    detection and response

    Explore "detection and response" with insightful episodes like "EP149 Canned Detections: From Educational Samples to Production-Ready Code", "EP110 Detection and Response in a High Velocity and High Complexity Environment", "EP91 “Hacking Google”, Op Aurora and Insider Threat at Google", "EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil" and "EP73 Your SOC Is Dead? Evolve to Output-driven Detect and Respond!" from the podcast "Cloud Security Podcast by Google" and more!

    Episodes (5)

    EP149 Canned Detections: From Educational Samples to Production-Ready Code

    Guests:

    • John Stoner, Principal Security Strategist, Google Cloud Security

    • Dave Herrald, Head of Adopt Engineering, Google Cloud Security

    Topics:

    • In your experience, past and present, what would make clients trust vendor detection content?

    • Regarding “canned”, default or “out-of-the-box” detections, how to make them more production quality and not merely educational samples to learn from?

    • What is more important, seeing the detection or being able to change it, or both?

    • If this is about seeing the detection code/content, what about ML and algorithms?

    • What about the SOC analysts who don't read the code?

    • What about “tuning” - is tuning detections a bad word now in 2023?

    • Everybody is obsessed with “false positives,” but what about the false negatives? How are we supposed to eliminate them if we don’t see the detection logic?

    Resources:

    EP110 Detection and Response in a High Velocity and High Complexity Environment

    Guest:

    Topics:

    • Tell us about joining Robinhood and prioritizing focus areas for detection in your environment?

    • Tim and Anton argue a lot about what kind of detection is best - fully bespoke and homemade, or scalable off-the-shelf. First, does our framework here make sense, and second, looking at your suite of detection capabilities, how have you chosen to prioritize detection development and detection triage?

    • You're operating in AWS: there are a lot of vendors doing detection in AWS, including AWS themselves. How have you thought about choosing your detection approaches and data sources?

    • Finding people with as much cloud expertise as you can't be easy: how are you structuring your organization to succeed despite cloud detection and response talent being hard to find? What matters more: detection skills or cloud skills?

    • What has been effective in ramping up your D&R team in the cloud?

    • What are your favorite data sources for detection in the cloud?

    Resources:

    EP91 “Hacking Google”, Op Aurora and Insider Threat at Google

    Guest:

    • Mike Sinno, Security Engineering Director, Detection and Response @ Google

    Topics:

    • You recently were featured in “Hacking Google” videos, can you share a bit about this effort and what role you played?
    • How long have you been at Google? What were you doing before, if you can remember after all your time here? What brought you to Google?
    • We hear you now focus on insider threats. Insider threat is back in the news, do you find this surprising?
    • A classic insider question is about “malicious vs well-meaning insiders" and which type is a bigger risk. What is your take here?
    • Trust is the most important thing when people think about Google, we protect their correspondence, their photos, their private thoughts they search for. What role does detection and response play in protecting user trust?
    • One fun thing about working at Google is our tech stack. Your team uses one of our favorite tools in the D&R org! Can you tell us about BrainAuth and how it finds useful things?
    • We talked about Google D&R (ep 17 and ep 75) and the role of automation came up many times. And automation is a key topic for a lot of our cloud customers. What do you automate in your domain of D&R?

    Resources:

    EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil

    Guest:

    • Tim Nguyen, Director of Detection and Response @ Google

    Topics:

    • I know we don’t like to say “SOC” here, so why don’t we talk about the role of automation in detection and response (D&R) at Google?
    • One SRE concept we found useful in security operations is “toil” - How do we squeeze toil out of D&R practice at Google?
    • A combined analyst and engineer role (just like an SRE) was critical for both increasing automation and reducing toil, how hard was it to put this into practice? Tell us about that journey?
    • How do we automate security signal analysis, can you give us a few examples?
    • D&R metrics have been a big pain point for many organizations; how does SRE thinking about SLOs and SLIs (and less about SLAs) help us in our “not SOC”?
    • How do we avoid falling into the “time to respond” trap that rewards fast response, sometimes at the cost of good?

    Resources:

    EP73 Your SOC Is Dead? Evolve to Output-driven Detect and Respond!

    Guest:

    • Erik Bloch, Senior Director of Detection and Response at Sprinklr

    Topics:

    • You recently coined a concept of “output-driven Detection and Response” and even perhaps broader “output-driven security.” What is it and how does it work?
    • Detection and response is alive (obviously), but sometimes you say SOC is dead, what do you mean by that?
    • You refer to a “federated approach for Detection and Response” (“route the outcomes to the teams that need them or can address them”), but is it workable for any organization?
    • What about the separation of duty concerns that some raise in response to this? What about the organizations that don’t have any security talent in those teams?
    • Is the approach you advocate "cloud native"? Does it only work in the cloud? Can a traditional, on-premise focused organization use it?
    • The model of “security team as a decision-maker, not an implementer” has a bit of a painful history, as this is what led to “GRC-only teams” who lack any technical knowledge. Why will this approach work this time?

    Resources:

    © 2024 Podcastworld. All rights reserved