cannot solve the problem, a Layer 2 is activated where people with higher skills are employed, who are involved only in case of need. In practice, it is as if there were an actual triage of the analyzed event, which serves to understand the “severity of the disease” in order to be able to “cure” it in the best possible way and as quickly as possible.”

Is there a toolbox in the work of an IT security expert? What is the role of digital technology in managing SOC activities?

“The system we use for monitoring events (SIEM) allows a better identification of the types of attacks thanks also to artificial intelligence algorithms, capable of comparing events which have occurred on the network and systems with detection rules, known threats and with other alerts that can be identified thanks to the experience of other solved attacks. Obviously artificial intelligence is just a travel companion capable of supporting people’s work. It is the latter that make the difference thanks to their skills and above all to their intuition. We can safely say that, at the present time, it is unthinkable that this work should be carried out independently by the machines.”

What are the skills that a SOC Manager must have? What is the best course of study for this profession?

“If I had to talk about the necessary skills through my professional path and studies, I could say that my DNA is 90% technical. After attending a high school for scientific studies, I preferred to work immediately in this sector rather than tackling a university course which, at the time, I thought was too theoretical. A path which I then undertook a few years later by obtaining a degree in Applied Computer Science, at a time when I also knew how to appreciate its theory.

My experiences have been in software development, in the system area and then, for more than ten years, in offensive computer security. The fact of being a developer, systems engineer and hacker has often helped me find solutions faster and more effectively. If I were to give any advice to a young person who wanted to do this job, I could say that the certification paths related to cybersecurity are particularly useful. What I personally found very stimulating is the OSCP certification, in which the student is asked to “penetrate” a corporate network within a predefined time. In addition to the skills and passion for this topic, you need to have a good predisposition to think outside the box, typical of hackers. In addition to this, other useful skills are the ability to work autonomously, which leads people to look for solutions on their own, associated in any case with the ability to interact, as teamwork is fundamental for this job. You don’t achieve anything alone.”

What is the best part of this job?

“The best thing about this job is the continuous challenge that means you never become bored, because the complexity of the architecture and the opponents’ ability are constantly and continuously growing.”

What’s the worst thing instead?

“In general, there is little perception of the importance of this work and sometimes it is difficult to make its value be understood by the customer, who often perceives it as an intrusion into their field.”

How does a SOC Manager keep updated? What are the blogs or websites to consult in order to stay up to date on cybersecurity issues?

“I personally gladly consult the CERT website, Hacker News, the section of the Microsoft website dedicated to security, plus several Reddit discussion groups like AskNetsec.”

A book that left its mark on your life and that has somehow steered your choice of work?

“Definitely a book I read as a boy which exalted the original meaning of the term hacker, that is an individual who loves the intellectual challenge to creatively overcome the physical limits of the software systems of the past to obtain new and effective results”.