dnsUNFILTERED: Quinn Varcoe, Blueberry Security
Quinn’s a wizard when it comes to Security Operations Centers and she’s here to spill all the beans. We’re talking about everything from the ABCs of SOCs, to carving out a career in the cyber world, and the rollercoaster ride of launching a cybersecurity startup.
[00:00:00] Mikey Pruitt: Quinn Varcoe, the SOC specialist, is joining me in the studio. She's just off of a cross-country flight, a little jet lagged, but she still took the time out of her day to talk with us. You have had a storied history in the SOC industry. You've been an analyst, a SOC analyst, a SOC manager, a SOC engineer. Lots of titles after the SOC term.
So tell me like a little bit about yourself.
[00:00:23] Quinn Varcoe: Yeah, I am one of the rare few people who entered the cybersecurity industry with no background, besides just growing up and touching some stuff. I had no background in cybersecurity. I had no experience, degrees, or certifications. I came in at 18, started off as an analyst, worked night shift, worked my way up to engineer.
Finally got back in front of people after one and a half years. And then I started working at a whole bunch of different places that are more well known. I was on a contract for Medicare and Medicaid, and then I went to CVS Health, and then I started helping this startup company do SOC, and so that's when I started managing and designing SOCs.
And I actually built two SOCs in six months, pretty much from scratch. I came in, they were both completely leveled, and we rebuilt them. And then, yeah, I'm here. After I did it a few times myself, I was like, you know what, I'm just gonna start my own business.
[00:01:26] Mikey Pruitt: Yeah. And that's what I wanted to touch on first: you've been in a few different positions, like every position there is in the SOC. It's not like there are 30 different jobs in a SOC. There's only like a handful, and you've done all of them or most of them, and have worked at some different places, which I'm guessing gave you a lot of different experience: different threats, different styles, different threats coming in.
How to figure out what they are in different environments, how to triage them, how to respond. And now you're basically an entrepreneur, a startup yourself. So tell me a little bit about Blueberry Security.
[00:02:03] Quinn Varcoe: Yeah we started in November of 2024. No idea what we were gonna do. It was just me and my business partner and I was just like, yeah, we should start a business.
Let's try to figure it out. And it took us about eight months to figure out like a marketing strategy and how we were gonna sell our products or our services. And so we eventually figured that out. And that's about when I met you. We kicked off a marketing campaign that generated like 1.5 million views within three months, which is pretty good.
Yeah. And then I hired a sales director and stopped doing LinkedIn thought leadership, and then I started serving the clients that we met in those few months.
[00:02:48] Mikey Pruitt: The successful business owners delegate early, so congratulations. It looks like you're going places.
Thanks. And I was gonna say, a lot of the audience for this will be like MSP owners and employees. And a lot of MSPs get started like an accidental entrepreneur. They're like, I know how to do this stuff. I'm doing it for other people. I feel like I could make a bigger impact. I just did it myself.
Ran the whole show. And it sounds like you had a very similar journey.
[00:03:17] Quinn Varcoe: Yeah. So for me, I have just always been the type of person who wants to start their own business. And after I've been doing this for a few years now, I'm like, okay, I know what everybody's doing wrong.
I'm just gonna go in there and I'm gonna do it myself and I'm gonna do it right. And I think it's mostly worked.
[00:03:40] Mikey Pruitt: Go ahead. Yeah. Let's talk about how it worked and doing it right. So you designed a few SOCs, and honestly, I know very little about SOCs other than what I've seen in like movies, and based on our brief LinkedIn chat, you're like, it is like that.
So yeah, it can be. Tell me, like, what is a SOC? What's the mission of a...
[00:03:59] Quinn Varcoe: So SOC means Cybersecurity Operations Center. A lot of companies will call them a CSOC instead of a SOC. Essentially what it is, is a monitoring center where we monitor logs from applications all over the organization.
We ingest them into a monitoring tool called a SIEM, and then from there we create threat detection rules to detect if somebody's trying to hack a company. To simplify it as much as I can: the SOC usually is not responsible for the incident response process, but the exciting and the adrenaline rush stuff, the really awesome stuff that's in movies, that is in a SOC, or at least the SOC hands off to the IR team.
For us that's the case. There's two separate teams. Yeah, so the incident response team essentially will receive an alert that something bad happened, and then they'll go and investigate and they'll have to create the story of who, what, when, where, why, what was the crime, and can we stop it live?
Or did we lose something? What did we lose? And how can we best recover?
[00:05:06] Mikey Pruitt: Yeah. How do we stop the bleeding and how do we make it not happen again? So when you're designing a SOC, you mentioned SIEM and alerts. When in that designing process is the alerting a really big factor? I would imagine so.
[00:05:23] Quinn Varcoe: So yes and no. So I think the most common mistake that people make is that they try to turn on as many alerts as possible. And it creates a lot of noise and causes analysts to miss things. It's more important that the alerts are very high value but low in amount. That's how you get the most out of your system.
Because at the end of the day, your SIEM and your analysts are not gonna detect a hacker every single day. It's gonna be like once ever, maybe twice ever. Which is crazy, that we design systems like this to prevent one crime. But it saves millions of dollars if it's done right. Anyways, it should save you millions of dollars.
[00:06:05] Mikey Pruitt: What is an example of a high value alert in your opinion?
[00:06:09] Quinn Varcoe: Yeah, so I think alerts that are lower priority should be turned on to reduce risk. And alerts that are higher priority should be turned on to catch bigger incidents. So a low priority alert would be a network detection using your IDS, and it says something like "Cleartext credentials detected." It's maybe not the super highest priority, but somewhere on your network, it's a bad guy
[00:06:35] Mikey Pruitt: poking at the network, basically.
[00:06:37] Quinn Varcoe: It's a misconfiguration, so nobody's broken in yet, but it's something easy that a bad guy could find. And so finding those things early in your SOC is something that sets your SOC apart.
So it's proactive versus reactive versus both at the same time.
[00:06:56] Mikey Pruitt: That's really interesting because, so at DNSFilter, we block DNS queries and more things in the near future like URLs and IPs and all this stuff. And a lot of times what we tell people to do when they first get our software is to turn it on, deploy it, but don't block anything yet.
Just see what comes in so that you can craft a policy and alerts that are more beneficial. So it sounds like you're taking a very similar approach, and the employees, whoever is doing the work, are going to be providing you with those different levels of alerting. So you can use them like guinea pigs, yourselves, to figure out those easy things to cut off, essentially.
[00:07:38] Quinn Varcoe: Yeah, that's very true. So once we observe an environment, it's easy to see more of what the threat landscape is, which I think sounds like a funny word. And it's more of a buzzword. But the more stuff that you have in your organization, the easier it is to have a larger surface for attackers to attack.
And you're right, that's the purpose: once we know what's in an environment, then we can make better decisions.
[00:08:06] Mikey Pruitt: So what would, I don't know if you mentioned a high level, high value alert, in your opinion, what would one of those look like?
[00:08:12] Quinn Varcoe: Yeah. And so here's a good example that I think would be really easy for you to understand as well.
If we get a DNS callback for a malicious domain, let's say it's a domain associated with the ransomware group, that is surely not a good thing that will ever happen. Even if it's blocked, it means that you're compromised. That would be a high priority alert that is high value, and would really easily engage the IR team to come in and do their incident response.
When did we get breached? How far did the infection spread?
[00:08:46] Mikey Pruitt: That's a great example. Please use DNS as an example anytime. It's always DNS, as they say. What are some of the structural roles in a SOC? I know you've been an analyst, an engineer, a designer, a SOC manager. Are there other roles that people could craft the path of their career towards?
[00:09:08] Quinn Varcoe: So it really depends on the size of the organization and how their security team has been designed. But typically there's analyst, engineer, architect, manager, and then you have incident response. You have team leads, your technical team leads, on the incident response team and on the SOC team.
And then you have your threat intelligence team, which is generating new content for your team. They essentially do research on what are adversaries looking to do to your organization and, so threat intelligence is actually super, super cool. 'Cause you have to go undercover and pretend to be a bad guy and steal data.
From them. I was just about to ask you, which
[00:09:53] Mikey Pruitt: was your favorite? It sounds like the threat hunting is really where you, like
[00:09:57] Quinn Varcoe: So I actually really like being an incident commander, which is the people who run the incidents. They're the ones in charge of organizing the staff to contain an incident.
I think I'm a fan of the threat intelligence role, but it's not something that I have done. I'm sure I could do it well if I ever do it, but just at this point, I'm not going back to
[00:10:22] Mikey Pruitt: work
[00:10:22] Quinn Varcoe: it.
[00:10:24] Mikey Pruitt: Yeah. That's a whole different trajectory. I totally understand that.
Let's talk about some of the tools that you would use in a SOC. What are some of the software packages that are pretty common that you see?
[00:10:36] Quinn Varcoe: Yeah. I would say one of the most important things that every organization has is an EDR tool, like CrowdStrike, Defender for Endpoint, SentinelOne, just to name a few.
So those are some of the tools. There's also the IDS/IPS, so you'll hear about Suricata and Zeek correlate. You'll probably hear about different SIEM options like Splunk, Microsoft Sentinel, Google Chronicle, LogRhythm. And then there's like open source. There's so many different types of SIEMs.
Our company, we actually focus on open source because we want to reduce costs, and there are free tools that do pretty much everything better than the proprietary tools. There's a very big misconception in this industry, and I guess in pretty much every industry in the world, and the misconception is that because it's proprietary, it's safer. And that's not true.
Open source is safer, and so I try to use open source tools as much as possible.
[00:11:40] Mikey Pruitt: Yeah. So you're saying there's EDR tools and other tools that are emitting data. There's a SIEM that's catching the data, and that's where the alerts are crafted, in that SIEM. So the SIEM seems like the central point.
[00:11:54] Quinn Varcoe: Yeah. So the SIEM's the central point. It's where all the logs go. It's where the detections are made. The tools that feed into that: IDS, EDR.
[00:12:04] Mikey Pruitt: It's funny. It's funny that you mentioned open source 'cause, and I didn't give you these questions, but next question on my list is, what is the role of open source in cybersecurity?
Because like you, I believe that open source should be our first thing, our first tool that we grab. Not just because they're better, and I'm not saying they are better right now, but I feel like they should be better and they're more responsible. Exactly. And even now they are better in some instances.
So it's great to see you guys are focusing on open source SIEM tools. Are you also recommending open source EDRs? 'Cause I do know those exist as well.
[00:12:46] Quinn Varcoe: So the way our model works is we will always recommend an open source tool first. The other thing that we do is we try to integrate with whatever customers already have.
Let's say they, for whatever reason, they're a fan of CrowdStrike. Our model is we are going to set everything up in their environment so they can have it. If they don't wanna work with us, it's all open source. It'll save the money. They can scale it as quickly as they want and it's all theirs.
[00:13:15] Mikey Pruitt: So what is Blueberry's role in, in the SOC ecosystem? Are you guys contracted to be the monitoring arm and the kind of setup and consulting?
[00:13:26] Quinn Varcoe: So we're more focused on consulting. So people will come to me and say, hey, I have 3,000 endpoints that I need to set up a SOC to monitor. Does it make sense to bring it in-house?
And if so, how would you do it? That's part of it. We also staff those SOCs. If they would prefer to work with a contracting company, we can hire people at Blueberry to work there, to reduce some of the risk of hiring new people. And then we also do SOC as a service. So some of those clients may determine after they've done consulting that they don't wanna bring it internal and they wanna do SOC as a service.
And then that's when we have those discussions. If they cannot afford to do it themselves, then we have that open.
[00:14:12] Mikey Pruitt: So you're almost a managed service provider in that way? A little bit,
[00:14:15] Quinn Varcoe: yeah. In some ways.
[00:14:17] Mikey Pruitt: Do you have
[00:14:17] Quinn Varcoe: any
[00:14:18] Mikey Pruitt: managed service providers as customers?
[00:14:22] Quinn Varcoe: Yeah, so actually the majority of our work is done through partners. So usually virtual CISOs or MSPs. Maybe they don't wanna do the SOC as a service component, but they wanna work with a consultant who does SOC, or they need a recommendation for a SOC as a service provider. And that's when we work with them.
[00:14:42] Mikey Pruitt: Very cool. That's good to know. For the audience, if you're looking for consulting and SOC help, Quinn is your gal. And also I was curious: threats are coming in all day. Some of them are low value, as you said, some of them are high value. How do you, as a SOC entrepreneur, I guess would be a good word,
how do you stay up on the threat landscape? What's coming in, what is important to know about, what is meaningless and can be ignored?
[00:15:13] Quinn Varcoe: So for me, I try to hire really good people who stay on top of those things. So I guess there's two ways to look at this question. One is, how does the organization as a whole generate detections that fight active threats? And that's gonna be done through your threat detection and threat intelligence team. So the way it works for us is we have somebody who's doing that threat intelligence research and they're working to turn those into alerts. But for the other part of the question, and this might be more of what you meant, how do you stay on top of current cyber threats in terms of reading the news, staying up to date?
So, like I said, the people I hired are very intelligent. They read the news all the time. I tend to view what comes up in my LinkedIn feed a lot. But there's also tons and tons of different news sources, especially for the purpose of threat intelligence. A lot of people will use like Feedly.
[00:16:12] Mikey Pruitt: Yeah. It's so challenging to stay on top of all the things that are coming in. It's definitely like, we at DNSFilter, we have a whole labs team and all they do is figure out what is the new thing that came out today, or this morning, or the last five minutes. Luckily our data gives us a bit of some clues about malicious domains that are happening in real time.
So that's very cool. It's hard to stay up on. It's good to have a team behind you doing that. I think I've heard you talk about this before, but you've had a good bit of experience in various roles in the SOC and now you are an entrepreneur in the space. What do you think is the best strategy for someone else to break into the cyber industry and potentially be an entrepreneur of some sort in the future?
[00:17:01] Quinn Varcoe: Don't give up. I think that's the biggest one. So I broke into cybersecurity at 18 with no degree, experience, or certification. And the way I did that was I just walked into like office buildings and I was like, can I work here? I'll do anything. I'll do an unpaid internship. I was just begging people for work.
And actually, literally the first place that I walked into, the CEO came out and I shook his hand. I didn't know it was the CEO, and I was like, is there somebody I can talk to about a job? Like, I'll do anything for an unpaid internship?
And he goes, we don't do unpaid internships, but we'll interview you for a full-time position. I didn't know what a SOC was. So I walked into that interview. I did terrible on the interview. I had no idea what I was interviewing for, but they had somebody who worked night shift who got food poisoning.
And so he was not able to work, which came in perfect for me because they wanted to have redundancy on night shift and they needed somebody to start immediately. And that was me.
[00:18:01] Mikey Pruitt: You're like, I can start right now. Yeah, you're hired. That's awesome. So tenacity, I would say, is what got you in. And so I was actually thinking, what about certs versus college?
And it sounds like those don't matter. Like, that doesn't matter. What matters is persistence, skill,
[00:18:22] Quinn Varcoe: skills. Yeah. So I think that, initially, getting my foot in the door, and I'll tell this to everybody, getting your foot in the door, you just need like your Security+, and then you need to go beg for a job, because it's just cold calling someone.
Maybe you'll get a 1% response rate, but eventually you'll find somebody who will take you on. As far as technical stuff, I think a degree is not important. I think college degrees are often ignored, at least in this, specifically in incident response. Certifications too. But there's a few very well respected ones, like the GCIH from SANS, the Incident Handler certification.
That one's good. I have a ton of certifications with SANS 'cause I ended up going back to college at SANS to get certifications. It was easier that way. But I think don't focus too much on certifications, and yeah, focus on skill. That's more important.
[00:19:20] Mikey Pruitt: How would you recommend showcasing that skill?
[00:19:25] Quinn Varcoe: So on my resume, I still have a one page resume. I tell everybody, make a one page resume. And literally it should be just your experience. And then if you have some stuff you've done that's not in your job history, then you should make a project section where you can talk about projects you did to gain that experience, or projects you did that showcase very specifically
What makes you a good fit for the new job that you're looking for.
[00:19:55] Mikey Pruitt: Do you have any type of home lab? Do you do any testing, like on cloud servers? Yeah,
[00:20:01] Quinn Varcoe: Originally when I was getting into this stuff I had a big home lab. I had a malware lab and then I had a separate network to detonate malware on, and I had a whole bunch of crazy stuff.
I don't have that anymore, 'cause I moved and I wanted to thin my equipment. So now at Blueberry Security, we actually have a testing subnet where we have all the same stuff available and it's all virtualized, which is really nice 'cause all of my employees can touch it as well, and they can play with it and set up new things and mess around and see what works.
[00:20:35] Mikey Pruitt: Yeah. So you still have it, but you don't have to maintain it, which is way better. Yeah. You're like, oh, blew up the lab. Sorry guys. Somebody can fix that. Yeah, somebody wipe that subnet and let's make a new one. That's very cool. So now you're like the accidental entrepreneur, and you had mentioned that you had been on this big marketing push.
What do you think has been like the most difficult thing starting your own business?
[00:21:00] Quinn Varcoe: The most difficult thing is having enough money to start your own business. It is incredibly expensive. Everybody says that, but the amount of costs I did not expect that came up last minute.
And it's, oh my God, I have to spend more money. I don't have any more. That just keeps happening. So consider getting an investor early if that's the way you wanna go, or try to not necessarily write out a business plan. So I didn't write a business plan, I just started doing it, and I think that's better, but
try to budget and track your spending. And just because something seems like a good idea at that time, don't forget that you can always drop it later, and do not spend money just because you decided to earlier. You can always stop that service.
[00:21:49] Mikey Pruitt: Yeah, like the sunk cost fallacy. Oh, I thought Google Azure was gonna be the thing, except now I'm $5,000 deep and I've got one lead or whatever.
So I'm just, cut it off. It's fine. Just say failure, like, no, next. Yeah. Just like you would in network security, you'd be like, no, that was wrong. Let's do something else.
[00:22:05] Quinn Varcoe: Well, and I think something important too is that when you start looking into marketing, you need to look at the cost per lead, and that's the only thing that matters.
How much money am I spending to generate one customer? And then of course, your question is, how big is that customer and how much money will I make from them? But the reality is that Google Ads was not a good fit for me, but thought leadership was, because thought leadership was
not only free, but I was really good at it and I generated like a hundred leads from 10 minutes of work. Yeah. And that's way better. So it's gonna depend on you, but I think in this industry the two things that I settled on were: I built an outbound sales team, and then I also still do thought leadership.
I appear on podcasts. Try to be visible.
[00:22:54] Mikey Pruitt: Yeah. Yeah. A lot of people are like, but I don't want to be on camera. And it's easier than you think, because everyone has an opinion. Like you and I, we both have opinions, and if you just put a camera on us, we'll say something, you
[00:23:09] Quinn Varcoe: know?
Yeah. I agree with that. I am also scared of the camera, but you just gotta show up.
[00:23:15] Mikey Pruitt: One last question. Your first name, Quinn, is Quinlan. And with your last name together, Quinlan Varcoe, which to me sounds like the perfect super villain name. So I'm just very surprised that you're on the white hat hacker side of the game, blue teaming versus being a bad guy.
Did that ever strike you? Like your name is oh, I should be a bad guy. Totally.
[00:23:39] Quinn Varcoe: It's funny. No, so when I got into cybersecurity, I was living in Europe doing like foreign exchange in high school. And I was hanging out with the identity thieves and I just started getting into cyber crime, and I,
[00:23:55] Mikey Pruitt: that's how I wanna get started in tech.
It's something pretty much illegal.
[00:23:59] Quinn Varcoe: Yeah, so that happened and I was like, I need to find a way to make sure I'm secure because there are terrible people out there. And I know some of them. Exactly.
[00:24:13] Mikey Pruitt: All right. We'll see you on an episode of Darknet Diaries real soon.
[00:24:17] Quinn Varcoe: Maybe.
[00:24:19] Mikey Pruitt: Thank you for showing up, Quinn, and giving us some kind of details on the SOC.
It was very interesting for me to learn and I hope the audience gets some value as well. Thank you.
[00:24:28] Quinn Varcoe: Yeah, no problem. Thanks for having me on.