The Podcast Quick Hits with Josh Liburdi at Brex
"It's a really great time to cause a bad day for a bad guy in your environment"
Each month on the Detection at Scale podcast, we interview leaders and practitioners responsible for scaling their security operations programs.
In April, we spoke with Josh Liburdi (S02E09), a Staff Security Engineer at Brex. He shared what he learned from building and operating SIEMs in a cloud-native environment and discussed their homegrown security data pipeline tool, Substation.
I really enjoyed Josh’s defender mentality of “making our jobs easier while not letting the bad guys off easily.”
Check out the five quick hits below, a link to the full episode, and subscribe to get these posts delivered to your inbox weekly!
Quick Hits from Josh
With commentary…
“Modern response should be boring and highly automated.”
Automate the rote tasks and focus on more important tasks.
Be prepared and ready for the most likely attack scenarios.
Opt for a low-code approach to quickly build and iterate.
“Make your SIEM rules simpler by pre-processing in the pipeline.”
Use pipelines to transform logs, like flattening complex data structures.
Add enrichments at ingest time, such as org and team context.
This results in elegant SIEM rules that are easier to understand.
“Match IoCs in the pipeline, too.”
IoCs go out of date quickly, so enrich logs at a point in time.
Matching in the pipeline makes downstream threat hunting efficient.
Don’t try to threat hunt in the pipeline! Do it where the data lives.
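As an added example (not code from the episode, from Brex, or from Substation), here is a minimal Python ingest step that does what the two quotes above describe: flatten nested log JSON into dotted keys, attach org/team context from a lookup table, and stamp IoC matches with the time they matched so the downstream SIEM rule stays a one-liner. The asset table, IoC list and log lines are all constructed here.

```python
import json
from datetime import datetime, timezone

# Constructed lookup data a pipeline would load at startup (hypothetical values).
ASSET_CONTEXT = {"i-0abc123": {"org": "payments", "team": "core-infra"}}
IOC_IPS = {"203.0.113.42"}  # documentation-range address, constructed for this example

# Constructed sample log lines in a nested, VPC-Flow-like JSON shape.
SAMPLE_LOGS = [
    '{"host": {"instance_id": "i-0abc123"}, "network": {"src_ip": "10.0.1.5", "dst_ip": "203.0.113.42"}, "action": "ACCEPT"}',
    '{"host": {"instance_id": "i-0deadbe"}, "network": {"src_ip": "10.0.2.9", "dst_ip": "10.0.2.10"}, "action": "ACCEPT"}',
]


def flatten(obj, parent="", sep="."):
    """Flatten nested dicts into dotted keys so a rule can reference network.dst_ip directly."""
    out = {}
    for key, value in obj.items():
        path = f"{parent}{sep}{key}" if parent else key
        if isinstance(value, dict):
            out.update(flatten(value, path, sep))
        else:
            out[path] = value
    return out


def enrich(event, ioc_ips=IOC_IPS, assets=ASSET_CONTEXT, now=None):
    """Flatten one event, add org/team context, and stamp any IoC match at ingest time."""
    now = now or datetime.now(timezone.utc)
    flat = flatten(event)
    ctx = assets.get(flat.get("host.instance_id"), {})
    flat["enrichment.org"] = ctx.get("org", "unknown")
    flat["enrichment.team"] = ctx.get("team", "unknown")
    # Match against the IoC list now: the list will change later, so record when it matched.
    hits = [ip for ip in (flat.get("network.src_ip"), flat.get("network.dst_ip")) if ip in ioc_ips]
    flat["ioc.matched"] = bool(hits)
    flat["ioc.values"] = hits
    flat["ioc.matched_at"] = now.isoformat() if hits else None
    return flat


def process_lines(lines):
    """Run the ingest step over raw JSON log lines, as the pipeline stage would."""
    return [enrich(json.loads(line)) for line in lines]


def siem_rule(flat):
    """The downstream rule stays trivial because the pipeline already did the work."""
    return flat["ioc.matched"] and flat["enrichment.org"] != "unknown"
```

Calling `process_lines(SAMPLE_LOGS)` yields one flat record per line; the first carries `enrichment.org == "payments"` and an `ioc.matched_at` timestamp, the second has no context and no match, so `siem_rule` fires only on the first.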
“Don’t play MITRE ATT&CK bingo. Focus on the tactics that matter.”
We don’t care that we’re getting scanned. It happens all the time.
We should focus most on the tactics that cause the most damage.
Coverage only matters in context.
“Collect high-volume, low-value logs. Don’t just throw them away.”
Figure out how to cost-effectively store high-volume logs for a rainy day.
This applies to datasets like VPC Flow. They are great for IR.
Be strategic about cold storage and filtering.
Who Should We Interview Next?
We love referrals to other leaders in the space. If you have someone in mind, leave a comment, message, or contact us at press@panther.com.