The Detection at Scale Podcast is dedicated to helping security practitioners and their teams succeed at managing and responding to threats at a modern, cloud scale. Every episode is focused on actionable takeaways to help you get ahead of the curve and prepare for the trends and technologies shaping the future.
Episodes
4 days ago
4 days ago
In this episode of Detection at Scale, Jack speaks to Roger Allen, Senior Director, Global Head of Detection and Response at Sprinklr, to explore the complexities of running a modern SOC. Roger shares his expertise on prioritizing alerts with contextual understanding, the importance of crafting a robust data strategy, and preventing team burnout.
From integrating adversary testing to ensuring team alignment with organizational goals, Roger also offers actionable insights and practical advice for enhancing cybersecurity defenses.
Topics discussed:
- The importance of understanding adversaries' TTPs (Tactics, Techniques, and Procedures) and leveraging them to improve detection and response capabilities.
- Discussing the critical role of adversary simulation and testing in writing effective detection rules and enhancing overall security posture.
- Strategies for prioritizing alerts based on contextual understanding and the sequence of events, moving beyond mere alert volume.
- The necessity of a well-defined data strategy, including standardizing logging formats and implementing data enrichment techniques to improve incident response.
- Addressing team burnout by ensuring balanced workloads, regular reviews, and meaningful conversations to align team goals with organizational objectives.
- The role of integration and unit testing in validating security rules and ensuring their effectiveness from multiple perspectives.
- How security teams can bridge the gap between understanding the tech stack and the business objectives, ensuring security measures align with business priorities.
- The importance of bringing in relevant data for incident response and the collaboration needed between different security functions to optimize data usage.
Tuesday Jul 09, 2024
WP Engine’s Christopher Watkins on Cost-Effective Threat Hunting Strategies
Tuesday Jul 09, 2024
Tuesday Jul 09, 2024
In this episode of Detection at Scale, Jack welcomes Christopher Watkins, Senior Staff Cloud Security Engineer at WP Engine, to discuss innovative logging solutions and efficient data management across multiple cloud platforms. Chris reveals how WP Engine leverages native tools and robust API gateways to streamline logging processes.
He shares strategies for cost-effective threat hunting, such as optimizing large-scale queries through table partitioning. Chris also emphasizes the importance of mental and physical well-being, and the role of community support in maintaining a sustainable career in cybersecurity.
Topics discussed:
- How WP Engine uses native tools and robust API gateways to manage logging across multiple cloud platforms efficiently.
- Strategies for optimizing large-scale queries, such as table partitioning and avoiding costly operations, to maintain efficiency and reduce expenses.
- Techniques for moving data efficiently across different cloud services, ensuring consistency and reliability in data management.
- The importance of partitioning tables and being selective with queries to enhance threat detection and incident response efforts.
- The role of a well-designed schema in speeding up threat detection by understanding key value pairs frequently used in security data.
- Leveraging best practices from data teams to optimize queries and improve security use cases.
- Ensuring human oversight with two-person reviews of scripts and dry runs to maintain accuracy and reliability in automated processes.
- The importance of mental, physical, and spiritual health routines to manage the stress of incident response and avoid burnout.
- The role of community and trusted conversations in sharing experiences about breaches, vulnerabilities, and other challenges in the cybersecurity field.
- How WP Engine's mantra of "detection as code" and "pipelines as code" extends to response workflows for increased efficiency and effectiveness.
Resources Mentioned:
- Chris Watkins on LinkedIn
- WP Engine website
Tuesday Jun 25, 2024
Tuesday Jun 25, 2024
In this episode of Detection at Scale, Jack Naglieri chats with Darren LaCasse, Director of Threat Intelligence, Incident Response, & Threat Detection at Elastic. Darren offers insights into the innovative project around detection as code, shedding light on the methodologies Elastic employs to enhance security operations.
Darren touches on the challenges of managing massive amounts of data, the importance of prioritization in security tasks, and how automation has revolutionized their response strategies. He also shares practical advice on conducting gap analyses to focus on what truly matters.
Topics discussed:
- The importance of prioritizing security tasks to focus on critical business-impacting elements, ensuring a resilient security framework.
- Strategies for handling and analyzing large volumes of security data to maintain effective monitoring and response capabilities.
- How automation has halved alert volumes, freeing analysts from repetitive tasks and enhancing overall productivity.
- Conducting regular gap analyses and attack path discussions to visualize vulnerabilities and direct security efforts effectively.
- The role of tagging and context-aware responses in streamlining security operations and making analysts' lives easier.
- Prioritizing security efforts based on the criticality of vendors and data, focusing first on restricted and critical vendors.
- The importance of conducting at least annual reviews to reassess and improve security controls and monitoring strategies.
- Using metrics to measure the effectiveness of security measures and guide continuous improvement efforts.
Resources Mentioned:
- Darren LaCasse on LinkedIn
- Elastic Security Solution website
Tuesday Jun 11, 2024
Tuesday Jun 11, 2024
In this episode of the Detection at Scale podcast, Jack speaks to Daniel Wiley, Head of Threat Management and Chief Security Advisor at Check Point Software, to discuss the intricacies of balancing technology and human analytics in cybersecurity.
Daniel shares his experiences in building three successful internal startups at Check Point and emphasizes the importance of continuous learning throughout one’s career. He also touches on effective incident response strategies for small- to medium-sized businesses, and the vital role of adaptable data schemas in managing large-scale security operations.
Topics discussed:
- The highs and lows experienced in the cybersecurity startup journey, including the importance of quick decision-making and team-building.
- Strategies for developing effective IR playbooks tailored for small- to medium-sized businesses to handle security threats efficiently.
- The integration of machine analytics and human expertise to manage and interpret large volumes of cybersecurity data.
- Managing 24/7 global SOCs, including the challenges of shift rotations and ensuring analysts are not overloaded.
- Techniques for determining which data is crucial for cybersecurity efforts and how to handle terabytes of data per second.
- The necessity of ongoing education and staying updated with the latest in cybersecurity to maintain effectiveness in the field.
- The significance of hiring the right team from the start and making swift, decisive personnel changes when necessary.
- Check Point's focus on maintaining high operational margins and its impact on the business's success and sustainability.
Resources Mentioned:
- Daniel Wiley on LinkedIn
- Check Point Software website
- The Hard Thing About Hard Things by Ben Horowitz
- Cyber for Builders by Ross Haleliuk
Tuesday May 28, 2024
Tuesday May 28, 2024
In our latest episode of Detection at Scale, Jason Waits, CISO at Inductive Automation, shares insights learned in his journey from network administration to cybersecurity and the importance of SCADA systems.
He dives into the value of automation, ML, and AI in security operations, highlighting the need for asking the right questions for efficient data analysis. Jason also discusses building a security team with a focus on detection and response, leveraging automation for faster investigations.
Topics discussed:
- The role of SCADA systems in various industries and the importance of security in OT environments.
- The challenges and strategies in building a security program for scale, focusing on automation and infrastructure as code.
- The impact of IT-OT convergence on security issues and the need for enhanced controls and monitoring in interconnected systems.
- Embracing automation in security operations, including detection engineering and automating response actions for efficiency and scalability.
- Utilizing enrichment techniques for contextual data analysis and the significance of data sources for effective security investigations.
- The use of ML and AI in security operations, particularly in natural language querying and data analysis for actionable insights.
- Jason's advice on building a successful security team, emphasizing automation, staying informed on industry trends, and fostering collaboration with engineering teams.
Resources Mentioned:
Tuesday May 21, 2024
Tuesday May 21, 2024
In our recent special Hot Ones-style episode of Detection at Scale, Panther CEO Will Lowe and Founder & CTO Jack Naglieri sit down to taste hot sauces and talk hot topics in the field of cybersecurity. Jack shares his evolution from security professionals to founders, emphasizing the importance of experience and understanding attacker profiles.
Jack also gives his insights on the foundational skills to becoming a detection engineer, including building detection engineering functions and having war room experience. He also discusses the evolving role of AI in the security field, such as its usefulness in generating code for detection programs.
Topics discussed:
- Jack’s transition from practitioner to company founder, emphasizing the importance of saying yes to opportunities and keeping an open mind.
- Building detection engineering functions with a focus on understanding what needs to be detected and why.
- The significance of measurement in detection engineering and the importance of a growth mindset for continuous improvement.
- The importance of understanding the experiences of security practitioners and software engineers.
- The role of war room experience in understanding attacker profiles and the importance of incident response strategies to prepare for a role as a detection engineer.
- The importance of sharing knowledge and experiences within the cybersecurity community.
Resources Mentioned: Jack Naglieri’s Substack
Tuesday May 14, 2024
Tuesday May 14, 2024
In a recent episode of the Detection at Scale podcast recorded at the RSA conference, Jack chats with Corey Quinn, Chief Cloud Economist at The Duckbill Group, an AWS cost-management agency. They talked about the intersection of security and billing in the context of AWS environments, highlighting the significance of observability through billing data to enhance security measures.
Corey also discussed key offenders in AWS services for security and highlighted the challenges companies face in determining optimal investments in security services. Throughout our discussion, Corey offers valuable takeaways on navigating the evolving landscape of AWS security practices and optimizing billing strategies for enhanced cloud security.
Topics discussed:
- The importance of observability via billing data to bolster AWS security measures and optimize investments in security services.
- How to identify key security offenders in AWS services to enhance cloud security practices and mitigate potential breaches.
- The challenges in determining optimal security investments within AWS environments.
- Detecting potential breaches through AWS billing insights and the significance of understanding billing intricacies for security enhancements.
- The impact of billing data on identifying security vulnerabilities and navigating the AWS security landscape with enhanced strategies.
- The role of services like Route 53 in bolstering security measures and considerations for AWS spending on security services.
Resources Mentioned:
Tuesday May 07, 2024
Tuesday May 07, 2024
In this episode, Jack Naglieri speaks to Jeff Bollinger, Director of Incident Response and Detection Engineering at LinkedIn, who shares valuable insights on his journey in security, key technological shifts he's witnessed, and his approach to threat intelligence, incident response, and monitoring.
Jeff highlights the importance of contextual understanding in security operations and emphasized the critical role of human intuition, adaptability, and creativity in addressing security challenges. He also discussed the need for a balanced team with diverse skill sets and his views on the evolving role of AI in security operations.
Topics discussed:
- Technological shifts in the field of incident response and detection engineering, from the Y2K era to the present.
- The nuances of monitoring behaviors and moving towards higher-level monitoring: it’s useful but imperfect because humans can be unpredictable.
- Automation in security operations and how human analysts are still important and relevant because they have intuition that AI does not.
- Incorporating threat intelligence effectively in security programs: knowing what your scale is and what threats correspond to it.
- Building effective incident response programs and key considerations in security operations.
Tuesday Apr 23, 2024
Josh Liburdi on Brex's Innovative Approach to Data Quality in SecOps
Tuesday Apr 23, 2024
Tuesday Apr 23, 2024
In this episode, Jack Naglieri speaks to Josh Liburdi, Staff Security Engineer at Brex. Josh explains the process of developing their new security data pipeline toolkit, Substation and how it has been working. He also discusses the importance of quality data, highlighting the impact of data transformation.
Josh also shares his insights on the value of human analysis in SecOps and modern incident response strategies, from handling alerts to understanding program gaps.
Topics discussed:
- The development process of Substation, a security data pipeline toolkit to enhance log collection and data quality for threat detection
- The importance of quality data in security operations and how sometimes it is helpful to collect it even if you don’t analyze it right away.
- The data transformation process and its impact on threat detection, as well as how it’s made the team at Brex more efficient.
- Enhancing the ability to write better rules after implementing Substation.
- Josh's advice for security practitioners: it’s ok to seek help and “soft skills” are important.
Tuesday Apr 09, 2024
SAP's Matthew Valites on Why He Is a Proponent of Detection as Code
Tuesday Apr 09, 2024
Tuesday Apr 09, 2024
On this week's episode of the Detection at Scale podcast, Jack talks with Matthew Valites, Director of Threat Detection & Operational Strategy at SAP. They discuss which threat detection approach works the best, what metrics Matthew uses to gauge his programs, and why Matthew is a proponent of using detection as code.
Matthew also looks to the future and gives his prediction on what role technology such as GenAI will play in the security landscape. They close out their conversation with some actionable lessons from Matthew's book, Crafting the Infosec Playbook.
Topics discussed:
- Which threat-detection approach works the best (hint: it's usually the one that provides the most visibility).
- How Matthew manages the different logic in different environment using tailored macros.
- What metrics Matthew uses to gauge his programs and how he keeps track of those metrics.
- Why Matthew is a huge proponent of using detection as code, including the CIDC element it brings.
- What makes GenAI so exciting, and what its role might be in the future.
- How Matthew tries to take care of his team's mental and physical health.
- Actionable lessons from the book Matthew co-authored, “Crafting the Infosec Playbook”, such as espousing the values of a service-based approach.