The Detection at Scale Podcast is dedicated to helping security practitioners and their teams succeed at managing and responding to threats at a modern, cloud scale. Every episode is focused on actionable takeaways to help you get ahead of the curve and prepare for the trends and technologies shaping the future.
Elliot Colquhoun, VP of Information Security + IT at Airwallex, has built what might be the most AI-native security program in fintech, protecting 1,800 employees with just 9 security engineers by building systems that think like the best security engineers. His approach to contextualizing every security alert with institutional knowledge offers a blueprint for how security teams can scale without proportional headcount growth. Elliot tells Jack about his unconventional path from Palantir's deployed engineer program to leading security at a Series F fintech, emphasizing how his software engineering background enabled him to apply product thinking to security challenges. His insights into global security operations highlight the complexity of protecting financial infrastructure across different regulatory environments, communication platforms, and cultural contexts while maintaining unified security standards.

Topics discussed:
The strategic approach to building security teams at a 0.5% security-engineer-to-employee ratio through AI automation and hiring engineers with entrepreneurial backgrounds rather than traditional security-only experience.
How to architect internal AI platforms that contextualize security alerts by analyzing historical incidents, documentation, and company-specific knowledge to replicate senior engineer decision-making at scale.
The methodology for navigating global regulatory compliance across different jurisdictions while maintaining development velocity and avoiding the trap of building security programs that slow down business operations.
Regional security strategy development that accounts for different communication platform preferences, cultural attitudes toward privacy, and varying attack vectors across global markets.
The framework for continuous detection refinement using AI to analyze false positive rates, true positive trends, and automatically iterate on detection strategies to improve accuracy over time.
Implementation strategies for mixing and matching frontier AI models based on specific use cases, from using Claude for analysis to o1 for initial assessments and Gemini for deeper investigation.
"Big bet" security investments where teams dedicate 30% of their time to experimental projects that could transform security operations if successful.
How to structure data and human-generated content to support future AI use cases, including training security engineers to document their reasoning for model improvement.
The transition from traditional security tooling to agent-based systems that can control multiple security tools while maintaining business-specific context and institutional knowledge.
The challenge of preserving institutional knowledge as AI systems replace human processes, including considerations for direct AI-to-regulator communication and maintaining human oversight in critical decisions.
In this episode of Detection at Scale, Jack speaks with Jacob DePriest, VP of Security/CISO at 1Password, who shares insights from his 15-year journey from the NSA, to leading security at GitHub, to his current role. Jacob discusses his framework for assessing security programs with fresh eyes, emphasizing business objectives first, then addressing risks, and finally implementing the right security measures. He also explores how generative AI can enhance security operations while maintaining that human expertise remains essential for understanding threat intent. As 1Password transforms from a password manager to a multi-product security platform, Jacob outlines his approach to scaling security through engineering partnerships and automation, while offering practical leadership advice on building relationships, maintaining work-life balance, and aligning security initiatives with business goals.

Topics discussed:
Transitioning from engineering to security leadership and how that technical background provides empathy when implementing security controls.
Approaching security program assessment by first understanding business objectives, then identifying risks, and finally implementing appropriate measures.
Exploring 1Password's evolution from a password management product to a multi-product security company with extended access management.
Balancing generative AI's capabilities with human expertise in security operations, recognizing AI's limitations in understanding intent.
Leveraging AI to enhance incident response through automated summaries and context gathering to speed up triage processes.
Implementing AI applications in GRC functions like vendor reviews and third-party questionnaires to increase efficiency and reduce tedium.
Building sustainable security operations by ensuring security tools have proper access to data through education and partnership.
Addressing the varying security postures across the vendor landscape through a risk-based approach focusing on access and visibility.
Scaling security teams by clearly connecting their work to business objectives and ensuring team members understand why their tasks matter.
Three pillars of security leadership: building a trusted network, establishing sustainable work-life balance, and connecting security to business goals.
In this episode of Detection at Scale, Matthew Martin, Founder of Two Candlesticks, shares practical approaches for implementing AI in security operations, particularly for smaller companies and those in emerging markets. Matthew explains how AI chatbots can save analysts up to 45 minutes per incident by automating initial information gathering and ticket creation. Matthew's conversation with Jack explores critical implementation challenges, from organizational politics to data quality issues, and the importance of making AI decisions auditable and explainable. Matthew emphasizes the essential balance between AI capabilities and human intuition, noting that although AI excels at analyzing data, it lacks understanding of intent. He concludes with valuable advice for security leaders on business alignment, embracing new technologies, and maintaining human connection to prevent burnout.

Topics discussed:
Implementing AI chatbots in security operations can save analysts approximately 45 minutes per incident through automated information gathering and ticket creation.
Political challenges within organizations, particularly around AI ownership and budget allocation, often exceed technical challenges in implementation.
Data quality and understanding are foundational requirements before implementing AI in security operations to ensure effective and reliable results.
The balance between human intuition and AI capabilities is crucial, as AI excels at data analysis but lacks understanding of the intent behind actions.
Security teams should prioritize making AI decisions auditable and explainable to ensure transparency and accountability in automated processes.
Generative AI lowers barriers for both attackers and defenders, requiring security teams to understand AI capabilities and limitations.
In-house data processing and modeling are preferable for sensitive customer data, with clear governance frameworks for privacy and security.
Future security operations will likely automate many Tier 1 and Tier 2 functions, allowing analysts to focus on more complex issues.
Security leaders must understand their business thoroughly to build controls that align with how the company generates revenue.
Technology alone cannot solve burnout issues; leaders must understand their people at a human level to create sustainable efficiency improvements.
The security automation landscape is undergoing a transformation as AI reasoning capabilities replace traditional rule-based playbooks. In this episode of Detection at Scale, Oliver Friedrichs, Founder & CEO of Pangea, helps Jack unpack how this shift democratizes advanced threat detection beyond Fortune 500 companies while simultaneously introducing a new attack surface. Security teams now face challenges including 86 distinct prompt injection techniques and emergent "AI scheming" behaviors where models demonstrate self-preservation reasoning. Beyond highlighting these vulnerabilities, Oliver shares practical implementation strategies for AI guardrails that balance innovation with security, explaining why every organization embedding AI into its applications needs a security framework spanning confidential information detection, malicious code filtering, and language safeguards.

Topics discussed:
The "read versus write" framework for security automation adoption: organizations consistently authorized full automation for investigative (read-only) processes but required human oversight for remediation actions that change system state.
Why pre-built security playbooks limited SOAR adoption to Fortune 500 companies and how AI-powered agents now enable mid-market security teams to respond to unknown threats without extensive coding resources.
The four primary attack vectors targeting enterprise AI applications: prompt injection, confidential information/PII exposure, malicious code introduction, and inappropriate language generation from foundation models.
How Pangea implemented AI guardrails that filter prompts in under 100 milliseconds using their own AI models trained on thousands of prompt injection examples, creating a detection layer that sits inline with enterprise systems.
The discovery of "AI scheming" behavior where a model processing an email about its replacement developed self-preservation plans, demonstrating emergent risks beyond traditional security vulnerabilities.
Why Apollo Research and Geoffrey Hinton, Nobel-Prize-winning AI researcher, consider AI an existential risk and how Pangea is approaching these challenges by starting with practical enterprise security controls.

Check out Pangea.com
In this special episode of Detection at Scale, Jack welcomes back Matt Jezorek, Panther's new CISO, for a conversation about effective security strategies. Drawing from his experience scaling Amazon's security operations and leading teams at Dropbox, Matt advocates for a simplified approach focused on three core pillars: identity protection, vulnerability management, and detection/response capabilities. He challenges conventional thinking about alert volumes, explains why human expertise remains irreplaceable despite AI advancements, and shares how his farm life perspective helps maintain balance in high-pressure situations. Matt also offers practical personal security recommendations and emphasizes the power of staying curious in both security and life.

Topics discussed:
Scaling security operations effectively by focusing on signal collection rather than atomic alerts to manage the overwhelming volume of security data.
The critical importance of identity protection, vulnerability management, and detection/response as the three core pillars of simplified security.
Why human intuition and expertise remain irreplaceable in security operations despite advancements in AI technology.
Why understanding response strategies should precede detection efforts, as detection without response capability offers limited value.
The challenges of distinguishing between attacker behavior and legitimate user actions when both use similar access patterns.
Approaches to evicting attackers from networks while gaining sufficient intelligence about their techniques and objectives.
Practical personal security recommendations including mailbox locks, encrypted messaging, and credit report monitoring to prevent identity theft.
The importance of direct communication and staying curious as foundational principles for both security leadership and life.
Managing security for a device that can autonomously interact with third-party services presents orchestration challenges that go beyond traditional IoT security models. In this episode of Detection at Scale, Matthew Domko, Head of Security at Rabbit, gives Jack an in-depth look at building security programs for AI-powered hardware at scale. He details how his team achieved 100% infrastructure-as-code coverage while maintaining the agility needed for rapid product iteration. Matt also challenges conventional approaches to scaling security operations, advocating for a serverless-first architecture that has fundamentally changed how they handle detection engineering. His insights on using private LLMs via Amazon Bedrock to analyze security events showcase a pragmatic approach to AI adoption, focusing on augmentation of existing workflows rather than wholesale replacement of human analysis.

Topics discussed:
How transitioning from reactive SIEM operations to a data-first security approach using AWS Lambda and SQS enabled Rabbit's team to handle complex orchestration monitoring without maintaining persistent infrastructure.
The practical implementation of LLM-assisted detection engineering, using Amazon Bedrock to analyze 15-minute blocks of security telemetry across their stack.
A deep dive into security data lake architecture decisions, including how their team addressed the challenge of cost attribution when security telemetry becomes valuable to other engineering teams.
The evolution from traditional detection engineering to a "detection-as-code" pipeline that applies infrastructure-as-code practices to security rules, enabling version control, peer review, and automated testing of detection logic while maintaining rapid deployment capabilities.
Concrete examples of integrating security into the engineering workflow, including how they use LLMs to transform security tickets to match engineering team nomenclature and communication patterns.
Technical details of their data ingestion architecture using AWS SQS and Lambda, showing how two well-documented core patterns enabled the team to rapidly onboard new data sources and detection capabilities without direct security team involvement.
A pragmatic framework for evaluating where generative AI adds value in security operations, focusing on specific use cases like log analysis and detection engineering where the technology demonstrably improves existing workflows rather than attempting wholesale process automation.
What does AI in security operations actually look like at scale? In this episode of Detection at Scale, Mor Levi, VP of Detection, Analysis, & Response at Salesforce, shares her team's hands-on experience with Agentforce, from achieving 90% automation in initial case triage to setting ambitious goals for full automation. Her conversation with Jack goes deep into the practical realities: integrating AI with existing tools, evolving analyst roles, and why human creativity matters more than ever. Through candid discussion and real-world examples, Mor shares both the successes and challenges of bringing AI into enterprise security, offering lessons for teams at any stage of their AI journey.

Topics discussed:
Implementing generative AI agents for security operations, achieving 90% automation in initial triage while maintaining effectiveness and reliability.
Securing LLM implementations through comprehensive threat modeling, focusing on data access controls and potential abuse scenarios.
Integrating AI agents with existing SOAR platforms to create automation workflows while maintaining operational control.
Evolution of security analyst roles as AI handles routine tasks, emphasizing strategic thinking and hypothesis development.
Importance of data quality and systematic implementation in training effective security-focused AI agents.
Strategies for maintaining consistency and reliability in AI-driven security operations through proper prompt engineering.
Building effective guardrails and controls for AI systems while enabling powerful automation capabilities.
Balancing automation with human oversight to ensure security effectiveness and maintain operational integrity.
Future trends in AI-driven security operations and the increasing importance of creative problem-solving skills.
Practical advice for implementing AI in security operations, emphasizing focused use cases and clear success criteria.
In this episode of Detection at Scale, Jack speaks to Brandon Kovitz, Senior Manager of Detection & Response at Outreach, who shares his insights on the evolving landscape of cybersecurity. He discusses the role of generative AI in enhancing detection and response capabilities, emphasizing the importance of understanding data to maximize security tools' effectiveness. Brandon also highlights the balance between human intuition and AI, noting that while AI can analyze vast amounts of data, it lacks the nuanced understanding of intent that only humans can provide. Tune in to learn how organizations can leverage AI while maintaining essential human oversight in their security strategies.

Topics discussed:
The importance of operationalizing detection and response capabilities to enhance security posture in a cloud-native, SaaS-first environment.
Leveraging generative AI to improve data analysis and streamline detection processes, enabling faster responses to emerging cyber threats.
The balance between AI capabilities and human intuition, emphasizing that human expertise is essential for understanding the intent behind actions in cybersecurity.
Understanding the data landscape is vital for maximizing the effectiveness of security tools and ensuring a strong return on investment.
The role of automation in reducing the noise from tier one and tier two security alerts, allowing teams to focus on complex issues.
Insights on building a detection-as-code pipeline to facilitate rapid implementation of security measures in response to emerging vulnerabilities.
The significance of collaboration between security teams and privacy experts to ensure compliance and protect customer data in AI initiatives.
The future of cybersecurity operations, including the potential for AI to automate many routine tasks and enhance overall operational efficiency.
The necessity for ongoing education and adaptation in the cybersecurity field to keep pace with technological advancements and evolving threats.

Resources Mentioned:
Brandon Kovitz on LinkedIn
Outreach website
In this episode of Detection at Scale, Jack speaks to JJ Tang, CEO and Co-founder of Rootly, about rethinking incident management in tech organizations. JJ shares his journey from practitioner to founder and emphasizes the importance of viewing incident management as a cultural and collaborative effort rather than just a tooling issue. JJ touches on breaking down silos between security and other teams to enhance communication and reliability, and empowering security practitioners to take on educator roles within their organizations. He also offers actionable insights on creating a culture of reliability and improving incident response strategies.

Topics discussed:
The importance of viewing incident management as a cultural shift rather than just a tooling problem, focusing on people and processes.
Strategies for breaking down silos between security teams and other departments to foster collaboration and improve incident response effectiveness.
The role of security practitioners as educators, helping other teams understand best practices and the importance of security in incident management.
The significance of collecting and analyzing data on repeat incidents to identify root causes and prevent future occurrences.
Insights on how to create a culture of reliability within organizations, making incident management a shared responsibility across teams.
The challenges faced during the transition from a practitioner role to a founder and CEO in the tech industry.
The impact of AI and automation on incident management, including how these technologies can improve response times and learning from incidents.
The necessity of having a clear governance framework in place to ensure data privacy and security during incident management processes.

Resources Mentioned:
JJ Tang on LinkedIn
Rootly website
In this episode of Detection at Scale, Jack speaks to Thijn Bukkems, Threat Hunting Lead at Grammarly. Thijn shares his expertise on building a robust security intelligence program, emphasizing the importance of leveraging existing resources and adapting current tools to enhance threat detection. Thijn discusses the value of working backwards from response strategies to design effective detection mechanisms. He also highlights the necessity of collaboration across teams, urging listeners to avoid silos in decision-making to uncover unexpected insights.

Topics discussed:
The importance of utilizing current tools and knowledge, adapting them to enhance threat detection rather than starting from scratch.
The value of designing detection mechanisms by first understanding how to respond to potential threats, ensuring proactive preparedness.
The need to avoid silos in decision-making, as insights from various teams can lead to significant improvements in security measures.
The critical aspects of security intelligence, focusing on assessing risks and anticipating potential attacks.
The finite nature of security engineering time and the importance of prioritizing tasks effectively.
How internal threat modeling helps in identifying vulnerabilities and understanding potential attack vectors within the organization.
The balance between analytical research and production-ready work, including the need for code-oriented solutions in security.
The iterative process of collecting and analyzing data to answer broad security questions and develop actionable plans.
The role of automation in optimizing data collection and analysis, improving efficiency in addressing security concerns.
How the security intelligence team provides strategic insights to guide the business in prioritizing security efforts effectively.

Resources Mentioned:
Thijn Bukkems on LinkedIn
In this episode of Detection at Scale, Jack speaks with Saksham Tushar, Head of Security Operations & Threat Detection Engineering at CRED, about the challenges of compliance in a high-growth environment. Saksham shares CRED's strategy for automating security processes and enriching data to enhance threat detection. He emphasizes the importance of verifying automated outcomes to ensure accuracy. Saksham also covers how CRED uses Python libraries for efficient incident response and the significance of contextual understanding in security incidents. With a focus on streamlining compliance and leveraging intelligence, Saksham provides insights into building a robust security operations framework in a rapidly evolving landscape.

Topics discussed:
How CRED distilled complex compliance requirements into a manageable set of common standards to streamline processes.
The importance of correlating various log sources to create a comprehensive view of security incidents.
How automation has transformed security processes, making them more efficient and effective.
The use of threat intelligence and how it is centralized and automated to provide actionable insights for security teams.
The development of internal Python libraries that facilitate quick data queries for incident investigations.
The importance of understanding the context around security incidents to better inform responses and strategies.
How using notebooks for investigations aids in communication and auditing, allowing for clear documentation of processes.
How to organize a team to maintain agility while ensuring diverse skill sets are leveraged effectively.
The necessity of verifying automated processes to ensure they yield accurate and actionable outcomes.

Resources Mentioned:
Saksham Tushar on LinkedIn
CRED website
In this special episode of Detection at Scale, Jack welcomes security experts Dan Cao, Engineering Manager of Security Incident and Response at Netflix, and returning guest Josh Liburdi, Staff Security Engineer at Brex. They discuss the rise of developer-centric security solutions and the ongoing balance between utilizing big platforms like CrowdStrike and bespoke tools, the build versus buy dilemma. They highlight the importance of fundamental skills and critical thinking in security engineering, emphasizing the need for continual learning and adaptability. Dan and Josh also share insights on building effective security teams and the significance of mentorship and team culture in fostering innovation and resilience in an evolving tech landscape.

Topics discussed:
The shift towards security operations and incident response that prioritize developer involvement and custom coding solutions.
How to effectively integrate large security platforms like CrowdStrike with tailored, in-house security tools.
The need for critical and abstract thinking skills in security engineering to solve complex problems.
Strategies for leveraging team strengths and addressing skill gaps to create robust security teams.
The role of mentorship and a positive team culture in fostering growth and innovation within security teams.
The importance of mastering the basics of technology and cybersecurity as a foundation for advanced problem-solving.
The need for security professionals to stay adaptable and continually update their skills in a rapidly evolving tech landscape.
The difficulties small security teams face when managing and integrating diverse security tools and platforms.
The effectiveness and limitations of using commercial security solutions for large and small organizations.

Resources Mentioned:
Dan Cao on LinkedIn
Josh Liburdi on LinkedIn
In this episode of Detection at Scale, Jack speaks to Alessio Faiella, Director of Security Engineering & Security Operations at ThoughtSpot, to discuss building forward-looking security programs for 2024. Alessio dives into the dynamic and ephemeral nature of modern security environments and the importance of understanding the nuances of the product and user base. He also highlights how ThoughtSpot leverages AI to enhance detection and response capabilities. Additionally, Alessio shares insights on codifying playbooks and prioritizing core focuses to ensure a robust cybersecurity posture.

Topics discussed:
The importance of defining clear goals and laying strong foundations for scalable security programs.
Emphasizing the need for security teams to deeply understand the product they are defending and the behaviors of its user base.
The significance of developing and prioritizing detailed playbooks to guide detection and response efforts effectively.
How AI can assist in real-time response, log data parsing, and providing actionable recommendations during security incidents.
Identifying and focusing on critical areas like persistence, lateral movement, and data exfiltration to optimize security efforts with limited resources.
Techniques for evaluating the success of security playbooks and ensuring they align with the organization's goals and infrastructure.
Combining automated processes with human oversight to enhance the efficiency and accuracy of security operations.
The difficulties in gathering and integrating data from various sources to enable quick and informed security responses.
Crafting security rules that are tailored to the specific needs and priorities of the organization's environment.
Advice on maintaining focus and ensuring foundational security practices are in place for a strong and resilient cybersecurity posture.
In this episode of Detection at Scale, Jack speaks to Roger Allen, Senior Director, Global Head of Detection and Response at Sprinklr, to explore the complexities of running a modern SOC. Roger shares his expertise on prioritizing alerts with contextual understanding, the importance of crafting a robust data strategy, and preventing team burnout. From integrating adversary testing to ensuring team alignment with organizational goals, Roger also offers actionable insights and practical advice for enhancing cybersecurity defenses.

Topics discussed:
The importance of understanding adversaries' TTPs (Tactics, Techniques, and Procedures) and leveraging them to improve detection and response capabilities.
The critical role of adversary simulation and testing in writing effective detection rules and enhancing overall security posture.
Strategies for prioritizing alerts based on contextual understanding and the sequence of events, moving beyond mere alert volume.
The necessity of a well-defined data strategy, including standardizing logging formats and implementing data enrichment techniques to improve incident response.
Addressing team burnout by ensuring balanced workloads, regular reviews, and meaningful conversations to align team goals with organizational objectives.
The role of integration and unit testing in validating security rules and ensuring their effectiveness from multiple perspectives.
How security teams can bridge the gap between understanding the tech stack and the business objectives, ensuring security measures align with business priorities.
The importance of bringing in relevant data for incident response and the collaboration needed between different security functions to optimize data usage.
In this episode of Detection at Scale, Jack welcomes Christopher Watkins, Senior Staff Cloud Security Engineer at WP Engine, to discuss logging solutions and efficient data management across multiple cloud platforms. Chris reveals how WP Engine leverages native tools and robust API gateways to streamline logging processes. He shares strategies for cost-effective threat hunting, such as optimizing large-scale queries through table partitioning. Chris also emphasizes the importance of mental and physical well-being, and the role of community support in maintaining a sustainable career in cybersecurity.

Topics discussed:
How WP Engine uses native tools and robust API gateways to manage logging across multiple cloud platforms efficiently.
Strategies for optimizing large-scale queries, such as table partitioning and avoiding costly operations, to maintain efficiency and reduce expenses.
Techniques for moving data efficiently across different cloud services, ensuring consistency and reliability in data management.
The importance of partitioning tables and being selective with queries to enhance threat detection and incident response efforts.
The role of a well-designed schema in speeding up threat detection by understanding the key-value pairs frequently used in security data.
Leveraging best practices from data teams to optimize queries and improve security use cases.
Ensuring human oversight with two-person reviews of scripts and dry runs to maintain accuracy and reliability in automated processes.
The importance of mental, physical, and spiritual health routines to manage the stress of incident response and avoid burnout.
The role of community and trusted conversations in sharing experiences about breaches, vulnerabilities, and other challenges in the cybersecurity field.
How WP Engine's mantra of "detection as code" and "pipelines as code" extends to response workflows for increased efficiency and effectiveness.

Resources Mentioned:
Chris Watkins on LinkedIn
WP Engine website
In this episode of Detection at Scale, Jack Naglieri chats with Darren LaCasse, Director of Threat Intelligence, Incident Response, & Threat Detection at Elastic. Darren offers insights into Elastic's detection-as-code project, shedding light on the methodologies Elastic employs to enhance security operations. Darren touches on the challenges of managing massive amounts of data, the importance of prioritization in security tasks, and how automation has changed their response strategies. He also shares practical advice on conducting gap analyses to focus on what truly matters.

Topics discussed:
The importance of prioritizing security tasks to focus on critical business-impacting elements, ensuring a resilient security framework.
Strategies for handling and analyzing large volumes of security data to maintain effective monitoring and response capabilities.
How automation has halved alert volumes, freeing analysts from repetitive tasks and enhancing overall productivity.
Conducting regular gap analyses and attack path discussions to visualize vulnerabilities and direct security efforts effectively.
The role of tagging and context-aware responses in streamlining security operations and making analysts' lives easier.
Prioritizing security efforts based on the criticality of vendors and data, focusing first on restricted and critical vendors.
The importance of conducting at least annual reviews to reassess and improve security controls and monitoring strategies.
Using metrics to measure the effectiveness of security measures and guide continuous improvement efforts.

Resources Mentioned:
Darren LaCasse on LinkedIn
Elastic Security Solution website
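Several of the episodes above (Rabbit, Outreach, Sprinklr, WP Engine and Elastic) describe detection-as-code: detection rules kept in version control, peer reviewed and unit tested like application code. The block below is an added example to make that concrete; it is not code from Panther, from any guest's team, or from this page. It assumes a small in-house rule harness (the Rule and Alert classes and run_rules are hypothetical), uses AWS CloudTrail field names (eventName, userIdentity.type, additionalEventData.MFAUsed, requestParameters.policyArn), and runs two rules over constructed sample records so the unit tests can check both the true positives and the cases that must stay quiet.

```python
"""Minimal detection-as-code harness: rules are plain Python functions with
metadata, run over JSON log lines, and unit-tested like any other code.
Added example; not code from Panther, Elastic, Rabbit or any guest's team.
Field names follow the AWS CloudTrail record format (an assumption)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Rule:
    rule_id: str
    severity: str
    match: Callable[[dict], bool]   # True when the event should alert
    title: Callable[[dict], str]    # human-readable alert title


@dataclass(frozen=True)
class Alert:
    rule_id: str
    severity: str
    title: str


ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _root_console_login_no_mfa(event: dict) -> bool:
    """Successful console login by the account root user without MFA."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    if event.get("userIdentity", {}).get("type") != "Root":
        return False
    if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return False
    return event.get("additionalEventData", {}).get("MFAUsed") != "Yes"


def _admin_policy_attached(event: dict) -> bool:
    """AdministratorAccess attached to a user, role or group (successful calls only)."""
    if event.get("eventName") not in ("AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"):
        return False
    if event.get("errorCode"):   # denied/failed API calls are not escalations
        return False
    return event.get("requestParameters", {}).get("policyArn") == ADMIN_POLICY_ARN


def _principal(event: dict) -> str:
    rp = event.get("requestParameters", {})
    return rp.get("userName") or rp.get("roleName") or rp.get("groupName") or "?"


RULES = [
    Rule("AWS.Root.ConsoleLoginNoMFA", "HIGH", _root_console_login_no_mfa,
         lambda e: f"Root console login without MFA from {e.get('sourceIPAddress', '?')}"),
    Rule("AWS.IAM.AdminPolicyAttached", "MEDIUM", _admin_policy_attached,
         lambda e: f"AdministratorAccess attached to {_principal(e)}"),
]


def run_rules(lines: Iterable[str], rules: list[Rule] = RULES) -> list[Alert]:
    """Evaluate every rule against every parseable JSON line; skip malformed lines."""
    alerts: list[Alert] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue   # in production: count and forward to a dead-letter queue
        for r in rules:
            if r.match(event):
                alerts.append(Alert(r.rule_id, r.severity, r.title(event)))
    return alerts


# Constructed sample CloudTrail records (not real data); comments give the expected result.
_RECORDS = [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},   # HIGH
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},  # quiet
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.2", "userIdentity": {"type": "IAMUser"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},   # quiet
    {"eventName": "AttachUserPolicy", "userIdentity": {"type": "IAMUser"},
     "requestParameters": {"userName": "bob", "policyArn": ADMIN_POLICY_ARN}},                    # MEDIUM
    {"eventName": "AttachUserPolicy", "errorCode": "AccessDenied", "userIdentity": {"type": "IAMUser"},
     "requestParameters": {"userName": "mallory", "policyArn": ADMIN_POLICY_ARN}},                # quiet
    {"eventName": "AttachRolePolicy", "userIdentity": {"type": "IAMUser"},
     "requestParameters": {"roleName": "ci", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},  # quiet
]
SAMPLE_LOGS = [json.dumps(r) for r in _RECORDS]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_LOGS):
        print(f"[{a.severity}] {a.rule_id}: {a.title}")
```

The point of the structure is that each rule is a pure function of one event, so a pull request changing a rule can ship with a test case for the true positive and for the benign look-alike (MFA used, non-root user, denied API call, a lesser policy), and CI rejects the change if either side regresses.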
In this episode of the Detection at Scale podcast, Jack speaks to Daniel Wiley, Head of Threat Management and Chief Security Advisor at Check Point Software, to discuss the intricacies of balancing technology and human analytics in cybersecurity. Daniel shares his experiences in building three successful internal startups at Check Point and emphasizes the importance of continuous learning throughout one's career. He also touches on effective incident response strategies for small- to medium-sized businesses, and the vital role of adaptable data schemas in managing large-scale security operations. Topics discussed: The highs and lows experienced in the cybersecurity startup journey, including the importance of quick decision-making and team-building. Strategies for developing effective IR playbooks tailored for small- to medium-sized businesses to handle security threats efficiently. The integration of machine analytics and human expertise to manage and interpret large volumes of cybersecurity data. Managing 24/7 global SOCs, including the challenges of shift rotations and ensuring analysts are not overloaded. Techniques for determining which data is crucial for cybersecurity efforts and how to handle terabytes of data per second. The necessity of ongoing education and staying updated with the latest in cybersecurity to maintain effectiveness in the field. The significance of hiring the right team from the start and making swift, decisive personnel changes when necessary. Check Point's focus on maintaining high operational margins and its impact on the business's success and sustainability. Resources Mentioned: Daniel Wiley on LinkedIn Check Point Software website The Hard Thing About Hard Things by Ben Horowitz Cyber for Builders by Ross Haleliuk
In our latest episode of Detection at Scale, Jason Waits, CISO at Inductive Automation, shares insights learned in his journey from network administration to cybersecurity and the importance of SCADA systems. He dives into the value of automation, ML, and AI in security operations, highlighting the need for asking the right questions for efficient data analysis. Jason also discusses building a security team with a focus on detection and response, leveraging automation for faster investigations. Topics discussed: The role of SCADA systems in various industries and the importance of security in OT environments. The challenges and strategies in building a security program for scale, focusing on automation and infrastructure as code. The impact of IT-OT convergence on security issues and the need for enhanced controls and monitoring in interconnected systems. Embracing automation in security operations, including detection engineering and automating response actions for efficiency and scalability. Utilizing enrichment techniques for contextual data analysis and the significance of data sources for effective security investigations. The use of ML and AI in security operations, particularly in natural language querying and data analysis for actionable insights. Jason's advice on building a successful security team, emphasizing automation, staying informed on industry trends, and fostering collaboration with engineering teams. Resources Mentioned: Jason Waits on LinkedIn Inductive Automation website Detection Engineering Weekly newsletter
In our recent special Hot Ones-style episode of Detection at Scale, Panther CEO Will Lowe and Founder & CTO Jack Naglieri sit down to taste hot sauces and talk hot topics in the field of cybersecurity. Jack shares his evolution from security professional to founder, emphasizing the importance of experience and understanding attacker profiles. Jack also gives his insights on the foundational skills to becoming a detection engineer, including building detection engineering functions and having war room experience. He also discusses the evolving role of AI in the security field, such as its usefulness in generating code for detection programs. Topics discussed: Jack's transition from practitioner to company founder, emphasizing the importance of saying yes to opportunities and keeping an open mind. Building detection engineering functions with a focus on understanding what needs to be detected and why. The significance of measurement in detection engineering and the importance of a growth mindset for continuous improvement. The importance of understanding the experiences of security practitioners and software engineers. The role of war room experience in understanding attacker profiles and the importance of incident response strategies to prepare for a role as a detection engineer. The importance of sharing knowledge and experiences within the cybersecurity community. Resources Mentioned: Jack Naglieri's Substack
In a recent episode of the Detection at Scale podcast recorded at the RSA conference, Jack chats with Corey Quinn, Chief Cloud Economist at The Duckbill Group, an AWS cost-management agency. They talk about the intersection of security and billing in the context of AWS environments, highlighting the significance of observability through billing data to enhance security measures. Corey also discusses key offenders in AWS services for security and highlights the challenges companies face in determining optimal investments in security services. Throughout the discussion, Corey offers valuable takeaways on navigating the evolving landscape of AWS security practices and optimizing billing strategies for enhanced cloud security. Topics discussed: The importance of observability via billing data to bolster AWS security measures and optimize investments in security services. How to identify key security offenders in AWS services to enhance cloud security practices and mitigate potential breaches. The challenges in determining optimal security investments within AWS environments. Detecting potential breaches through AWS billing insights and the significance of understanding billing intricacies for security enhancements. The impact of billing data on identifying security vulnerabilities and navigating the AWS security landscape with enhanced strategies. The role of services like Route 53 in bolstering security measures and considerations for AWS spending on security services. Resources Mentioned: Corey Quinn on LinkedIn The Duckbill Group website
In this episode, Jack Naglieri speaks to Jeff Bollinger, Director of Incident Response and Detection Engineering at LinkedIn, who shares valuable insights on his journey in security, key technological shifts he's witnessed, and his approach to threat intelligence, incident response, and monitoring. Jeff highlights the importance of contextual understanding in security operations and emphasizes the critical role of human intuition, adaptability, and creativity in addressing security challenges. He also discusses the need for a balanced team with diverse skill sets and his views on the evolving role of AI in security operations. Topics discussed: Technological shifts in the field of incident response and detection engineering, from the Y2K era to the present. The nuances of monitoring behaviors and moving towards higher-level monitoring: it's useful but imperfect because humans can be unpredictable. Automation in security operations and how human analysts are still important and relevant because they have intuition that AI does not. Incorporating threat intelligence effectively in security programs: knowing what your scale is and what threats correspond to it. Building effective incident response programs and key considerations in security operations.
In this episode, Jack Naglieri speaks to Josh Liburdi, Staff Security Engineer at Brex. Josh explains the process of developing their new security data pipeline toolkit, Substation, and how it has been working. He also discusses the importance of quality data, highlighting the impact of data transformation. Josh also shares his insights on the value of human analysis in SecOps and modern incident response strategies, from handling alerts to understanding program gaps. Topics discussed: The development process of Substation, a security data pipeline toolkit to enhance log collection and data quality for threat detection. The importance of quality data in security operations and how sometimes it is helpful to collect it even if you don't analyze it right away. The data transformation process and its impact on threat detection, as well as how it's made the team at Brex more efficient. Enhancing the ability to write better rules after implementing Substation. Josh's advice for security practitioners: it's ok to seek help and “soft skills” are important.
On this week's episode of the Detection at Scale podcast, Jack talks with Matthew Valites, Director of Threat Detection & Operational Strategy at SAP. They discuss which threat detection approach works the best, what metrics Matthew uses to gauge his programs, and why Matthew is a proponent of using detection as code. Matthew also looks to the future and gives his prediction on what role technology such as GenAI will play in the security landscape. They close out their conversation with some actionable lessons from Matthew's book, Crafting the Infosec Playbook. Topics discussed: Which threat-detection approach works the best (hint: it's usually the one that provides the most visibility). How Matthew manages the different logic in different environments using tailored macros. What metrics Matthew uses to gauge his programs and how he keeps track of those metrics. Why Matthew is a huge proponent of using detection as code, including the CI/CD element it brings. What makes GenAI so exciting, and what its role might be in the future. How Matthew tries to take care of his team's mental and physical health. Actionable lessons from the book Matthew co-authored, “Crafting the Infosec Playbook”, such as espousing the values of a service-based approach.
On this week's episode of the Detection at Scale podcast, Jack talks with Justin Anderson, Security Engineering Manager, Detection & Response at Meta. They discuss how Meta has built its detection engineering program, how it treats detection-as-code like software, and how it gauges risk by assessing the TTPs applicable to the environment. They also talk about where AI is able to help out in development, the greater need for engineering and investigation skills, and three things to remember when building a security program. Topics discussed: How Meta gauges risk by assessing the TTPs applicable to the environment and measuring coverage across those TTPs. How they built out their detection platform on a custom infrastructure and treat detection-as-code like software. Why they take a shift-left approach to detection, starting with TTP hypotheses and then eliminating as much noise as possible. How taking a page from the vulnerability management playbook helps reduce noise around detections. AI's current limitations in detection and response, yet how it helps with writing code and speeding up development times. Why there's a greater need for stronger engineering and investigation skills, in addition to coding skills. Advice to security professionals to focus on understanding, identifying, and executing when building out their program.
On this week's episode of the Detection at Scale podcast, Jack talks with Charles Anderson, Director, Global SOC at Sony. They discuss better approaches to risk-based alerting that leverage metadata, how they fine-tune detections across a global organization, and what factors to use when determining thresholds. They also talk about how to use Time to Detect to improve your strategies, how LLMs can help with baseline detection, and why it's key to not lose sight of risk in pursuit of threat. Topics discussed: A better way to approach risk-based alerting by leveraging metadata to connect the dots. Which factors to consider when determining your thresholds for alerting. How Sony is using machine learning and why applying a single model to the entire organization doesn't work. Why organizations are targets of opportunity and accidental exposure more than they are of planned attack. The process Sony's SOC uses to fine-tune their detections and how it has to be different across the globe. How to use Time to Detect to tell the story of what you're covering and what you're missing. Advice to other security professionals that includes not losing sight of risk in pursuit of threat.
On this week's episode of the Detection at Scale podcast, Jack talks with Jason Craig, Director - Threat Detection & Response at Remitly. They discuss the common TTPs of threat actors and how organizations can better protect against them by adopting hardware-backed authentication, taking a risk-based approach to logging, and building out their threat modeling. They also talk about why organizations should move away from cellular MFA, the need for more behavioral profiling, and advice for security professionals. Topics discussed: The common TTPs of threat actors and conglomerates like Lapsus$ and what organizations need to know to protect themselves against them. Why enterprises should rely on hardware-backed authentication rather than SMS MFA on cellular. How to take a better approach to identity management by using hardware-backed authentication and behavioral profiling that eliminates background noise. Why threat modeling begins with knowing what you do as an organization and what you have that's valuable to an attacker. How to take a risk-based approach to understanding which user data or sensitive information to protect first. Why an accurate asset inventory is a precursor to detection and response. Advice to security professionals and organizations on "knowing thyself" and codifying adversary tracking.
On this week's episode of the Detection at Scale podcast, Jack talks with Drew Gatchell, Director, Detection Engineering at AppOmni. They discuss how to overcome the challenges to detection on SaaS platforms and how they're building strategies upon alerting and detection frameworks. They also talk about how generative AI can help with normalizing inputs, the benefits of data lakes for D&R, and why it's key to have a measurable plan for detection. Topics discussed: How AppOmni is tackling the challenges of detection in SaaS platforms and auto-logs, especially when it comes to varied latency. What frameworks Drew is working with and how he's building upon them for better detection. How signal creation starts with a hypothesis that can be turned into a plan, and why it's important to include signal redundancy. What techniques AppOmni takes to address security in real time. How they're using AI to normalize their inputs and create additional content on top of the detection rules. The benefits of data lakes and how they're a tremendous asset to D&R. Advice for security leaders on having a measurable plan for detection, why detection should be layered, and the need to continuously validate your capabilities.
On this week's episode of the Detection at Scale podcast, Jack talks with Emanuel Mulatu, Senior Engineering Manager - Detection & Response at Block. Together, they discuss what success means in security, the most rewarding things about security, and how to address and prevent one of the biggest challenges today: burnout. They also talk about ways to increase productivity through automation, the potential for AI and large language models, and why creating a great workplace starts with a healthy work-life balance. Topics discussed: The most rewarding things about security — like the relationships and trust you build — and the biggest challenges facing security today. The value of building relationships across departments as well as with your customers. How to recognize the root causes of burnout and address it through meaningful initiatives like fitness or reading challenges. Why having a culture of writing can help with problem solving and collaboration. Why automation is the biggest initiative that's increasing productivity and morale, and the opportunities that AI and LLMs will bring. Advice for security leaders on how to build better workplaces focused on psychological safety and continuous learning. How to define security success, especially through the eyes of the C-suite.
On this week's episode of the Detection at Scale podcast, Jack talks with Dr. Anton Chuvakin, Senior Security Staff at the Office of the CISO at Google Cloud. They dig deeper into the conversation taking place online around decoupled SIEMs, which both Jack and Anton wrote about. They discuss what a decoupled SIEM is, the evolution of data platforms and security capabilities, whether decoupled SIEMs will work broadly with current customer demands, and whether having backend data lakes is the best solution for fast, real-time querying. Topics discussed: What a decoupled SIEM is, and why the broader discussion around whether security data lakes will replace SIEMs prompted Anton's Medium post. How this conversation is being driven by the fact that we're coming to the "end of the runway" on previous storage choices. The arguments around why decoupling may not work broadly, simply because customers want integrated SIEMs. The evolution of data storage platforms and how successful past attempts at integrating security capabilities were. Why there's not a straightforward solution to storage — and why it's a challenge that's taking years to solve. Why having a data lake on the backend is the best solution to fast querying and real-time detection. A discussion around OCSF and the benefits of log normalization. Resources Mentioned: “Decoupled SIEM: Brilliant or Stupid?” by Anton Chuvakin “The Transition from Monolithic SIEMs to Data Lakes for Security Monitoring” by Jack Naglieri
On this week's episode of the Detection at Scale podcast, Jack talks with Dhruv Majumdar, Director, Cyber Risk & Advisory at Deloitte. They discuss common challenges when transitioning from a traditional SOC to a detection and response program, what questions to ask when building a threat modeling strategy, and the benefits data lakes can unlock for D&R. They also talk about how LLMs are helping detect exfiltration, and the need for security controls, policies, and good partnerships. Topics discussed: The common challenges that organizations face today when evolving their detection and response programs, including moving away from SOC and managing big data. An overview of the maturity model and what organizations can follow to evolve their processes. Two critical questions to ask that will guide your threat modeling strategy. What big data "unlocks" for detection and response today, and what trade-offs there are in usability when moving to a data lake-backed architecture. How LLMs can surface patterns in data that simplify detecting exfiltrations and how they can help with automation to prevent burnout. Advice to security practitioners when transitioning to new strategies, including why you need "controls, controls, controls," and why you should take the simplest route to overcome a challenge.
On this week's episode of the Detection at Scale podcast, Jack talks with Anton Chuvakin, Security Advisor at the Office of the CISO at Google Cloud, and Timothy Peacock, Senior Product Manager at Google. Together, they discuss some of the needs and trends in cybersecurity today, including how to know what level of D&R your organization needs, the use cases for AI today, and how LLMs and SIEMs will handle data at scale. They also talk about the need for more creative solutions to misconfiguration management, three things security practitioners can do to improve cloud security, and why cybersecurity is the "most intellectually stimulating profession on the planet." Topics discussed: What attracted Anton and Timothy to cybersecurity, what makes them stay, and why the intersection of humans and technology makes it the “most intellectually stimulating profession on the planet.” How organizations can evaluate the level of security they need, why it's crucial to know whether you need to go from zero to one, or five, or a hundred, and how organizations with no detection and response strategies can get started. What use cases there will be for AI in cybersecurity, and why, while it may be good at summarizing, explaining complexity, and classifying, it may not be ready to create usable code. Why security practitioners need to think more about whether SIEMs can support planetary scale, and whether decentralization is the solution. The role LLMs will play in helping to manage large data sets, and how it may change the way organizations use MDRs. Why the industry needs new, creative ways to solve the ongoing problem of cloud misconfigurations in order to break vicious cycles through shared fate. Three pieces of advice to improve cloud security, including knowing your security needs, practicing, and making friends so you know you're not alone.
In this episode, Jack speaks with David Seidman, Head of Detection and Response at Robinhood. David has worked for large tech companies like Google, Microsoft, and Salesforce in a variety of D&R roles. During this episode, David shares his tactical advice on how his team is building the pipes and engines of security at Robinhood, his top tools to improve fidelity of detections, and what he's learned in his career that's made him a better practitioner and leader. Topics discussed: The ‘unusual strategies’ and hypothesis on the kill chain model David has not shared before publicly. His top five tools to use to improve the fidelity of your detections. How David has seen composite detection be effective in practice and why it is most effective when it's analyst driven. His experience working on Google Cloud's Event Threat Detection. What a mature IR process looks like today and how to train staff that's run IR in the past. A big challenge and growth area in the industry that doesn't get enough attention. The new frontier of what the detection and response stack will look like in the future. David's keys to an effective IR program, such as regular exercises, a communications plan, having access and permissions to data, strong controls, and more. The three actionable takeaways David learned from his roles at Google, Microsoft, Salesforce, and now Robinhood that make him a better practitioner and leader today.
In this episode, Jack chats with Christopher Witter (aka Witter), Engineering Manager, Detection & Response at Spotify and a founding member and former lead for CrowdStrike's Falcon OverWatch managed hunting service. Witter has nearly two decades of experience in incident response and information security, holding leadership roles on computer security and incident response teams (CSIRT) with both a top five global bank and a top ten defense contractor. During this episode, Witter shares his behind-the-scenes experiences helping build the Falcon OverWatch team at CrowdStrike, why it's critical to measure queries in seconds, not minutes, his tips on running highly effective D&R teams at scale, and more! Topics discussed: Witter's experience as one of the first 100 people on the Falcon OverWatch team at CrowdStrike. Why the OverWatch team didn't follow traditional SOC mentalities. The various data sources Witter uses to improve accuracy and gather context. How D&R is like going to court – telling the story around Who, What, Where, Why, How, to prove beyond a reasonable doubt that this incident happened. Why Witter measures in seconds, not minutes, and why timescale is critical. Why it could be a mistake to choose cybersecurity tools based on financial capability and budget, and what criteria should be considered instead. Why Witter still believes in custom systems. Witter's rule of thumb that if a human does the same thing 10x manually, it should be automated. Managing a remote D&R team and building psychological safety. Witter's advice for how others can get involved in the D&R community. His 3 pieces of advice to build a high-performing D&R team at scale, including a focus on ‘Jack of all trades’ people, avoiding distractions, and why it's critical to capture everything to improve search.
In this episode, Jack Naglieri speaks to Kelly Jackson Higgins, Editor-in-Chief at Dark Reading. During the episode, they share their thoughts about how cyber threats have changed over the years. Topics discussed: Kelly offers fascinating insights into how cybersecurity journalism has evolved to keep pace with the ever-changing industry. She offers an example of why choosing to patch systems is not always an easy decision for security teams. Jack and Kelly talk about how perceptions around which organizations are likely targets have changed over the years. Kelly shares some of the crazier threat actor trends she has observed during her career covering cybersecurity. She offers three pieces of valuable advice for security teams.
In this episode of Detection at Scale, Jack speaks with Michael Hanley, Chief Security Officer and SVP of Engineering at GitHub. He also spent five years at Duo Security building their security program, and is passionate about making security easy and accessible for everyone. Topics include: How to think about managing in a dual role as both head of security and engineering, and what success looks like for both. What some of the synergies are between security and engineering, and why the two should work as closely as possible. The security strategy of retaining the integrity of the world's important projects at GitHub. The importance of democratizing security, and making it accessible for everyone. The mentality of baking software development into security. When to introduce a security team into an organization, how to build a SecOps team, and the evolution of security within companies. Actionable steps for security leaders to take regarding professional development, culture, and sharing notes. Resources: Michael's favorite open source security tools: StreamAlert, CloudMapper, SiLK Suite Keep in touch with Michael Hanley on LinkedIn
Adeel Saeed is VP of Technology Strategy and Execution Management at Kyndryl and is a former CISO/CIO at large financial services companies, aviation companies, and more. Adeel is an experienced technology strategist and digital transformation leader with extensive hands-on technology and information security management experience and has led multiple large-scale complex technology transformation projects. Topics include: How enabling your internal clients with the right tools and tech empowers them to serve their customer base more easily Tool consolidation, risk metrics, reporting analytics, and more of what Adeel is focusing on in the risk management environment The experience that taught Adeel the most about practical security Why experience and exposure are the ultimate teachers Actionable steps to going from reactive to proactive in threat detection and response The benefits of fine-tuned threat intelligence tools to better make risk-based judgments Why security is not an ivory tower but part of the business How security can better partner with the business versus just being a component of it Why gamification can be a great tool to engage the executive team Standardization of all the data and the fundamental data problem What Adeel has been paying attention to in the market around detection What true secure data governance looks like Adeel's biggest challenge as a CISO, CSO, and overall security technology strategy leader How COVID helped shape business security and where it should be embedded Why it's critical to position yourself as a business partner to your company Adeel's tips for security leaders to succeed in the future of threat detection and response Resources: Keep in touch with Adeel on LinkedIn: https://www.linkedin.com/in/adeelsaeed/
Chris Hodson is the CISO at Contentful, which helps digital teams assemble content and deliver experiences, faster. Prior to Contentful, Chris was at Zscaler and Tanium and also busy writing a book called Cyber Risk Management: Prioritize Threat, Identify Vulnerabilities, and Apply Controls. Chris builds and runs cybersecurity organizations that manage technology risks and helps product teams develop security solutions that work. As comfortable in the server room as the board room, he tailors cybersecurity strategy to organizational risk appetite and business objectives. Topics include: Chris's hottest security take on the role of a CISO How Chris developed the skills that made him a better technical CISO How Chris works more closely with DevOps teams How his team gets smart about what to detect How to work with application developers to get more useful data Prioritizing the services that are most sensitive, so things that are touching customer data get the most attention The application signals Chris typically cares about Building out tools internally to send telemetry to a single source The organization of a cross-functional security team and the focus on security engineers The Kubernetes 4Cs - Code, Container, Clusters, Cloud The importance of organization-specific context to succeed in fixing symptoms at their cause Chris's advice for detection teams living in a cloud-based world Resources: Keep in touch with Chris on LinkedIn: https://www.linkedin.com/in/christopherjhodson/?originalSubdomain=uk Learn more about Chris's book here: https://cybersecuritymattersdotblog.wordpress.com/my-books/ Kubernetes 4Cs: https://www.enterprisedb.com/blog/4cs-security-model-kubernetes
Thomas Owen is CISO at Grafana and an advisor to startups who helped build the security team at Snyk, and is especially excited about fostering conversations around ethics, sustainability, mental health, and inclusivity. A cloud-native, innovative and strategic security leader with a blend of people, policy and technical experience and a strong product affinity, Thomas talks with Jack about how to build a team from the ground up, the attributes of a modern security team, how to gauge the value of security, and his advice for practitioners around basic hygiene. Topics include: How Thomas builds functions from the ground up How to think about functional areas from very early on in the team Practical applications of using GRF for security and the elements that should be looked at The three biggest challenges with modern data security The pros, cons, and use cases of open source in security at scale The difference between engineers building features and products solving problems Modern security: telemetry, analysis, and what you do about it The ROI of security and how to gauge value Latest trends in high-scale monitoring Why ‘enabled autonomy’ is critical in a modern security team 3 pieces of actionable advice for practitioners looking to succeed at detection at scale Keep in touch with Thomas on LinkedIn: https://www.linkedin.com/in/thomas-rhys-owen/?originalSubdomain=uk
Mike Saxton is Technical Director of Defensive Cyber Operations at Booz Allen Hamilton. His primary focus is on implementing technical solutions to protect against vulnerabilities, exploited software or hardware, data threats and other emerging risks that may threaten critical system operations. Not only an endurance athlete and classically trained musician, Mike is also a long-time proponent of detections as code, and in today's episode he and Jack discuss everything from getting started on your detection journey, to broader cloud security adoption, the use of open source in government, and more! Topics include: How Mike went from the healthcare field to cybersecurity Where the government is in its shift to the cloud The zero-trust model and broader security adoption in the cloud space Where Mike thinks most teams start in their detection journey Mike's positive thoughts on closing the cybersecurity skills gap and how to interview for detection at scale competency How much open source is used in government How acquisition and new leadership are changing cybersecurity products and frameworks in government Why it's critical to find a niche when working in cybersecurity His advice to get outside your comfort zone and not just push yourself, but push the industry as a whole Keep in touch with Mike on LinkedIn at: https://www.linkedin.com/in/mikesaxton/
JJ Agha is the CISO at Compass, the largest real estate brokerage in the US, and previously spent over four years as VP of InfoSec at WeWork, along with time as a security engineer at Vimeo and Priceline. Having worked for and advised multiple startups and Fortune 500 companies, he enjoys the challenge of building security teams and maturing programs and disciplines within an organization while embracing and learning new technologies. In today's episode, Jack and JJ discuss how he builds his team, buy vs build, what he expects from a modern SIEM, and more! Topics include:
- How JJ went from changing his degree nine times to a help desk analyst role, then discovered cybersecurity and entered the industry with Northrop Grumman and Edgecast
- How JJ thinks about the human element of security when it comes to running a team and being a CISO
- What Ikigai is and how the mindset can empower security professionals
- Building vs buying, and the projects JJ's security team is working on
- What JJ is looking for in a modern SIEM
- JJ's focus on Relentless Iteration and his mission to constantly improve and iterate on security programs
- How JJ balances the cost of his detection program with the needs of his security team
Keep in touch with JJ on LinkedIn at: https://www.linkedin.com/in/jonathanagha/
Kathy Wang is the CISO at Discord and an internationally recognized malware expert who has researched, developed, evaluated, and operationalized various solutions for detecting and preventing client-side attacks used by advanced persistent threats (APTs). As a security executive and leader, Kathy has a strong background in project management, research, and business development. She has worked in government, commercial, and technology startup environments, and currently advises security services/product startups. In today's episode, Jack and Kathy discuss the talent pool in cybersecurity. Topics discussed in this episode:
- What made Kathy want to go from researcher to security leader
- The impact remote work and remote teams have had on cybersecurity teams
- What Kathy looks for when hiring security professionals
- Why transparency and multi-modal communication are mission critical for cybersecurity teams
- How attacks have changed in the past 5 years
- The tools Kathy is paying most attention to
- What she enjoys most about working in security
- Kathy's advice for security professionals, especially early in their career
Keep in touch with Kathy on LinkedIn at: https://www.linkedin.com/in/kathywang/
Nir Rothenberg is the CISO at Rapyd, managing security and IT for the fast-growing fintech company, which is on a mission to ensure that the future of financial services will be democratized and secure. Prior to Rapyd, Nir led information security at NSO Group, a well-known cyber-intelligence company, where he was charged with protecting a high-profile and high-risk enterprise. Before NSO Group, Nir worked as a consultant, helping some of Israel's leading companies reduce risk and improve information security. Nir is very active in Israel's cyber startup scene, advising and partnering with many of them. In today's episode, Nir and Jack discuss lessons learned in transitioning from an on-prem environment to cloud infrastructure, building a modern team, scaling at Rapyd, and tips to help organizations build a modern security team that's capable of detection and response at scale. Topics discussed:
- Nir's unconventional path to becoming a CISO
- How Nir's mentality shifted in his transition from detection in an on-prem environment to the cloud, and the pivotal moment he realized he had to move to the cloud or be left behind
- What Nir learned about threat detection at scale when he moved to Rapyd
- Why Nir is against SOCs, and his alternative systems
- How Nir had to change his approach to detection at scale as Rapyd scaled
- Cybersecurity nuances in the finance industry
- Three pieces of advice for leaders building a modern security team, and who he sees succeed the most
Keep in touch with Nir on LinkedIn at: https://www.linkedin.com/in/nir-rothenberg-5a6b48ba/
Joe Uchill is a Senior Reporter at SC Magazine, the leading trade publication for the cybersecurity industry. Prior to joining SC Magazine in 2020, Joe was a cybersecurity reporter at outlets including Axios and The Hill. Today's episode is the first in our mini-series dedicated to interviewing leading cybersecurity journalists. Cybersecurity reporting plays an important role in helping practitioners, leaders, and the general public understand recent breaches, the latest malware trends, and best practices that can help us all stay safe on the internet. Our goal with this series is to help our audience learn more about who these journalists are and what it's like to be a reporter in this fast-changing industry. Topics discussed:
- How Joe began covering cybersecurity in 2015 and how the landscape has evolved over the past few years
- Joe's favorite story he's covered since he began covering the space in 2015
- What motivates and excites Joe most about cybersecurity
- How Joe feels about the responsibility journalists have when it comes to keeping the public and the security community informed
- What trends Joe feels people should be paying attention to when it comes to the future of cybersecurity
To keep up with Joe's latest reporting, follow him on Twitter at https://twitter.com/JoeUchill
Aaron Zollman is the CISO at Cedar, a patient payment and engagement platform for hospitals, health systems, and medical groups that elevates the patient experience. Prior to Cedar, Aaron spent time in security at companies like Bridgewater, Palantir, and MUFG Bank, Japan's largest bank. In today's episode, Aaron and Jack discuss lessons and tips to help organizations build a modern security team that's capable of detection and response at scale. Topics discussed:
- What Aaron learned as he transitioned from the public sector to the private sector
- How security tools have evolved over time
- How Aaron's background in software engineering contributes to his mindset when it comes to security
- Aaron's approach to building the security team from scratch at Cedar, and how the strategy had to change to accommodate the growth of both data and employees
- Why Aaron created the conference fwd:cloudsec
- Three pieces of advice for leaders building a modern security team
Thomas Kinsella is the COO and co-founder of Tines, a no-code security automation platform that frees teams from manual work so they can focus on higher-value strategic work. In today's episode, Thomas and Jack explore what it's like to transition from a security practitioner to a startup founder, and how tools like Tines and Panther can be used to transform the way security teams operate. Topics discussed:
- What Tines does (and what the name means)
- Reflecting on the stresses of dealing with major incidents while Thomas worked as a security practitioner at organizations like eBay and DocuSign
- Why frustration with the automation platforms available led Thomas and his co-founder to quit their jobs and build the solution they wished they had
- The risk of building, instead of buying, security tools
- The Tines use cases that Thomas finds the most surprising
- How automation platforms and threat detection platforms should work together
- What's next for Tines as a company, and how they help security team members get the most out of their platform
- 3 pieces of advice for any security operator working at scale
What does it take to shape an early-stage security project into a product that solves real problems? Understanding your customers is a key first step. Knowing the personas who can use your product and the leverage they can get out of it is what ultimately brings value to security teams, and even to other teams that can benefit from it. We had a great conversation with Joren McReynolds, VP of Engineering, IT and Security at Panther Labs. In today's episode he shares the experiences and lessons from his journey at Facebook and Airbnb, and how they shaped his understanding of what building a great product takes. Topics discussed:
- What led to the creation of osquery, and why open source
- What the progression was to build it as an MVP
- Joren's approach to building the IR team at Airbnb
- How different Airbnb's cloud-based environment was from Facebook's
- How Joren's past experience at Facebook influenced his work at Airbnb
- Joren's thought process around implementing security monitoring
- What inspired StreamAlert
- 3 pieces of actionable advice for security teams looking to excel at detection at scale
Clint Gibler is the Head of Security Research at r2c, the company behind Semgrep, a popular open-source static analysis security scanning tool used by teams all over the world. He joined r2c to help build and shape the future of AppSec: one that includes secure defaults along with lightweight enforcement of those defaults. In today's episode, Clint talks about Semgrep, operationalizing tools for security teams, the intersection between AppSec and detection and response, and tips for succeeding in AppSec at scale. More topics discussed in this episode:
- Semgrep's origin story and benefits
- The security startup creation pattern of recent years
- The trend shift toward developers handling security problems at scale
- r2c's mission and products in addition to open source
- How application logs are useful in detection and response
- The types of vulnerabilities Clint is seeing more often
- The application security developments he is most excited about
Other resources: tl;dr sec Newsletter: tldrsec.com
Robin Smith is the Head of Cyber and Information Security at Aston Martin, and he brings a fresh and unique voice to the security industry. He advocates for a lean, progressive security mindset, in which it's crucial to think about processes so that organizations are not unnecessarily wasting resources while committing to continuous improvement at the same time. Tune in to learn more about what lean security is, why Robin has always seen security as an asset, and how you can embed that value into your organization. Topics discussed in this episode:
- How Robin arrived in information security
- Why he believes we need new voices in the industry
- The time he wrote 'The Lean Information Management Toolkit'
- Why he considers security an asset, and how to embed that value across an organization
- What the concept of lean security implies
- How lean security applies to security monitoring and detection
- Desired outcomes for security detection platforms
- Metrics for a lean security program
- The practical approach to deploying technology
- 3 pieces of advice for succeeding at effective detection at scale
If you were building a detection program today, what would be your top resources to start with? As we head into a cloud-based future, the ability to handle increasingly large data sets becomes crucial: teams need to have processes in place that cover the entire detection lifecycle, and develop the skills necessary to build, grow and improve a successful detection program. In today's episode, we had an insightful conversation with Snowflake's Global Threat Intelligence and Detection Engineering Leader, Haider Dost, and Senior Security Engineer Daniel Wyleczuk-Stern, in which we discovered why having data, and being able to query that data, is a critical first step. Topics discussed in this episode:
- Haider's and Daniel's backgrounds in security
- The precursors and skills necessary to becoming a detection engineer
- A high-level approach to building strong detection teams
- The importance of collecting and correlating log sources for a proper incident response
- How to be proactive when building your detection baseline
- What a detection lifecycle process is and why every team should have one
- What the biggest challenges of building a detection program are
- Why it's critical that responders or analysts have a sense of ownership over the detections that are being built
- How security teams at Fortune 500 and Silicon Valley companies differ from each other
Have you ever found more assets in your network than you thought you had? Do you have segments that haven't been scanned yet? Or maybe subnets that you have ignored? This and much more is what asset discovery brings to the table for any security team, helping to prevent the next big incident. In today's episode we sat down with Chris Kirsch, CEO and co-founder of Rumble, and chatted about why covering the basics, like having a full inventory of your network with all its managed and unmanaged devices, is a best practice for securing any environment. Topics discussed in this episode:
- Rumble's founding story and background
- Why Rumble's engine is very benign to the network
- Where customers that migrate to Rumble come from
- Why vulnerability scanners don't tell you much about what a particular asset is
- A two-point approach to asset discovery in a cloud environment
- How customers use Rumble in a response-style situation
- 3 pieces of advice for succeeding at asset management and device security in the future
Why is SIEM an area of unease for so many security officers? To make detection and response successful, we need tools capable of upskilling practitioners as well as equipping them to be successful. We need tools we can rely on. In today's episode, we had an inspiring conversation with J Wolfgang Goerlich, Advisory CISO at Cisco Secure. We discussed how trust is a determining factor in building the security tools of the future, why so many CISOs have lost trust in SIEMs, and what we can do to rebuild it. Topics discussed in this episode:
- Wolf's role as advisory CISO
- How we can use technology to solve business problems
- How CISOs perceive SIEMs today, and security monitoring as a practice
- The investigative side versus the detection side of SIEMs
- How the detection personas have changed with the movement to the cloud
- Challenges of doing detection in the modern day
- The story of when Wolf worked on an open source project
- How Wolf advises CISOs on making a build versus buy decision
- How detection and response will evolve in the coming years
- 3 pieces of actionable advice for succeeding at building effective detection programs at scale