The Detection at Scale Podcast is dedicated to helping security practitioners and their teams succeed at managing and responding to threats at a modern, cloud scale.
Every episode is focused on actionable takeaways to help you get ahead of the curve and prepare for the trends and technologies shaping the future.
Google Cloud’s Anton Chuvakin on Decoupled SIEMs and the Future of Data Platforms and Security
On this week's episode of the Detection at Scale podcast, Jack talks with Dr. Anton Chuvakin, Senior Security Staff at the Office of the CISO at Google Cloud. They dig deeper into the conversation taking place online around decoupled SIEMs, which both Jack and Anton wrote about. They discuss what a decoupled SIEM is, the evolution of data platforms and security capabilities, if decoupled SIEMs will work broadly with current customer demands, and if having backend data lakes is the best solution for fast, real-time querying.
What is a decoupled SIEM, and why the broader discussion around whether security data lakes will replace SIEMs prompted Anton's Medium post.
How this conversation is being driven by the fact that we’re coming to the "end of the runway" on previous storage choices.
The arguments around why decoupling may not work broadly, simply because customers want integrated SIEMs.
The evolution of data storage platforms and how successful past attempts at integrating security capabilities were.
Why there's not a straightforward solution to storage — and why it's a challenge that's taking years to solve.
Why having a data lake on the backend is the best solution to fast querying and real-time detection.
A discussion around OCSF and the benefits of log normalization.
“Decoupled SIEM: Brilliant or Stupid?” by Anton Chuvakin
“The Transition from Monolithic SIEMs to Data Lakes for Security Monitoring” by Jack Naglieri
Deloitte’s Dhruv Majumdar on How to Mature Your Detection and Response
On this week's episode of the Detection at Scale podcast, Jack talks with Dhruv Majumdar, Director, Cyber Risk & Advisory at Deloitte. They discuss common challenges when transitioning from a traditional SOC to a detection and response program, what questions to ask when building a threat modeling strategy, and the benefits data lakes can unlock for D&R. They also talk about how LLMs are helping detect exfiltration and –the need for security controls, policies, and good partnerships.
The common challenges that organizations face today when evolving their detection and response programs, including moving away from SOC and managing big data.
An overview of the maturity model and what organizations can follow to evolve their processes.
Two critical questions to ask that will guide your threat modeling strategy.
What big data "unlocks" for detection and response today, and what trade-offs there are in usability when moving to a data lake-backed architecture.
How LLMs can surface patterns in data that simplify detecting exfiltrations and how it can help with automation to prevent burnout.
Advice to security practitioners when transitioning to new strategies, including why you need "controls, controls, controls," and why you should take the simplest route to overcome a challenge.
Google’s Anton Chuvakin and Timothy Peacock on How to Take Your D&R Efforts from 0 to 1 — or 5, or 100
On this week's episode of the Detection at Scale podcast, Jack talks with Anton Chuvakin, Security Advisor at the Office of the CISO at Google Cloud, and Timothy Peacock, Senior Product Manager at Google. Together, they discuss some of the needs and trends in cybersecurity today, including how to know what level of D&R your organization needs, the use cases for AI today, and how LLMs and SIEMs will handle data at scale. They also talk about the need for more creative solutions to misconfiguration management, three things security practitioners can do to improve cloud security, and why cybersecurity is the "most intellectually stimulating profession on the planet."
What attracted Anton and Timothy to cybersecurity, what makes them stay, and why the intersection of humans and technology make it the “most intellectually stimulating profession on the planet.”
How organizations can evaluate the level of security they need, why it's crucial to know whether you need to go from zero to one, or five, or a hundred, and how organizations with no detection and response strategies can get started.
What use cases there will be for AI in cybersecurity, and while it may be good at summarizing, explaining complexity, and classifying, it may not be ready to create usable code.
Why security practitioners need to think more about whether SIEMs can support planetary scale, and whether decentralization is the solution.
The role LLMs will play in helping to manage large data sets, and how it may change the way organizations use MDRs.
Why the industry needs new, creative ways to solve the ongoing problem of cloud misconfigurations in order to break vicious cycles through shared faith.
Three pieces of advice to improve cloud security, including knowing your security needs, practicing, and making friends so you know you're note alone.
David Seidman of Robinhood Talks Tools, Strategies, & Advice for Improving Detections at Scale
In this episode, Jack speaks with David Seidman, Head of Detection and Response at Robinhood. David has worked for large tech companies like Google, Microsoft, and Salesforce in a variety of D&R roles.
During this episode, David shares his tactical advice on how his team is building the pipes and engines of security at Robinhood, his top tools to improve fidelity of detections, and what he’s learned in his career that’s made him a better practitioner and leader.
The ‘unusual strategies’ and hypothesis on the kill chain model David has not shared before publicly
His top five tools to use to improve the fidelity of your detections
How David has seen composite detection be effective in practice and why it is most effective when it’s analyst driven
His experience working on Google Cloud's Event Threat Detection
What a mature IR process look like today and how to train staff that’s run IR in the past
A big challenge and growth area in the industry that doesn’t get enough attention
The new frontier of what the detection and response stack will look like in the future
David’s keys to an effective IR program, such as regular exercises, communications plan, having access and permissions to data, strong controls, and more.
The three actionable takeaways David learned from his roles at Google, Microsoft, Salesforce, and now Robinhood that make him a better practitioner and leader today
EP 29: Chris Witter on Leading D&R Teams for Both Cloud and Enterprise at Spotify
In this episode, Jack chats with Christopher Witter (aka Witter), Engineering Manager, Detection & Response at Spotify and a founding member and former lead for Crowdstrike’s Falcon OverWatch managed hunting service.
Witter has nearly two decades of experience in incident response and information security, holding leadership roles on computer security and incident response teams (CSIRT) with both a top five global bank and a top ten defense contractor.
During this episode, Witter shares his behind the scenes experiences helping build the Falcon Overwatch Team at Crowdstrike, why it’s critical to measure queries in seconds, not minutes, his tips on running highly effective D&R teams at scale, and more!
Witter’s experience as one of the first 100 people on the Falcon Overwatch Team at Crowdstrike
Why the Overwatch team didn’t follow traditional SOC mentalities
The various data sources Witter uses to improve accuracy and gather context
How D&R is like going to court – telling the story around Who, What, Where, Why, How, to prove beyond a reasonable doubt that this incident happened
Why Witter measures in seconds, not minutes and why timescale is critical
Why it could be a mistake to choose cybersecurity tools based on financial capability and budget and what criteria should be considered instead
Why Witter still believes in custom systems
Witter’s rule of thumb that if a human does the same thing 10x manually, it should be automated
Managing a remote D&R team and building psychological safety
Witter’s advice for how others can get involved in the D&R community
His 3 pieces of advice to build a high-performing D&R team at scale, including a focus on ‘Jack of all trades’ people, avoiding distractions, and why it’s critical to capture everything to improve search.
EP 28: Kelly Jackson Higgins Discusses The Evolution of Cybersecurity
In this episode, Jack Naglieri speaks to Kelly Jackson Higgins, Editor-in-Chief at Dark Reading. During the episode, they share their thoughts about how cyber threats have changed over the years.
Kelly offers fascinating insights into how cybersecurity journalism has evolved to keep pace with the ever-changing industry.
She offers an example of why choosing to patch systems is not always an easy decision for security teams.
Jack and Kelly talk about how perceptions around which organizations are likely targets have changed over the years.
Kelly shares some of the crazier threat actor trends she has observed during her career covering cybersecurity.
She offers three pieces of valuable advice for security teams.
It’s obvious Jack puts extraordinary effort in covering salient topics and finding guests that are authentic and truly care about being a positive force in this space - the insights they bring to bear are mind-blowing every. single. time.
High scale threat detection is such a unique problem that more and more struggle with every day - so great to see someone focusing on helping us practitioners solve this. Thanks to Jack and the team for doing this. You’ve got yourself a listener!