| Contact | Info |
|---|---|
| email | recruit@breed.org |
| voice | +1 (661)RBR-EED1 |
| github | github.com/ryanbreed |
| linkedin | linkedin.com/in/ryanbreed |
Seasoned professional with 23 years of deep technical experience in red/blue security operations and consulting. I have a track record of developing excellence in security operations organizations, a knack for researching novel security analytic techniques, and a penchant for building automated workflow support that can increase both tempo and accuracy.
- University of Texas at Austin LBJ School of Public Affairs - Global Policy Studies (2012–2014)
- University of Rochester - Bachelor of Science in Molecular Genetics (1997)
- Triage, investigate, and respond to suspected security incidents according to organizational policy and procedure
- Develop new alert analytics for threat actor TTPs identified in existing event load
- Create workflow automation to streamline and simplify triage, investigation, and operator actions
- Organize existing alert content into forward-maintainable architecture with CI/CD tooling for testing and deployment
- Developed and implemented modular content abstractions for automated alerts running in Splunk Cloud ESS
- Develop ThetaPoint Security Reference Architecture for Security Operations Centers
- Publish original research in security operations and present findings through speaking engagements
- Analyze relative strengths and weaknesses of SIEM, SIP, and SOAR solutions for clients
- Published blog series on Reference Architecture: bit.ly/tp-sra-framework
- Presented monitoring/response use case for secret leakage in the git source code management system.
- Presented overview on hardware security keys, OATH, HSMs, and PIV to Austin DFIR and OWASP.
- Developed aggregation/ingest pipeline for macOS Unified Logging and BSM Audit events.
- Process intelligence reports on emerging threats and implement detection content
- Automate harvesting of exploit samples from public datasets and generation of detection content
- Instrument security content quality and performance across back-end and sensor fleet
- Research historical data to develop novel analytics and identify threat actor activity
- Automated SIEM/correlation testing with CloudFormation and migrated test environment to AWS.
- Presented "Advanced Snort Authoring and Detection Internals" workshop to Cloud Austin meetup.
- Developed containerized platform to test detection content across Snort and Suricata.
- Senior incident commander for critical incidents
- Develop opportunities for securing and improving grid and market systems with business stakeholders
- Prioritize intelligence projects and develop strategic plans for threats to grid and market systems
- Perform outreach to public and private sector via ISO/RTO council and DHS CISCP
- Developed GridExIII scenario and training injects. Implemented cyber simulator in development SIEM environment with integrated ChatOps platform for use during exercise play. Operators participated in exercise play by handling incidents in the SIEM development environment.
- Automated real-time integration of CMDB, IPAM, access control, and vulnerability model data into SIEM for rules, reports, and dashboards.
- Automated defensive countermeasures to automatically quarantine compromised endpoints for incidents qualified by corresponding SIEM content.
- Implemented TAXII endpoint to ingest STIX and propagate indicators to control surfaces. Automatically created SIEM content to flag events and correlated incidents matching high quality Indicators of Compromise.
- Developed automated security testing harness with Bamboo and Nexpose. Automated distribution of priority findings to asset owners.
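The TAXII/STIX bullet above describes a pipeline: ingest STIX indicators, keep only the high-quality ones, turn them into SIEM content, and flag matching events. The block below is an added example of that flow written for this page; it is not the resume author's code or any employer's. It uses only the standard library, parses the simple equality-on-literal STIX patterns that plain atomic IoCs use (address, domain, file hash joined by OR), and runs over a constructed STIX bundle and constructed events. The bundle contents, indicator IDs, event field names (`src_ip`, `dest_ip`, `query`, `sha256`), and the Splunk-style search syntax are all assumptions made for the example.

```python
"""STIX indicators -> confidence filter -> SIEM search + event matcher.

Added example for this page, not the resume author's code. Stdlib only.
STIX_BUNDLE and EVENTS below are constructed sample data; the IPs are from
RFC 5737 documentation ranges and the domain uses the reserved .invalid TLD.
"""
import re

# Constructed sample bundle (hypothetical IoCs, not real threat intel).
STIX_BUNDLE = {
    "type": "bundle",
    "id": "bundle--0f7c1b2a-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111111",
         "pattern_type": "stix", "confidence": 85,
         "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222",
         "pattern_type": "stix", "confidence": 90,
         "pattern": "[domain-name:value = 'update.example.invalid'] OR "
                    "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"},
        {"type": "indicator", "id": "indicator--33333333-3333-4333-8333-333333333333",
         "pattern_type": "stix", "confidence": 20,  # low quality: must be dropped
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "malware", "id": "malware--44444444-4444-4444-8444-444444444444",
         "name": "sample"},  # not an indicator, ignored
    ],
}

# One STIX comparison expression: [object-type:property = 'literal'].
# Only equality on quoted literals is supported; anything else yields no rows.
COMPARISON = re.compile(r"\[\s*([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'\s*\]")

# (STIX object type, property path) -> event fields to check. The field
# names are an assumed event schema for this example.
FIELD_MAP = {
    ("ipv4-addr", "value"): ("src_ip", "dest_ip"),
    ("domain-name", "value"): ("query",),
    ("file", "hashes.'SHA-256'"): ("sha256",),
}


def parse_pattern(pattern):
    """Return [(object_type, property_path, value), ...]; [] if unsupported."""
    return COMPARISON.findall(pattern)


def extract_indicators(bundle, min_confidence=50):
    """Flatten indicators at or above min_confidence into field/value rows.

    A missing confidence counts as 0, so unscored feeds never auto-deploy.
    """
    rows = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        if obj.get("confidence", 0) < min_confidence:
            continue
        for obj_type, path, value in parse_pattern(obj["pattern"]):
            for field in FIELD_MAP.get((obj_type, path), ()):
                rows.append({"id": obj["id"], "field": field, "value": value})
    return rows


def build_search(rows, index="main"):
    """Render the rows as a Splunk-style search (illustrative SIEM content)."""
    clauses = sorted({'%s="%s"' % (r["field"], r["value"].replace('"', '\\"'))
                      for r in rows})
    return "index=%s (%s)" % (index, " OR ".join(clauses))


def scan_events(events, rows):
    """Return (event_index, indicator_id, field, value) for every IoC hit."""
    by_field = {}
    for r in rows:
        by_field.setdefault(r["field"], {})[r["value"]] = r["id"]
    hits = []
    for idx, event in enumerate(events):
        for field, values in by_field.items():
            val = event.get(field)
            if val is not None and val in values:
                hits.append((idx, values[val], field, val))
    return hits


# Constructed sample events (assumed schema).
EVENTS = [
    {"src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "query": ""},
    {"src_ip": "10.0.0.9", "dest_ip": "192.0.2.44", "query": "update.example.invalid"},
    {"src_ip": "10.0.0.5", "dest_ip": "198.51.100.7"},  # only the dropped IoC
    {"sha256": "a" * 64, "host": "ws17"},
]

if __name__ == "__main__":
    rows = extract_indicators(STIX_BUNDLE)
    print(build_search(rows))
    for hit in scan_events(EVENTS, rows):
        print("event %d matched %s via %s=%s" % hit)
```

The confidence gate is what keeps "high quality" meaningful: the 198.51.100.7 indicator never reaches the search string or the matcher. In production the same rows would also drive the control-surface pushes (blocklists, EDR watchlists), and domain values should be lower-cased on both sides before comparison, which this example omits for brevity.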
- Manage a team of 9 security analysts
- Plan and manage operational budgets and capital project portfolio
- Lead cybersecurity audit response team for NERC CIP and SAS70 compliance programs
- Maintain SECRET clearance under DHS Private Sector Clearance Program and attend classified threat briefings
- Proposed and implemented multi-year user endpoint security program.
- Implemented proactive security advisory/bulletin monitoring infrastructure to feed SIEM-based workflows.
- Participated in cooperative threat actor monitoring program with DOE.
- Represented Electricity Subsector in classified threat workshops for intelligence community.
- Perform security monitoring, incident response, and investigations using SIEM, EnCase forensics environment, and full-content network traffic capture.
- Architect and deploy SIEM infrastructure, rule content, and supporting case management workflows
- Administer ArcSight SIEM components; perform controlled changes, maintenance and BCP procedures. Troubleshoot operational stability issues and implement corrective measures.
- Architected and deployed 2 major iterations of ArcSight SIEM and supporting event ingest.
- Developed tooling to extract, analyze, and safely detonate malicious JavaScript, VBScript, PHP, and win32 PE binaries.
- Developed full-content packet capture repository to save and index PCAP data.
- Perform client-facing penetration tests and risk assessments. Write and present post-engagement reports to clients
- Develop collateral to support pre-sales and standardize engagement delivery
- Administer local SOC systems and assess security across global ZFS infrastructure
- Lead global PKI and security monitoring teams
- Perform client-facing penetration test and infrastructure implementation projects
- Serve as final point of escalation for all security consultants
- Conduct first shift firewall operations for internal NYSE/GSCC perimeters
- Perform Y2K readiness assessments and testing
- Perform client-facing security assessments
- Support pre-sales discovery and develop responses to customer solicitations
- ERCOT - Team Player Award (Mar 2016), Core Value Award for Expertise (Apr 2014), Team Player Award (Apr 2014), Exceptional Performer Award (Jan 2014), Certificate of Recognition: Principal (Dec 2012), Team Player Award (Jul 2011)
- Mercedes AMG Driving Academy - 1st place Team Autocross (Jun 2015)
- Idaho National Laboratory NSTB Advanced SCADA Security Training - Team Captain and Winning Team (Nov 2008)
- Operator Training for Apache Kafka - Confluent, Inc. (2018)
- Completion of Advanced Training - Mercedes AMG Driving Academy (2015)
- Leadership Skills for Managers Certificate Program - University of Texas at Austin Professional Development Center (2011)
- Certified SCADA Security Architect - Digital Bond, Inc. (2006)
- SANS - Microsoft Windows Security (SANS-505), Reverse-engineering Malware (SANS-610), PowerShell (SANS-537), Identifying and Removing Malware (SANS-537)
- HP Enterprise - ArcSight ESM 6.5 Security Administrator and Analyst (HPE-00924200)