Security Architect

Location: Toronto, ON, Canada
Posted: December 17, 2019

Boris Levit

Toronto, h: 416-***-****, c: 416-***-****, skype: bllevit, ada3h5@r.postjobfree.com

Information Systems Security Manager / Architect. CISSP (CN 96686).

20+ years of security, Unix, Windows, network and application experience; DevSecOps.

EMPLOYMENT HISTORY

InTunnel Monitor, Toronto, Canada. Security Architect. Main client is Ontario Securities Commission. 09/2017 – current

Develop monitoring of related controls (CTI, MITRE, etc.) for APT (Advanced Persistent Threat, also known as the Cyber Kill Chain), insider and fraud activity; made TRAs; used Burp Suite.

DevSecOps - Use bash, R-language, python, Google Cloud Platform, G Suite, Kubernetes, Docker, gcloud, Avanan, Netskope (CASB), OpenSuSe, Tails, Amazon EC2 Bare Metal Instances, OS365, Azure.

Work on an SSL covert channel detection project; develop an eDiscovery tool.

Work on User Behavior Analysis, OpenText, ArcSight, LogRhythm, Palo Alto, Web Application Testing toolkits, Qualys, Okta, SAML 2, CyberArk, IBM Guardium, Symantec Endpoint Detection and Response (EDR) pr.

HP-HPE-DXC, Toronto SOC (MSSP) Security Incident Analyst 06/2015-08/2017

Used GrUD (Inventory Management System), Vigilance (Monitoring and Alerting System), ViTAL (Incident and Change Management), MSS Portal, ArcSight (SmartConnector, Logger, ESM), AD, TippingPoint (IPS/WAF), Akamai (WAF/ WWW proxy), Cisco Sourcefire (IDS), Juniper Pulse Secure, Damballa, F5, Securonix (ArcSight UBA), kiwi, docker, VMware, Cygwin, OS365, openSUSE, Kali, VB, PowerShell, python, R-language, RStudio, Checkpoint, Fortinet, Oracle Internet Directory, Microsoft AD, PAM, bash (including on Windows 10).

Worked with ArcSight Console and Activate Framework. Utilized the event inspector. Wrote reports, trends, queries, bundles, etc. Configured active channels, filters, tools, etc. Made use case analyses and Logger search queries, log sanity checks and other content development.

Performed security incident analysis and remediation. Created and maintained tickets and incident response playbooks. Presented recommendations to clients' executives. Participated in client risk management. Provided presales support.

Acted as a lead and mentor for our Tier 1 Event Analysts Team and client's professionals.

Made packet analysis (pcap) using Wireshark as a part of network forensic process.

Facilitated eDiscovery. Performed Indicators of Compromise search on client's environment.

Processed JSON output from security sources using jq. Worked with STIX.

Investigated client's environment, market / technology trends, hacker techniques, etc.

Facilitated data behavior analysis, including user behavior analysis and big data analytics. Used Rattle (R Analytic Tool To Learn Easily) for data mining and classification.

Worked on DNS queries monitoring to detect DNS covert channel (dns tunneling) and Tor Pluggable Transports.

Developed security incident investigation and other operational procedures. Performed Root Cause Analysis (RCA) for several alerts in parallel. Participated in DevSecOps automation efforts. Participated in Threat Risk Assessment, penetration testing and Vulnerability Assessment in our clients' environments. Was responsible for some PKI. Performed threat hunting. Worked with the Mandiant red team.

Worked with regulations: SOX, ISO 27001, GDPR, PIPEDA, NIST CSF and 800-61.

Constantly learned hacker techniques, tools and incident handling. Made educational presentations for team members. Worked with network / web application testing toolkits.

Supported banking software (T24), AML, KYC. Resolved Akamai configuration problems. Supported the Tanium endpoint protection solution.

Metsuke, Toronto. Security Consultant / Architect. 02/2012-05/2015

Main clients were Deloitte, IBM, TD Bank, Seneca College, CM Inc.

Performed Vulnerability Assessment.

Designed next generation of SIEM, IAM projects.

Participated in IAM remediation after a SOX audit. Audited LOB access systems, provisioning and de-provisioning. Interviewed LOB personnel to find out access management problems. Performed audit and forensic analysis of DBs and applications. Worked with CyberArk, Centrify, Oracle, sqlplus, PL/SQL, MS SQL Studio, SQL Server 2012, WebSphere, SharePoint, AML.

Facilitated a hacking incident investigation. Performed forensic analysis and remediation, security gap analysis and an IT audit of a huge university environment. Interviewed a wide range of college personnel (technical workers, professors, college executives, etc.).

Made monitoring for hardware keyloggers. Built PoC for sufficient defense against USB hardware keylogger threat.

Solved TRA, likelihood, impact, risk evaluation by using harmonized / OWASP risk rating methodology, used ITSG-33, 04.

Operated Vulnerability Assessments, WiFi Wardriving.

Made remediation recommendations (technical and policy including security incident investigation, change management and BYOD) as a part of Risk Management.

Designed Qradar and Splunk deployment.

Performed OWASP code analysis.

Investigated mobile and Oracle security.

Analyzed Modbus malicious traffic (SCADA project). Made Malware Reverse engineering.

DevSecOps - Used Redmine, R, Esper, python, scapy, FIDO, Apache, OpenSUSE, CentOS, Windows, Android, iOS, Novell ZENworks Endpoint Security Management, Xen, KVM, Vmware, Virtualbox, vagrant, packer, Ansible, AWS, Google Compute Engine, G Suite, Azure, TITUS Data Classification, lua, botbrew, adb, sqlmap, ruby, perl, sh, eclipse, jenkins, logstash, lapse+, WebInspect, Fortify, java, node.js, IDA Pro, VoIP.

Worked with Network / Web Application Testing toolkits, USB hardware keyloggers, USBDeview, udev, wireshark, tcpreplay, kbackup, zenmap, nessus, burpsuite, Wigle, Fortinet, rkhunter, Metasploit, Armitage, YaST, Tripwire, Oracle Application Access Controls, NERC, PCI 2 and 3, OSSTMM, OpenID, OAuth, TOGAF, Zachman, SABSA, Websphere, RSA Archer eGRC.

TD Bank, Toronto. Sr. Security Specialist, 08/2010 – 09/2011.

Participated in audit and legacy access system remediation after a SOX / PCI audit. Resolved integrity and access control problems with server farm configuration. ETL tasks. Programmed in Perl, ksh, awk. Worked with CSV, XML, XSLT, COBIT, COSO.

Supported RSA enVision 4.0 SIEM implementation, analyzed configuration, data collection, SOX / PCI related issues, wrote and analyzed enVision Reports. Provided SIEM RSA enVision results to key stakeholders.

Facilitated eDiscovery. Worked on Suspicious Activity Reports, RBAC, File Integrity.

Repaired OS Hardening, server, storage, private cloud security, security policies / procedures, CyberArk.

Used AIX, HP-UX, Solaris, Windows XP, Vmware, OpenSuSe, Redhat, Remedy.

Avetti.com, Canada. Security Consultant / Team Lead, 01/2010- 02/2010.

Restructured ITIL and Company Security systems to accommodate Good Practice standards.

Managed distributed (overseas) sysadmin team.

Worked with AWS, AMI, Elasticfox.

Conducted E-Commerce risk assessment.

Configured iptables.

Analyzed PCI requirements. Reviewed PCI code / infrastructure (OWASP code review project, ReviewClipse plugin project), performed OWASP web application audit.

Massachusetts data protection regulation project.

Analyzed commercial (Imperva) and opensource tools for WAF project. Installed / configured ModSecurity (with Breach rule set) as a part of PCI Compliance Project.

Built a security awareness program and presented it at team meetings.

Worked with OpenSuSe, CentOS, RedHat, Vmware, Citrix, Xen, Puppet, Chef, MongoDB, java, java swing, jython, git, Eclipse, Hudson, Selenium, perl, shell. Used TOGAF for EPF (Eclipse Process Framework), GoToMeeting.

Dark Matter Development, Toronto, Security Consultant, 07/2009-12/2009.

Mitigated insider threat.

Redesigned Security / System Architecture, Video Management Solutions.

Wrote security policy.

Performed audit and forensic analysis, OWASP Threat Risk and Vulnerability Assessments. Searched for covert channels.

Analyzed botnet attacks.

Scanned for vulnerabilities by nmap 5, nessus 4 and webinspect, performed OWASP web application audit.

Used Windows Vista / 2008, ScreenOS 5.4 (Juniper), Mac OS X 10.6, iOS, OpenSuSe 11.1 / 11.2, FreeBSD 7.2, Fedora, Simultaneous Dual-N Band Wireless Router, IP KVM, Brocade, Startech, Foundry Load Balancer, MySQL, Apache, Hadoop Distributed File System (HDFS), Pig, Hive, mediawiki, openldap, Open DS, OpenSSO, postfix, Cyrus imap, OWASP, THC-Hydra, burp suite professional v1.3, autopsy, munin, svn, yafic, dovecot, Time Machine, Xsan, AFP, skype.

Performed PCI compliance analysis, infrastructure / DB / private cloud / code review.

Created an anti-spam project. Suggested IronPort+RSA as the anti-spam and DLP solution.

ACL project for FreeBSD and MacOS.

N-Dimension Solutions Inc., Canada. Sr. Security Architect, 07/2007-2/2009.

Had primary responsibility for project management.

Led the design, testing, planning, and implementation of complex projects.

Led the development and implementation of a broad, coordinated set of plans and programs to meet the goals and priorities of the company.

Defined project missions, goals, tasks and resource requirements; resolved or assisted in the resolution of conflicts within and between projects or functional areas; developed methods to monitor project or area progress; and provided corrective supervision if necessary. GO-ITS 24, 25.

Participated in outside professional activities to maintain knowledge on developments in the field.

Continuously improved project management toolkits and methodologies.

Was responsible for project staff. Participated in interviewing and hiring process.

Used tools: Fedora c7, Gentoo r6, openSuSe 11, RedHat, Xen, Win2K/XP/Vista/2008, Redmine, System Center Configuration Manager (SCCM), lighttpd, Solaris 10, iptables, MySQL, SCADA, AGA-12, Modbus, DNP3, Perl, sh, bash, PHP, seagull, java, java swing, spring, javascript, APM, flex (lex), bison (yacc), SSL certificates (using openssl), umbrello, gnupg, C, C++, Eclipse, Hudson, cvs acl, bugzilla, cvs web, syslog-ng, snortalog, Nagios, Android, Nessus, HP WebInspect, N-Stalker, nikto, Paros, OWASP, Pantera, OVAL, SCAP, OpenVAS, SLAD, tiger, nessus plugins development (nasl2), nmap, zenmap, snort (Sourcefire), oinkmaster, ITSA v3.5, Wireshark v0.99.6, Metasploit framework 3.1, ruby, python, Burp Suite 1.1, MoinMoin Wiki, Drupal, Web Content Accessibility Guidelines, lua, NetIQ, Google Mail / Calendar / Docs, Forensic Toolkit (FTK), etc.

Ruggedized (IEEE 1613 compliant) Platform Project. Used a Schneider platform with flash memory drives.

Identity Management Project (AD, OpenSuSe LDAP, Fedora Directory Server, Sun Identity and Access Manager, Novell Identity Manager, WS-Security, SASL). Gentoo and Fedora pam_ldap implementation.

Executed Version Transformation (parsing and lexical analysis).

Wrote Modbus gateway on Android platform.

Participated in cloud computing project.

Performed Ethical Hacking and Vulnerability Scanning Project (Harmonized / OWASP Threat Risk and Vulnerability Assessments) including general purpose and web application vulnerabilities scanning, vulnerabilities analysis, hardening, SELinux. Produced NERC and PCI compliance reports using Nessus, N-Stalker, Webinspect and Burp Suite, performed OWASP web application audit. Participated in Risk Management.

Developed Snort SCADA signatures and Nessus vulnerability plugins.

Created Snort enhancement project: EMERALD, SnortSP, SnortSMS.

Contributed to snort reporting and syslog server projects based on complex message filtering, integrating, archiving and visualization made by syslog-ng, snortalog, perl. Facilitated eDiscovery.

Participated in NERC and other industry, Canadian and NIST standards projects, for example ISO 27001/2, COBIT, OSSTMM, Domain Expert Working Groups (later NIST 7628), and compliance projects (OEB / NEB). Security Governance-Risk-Compliance (GRC).

Managed ARP Poisoning project. Wrote SOW, Project phases.

Initiated a Security Information Event Management project (analyzed SRI's suggestion of EMERALD connected to ArcSight, and open source Sguil).

SCADA Audit project.

Assisted in staff development and mentored colleagues as needed.

Used TOGAF, SABSA and Zachman framework.

Participated in Hydro One, Smart Meter / ZigBee / GO-ITS 51, High Availability (HA), HDFS (Hadoop Distributed File System), SDLC Projects.

Used Bugzilla Problem / Change Management. Architected ICT Technical Support Management based on moinmoin wiki.

Security Monitoring.

Third Brigade and OSSEC (Open Source Host Intrusion Detection and Prevention Project – HIDS / IPS)

As part of project support I performed network infrastructure and server system administration (Cisco, OpenSuse, Gentoo, Solaris, Fedora, RedHat, Windows NT/ 2003/ XP/ Vista/2008), installation, system configuration, network and system tuning, hardening, scripting (sh, bash, tcsh, perl), NFS, SMTP, POP3, IMAP, HTTP, HTTPS, DNS, NTP, SNMP, etc.

Research In Motion, Canada. Incident / Security Analyst, 12/2005 - 06/2007

Resolved service problems. Facilitated eDiscovery. Made RCA. Worked with CIRT and CM.

Scripting: bash, Perl, PostgreSQL.

SPF (Sender Policy Framework) project.

Security Tools Installation and Configuration: Entrust, chkroot, rkhunter, The Sleuth Kit, Autopsy, EnCase, Cheops, John The Ripper, Nikto, Paros, OWASP, WebScarab, IPTraf, Ettercap, EtherApe, Nessus, HP Fortify 360, Nmap, Kismet, gkismet, Watchfire AppScan, Cenzic Hailstorm, Aircrack-ng, SecureAware, bastard, IDA Pro, ModSecurity, Joomla, Symantec, OpenText, Cisco ACE XML, TippingPoint, WebGUI, SSO, GlobalPlatform SCP02, etc.

Analyzed / redesigned system / network / security architecture.

Enterprise Content Management / Facility Management / Business Objects Assessment Projects.

Anti-Spam Project. Participated in DLP project.

Business Continuity Planning Project.

Security incident response plan.

Forensic Analysis Project. Malware Reverse engineering.

IT Audit. Vulnerability Assessment/Management/Penetration Testing (Threat Risk and Vulnerability Assessments).

Prepared SOW, Project phases, Process Groups for BB Datacenters, etc.

Information security consultative support to all lines of business.

Vendor products evaluation process.

Supported BB e-mail directory service.

Made next projects: Identity Management, Tripwire, Security Governance-Risk-Compliance (GRC), Security Awareness, Security Monitoring Project.

Developed an internal information security committee.

WiFi WarDriving Project. Bluetooth Rifle Project. UMTS/EDGE/GPRS WarDriving Project.

Application scanning / firewalling Project including PCI requirements.

0-day Vulnerability Assessment Project. Disk Encryption Project.

PCI Compliance Project.

TRA project, used OCTAVE / OWASP / Microsoft / Harmonized TRA methodologies.

Armor Technologies, Toronto. Sr System/Security Dev. 10/2005 – 10/2005

Invision.Com, New York. Unix Group Manager. 6/2005 - 9/2005

Interdiction Solutions Inc., Toronto. Consultant. 04/2005 - 05/2005

ABBI Ontario. Project Architect. 03/2005 - 03/2005

Cisco Systems Inc., Sun Microsystems, San Jose, USA. 01/2005 - 02/2005

Q1 Labs (now IBM), Fredericton, Canada. Security Consultant. 04/2004 – 11/2004

Helped Q1 Labs add a new security feature, IPS, to their QRadar product (NBAD and SIEM).

Made resolvers for their Intrusion Prevention System. Wrote prototypes of TCP Reset, ARP Poisoning and Cisco Switch / PIX resolvers. The Department of Homeland Security liked the product.

Made Vulnerability Assessment Project, TRA.

Made ITIL project (Remedy ARS, ITSM). Used Knowledge - Artificial Intelligence technology designed by UNB.

Security Information and Event Management Project.

Analyzed project components security.

Different companies in different locations 1978 – 2004

EDUCATION

Moscow Institute of Electronic Techniques 1978. MS Diploma evaluated by York University

PROFESSIONAL TRAINING in Canada.

December 2019, DevOps Foundations: Infrastructure as Code, LinkedIn

April 2019, Running Jenkins on AWS, LinkedIn

March 2019, Advanced Python, LinkedIn

January 2019, AWS for DevOps: Monitoring, Metrics, and Logging, LinkedIn

December 2018, DevSecOps: Integrating Security into DevOps, ISC2

December 2018, How to adapt the SDLC for DevSecOps, ISC2

December 2018, Learning Splunk, LinkedIn

August 2018, Google Cloud Platform Essential Training, LinkedIn

April 2018, Learning Kubernetes, LinkedIn

August 2017, DXC, Core Security, Damballa – Network Insight Technical Product Training, Canada.

April 2017, DXC, Tanium – VB, PowerShell and Containment Training, Canada.

November 2016, HPE, Tanium Incident Response Course, Canada.

January 2016, HPE, ArcSight SmartConnector Foundations and ToolKit, Canada.

January 2016, HPE, ArcSight ESM Administrator 6 CORR Engine (AEIA) (No Oracle DB). Toronto, Canada.

September – October 2015, HPE, ISO27001 Training and Awareness. Toronto, Canada.

September 2015, Company Security Officer Training, Outreach Division of Industrial Security Sector of Public Works and Government Services Canada. Toronto, Canada.

July 2015, ArcSight Logger Administration & Operations, ArcSight Console, HP, Canada.

December 2010, O’Reilly, Developing Android Applications with Java. P. 1 and 2

February-March 2008 Management 414 SANS Training Program for the CISSP Certification Exam, Toronto, Canada.

July 2006 IBM CISSP CBK Seminar, Toronto, Canada.

July 2006 Sun Fire X4500 / X4600 servers and Blade 8000 Modular System Seminar, Waterloo, Canada.

March 2006 Business Continuity, Waterloo, Canada.

March 2006 IBM Bladecenter Workshop (XTR14NCE), IBM Education and Training, Canada.

February 2006 Mirapoint E-mail Server, Mirapoint, Waterloo, Canada.

January 2006 Exploring GPRS and EDGE, Award Solutions, Waterloo, Canada.

December 2005 Blackberry Relay / BWC / BIS-X, RIM, Waterloo, Canada.

June 2004 Qradar, Q1 Labs, Fredericton, Canada.

May – June 2002 Business Training, JVS, Toronto, Canada.

June 2000 12th Annual FIRST Conference on Computer Security Incident Handling, Chicago.

February 2000 Sun Systems Fault Analysis Workshop (ST-350), Sun Educational Services, Toronto, Canada.

January 2000 Administering Security for Solaris (SC-300), Sun Educational Services, Toronto.

August 99 Enterprise Java Beans Implementation (Visual Age + WebSphere Environment) IBM Team, Toronto, Canada.

March 99 Solaris System Performance Management (SA-400), Sun Educational Services, Toronto, Canada.

99 Project Management. Manulife Financial, Toronto, Canada.

Nov.98 WebSphere Workshop, IBM WebSphere Developing Team, Toronto, Canada.

Oct.98 DB2 UDB EEE for UNIX Administration Workshop, IBM Education and Training, Toronto, Canada

Sept.98 A Technical Introduction to MQSeries, IBM Education and Training, Toronto, Canada

Apr.98 Gauntlet Administration, NAI, Toronto, Canada.

Work Case #1

The night shift of our Event Analysts (our Eyes On Glass) got a Vigilance alert about a Web Application Attack against our banking client. They followed the client agreement and procedure: created a ticket and woke up the client representative and his team.

Here let me step aside and explain our ArcSight technology stack in a simplified manner.

Security events are produced by sources; in this case it was the TippingPoint IPS (BTW, I have no idea why the vendor named it an IPS. I would categorize the tool as a WAF: it looks like a WAF and works like a WAF). Events are collected, normalized and categorized by a connector, which sends them to a logger (for archiving and forensic search request processing purposes). The logger sends events further to ESM, which has a DB and a content management framework that processes security events. Among other things, events go through aggregation, correlation and use case analysis. Use case analysis produces specific event types which look like common events but are picked up by a portal.

The Use Case concept is very important because managed security services are provided as a business. Even internal SOC activity is a business (just between LOBs). So why should company A pay more than company B: just because of the amount of data, or the amount of security alerts, or the quality of these alerts, or what? Could a farm produce the same type / amount of security alerts as an airport?

The portal follows procedures which reflect client agreements and can send use case events to weekly / monthly reports or forward properly attributed use case events to Vigilance. Vigilance has its own filter system and at the end shows these alerts (see, now we are speaking about alerts, not events) to the Eyes On Glass (Event Analysts). An Event Analyst (EA), following some policies, procedures and checks, clicked on the alert, created a ticket (assigned to me), sent a notification to the client and called a representative, who woke up the internal team, which started their work.

I had no on-call policy (HP management saved money on it, in contrast to RIM, Invision and Manulife Financial, for example), slept well and was notified in the morning in the SOC room.

So first of all I carefully (be calm, fast, careful and ready to fight: rule #1 of a SOC worker) read the ticket, checked other alerts on Vigilance, opened the ArcSight Web Console, read the use case and related events and the events around them. I immediately paid attention to the "Actions" column, which contained the action "Blocked". At that moment one could think it was a content software mistake, but go check Case #2 and you will see the content engineering team was right.

Then I went to the client environment (during client onboarding I had a battle because I required access to the client environment, and now I had reason to thank myself) and found the same "Blocked" on the TippingPoint console. Added details to the ticket (found something? add it to the ticket), called the client, and let them breathe a little easier.

Then I went to check the malicious packet's source IP. Here is a little explanation why. Any scenario (a scenario is an important part of security incident investigation, and even of any troubleshooting procedure I developed) includes understanding what was sent, why, where from and by whom. But there was one thing which attracted my attention (another investigation rule: multitask your investigations but prioritize them at the same time): the small number of source IPs. What kind of hacker would attack a bank's web site from 1-2 IP addresses? Even if a hacker had hacked some IP addresses before and launched the attack from the hacked ones, why would he not care? Why would a hacker attract attention to his location? It did not fit a bank hacking scenario.

Both name resolution and geolocation of the source IP pointed to Akamai. I called the client (actually the representative) and he "remembered": they had the service (Why not notify us before, during the onboarding procedure, eh? I did not ask; it was not my business). But we still had questions: who sent the attack through the web proxy (Akamai), are we under fire, is it just a part of a slow attack, and how to react?

I spoke to TippingPoint's administrator and found the man had done his work properly and the system had recorded all malicious packets.

So on the next step I downloaded the packet from the TippingPoint console. Deep packet analysis of the related HTTP headers gave me the original source IP. (I did other work too, but right now it does not matter.) One more reverse name resolution and geolocation brought me to Symantec. I called the client and he remembered that "yes", they had a regular penetration test agreement with Symantec services...

I closed the ticket with resolution "false positive" after adding all the details. I told the EAs how to act in such a situation, made sure they had access to the RELATED (only) environment and knew how to use it, including how to do deep packet analysis.
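
The header analysis in this case, as an added example (this is not the author's code or tooling from the SOC): given a request recorded by a WAF behind a CDN / reverse proxy, recover the real client address from X-Forwarded-For and True-Client-IP, trusting those headers only when the TCP peer is the proxy. The proxy range, the request bytes and the assumption that these two headers are what the proxy inserts are all constructed for the illustration.

```python
"""Recover the original client IP behind a CDN / reverse proxy from a captured
HTTP request. Added example: the request bytes and the proxy address range are
constructed, and X-Forwarded-For / True-Client-IP are assumed to be the headers
the proxy in front of the site inserts."""
import ipaddress

# Hypothetical address range of the proxy / CDN edge in front of the web site.
# Only traffic whose TCP peer is in this range gets its forwarding headers trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed request as a WAF would record it: the left-most X-Forwarded-For
# entry was supplied by the client itself and is not trustworthy.
SAMPLE_REQUEST = (
    b"GET /login.php?user=%27%20OR%201%3D1-- HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"X-Forwarded-For: 10.9.8.7, 198.51.100.7\r\n"
    b"True-Client-IP: 198.51.100.7\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, {name: value}).
    Header names are case-insensitive, so keys are lower-cased; repeated
    headers are folded into one comma-separated value as RFC 7230 permits."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; ignore malformed input
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers


def is_trusted(ip_text: str, trusted) -> bool:
    """True when ip_text parses and lies inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # "unknown", hostnames and other junk are never trusted
    return any(ip in net for net in trusted)


def origin_ip(raw: bytes, tcp_src: str, trusted=TRUSTED_PROXIES) -> str:
    """Best estimate of the real client address.

    If the TCP peer is not a trusted proxy, every forwarding header is under
    the sender's control and the TCP source is the answer. Otherwise walk
    X-Forwarded-For from the right (the hop closest to us) and take the first
    address that is not itself a trusted proxy, falling back to True-Client-IP
    and finally to the TCP source."""
    if not is_trusted(tcp_src, trusted):
        return tcp_src
    _request_line, headers = parse_headers(raw)
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            continue
        if not is_trusted(hop, trusted):
            return str(ip)
    tci = headers.get("true-client-ip", "")
    if tci and not is_trusted(tci, trusted):
        try:
            return str(ipaddress.ip_address(tci))
        except ValueError:
            pass
    return tcp_src


if __name__ == "__main__":
    # Seen through the proxy: resolve to the address the proxy recorded.
    print(origin_ip(SAMPLE_REQUEST, "203.0.113.5"))   # 198.51.100.7
    # Same request arriving directly: the headers are forgeable, use the peer.
    print(origin_ip(SAMPLE_REQUEST, "192.0.2.44"))    # 192.0.2.44
```

The point an EA needs from this: the left-most X-Forwarded-For value is typed in by whoever sent the request, so it is evidence only when the hop that appended the trustworthy entries is known; read the chain from the right and stop at the first address that is not one of your own proxies.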

Work Case #2

A ticket was assigned to me for the same client and the same type (actually PHP) of web attack as in Case #1. But now the educated EAs did their job and checked the source IPs, which were from distributed Asian locations, even without reverse name resolution.

A meeting with the client technical team brought an interesting result. The client infrastructure had a hidden trail, outside of Akamai, which appeared to be known to hackers. So now the client was under a real threat. Thank the Lord and the administrator: TippingPoint did its work (so far) and blocked the attacks. But first of all the client immediately started to close the hidden trail. From my side I had to understand how dangerous these attacks were for the client. I downloaded the packets, did deep analysis and decoding (and then showed our EAs how to do it), analyzed the attacks, compared them to the client environment and found they were not dangerous (the client used patched PHP which could not be affected by this specific attack). So the ticket was closed with resolution: true positive, but the client was not impacted.

Work Case #3

A use case produced a brute force alert for a client. The base events (click on the correlated event on the Event Editor tab and see the base ones) reported an authentication brute force attack against an SSH server. The source IP was an internal one because of the switching environment, so I had to study the networking logs to resolve the NAT enigma. With these results I participated in several client meetings and politely confronted the client's network team with the problem: a worldwide open SSH tunnel in their perimeter and zone firewalls. We had no hands on the client network change procedure, so it took several months (and polite reminders at every meeting) before they closed the hole.
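
The brute force detection and NAT resolution in this case, as an added example that is not the author's content or the client's logs: detect the burst of failed SSH logins from sshd's standard log lines and map the post-NAT source back to the external address using firewall translation records. The sshd line format is OpenSSH's; the NAT log format (src=/xlatsrc=), the hosts and all addresses are constructed.

```python
"""Detect an SSH password brute force in sshd logs and map the (post-NAT)
source back to the real external address using firewall NAT logs.
Added example: the sshd lines follow the standard OpenSSH format, but the
NAT log format, hosts and addresses are constructed for this illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log: six failures in 40 seconds from 10.0.0.2, which is the
# address the firewall translated the attacker to, plus one unrelated failure.
SSH_LOG = """\
Jun 12 02:14:01 bastion sshd[4101]: Failed password for invalid user admin from 10.0.0.2 port 4101 ssh2
Jun 12 02:14:05 bastion sshd[4102]: Failed password for root from 10.0.0.2 port 4102 ssh2
Jun 12 02:14:12 bastion sshd[4103]: Failed password for invalid user oracle from 10.0.0.2 port 4103 ssh2
Jun 12 02:14:20 bastion sshd[4104]: Failed password for root from 10.0.0.2 port 4104 ssh2
Jun 12 02:14:31 bastion sshd[4105]: Failed password for invalid user test from 10.0.0.2 port 4105 ssh2
Jun 12 02:14:41 bastion sshd[4106]: Failed password for root from 10.0.0.2 port 4106 ssh2
Jun 12 02:15:03 bastion sshd[4107]: Failed password for jsmith from 10.0.1.50 port 50122 ssh2
""".splitlines()

# Constructed NAT translation log (hypothetical format): original source
# address/port and the translated address/port the SSH server actually saw.
NAT_LOG = [
    f"Jun 12 02:14:0{i} fw01 nat: src=203.0.113.9:{51800 + i} "
    f"xlatsrc=10.0.0.2:{4100 + i} dst=10.0.5.4:22"
    for i in range(1, 7)
]

SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2"
)
NAT_RE = re.compile(r"src=(?P<src>[\d.]+):\d+ xlatsrc=(?P<xsrc>[\d.]+):(?P<xport>\d+)")


def parse_ts(text: str, year: int = 2017) -> datetime:
    """Syslog timestamps carry no year; assume the year of the investigation."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def brute_force_sources(lines, threshold=5, window_s=60):
    """Return {source_ip: time of first alert} for every source with at least
    `threshold` failed logins inside a sliding window of `window_s` seconds."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        m = SSH_RE.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m["ts"]), m["ip"]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


def nat_table(lines):
    """{(translated_ip, translated_port): original_source_ip}. The translated
    port is what makes the lookup unambiguous when many external hosts are
    mapped onto one internal address."""
    table = {}
    for line in lines:
        m = NAT_RE.search(line)
        if m:
            table[(m["xsrc"], int(m["xport"]))] = m["src"]
    return table


def resolve_origins(ssh_lines, nat_lines, **kwargs):
    """For each brute-force source seen by sshd, list the external addresses
    behind it according to the NAT log (or 'unresolved' if none matched)."""
    table = nat_table(nat_lines)
    ports = defaultdict(set)
    for line in ssh_lines:
        m = SSH_RE.match(line)
        if m:
            ports[m["ip"]].add(int(m["port"]))
    result = {}
    for ip in brute_force_sources(ssh_lines, **kwargs):
        origins = {table[(ip, p)] for p in ports[ip] if (ip, p) in table}
        result[ip] = sorted(origins) or ["unresolved"]
    return result


if __name__ == "__main__":
    print(resolve_origins(SSH_LOG, NAT_LOG))  # {'10.0.0.2': ['203.0.113.9']}
```

Without the translation records the alert only names the firewall's inside address, which is exactly the dead end described above; the (address, port) pair from the sshd line is the key that ties the two logs together.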

Work Case #4

A client had a good network administrator who found time to run tests in his environment expecting to get the related security alerts. One test brought nothing and I was assigned to resolve the issue. Comparison of the filters related to this unhappy use case with the data sent to the connector by the client network devices, and then appearing in a base event, showed that the filter expected to get "ONE_STRING" and in reality got "spaceONE_STRING" (a leading space). The ticket was reassigned to our content development team.

Work Case #5

A banking client environment's analysis revealed a process name with non-printing characters. For this analysis I used specially developed active channels (dashboards in ArcSight terminology), inline filters, local tools implanted into a console menu and other special methods. The process behavior was not correlated with known banking activities and was not mentioned in the documentation. At the same time a gray hat source reported a Trojan with the same name. The result was reported to the client and they started the related procedures.

Work Case #6

During routine internet source analysis I found a gray hat service which aggregates more than 100 information sources (a week ago the count was 108) and gives information in JSON format. I wrote a program to convert the output into a CSV file used to feed an active list, which is used in a filter. The filter is run by a query and then by a report. All was rolled up into a bundle for moving to another ESM.
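
The JSON to CSV conversion described in this case, as an added example rather than the author's program: normalize and de-duplicate indicators from an aggregated feed before they land in an active list. The record layout (indicator, type, source, confidence) and all sample values are constructed; a real feed's field names have to be mapped onto these, and the CSV header must match the active list's columns.

```python
"""Convert an aggregated threat-intel feed's JSON output into a clean CSV that
can be imported into a SIEM active list. Added example: the feed record layout
(indicator, type, source, confidence) and every value in FEED_JSON are
constructed; a real feed's field names must be mapped to these."""
import csv
import io
import ipaddress
import json

# Constructed feed output with the usual defects: a duplicate, a private
# address, a malformed address, a domain with odd case and a trailing dot,
# and an indicator type the active list does not accept.
FEED_JSON = """[
  {"indicator": "198.51.100.23", "type": "ip", "source": "feed-a", "confidence": 80},
  {"indicator": "198.51.100.23", "type": "IP", "source": "feed-b, mirror", "confidence": 60},
  {"indicator": "10.0.0.5", "type": "ip", "source": "feed-a", "confidence": 90},
  {"indicator": "198.51.100.999", "type": "ip", "source": "feed-c", "confidence": 50},
  {"indicator": "Evil.Example.", "type": "domain", "source": "feed-a", "confidence": 70},
  {"indicator": "c2.example", "type": "domain", "source": "feed-b", "confidence": 75},
  {"indicator": "d41d8cd98f00b204e9800998ecf8427e", "type": "md5", "source": "feed-c", "confidence": 40}
]"""

FIELDS = ("indicator", "type", "source", "confidence")

# Addresses an active list of external indicators must never contain, otherwise
# the filter starts matching internal hosts. An explicit list is used instead of
# ipaddress.is_private because that also rejects the documentation ranges
# (198.51.100.0/24 etc.) used for the sample data here.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10")]


def normalize(records, min_confidence=0):
    """Validate, canonicalize and de-duplicate feed records.

    IPs must parse and must be routable; domains are lower-cased and stripped
    of the trailing dot. When the same indicator appears twice, keep the
    higher confidence and merge the sources."""
    kept = {}
    for rec in records:
        kind = str(rec.get("type", "")).strip().lower()
        value = str(rec.get("indicator", "")).strip()
        conf = int(rec.get("confidence", 0))
        if conf < min_confidence:
            continue
        if kind == "ip":
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                continue  # malformed address
            if any(ip in net for net in NON_ROUTABLE):
                continue
            value = str(ip)
        elif kind == "domain":
            value = value.rstrip(".").lower()
            if not value or any(c.isspace() for c in value):
                continue
        else:
            continue  # only IPs and domains go into this active list
        key = (kind, value)
        prev = kept.get(key)
        sources = {str(rec.get("source", "")).strip()}
        if prev:
            sources |= set(prev["source"].split(";"))
            conf = max(conf, prev["confidence"])
        kept[key] = {"indicator": value, "type": kind,
                     "source": ";".join(sorted(s for s in sources if s)),
                     "confidence": conf}
    return list(kept.values())


def normalize_feed(feed_text: str, min_confidence=0):
    return normalize(json.loads(feed_text), min_confidence)


def to_csv(rows) -> str:
    """Render rows as CSV with a header matching the active list's columns.
    csv.DictWriter quotes values containing commas, so a source such as
    "feed-b, mirror" cannot shift the columns."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def convert(feed_text: str, min_confidence=0) -> str:
    return to_csv(normalize_feed(feed_text, min_confidence))


if __name__ == "__main__":
    print(convert(FEED_JSON), end="")
```

The two checks that matter most for a list that will drive a filter are the routability check (a private address from a careless feed turns the filter into an alarm on your own servers) and the quoting, since a free-text source field with a comma is the classic way a hand-rolled CSV writer shifts every column after it.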

Work Case #7

This particular work case happened 11 years ago but is still a good example of the importance of accuracy in assembling and analyzing evidence. I was assigned to implement SCADA related signatures developed for the Snort IDS by a well known company. At the time I was asked to do the work we (our company) were late: the signatures had been developed and distributed a year earlier and the whole world used them without a single complaint. Instead of just implementing the signatures I made a virtual lab where I tried to recreate malicious Modbus traffic in the hope of getting the related security alerts. I got most of the expected security alerts but missed 3. Then I made a deep investigation of these 3 unhappy signatures and found mistakes. I repaired the signatures and we sent a report to Sourcefire (the Snort producer, which had not yet been bought by Cisco at that time) and to the company that produced the signatures. The funny part of the story is that we were the first and only ones who reported it, despite the fact that lots of other companies declared they used the signatures.
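
A replay test in the spirit of this case, as an added example: the Modbus/TCP framing below is the documented protocol, but the rules, and the off-by-one defect in one copy of them, are constructed for illustration and are not the actual signatures or the mistakes found at the time. It builds Modbus/TCP request frames, runs them through simple content/offset rules and shows which fire.

```python
"""Build Modbus/TCP frames and replay them through simple content-match rules,
the way a lab can show whether an IDS signature fires on the traffic it claims
to cover. Added example: the MBAP layout and function codes are the documented
Modbus/TCP protocol; the rules and the off-by-one error are constructed."""
import struct

MBAP_LEN = 7                 # transaction id (2) + protocol id (2) + length (2) + unit id (1)
FUNCTION_OFFSET = MBAP_LEN   # the function code is the first PDU byte

# Standard Modbus function codes that change the state of a device.
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}


def modbus_frame(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Encode one Modbus/TCP request. The MBAP length field counts the unit id
    plus the PDU (function code + data); protocol id 0 means Modbus."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def decode(frame: bytes) -> dict:
    """Parse and sanity-check a frame; raises ValueError on a malformed MBAP."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or length")
    return {"tid": tid, "unit": unit, "function": frame[FUNCTION_OFFSET],
            "data": frame[MBAP_LEN + 1:]}


def rule(name: str, offset: int, content: bytes) -> dict:
    """A minimal content rule: the payload must carry `content` at `offset`
    (the same idea as Snort's content/offset/depth keywords)."""
    return {"name": name, "offset": offset, "content": content}


def matches(r: dict, payload: bytes) -> bool:
    end = r["offset"] + len(r["content"])
    return payload[r["offset"]:end] == r["content"]


def replay(frames, rules):
    """Run every frame through every rule; returns the alert names per frame."""
    return [[r["name"] for r in rules if matches(r, f)] for f in frames]


# Rule set as it should be written: the function code sits right after the
# 7-byte MBAP header.
RULES_OK = [rule(f"modbus {name}", FUNCTION_OFFSET, bytes([code]))
            for code, name in WRITE_FUNCTIONS.items()]
# The same rules with the offset one byte short: they inspect the unit id instead.
RULES_OFF_BY_ONE = [rule(r["name"], r["offset"] - 1, r["content"]) for r in RULES_OK]

# Constructed lab traffic: a write to coil 1 on unit 1 (should alert) and a
# harmless read of 10 holding registers from unit 5 (should not).
LAB_TRAFFIC = [
    modbus_frame(1, 1, 0x05, b"\x00\x01\xff\x00"),
    modbus_frame(2, 5, 0x03, b"\x00\x00\x00\x0a"),
]

if __name__ == "__main__":
    print(replay(LAB_TRAFFIC, RULES_OK))          # [['modbus Write Single Coil'], []]
    print(replay(LAB_TRAFFIC, RULES_OFF_BY_ONE))  # [[], ['modbus Write Single Coil']]
```

The wrong-offset rule set both misses the real write and fires on a benign read from unit id 5, which is why replaying known traffic in a lab, rather than trusting a widely distributed signature set, is what exposes this class of error.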

Work Case #8

Helped Q1 Labs add a new security feature, IPS, to their QRadar product (NBAD and SIEM). Made resolvers for their Intrusion Prevention System. Wrote prototypes of TCP Reset, ARP Poisoning and Cisco Switch / PIX resolvers. The Department of Homeland Security liked the product.

Work Case #9

Working for Circadence I invented a 0-day web application vulnerability scanner. In two weeks my tool found more bugs than the whole QA department in half a year, and I even got the best employee award. It was the year 2000, so I had no chance to use lots of easy-to-use VA, PT, SAST and other security tools, but later I did not miss the opportunity to work with saint, Retina, nmap, Nessus (with NASL2 plugins I wrote), WebInspect, AppScan, N-Stalker, Burp Suite, Metasploit, Wireshark (with Lua extensions), etc.

Work Case #10

A huge network corporation "forgot" to patch and upgrade their servers... for 10 years. And "saved" money on third-party product support. So once they drove into a situation where the server vendor stopped supporting the outdated servers, some application vendors had disappeared and nobody could help them with the products, and even some sources for internally developed applications were lost. Sometimes market success costs more than is mentioned in the accounting papers. In less than 2 months I developed a set of scripts which did the reverse engineering, upgrade and migration.

Work Case #11

A corporation held the international market in their sector but had no VA program. My attempts to establish such a policy / program met aggressive opposition from the network and system support teams. To keep me "busy" and far from the problem they made me facilitate a hacked computer's forensic analysis. During a meeting where I presented the proper analysis results I additionally reported on the previous file system status recovered by The Sleuth Kit and Autopsy. The recovered data showed that the same teams which refused to let me start a VA program had used Nessus for their own purposes. As a result I got the green light.
