© 2024 PodJoint
Detection at Scale
Panther Labs
69 episodes
1 week ago
The Detection at Scale Podcast is dedicated to helping security practitioners and their teams succeed at managing and responding to threats at a modern, cloud scale. Every episode is focused on actionable takeaways to help you get ahead of the curve and prepare for the trends and technologies shaping the future.
Technology
Business
All content for Detection at Scale is the property of Panther Labs and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Episodes (20/69)
Live Oak Bank's George Werbacher on AI As SecOps' Single Pane of Glass
George Werbacher, Head of Security Operations at Live Oak Bank, reviews the practical realities of implementing AI agents in security operations, sharing his journey from exploring tools like Cursor and Claude Code to building custom agents in-house. He also reflects on the challenges of moving from local development to production-ready systems with proper durability and retry logic. The conversation explores how AI is changing the security analyst role from alert analysis to deeper investigation work, why SOAR platforms face significant disruption, and how MCP servers enable natural language interactions across security tools. George offers pragmatic advice on cutting through AI hype, emphasizing that agents augment rather than replace human expertise while dramatically lowering barriers to automation and query language mastery. Through technical insights and leadership perspective, George illuminates how security teams can embrace AI to improve operational efficiency and mean time to detect without inflating budgets, while maintaining the critical human judgment that effective security demands.

Topics discussed:
- Understanding AI's role in augmenting security analysts rather than replacing them, shifting roles toward investigation and threat hunting.
- Building custom AI agents using Python and exploring frameworks like LangChain to solve specific SecOps use cases.
- Managing the move of agents from local development to production, including retry logic, fallbacks, and durability requirements.
- Implementing MCP servers to enable natural language interactions with security tools, eliminating the need to learn multiple query languages.
- Navigating AI hype by focusing on solving specific problems and understanding what agents can realistically accomplish.
- Predicting SOAR platform disruption as agents take over enrichment, orchestration, and response with simpler automation approaches.
- Removing platform barriers by enabling analysts to use natural language rather than mastering specific tools or query languages.
- Exploring context management, prompt engineering, and conversation history techniques essential for building effective agentic systems.
- Adopting tools like Cursor and Claude Code to empower technical security professionals without deep coding backgrounds.

Listen to more episodes: Apple, Spotify, YouTube, Website
1 week ago
31 minutes

Ochsner Health's Andrew Casazza on When AI Becomes the Hammer Looking for Nails
Andrew Casazza, AVP of Cyber Security Operations at Ochsner Health, explores how healthcare organizations navigate FDA-approved medical devices running on legacy operating systems, implement AI-powered security tools while maintaining HIPAA compliance, and respond to threats that now move from initial compromise to malicious action in seconds rather than hours.

Andrew gives Jack his insights on building effective security programs in heavily regulated industries, emphasizing the importance of visibility, automation with guardrails, and keeping humans in the loop for critical decisions while leveraging AI to handle the speed and scale of modern threats.

Topics discussed:
- Unique security challenges in healthcare environments where medical devices run on legacy operating systems that cannot be easily updated.
- Strategies for monitoring and securing systems that cannot have traditional security agents installed due to FDA regulations and medical certification requirements.
- Leveraging AI and automation in security operations while navigating HIPAA regulations and protecting patient data from external training models.
- Implementing human-in-the-loop approaches where AI performs initial analysis and triage while escalating critical decisions to human analysts.
- Understanding the privacy and compliance implications of AI tools that may use customer data for model training and improvement.
- The dramatic reduction in threat-actor dwell time from hours or days to minutes or seconds.
- Building effective SOAR automation playbooks to handle repetitive cases and reduce noise while focusing attention on bigger threats.
- Establishing appropriate guardrails for AI-powered security tools to prevent unintended consequences while enabling automated response capabilities.
- The importance of being curious and maintaining broad knowledge across multiple domains to become more effective.
3 weeks ago
26 minutes

Cisco Meraki's Stephen Gubenia on How to Crawl-Walk-Run to AI-Powered SecOps
Stephen Gubenia, Head of Detection Engineering for Threat Response for Cisco Meraki, shares his evolution from managing overwhelming alert volumes as a one-person security team to architecting sophisticated automated systems that handle everything from enrichment to containment.

Stephen discusses the organizational changes needed for successful AI adoption, including top-down buy-in and proper training programs that help team members understand AI as a productivity multiplier rather than a job threat.

The conversation also explores Stephen’s practical "crawl, walk, run" methodology for responsibly implementing AI agents, the critical importance of maintaining human oversight through auditable workflows, and how security teams can transition from reactive alert management to strategic agent supervision.

Topics discussed:
- Evolution from manual security operations to AI-powered agentic workflows that eliminate repetitive tasks and enable strategic focus.
- Implementation of the "crawl, walk, run" methodology for gradually introducing AI agents with proper human oversight and validation.
- Building enrichment agents that automatically gather threat intelligence and OSINT data instead of manual investigations.
- Development of reasoning models that can dynamically triage alerts, run additional queries, and recommend investigation steps.
- Automated containment workflows that can perform endpoint isolation and other response actions while maintaining appropriate guardrails.
- Essential foundations including proper logging pipelines, alerting systems, and detection logic required before implementing AI automation.
- Human-in-the-loop strategies that transition from per-alert review to periodic auditing and agent management oversight.
- Organizational change management including top-down buy-in, training programs, and addressing fears about AI replacing jobs.
- Future of detection engineering with AI-assisted rule development, gap analysis, and customized detection libraries.
- Learning recommendations for cybersecurity professionals to develop AI literacy through reputable sources and consistent daily practice.
1 month ago
34 minutes

Databricks' Dave Herrald on Building SOCs with Data Lakes & Focused AI Agents
Dave Herrald, Global Head of Cybersecurity GTM at Databricks, tells Jack about transforming security operations through modern data lake architectures and strategic AI implementation. He discusses the practical benefits of separating storage from compute, giving security teams direct control over data retention while maintaining operational flexibility. The conversation explores how organizations can move beyond traditional SIEM limitations by leveraging cost-effective data lake storage with advanced analytics capabilities. They touch on AI agents in security, where Dave advocates for focused agents over broad analyst replacement approaches. He also addresses common concerns about hallucinations, framing them as engineering challenges rather than insurmountable obstacles, and shares real-world examples of successful agent implementations.

Topics discussed:
- Moving from traditional SIEM architectures to modern data lake approaches for cost-effective security analytics and data control.
- Implementing focused AI agents for specific security tasks like context gathering rather than attempting broad analyst replacement.
- Leveraging graph analytics for security operations including CMDB visualization, breach scoping, and vulnerability prioritization across enterprise environments.
- Addressing AI hallucinations through prompt engineering and proper context management rather than avoiding AI implementation entirely.
- Building detection capabilities using SQL and Python for analytics that provide supersets of traditional SIEM query languages.
- Creating normalization frameworks using standards like OCSF to enable consistent data analytics across diverse security data sources.
- Developing career resilience in security through mission-focused thinking, continuous AI learning, and building practical skills.
- Comparing modern AI agents to traditional SOAR platforms for automation effectiveness and maintenance requirements.
- Establishing data governance and access controls in security data lakes while maintaining operational flexibility and cost effectiveness.
2 months ago
35 minutes

Tines' Matt Muller on AI-Assisted Security Operations and Modernizing the SOC
Matt Muller, Field CISO at Tines, knows all about revolutionizing security operations through strategic AI integration and intelligent automation. In his conversation with Jack, Matt explores how traditional SOC models create problematic feedback loops where junior analysts make critical decisions while senior practitioners handle escalations, limiting learning and growth opportunities.

Instead, Matt envisions AI-assisted workflows where senior expertise gets encoded into intelligent systems that teach junior team members while they work, transforming security operations from reactive alert-chasing to proactive strategic defense. He also emphasizes communication skills, relationship building, and moving beyond being perceived as the team of no to become strategic enablers.

Topics discussed:
- Evolution from banning ChatGPT to strategic AI integration in security operations, emphasizing augmentation over replacement strategies.
- Model Context Protocol implementation challenges and the importance of safe-by-default approaches when integrating emerging AI technologies into production.
- Traditional SOC tier models create problematic feedback loops where junior analysts make critical decisions but lack learning opportunities.
- AI-assisted workflows can transform security operations by encoding senior expertise into systems that teach while automating routine tasks.
- Practical approaches to AI adoption including demystification techniques, validation methods, and breaking complex problems into manageable components.
- Strategic implementation of AI agents in security workflows, particularly for non-deterministic tasks like phishing investigation and alert triage.
- Importance of maintaining human oversight and guardrails when deploying AI systems in critical security operations and incident response.
- Communication skills and relationship building as fundamental competencies for security practitioners working with both AI systems and human stakeholders.
- Safe experimentation with AI technologies through controlled environments and understanding system limitations before production deployment.
2 months ago
29 minutes 25 seconds

Illumio's Erik Bloch on Getting Security Fundamentals Right Before Adding AI
In this episode of Detection at Scale, Jack speaks with Erik Bloch, VP of Security, Illumio, about why most security operations teams aren't ready for AI tools and what fundamental processes must be in place first. Erik challenges the industry's obsession with new technologies, sharing stories from his experience transforming underperforming security teams at major companies like Cisco, Salesforce, and Atlassian.

His conversation with Jack explores how to measure what actually matters in security operations, from team capacity utilization to business outcome dispositions, and why proper ticketing systems and actionable metrics are prerequisites for any advanced tooling to be effective.

Topics discussed:
- The importance of establishing fundamental processes like ticketing systems and metrics before implementing AI tools in security operations.
- How to measure team capacity utilization and resource allocation to identify when security operations teams are operating beyond sustainable levels.
- Why traditional security metrics like mean time to detect are often vanity metrics that don't provide actionable business intelligence.
- The critical need for security leaders to communicate in business language with concrete data rather than anecdotal risk assessments.
- How managed service providers will likely be the first to successfully adopt AI tools due to their standardized processes.
- The challenge of proving AI tool effectiveness when most organizations lack baseline metrics to measure improvement against established benchmarks.
- Why security teams gravitate toward building custom tools and how this impacts their approach to adopting commercial AI solutions.
- The role of MCP in enabling security teams to create their own agents and integrate multiple tools.
- How AI should focus on eliminating routine tasks like phishing email analysis rather than trying to catch advanced persistent threats.
- The framework for implementing AI tools by starting with business outcomes, defining metrics, identifying capabilities, and then inserting automation.
3 months ago
44 minutes 4 seconds

SANS's John Hubbard on Future-Proofing SOC Analysts in the Age of AI
Drawing from his experience building enterprise SOCs and teaching thousands of security professionals, John Hubbard, Cyber Defense Curriculum Lead at SANS Institute and host of the Blueprint podcast, tells Jack about how AI is revolutionizing security operations centers, including balancing AI automation with fundamental analyst skills. They also explore practical AI applications in alert contextualization, team performance analysis, and the future vision of natural language interfaces for complex security tasks.

John emphasizes the importance of teaching both traditional methods and AI-enhanced approaches, ensuring security teams can leverage technology while maintaining critical thinking capabilities. He also discusses considerations around local versus cloud-based AI models and offers actionable advice for security professionals looking to future-proof their careers in an increasingly automated landscape.

Topics discussed:
- How AI transforms alert contextualization by dynamically incorporating business context and asset information for better triage decisions.
- The educational challenge of teaching both foundational security methods and AI-enhanced approaches to maintain analyst skills.
- Practical applications of AI in SOC operations, including automated phishing triage and mass analysis of analyst performance data.
- The evolution toward natural language interfaces that could enable complex security tasks like packet analysis through conversational commands.
- Custom agent development versus relying on vendor-provided AI solutions, including the technical challenges and coding requirements involved.
- Future SOC architecture predictions featuring interconnected agents, MCP protocols, and the abstraction of traditional security analyst tasks.
- Local versus cloud-based AI model considerations, including data privacy concerns, computational requirements, and trust implications.
- The critical question of oversight in automated security operations and who monitors AI agents in increasingly autonomous systems.
- Performance analysis capabilities enabled by AI's ability to process written text and logs at scale for team improvement insights.
- Practical advice for security professionals to embrace discomfort, invite AI into problem-solving, and establish mentoring relationships for career growth.
4 months ago
28 minutes 44 seconds

Airwallex's Elliot Colquhoun on Big Bet Security Investments That Pay Off
Elliot Colquhoun, VP of Information Security + IT at Airwallex, has built what might be the most AI-native security program in fintech, protecting 1,800 employees with just 9 security engineers by building systems that think like the best security engineers. His approach to contextualizing every security alert with institutional knowledge offers a blueprint for how security teams can scale exponentially without proportional headcount growth. Elliot tells Jack his unconventional path from Palantir's deployed engineer program to leading security at a Series F fintech, emphasizing how his software engineering background enabled him to apply product thinking to security challenges. His insights into global security operations highlight the complexity of protecting financial infrastructure across different regulatory environments, communication platforms, and cultural contexts while maintaining unified security standards.

Topics discussed:
- The strategic approach to building security teams with 0.5% employee ratios through AI automation and hiring engineers with entrepreneurial backgrounds rather than traditional security-only experience.
- How to architect internal AI platforms that contextualize security alerts by analyzing historical incidents, documentation, and company-specific knowledge to replicate senior engineer decision-making at scale.
- The methodology for navigating global regulatory compliance across different jurisdictions while maintaining development velocity and avoiding the trap of building security programs that slow down business operations.
- Regional security strategy development that accounts for different communication platform preferences, cultural attitudes toward privacy, and varying attack vectors across global markets.
- The framework for continuous detection refinement using AI to analyze false positive rates, true positive trends, and automatically iterate on detection strategies to improve accuracy over time.
- Implementation strategies for mixing and matching frontier AI models based on specific use cases, from using Claude for analysis to O1 for initial assessments and Gemini for deeper investigation.
- "Big bet" security investments where teams dedicate 30% of their time to experimental projects that could revolutionize security operations if successful.
- How to structure data and human-generated content to support future AI use cases, including training security engineers to document their reasoning for model improvement.
- The transition from traditional security tooling to agent-based systems that can control multiple security tools while maintaining business-specific context and institutional knowledge.
- The challenge of preserving institutional knowledge as AI systems replace human processes, including considerations for direct AI-to-regulator communication and maintaining human oversight in critical decisions.
4 months ago
29 minutes 29 seconds

1Password's Jacob DePriest on Balancing Human Intuition and AI in Cybersecurity
In this episode of Detection at Scale, Jack speaks with Jacob DePriest, VP of Security/CISO at 1Password, who shares insights from his 15-year journey from the NSA to leading security at GitHub through his current role. Jacob discusses his framework for assessing security programs with fresh eyes, emphasizing business objectives first, then addressing risks, and finally implementing the right security measures.

He also explores how generative AI can enhance security operations while maintaining that human expertise remains essential for understanding threat intent. As 1Password transforms from a password manager to a multi-product security platform, Jacob outlines his approach to scaling security through engineering partnerships and automation, while offering practical leadership advice on building relationships, maintaining work-life balance, and aligning security initiatives with business goals.

Topics discussed:
- Transitioning from engineering to security leadership and how that technical background provides empathy when implementing security controls.
- Approaching security program assessment by first understanding business objectives, then identifying risks, and finally implementing appropriate measures.
- Exploring 1Password’s evolution from a password management product to a multi-product security company with extended access management.
- Balancing generative AI’s capabilities with human expertise in security operations, recognizing AI’s limitations in understanding intent.
- Leveraging AI to enhance incident response through automated summaries and context gathering to speed up triage processes.
- Implementing AI applications in GRC functions like vendor reviews and third-party questionnaires to increase efficiency and reduce tedium.
- Building sustainable security operations by ensuring security tools have proper access to data through education and partnership.
- Addressing the varying security postures across the vendor landscape through a risk-based approach focusing on access and visibility.
- Scaling security teams by clearly connecting their work to business objectives and ensuring team members understand why their tasks matter.
- Three pillars of security leadership: building a trusted network, establishing sustainable work-life balance, and connecting security to business goals.
6 months ago
23 minutes 9 seconds

Two Candlesticks' Matthew Martin on Leveraging AI for Resource-Constrained Security Operations
In this episode of Detection at Scale, Matthew Martin, Founder of Two Candlesticks, shares practical approaches for implementing AI in security operations, particularly for smaller companies and those in emerging markets. Matthew explains how AI chatbots can save analysts up to 45 minutes per incident by automating initial information gathering and ticket creation. Matthew’s conversation with Jack explores critical implementation challenges, from organizational politics to data quality issues, and the importance of making AI decisions auditable and explainable.

Matthew emphasizes the essential balance between AI capabilities and human intuition, noting that although AI excels at analyzing data, it lacks understanding of intent. He concludes with valuable advice for security leaders on business alignment, embracing new technologies, and maintaining human connection to prevent burnout.

Topics discussed:
- Implementing AI chatbots in security operations can save analysts approximately 45 minutes per incident through automated information gathering and ticket creation.
- Political challenges within organizations, particularly around AI ownership and budget allocation, often exceed technical challenges in implementation.
- Data quality and understanding are foundational requirements before implementing AI in security operations to ensure effective and reliable results.
- The balance between human intuition and AI capabilities is crucial, as AI excels at data analysis but lacks understanding of intent behind actions.
- Security teams should prioritize making AI decisions auditable and explainable to ensure transparency and accountability in automated processes.
- Generative AI lowers barriers for both attackers and defenders, requiring security teams to understand AI capabilities and limitations.
- In-house data processing and modeling are preferable for sensitive customer data, with clear governance frameworks for privacy and security.
- Future security operations will likely automate many Tier 1 and Tier 2 functions, allowing analysts to focus on more complex issues.
- Security leaders must understand their business thoroughly to build controls that align with how the company generates revenue.
- Technology alone cannot solve burnout issues; leaders must understand their people at a human level to create sustainable efficiency improvements.
7 months ago
29 minutes 27 seconds

Pangea’s Oliver Friedrichs on Building Guardrails for the New AI Security Frontier
The security automation landscape is undergoing a revolutionary transformation as AI reasoning capabilities replace traditional rule-based playbooks. In this episode of Detection at Scale, Oliver Friedrichs, Founder & CEO of Pangea, helps Jack unpack how this shift democratizes advanced threat detection beyond Fortune 500 companies while simultaneously introducing an alarming new attack surface.

Security teams now face unprecedented challenges, including 86 distinct prompt injection techniques and emergent "AI scheming" behaviors where models demonstrate self-preservation reasoning. Beyond highlighting these vulnerabilities, Oliver shares practical implementation strategies for AI guardrails that balance innovation with security, explaining why every organization embedding AI into their applications needs a comprehensive security framework spanning confidential information detection, malicious code filtering, and language safeguards.

Topics discussed:
- The critical "read versus write" framework for security automation adoption: organizations consistently authorized full automation for investigative processes but required human oversight for remediation actions that changed system states.
- Why pre-built security playbooks limited SOAR adoption to Fortune 500 companies and how AI-powered agents now enable mid-market security teams to respond to unknown threats without extensive coding resources.
- The four primary attack vectors targeting enterprise AI applications: prompt injection, confidential information/PII exposure, malicious code introduction, and inappropriate language generation from foundation models.
- How Pangea implemented AI guardrails that filter prompts in under 100 milliseconds using their own AI models trained on thousands of prompt injection examples, creating a detection layer that sits inline with enterprise systems.
- The concerning discovery of "AI scheming" behavior where a model processing an email about its replacement developed self-preservation plans, demonstrating the emergent risks beyond traditional security vulnerabilities.
- Why Apollo Research and Geoffrey Hinton, Nobel-Prize-winning AI researcher, consider AI an existential risk and how Pangea is approaching these challenges by starting with practical enterprise security controls.

Check out Pangea.com
7 months ago
26 minutes 59 seconds

Panther's Matt Jezorek on Simplifying Security and Balancing Human Intuition with AI
In this special episode of Detection at Scale, Jack welcomes back Matt Jezorek, Panther’s new CISO, for an insightful conversation about effective security strategies. Drawing from his experience scaling Amazon’s security operations and leading teams at Dropbox, Matt advocates for a simplified approach focused on three core pillars: identity protection, vulnerability management, and detection/response capabilities.

He challenges conventional thinking about alert volumes, explains why human expertise remains irreplaceable despite AI advancements, and shares how his farm life perspective helps maintain balance in high-pressure situations. Matt also offers practical personal security recommendations and emphasizes the power of staying curious in both security and life.

Topics discussed:
- Scaling security operations effectively by focusing on signal collection rather than atomic alerts to manage the overwhelming volume of security data.
- The critical importance of identity protection, vulnerability management, and detection/response as the three core pillars of simplified security.
- Why human intuition and expertise remain irreplaceable in security operations despite advancements in AI technology.
- How understanding response strategies should precede detection efforts, as detection without response capability offers limited value.
- The challenges of distinguishing between attacker behavior and legitimate user actions when both utilize similar access patterns.
- Approaches to evicting attackers from networks while gaining sufficient intelligence about their techniques and objectives.
- Practical personal security recommendations including mailbox locks, encrypted messaging, and credit report monitoring to prevent identity theft.
- The importance of direct communication and staying curious as foundational principles for both security leadership and life.
7 months ago
32 minutes 33 seconds

Rabbit’s Matthew Domko on Using Engineering-First Security to Build Modern Detection Programs
Managing security for a device that can autonomously interact with third-party services presents unique orchestration challenges that go beyond traditional IoT security models. In this episode of Detection at Scale, Matthew Domko, Head of Security at Rabbit, gives Jack an in-depth look at building security programs for AI-powered hardware at scale.

He details how his team achieved 100% infrastructure-as-code coverage while maintaining the agility needed for rapid product iteration. Matt also challenges conventional approaches to scaling security operations, advocating for a serverless-first architecture that has fundamentally changed how they handle detection engineering. His insights on using private LLMs via Amazon Bedrock to analyze security events showcase a pragmatic approach to AI adoption, focusing on augmentation of existing workflows rather than wholesale replacement of human analysis.

Topics discussed:
- How transitioning from reactive SIEM operations to a data-first security approach using AWS Lambda and SQS enabled Rabbit’s team to handle complex orchestration monitoring without maintaining persistent infrastructure.
- The practical implementation of LLM-assisted detection engineering, using Amazon Bedrock to analyze 15-minute blocks of security telemetry across their stack.
- A deep dive into security data lake architecture decisions, including how their team addressed the challenge of cost attribution when security telemetry becomes valuable to other engineering teams.
- The evolution from traditional detection engineering to a "detection-as-code" pipeline that leverages infrastructure-as-code for security rules, enabling version control, peer review, and automated testing of detection logic while maintaining rapid deployment capabilities.
- Concrete examples of integrating security into the engineering workflow, including how they use LLMs to transform security tickets to match engineering team nomenclature and communication patterns.
- Technical details of their data ingestion architecture using AWS SQS and Lambda, showing how two well-documented core patterns enabled the team to rapidly onboard new data sources and detection capabilities without direct security team involvement.
- A pragmatic framework for evaluating where generative AI adds value in security operations, focusing on specific use cases like log analysis and detection engineering where the technology demonstrably improves existing workflows rather than attempting wholesale process automation.
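The SQS-to-Lambda ingestion path and the detection-as-code pipeline described in these notes, sketched as an added example for this page (it is not Rabbit's or Panther's own code): each detection rule is a plain Python function that ships with its own positive and negative test events, a test gate rejects a change that breaks the rule, and an SQS-triggered Lambda runs every rule over each event in a batch, reporting malformed records as partial batch failures so only those are redelivered. The CloudTrail-style ConsoleLogin rule, the event fields, the record layout and the sample batch are assumptions constructed for illustration.

```python
# Added illustration of detection-as-code on an SQS -> Lambda path. Rule logic,
# event fields and record layout are assumptions, not Rabbit's or Panther's code.
import json
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]

@dataclass
class Rule:
    rule_id: str
    severity: str
    match: Callable[[Event], bool]
    title: Callable[[Event], str]
    # Positive and negative test events live beside the rule so a pull request
    # that breaks or silently widens the logic fails CI before deployment.
    tests: List[Dict[str, Any]] = field(default_factory=list)

def _console_login_without_mfa(event: Event) -> bool:
    """CloudTrail-style ConsoleLogin that succeeded without MFA (assumed fields)."""
    return (
        event.get("eventName") == "ConsoleLogin"
        and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
        and event.get("additionalEventData", {}).get("MFAUsed") == "No"
    )

def _login_event(mfa: str, outcome: str = "Success") -> Event:
    """Constructed sample event used by the rule's tests and the sample batch."""
    return {"eventName": "ConsoleLogin",
            "responseElements": {"ConsoleLogin": outcome},
            "additionalEventData": {"MFAUsed": mfa},
            "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}

RULES: List[Rule] = [
    Rule(
        rule_id="aws.console_login_without_mfa",
        severity="HIGH",
        match=_console_login_without_mfa,
        title=lambda e: "Console login without MFA by "
        + e.get("userIdentity", {}).get("arn", "unknown"),
        tests=[
            {"name": "no MFA fires", "expected": True, "event": _login_event("No")},
            {"name": "MFA is quiet", "expected": False, "event": _login_event("Yes")},
            {"name": "failed login is quiet", "expected": False,
             "event": _login_event("No", outcome="Failure")},
        ],
    ),
]

def run_rule_tests(rules: List[Rule]) -> List[str]:
    """Return failure descriptions; empty means the suite passes (the CI gate)."""
    failures = []
    for rule in rules:
        for case in rule.tests:
            got = bool(rule.match(case["event"]))
            if got != case["expected"]:
                failures.append(f"{rule.rule_id}: {case['name']} (got {got})")
    return failures

def evaluate(event: Event, rules: List[Rule] = RULES) -> List[Dict[str, str]]:
    """Run every rule over one event; a rule that raises becomes an ERROR alert
    instead of aborting, so one bad rule cannot stall the whole pipeline."""
    alerts = []
    for rule in rules:
        try:
            if rule.match(event):
                alerts.append({"rule_id": rule.rule_id, "severity": rule.severity,
                               "title": rule.title(event)})
        except Exception as exc:  # noqa: BLE001 - isolate faulty rules
            alerts.append({"rule_id": rule.rule_id, "severity": "ERROR",
                           "title": f"rule raised {type(exc).__name__}: {exc}"})
    return alerts

def process_batch(sqs_event: Dict[str, Any]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Each SQS record body is one JSON log event (assumed layout). Malformed records
    are reported as item failures so SQS redelivers only those, not the whole batch."""
    alerts: List[Dict[str, str]] = []
    failures: List[Dict[str, str]] = []
    for record in sqs_event.get("Records", []):
        try:
            log_event = json.loads(record["body"])
        except (KeyError, ValueError):
            failures.append({"itemIdentifier": record.get("messageId", "")})
            continue
        alerts.extend(evaluate(log_event))
    return alerts, failures

def lambda_handler(sqs_event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Lambda entry point. Alerts would be forwarded to a queue or data lake here; the
    return value is the partial-batch-response shape for ReportBatchItemFailures."""
    _alerts, failures = process_batch(sqs_event)
    return {"batchItemFailures": failures}

# Constructed sample batch: one risky login, one benign login, one malformed record.
SAMPLE_SQS_EVENT = {"Records": [
    {"messageId": "m1", "body": json.dumps(_login_event("No"))},
    {"messageId": "m2", "body": json.dumps(_login_event("Yes"))},
    {"messageId": "m3", "body": "not json"},
]}

if __name__ == "__main__":
    assert run_rule_tests(RULES) == [], "rule tests failed; block deploy"
    print(process_batch(SAMPLE_SQS_EVENT))
```

The `batchItemFailures` / `itemIdentifier` shape is what Lambda expects from an SQS event source mapping configured with `ReportBatchItemFailures`; without that setting, a single malformed record would cause the whole batch to be retried, which is the failure mode a durable serverless ingestion path has to design around.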
8 months ago
28 minutes 25 seconds

Detection at Scale
Salesforce's Mor Levi on Transforming Security Operations with AI Agents
What does AI in security operations actually look like at scale? In this episode of Detection at Scale, Mor Levi, VP of Detection, Analysis, & Response at Salesforce, shares her team's hands-on experience with Agentforce, from achieving 90% automation in initial case triage to setting ambitious goals for full automation.

Her conversation with Jack goes deep into the practical realities: integrating AI with existing tools, evolving analyst roles, and why human creativity matters more than ever. Through candid discussion and real-world examples, Mor shares both the successes and challenges of bringing AI into enterprise security, offering valuable lessons for teams at any stage of their AI journey.

Topics discussed:
- Implementing generative AI agents for security operations, achieving 90% automation in initial triage while maintaining effectiveness and reliability.
- Securing LLM implementations through comprehensive threat modeling, focusing on data access controls and potential abuse scenarios.
- Integrating AI agents with existing SOAR platforms to create powerful automation workflows while maintaining operational control.
- Evolution of security analyst roles as AI handles routine tasks, emphasizing strategic thinking and hypothesis development.
- Importance of data quality and systematic implementation in training effective security-focused AI agents.
- Strategies for maintaining consistency and reliability in AI-driven security operations through proper prompt engineering.
- Building effective guardrails and controls for AI systems while enabling powerful automation capabilities.
- Balancing automation with human oversight to ensure security effectiveness and maintain operational integrity.
- Future trends in AI-driven security operations and the increasing importance of creative problem-solving skills.
- Practical advice for implementing AI in security operations, emphasizing focused use cases and clear success criteria.
8 months ago
31 minutes 2 seconds

Detection at Scale
Outreach’s Brandon Kovitz on Balancing Human Intuition and AI in Cyber Defense
In this episode of Detection at Scale, Jack speaks to Brandon Kovitz, Senior Manager of Detection & Response at Outreach, who shares his insights on the evolving landscape of cybersecurity. He discusses the critical role of generative AI in enhancing detection and response capabilities, emphasizing the importance of understanding data to maximize security tools’ effectiveness.

Brandon also highlights the balance between human intuition and AI, noting that while AI can analyze vast amounts of data, it lacks the nuanced understanding of intent that only humans can provide. Tune in to learn how organizations can leverage AI while maintaining essential human oversight in their security strategies!

Topics discussed:
- The importance of operationalizing detection and response capabilities to enhance security posture in a cloud-native, SaaS-first environment.
- Leveraging generative AI to improve data analysis and streamline detection processes, ultimately enabling faster responses to emerging cyber threats.
- The critical balance between AI capabilities and human intuition, emphasizing that human expertise is essential for understanding intent behind actions in cybersecurity.
- Why understanding the data landscape is vital for maximizing the effectiveness of security tools and ensuring a strong return on investment.
- The role of automation in reducing the noise from tier one and tier two security alerts, allowing teams to focus on complex issues.
- Insights on building a detection-as-code pipeline to facilitate rapid implementation of security measures in response to emerging vulnerabilities.
- The significance of collaboration between security teams and privacy experts to ensure compliance and protect customer data in AI initiatives.
- The future of cybersecurity operations, including the potential for AI to automate many routine tasks and enhance overall operational efficiency.
- The necessity for ongoing education and adaptation in the cybersecurity field to keep pace with technological advancements and evolving threats.
11 months ago
30 minutes 15 seconds

Detection at Scale
Rootly’s JJ Tang on Transforming Incident Management Culture
In this episode of Detection at Scale, Jack speaks to JJ Tang, CEO and Co-founder of Rootly, about revolutionizing incident management in tech organizations. JJ shares his journey from practitioner to founder and emphasizes the importance of viewing incident management as a cultural and collaborative effort rather than just a tooling issue.

JJ touches on breaking down silos between security and other teams to enhance communication and reliability, and empowering security practitioners to take on educator roles within their organizations. He also offers actionable insights on creating a culture of reliability and improving incident response strategies!

Topics discussed:
- The importance of viewing incident management as a cultural shift rather than just a tooling problem, focusing on people and processes.
- Strategies for breaking down silos between security teams and other departments to foster collaboration and improve incident response effectiveness.
- The role of security practitioners as educators, helping other teams understand best practices and the importance of security in incident management.
- The significance of collecting and analyzing data on repeat incidents to identify root causes and prevent future occurrences.
- Insights on how to create a culture of reliability within organizations, making incident management a shared responsibility across teams.
- The challenges faced during the transition from a practitioner role to a founder and CEO in the tech industry.
- The impact of AI and automation on incident management, including how these technologies can improve response times and learning from incidents.
- The necessity of having a clear governance framework in place to ensure data privacy and security during incident management processes.

Resources mentioned:
- JJ Tang on LinkedIn
- Rootly website
11 months ago
25 minutes 31 seconds

Detection at Scale
Grammarly’s Thijn Bukkems on Working Backwards from Response Strategies
In this episode of Detection at Scale, Jack speaks to Thijn Bukkems, Threat Hunting Lead at Grammarly. Thijn shares his expertise on building a robust security intelligence program, emphasizing the importance of leveraging existing resources and adapting current tools to enhance threat detection.

Thijn discusses the value of working backwards from response strategies to design effective detection mechanisms. He also highlights the necessity of collaboration across teams, urging listeners to avoid silos in decision-making to uncover unexpected insights.

Topics discussed:
- The importance of utilizing current tools and knowledge, adapting them to enhance threat detection rather than starting from scratch.
- The value of designing detection mechanisms by first understanding how to respond to potential threats, ensuring proactive preparedness.
- The need to avoid silos in decision-making, as insights from various teams can lead to significant improvements in security measures.
- The critical aspects of security intelligence, focusing on assessing risks and anticipating potential attacks.
- The finite nature of security engineering time and the importance of prioritizing tasks effectively.
- How internal threat modeling helps in identifying vulnerabilities and understanding potential attack vectors within the organization.
- The balance between analytical research and production-ready work, including the need for code-oriented solutions in security.
- The iterative process of collecting and analyzing data to answer broad security questions and develop actionable plans.
- The role of automation in optimizing data collection and analysis, improving efficiency in addressing security concerns.
- How the security intelligence team provides strategic insights to guide the business in prioritizing security efforts effectively.
1 year ago
19 minutes 3 seconds

Detection at Scale
CRED’s Saksham Tushar on Data Enrichment for Effective Threat Detection
In this episode of Detection at Scale, Jack speaks with Saksham Tushar, Head of Security Operations & Threat Detection Engineering at CRED, about the challenges of compliance in a high-growth environment. Saksham shares his team's strategy for automating security processes and enriching data to enhance threat detection.

He emphasizes the importance of verifying automated outcomes to ensure accuracy. Saksham also covers how CRED uses Python libraries for efficient incident response and the significance of contextual understanding in security incidents. With a focus on streamlining compliance and leveraging intelligence, Saksham provides valuable insights into building a robust security operations framework in a rapidly evolving landscape.

Topics discussed:
- How CRED distilled complex compliance requirements into a manageable set of common standards to streamline processes.
- The importance of correlating various log sources to create a comprehensive view of security incidents.
- How automation has transformed security processes, making them more efficient and effective.
- The use of threat intelligence and how it is centralized and automated to provide actionable insights for security teams.
- The development of internal Python libraries that facilitate quick data queries for incident investigations.
- The importance of understanding the context around security incidents to better inform responses and strategies.
- How using notebooks for investigations aids in communication and auditing, allowing for clear documentation of processes.
- How to organize a team to maintain agility while ensuring diverse skill sets are leveraged effectively.
- The necessity of verifying automated processes to ensure they yield accurate and actionable outcomes.
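The correlation, enrichment and verification workflow these notes describe, as an added example for this page (it is not CRED's internal library): VPN login events and EDR process events are joined by hostname within a time window, each resulting incident is enriched with a threat-intel tag for the source IP and an owner for the asset, and a final verification pass reports what the automation could not fill in rather than letting a silent gap pass as a clean result. The two log sources, the field names, the intel feed, the asset inventory and the hostnames and IPs are all constructed for illustration.

```python
# Added illustration of correlating two log sources, enriching the result and then
# verifying what the automation could not fill in. Every record below is constructed.
from datetime import datetime, timedelta
from typing import Any, Dict, List

VPN_LOGINS = [  # constructed VPN gateway events
    {"ts": "2024-05-01T09:00:00Z", "user": "alice", "src_ip": "203.0.113.7", "host": "LT-ALICE"},
    {"ts": "2024-05-01T09:05:00Z", "user": "bob", "src_ip": "198.51.100.22", "host": "LT-BOB"},
]
EDR_PROCESSES = [  # constructed endpoint telemetry
    {"ts": "2024-05-01T09:03:00Z", "host": "LT-ALICE", "process": "powershell.exe", "cmdline": "-enc SQBFAFgA"},
    {"ts": "2024-05-01T11:00:00Z", "host": "LT-BOB", "process": "chrome.exe", "cmdline": ""},
]
THREAT_INTEL = {"203.0.113.7": "scanner-c2"}          # constructed feed: IP -> tag
ASSET_OWNERS = {"LT-ALICE": "alice@example.com"}      # LT-BOB deliberately has no owner

def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def correlate(logins: List[Dict[str, Any]], processes: List[Dict[str, Any]],
              window: timedelta = timedelta(minutes=10)) -> List[Dict[str, Any]]:
    """One incident record per login, carrying the EDR process events seen on the
    same host within `window` after the login. The join key is the hostname."""
    incidents = []
    for login in logins:
        start = parse_ts(login["ts"])
        related = [p for p in processes
                   if p["host"] == login["host"]
                   and start <= parse_ts(p["ts"]) <= start + window]
        incidents.append({**login, "processes": related})
    return incidents

def enrich(incident: Dict[str, Any], intel: Dict[str, str] = THREAT_INTEL,
           owners: Dict[str, str] = ASSET_OWNERS) -> Dict[str, Any]:
    """Attach the context a responder would otherwise look up by hand. A lookup
    that finds nothing yields None rather than a guess."""
    return {**incident,
            "intel_tag": intel.get(incident["src_ip"]),
            "asset_owner": owners.get(incident["host"])}

def is_suspicious(incident: Dict[str, Any]) -> bool:
    """Flag a login from a tagged IP followed by encoded PowerShell on the same host."""
    encoded_ps = any(p["process"].lower() == "powershell.exe" and "-enc" in p["cmdline"].lower()
                     for p in incident["processes"])
    return incident["intel_tag"] is not None and encoded_ps

def verify(incidents: List[Dict[str, Any]]) -> List[str]:
    """Check the automated output instead of trusting it: report every gap the
    enrichment left, so a quiet result is not mistaken for a clean one."""
    problems = []
    for inc in incidents:
        if inc["asset_owner"] is None:
            problems.append(f"{inc['host']}: no asset owner on record")
    return problems

def triage(logins=VPN_LOGINS, processes=EDR_PROCESSES):
    """Correlate, enrich, then verify; returns (enriched incidents, verification problems)."""
    enriched = [enrich(inc) for inc in correlate(logins, processes)]
    return enriched, verify(enriched)

if __name__ == "__main__":
    incidents, problems = triage()
    for inc in incidents:
        print(inc["user"], "suspicious" if is_suspicious(inc) else "benign", inc["intel_tag"])
    print("verification:", problems or "ok")
```

The verification list is the point of the exercise: the login from LT-BOB looks benign only because no process on that host fell inside the window and no intel matched, and without the owner gap being surfaced an analyst could not tell a clean host from one the inventory simply does not cover.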
1 year ago
25 minutes 19 seconds

Detection at Scale
Netflix’s Dan Cao and Brex’s Josh Liburdi on Balancing Big Platforms and Bespoke Tools
In this special episode of Detection at Scale, Jack welcomes security experts Dan Cao, Engineering Manager of Security Incident and Response at Netflix, and returning guest Josh Liburdi, Staff Security Engineer at Brex. They discuss the rise of developer-centric security solutions and the ongoing balance between utilizing big platforms like CrowdStrike and bespoke tools: the build versus buy dilemma.

They highlight the importance of fundamental skills and critical thinking in security engineering, emphasizing the need for continual learning and adaptability. Dan and Josh also share insights on building effective security teams and the significance of mentorship and team culture in fostering innovation and resilience in an evolving tech landscape.

Topics discussed:
- The shift towards security operations and incident response that prioritize developer involvement and custom coding solutions.
- How to effectively integrate large security platforms like CrowdStrike with tailored, in-house security tools.
- The need for critical and abstract thinking skills in security engineering to solve complex problems.
- Strategies for leveraging team strengths and addressing skill gaps to create robust security teams.
- The role of mentorship and a positive team culture in fostering growth and innovation within security teams.
- The importance of mastering the basics of technology and cybersecurity as a foundation for advanced problem-solving.
- The need for security professionals to stay adaptable and continually update their skills in a rapidly evolving tech landscape.
- The difficulties small security teams face when managing and integrating diverse security tools and platforms.
- The effectiveness and limitations of using commercial security solutions for large and small organizations.
1 year ago
40 minutes 35 seconds

Detection at Scale
ThoughtSpot’s Alessio Faiella on Building Forward-Looking Security Programs
In this episode of Detection at Scale, Jack speaks to Alessio Faiella, Director of Security Engineering & Security Operations at ThoughtSpot, to discuss building forward-looking security programs for 2024.

Alessio dives into the dynamic and ephemeral nature of modern security environments and the importance of understanding the nuances of the product and user base. He also highlights how ThoughtSpot leverages AI to enhance detection and response capabilities. Additionally, Alessio shares insights on codifying playbooks and prioritizing core focuses to ensure a robust cybersecurity posture.

Topics discussed:
- The importance of defining clear goals and laying strong foundations for scalable security programs.
- Emphasizing the need for security teams to deeply understand the product they are defending and the behaviors of its user base.
- The significance of developing and prioritizing detailed playbooks to guide detection and response efforts effectively.
- How AI can assist in real-time response, log data parsing, and providing actionable recommendations during security incidents.
- Identifying and focusing on critical areas like persistence, lateral movement, and data exfiltration to optimize security efforts with limited resources.
- Techniques for evaluating the success of security playbooks and ensuring they align with the organization's goals and infrastructure.
- Combining automated processes with human oversight to enhance the efficiency and accuracy of security operations.
- The difficulties in gathering and integrating data from various sources to enable quick and informed security responses.
- Crafting security rules that are tailored to the specific needs and priorities of the organization’s environment.
- Advice on maintaining focus and ensuring foundational security practices are in place for a strong and resilient cybersecurity posture.
1 year ago
23 minutes 48 seconds
