Detection at Scale

In this episode, Jack speaks with David Seidman, Head of Detection and Response at Robinhood. David has worked for large tech companies like Google, Microsoft, and Salesforce in a variety of D&R roles. 

During this episode, David shares his tactical advice on how his team is building the pipes and engines of security at Robinhood, his top tools to improve fidelity of detections, and what he’s learned in his career that’s made him a better practitioner and leader. 

Topics discussed: 

• The ‘unusual strategies’ and hypothesis on the kill chain model David has not shared before publicly 
• His top five tools to use to improve the fidelity of your detections 
• How David has seen composite detection be effective in practice and why it is most effective when it’s analyst driven 
• His experience working on Google Cloud's Event Threat Detection 
• What a mature IR process look like today and how to train staff that’s run IR in the past
• A big challenge and growth area in the industry that doesn’t get enough attention 
• The new frontier of what the detection and response stack will look like in the future
• David’s keys to an effective IR program, such as regular exercises, communications plan, having access and permissions to data, strong controls, and more.  
• The three actionable takeaways David learned from his roles at Google, Microsoft, Salesforce, and now Robinhood that make him a better practitioner and leader today

In this episode, Jack chats with Christopher Witter (aka Witter), Engineering Manager, Detection & Response at Spotify and a founding member and former lead for Crowdstrike’s Falcon OverWatch managed hunting service. 

Witter has nearly two decades of experience in incident response and information security, holding leadership roles on computer security and incident response teams (CSIRT) with both a top five global bank and a top ten defense contractor. 

During this episode, Witter shares his behind the scenes experiences helping build the Falcon Overwatch Team at Crowdstrike, why it’s critical to measure queries in seconds, not minutes, his tips on running highly effective D&R teams at scale, and more! 

Topics discussed:

• Witter’s experience as one of the first 100 people on the Falcon Overwatch Team at Crowdstrike 
• Why the Overwatch team didn’t follow traditional SOC mentalities 
• The various data sources Witter uses to improve accuracy and gather context 
• How D&R is like going to court – telling the story around Who, What, Where, Why, How, to prove beyond a reasonable doubt that this incident happened
• Why Witter measures in seconds, not minutes and why timescale is critical 
• Why it could be a mistake to choose cybersecurity tools based on financial capability and budget and what criteria should be considered instead
• Why Witter still believes in custom systems 
• Witter’s rule of thumb that if a human does the same thing 10x manually, it should be automated  
• Managing a remote D&R team and building psychological safety
• Witter’s advice for how others can get involved in the D&R community 
• His 3 pieces of advice to build a high-performing D&R team at scale, including a focus on ‘Jack of all trades’ people, avoiding distractions, and why it’s critical to capture everything to improve search. 

In this episode, Jack Naglieri speaks to Kelly Jackson Higgins, Editor-in-Chief at Dark Reading. During the episode, they share their thoughts about how cyber threats have changed over the years. 

Topics discussed:

• Kelly offers fascinating insights into how cybersecurity journalism has evolved to keep pace with the ever-changing industry.
• She offers an example of why choosing to patch systems is not always an easy decision for security teams.
• Jack and Kelly talk about how perceptions around which organizations are likely targets have changed over the years.
• Kelly shares some of the crazier threat actor trends she has observed during her career covering cybersecurity.
• She offers three pieces of valuable advice for security teams.

In this episode of the Detection at Scale, Jack speaks with Michael Hanley, Chief Security Officer and SVP of Engineering at GitHub. He also spent five years at Duo Security building their security program, and is passionate about making security easy and accessible for everyone.

Topics include: 

• How to think about managing in a dual role as both head of security and engineering, and what success looks like for both.
• What some of the synergies are between security and engineering, and why the two should work as closely as possible.
• The security strategy of retaining the integrity of the world's important projects at GitHub.
• The importance of democratizing security, and making it accessible for everyone.
• The mentality of baking software development into security.
• When to introduce a security team into an organization, how to build a SecOps team, and the evolution of security within companies.
• Actionable steps for security leaders to take regarding professional development, culture, and sharing notes.  

Resources: 

• Michael's favorite open source security tools: Stream Alert, Cloud Mapper, SiLK Suite
• Keep in touch with Michael Hanley on LinkedIn

Adeel Saeed is VP of Technology Strategy and Execution Management at Kyndryl and is a former CISO/CIO at large financial services companies, aviation companies, and more. 

Adeel is an experienced technology strategist and digital transformation leader with extensive hands-on technology and information security management experience and has led multiple large-scale complex technology transformation projects. 

Topics include: 

• How enabling your internal clients with the right tools and tech empowers them to serve their customer-base easier 
• Tool consolidation, risk metrics, reporting analytics, and more of what Adeel is focusing on in the risk management environment
• The experience that taught Adeel the most about practical security 
• Why experience and exposure are the ultimate teachers 
• Actionable steps to going from reactive to proactive in threat detection and response 
• The benefits of fine-tuned threat intelligence tools to better make risk-based judgments 
• Why security is not an ivory tower, it’s part of the business
• How security can better partner with business versus just being a component of it
• Why gamification can be a great tool to engage the executive team
• Standardization of all the data and the fundamental data problem 
• What Adeel has been paying attention to in the market around detection
• What true secure data governance looks like 
• Adeel's biggest challenge as a CISO, CSO, and overall security technology strategy leader 
• How Covid helped shape business security and where it should be embedded 
• Why it’s critical to position yourself as a business partner to your company 
• Adeel's tips for security leaders to succeed in the future of threat detection and response 

Resources: 

Keep in touch with Adeel on LinkedIn:  https://www.linkedin.com/in/adeelsaeed/

Chris Hodson is the CISO at Contentful, which helps digital teams assemble content and deliver experiences, faster. Prior to Contentful, Chris was at Zscaler and Tanium and also busy writing a book called Cyber Risk Management: Prioritize Threat, Identify Vulnerabilities, and Apply Controls. 

Chris builds and runs cybersecurity organizations that manage technology risks and helps product teams develop security solutions that work. As comfortable in the server room as the board room, he tailors cybersecurity strategy to organizational risk appetite and business objectives. 

Topics include: 

• Chris’s hottest security take on the role of a CISO 
• How Chris started developing the skills that better enabled him as a better technical CISO 
• How Chris works more closely with DevOps teams
• How his team gets smart about what to detect
• How to work with application developers to get more useful data
• Prioritize the services that are most sensitive, so things that are touching customer data get the most attention 
• The application signals Chris typically cares about 
• Building out tools internally to send telemetry to a single source
• The organization of cross-functional security team and the focus on security engineers 
• The Kubernetes 4Cs - Code, Container, Clusters, Cloud
• The importance of organizational-specific context to succeed in fixing symptoms at the cause 
• Chris’s advice that he’d give to detection teams living in a cloud-based world 

Resources: 

• Keep in touch with Chris on LinkedIn: https://www.linkedin.com/in/christopherjhodson/?originalSubdomain=uk
• Learn more about Chris’s book here: https://cybersecuritymattersdotblog.wordpress.com/my-books/
• Kubernetes 4Cs: https://www.enterprisedb.com/blog/4cs-security-model-kubernetes

Thomas Owen is CISO at Grafana and an advisor to startups who helped build the security team at Snyk and is especially excited about fostering conversations around ethics, sustainability, mental health, and inclusivity. 

A cloud-native, innovative and strategic security leader with a blend of people, policy and technical experience and a strong product affinity, Thomas and Jack discuss how to build a team from the ground up, the attributes of a modern security team, how to gauge value of security, and his advice for practitioners around basic hygiene. 

Topics include: 

• How Thomas builds functions from the ground up 
• How to think about functional areas from very early on in the team 
• Practical applications of using GRF for security and the elements that should be looked at 
• The three biggest challenges with modern data security
• The pros, cons, and use cases of open source in security at scale 
• The difference between engineers building features and products solving problems 
• Modern security: telemetry, analysis, and what do you do about it
• The ROI of security and how to gauge value 
• Latest trends in high-scale monitoring 
• Why ‘enabled autonomy’ is critical in a modern security team  
• 3 pieces of actionable advice for practitioners looking to succeed at detection at scale 

Keep in touch with Thomas on LinkedIn: https://www.linkedin.com/in/thomas-rhys-owen/?originalSubdomain=uk

Mike Saxton is Technical Director of Defensive Cyber Operations at Booz Allen Hamilton. His primary focus is on implementing technical solutions to protect against vulnerabilities, exploit software or hardware, data threats and other emerging risks that may threaten critical system operations. 

Not only an endurance athlete and classically trained musician, Mike is a long time proponent of detections as code and in today's episode he and Jack discuss everything from getting started on your detection journey, to broader cloud security adoption, the use of open source in government, and more! 

Topics include: 

• How Mike went from the healthcare field to cybersecurity 
• Where the government is in their shift to the cloud 
• The zero-trust model and broader security adoption in the cloud space  
• Where Mike thinks most teams start in their detection journey
• Mike’s positive thoughts on closing the cybersecurity skills gap and how interviews for detection at scale competency  
• The usage of open source there is in government 
• How acquisition and new leadership is changing cybersecurity products and frameworks in government 
• Why it’s critical to find a niche when working in cybersecurity 
• His advice to get outside your comfort zone and not just push yourself, but push the industry as a whole

Keep in touch with Mike on LinkedIn at: https://www.linkedin.com/in/mikesaxton/

JJ Agha is the CISO at Compass, the largest real estate brokerage in the US, and previously spent over four years as VP of InfoSec at WeWork, along with time as a security engineer at Vimeo and Priceline. 

Having worked for and advised for multiple startups and Fortune 500 companies he enjoys the challenge of building security teams and maturing programs and disciplines within an organization while embracing and learning new technologies.

In today’s episode, Jack and JJ discuss how he builds his team, buy vs build, what he expects from a modern SIEM, and more! 

Topics include: 

• How JJ went from changing his degree nine times, to a help desk analyst to discovering cybersecurity and entering the industry with Northrop Grumman and Edgecast 
• How JJ thinks about the human element of security when it comes to running a team and being a CISO 
• What Ikigai is and how the mindset can empower security professionals 
• Building vs buying and the projects JJ’s security team is working on 
• What JJ is looking for in a modern SIEM 
• JJ’s focus on Relentless Iteration and his mission to constantly improve and iterate security programs 
• How JJ balances the cost of his detection program with the needs of his security team 

Keep in touch with JJ on LinkedIn at: https://www.linkedin.com/in/jonathanagha/

Kathy Wang is the CISO at Discord, an internationally-recognized malware expert who has researched, developed, evaluated, and operationalized various solutions for detecting and preventing client-side attacks used by advanced persistent threats (APT). 

As a security executive and leader, Kathy has a strong background in project management, research, and business development. She has worked in government, commercial, and technology startup environments, and currently advises security services/products startup companies.

In today’s episode, Jack and Kathy discuss the talent pool in cybersecurity.

Topics discussed in this episode:

• What made Kathy want to go from researcher to security leader 
• The impact remote work and remote teams has had on cybersecurity teams 
• What Kathy looks for when hiring security professionals 
• Why transparency and multi-modal communication is mission critical for cybersecurity teams 
• How attacks have changed in the past 5 years 
• The tools Kathy is paying most attention to 
• What she enjoys most about working in security 
• Kathy’s advice for security professionals, especially early in their career 

Keep in touch with Kathy on LinkedIn at: https://www.linkedin.com/in/kathywang/