Humans, Dogs, and Cyber Threat Intelligence
Sherrod DeGrippo talks about working tirelessly with her team to protect Proofpoint customers
–Di Freeze, Managing Editor
Northport, N.Y. – Sep. 24, 2019
Sherrod DeGrippo, senior director of Threat Research and Detection at Proofpoint, has loved computers since she was 14 and joined her first BBS (Bulletin Board System) in the early 1990s. “It was a BBS hosted by Thrasher magazine,” she recalled.
When she was 19 and in college, she saw a job posted on campus to work at AT&T doing database administration. She took it and later went to work at a commercial ISP as a system administrator.
“In 2003, there wasn’t much of an ‘infosec’ industry like there is today,” she said. “At that ISP, one of our customers was breached, and I decided I’d work the breach and do the incident response.”
It turned out that the customer had installed a vulnerable version of phpBB (an Internet forum package written in the PHP scripting language).
“It was hacked by a group called ‘Hacking Team’ based in Turkey,” she said. “They installed a bunch of animated gifs and autoplay .wav files on the site. Quite the sensory experience! It was an easy case, but it was fun.”
From there, DeGrippo went to work at the National Nuclear Security Administration (NNSA) as a security analyst.
“That was a role that I really enjoyed,” she said. “I worked with some amazing people who I again work with today in my current role. At NNSA, we were tasked with protecting the technology that powers our nation’s nuclear weapons stockpile. I assisted NNSA sites and US national labs with improving their information security posture, understanding potential cyber threats and monitoring their network activity.”
DeGrippo enjoyed that work, including learning a lot about counterintelligence threats to technology and systems. She later worked for SecureWorks as a senior security consultant and Symantec as senior solutions engineer. Through her roles with those companies, she developed her love of security services.
“Working in customer environments to deliver managed services and professional services to security clients is something I grew to love and feel comfortable with,” she said. “Information security vendors are a great place to work because you have exposure to so many different environments and people. Plus, you’re able to apply what you learn to protect hundreds or thousands of organizations all at once. Vendor work has allowed me to have impact at scale with my efforts and see protections have mass effect across a multi-enterprise customer base.”
In her role as senior director of the threat research and detection team at Proofpoint, DeGrippo leads a large, international team of “highly talented threat researchers and intelligence analysts who work tirelessly to protect and inform Proofpoint customers.”
“They all have their own different focus and specialty, but we work to the same mission — protect and inform,” she said. “They do this generally by looking at individual threats as they come across email or network vectors. Once they’ve got enough samples and data, they’ll create a detection and deploy it, or write up an intelligence brief. The team does a lot of pulling down malware samples and getting to know them inside and out, then using what they’ve learned to help our customers be better protected. This is the most talented, smartest and most caring group of people I have ever worked with. They’re also hilarious and help keep us all in good spirits when we’re working on stressful projects.”
DeGrippo has worked remotely for about 11 years, including leading remote teams for about 7, and talks about how she does it successfully.
“For me, communicating with my team means using the method they’re most comfortable with whenever possible,” she said. “Some like to jump on a zoom video call, and others like to chat via text. Occasionally they’ll use email. I try to match my style and medium to the one they prefer most. We also do video meetings frequently with the whole group. It’s fun to see their workspaces and occasional pet. I once was on a video meeting with 4 humans and 5 dogs on camera. That was probably my favorite meeting.”
Her team is spread across time zones from Europe to the U.S.’s West Coast, which means being careful about scheduling. “It’s not hard to start early for Europe and then end late with the West Coast,” she said. “I try to be available via chat as much as possible and then schedule meetings that allow me to get the most communication with the teams live. I try to only start early or work late and not do both, but it can be hard if something unexpectedly comes up.”
DeGrippo says she’s typically in 8-10 video meetings a day, so travel is a very productive time for her. “A few hours on a plane is a great time for me to catch up on email, read through documents or polish up deliverables I’m working on. I typically don’t purchase Wi-Fi and put Outlook in ‘offline mode’ to power through as much as possible with no distractions. Then when I land, I sync my outbox and start over again.”
DeGrippo doesn’t hesitate when it comes to answering what she likes best about her present role. “I love my team and our team culture. It’s a really fascinating group of people, and our team group chats have a lot of opportunity for showing absurd threat lures, weird network activity, mysterious malware behaviors, etc. It’s a constant scroll of what’s happening on the internet threat landscape with the occasional hilarious comment or gif.”
One of the things she loves is when her team finds a crazy lure and tags her in group chat to check it out. “For example, we saw a steganography image that used Super Mario brothers — but only in Italy. That same actor used Supreme and other designer clothing logos for Japan-targeted campaigns.”
She said the data they have is vast considering they have more than 6,400 enterprise customers. “Looking through that data and finding trends is one of my favorite things to do at work. I start to see patterns in certain verticals being attacked, then in certain regions, then I see the specific people being attacked and I can put the threat campaign in context. As an example, retailers in Germany being targeted, but only their store managers. That’s interesting stuff! Then we start looking at the email lures they’re using or the other parts of the campaign that make it unique. Threat actor psychology is something I’m fascinated by, so I like to research the targets and understand why they might have been chosen for the attack.”
After working at quite a few information security vendors — LURHQ, Secureworks, Symantec, Nexum and now Proofpoint — she explains why working in “vendorland” is somewhat of a different working style than being in security operations at a single organization.
“Vendors protect multiple organizations with their products and services so the amount of impact that our work has is massive. I like that feeling of knowing that we’re focused on one thing. Proofpoint wants to protect our customers. That’s the goal of the business and if we execute well on that, we are successful. It’s not just my team but the entire company who is focused on protecting customers. That focus is unique to security vendors who have security as the most important goal for the whole company. No distractions, no other focus — protect and inform.”
DeGrippo’s team is mostly male researchers. She has some advice for anyone, including women, who wants to get into information security. “Start now!” she says. “Join the mailing lists, read the blog posts, grab the samples and start analyzing. Find a piece of it that you love and learn everything about it that you possibly can. Whether it’s a protocol, an application, an attack style, anything. Start learning it now. Don’t wait to find yourself employed in that role to do what you want to do. Investigate and work on it now. Then take that experience with you to your next interview.”
She said that her team is very fortunate to be a part of Proofpoint’s intern and new college graduate programs. “We have interns and new grads on the team and that’s one of the things we look for in our candidates. We know people early in their career won’t have years of experience. But they may have a deep interest in botnets or breaking DNS. If they can talk about that and their interest in it and what they’ve done to investigate it, it’s a big sign they’ll be successful on the team.”
DeGrippo said there are so many people she looks up to in the industry, including many of her current and former co-workers. “BBSs also had a huge impact on me and allowed me to learn a lot in a safe environment with minimal judgement,” she said. “While I don’t know them personally, the mailing list discussions between Darren Reed and Theo de Raadt were a huge influence on me when I was younger. Watching the interplay between Free and Open BSD and how they each decided to implement security controls in the OS informed a lot of my security philosophy.”
Something that really makes DeGrippo happy is to see empathy for the user being adopted across the information security community. “In infosec, we are charged with protecting information and systems,” she said. “Ultimately we are charged with protecting people and their access to those systems as well. Threat actors are attacking people far more than they’re attacking systems. We have to be able to understand the people side of the threat landscape and partner with our users and colleagues to protect them in the way that is most effective and least painful. Making infosec accessible and practical for everyone is very important, and to do that we need to see things from the point of view of our users and colleagues. Empathy for our users is key to a successful infosec program.”
DeGrippo’s empathy doesn’t stop with humans. She is a volunteer with Angels Among Us Pet Rescue in Atlanta. “I’ve fostered about 15 dogs so far,” she says. “I love animals, but I’m a dog person to my core.”
When DeGrippo’s dog of 16 years died, she decided to foster instead of getting another dog of her own right away. “It has been very rewarding to see homeless dogs come out of shelters or bad situations, and then after a few weeks they get adopted to their new family and are so happy,” she said. “Fostering is a safe transition to a successful adoption for dogs who have found themselves without a home.”
One of DeGrippo’s fosters ended up as a “foster failure” — she couldn’t part with a 2-year-old black lab mix and signed adoption papers. “We named her Sunshine,” she said. “Now she gets to play with the new fosters who come to stay with us, and she loves that.”
Sherrod DeGrippo is featured in “Women Know Cyber: 100 Fascinating Females Fighting Cybercrime.” To learn about more women fighting cybercrime, pick up a copy of the book.