Detection at Scale

In our recent special Hot Ones-style episode of Detection at Scale, Panther CEO Will Lowe and Founder & CTO Jack Naglieri sit down to taste hot sauces and talk hot topics in the field of cybersecurity. Jack shares his evolution from security professionals to founders, emphasizing the importance of experience and understanding attacker profiles.  Jack also gives his insights on the foundational skills to becoming a detection engineer, including building detection engineering functions and having war room experience. He also discusses the evolving role of AI in the security field, such as its usefulness in generating code for detection programs.  Topics discussed: Jack’s transition from practitioner to company founder, emphasizing the importance of saying yes to opportunities and keeping an open mind. Building detection engineering functions with a focus on understanding what needs to be detected and why. The significance of measurement in detection engineering and the importance of a growth mindset for continuous improvement. The importance of understanding the experiences of security practitioners and software engineers. The role of war room experience in understanding attacker profiles and the importance of incident response strategies to prepare for a role as a detection engineer. The importance of sharing knowledge and experiences within the cybersecurity community.  Resources Mentioned: Jack Naglieri’s Substack

In a recent episode of the Detection at Scale podcast recorded at the RSA conference, Jack chats with Corey Quinn, Chief Cloud Economist at The Duckbill Group, an AWS cost-management agency. They talked about the intersection of security and billing in the context of AWS environments, highlighting the significance of observability through billing data to enhance security measures.  Corey also discussed key offenders in AWS services for security and highlighted the challenges companies face in determining optimal investments in security services. Throughout our discussion, Corey offers valuable takeaways on navigating the evolving landscape of AWS security practices and optimizing billing strategies for enhanced cloud security. Topics discussed: The importance of observability via billing data to bolster AWS security measures and optimize investments in security services. How to identify key security offenders in AWS services to enhance cloud security practices and mitigate potential breaches. The challenges in determining optimal security investments within AWS environments. Detecting potential breaches through AWS billing insights and the significance of understanding billing intricacies for security enhancements. The impact of billing data on identifying security vulnerabilities and navigating the AWS security landscape with enhanced strategies. The role of services like Route 53 in bolstering security measures and considerations for AWS spending on security services.  Resources Mentioned:  Corey Quinn on LinkedIn The Duckbill Group website 

In this episode, Jack Naglieri speaks to Jeff Bollinger, Director of Incident Response and Detection Engineering at LinkedIn, who shares valuable insights on his journey in security, key technological shifts he's witnessed, and his approach to threat intelligence, incident response, and monitoring.  Jeff highlights the importance of contextual understanding in security operations and emphasized the critical role of human intuition, adaptability, and creativity in addressing security challenges. He also discussed the need for a balanced team with diverse skill sets and his views on the evolving role of AI in security operations. Topics discussed: Technological shifts in the field of incident response and detection engineering, from the Y2K era to the present. The nuances of monitoring behaviors and moving towards higher-level monitoring: it’s useful but imperfect because humans can be unpredictable. Automation in security operations and how human analysts are still important and relevant because they have intuition that AI does not. Incorporating threat intelligence effectively in security programs: knowing what your scale is and what threats correspond to it. Building effective incident response programs and key considerations in security operations. 

In this episode, Jack Naglieri speaks to Josh Liburdi, Staff Security Engineer at Brex. Josh explains the process of developing their new security data pipeline toolkit, Substation and how it has been working. He also discusses the importance of quality data, highlighting the impact of data transformation.  Josh also shares his insights on the value of human analysis in SecOps and modern incident response strategies, from handling alerts to understanding program gaps.  Topics discussed: The development process of Substation, a security data pipeline toolkit to enhance log collection and data quality for threat detection The importance of quality data in security operations and how sometimes it is helpful to collect it even if you don’t analyze it right away. The data transformation process and its impact on threat detection, as well as how it’s made the team at Brex more efficient. Enhancing the ability to write better rules after implementing Substation. Josh's advice for security practitioners: it’s ok to seek help and “soft skills” are important. 

Matthew Valites, Director of Threat Detection & Operational Strategy at SAP, discusses the best threat detection approaches, using detection as code, and the role of GenAI in the future security landscape. He also shares actionable lessons from his book, 'Crafting the Infosec Playbook'.

Meta's Justin Anderson discusses how they built a detection platform treating it like software code, gauging risk using TTPs, and taking a shift-left approach. They emphasize the need for strong engineering and investigation skills, AI limitations in detection, and advice for building a security program.

On this week's episode of the Detection at Scale podcast, Jack talks with Charles Anderson, Director, Global SOC at Sony. They discuss better approaches to risk-based alerting that leverage metadata, how they fine tune detections across a global organization, and what factors to use when determining thresholds. They also talk about how to use Time to Detect to improve your strategies, how LLMs can help with baseline detection, and why it's key to not lose sight of risk in pursuit of threat. Topics discussed: A better way to approach risk-based alerting by leveraging metadata to connect the dots. Which factors to consider when determining your thresholds for alerting. How Sony is using machine learning and why applying a single model to the entire organization doesn't work. Why organizations are targets of opportunity and accidental exposure more than they are of planned attack. The process Sony's SOC uses to fine tune their detections and how it has to be different across the globe. How to use Time to Detect to tell the story of what you're covering and what you're missing. Advice to other security professionals that includes not losing sight of risk in pursuit of threat.

In this discussion, Jason Craig, the Director of Threat Detection & Response at Remitly, dives into the TTPs of threat actors like Lapsus$. He advocates for hardware-backed authentication over SMS MFA for stronger identity management. Craig emphasizes the importance of a solid asset inventory and understanding organizational threats before crafting effective threat models. He also offers valuable insights on risk-based approaches to protecting sensitive data and the necessity for behavioral profiling to filter out irrelevant noise in security.

On this week's episode of the Detection at Scale podcast, Jack talks with Drew Gatchell, Director, Detection Engineering at AppOmni. They discuss how to overcome the challenges to detection on SaaS platforms and how they're building strategies upon alerting and detection frameworks. They also talk about how generative AI can help with normalizing inputs, the benefits of data lakes for D&R, and why it's key to have a measurable plan for detection. Topics discussed: How AppOmni is tackling the challenges of detection in SaaS platforms and auto-logs, especially when it comes to varied latency. What frameworks Drew is working with and how he's building upon them for better detection. How signal creation starts with a hypothesis that can be turned into a plan, and why it's important to include signal redundancy. What techniques AppOmni takes to address security in real time. How they're using AI to normalize their inputs and create additional content on top of the detection rules. The benefits of data lakes and how they're a tremendous asset to D&R. Advice for security leaders on having a measurable plan for detection, why detection should be layered, and the need to continuously validate your capabilities.

On this week's episode of the Detection at Scale podcast, Jack talks with Emanueal Mulatu, Senior Engineering Manager - Detection & Response at Block. Together, they discuss what success means in security, the most rewarding things about security, and how to address and prevent one of the biggest challenges today: burnout. They also talk about ways to increase productivity through automation, the potential for AI and large language models, and why creating a great workplace starts with a healthy work-life balance. Topics discussed: The most rewarding things about security — like the relationships and trust you build — and the biggest challenges facing security today. The value of building relationships across departments as well as with your customers. How to recognize the root causes of burnout and address it through meaningful initiatives like fitness or reading challenges. Why having a culture of writing can help with problem solving and collaboration. Why automation is the biggest initiative that's increasing productivity and morale, and the opportunities that AI and LLMs will bring. Advice for security leaders on how to build better workplaces focused on psychological safety and continuous learning. How to define security success, especially through the eyes of the C suite.