So what is your name and role?
My name is David Campo. I'm director of cybersecurity incident response for the state of Tennessee.
How long have you been working for the state?
19 1/2 years or so.
What can daily life look like working for the state?
Pretty much anything. The best way I think I can answer this question for you: I've been on the cybersecurity team since right around the 2015, 2016 timeframe, officially on the cybersecurity team. Cybersecurity has changed a lot. When I first joined the team back in 2016, it was really monitoring networks, monitoring antivirus alerts, maybe collecting VPN logs, collecting other types of log sources. But that has all changed because... And I'll kind of get to the point of what you're asking for in your question: cybersecurity includes the Internet of Things. Anything that is connected to the network is in scope of cybersecurity. And so it's... Everything is a cybersecurity issue these days. And so with that, whether it's your phone that's connected to the network, whether that is, I'm talking about something personal, whether it's your thermostat that's connected to the network, your Ring doorbell, whether it comes to your refrigerator that's connected to the network, it's all in scope of being a cybersecurity incident, if you will. Of course, here at the state of Tennessee, we're not monitoring refrigerators or Ring doorbells, but anything that's on the state's network that we monitor is in scope for monitoring. My day-to-day can be anything dealing with the network, anything dealing with servers, anything dealing with applications, anything dealing even with phones, anything dealing with Wi-Fi, anything dealing with cloud technology. So, you know, now cloud is prevalent. So whether you're talking about Azure, whether you're talking about AWS, which we have a footprint in both, whether you're talking about Google GCP, we have a footprint there, whether you're talking about IBM's cloud, you have to be able to safeguard those assets in those clouds. And so, you know, my day-to-day can be anything from cloud technologies to endpoints, meaning workstations, desktops, to user accounts.
So what I mean by that is that as a team, we're reacting to various cybersecurity events during the day. And though I don't deal with those cybersecurity events directly, I have a team that does those things. I constantly keep a watchful eye on how those things are being handled. Also, tabletop exercises are another day-to-day item that I'm keeping an eye on and that my team handles. Those are just a few things. It's hard to explain the A to Zs of cybersecurity, but in this day and age, it can hit you from any direction when it comes to information technology and cybersecurity. I hope that answers your question.
Which security tools and technologies do you use for incident response?
So the tools that we're currently using today, I'll tell you the first one: when I came on board, we were using a SIEM. That's Security Incident Event Manager. EDR, of course, we were using antivirus when I first started with the state in 2016, but right around 2019 is when we got EDR. In enterprise, you can't have antivirus without EDR, and EDR stands for Endpoint Detection and Response. You have to have EDR today for your enterprise. We also have content filtering. And so everybody accesses the internet. And so we do have a content filtering company that we use. I'll go ahead and tell you the name brand. It's called Zscaler. And so, you know, Zscaler is on everybody's workstations and desktops. And so as they access the internet, it is a man in the middle. It's a proxy, is what it is. And so it's inspecting all the web pages, all the downloads that employees are doing through the day. That is a very, very important tool today, as well as antivirus and EDR. So those are three particular products that I've mentioned. I'll mention another one, and that is our email security gateway. You really can't have an enterprise without a multilayered approach to email security. So we use Proofpoint today. And so just a quick synopsis, just in case you don't know what it is. Proofpoint's actually looking at all the emails coming in and going out of the state. It's following all the URLs, and it's sandboxing all the attachments. So I shouldn't say all. The ones that are known, it just allows to pass. The known URLs, it just allows to pass. But if it's an unknown URL, unknown payload, it's going to detonate it in a sandbox and determine if it's malicious or not. And it has the ability to block attachments, it has the ability to block URLs, it has the ability to block emails. Email security gateways are important, and I'll mention another term too, and that's called defense in depth. We don't just depend on Proofpoint.
Proofpoint is a great product for us because when you're talking about the number one attack surface in cybersecurity, it's the employee. And how do the attackers get to the employee? Well, that's through email. And so you have to have a good system in place that can monitor those emails and make pass/block decisions. But where the defense in depth comes in is we have another layer. And that layer is Office 365. And so if Zscaler doesn't catch everything, Office 365 will catch some things that Proofpoint misses, you know. No system is perfect, but it's good to have an extra layer. And then as those emails come inbound, we've got a third layer, which is the employee. So another tool is our actual... we train employees in cybersecurity. So we have cybersecurity training that employees go through every year. And so that is a tool that we use to educate employees on various cybersecurity issues, including phishing. So if that email gets to the user and they decide to click, then what's the next layer? So the next layer can be your antivirus/EDR, and then the next layer can then be Zscaler, since it's inspecting everything going out to the internet. And so between all of these layers, we're trying to protect the employee and protect state assets from attackers. And trust me, they attack 24 hours a day, seven days a week. You can look at the Proofpoint tool and look at the number of blocks of emails coming inbound, which also includes spam. But a large portion of the emails that come into the state of Tennessee are actually dropped and never actually make it to the state employee. That's because attackers are constantly trying different techniques, trying to do different things throughout the day and night. They are relentless, just put it that way. So we talked about the SIEM, which today we're using Keyrock. We're kind of migrating over to Splunk. We talked about the email gateway. We also talked about EDR and antivirus, which we use CrowdStrike for.
That's the other tool that we're using today. So those are kind of the main tools. We have other tools as well, but those are the main ones that I think are good talking points.
Can you explain how you approach the incidents? Like, if there was an attack, how you would approach it?
So approaching incidents is nothing new. So within an incident, there's actually a structure that the incident response team follows. And so really the first step of an incident is going to be research. And so as an incident responder, you're going to research that incident, right? So it could be a user that's calling into the help desk. It could be an alert that came in via a log or from EDR or from Proofpoint. We also receive email alerts for incidents, right? The first step is to actually review that incident to determine if it's a true positive or a false positive. That's the first step. Let's just say, for example, it's a true positive. The next step is to make a determination of impact. That's usually the first question that you ask: what's the impact here? Someone clicked, their machine has been compromised, what do we do? And in most cases, we'll isolate that workstation or that desktop if it's been compromised. From there, now in the past, what we used to do is we used to reimage the machine, reset all the passwords, including revoking all access tokens to a particular account. But today with CrowdStrike, not that they have a no-reimage guarantee, but any workstation that's been compromised, they're able to reverse engineer what's been done, and we can kick that workstation to the curb without having to send it in to be re-imaged, and that can be really a time saver. Since we've had CrowdStrike, we haven't had to do that yet, fortunately, or call on them to reverse engineer anything for us, but the technology that they use, they're able to reverse engineer anything that we get. Basically, what I'm trying to walk you through, Hunter, is you've got containment. You want to contain the issue, then you want to recover from the issue, and then you have lessons learned from a particular incident. You're looking back through the way that you've handled an incident, and you look at ways in which you can improve your cybersecurity incident response.
And so things may come up like, well, we weren't able to contact a particular person within a period of time. Do you keep a contact list? Yes or no? No. Well, why don't we have a contact for this person? That could be kind of a process improvement thing. Or, you know, within a cybersecurity incident, depending on how big an incident is, it could be isolated to a particular account. It could be... It could potentially be an application. It could potentially be a server. It could potentially be larger than that. And so when you're going through a cybersecurity incident's lessons learned, you have to kind of look back at how you responded to an incident, how quickly you were able to respond, any problems you had in responding and containing a particular incident and recovering. You can uncover a lot of lessons learned. Those steps that I've mentioned to you, Hunter, are actually documented in, I think it's NIST 863. Within that document, it lists out the proper steps of cybersecurity incident response. My team follows that cybersecurity incident response framework. And that's also based on one other document that we maintain, and that's called the Cybersecurity Incident Response Plan. So every organization should have a CERP, or Cybersecurity Incident Response Plan, that lays out how your cybersecurity incident response team is going to respond to an incident.
Are there any projects that you and your team are proud of?
I'm glad you asked that question because I do have a couple of them that we're recently closing the books on that I'm very, very proud of. I'm not a project manager. My team's not a project management team. We're not an operational team. Cybersecurity, you know, your incident responders really shouldn't be on the operations side of things. But things change and we adjust and we adapt as needed. Because when you're talking about the state of Tennessee, you're talking about 40,000 endpoints, 5,000, 6,000 servers, untold accounts and untold needs and cybersecurity needs. And recently, as I had mentioned, we moved from an old antivirus company, Symantec, that was being managed by another STS group. That's STS, Strategic Technology Solutions, which I'm a part of and which the Incident Response Team is a part of. But we had another group, Endpoint, that was taking care of Symantec Endpoint Protection. And what we did was we migrated to CrowdStrike. And so my team was directly responsible. Your father sponsored the move to CrowdStrike. And my team was responsible for deploying CrowdStrike and removing Symantec Endpoint Protection. We did that with the help of a lot of people within STS. My team alone didn't do it, but our team is ultimately responsible for that deployment and configuration of the CrowdStrike sensor, including EDR policies and firewall policies that were distributed throughout the state. And we did it. We're not an operations team, but we got dirty. We read the books. A particular team member that I have got certified in CrowdStrike, and we marched forward and deployed it to over 40,000 endpoints, over 4,000 or 5,000 servers. So that's one that I'm very proud of. And we're still wrapping it up now. We still have a few workstations. When you have 40,000 endpoints, there's always going to be a few that are hidden that still have Symantec on them. We're kind of cleaning that up now.
But real quick, the second project that I'm really proud of is deploying Zscaler throughout the state of Tennessee. That was a project that a lot of people didn't think we'd be able to do or do successfully. And it was one thing that we needed to do. We had to change from another content provider that we had, using kind of an older technology, and we went to a newer technology called Zscaler, and that is not an easy project. But, you know, my team was responsible for deploying it throughout the state of Tennessee. We did it and we did it with minimal interruption. And we're doing it today. And so that is another one; I have to say that I'm probably a little bit more proud of that one than I am CrowdStrike because of just how many naysayers there were out there that said that we wouldn't be able to do it without causing a lot of interference, ruffling a lot of feathers, and causing a lot of problems. But we got through it. And so I'm very proud of the team, including we had a project manager for that one. But there were also a lot of other people within STS that assisted us in the deployment. But I have to say that that is probably a very proud achievement, being able to do that project.
What would you say the most challenging part of your job is?
Not the technology. I'd say the most challenging part of my job... Let me think how I'm going to word it. More than anything else, I would have to say that when you're in cybersecurity, most people want to work with you on cybersecurity issues, but a lot of people don't. A lot of people, they know better. For whatever reason, I guess the best way I can kind of just break it down without monologuing for too long is to say it's usually the people. Some employees are difficult to work with. Most employees are great and easy to work with, are amenable. And they just want to work with you to get things done. So the most challenging part of my job is, I'd say most of the time, it's working with other groups and accomplishing those things that you need to accomplish. Because not everybody's on the same page. Not everybody wants to be on the same page. And I have to continue to get better at my job role. And I have to continue to get better and learn how to work with difficult people better than what I do. So whether that be, you know, handling them differently or handling those situations differently with people, whether that be, you know, I don't always have to be the good guy. Sometimes I have to be the bad guy, whether it's learning how to do that. You know, I'm just trying to be honest with you, Hunter, and kind of a self-assessment there. I think sometimes I'm probably too nice. Or however it may be that I can handle things better to kind of get things done. I think working with other groups and sometimes working with others can be the most challenging part of this job. It's normally not technology, because usually technology works or it doesn't. And if you have good support for whatever products it is that you are implementing, usually you can solve those problems. Those are usually not your day-to-day headaches. It's usually the other groups you have to work with.
What skills are essential for working in your position?
The skills that I believe are essential are being able to work well with others. You know, having a good understanding of a lot of different types of technologies. I think that is a very important skill because if you have a good understanding of a lot of different technologies, you're more apt to be able to understand how to secure them. And then, being a director, what I like to do is look at things not from a micro level, but from a macro level and being able to identify, well, these are the things that we could be doing better. We can work with this technology or do that better, right? And so looking at things from a macro level is an essential skill. Not everybody can do that. A lot of people are micro, right? They view things micro, at a micro level. And so I'm not saying that people that are like that can't be successful. They can be. But I think it's helpful if you can look at things from a big picture standpoint and don't sweat the small things. Because the small things can drive you crazy. Understanding what's important and what's not important on your day-to-day is an important skill. The best way I could explain it to you is that being an employee, because I was an employee for, I guess, 18 years, 17, 18 years, whatever the time frame was, my head was down and I was working, right? Well, now as a director, I get to lift my head up and actually look around and see what's going on around me, right? And I think an important skill is being able to... when you're looking around, identifying what those things are around you that are important and being able to focus on those things to get projects done. So I hope that answers it. I know they're not... I can't say, you know, hey, C# is the most important thing, or understanding SSH or remote desktop or being able to code are the most important things. Because those are important things when you have a team.
You want to have an eclectic team: someone that's really good at Linux, someone that's really good at network, someone that's really good at Windows, someone that's really good at programming. Having an eclectic team is important to assemble so that, depending on the cybersecurity incident, you can cover them. But as a director, it's important to have a basic understanding of most of the technologies that are out there. I'd probably say that's pretty important. So I'm probably leaving a few things off of there, Hunter, but those are the things I can think of off the top of my head. Oh, yeah, here's another one, Hunter, for you. Being an effective writer. You know, a lot of people are good at talking. I blab at times myself. I can monologue. But it's very important to be able to be an effective writer, to be able to write down those ideas so that other people can read them. And to be able to convey messages effectively via writing is a very important skill. I'll tell you another skill. Keyboarding is an important skill. You wouldn't think it'd be too important. I think kids these days naturally get it. But one of the best courses I ever took in high school was something called keyboarding. We had a typewriter and we learned how to type. We learned home row and we learned how to type, and that has been probably the most effective skill throughout my IT career, being able to know how to type effectively. I've been very fortunate. I've always scored really high in effective writing, as being an effective writer. I think those two skills have really helped me. So those are all the things I can think of without droning on too long about them.