Who are home/work labs for?

An enterprise-grade lab, whether a home lab or work lab, enables individuals to learn new technologies. However, there is a large time commitment, and self-learning is not for everyone. But does building a lab have to be self-taught? Are labs only for elitists or those with “passion”? This blog attempts to answer the who, what, and why behind building out an enterprise-grade lab.

I believe enterprise-grade labs are fit for anyone in information technology. However, I do not believe everyone is a fit for an enterprise-grade lab. I mean that individuals need to have a motivating factor that encourages them to take time and build out a lab. The question “what is in it for me” helps identify who should consider building a lab. Motivation may be as granular as needing to learn a specific technology to complete a work project. However, if that is the motivation, then the lab is targeted to a single goal. Once that goal is complete, the concept of a lab is no longer necessary. In this blog, I will explore more broad motivation factors and how they change based on where you are in your career.

What are key Motivation Factors?

Below is a list of common motivation factors. Each individual’s motivation factors will be different. It is unlikely you will match every factor.

Passion

Unfortunately, lab environments are commonly associated with those with a passion for IT. Why do I consider this unfortunate? Because it is one of the major causes of labeling and imposter syndrome around building an enterprise-grade lab. I included individuals who have extensive lab environments because we enjoy building and destroying things over and over.

In a way, labs to those with passion reflect the adult version of Legos (nothing wrong if you still play with Legos, they are for adults as well). When my young children build a cool Lego set, what do they do? They show it off to mom and dad. They are proud of what they built. They should be. This pride does not translate well in the real-world for adults. I don’t know how often fellow co-workers or clients thought I was bragging and boasting about my lab. When I stop to look back on how I worded my sentences, I realize… maybe I was. Or maybe the way I communicated came off that way. Add to this, some individuals are cocky and boastful, and “passion” gets mislabeled as elitist or beyond the mass populace. Thus, imposter syndrome blocks individuals from public speaking and makes them feel that a lab environment is above them. Please… don’t feel this way. If I ever caused you to feel that way, I’m sorry. For those of you who build things out of passion, congratulations. You are in the minority. Keep that passion, and make sure you constructively share your passion.

Reason for motivation: We love building and destroying things.
Caution: Be careful not to boast or bring others down. You have a cool lab. Others may not. Encourage, don’t brag.

Money

Money is the root of all evil. Wrong. The pursuit of money is. Does that mean that learning and building out a lab to make more money is evil? No, it is smart. You may have a family to feed, need to put food on the table, and should be considering retirement. Working to the point of death does not make sense. But putting in the effort now so you can get a raise, a promotion, or a new job/first job is something that pays dividends throughout your lifetime.

Promotions and Raises

How does building a lab out help you gain money? Building a lab can help you learn specific technologies to help with your company goals if you already in IT. In turn, this can lead to a promotion or raise. Keep in mind, it is not unreasonable to ask your employer to pay for hardware or software to use for the lab. Employers, it would help if you were willing to do so and even provide an hour here and there for your employees to grow. It pays dividends. Don’t tell me there’s not enough time. I’ve hired and employed many individuals. I know without a shadow of a doubt that a little bit of training provides a lot of results. It’s like putting money into retirement. It isn’t fun as I’d rather use the money now, but putting money into retirement late in the game can short change someone hundreds of thousands of dollars.

Professional Services

If you do professional services, having a lab provides the ability to branch out into new contracts. If you are an organization, having the knowledge you build in a lab can help you build a side hustle. I had side hustles most of my career. The extra income was always appreciated.

If you own your own company, a lab has the bonus of building new processes or service offerings. My staff at H & A Security Solutions LLC are constantly learning or coming up with new things. They make the company more money, which makes me want to pay them more and increase their bonuses. Everyone wins, including the clients.

Getting a Job

Arguably, one of the best benefits of building an enterprise-grade lab is getting a job, whether your first IT job or a new one. The best way I know to translate this is with an analogy. Let’s say you are hiring for an information security position. You have 100 resumes to pick from. If you’ve ever been a hiring manager, you know how hard this task is.

On paper, you see college degrees, certifications, and years of job experience. The reality is that 20 years of experience does not mean 20 years of continued knowledge gathering or any level of mastery. College degrees often result in a theoretical understanding of a topic but not a practical application (whatever happened to apprenticeships – different topic). Certifications, well where to begin? I’ve got sixty-one certifications. Does that mean I am a master of all things and that every topic I have certification on that I’m truly an expert? I’m not sure if that’s true or not. Certification simply means someone knows a bare minimum knowledge to pass an exam or has a mastery at understanding and interpreting test questions and answers. I believe having certifications is better than not having certifications. However, I would not hire someone just off certifications as I’ve learned that they are not sufficient to prove knowledge.

So of the 100, how can I narrow it down? Assume that I start interviewing individuals. Questions I may ask would look like below.

• “I see you have experience with intrusion detection sensors. Can you explain how that works?”
• “On your resume, you mentioned you are fluent in Docker and Kubernetes. Can you explain where the technology does a great job and where it does not?”
• “Wow. That’s great that you have the GIAC Certified Windows Security Administrator. How have you used that in your career? Do you have hands-on experience? Have you practically used that skillset?”

These three simple questions are often enough to dismiss 75%+ of job applicants. On paper, things look great. But upon asking questions, there is a complete lack of applied skills and practical, first-hand knowledge. Now, let’s assume I ask the same questions but get the responses below.

• Interviewer – “I see you have experience with intrusion detection sensors. Can you explain how that works?”
• Applicant – “While I currently have not deployed IDS in a real-world environment, I have deployed multiple IDS sensors such as Snort or Suricata in my home lab. I’ve used tools like Security Onion and pulled pork to manage rules centrally and have even taken the time to learn to tune the rules to eliminate false positives. The other day I even followed a YouTube video on how-to replay malware or benign PCAPs to evaluate rule signatures. I’m not sure I’m an expert, but I do have a decent amount of time playing with the technologies.”
• Interviewer – “On your resume, you mentioned you are fluent in Docker and Kubernetes. Can you explain where the technology does a great job and where it does not?”
• Applicant – “I started playing with containers because I understood virtual machines, but I was confused as to the difference between a container and a virtual machine. I was shocked at how simple they were to deploy and maintain. There’s not really an underlying OS to patch as only the bare minimum OS files are within a container’s image. You just deploy the service, which is why they are considered microservices. While I haven’t deployed containers in a production environment, I have some containers running at home that act as my open source SIEM and proxy services. They are great because they require less time to patch and maintain so long as the host kernel is patched. Containers may not be a fit for services that running them as a container can become overly complex such as database services or applications that require GUI interaction.”
• Interviewer – “Wow. That’s great that you have the GIAC Certified Windows Security Administrator. How have you used that in your career? Do you have hands-on experience? Have you practically used that skillset?”
• Applicant – “In my current job, I do not get to interact with our Windows environment. However, I was fortunate enough to pick up the SANS SEC505 course. I’ve replicated much of the content in a home lab where I’ve deployed Active Directory domain controllers and even an AD-integrated Public Key Infrastructure. I have automatically enrolled certificates that can be used for IPSec, multifactor authentication, and hardening of TLS services such as RDP. I’ve also applied hardening policies via group policy and am familiar with PowerShell and PowerShell Remote Management. I’ve even taken the time to setup Windows Event Forwarding and Collection, which was way easier than I thought it would be. Again, I have not done any of these in a production environment, but I have set them up before.

In all three of the above questions, the applicant has stated they have no production experience or even “I’m not sure I’m an expert.” If you were a hiring manager, what would you think? I’ve interviewed many, many individuals. The individuals who have worded responses as above were on my immediate shortlist, most of whom I have hired. Of hundreds of interviews, I can count on my fingers the individuals who had labs or equivalent hands-on experience (real-world experience counts). When I’ve asked other hiring managers, I get the same response, especially in the Cyber Defense realm of information security.

The moral of this analogy is that having hands-on experience with a lab can profoundly impact your interviews and capability to get hired. Please note, you still have to make it past HR’s initial resume scan. Therefore, college degrees, years of experience, and certifications still are helpful.

Personal Satisfaction

Like passion, some individuals benefit from a home lab simply out of their enjoyment. For example, scholars find joy in the pursuit of knowledge. It becomes a path or journey where that journey is more important than any of the individual steps. In this case, a lab environment provides continuous learning. Continuous, not out of fear of being obsolete, but out of the joy of constantly being challenged.

For others, a lab environment brings a sense of accomplishment. The result is the brain releasing dopamine and biological happiness. How is this possible? Are you an individual that loves playing crossword puzzles, sudoku, etc.? Completing a challenge feels good. The same concept applies in a lab. You have a challenge. You do not win until you figure out the answer. In a lab, that is trying to get something to work properly. Sometimes it’s an easy win. Others, it is super challenging and maybe even a bit frustrating. But once you have it working, you jump in the air with a “Yes!!!”.

Product Selection

Lab environments also help take the guesswork out of product selection. If you take the time to deploy various products in a lab or cloud environment, you effectively get to perform a bake-off. Without doing this, you are asking a clearly biased vendor for best practices. What happens if vendor A has a superior product, yet your staff cannot figure out how to use those “better features”? I’ve had products that had vastly better capabilities but were so hard to use that my team would have been better off purchasing vendor B’s “inferior” product. Had I taken the time to do a proof of concept, I would have figured that out. Instead, I wasted CapEx on a product and OpEx with the team’s labor trying to maintain vendor A’s product.

Summary

A lab environment is far more uncommon than it should be. Who benefits from a lab environment? Everyone. Who is willing to take the time to build one out? Hopefully, you are. Where do you start?

Let me help you with that. H & A Security Solutions LLC will be posting a series of videos on YouTube showing you how to build a home lab. The video series will include:

1. Hardware and software recommendations (and how to keep costs down)
2. Numerous how-tos with step-by-step instructions (such as deploying an Active Directory domain, SIEM, NSM, TLS inspection, proxies, cloud services, etc.)
3. PROs and CONs of solutions and where they work well or fail
4. Professional stories and experiences

To follow along, subscribe to our YouTube series here:

https://www.youtube.com/channel/UCm_mbQiaK2_a6iuhcMpoNIQ/

We are also considering turning these free videos into a low-cost (thinking around $249) commercial course with around 40 to 60 hours of formal training and even more hands-on learning. If you would be interested in such as course, please let us know at [email protected] If the course is built, early subscribers will be given a discount.