Tales from the SOC: The cybercriminal who really wanted to help | S1 Ep001

Paul Ducklin

Join Paul Ducklin and SolCyber CTO David Emerson as they talk about the human element in cybersecurity in the first episode of our new podcast TALES FROM THE SOC.

Get insights into the opportunity cost of managing your own SOC, the importance of intent focus in security, and more.

Don’t miss this wisdom-filled podcast from the cybersecurity experts at SolCyber:

Find Tales from the SOC on Audible, Spotify, Podbean, or via our RSS feed if you run your own podcatcher app.

You can also download this episode as an MP3 file and listen offline in any audio or video player.

ETHEREAL VOICE.  Hello, caller.

Get ready for “Tales from the SOC”.


DUCK.  Hello, everybody, I am Paul Ducklin.

I am joined today by David Emerson, who is the CTO at SolCyber.

And this podcast isn’t quite “Tales from the SOC”, which David runs, but “Tales about a SOC.”

So David, let’s start by hearing about SolCyber and how the company came about, and most importantly, why it is like it is, rather than just copying everybody else.

DAVID.  Sure.

I’m CTO at SolCyber, and at SolCyber, CTO is a bit of a mismatched title.

It’s technical in nature, but also I run operations.

The remit we were given in 2021 was to build something practical, to build something that really could be used by small and medium enterprises, or by companies of all sizes that didn’t have a core competence in cybersecurity, to basically make themselves safe.

DUCK.  And even if you’re good at cybersecurity and have a small IT team, unless you’re a cybersecurity company, you don’t really want to be spending all that time looking after things that could be handled by specialists much more efficiently and much more proactively.

DAVID.  Right, our business is cybersecurity; our customers’ business is almost certainly not.

And beyond that, there is some work that requires intimate knowledge of one’s business, right?

If you’re a textile factory, you know a lot more about your textiles than we do.

Our work lifts a commodity burden that is unrelated, likely, to your core business, but will impact your core business if it is done improperly.

And so that’s really what we’re trying to provide.

My team and I have done this numerous times at enterprises where we’ve worked.

We’ve built this kind of an organization many times over, and what we’re trying to do at SolCyber is fundamentally recreate that as a service.

You know, recreate that pragmatic enterprise level security, as a service that’s accessible to more companies that may not be able to do the same themselves.

DUCK.  And a critical difference between SolCyber and some of the big names in cybersecurity (we’ll avoid mentioning them – everyone knows who they are) is that you don’t make the products.

You don’t build the anti-virus, and build the threat detection, and build the intrusion prevention.

You choose best-of-breed products, perhaps from several different stables, and put them together in a way that means the customer doesn’t have to go through that difficult decision of trying to work out which really is best-of-breed…

And isn’t faced with what you might call the other-side-of-the-coin problem where they think, “Oh, well, I’ll just buy everything from one shop, and hope that it really is as good as they claim, and that I really can get all the bits to work together.”

DAVID.  Yes, we don’t build our own tools, for the most part.

There are exceptions to that, but for the most part, we don’t build them for a couple of reasons.

You build your own tools when you’re either trying to exploit the profit margin intrinsic to building your own and subsequently selling it.

Or when you are building something esoteric; when you’re building something that really can’t be done by anything on the market at the time.

And so our theory is, honestly, that nothing we’re doing is esoteric.

The good in our pragmatic outlook is that the thing done competently and regularly is the thing which will be done well from a security perspective.

And so we believe that regularly applying principles that are competent is a really, really strong defense in itself.

We don’t actually believe in starting somewhere esoteric with most of our company’s efforts, including our own stack.

And so we see no shame in basically buying best-of-breed technologies, fundamental technologies, and where necessary sprinkling in the tools that may fill small technical niches that are not covered by those large technologies.

But, for the most part, we stay away from the game of esoteric things that are either to inflate our own margins or to inflate our capabilities in a way inappropriate to a pragmatic market.

So we don’t, and we have no shame in saying that we don’t, build our own tools.

We do build our own service.

And that service, again, it’s the security department you didn’t need to hire.

It’s the project risk you didn’t need to incur.

It’s the integration risk that you didn’t need to incur in making sure that all the things that you picked, whether best-of-breed or not, actually work together and can be implemented in your environment.

That’s what we bring to the table.

It’s not some kind of malware detection that you’ve never heard of and probably don’t actually need.

Because there are plenty of competent malware engines out there… you just need to use them.

DUCK.  Yes, and it’s surprising, when you look at the range of products available, how much of those products is done through cross-licensing anyway.

It’s always been quite an amusement to me when you look at things like test results.

And you see two products that you know, for example, have the same threat detection engine, and somehow they manage to get different results scanning the same zoo collection of malware.

And you think, “How can that work?”

I think that ties into the problem that many people have…

They imagine that it’s pretty easy to determine which is the right security product for them.

But the time taken to actually dig into cybersecurity software can be enormous, can’t it?

It can be just as difficult as using it correctly once you’ve bought it.

And SolCyber takes away the need for a customer to do that.

DAVID.  I think of that as the project or program risk.

It is true, that effort is tremendous.

And I think the legacy of that effort is borne out in many companies’ portfolios of products they haven’t actually implemented, or have unsuccessfully implemented, or have partially implemented, or which are islands of data unto themselves if fully implemented.

That’s something that we attempt to de-risk significantly by doing that testing, but also by providing that experienced, integrated product.

It’s not that you can’t do this yourself.

Certainly, if you hire people like our team in-house, then you can build a lab that would be capable of testing some of the products out on the market.

But that effort would very quickly distract and drain resources from what is likely to be your core competency as a business.

DUCK.  Absolutely!

If you’re a bakery, you should be baking rolls, and croissants, and baguettes, and loaves, or whatever it is that you bake… cakes!

You shouldn’t really be messing around with cybersecurity.

DAVID.  Yes.

DUCK.  And it isn’t like going out and test-driving two or three cars when the time comes and your lease is up.

You think, “I’ll get a new car; I’ll go and try a few of them out.”

It’s much more complicated than that, isn’t it?

Because you’re actually buying lots of moving parts that you have to fit together.

DAVID.  Yes!

DUCK.  It’s almost like you’re actually trying to build your own gearbox, which is a much more complicated problem.

DAVID.  Oh, it’s boundless; yes, it’s crazy.

DUCK.  Now, SolCyber’s website has a little catchphrase that I just happen to like.

Big letters on the front page.

It says, “Stop the insanity.”


Cybersecurity has become one of those industries where the better we get, apparently, at doing it, the more complicated it all becomes.

And so we have more and more and more tools, more gears in the gearbox, more shafts, more cogs.

Now, SolCyber aims to take that problem away and to bring back the human angle.

SolCyber is a company that’s run by humans for humans.

DAVID.  Well, we emphasize the human angle because I think that’s the value we bring to any given engagement.

I don’t really think there’s much special about any given set of tooling out there.

It’s selected for a reason; it’s presumably fit for the purpose intended.

We ensure that our tools are both, but at the end of the day, a human being is a much more flexible entity than any given tool.

So I really don’t believe that even the advent of AI obviates the need for human design of systems accommodating strategies, business strategies.

AI is not going to tell you what tools to cobble together to do what you want to do, or what vision is in your mind, or to enable your business to keep turning out croissants.

That’s not something that AI is going to be able to do for you at this point.

DUCK.  I agree with you there, because I think that where AI works really well in cybersecurity is removing the parts that are not just drudgery, but that are very time consuming and can be reliably automated.

Like filtering through 17,000 malware samples and going, “You know what? These are the three that we need to concentrate on,” if you’re a threat researcher, for example.

But when it comes to actually dealing with real-world threats, and coaching people through problems that they may be having or through fears that they’re facing that aren’t caused by cybersecurity but feel like they are…

Then that human-to-human contact is extra-super important!

DAVID.  Yes, that’s one aspect of it.

I also think just the “service area” of any given incident, which is nearly boundless and often untrainable…

You’re not going to learn by rote, or program into a process, or document, every kind of incident that is going to occur among our customers.

You know, the details are important and that’s something that requires a human understanding of what this company is trying to do with their money; what this company is intending to do with their product; where they’re based; who they are; and how they like to solve problems.

All of these things are significantly more interpersonal than I think is acknowledged by services that attempt to just template everything.

We do certainly template some things… you can’t run a business to scale without that.

But, at the end of the day, our value and what we promote as important to ourselves and to our customers, is the humans that provide that service, and their ability to be flexible.

DUCK.  Absolutely.

Do you want to be 728th in the queue to hear the same answer that everyone else will hear?

DAVID.  I think it’s how to become undifferentiated, for sure!

It’s one of the reasons we never established a call center.

Everybody is expected to be professionally competent, to be personally responsible for the decisions they make, to be transparent, and to be technically skilled.

There is no such thing as calling SolCyber and getting someone who’s just going to automatically pass you on to someone else.

That isn’t permitted.

DUCK.  [LAUGHS] Yes, I’ve never understood that… what people call first-line support.

Often, it’s just an opportunity to practice what you’re going to say so that when that person closes the call to meet their KPIs, and hands you on to second-level support, you can say exactly the same thing all over again.

Why don’t they just start you with the person who knows how to answer the question?

DAVID.  Well, because it’s expensive.

I mean [LAUGHS], there are definitely some reasons that you might prefer an approach that simulates skill earlier on.

I have to say, I don’t like it either, but I can see why it happens, and we just try to avoid that.

Fundamentally, we feel like the culture in the company is better when people are personally accountable and professionally able.

And we also feel like the customer response to, “I called and I got a real person,” or “I emailed and I got a real person,” or “I know someone there”…

That kind of paradigm is just significantly easier to market to customers, and to see customers appreciate, both through its technical achievements and just through the interpersonal experience.

DUCK.  And it just feels to me that it must be safer, because if you think about how the cybercriminals are doing a lot of their attacks these days…

Whenever there’s a need to contact the crooks, like if they somehow feed you a rogue phone number, you can bet your boots that when you call that number, someone will answer pretty jolly quickly, and they’ll be all the things that the automated level-one support people in the rest of your life aren’t.

And if the crooks are doing that, it kind of suggests that it probably works quite well.

DAVID.  Yes, it’s really funny you bring that up.

This is just a totally random anecdote, but it’s genuine…

I actually worked with a company once that I was helping to get through a loss of product.

It was a breach where they had basically discovered their extremely esoteric product in the wild.

They developed a cybersecurity solution that was watermarked at every build.

And so you knew, if a particular build that was sold to a particular person got out in the world…

You didn’t necessarily know how, but it was traceable.

DUCK.  [LAUGHS] Oh, you say you could tell who the “naughty boy” was?

DAVID.  You could tell who the naughty customer was, but you couldn’t necessarily tell how many hands it went through to get there.

The point of the story is that as part of my investigation to help them, I purchased this software that had been stolen from a person who was conducting a black-market operation on Telegram.

This product was esoteric; it really was poorly documented; it was not a common kind of cybersecurity product, but necessary; something that was prized by the people who needed it.

So I bought this off of them in cryptocurrency.

And as part of the transaction, they asked me if I needed instructions to install it, to use this product.

And I just declined because really I wanted it so that I could understand what package this was, and what hands it had been in on its way back to me.

Basically, this individual who was selling it to me just absolutely encouraged me to take them up on their free offer of assistance.

So, out of curiosity and much encouragement from them, I did.

And all they were genuinely trying to do was help.

DUCK.  [LAUGHS] Oh, dear!

DAVID.  They gave me a series of PDF documents in which they had developed screenshots and step-by-step install instructions on how to use it.

And basically, they were saying, “This product is terrible. The documentation on the website is terrible, but I fixed it for you. I want you to be a happy customer, and here are your docs. If you have any questions, let me know.”

It was an embarrassment to the original vendor, to the person who had hired me.

Fundamentally, they didn’t give their customers support like this on a product that honestly needed it.

Their installer was terrible; their product was esoteric and strange… and that’s something that even the operator of a criminal market in this product could see plainly and was willing to overcome.

They were willing to basically produce a set of documents that if they’d been made by the actual vendor themselves would have been sufficient.

I mean, the criminals know what sells.

And they’re probably a better indicator than a lot of commercial entities of what it is you need to operate a product in your environment.

DUCK.  And the big thing these days, of course, is human-led attacks, isn’t it, or “hands-on-keyboard” attacks?

The crooks may rely on vastly automated techniques to send out millions of emails, to try and get thousands of people on the hook, and figure that hundreds of them are actually worth attacking, and ten of them float to the top of the list.

Then they go out of their way to find their way into and around that network.

To the point that in many cases, they’ll end up with a better map of your network than you’ve got yourself.

DAVID.  Yes, probably!

So I do think automation has a place.

When I espouse this notion of, “Do things regularly and competently and they will be successful; your protection will be sufficient”…

I believe that automation’s a big part of that.

And so I actually do think that there is a role for automation.

But I think, at the end of the day, that the reason a hands-on-keyboard attacker is able to pick at your environment or discover your environment in ways that you might not yourself be able to is because their motives are purer.

I’m not speaking morally when I say their motives are purer.

But you know, they have a purer focus.

DUCK.  Exactly.

DAVID.  They have essentially an intent that is bounded much, much more tightly than yours probably is.

And all of that’s to say that you need to have some automation to overcome the noise that is your daily life, and that is preventing you from being able to achieve that sort of tightly-bounded pure intent.

So, when you have SolCyber, there are some things you need to do that are very automatable.

You need to deploy agents on many of your machines.

Those agents need to be effective; they need to be on; they have to have policies applied or running on them.

We help you with much of this, but at the end of the day, if you don’t deploy a solution, it will not be effective.

You have to have constant analysis of the data that those agents are turning out.

So if you have an anti-malware agent that you’ve rolled out to all of your install base, you need to have some kind of a SOC that is actually going to respond to incidents that it raises.

And we provide that.

DUCK.  And running your own SOC is not an enterprise to be entered into lightly, is it?

Even if you’ve got the time and the expertise and the right number of people to do it, if that’s not your business, you should probably be using that time and expertise on the thing that is your business, like making the croissants.

DAVID.  Absolutely!

I mean, for a single shift…

To run it humanely, and that’s single-threaded, you’re talking seven people.

I don’t know a lot of businesses that think seven headcount is just no problem at all.

And even if your business is one of those, do you think 14 headcount is no big deal?

Because that’s what it’s going to take to have anybody want to take a sick day, or have a little bit of time off, or maybe just have an unusual schedule shift around holidays.

So, getting into the SOC business?

It really is rare that a company that requires 24/7 security can actually provide themselves 24/7 security in the form of analytics.

DUCK.  And if they try, there’s a huge opportunity cost for them in doing that, isn’t there?

There’s all the other stuff that’s directly relevant to their business that they can’t do because they’re doing what SolCyber could do for them.

DAVID.  Oh, tremendous.

Those seven headcount could have been bakers at the patisserie, or whatever.

It’s something that absolutely is an opportunity cost to any business that isn’t a cybersecurity business.

Then you get into the matter of automation versus human flexibility.

DUCK.  David, I think that’s a great high point on which to end when it comes to the whole idea of “run by humans for humans.”

DAVID.  At the end of the day, regardless of whether you go with SolCyber or not, what you need to do is something that is repeatable, competent, preferably packaged and integrated…

And that’s what we provide.

DUCK.  And trying to buy the bits of the jigsaw and put it together yourself…

It’s probably possible, but it’s almost certainly going to take an awful lot longer than you thought.

DAVID.  It’s possible.

We’ve done it, my team has done it, many times at other organizations, both for that enterprise and for enterprises adjacent to their direct enterprise.

But it’s millions of dollars; it’s head count; and it’s a distraction from your core competency, which presumably is not cybersecurity.

So find me on LinkedIn, ping me… I’ll get you to the right person.

DUCK.  And it’s a lot easier to do it right when you’re doing it for the 12th or the 24th time, isn’t it?

DAVID.  Absolutely!

Even as a human, even when it’s not all as automated as we might imagine, it is absolutely easier to do it when practiced.

DUCK.  That’s a lovely way to put it, David.

Thank you so much for joining me on this podcast.

If you’d like to know more, simply head to SolCyber.com.

And if you’d like to read some of the technical and business articles that SolCyber publishes, you can find that content at SolCyber.com/blog.

Thanks for listening, everybody, and until next time, stay secure.

Catch up now, or subscribe to find out about new episodes as soon as they come out. Find us on Audible, Spotify, Podbean, or via our RSS feed if you run your own podcatcher app.
