Cyber Defense

Instructor Spotlight: John Hubbard, SOC Manager and SEC455 Co-Author



Meet John Hubbard. John is a dedicated blue-teamer and is driven to help develop defensive talent around the world. Through his years of experience as the SOC Lead for GlaxoSmithKline, he has real-world, first-hand knowledge of what it takes to defend an organization against advanced cyber-attacks and is eager to share these lessons with his students. As a SANS Cyber Defense curriculum instructor and course author of SEC455, John specializes in threat hunting, network security monitoring, SIEM design and optimization, and constructing defensive postures that allow organizations to protect their most sensitive data. Throughout class, he works with students to explain difficult concepts in relatable and clear language, illustrates important ideas with stories and demonstrations, and encourages students to push themselves beyond the limit of what they thought possible.

Our Industrials & Infrastructure team had a chance to sit down with John Hubbard (@SecHubb), GlaxoSmithKline SOC Manager, SANS Author and Instructor, and dedicated Blue Teamer.

SANS: What made you choose to work in tech/security?

John: I love this industry because there's always a fresh challenge to be solved. Attacks are constantly evolving, so defenders need to stay on their toes. When there's a bit of downtime, you can look to improve in other ways. For example, in our SOC, any time we find ourselves doing something repetitive, we write a tool to automate the painful or monotonous parts and leave only the interesting aspects to be done by the analysts. This has multiple benefits as it keeps people challenged to do new things, eliminates repetitive work, and frees us up to continue to build upon what we've already developed. Doing that keeps the group engaged and the team constantly reaching higher levels of capability and efficiency.


SANS: What was your first SANS course?

John: Apparently I like to jump in the deep end because the first SANS class I ever took was FOR610: Reverse-Engineering Malware. Taking that class and learning those skills launched my career as a SOC analyst at a speed I never thought possible. The course and certification test were intense, but it paid off in a big way. After that, I was hooked!


SANS: What course is on your wish list?

John: I'd love to take Micah Hoffman's new SEC487: Open Source Intelligence Gathering and Analysis class. The area is so interesting and hard to keep up with. The amount of freely available data about yourself and others has serious real-world implications. Knowing Micah and his passion for the topic, I'm sure it's an outstanding and informative class - just reading the summary makes me slightly paranoid.


SANS: What song is missing from the NetWars playlist? What would you add?

John: I always thought the C418 Remix of the Stranger Things theme song was a pretty good match for NetWars. Also, pretty much anything by The Glitch Mob is a good match for the NetWars vibe.


SANS: What SANS event are you looking forward to most this year?

John: For sure the Blue Team Summit! I'm excited to be teaching SEC555 there, and given the amazing experience we had with the defense crowd at the SIEM Summit last year, I expect this event to be right on course with that. Plus, it's in Louisville, and that's always a great time!

One of my constant pushes is trying to optimize blue team operations. Every time I go to a Summit, I learn about new and unique ways others have solved problems and how to improve our processes. Afterwards I'm always able to bring that info home and take my detection techniques and defensive knowledge to a new level.


SANS: How has security changed in your industry?

John: Security has changed the pharmaceutical industry in a lot of ways. Gone are the days that we can assume intellectual property will likely stay that way — and that manufacturing will work barring mechanical failure. There are so many more threats and attack vectors that need to be considered now, we have to make sure everyone has a well thought out contingency plan, and that multiple safeguards are in place to ensure the continuity and integrity of business processes. Since people's lives literally depend on our ability to do research and manufacture product, there's no option but to do everything we can to make sure it runs smoothly.


SANS: What do you want people to know about you?

John: Like most people in this industry, I'm a total tech nerd, but that extends to the realm of lower level hardware in my case. My degrees are in Electrical and Computer Engineering, so in the time that I'm not doing something related to InfoSec, I like to get into hardware and electronics. I'll look for any excuse I can to use an oscilloscope or logic analyzer, and I absolutely love soldering. I've also done a lot of car electronics work in the past including stereo installation, amplifier design and speaker building. I'm sort of all over the place in my hobbies, and can't figure out which I like most. As soon as I can figure out how to make a robot that will roast me fresh coffee every week, I'll be attempting that too. :)

Thanks, John, for taking the time to share more about your background and your role as a SOC Manager and SANS instructor. To learn more about John and where you can take his next course — visit his SANS bio page:

