Guest:

• Adam Bateman, Co-founder and CEO, Push Security

Topics:

• What is Identity Threat Detection and Response (ITDR)? How do you define it?

• What gets better at a client organization once ITDR is deployed?

• Do we also need “ISPM” (parallel to CDR/CSPM), and what about CIEM?

• Workload identity ITDR vs human identity ITDR? Do we need both? Are these the same?

• What are the alternatives to using ITDR? Can’t SIEM/UEBA help - perhaps with browser logs?

• What are some of the common types of identity-based threats that ITDR can help detect?

• What advice would you give to organizations that are considering implementing ITDR?

Resources:

• ITDR Definition

• ITDR blog by Push / solve problem

Guest:

• Zack Allen, Senior Director of Detection & Research @ Datadog, creator of Detection Engineering Weekly

Topics:

• What are the biggest challenges facing detection engineers today?

• What do you tell people who want to consume detections and not engineer them?

• What advice would you give to someone who is interested in becoming a detection engineer at her organization?

• So, what IS a detection engineer? Do you need software skills to be one? How much breadth and depth do you need?

• What should a SOC leader whose team totally lacks such skills do?

• You created Detection Engineering Weekly. What motivated you to start this publication, and what are your goals for it? What are the learnings so far?

• You work for a vendor, so how should customers think of vendor-made vs customer-made detections and their balance?

• What goes into a backlog for detections and how do you inform it?

Resources:

• Video (LinkedIn, YouTube)

• Zacks’s newsletter: https://detectionengineering.net

• EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil

• EP117 Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?

• The SRE book

• “Detection Spectrum” blog

• “Delivering Security at Scale: From Artisanal to Industrial” blog (and this too)

• “Detection Engineering is Painful — and It Shouldn’t Be (Part 1)” blog series

• “Detection as Code? No, Detection as COOKING!” blog

• “Practical Threat Detection Engineering: A hands-on guide to planning, developing, and validating detection capabilities” book

• SpecterOps blog

Guests:

• Mitchell Rudoll, Specialist Master, Deloitte

• Alex Glowacki, Senior Consultant, Deloitte

Topics:

• The paper outlines two paths for SOCs: optimization or transformation. Can you elaborate on the key differences between these two approaches and the factors that should influence an organization's decision on which path to pursue?

• The paper also mentions that alert overload is still a major challenge for SOCs. What are some of the practices that work in 2024 for reducing alert fatigue and improving the signal-to-noise ratio in security signals?

• You also discuss the importance of automation for SOCs. What are some of the key areas where automation can be most beneficial, and what are some of the challenges of implementing automation in SOCs? Automation is often easier said than done…

• What specific skills and knowledge will be most important for SOC analysts in the future that people didn’t think of 5-10 years ago?

• Looking ahead, what are your predictions for the future of SOCs? What emerging technologies do you see having the biggest impact on how SOCs operate?

Resources:

• “Future of the SOC: Evolution or Optimization —Choose Your Path” paper and highlights blog

• “Meet the Ghost of SecOps Future” video based on the paper

• EP58 SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond

• The original Autonomic Security Operations (ASO) paper (2021)

• “New Paper: “Future of the SOC: Forces shaping modern security operations” (Paper 1 of 4)”

• “New Paper: “Future of the SOC: SOC People — Skills, Not Tiers” (Paper 2 of 4)”

• “New Paper: “Future Of The SOC: Process Consistency and Creativity: a Delicate Balance” (Paper 3 of 4)”

Guests:

• Robin Shostack, Security Program Manager, Google

• Jibran Ilyas, Managing Director Incident Response, Mandiant, Google Cloud

Topics:

• You talk about “teamwork under adverse conditions” to describe expedition behavior (EB). Could you tell us what it means?

• You have been involved in response to many high profile incidents, one of the ones we can talk about publicly is one of the biggest healthcare breaches at this time. Could you share how Expedition Behavior played a role in our response?

• Apart from during incident response which is almost definitionally an adverse condition, how else can security teams apply this knowledge?

• If teams are going to embrace an expeditionary behavior mindset, how do they learn it? It’s probably not feasible to ship every SOC team member off to the Okavango Delta for a NOLS course. Short of that, how do we foster EB in a new team?

• How do we create it in an existing team or an under-performing team?

Resources:

• EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework

• EP103 Security Incident Response and Public Cloud - Exploring with Mandiant

• EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?

• “Take a few of these: Cybersecurity lessons for 21st century healthcare professionals” blog

• Getting More by Stuart Diamond book

• Who Moved My Cheese by Spencer Johnson book

Guest:

• Brandon Wood, Product Manager for Google Threat Intelligence

Topics:

• Threat intelligence is one of those terms that means different things to everyone–can you tell us what this term has meant in the different contexts of your career? What do you tell people who assume that “TI = lists of bad IPs”?

• We heard while prepping for this show that you were involved in breaking up a human trafficking ring: tell us about that!

• In Anton’s experience, a lot of cyber TI is stuck in “1. Get more TI 2. ??? 3. Profit!” How do you move past that?

• One aspect of threat intelligence that’s always struck me as goofy is the idea that we can “monitor the dark web” and provide something useful. Can you change my mind on this one?

• You told us your story of getting into sales, you recently did a successful rotation into the role of Product Manager,, can you tell us about what motivated you to do this and what the experience was like?

• Are there other parts of your background that inform the work you’re doing and how you see yourself at Google?

• How does that impact our go to market for threat intelligence, and what’re we up to when it comes to keeping the Internet and broader world safe?

Resources:

• Video

• EP175 Meet Crystal Lister: From Public Sector to Google Cloud Security and Threat Horizons

• EP128 Building Enterprise Threat Intelligence: The Who, What, Where, and Why

• EP112 Threat Horizons - How Google Does Threat Intelligence

• Introducing Google Threat Intelligence: Actionable threat intelligence at Google scale

• A Requirements-Driven Approach to Cyber Threat Intelligence

Guests:

• Omar ElAhdan, Principal Consultant, Mandiant, Google Cloud

• Will Silverstone, Senior Consultant, Mandiant, Google Cloud

Topics:

• Most organizations you see use both cloud and on-premise environments. What are the most common challenges organizations face in securing their hybrid cloud environments?

• You do IR so in your experience, what are top 5 mistakes organizations make that lead to cloud incidents?

• How and why do organizations get the attack surface wrong? Are there pillars of attack surface?

• We talk a lot about how IAM matters in the cloud. Is that true that AD is what gets you in many cases even for other clouds?

• What is your best cloud incident preparedness advice for organizations that are new to cloud and still use on-prem as well?

Resources:

• Next 2024 LIVE Video of this episode / LinkedIn version (sorry for the audio quality!)

• “Lessons Learned from Cloud Compromise” podcast at The Defender’s Advantage

• “Cloud compromises: Lessons learned from Mandiant investigations” in 2023 from Next 2024

• EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework

• EP103 Security Incident Response and Public Cloud - Exploring with Mandiant

• EP162 IAM in the Cloud: What it Means to Do It 'Right' with Kat Traxler

Guest:

• Seth Vargo, Principal Software Engineer responsible for Google's use of the public cloud, Google

Topics:

• Google uses the public cloud, no way, right? Which one? Oh, yeah, I guess this is obvious: GCP, right?

• Where are we like other clients of GCP? Where are we not like other cloud users?

• Do we have any unique cloud security technology that we use that others may benefit from?

• How does our cloud usage inform our cloud security products?

• So is our cloud use profile similar to cloud natives or traditional companies?

• What are some of the most interesting cloud security practices and controls that we use that are usable by others?

• How do we make them work at scale?

Resources:

• EP12 Threat Models and Cloud Security (previous episode with Seth)

• EP66 Is This Binary Legit? How Google Uses Binary Authorization and Code Provenance

• EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil

• EP158 Ghostbusters for the Cloud: Who You Gonna Call for Cloud Forensics

• IAM Deny

• Seth Vargo blog

• “Attention Is All You Need” paper (yes, that one)

Guest:

• Crystal Lister, Technical Program Manager, Google Cloud Security

Topics:

• Your background can be sheepishly called “public sector”, what’s your experience been transitioning from public to private? How did you end up here doing what you are doing?

• We imagine you learned a lot from what you just described – how’s that impacted your work at Google?

• How have you seen risk management practices and outcomes differ?

• You now lead Google Threat Horizons reports, do you have a vision for this? How does your past work inform it?

• Given the prevalence of ransomware attacks, many organizations are focused on external threats. In your experience, does the risk of insider threats still hold significant weight? What type of company needs a dedicated and separate insider threat program?

Resources:

• Video on YouTube

• Google Cybersecurity Action Team Threat Horizons Report #9 Is Out!

• Google Cybersecurity Action Team site for previous Threat Horizons Reports

• EP112 Threat Horizons - How Google Does Threat Intelligence

• Psychology of Intelligence Analysis by Richards J. Heuer

• The Coming Wave by Mustafa Suleyman

• Visualizing Google Cloud: 101 Illustrated References for Cloud Engineers and Architects