On Season 2, Episode 11 of the STEAM Boston Podcast, we speak with O’Shea Bowens, a cybersecurity enthusiast with a decade of information security experience. He is the founder of “Null Hat Security LLC”, which focuses on incident response, SOC training, and blue team engagements. O’Shea has worked and consulted for companies and clients in the space of the federal government, Fortune 500, and international firms.
O’Shea specializes in areas of incident response, network and systems security, security architecture and threat hunting. O’Shea founded Null Hat Security with the belief that a greater focus should be placed on personal engagements with defenders to fine-tune skill sets and knowledge of threats for best response efforts.
Follow O’Shea Bowen on Twitter: https://twitter.com/SirMuDbl00d
Check out Null Hat Security: https://nullhatsecurity.org/
Transcript of the Podcast:
Kunle Lawal:
Welcome to the STEAM Boston Podcast. My name is Kunle Lawal, the COO and cofounder of careerbyte. STEAM Boston Podcast provides dynamic and inspiring stories with students or professionals in STEAM fields.
Kunle Lawal:
Today we’re speaking with O’Shea Bowens, a cybersecurity enthusiast with a decade of information security experience. He is the founder of Null Hat Security LLC, which focuses on incident response, SOC training, and blue team engagements. O’Shea has worked and consulted with companies and clients in the space of the federal government, Fortune 500, and international firms.
Kunle Lawal:
O’Shea specializes in incident response, networking systems security, security architecture, and threat hunting. O’Shea founded Null Hat Security with the belief that a greater focus should be placed on personal engagements with defenders to fine-tune skill sets and knowledge of threats for best response efforts. He’s also the cofounder of the Intrusion Diversity System, a bimonthly hosted cybersecurity podcast. Stay tuned for more.
Kunle Lawal:
Start off by telling us a little bit about yourself.
O’Shea Bowen:
Yeah, sure. My name’s O’Shea Bowens. Currently located in Boston. I’ve been in Boston about three years, moved here from Sweden. I was in Stockholm before this and then New York, Vegas, and originally from Dallas.
Kunle Lawal:
Nice. So you moved here from Sweden?
O’Shea Bowen:
Yeah, correct.
Kunle Lawal:
That’s a pretty big jump.
O’Shea Bowen:
Yeah. My wife’s from here. We got pregnant while she was there, while we were in Sweden, so we ended up coming to Boston. The plan was to move to Boston even when we were living in Manhattan, but we just kind of had to streamline some of our plans. But it all worked out for the better.
Kunle Lawal:
Nice. Nice. So what are you passionate about?
O’Shea Bowen:
Pretty much, majority of my professional and personal focus lies in the areas like cybersecurity. So I’ve been employed and working in cybersecurity close to 10 or 11 years. Was introduced to security in the hacking community around 13 or 14 years old, so I followed that into kind of what I do now, really. Took a small break as I was in school. I studied fashion design, so the idea was to maybe move away from technology or maybe incorporate technology into something else. But ended up petty much coming right back into working in the field.
O’Shea Bowen:
And then, my personal life, it’s still in the cybersecurity space. I started a company, well, two companies here in Boston, Null Hat and Null Hat Labs. So Null Hat Security will serve as the nonprofit for reaching out to diverse communities, specifically people of color and underrepresented communities, and brings you more cybersecurity training and knowledge base and skills of challenges, and skills-building, really, around how you can potentially turn small bits of information that you may obtain through some of the courses we offer, and workshops, into an actual career in cyber.
Kunle Lawal:
Nice. So you kind of started at a very young age maybe like doing some hacking stuff. And then how did that feed into you get into an industry later on in the future?
O’Shea Bowen:
Yeah. Yeah, I’d say it was hacking, but I didn’t really have a clue most of the time what I was doing. It was kind of finding pieces of malware or finding malicious software viruses online, and really spreading those around through like chat rooms, and maybe before fishing was a thing, trying to find a way to email it to individuals at the time. A lot of individuals were on email in like ’98, ’99, 2000, it was mostly AOL stuff. And then unless you were on other bulletin boards or in other forums, you could send small things to people and hope that they click on. And then you finally see a connection on your end, so you’re like, “Oh,” and then you become immensely happy.
O’Shea Bowen:
It wasn’t really until I was maybe like 19, 20, where I really began to look at it as an actual career. I didn’t know that many people that were really making a living from it. Well, a legal of living from it. So I definitely wasn’t trying to go to jail, I’ll put it that way. So when I started to meet more individuals that were either working in the private sector or working in the public sector for the government, or different government agencies and defense contractors, what it did for me was pretty much kind of ignite this fire where you envision the possibilities of what you can potentially do with not only your career, but your life. And then you start planning… Or at least, I really didn’t start planning planning until I was like probably 28, around what’s going to happen over the next 10 years.
O’Shea Bowen:
I started to map out 10-year, 5-year, 10-year plans around my career and on my own personal development, which is something I still do today. Weekly goals, daily goals, and then yearly goals. Things along those lines. And the idea for me has always been soak in as much knowledge, become as best [crosstalk 00:05:45] Yeah, becomes a best cyber practitioner as I possibly can, then find a way to share that with others.
Kunle Lawal:
Yeah. What are some tools or technology you were starting to learn or train yourself in? Specific kind of cybersecurity work.
O’Shea Bowen:
Yeah, I mean, I think a lot of people focus on tools. I would focus on different practices or disciplines within like cybersecurity. Right? So like my initial interest in IT or technology was networking. I was really fascinated, especially at a young age, of how the internet worked. So I began researching that, speaking with different individuals in different chat rooms and forums, learning more around large internet cables that lay under different oceans that connect continent to continent. And then how those cables run into ISPs or run into massive data centers, and then how individuals like myself or you leverage an AT&T or a Verizon, or whoever it may be, to obtain internet connectivity. That was something that still is a fascination to me because it just keeps getting bigger and growing.
O’Shea Bowen:
But that was something that was of interest in me. So in order to understand how networking worked, I began to kind of research and become introduced to different tools to understand, hey, how do you read or how do you dissect network traffic? How do you understand what’s happening on your own network, and how do you determine what’s good and what’s bad? But mostly what’s normal, right? So there’s different tools, like the normal ones like Wireshark. Wiresharks are good. Packet analysis tools.
O’Shea Bowen:
So packet analysis essentially are the transmissions of communications for the internet to work, across the wire, whether it’s wireless or wired. So everything is transmitted in these small little packets, and I began to understand what makes a packet. Right? What does that consist of? And then from there, it moved from understanding network security to understanding different areas in system security and forensics and reverse engineering. But it was always moving from discipline to discipline.
O’Shea Bowen:
I think that’s a big misconception when it comes to cybersecurity, because people have this media or Hollywood glamour idea of like, oh, you get this tool and now you’re hacking.
Kunle Lawal:
Now you’re a hacker.
O’Shea Bowen:
Well, I mean, there are tools you can buy where you can literally just press go. A lot of the tools for the [inaudible 00:08:08] services or DDoS, those are literally tools you can purchase in different underground forums. And you literally just have to click go. You type in an IP address of someone you’re targeting or a website, and you just click the button and it does its thing. Of course, you can end up getting caught doing those things and you get federal time for those type of crimes now.
Kunle Lawal:
Yeah. I really admire the work cybersecurity people do, because I can remember when I was in college I studied computer science, and so we had to take classes in networking. And we’d use a ton of tools like Wireshark and the like, and I just couldn’t get it. It was like, seeing all the packets coming in, trying to sift through which information you need and which you don’t need, was so much… I don’t want to say headache.
O’Shea Bowen:
No, it can be.
Kunle Lawal:
Yeah. I was like, “Yeah, I just don’t get this.”
O’Shea Bowen:
No dude, I totally hear you. It took me a while to sniff through the noise. Even now when I have stuff I’m doing at work or consultancy engagements, you’re on networks that have 10, 20, 30, sometimes 45 people for different VLANs or different parts of the network and you’re trying to sift through that. Yeah, but over time you learn different techniques around, “Okay, I can disclude this piece of information. I don’t need that.” And now, that noise that seemed so big has been cut to like 90%. And then you get to the point of like, “Oh, I don’t need to see this because that’s not anything of concern.” You cut that 90% down to like 70%, and you keep going down until you start finding the interesting aspects of the traffic that you’re looking for from like an investigations perspective. And the longer you do it, like everything else, the better you get at it.
Kunle Lawal:
Yeah, the better you get. That kind of leads me to my next question. Whether it’s a client or a company, how do you assess how secure the infrastructure is?
O’Shea Bowen:
Yeah, I’d say it would be like a two-pronged approach of, one is really understanding what their current security landscape or security posture looks like. So one of the questions I initially ask is, “Well, what do you have in place for user management?” or “What do you have in place in regards to network controls?” If they can’t really answer questions around how they manage their network or how they can… As non-sexy as a word as it is, it’s how they audit their network. It’s not necessarily like do you have every single record tucked away for review every week, every month or quarterly, it’s really like, do you have the capability to tell me when something weird is going on? It’s not necessarily a hacker, it’s really just, “Hey, one of our guys is streaming movies.” When you stream movies online, Netflix or whatever it may be, you use a bit more bandwidth. So could you see that inside of your network? And when they start to say no to questions like that, I can kind of ascertain like, “Okay they’re in somewhat of a bad position.”
O’Shea Bowen:
Which isn’t horrible, because that keeps me employed and I can help them out. But when they’re sort of answering yes to questions like that around what type of controls do they have in place, or when is the last time that you had a penetration test, or some type of review of your network… A penetration test is essentially hiring authentic based security individuals, or “the good hackers” to attempt to penetrate your network. And then they present you with results that say, “Hey, we got in this way. We were able to access this server or upload this particular piece of malware this way. This is where you’re vulnerable, so this is what you need to fix.”
Kunle Lawal:
Gotcha. Let’s move on a little bit. Can you tell us a little bit more about Null Hat Security LLC and Intrusion Diversity System?
O’Shea Bowen:
Yeah, sure.
Kunle Lawal:
Let’s start off with Null Hat.
O’Shea Bowen:
Yeah, sure. Null Hat is the company that I started about two years ago. So there’s Null Hat Security and there’s Null Hat Labs. Null Hat Labs is where we do the consulting work and essentially the business side of where we’re housing the cyber range product that we’ll begin selling for skills assessment and gap analysis for people looking to move into cyber, or for organizations to test of their security practitioners. So the idea is to determine how strong your team actually is from a practical perspective and from a human perspective when they investigate weird stuff on the network, or security challenges, or potential intrusions.
O’Shea Bowen:
And then there’s Null Hat Security, where the nonprofit work is, where I go around and teach workshops. I’m going to an event for Blacks in Cyber of Virginia on Saturday to teach like a 50-person workshop on cyber defensive techniques. So that’s the, me traveling and speaking and committing to workshops, and helping other individuals pick up this knowledge and skills in different cyber arenas.
O’Shea Bowen:
IDS, or Intrusion Diversity System is a podcast that I started with another gentleman, Douglas Bryant, where we focus basically on surprise, surprise, cyber security. So it’s a lot of what’s happening in the news currently, what we’re up to in our jobs. And we typically have guests on that share their background, their expertise, and their opinion on kind of what the scene looks like from a security perspective.
Kunle Lawal:
Totally good. So you started that fairly recently?
O’Shea Bowen:
We’re in season two of IDS. We go live every second Thursday of the month. So we run this through like a Twitch streaming services, so people can chat with us while we’re speaking about different stories. And we can also showcase different tools that individuals may not have seen, or just kind of showcase what we’re working on. And we allow our guests the same capabilities. So if you’re working on something cool and you want to show it to a broad audience, we allow you to do that.
Kunle Lawal:
Very cool. Very cool. What advice would you give to students who are in the STEAM field that want to get into cybersecurity?
O’Shea Bowen:
Yeah, I would say look to local groups in your area first. I mean, find a good program at your school. I’d say don’t be totally reliant on what you learned just only in school. You should continuously look to challenge yourself outside of the academic area or the institution. So, are there capture the flag competitions going on in your area? Are there capture the flag competitions online that you can compete in? And there’s numerous amounts of those. But just keep up-skilling yourself. Find the area that you’re interested in and find someone else that maybe has a bit more knowledge and expertise, and really start pinging them. I say mentors lightly, because I think you shouldn’t base your success on someone else guiding you, but having someone you can turn to is an immense help, especially people that have been down that road before.
O’Shea Bowen:
And then also look into local groups, like local meetups. Like I’m an organizer for Boston Security meetup. That’s every third Thursday of the month and we usually have a pretty packed house of security practitioners, hackers, researchers, breakers, makers that show up. And there’s about two different lightning talks each session. Other than that, it’s us hanging out, just communicating with each other and networking, and just talking about what’s going on in our day to day lives and our professional lives. So I’d say those networking groups and those community groups are huge. In a city like Boston there’s no shortage of them for cybersecurity.
Kunle Lawal:
Yeah. Yeah. And what are your thoughts on sub-security certificates as opposed to like a four year college or any other method?
O’Shea Bowen:
Crap. Naturally, I’m not like anti-school. I think obviously going to school is a great thing. I place it into this bucket of, what’s your financial situation? If you’re one of those people that can afford it to go to a four year college or you’re willing to take on the debt, then go for it. But if there is another way, I would look into that. I’d look at like even community colleges. There’s community colleges like in Wesley that have good cybersecurity programs that are two years. They’re a lot cheaper and that can allow you to get work experience through internships. I didn’t graduate from school, and it’s not that I’m like advocating anyone to go that way. I got started fairly early and when I left school for a startup, I just kept working. And through networking and meeting other individuals I was able to grow my career.
O’Shea Bowen:
But I’ve seen it on both sides. I’ve seen individuals that are great that came out of school and I have nothing against that, and I’ve seen people that… The majority of the people I have worked with, honestly, did not finish school, and they’re some of the best security practitioners I know, and I’ve traveled the globe. I’ve been in a lot of places speaking. So it really just depends on how you learn, number one. If you’re one of those people that can be responsible for yourself, just having a degree and then having that added bit of knowledge from a certificate, is great. What I advise people, is broadcasting that you have this entry level cert, maybe sometimes that’s not the best thing. I see that a lot on different social media platforms, where people pass like the basic cert and then they kind of bolster and boast about it. It’s like, “Well, you’re pretty much just telling me that’s your only knowledge base.
Kunle Lawal:
Yeah, what are you actually using it for?
O’Shea Bowen:
Yeah, and that’s where the hindrance kicks in. Because I’ve literally interviewed and hired and trained tons and tons of people, and it does seem to be a commonality with some people that have the same amount of certs, their thought patterns and the way they think are fairly similar because that’s what they’ve learned. They haven’t pushed themselves beyond that. On the other hand, when you find someone that is very passionate, that’s learned on their own outside of the certificate, and then you add the certificates, that’s someone that’s an awesome person to work with. Because not only are they relying on the certificate, they’re putting in the work on their own.
O’Shea Bowen:
And those are the types of people I enjoy working with. I have nothing against the certs, but I don’t like to see… I’ve had this with former employees or people that reported to me was, they just wanted to go for certs, for certs. And it’s like, “Well, how are you going to use that here? I work with you from day to day and I barely trust what you’re doing.” So it’s like, why would you want me to pay for you to go get a cert when I have no idea how you’re even going to use it? It’s just because people like to add it to their name. So nothing against any student thing.
Kunle Lawal:
If you could go back and change or add one thing in your career journey, what would it be?
O’Shea Bowen:
Add a cert? Or add just a piece of experience?
Kunle Lawal:
A piece of experience, a piece of work, anything.
O’Shea Bowen:
I’d say it’s something that I’m working on now, and that’s becoming more familiar with ICS or industrial control systems. That’s one of my goals for 2020 is to ramp up on learning as much as I can for that landscape, because that’s essentially the future, ICS and IOT. ICS is essentially utilities companies or any type of auto manufacturing, things along those lines that actually have machines that are programmed to actually make either goods, or control services, like the flow of oil or the flow of gas or the flow of electricity, like that. As the world becomes more automated, those systems become more prevalent, and they’re a big target for hackers now. So that’d be something that I likely would have started like three or four years ago. The amount of individuals that have that knowledge even right now in security is still fairly small, so that’s something I would have looked at a while back. But I’m catching up now.
Kunle Lawal:
Okay. Any final words of wisdom to the community?
O’Shea Bowen:
No. I mean, I’d say stay curious. Follow your passion, stay curious. Look to individuals that can help. Don’t be afraid to ask for help. I have a big thing that I always tell especially younger individuals that are coming behind me, it’s like that old saying by your parents, “A closed mouth don’t get fed.” So if you’re not asking questions, you’re not going to get the knowledge that you’re looking for, right? So if you’re one of those people that are too proud to ask for help, you’re only setting yourself back, or slowing your learning curve.
Kunle Lawal:
Mm-hmm (affirmative). Thank you. I appreciate you talking to me tonight.
O’Shea Bowen:
Yeah, yeah, not a problem. Thanks for having me.
Kunle Lawal:
Thank you for tuning into this STEAM Boston Podcast. Be sure to follow careerbyte on LinkedIn, Twitter, Instagram, and Facebook for all updates. Also, be sure to go to steamboston.com to read more career advice and listen to stories like these from students and professionals in the STEAM field. Thanks again for tuning in.
