- Member of “Tactical Response” team responsible for triaging hands-on-keyboard intrusions to aid Huntress partners in identification of initial access vectors.
- Acted as final escalation point for complex SOC incidents.
- Introduction of Azure Data Explorer (ADX) into the environment for rapid, automated analysis of telemetry via Kusto Query Language.
- Utilizing Azure services, prototyped an AI-enabled chatbot for incident reports as well as a Slack bot integration with ADX.
- Delivered technical webinars, including the popular “Tradecraft Tuesdays” series.
- Authored technical blog posts relating to threat actor tradecraft as well as threat hunting methodologies.
- Led a team of three Senior Threat Research Engineers, including technical guidance, general mentorship and performance management.
- Introduced a “Campaign” process to organize and streamline Sumo Logic out-of-the-box (OOTB) content generation work into sprints, including process documentation and automation for Jira ticket creation. The Campaign process was responsible for the generation of over two hundred new pieces of content in the form of SIEM rules.
- Created lab environments utilized for content generation and validation using infrastructure-as-code paradigm, including creation of cloud lab environments using Terraform.
- Authored various scripts designed for task automation including the creation of containerized development environments.
- Creation of containerized honey pot network, including Kubernetes orchestration and deployment.
- Performed gap analysis for existing content and put initiatives in place to address gaps, resulting in coverage for technologies such as Azure/Entra, Active Directory, Office 365, Docker, Kubernetes (Azure AKS and AWS EKS) as well as additional coverage for Linux and macOS operating systems.
- Led initiatives to create threat detection content for the User Behavior Analytics (UBA) rule types introduced to the Sumo Logic platform.
- Worked with marketing teams to create and deliver technical presentation material for the RSA Conference (2022) as well as webinars delivered in partnership with the SANS Institute.
- Sole author of numerous technical blog posts, resulting in thousands of additional views leading to high-ranking Google search results for key terms such as “Kubernetes lab”. Numerous blog posts also featured on popular security mailing lists such as “Detection Engineering Weekly” and “CloudSecList.”
- Created a capture the flag (CTF) exercise, including all infrastructure build as well as challenge creation that spanned on-premises to cloud-native use cases; designed to get internal and external stakeholders more familiar with the Sumo Logic platform.
- Worked with clients to plan, prepare and execute enterprise Purple Team engagements with actionable reporting deliverables.
- Designed and executed realistic attack paths based on the MITRE ATT&CK framework in combination with publicly available threat intelligence material on the latest techniques used by threat actors.
- Focused on visibility and defensive uplift, providing clients of varying sizes and across numerous industry verticals with boutique, high end white-glove style consultation regarding logging pipelines, queries and general defensive cyber security guidance.
- Conducted Azure and Office 365 architecture and security reviews.
- Conducted incident response and forensic investigation of both cloud and host-based intrusions.
- Sole author of regular technical blog posts, including the release of the SysmonConfigPusher tool, written in C#, which is designed to assist with Sysmon deployments at scale.
- Creation and delivery of highly technical training material, focusing on telemetry pipelines, threat hunting and detection engineering.
- Created and delivered various webinars, customer presentations and other technical marketing materials.
- Responsible for conducting compromise assessments for clients of various sizes, including extremely large and complex Splunk deployments with data sources ranging from on-premises Active Directory to Kubernetes and custom application telemetry.
- Assisted sales and other functions throughout the sales lifecycle, responding to requests for proposals (RFPs) as well as generating statements of work (SOWs).
- Responsible for the configuration, maintenance and full operationalization of the McAfee Security Information & Event Management (SIEM).
- Led a team of third-party SOC analysts, including training and documentation for new attacker tactics, tools and procedures.
- Responsible for operation of the Rapid7 Nexpose vulnerability management system, including production of reports for senior IT leadership as well as prioritization and analysis of vulnerabilities.
- Considered corporate subject matter expert on matters relating to malware, incident response, vulnerability management, Linux and Windows best-practice logging configurations and system hardening.
- Worked with application and IT teams to remediate thousands of vulnerabilities across servers and workstations, resulting in a drastic reduction of risk to the organization.
- Conducted simulation of malware and attacker activities in order to create and validate SIEM alerts and logging configurations as well as to identify any gaps in visibility.
- Directly responsible for lowering third-party penetration test risk scores due to robustness of host and network-based detection capabilities.
- Introduction of Splunk Enterprise into environment, including planning, architecting and executing a full deployment, complete with Windows Event Forwarding and logging best practices.
- Project lead on various Azure Active Directory initiatives, including roll out of Azure Multi Factor Authentication as well as the implementation of Microsoft-recommended Conditional Access policies.
- Introduction of Sysinternals Sysmon into environment, including custom-written PowerShell log scraper, SIEM parsers and relevant SIEM rules.
- Responsible for ensuring day-to-day compliance with corporate information security policies and procedures.
- Responding to customer questionnaires regarding information security in a timely and comprehensive manner.
- Creating, editing and updating a large amount of documentation used for internal and external audits as well as PCI certification.
- Worked with various project teams, often under tight deadlines, to ensure that project proposals and implementations met TransUnion security policies and industry best practices.
- Responsible for reviewing and vetting of access requests to TransUnion internal systems.
- Designed automated access review system and conducted regular logical access reviews for critical TransUnion systems in order to satisfy audit and policy requirements.
- Provided general guidance to business units on various security issues. Acted as primary point of contact for various large-scale and high visibility projects.
- Provided external and internal customer support for a range of TransUnion products and services.
- Communicated issues to team members in order to ensure uninterrupted and consistent client support.
- Edited and produced service desk related documentation for TransUnion products, services and processes to ensure compliance with PCI standards.
- Provided desktop support and assistance to TransUnion associates.
- Entrusted with highly sensitive customer data on a regular basis.
Year | Description |
---|---|
2022 | Obtained Kubernetes and Cloud Native Associate (KCNA) certificate. |
2019 | Obtained ISC² Certified Cloud Security Professional (CCSP) designation. |
2017 | Obtained Offensive Security Certified Expert (OSCE) certification. |
2015 | Obtained Offensive Security Certified Professional (OSCP) certification. |
2014 | Obtained Associate of ISC² Certified Information Systems Security Professional (CISSP) designation. Full designation achieved in 2016. |
2010-2012 | Earned a multidisciplinary Master of Arts degree from the Munk School of Global Affairs, University of Toronto, specializing in European History and Political Science. Ontario graduate scholarship awarded two consecutive years. |
2006-2010 | Earned a Combined Honours Bachelor of Arts degree specializing in History and Labour Studies with a Minor in Sociology from McMaster University. Summa cum laude standing achieved. |
2002-2006 | Earned a Network Engineering and Security Analyst Diploma from Mohawk College. |
- Sysmon Config Pusher: https://github.com/LaresLLC/SysmonConfigPusher
  - Tool designed to aid security teams in managing various versions of Sysmon configurations, providing the ability to "tag" various configuration files and "push" them to different endpoints in the environment.
  - Demo video: https://www.youtube.com/watch?v=QcRVTe8NvaU
- Sole author of Constructing Defense: https://course.constructingdefense.com/constructing-defense
Year | Description | Link |
---|---|---|
2017 | BSides Toronto – “Red and Blue Ping Pong” – presented with Lee Kagan; the talk outlined modern Windows attack and defense methodologies. | https://www.youtube.com/watch?v=sDEEDZkIZGw&t=2s |
2019 | BSides & TASK Toronto - “Beyond Logs: Why It’s an exciting time to be a Defender” – an outline of modern defensive tools and methodologies in the defensive space of cyber security. | https://www.youtube.com/watch?v=cnqDnrZxYkQ |
2021 | SANS Threat Hunting Summit - “Hunting Malicious Macros” – an overview of threat hunting and detection engineering techniques designed to track malicious Office macro usage. | https://www.youtube.com/watch?v=soF5iyeeWDg&t=1s |
2022 | Defcon Blue Team Village - "Hunting Malicious Macros" | https://www.youtube.com/watch?v=lrcAl_WD0HY |
2023 | Antisyphon Blue Team Summit - “Cloud Security: Does the endpoint still matter?” – an examination of lesser-appreciated credential access avenues such as file shares, cookies and cloud tokens with a particular focus on threat hunting through file access auditing events on Linux and Windows operating systems. | https://youtu.be/dYJzEubKaNw?t=3699 |
2024 | AtlSecCon – “Hunting for Cloud Session Anomalies” – this talk outlined how to hunt for cloud session anomalies in services such as Microsoft Entra, Okta, Amazon Web Services and Kubernetes resulting from credential theft in the form of cookies or tokens. The talk covered telemetry sources, hunting strategies as well as testing and validation methodologies. | https://atlseccon2024a.sched.com/?iframe=yes&w=100%&sidebar=yes&bg=dark# |
- 2019-2021 – Part of The Canadian Collegiate Cyber Exercise (C3X) build team, designing and implementing a simulated corporate environment with various attack and defense paths for student participants.