
The Detection at Scale Podcast is dedicated to helping security practitioners and their teams succeed at managing and responding to threats at a modern, cloud scale. Every episode is focused on actionable takeaways to help you get ahead of the curve and prepare for the trends and technologies shaping the future.
Episodes

Tuesday Apr 23, 2024
Josh Liburdi on Brex's Innovative Approach to Data Quality in SecOps
In this episode, Jack Naglieri speaks to Josh Liburdi, Staff Security Engineer at Brex. Josh explains the process of developing their new security data pipeline toolkit, Substation and how it has been working. He also discusses the importance of quality data, highlighting the impact of data transformation.
Josh also shares his insights on the value of human analysis in SecOps and modern incident response strategies, from handling alerts to understanding program gaps.
Topics discussed:
- The development process of Substation, a security data pipeline toolkit to enhance log collection and data quality for threat detection
- The importance of quality data in security operations and how sometimes it is helpful to collect it even if you don’t analyze it right away.
- The data transformation process and its impact on threat detection, as well as how it’s made the team at Brex more efficient.
- Enhancing the ability to write better rules after implementing Substation.
- Josh's advice for security practitioners: it’s ok to seek help and “soft skills” are important.

Tuesday Apr 09, 2024
SAP's Matthew Valites on Why He Is a Proponent of Detection as Code
On this week's episode of the Detection at Scale podcast, Jack talks with Matthew Valites, Director of Threat Detection & Operational Strategy at SAP. They discuss which threat detection approach works the best, what metrics Matthew uses to gauge his programs, and why Matthew is a proponent of using detection as code.
Matthew also looks to the future and gives his prediction on what role technology such as GenAI will play in the security landscape. They close out their conversation with some actionable lessons from Matthew's book, Crafting the Infosec Playbook.
Topics discussed:
- Which threat-detection approach works the best (hint: it's usually the one that provides the most visibility).
- How Matthew manages the different logic in different environments using tailored macros.
- What metrics Matthew uses to gauge his programs and how he keeps track of those metrics.
- Why Matthew is a huge proponent of using detection as code, including the CI/CD element it brings.
- What makes GenAI so exciting, and what its role might be in the future.
- How Matthew tries to take care of his team's mental and physical health.
- Actionable lessons from the book Matthew co-authored, “Crafting the Infosec Playbook”, such as espousing the values of a service-based approach.

Tuesday Feb 27, 2024
On this week's episode of the Detection at Scale podcast, Jack talks with Justin Anderson, Security Engineering Manager, Detection & Response at Meta. They discuss how Meta has built its detection engineering program, how it treats detection-as-code like software, and how it gauges risk by assessing the TTPs applicable to the environment. They also talk about where AI is able to help out in development, the greater need for engineering and investigation skills, and three things to remember when building a security program.
Topics discussed:
- How Meta gauges risk by assessing the TTPs applicable to the environment and measuring coverage across those TTPs.
- How they built out their detection platform on a custom infrastructure and treat detection-as-code like software.
- Why they take a shift-left approach to detection, starting with TTP hypotheses and then eliminating as much noise as possible.
- How taking a page from the vulnerability management playbook helps reduce noise around detections.
- AI’s current limitations in detection and response, yet how it helps with writing code and speeding up development times.
- Why there's a greater need for stronger engineering and investigation skills, in addition to coding skills.
- Advice to security professionals to focus on understanding, identifying, and executing when building out their program.

Tuesday Jan 23, 2024
On this week's episode of the Detection at Scale podcast, Jack talks with Charles Anderson, Director, Global SOC at Sony. They discuss better approaches to risk-based alerting that leverage metadata, how they fine-tune detections across a global organization, and what factors to use when determining thresholds. They also talk about how to use Time to Detect to improve your strategies, how LLMs can help with baseline detection, and why it's key to not lose sight of risk in pursuit of threat.
Topics discussed:
- A better way to approach risk-based alerting by leveraging metadata to connect the dots.
- Which factors to consider when determining your thresholds for alerting.
- How Sony is using machine learning and why applying a single model to the entire organization doesn't work.
- Why organizations are targets of opportunity and accidental exposure more than they are of planned attack.
- The process Sony's SOC uses to fine-tune their detections and how it has to be different across the globe.
- How to use Time to Detect to tell the story of what you're covering and what you're missing.
- Advice to other security professionals that includes not losing sight of risk in pursuit of threat.

Tuesday Jan 09, 2024
On this week's episode of the Detection at Scale podcast, Jack talks with Jason Craig, Director - Threat Detection & Response at Remitly. They discuss the common TTPs of threat actors and how organizations can better protect against them by adopting hardware-backed authentication, a risk-based approach to logging, and building their threat modeling. They also talk about why organizations should move away from cellular MFA, the need for more behavioral profiling, and advice for security professionals.
Topics discussed:
- The common TTPs of threat actors and conglomerates like Lapsus$ and what organizations need to know to protect themselves against them.
- Why enterprises should rely on hardware-backed authentication rather than SMS MFA on cellular.
- How to take a better approach to identity management by using hardware-backed authentication and behavioral profiling that eliminates background noise.
- Why threat modeling begins with knowing what you do as an organization and what you have that's valuable to an attacker.
- How to take a risk-based approach to understanding which user data or sensitive information to protect first.
- Why an accurate asset inventory is a precursor to detection and response.
- Advice to security professionals and organizations on "knowing thyself" and codifying adversary tracking.

Tuesday Dec 19, 2023
AppOmni’s Drew Gatchell on Creating Better Detection for SaaS Platforms
On this week's episode of the Detection at Scale podcast, Jack talks with Drew Gatchell, Director, Detection Engineering at AppOmni. They discuss how to overcome the challenges to detection on SaaS platforms and how they're building strategies upon alerting and detection frameworks. They also talk about how generative AI can help with normalizing inputs, the benefits of data lakes for D&R, and why it's key to have a measurable plan for detection.
Topics discussed:
- How AppOmni is tackling the challenges of detection in SaaS platforms and auto-logs, especially when it comes to varied latency.
- What frameworks Drew is working with and how he's building upon them for better detection.
- How signal creation starts with a hypothesis that can be turned into a plan, and why it's important to include signal redundancy.
- What techniques AppOmni takes to address security in real time.
- How they're using AI to normalize their inputs and create additional content on top of the detection rules.
- The benefits of data lakes and how they're a tremendous asset to D&R.
- Advice for security leaders on having a measurable plan for detection, why detection should be layered, and the need to continuously validate your capabilities.

Tuesday Dec 12, 2023
On this week's episode of the Detection at Scale podcast, Jack talks with Emanuel Mulatu, Senior Engineering Manager - Detection & Response at Block. Together, they discuss what success means in security, the most rewarding things about security, and how to address and prevent one of the biggest challenges today: burnout. They also talk about ways to increase productivity through automation, the potential for AI and large language models, and why creating a great workplace starts with a healthy work-life balance.
Topics discussed:
- The most rewarding things about security — like the relationships and trust you build — and the biggest challenges facing security today.
- The value of building relationships across departments as well as with your customers.
- How to recognize the root causes of burnout and address it through meaningful initiatives like fitness or reading challenges.
- Why having a culture of writing can help with problem solving and collaboration.
- Why automation is the biggest initiative that's increasing productivity and morale, and the opportunities that AI and LLMs will bring.
- Advice for security leaders on how to build better workplaces focused on psychological safety and continuous learning.
- How to define security success, especially through the eyes of the C-suite.

Tuesday Nov 28, 2023
On this week's episode of the Detection at Scale podcast, Jack talks with Dr. Anton Chuvakin, Senior Security Staff at the Office of the CISO at Google Cloud. They dig deeper into the conversation taking place online around decoupled SIEMs, which both Jack and Anton wrote about. They discuss what a decoupled SIEM is, the evolution of data platforms and security capabilities, if decoupled SIEMs will work broadly with current customer demands, and if having backend data lakes is the best solution for fast, real-time querying.
Topics discussed:
- What is a decoupled SIEM, and why the broader discussion around whether security data lakes will replace SIEMs prompted Anton's Medium post.
- How this conversation is being driven by the fact that we’re coming to the "end of the runway" on previous storage choices.
- The arguments around why decoupling may not work broadly, simply because customers want integrated SIEMs.
- The evolution of data storage platforms and how successful past attempts at integrating security capabilities were.
- Why there's not a straightforward solution to storage — and why it's a challenge that's taking years to solve.
- Why having a data lake on the backend is the best solution to fast querying and real-time detection.
- A discussion around OCSF and the benefits of log normalization.
Resources mentioned:
- “Decoupled SIEM: Brilliant or Stupid?” by Anton Chuvakin
- “The Transition from Monolithic SIEMs to Data Lakes for Security Monitoring” by Jack Naglieri

Tuesday Nov 14, 2023
Deloitte’s Dhruv Majumdar on How to Mature Your Detection and Response
On this week's episode of the Detection at Scale podcast, Jack talks with Dhruv Majumdar, Director, Cyber Risk & Advisory at Deloitte. They discuss common challenges when transitioning from a traditional SOC to a detection and response program, what questions to ask when building a threat modeling strategy, and the benefits data lakes can unlock for D&R. They also talk about how LLMs are helping detect exfiltration and the need for security controls, policies, and good partnerships.
Topics discussed:
- The common challenges that organizations face today when evolving their detection and response programs, including moving away from SOC and managing big data.
- An overview of the maturity model and what organizations can follow to evolve their processes.
- Two critical questions to ask that will guide your threat modeling strategy.
- What big data "unlocks" for detection and response today, and what trade-offs there are in usability when moving to a data lake-backed architecture.
- How LLMs can surface patterns in data that simplify detecting exfiltration, and how they can help with automation to prevent burnout.
- Advice to security practitioners when transitioning to new strategies, including why you need "controls, controls, controls," and why you should take the simplest route to overcome a challenge.

Wednesday Jul 05, 2023
On this week's episode of the Detection at Scale podcast, Jack talks with Anton Chuvakin, Security Advisor at the Office of the CISO at Google Cloud, and Timothy Peacock, Senior Product Manager at Google. Together, they discuss some of the needs and trends in cybersecurity today, including how to know what level of D&R your organization needs, the use cases for AI today, and how LLMs and SIEMs will handle data at scale. They also talk about the need for more creative solutions to misconfiguration management, three things security practitioners can do to improve cloud security, and why cybersecurity is the "most intellectually stimulating profession on the planet."
Topics discussed:
- What attracted Anton and Timothy to cybersecurity, what makes them stay, and why the intersection of humans and technology makes it the “most intellectually stimulating profession on the planet.”
- How organizations can evaluate the level of security they need, why it's crucial to know whether you need to go from zero to one, or five, or a hundred, and how organizations with no detection and response strategies can get started.
- What use cases there will be for AI in cybersecurity, and while it may be good at summarizing, explaining complexity, and classifying, it may not be ready to create usable code.
- Why security practitioners need to think more about whether SIEMs can support planetary scale, and whether decentralization is the solution.
- The role LLMs will play in helping to manage large data sets, and how it may change the way organizations use MDRs.
- Why the industry needs new, creative ways to solve the ongoing problem of cloud misconfigurations in order to break vicious cycles through shared faith.
- Three pieces of advice to improve cloud security, including knowing your security needs, practicing, and making friends so you know you're not alone.