SlideShare a Scribd company logo

Powering Prevention: Lessons Learned from Building a Global Security Response Team

Christopher Clark
Christopher Clark

The document discusses lessons learned from building a global security response team. It emphasizes stakeholder engagement, strategic hiring to acquire key skills and expertise, prioritizing mission and culture over metrics, using communication and collaboration tools to reduce duplication and expand coverage, balancing research and operational response, and maximizing automation. The team identified 250 million+ attacks, helped over 31,000 customers, conducted over 10,000 engagements, and identified more than 600 threats in under 12 months.

Leadership & Management
1 of 39
Powering Prevention Lessons Learned from Building a Global Security Response Team Christopher Clark – Director, GSRT
Powering Prevention Lessons Learned from Building a Global Security Response Team Christopher Clark – Director, GSRT
Many Brilliant People, Many Small Silos Rapid organic growth in products and customers Effort duplication, inconsistencies, and internal focus
Connect the dots and deliver holistic prevention Proactively detect and respond to threat evolutions Develop countermeasures, reporting, and technical solutions
Faster, Better, and Globally Impactful Define Mission, Build Processes, Hire Team and Internalize Response in <12 months 250m+ Attacks, 31k+ Customers, 10k+ Engagements, 600+ Threats Identified
Agenda Building a Global Security Response Team Stakeholder Empowerment Strategic Hiring Mission over Metrics Communication & Collaboration
Research & Response Automation, Automation, Automation! Questions? FINISH
Stakeholder Empowerment
Proactively Engage Everyone Seek out, Sit down (in person), and LISTEN Understand the current reality and pain points Access stakeholder resources and capabilities Plan for unknown unknowns (then double it!)
Education is the MOST important job Skip the details, tell the story Be a trusted resource and teach up, down, left and right
Know the “NO” Monster Leverage expertise to prioritize security resource expenditure Identify fires before they start and protect the team
Strategic Hiring
Strategic Talent Capture Start at the core and identify key functional areas Acquire and empower proven leaders
Functional Teams with Matrixed Deliverables 88 Vulnerability and Exploit Unit Provide Actionable Vulnerability and Exploit Intelligence. Coverage for delivery Methods and Hack / Post Exploitation tools. Tools and Technology Develop and Enhance Collection, Analysis, and Detection Capabilities, as well as DevOps support for existing tools. Threat Analysis Unit First line of triage, Conducting Analysis of Adversaries, Campaigns, and TTPs Malware and Countermeasures Unit Provide Actionable Malcode Analysis and Deployable Countermeasures
Security Operations Malware Analysis Scripting and Development Penetration Testing Identify and Ensure Critical Skillsets Improved communication and operational efficacy Eliminate single points of failure Career progression and cross training
Team Member Critical Skillset Continuum Threat Researcher Security Operations 80 % Malware Analysis 50 % Scripting & Development 40 % Malware Researcher Vulnerability and Exploit Researcher Automation Engineer Penetration Testing 40 % Security Operations 40 % Malware Analysis 80 % Scripting & Development 40 % Penetration Testing 20 % Security Operations 50 % Malware Analysis 40 % Scripting & Development 40 % Penetration Testing 80 % Security Operations 30 % Malware Analysis 30 % Scripting & Development 90 % Penetration Testing 30 %
Regional Threat Expertise Cultural and Linguistic Knowledge Improved Response Speed and Quality
Mission over Metrics
Metrics are an indicator, not the goal Progress is achieved through failure Culture is the key
PASSION: believe in the mission and what you can do
CAPACITY: learn. share. ask for help
INNOVATION: rules are a finite construct
AGILITY: change is constant, be multi-disciplinary
HUMILITY: ego-less execution - Bryson Bort, CEO
Communication & Collaboration
Great Communication is required for Great Security “Remote by default” ensures expansion, flexibility, and data retention Trust is formed in person and grows through transparency
Remove (or Connect) Data and Operational Silos Normalize processes and remove effort duplication Transparent and accessible data and deliverables
Vertical and Horizontal Status Reports Deliver regular status reports on both research and response goals Ensure broad delivery to all team members and stakeholders
Research & Response
Encourage Research and Response from All Diversity of experience drives new approaches Innovation is born from operations
Research and Response Mix 80% 20% Response Research 60% 40% Response Research 40% 60% Response Research 20% 80% Response Research Junior Researcher Researcher Senior Researcher Principal Researcher
Response must be efficient, Research must be impactful Publications (Reports or Code), Presentations, or Products
Security Innovation is Distilled Threat Intelligence Prevention is driven by heuristics refined through research Targeted research is made possible by intelligent response
Automation, Automation, Automation!
Automation is critical to efficacy and scale POC by researchers, maturation and upkeep by automation engineers “Do it three times? Automate it!”
Enable and Liberate Researchers Centralize response tool stack and maximize data density Ensure complete auditable transparency
Develop Integrations and Orchestration Connecting existing detection, analysis, workflow and collaboration platforms
Powering Prevention - Review Building a Global Security Response Team Stakeholder Enablement Actively engage with all stakeholders, understand their needs. Educate non-security teams, and protect your resources. Strategic Hiring Identify required talent and proactively recruit it. Ensure all team members possess key skills. Mission Over Metrics Culture is the most important part of the team, never compromise on fit and ensure Metrics are a guide not a target. Communication & Collaboration Leverage technology to expand coverage, improve efficacy, and reduce effort duplication. Research & Response Ensure staff is focused on short and long term research projects as well as operational triage. Automation! Dedicate resources to automating processes and tools once they have been proven.
Questions? cclark@paloaltonetworks.com https://www.linkedin.com/in/cybersec

Recommended

Myth-busting in Application Security
Myth-busting in Application SecurityMyth-busting in Application Security
Myth-busting in Application Security
DevOps.com
 
Risk managementslides
Risk managementslidesRisk managementslides
Risk managementslides
Abhilash Jha
 
How to Do a Formal Risk Assessment
How to Do a Formal Risk AssessmentHow to Do a Formal Risk Assessment
How to Do a Formal Risk Assessment
Praveen Vackayil
 
Hexis Cybersecurity Mission Possible: Taming Rogue Ghost Alerts
Hexis Cybersecurity Mission Possible: Taming Rogue Ghost AlertsHexis Cybersecurity Mission Possible: Taming Rogue Ghost Alerts
Hexis Cybersecurity Mission Possible: Taming Rogue Ghost Alerts
Hexis Cyber Solutions
 
4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Test4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Test
bugcrowd
 
Best Practice Next-Generation Vulnerability Management to Identify Threats, ...
Best Practice Next-Generation Vulnerability Management to Identify Threats, ... Best Practice Next-Generation Vulnerability Management to Identify Threats, ...
Best Practice Next-Generation Vulnerability Management to Identify Threats, ...
Skybox Security
 
Purple team strategy_lascon_2016
Purple team strategy_lascon_2016Purple team strategy_lascon_2016
Purple team strategy_lascon_2016
Trupti Shiralkar, CISSP
 
Machine learning cyphort_malware_most_wanted
Machine learning cyphort_malware_most_wantedMachine learning cyphort_malware_most_wanted
Machine learning cyphort_malware_most_wanted
Cyphort
 

Recommended

Myth-busting in Application Security
Myth-busting in Application SecurityMyth-busting in Application Security
Myth-busting in Application Security
DevOps.com
 
Risk managementslides
Risk managementslidesRisk managementslides
Risk managementslides
Abhilash Jha
 
How to Do a Formal Risk Assessment
How to Do a Formal Risk AssessmentHow to Do a Formal Risk Assessment
How to Do a Formal Risk Assessment
Praveen Vackayil
 
Hexis Cybersecurity Mission Possible: Taming Rogue Ghost Alerts
Hexis Cybersecurity Mission Possible: Taming Rogue Ghost AlertsHexis Cybersecurity Mission Possible: Taming Rogue Ghost Alerts
Hexis Cybersecurity Mission Possible: Taming Rogue Ghost Alerts
Hexis Cyber Solutions
 
4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Test4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Test
bugcrowd
 
Best Practice Next-Generation Vulnerability Management to Identify Threats, ...
Best Practice Next-Generation Vulnerability Management to Identify Threats, ... Best Practice Next-Generation Vulnerability Management to Identify Threats, ...
Best Practice Next-Generation Vulnerability Management to Identify Threats, ...
Skybox Security
 
Purple team strategy_lascon_2016
Purple team strategy_lascon_2016Purple team strategy_lascon_2016
Purple team strategy_lascon_2016
Trupti Shiralkar, CISSP
 
Machine learning cyphort_malware_most_wanted
Machine learning cyphort_malware_most_wantedMachine learning cyphort_malware_most_wanted
Machine learning cyphort_malware_most_wanted
Cyphort
 
OSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced AttackOSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced Attack
Ivanti
 
OSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced AttackOSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced Attack
Ivanti
 
5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams 5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams
Cigital
 
Collaborated cyber defense in pandemic times
Collaborated cyber defense in pandemic times Collaborated cyber defense in pandemic times
Collaborated cyber defense in pandemic times
Denise Bailey
 
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadRethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
OpenDNS
 
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
bugcrowd
 
Getting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramGetting Executive Support for a Software Security Program
Getting Executive Support for a Software Security Program
Cigital
 
Threat Based Risk Assessment
Threat Based Risk AssessmentThreat Based Risk Assessment
Threat Based Risk Assessment
Michael Lines
 
Assessment Of Risk Mitigation
Assessment Of Risk MitigationAssessment Of Risk Mitigation
Assessment Of Risk Mitigation
Eneni Oduwole
 
Risk Management Metrics That Matter
Risk Management Metrics That MatterRisk Management Metrics That Matter
Risk Management Metrics That Matter
Ed Bellis
 
Risk Estimator PowerPoint Presentation Slides
Risk Estimator PowerPoint Presentation SlidesRisk Estimator PowerPoint Presentation Slides
Risk Estimator PowerPoint Presentation Slides
SlideTeam
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gates
Eoin Keary
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
randalje86
 
Top 25 Cyber Security Blogs You Should Be Reading
Top 25 Cyber Security Blogs You Should Be ReadingTop 25 Cyber Security Blogs You Should Be Reading
Top 25 Cyber Security Blogs You Should Be Reading
DDoS Mitigation
 
Navigating Your Career in Cyber Security - Steve Santini & Drew Fearson
Navigating Your Career in Cyber Security - Steve Santini & Drew FearsonNavigating Your Career in Cyber Security - Steve Santini & Drew Fearson
Navigating Your Career in Cyber Security - Steve Santini & Drew Fearson
Christopher Clark
 
Why HubSpot
Why HubSpotWhy HubSpot
Why HubSpot
Justin Theng
 
When and How to Set up a Security Operations Center
When and How to Set up a Security Operations CenterWhen and How to Set up a Security Operations Center
When and How to Set up a Security Operations Center
Komand
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
Guiding the Organizational Change Journey
Guiding the Organizational Change JourneyGuiding the Organizational Change Journey
Guiding the Organizational Change Journey
Arturo J. Bencosme, PhD
 
Michael Heipel Concept & Consulting: Overview of services
Michael Heipel Concept & Consulting: Overview of servicesMichael Heipel Concept & Consulting: Overview of services
Michael Heipel Concept & Consulting: Overview of services
Michael Heipel
 
State of digital ad fraud 2017 by augustine fou
State of digital ad fraud 2017 by augustine fouState of digital ad fraud 2017 by augustine fou
State of digital ad fraud 2017 by augustine fou
Dr. Augustine Fou - Independent Ad Fraud Researcher
 
Docker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EEDocker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EE
Docker, Inc.
 

More Related Content

What's hot

OSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced AttackOSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced Attack
Ivanti
 
OSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced AttackOSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced Attack
Ivanti
 
5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams 5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams
Cigital
 
Collaborated cyber defense in pandemic times
Collaborated cyber defense in pandemic times Collaborated cyber defense in pandemic times
Collaborated cyber defense in pandemic times
Denise Bailey
 
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadRethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
OpenDNS
 
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
bugcrowd
 
Getting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramGetting Executive Support for a Software Security Program
Getting Executive Support for a Software Security Program
Cigital
 
Threat Based Risk Assessment
Threat Based Risk AssessmentThreat Based Risk Assessment
Threat Based Risk Assessment
Michael Lines
 
Assessment Of Risk Mitigation
Assessment Of Risk MitigationAssessment Of Risk Mitigation
Assessment Of Risk Mitigation
Eneni Oduwole
 
Risk Management Metrics That Matter
Risk Management Metrics That MatterRisk Management Metrics That Matter
Risk Management Metrics That Matter
Ed Bellis
 
Risk Estimator PowerPoint Presentation Slides
Risk Estimator PowerPoint Presentation SlidesRisk Estimator PowerPoint Presentation Slides
Risk Estimator PowerPoint Presentation Slides
SlideTeam
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gates
Eoin Keary
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
randalje86
 

What's hot (13)

OSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced AttackOSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced Attack
 
OSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced AttackOSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced Attack
 
5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams 5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams
 
Collaborated cyber defense in pandemic times
Collaborated cyber defense in pandemic times Collaborated cyber defense in pandemic times
Collaborated cyber defense in pandemic times
 
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadRethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
 
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
 
Getting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramGetting Executive Support for a Software Security Program
Getting Executive Support for a Software Security Program
 
Threat Based Risk Assessment
Threat Based Risk AssessmentThreat Based Risk Assessment
Threat Based Risk Assessment
 
Assessment Of Risk Mitigation
Assessment Of Risk MitigationAssessment Of Risk Mitigation
Assessment Of Risk Mitigation
 
Risk Management Metrics That Matter
Risk Management Metrics That MatterRisk Management Metrics That Matter
Risk Management Metrics That Matter
 
Risk Estimator PowerPoint Presentation Slides
Risk Estimator PowerPoint Presentation SlidesRisk Estimator PowerPoint Presentation Slides
Risk Estimator PowerPoint Presentation Slides
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gates
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
 

Viewers also liked

Top 25 Cyber Security Blogs You Should Be Reading
Top 25 Cyber Security Blogs You Should Be ReadingTop 25 Cyber Security Blogs You Should Be Reading
Top 25 Cyber Security Blogs You Should Be Reading
DDoS Mitigation
 
Navigating Your Career in Cyber Security - Steve Santini & Drew Fearson
Navigating Your Career in Cyber Security - Steve Santini & Drew FearsonNavigating Your Career in Cyber Security - Steve Santini & Drew Fearson
Navigating Your Career in Cyber Security - Steve Santini & Drew Fearson
Christopher Clark
 
Why HubSpot
Why HubSpotWhy HubSpot
Why HubSpot
Justin Theng
 
When and How to Set up a Security Operations Center
When and How to Set up a Security Operations CenterWhen and How to Set up a Security Operations Center
When and How to Set up a Security Operations Center
Komand
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
Guiding the Organizational Change Journey
Guiding the Organizational Change JourneyGuiding the Organizational Change Journey
Guiding the Organizational Change Journey
Arturo J. Bencosme, PhD
 
Michael Heipel Concept & Consulting: Overview of services
Michael Heipel Concept & Consulting: Overview of servicesMichael Heipel Concept & Consulting: Overview of services
Michael Heipel Concept & Consulting: Overview of services
Michael Heipel
 
State of digital ad fraud 2017 by augustine fou
State of digital ad fraud 2017 by augustine fouState of digital ad fraud 2017 by augustine fou
State of digital ad fraud 2017 by augustine fou
Dr. Augustine Fou - Independent Ad Fraud Researcher
 
Docker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EEDocker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EE
Docker, Inc.
 
26 Disruptive & Technology Trends 2016 - 2018
26 Disruptive & Technology Trends 2016 - 201826 Disruptive & Technology Trends 2016 - 2018
26 Disruptive & Technology Trends 2016 - 2018
Brian Solis
 

Viewers also liked (10)

Top 25 Cyber Security Blogs You Should Be Reading
Top 25 Cyber Security Blogs You Should Be ReadingTop 25 Cyber Security Blogs You Should Be Reading
Top 25 Cyber Security Blogs You Should Be Reading
 
Navigating Your Career in Cyber Security - Steve Santini & Drew Fearson
Navigating Your Career in Cyber Security - Steve Santini & Drew FearsonNavigating Your Career in Cyber Security - Steve Santini & Drew Fearson
Navigating Your Career in Cyber Security - Steve Santini & Drew Fearson
 
Why HubSpot
Why HubSpotWhy HubSpot
Why HubSpot
 
When and How to Set up a Security Operations Center
When and How to Set up a Security Operations CenterWhen and How to Set up a Security Operations Center
When and How to Set up a Security Operations Center
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
Guiding the Organizational Change Journey
Guiding the Organizational Change JourneyGuiding the Organizational Change Journey
Guiding the Organizational Change Journey
 
Michael Heipel Concept & Consulting: Overview of services
Michael Heipel Concept & Consulting: Overview of servicesMichael Heipel Concept & Consulting: Overview of services
Michael Heipel Concept & Consulting: Overview of services
 
State of digital ad fraud 2017 by augustine fou
State of digital ad fraud 2017 by augustine fouState of digital ad fraud 2017 by augustine fou
State of digital ad fraud 2017 by augustine fou
 
Docker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EEDocker Online Meetup: Announcing Docker CE + EE
Docker Online Meetup: Announcing Docker CE + EE
 
26 Disruptive & Technology Trends 2016 - 2018
26 Disruptive & Technology Trends 2016 - 201826 Disruptive & Technology Trends 2016 - 2018
26 Disruptive & Technology Trends 2016 - 2018
 

Similar to Powering Prevention: Lessons Learned from Building a Global Security Response Team

Cybersecurity
Cybersecurity Cybersecurity
Cybersecurity
BernardinoMelgar1
 
Grupo 4 - TEMA II.pptx
Grupo 4 - TEMA II.pptxGrupo 4 - TEMA II.pptx
Grupo 4 - TEMA II.pptx
BernardinoMelgar1
 
Enterprise security management II
Enterprise security management IIEnterprise security management II
Enterprise security management II
zapp0
 
Using the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modelingUsing the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modeling
Eric Jernigan MSIA, CISSP, CISM, CRISC
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Mark Simos
 
II Security At Microsoft
II Security At MicrosoftII Security At Microsoft
II Security At Microsoft
Mark J. Feldman
 
What is Managed Detection and Response (MDR) Security Services?
What is Managed Detection and Response (MDR) Security Services?What is Managed Detection and Response (MDR) Security Services?
What is Managed Detection and Response (MDR) Security Services?
SafeAeon Inc.
 
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Webinar: Get Ready to Detect, Respond & Recover from a Cyber AttackWebinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Aujas
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
robbiesamuel
 
Strategic Leadership for Managing Evolving Cybersecurity Risks
Strategic Leadership for Managing Evolving Cybersecurity RisksStrategic Leadership for Managing Evolving Cybersecurity Risks
Strategic Leadership for Managing Evolving Cybersecurity Risks
Matthew Rosenquist
 
Maturing Endpoint Security: 5 Key Considerations
Maturing Endpoint Security: 5 Key ConsiderationsMaturing Endpoint Security: 5 Key Considerations
Maturing Endpoint Security: 5 Key Considerations
Sirius
 
Embracing Threat Intelligence and Finding ROI in Your Decision
Embracing Threat Intelligence and Finding ROI in Your DecisionEmbracing Threat Intelligence and Finding ROI in Your Decision
Embracing Threat Intelligence and Finding ROI in Your Decision
Cylance
 
How to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceHow to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital Presence
SurfWatch Labs
 
Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30
Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Enterprise incident response 2017
Enterprise incident response 2017Enterprise incident response 2017
Enterprise incident response 2017
zapp0
 
Corporate Security Intelligence Just Got Smarter All Courses Linkedin
Corporate Security Intelligence Just Got Smarter All Courses LinkedinCorporate Security Intelligence Just Got Smarter All Courses Linkedin
Corporate Security Intelligence Just Got Smarter All Courses Linkedin
Steve Phelps
 
Data Science Transforming Security Operations
Data Science Transforming Security OperationsData Science Transforming Security Operations
Data Science Transforming Security Operations
Priyanka Aash
 
CounterTack: 10 Experts on Active Threat Management
CounterTack: 10 Experts on Active Threat ManagementCounterTack: 10 Experts on Active Threat Management
CounterTack: 10 Experts on Active Threat Management
Mighty Guides, Inc.
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
JustinBrown267905
 
Penetration Testing Guide
Penetration Testing GuidePenetration Testing Guide
Penetration Testing Guide
Badawy Abd El-Aziz
 

Similar to Powering Prevention: Lessons Learned from Building a Global Security Response Team (20)

Cybersecurity
Cybersecurity Cybersecurity
Cybersecurity
 
Grupo 4 - TEMA II.pptx
Grupo 4 - TEMA II.pptxGrupo 4 - TEMA II.pptx
Grupo 4 - TEMA II.pptx
 
Enterprise security management II
Enterprise security management IIEnterprise security management II
Enterprise security management II
 
Using the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modelingUsing the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modeling
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
II Security At Microsoft
II Security At MicrosoftII Security At Microsoft
II Security At Microsoft
 
What is Managed Detection and Response (MDR) Security Services?
What is Managed Detection and Response (MDR) Security Services?What is Managed Detection and Response (MDR) Security Services?
What is Managed Detection and Response (MDR) Security Services?
 
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Webinar: Get Ready to Detect, Respond & Recover from a Cyber AttackWebinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
 
Strategic Leadership for Managing Evolving Cybersecurity Risks
Strategic Leadership for Managing Evolving Cybersecurity RisksStrategic Leadership for Managing Evolving Cybersecurity Risks
Strategic Leadership for Managing Evolving Cybersecurity Risks
 
Maturing Endpoint Security: 5 Key Considerations
Maturing Endpoint Security: 5 Key ConsiderationsMaturing Endpoint Security: 5 Key Considerations
Maturing Endpoint Security: 5 Key Considerations
 
Embracing Threat Intelligence and Finding ROI in Your Decision
Embracing Threat Intelligence and Finding ROI in Your DecisionEmbracing Threat Intelligence and Finding ROI in Your Decision
Embracing Threat Intelligence and Finding ROI in Your Decision
 
How to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceHow to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital Presence
 
Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30
 
Enterprise incident response 2017
Enterprise incident response 2017Enterprise incident response 2017
Enterprise incident response 2017
 
Corporate Security Intelligence Just Got Smarter All Courses Linkedin
Corporate Security Intelligence Just Got Smarter All Courses LinkedinCorporate Security Intelligence Just Got Smarter All Courses Linkedin
Corporate Security Intelligence Just Got Smarter All Courses Linkedin
 
Data Science Transforming Security Operations
Data Science Transforming Security OperationsData Science Transforming Security Operations
Data Science Transforming Security Operations
 
CounterTack: 10 Experts on Active Threat Management
CounterTack: 10 Experts on Active Threat ManagementCounterTack: 10 Experts on Active Threat Management
CounterTack: 10 Experts on Active Threat Management
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
 
Penetration Testing Guide
Penetration Testing GuidePenetration Testing Guide
Penetration Testing Guide
 

Recently uploaded

Colby Hobson: Residential Construction Leader Building a Solid Reputation Thr...
Colby Hobson: Residential Construction Leader Building a Solid Reputation Thr...Colby Hobson: Residential Construction Leader Building a Solid Reputation Thr...
Colby Hobson: Residential Construction Leader Building a Solid Reputation Thr...
dsnow9802
 
Stuart Wilson the teams I have led - 2024
Stuart Wilson the teams I have led - 2024Stuart Wilson the teams I have led - 2024
Stuart Wilson the teams I have led - 2024
stuwilson.co.uk
 
Resource-mobilization-guide-for-community-based-organizations1.pdf
Resource-mobilization-guide-for-community-based-organizations1.pdfResource-mobilization-guide-for-community-based-organizations1.pdf
Resource-mobilization-guide-for-community-based-organizations1.pdf
FeteneA
 
Enriching engagement with ethical review processes
Enriching engagement with ethical review processesEnriching engagement with ethical review processes
Enriching engagement with ethical review processes
strikingabalance
 
W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...
W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...
W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...
William (Bill) H. Bender, FCSI
 
Impact of Effective Performance Appraisal Systems on Employee Motivation and ...
Impact of Effective Performance Appraisal Systems on Employee Motivation and ...Impact of Effective Performance Appraisal Systems on Employee Motivation and ...
Impact of Effective Performance Appraisal Systems on Employee Motivation and ...
Dr. Nazrul Islam
 
Ganpati Kumar Choudhary Indian Ethos PPT.pptx
Ganpati Kumar Choudhary Indian Ethos PPT.pptxGanpati Kumar Choudhary Indian Ethos PPT.pptx
Ganpati Kumar Choudhary Indian Ethos PPT.pptx
GanpatiKumarChoudhar
 
Credit Management training seminar power point presentation
Credit Management training seminar power point presentationCredit Management training seminar power point presentation
Credit Management training seminar power point presentation
bernanbumatay1
 
Sethurathnam Ravi: A Legacy in Finance and Leadership
Sethurathnam Ravi: A Legacy in Finance and LeadershipSethurathnam Ravi: A Legacy in Finance and Leadership
Sethurathnam Ravi: A Legacy in Finance and Leadership
Anjana Josie
 
Employment Practices Regulation and Multinational Corporations
Employment Practices Regulation and Multinational CorporationsEmployment Practices Regulation and Multinational Corporations
Employment Practices Regulation and Multinational Corporations
RoopaTemkar
 
Credit-Management seminar for cooperative power point presentation
Credit-Management seminar for cooperative power point presentationCredit-Management seminar for cooperative power point presentation
Credit-Management seminar for cooperative power point presentation
bernanbumatay1
 
Chart--Time Management.pdf How to time is spent
Chart--Time Management.pdf How to time is spentChart--Time Management.pdf How to time is spent
Chart--Time Management.pdf How to time is spent
spandane
 
innovation in nursing practice, education and management.pptx
innovation in nursing practice, education and management.pptxinnovation in nursing practice, education and management.pptx
innovation in nursing practice, education and management.pptx
TulsiDhidhi1
 
Make it or Break it - Insights for achieving Product-market fit .pdf
Make it or Break it - Insights for achieving Product-market fit .pdfMake it or Break it - Insights for achieving Product-market fit .pdf
Make it or Break it - Insights for achieving Product-market fit .pdf
Resonate Digital
 
在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样
在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样
在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样
tdt5v4b
 
原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样
原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样
原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样
tdt5v4b
 
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
tdt5v4b
 
Conflict resololution,role of hr in resolution
Conflict resololution,role of hr in resolutionConflict resololution,role of hr in resolution
Conflict resololution,role of hr in resolution
Dr. Christine Ngari ,Ph.D (HRM)
 
Comparing Stability and Sustainability in Agile Systems
Comparing Stability and Sustainability in Agile SystemsComparing Stability and Sustainability in Agile Systems
Comparing Stability and Sustainability in Agile Systems
Rob Healy
 
在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样
在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样
在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样
tdt5v4b
 

Recently uploaded (20)

Colby Hobson: Residential Construction Leader Building a Solid Reputation Thr...
Colby Hobson: Residential Construction Leader Building a Solid Reputation Thr...Colby Hobson: Residential Construction Leader Building a Solid Reputation Thr...
Colby Hobson: Residential Construction Leader Building a Solid Reputation Thr...
 
Stuart Wilson the teams I have led - 2024
Stuart Wilson the teams I have led - 2024Stuart Wilson the teams I have led - 2024
Stuart Wilson the teams I have led - 2024
 
Resource-mobilization-guide-for-community-based-organizations1.pdf
Resource-mobilization-guide-for-community-based-organizations1.pdfResource-mobilization-guide-for-community-based-organizations1.pdf
Resource-mobilization-guide-for-community-based-organizations1.pdf
 
Enriching engagement with ethical review processes
Enriching engagement with ethical review processesEnriching engagement with ethical review processes
Enriching engagement with ethical review processes
 
W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...
W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...
W.H.Bender Quote 66 - ServPoints Sequence of Service™ should be Identified fo...
 
Impact of Effective Performance Appraisal Systems on Employee Motivation and ...
Impact of Effective Performance Appraisal Systems on Employee Motivation and ...Impact of Effective Performance Appraisal Systems on Employee Motivation and ...
Impact of Effective Performance Appraisal Systems on Employee Motivation and ...
 
Ganpati Kumar Choudhary Indian Ethos PPT.pptx
Ganpati Kumar Choudhary Indian Ethos PPT.pptxGanpati Kumar Choudhary Indian Ethos PPT.pptx
Ganpati Kumar Choudhary Indian Ethos PPT.pptx
 
Credit Management training seminar power point presentation
Credit Management training seminar power point presentationCredit Management training seminar power point presentation
Credit Management training seminar power point presentation
 
Sethurathnam Ravi: A Legacy in Finance and Leadership
Sethurathnam Ravi: A Legacy in Finance and LeadershipSethurathnam Ravi: A Legacy in Finance and Leadership
Sethurathnam Ravi: A Legacy in Finance and Leadership
 
Employment Practices Regulation and Multinational Corporations
Employment Practices Regulation and Multinational CorporationsEmployment Practices Regulation and Multinational Corporations
Employment Practices Regulation and Multinational Corporations
 
Credit-Management seminar for cooperative power point presentation
Credit-Management seminar for cooperative power point presentationCredit-Management seminar for cooperative power point presentation
Credit-Management seminar for cooperative power point presentation
 
Chart--Time Management.pdf How to time is spent
Chart--Time Management.pdf How to time is spentChart--Time Management.pdf How to time is spent
Chart--Time Management.pdf How to time is spent
 
innovation in nursing practice, education and management.pptx
innovation in nursing practice, education and management.pptxinnovation in nursing practice, education and management.pptx
innovation in nursing practice, education and management.pptx
 
Make it or Break it - Insights for achieving Product-market fit .pdf
Make it or Break it - Insights for achieving Product-market fit .pdfMake it or Break it - Insights for achieving Product-market fit .pdf
Make it or Break it - Insights for achieving Product-market fit .pdf
 
在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样
在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样
在线办理(Murdoch毕业证书)莫道克大学毕业证电子版成绩单一模一样
 
原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样
原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样
原版制作(CDU毕业证书)查尔斯达尔文大学毕业证PDF成绩单一模一样
 
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
 
Conflict resololution,role of hr in resolution
Conflict resololution,role of hr in resolutionConflict resololution,role of hr in resolution
Conflict resololution,role of hr in resolution
 
Comparing Stability and Sustainability in Agile Systems
Comparing Stability and Sustainability in Agile SystemsComparing Stability and Sustainability in Agile Systems
Comparing Stability and Sustainability in Agile Systems
 
在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样
在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样
在线办理(UVic毕业证书)维多利亚大学毕业证录取通知书一模一样
 

Powering Prevention: Lessons Learned from Building a Global Security Response Team

  • 1. Powering Prevention Lessons Learned from Building a Global Security Response Team Christopher Clark – Director, GSRT
  • 2. Powering Prevention Lessons Learned from Building a Global Security Response Team Christopher Clark – Director, GSRT
  • 3. Many Brilliant People, Many Small Silos Rapid organic growth in products and customers Effort duplication, inconsistencies, and internal focus
  • 4. Connect the dots and deliver holistic prevention Proactively detect and respond to threat evolutions Develop countermeasures, reporting, and technical solutions
  • 5. Faster, Better, and Globally Impactful Define Mission, Build Processes, Hire Team and Internalize Response in <12 months 250m+ Attacks, 31k+ Customers, 10k+ Engagements, 600+ Threats Identified
  • 6. Agenda Building a Global Security Response Team Stakeholder Empowerment Strategic Hiring Mission over Metrics Communication & Collaboration
  • 9. Proactively Engage Everyone Seek out, Sit down (in person), and LISTEN Understand the current reality and pain points Access stakeholder resources and capabilities Plan for unknown unknowns (then double it!)
  • 10. Education is the MOST important job Skip the details, tell the story Be a trusted resource and teach up, down, left and right
  • 11. Know the “NO” Monster Leverage expertise to prioritize security resource expenditure Identify fires before they start and protect the team
  • 13. Strategic Talent Capture Start at the core and identify key functional areas Acquire and empower proven leaders
  • 14. Functional Teams with Matrixed Deliverables 88 Vulnerability and Exploit Unit Provide Actionable Vulnerability and Exploit Intelligence. Coverage for delivery Methods and Hack / Post Exploitation tools. Tools and Technology Develop and Enhance Collection, Analysis, and Detection Capabilities, as well as DevOps support for existing tools. Threat Analysis Unit First line of triage, Conducting Analysis of Adversaries, Campaigns, and TTPs Malware and Countermeasures Unit Provide Actionable Malcode Analysis and Deployable Countermeasures
  • 15. Security Operations Malware Analysis Scripting and Development Penetration Testing Identify and Ensure Critical Skillsets Improved communication and operational efficacy Eliminate single points of failure Career progression and cross training
  • 16. Team Member Critical Skillset Continuum Threat Researcher Security Operations 80 % Malware Analysis 50 % Scripting & Development 40 % Malware Researcher Vulnerability and Exploit Researcher Automation Engineer Penetration Testing 40 % Security Operations 40 % Malware Analysis 80 % Scripting & Development 40 % Penetration Testing 20 % Security Operations 50 % Malware Analysis 40 % Scripting & Development 40 % Penetration Testing 80 % Security Operations 30 % Malware Analysis 30 % Scripting & Development 90 % Penetration Testing 30 %
  • 17. Regional Threat Expertise Cultural and Linguistic Knowledge Improved Response Speed and Quality
  • 19. Metrics are an indicator, not the goal Progress is achieved through failure Culture is the key
  • 20. PASSION: believe in the mission and what you can do
  • 21. CAPACITY: learn. share. ask for help
  • 22. INNOVATION: rules are a finite construct
  • 23. AGILITY: change is constant, be multi-disciplinary
  • 24. HUMILITY: ego-less execution - Bryson Bort, CEO
  • 26. Great Communication is required for Great Security “Remote by default” ensures expansion, flexibility, and data retention Trust is formed in person and grows through transparency
  • 27. Remove (or Connect) Data and Operational Silos Normalize processes and remove effort duplication Transparent and accessible data and deliverables
  • 28. Vertical and Horizontal Status Reports Deliver regular status reports on both research and response goals Ensure broad delivery to all team members and stakeholders
  • 30. Encourage Research and Response from All Diversity of experience drives new approaches Innovation is born from operations
  • 31. Research and Response Mix 80% 20% Response Research 60% 40% Response Research 40% 60% Response Research 20% 80% Response Research Junior Researcher Researcher Senior Researcher Principal Researcher
  • 32. Response must be efficient, Research must be impactful Publications (Reports or Code), Presentations, or Products
  • 33. Security Innovation is Distilled Threat Intelligence Prevention is driven by heuristics refined through research Targeted research is made possible by intelligent response
  • 35. Automation is critical to efficacy and scale POC by researchers, maturation and upkeep by automation engineers “Do it three times? Automate it!”
  • 36. Enable and Liberate Researchers Centralize response tool stack and maximize data density Ensure complete auditable transparency
  • 37. Develop Integrations and Orchestration Connecting existing detection, analysis, workflow and collaboration platforms
  • 38. Powering Prevention - Review Building a Global Security Response Team Stakeholder Enablement Actively engage with all stakeholders, understand their needs. Educate non-security teams, and protect your resources. Strategic Hiring Identify required talent and proactively recruit it. Ensure all team members possess key skills. Mission Over Metrics Culture is the most important part of the team, never compromise on fit and ensure Metrics are a guide not a target. Communication & Collaboration Leverage technology to expand coverage, improve efficacy, and reduce effort duplication. Research & Response Ensure staff is focused on short and long term research projects as well as operational triage. Automation! Dedicate resources to automating processes and tools once they have been proven.

Editor's Notes

  1. WORDS ABOUT SILOS AND PANW BEFORE GSRT, multiple orgs/groups/tools and support/sales teams etc.
  2. Destilled version of Mission (will relate similarities to all CIRTS (product/state/fortune500) Global Security Response Team Mission: Serve as the frontline for PANW customers and proactively respond to global security events. Directly support and empower TAC, CE, SE, and PM teams. Respond with platform wide countermeasures, threat analysis reporting, and technical solutions. Develop and mature threat intelligence products and AutoFocus content. Expand globally providing regional threat expertise, multi-lingual support, and 24/7 hour response capabilities.
  3. Do it better, faster and with more impact than previously accomplished. (12 months, 31,000 customers, Millions of files, etc) 300-400 Mission Critical Manual Analysis Tasks Weekly (2911 in Q3) 10-20 Deep Dive Malware and Exploit reports Weekly 100+ Yara Rules Developed for Detection 100+ WF Behaviors and IPS Signatures from ITW Threats 600+ AutoFocus Heuristic Malware Family Tags aiding TAC/CE/SE 3000+ Security Reports and 300,000+ IOC’s databases for TAC/CE/SE/PM reference. Direct Collaboration and Communication channels created with front line PANW support exponentially decreasing communications overhead and time to resolution for FP/FN cases.
  4. Seek out, Sit Down, ( In Person ), and LISTEN Understand “Now” and ask how you can help, Know your resources and per-task LOE before committing to ANYTHING
  5. Teach up, down, left and right. Be the trusted SME for security operations and response. Skip the details, tell the story.
  6. Use your knowledge to prioritize resource expenditure to protect _______ (the world?) Stewardship of resources No is a starting point.
  7. Zero Unemployment Recruiters are worthless (Zero Sourcing!) Identify the organizations who do (or have done) what you do. Hire the best (or pay the price) top down and empower them to build.
  8. Ensures elasticity of function (scale for increased or decreased volume) Ensures career path and challenges Fosters cross team collaboration (Required to complete research tasks) Allows 100% accountability for operational response/triage responsibilities
  9. Regional Threat Expertise Linguistics and cultural advantages Quicker Response by following the sun Regional Leads Responsible for Operational Deliverables, without HR/Mgmt concerns
  10. All blacks, haka – best rugby team. “no d***heads” rule - which stresses the team ethic above talented but erratic individuals - and insists on humility and calmness under pressure from its star players. “A focus on continual improvement, the creation of a continual learning environment, and a willingness to spill blood for the jersey was at the core of All Black culture.”
  11. Remote by default allows for expansion, flexibility, retention (….and extreme gains in coverage for free) Slack + Jira + Bitbucket + Zoom + Custom Dev
  12. Open and connect existing silos Do not allow the formation of further barriers to knowledge Normalize and remove effort duplication (exponential efficacy gains!, don’t tell finance)
  13. Deliver regular status reports both up AND across the organization, to every possible stakeholder and team member.
  14. Discuss Research & Response ---> Product innovation -> Research and response feedback loop.
  15. MOST critical team! Automation comes AFTER successful process implementation. Humans are rare and very expensive. Rapid prototyping by analysts escalation to tools team for SDLC ”Do it three times? Automate It!” DevOps & Code Review
  16. Centralization of toolstack and infra Removes code maintaince and support Allows researchers to focus on operational needs Removes effort duplication
  17. FooS tools, Scripts, and COTS/SAAS system API’s Absolutely critical to scale operations team Enables 20 people to drive global content, coverage, and threat intel platform + Publications!!