
August 5, 2025 36 mins

What does cybersecurity look like when you're protecting the world's largest streaming service and content studio? Jason Chan, who built and led Netflix's security team for over a decade, takes us behind the scenes of securing one of the most transformative companies in modern history.

From Netflix's humble beginnings as a DVD-by-mail service to its evolution into a global streaming behemoth operating in 200+ countries with hundreds of millions of subscribers, Jason shares the security journey that paralleled this remarkable business transformation. At the heart of Netflix's approach was strategic storytelling—creating a clear picture for both technical and non-technical stakeholders about not just what needed protection, but who the company needed protection from.

The threats Netflix faced were as unique as its business model: account takeover schemes where compromised credentials were resold on international black markets, content protection challenges to prevent pre-release leaks of shows, and even physical-digital security concerns around protecting high-profile people like the Obamas. Through it all, Jason's team developed a pragmatic approach focused on preventing the most catastrophic outcomes: service unavailability and data breaches.

Perhaps most remarkable was Netflix's commitment to open-source security. At a time when most companies guarded their security practices closely, Netflix released groundbreaking tools that shaped today's security landscape—including Security Monkey (the first cloud security posture management tool) and Fido (an early security orchestration platform). As Jason explains: "We're not going to compete on security, we're going to compete on entertaining the world."

Whether you're building a security program from scratch or leading a mature team, Jason's insights on prioritization, vendor partnerships, and community collaboration offer a masterclass in effective security leadership. Subscribe now to hear the full conversation about securing one of the world's most innovative companies during its remarkable transformation.



Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Jason Chan (00:00):
I think we really do need to focus, when we are sort of telling our stories on security, right, it's not just about what we're protecting, but who we're protecting it from.

Rachael Tyrell (00:08):
Hello and welcome to Episode 12, season 1, of your Cyber Threat Intelligence Podcast. Whether you're a seasoned CTI expert, a cybersecurity professional or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of season one, our host, Pedro Kertzman, will chat with Jason Chan, who has over 20 years of experience in

(00:34):
cybersecurity and is especially passionate about large-scale systems, cloud security and improving security in modern engineering organizations. Jason built and led the security team at Netflix for over a decade. His team at Netflix was known for its contributions to the security community, including over 30 open source security releases and dozens of conference presentations. He also previously led the security team at VMware and spent most of his earlier career in security consulting.

(00:57):
Over to you, Pedro.

Pedro Kertzman (00:59):
Jason, wow. Being a fan for so many years now, I think it's just fair to say that I'm beyond excited to have you on the show. Thanks a lot for coming.

Jason Chan (01:09):
Oh, thanks, Pedro.
Thanks for having me.
I'm glad to be here.

Pedro Kertzman (01:11):
Amazing. If maybe we can jump right in, would you mind sharing your perspective, like a general CISO view of CTI? It could be related to assets, exposure, threats, you name it.

Jason Chan (01:24):
I think, from the CISO's perspective or security leader's perspective, I mean, obviously they're running the security organization, of which threat intelligence is a big part. But I think most of what we're trying to do is at the executive level, the leadership level. This includes, you know, your peers and technical executives,

(01:45):
non-technical, the board. You're really trying to create a shared understanding of the security environment that the company is facing. So, you know, I tried to keep that simple when I was doing those kinds of communications, and it was really about, you know, what are we trying to protect? Right, and I don't mean, you know, the specific assets, but

(02:07):
it's like we're trying to make sure this service remains available. You're trying to make sure data remains protected, and then you're trying to think, well, what are the negative events that could affect those things you're trying to protect? And then, finally, you know, what are the threats, like, who are the adversaries? Right, and I think that's where CTI comes in, is you want to be

(02:29):
able to reason about who is actually coming after you. And, of course, as we know, the adversary doesn't really make a habit of letting you know when they're coming after you, or how they're going to do it, or when, but, you know, which is what, to me, threat intelligence is all about. So, yeah, I think about it at that level, as you're trying to do some storytelling, you're trying to paint a picture of

(02:50):
what the threat environment is like, with as much information and detail as possible.

Pedro Kertzman (02:55):
That's amazing. I love how you put the storytelling part, and also to the non-technical, let's say, audience. So that's an interesting point. Any insights on how to properly fine-tune that message to that audience?

Jason Chan (03:10):
Oh yeah, I mean, I'd like to think of it really in terms of, and I think this is pretty common in threat intel, you're really trying to think about maybe not necessarily specific adversary groups or threat actors, but the way, at least the way I categorized them when I was at Netflix, is we sort of would talk about, like, groups, right, like who's actually coming after us, and, you know,

(03:34):
at Netflix, you could kind of think of it as almost like two really large and complicated businesses that are kind of working together. One is on the streaming side. It's the world's largest streaming subscription platform, right. So you have, you know, 200 and something million members, 200 or so countries. So you have kind of threats that are pretty

(03:57):
common to running a large-scale consumer internet service. And then, in addition to that, you have the studio, which is creating all the content that goes on Netflix, and, again, it's the world's largest studio. So, at least about the time I retired in 2021, we were doing about a thousand productions a year. And, you know, a production is, you know, it's a stand-up comedy

(04:19):
or it's, you know, an animated series, it could be a movie, whereas most other studios are doing about 50 to 100 a year. So really, really large scale. So really, with that, we're trying to create an understanding about, well, who from the adversary side is interested in that, and we would kind of put them into buckets, right.

(04:39):
So you have, on the more kind of, if you think about like a spectrum or a continuum of adversary that goes from, say, kind of commodity or general to more specific. And I don't mean in terms of skill, I'm not talking about script kiddie to APT, I'm thinking about what's a general threat versus more specific.

(04:59):
And the general threats for Netflix were, as I mentioned, right, you're running a large-scale consumer internet service, so you're going to see a lot of things like credential stuffing and account takeover. We had, you know, a lot of cases where, of course, people tend to reuse their passwords and their accounts get taken over, and there were certainly cases where the access

(05:22):
to an account would be resold. So we want to understand, okay, well, who are the threat actors, who are the adversaries that are seeking to take over Netflix accounts so they can monetize resale of those accounts. We would also look, on the streaming side, we would think about content protection, right. So, because, you know, I guess, regardless of

(05:43):
how you may personally think about things like content protection and piracy and digital rights management, you know, to be able to put that kind of content on the internet, and working with these studios and these creatives, they have certain security requirements. So we obviously implemented all kinds of interesting content protection and digital rights management.

(06:03):
But, you know, there were a separate set of adversaries, you might even consider them researchers or, you know, like old-school hackers, that were basically trying to break content protection, they were trying to break DRM. So there you also have to kind of pay attention to what's happening, like what's the state of the art in breaking DRM and breaking content protection.

(06:25):
And then, you know, on the studio side, as you can imagine, you're making content, you're working with a lot of celebrities, a lot of really well-known people, a unique part, because you really

(06:46):
start to have this, like, cyber-physical crossover, where you're trying to protect, you know, A-list talent and celebrities. Right, we were working with people like, you know, Michelle and Barack Obama, and these are people, obviously they have their own kind of protection and things like that. But we also need to be able to protect the kind of digital assets that pertain to, for example, where a certain

(07:06):
celebrity is going to be on a certain date, or where filming is going to be for a particular series. So, you know, I would say, sorry for rambling there, but, you know, kind of a long story short, in terms of that storytelling you're trying to create, without going into the weeds about any specific thing, you're trying to say, hey, look, these are kind of like

(07:28):
the four or five main categories of adversary that we're really thinking about, and, of course, that doesn't mean that there might not be somebody new next year or next week. But if you want to have a long-term, you know, sustained kind of program, you have to kind of, you know, do some reasoning about who you're actually working against,

(07:49):
and it's not just some sort of, like, you know, gray and shady, you know, unknowns. You have to be able to put some kind of personas to those folks.

Pedro Kertzman (07:53):
That's amazing, and it's a very, really unique, let's say, list of assets, and, if I'm not mistaken, I think I can remember, from the top of my head, any content, if you will, breach, or like a new series or something like that being exposed before the real release

(08:16):
date. And I do remember from many other studios. So I would say you guys did a, you know, really good job on keeping that stuff private.

Jason Chan (08:26):
Yeah, we did have one issue. I'm trying to remember what year it was, maybe 2016, 2015. We had one of our original series called Orange Is the New Black. We had the new series. Some of those episodes were leaked by, it was a fourth-party vendor, so they were kind of an audio

(08:49):
vendor from the studio that we had worked with to create that series. So, yeah, it happened, and to me that kind of is, to some degree, the nature of the sort of distributed nature of content production, is, you know, you have a lot of third parties involved and fourth parties. So the studio that you work with, they have their own, you know, ecosystem of suppliers, yeah, and so

(09:13):
and that, but it was, you know, another. I remember, kind of speaking about executive communications, I remember around that time, you know, we had to really do a lot of education with our folks, because a lot of the really traditional, like, folks that have worked in traditional studios, a lot of what you're trying to protect is

(09:34):
that opening box office weekend, right, because that's when everybody's buying their tickets. Right, we just saw, you know, Mission Impossible just came out, right, so you really got to take care to not have that get leaked, because otherwise people are not going to get tickets. So, you know, the difference is, on a streaming platform like

(09:54):
Netflix, where you're really just paying one price and you get all the content, is, you know, part of really what we were trying to do as a business is you're trying to create a service that is good enough, in terms of the technology and the content, so that people don't really bother with piracy or trying to see things, you know, a couple of days early. So, you know, we did a lot of communication about, hey,

(10:17):
obviously we don't want content to be leaked, but it's just a fundamentally different business model than the traditional studio and traditional entertainment releases.

Pedro Kertzman (10:25):
Fair enough, and I think, at least to me, one of the mind-blowing things is the scale that you're mentioning, where you guys are operating in several countries, the amount of users and all that, but also how disruptive, from a

(10:51):
never-seen-before type of technology, you had to leverage to be able to deliver that content on that scale, and I imagine the security was just kind of enabling business at that point, right. So you had to work hand in hand to be able to securely deliver that content at that scale. Any challenges around that, especially if it relates to CTI

(11:14):
at any point?

Jason Chan (11:19):
Yeah, I mean, I would say I think you captured it well. Right, you're trying to create a new business. Right, you're trying to create a subscription video service, which, you know, Netflix's history, its origin was really a DVD-by-mail service, right? So you would go to the website and we would mail you DVDs, and so, you know, a lot of the way I would characterize my time at Netflix, you know, I spent a little over a decade there, was

(11:41):
there was basically constant change. So the business was changing from DVD by mail to streaming. We were changing the content we were providing, from licensing other studios' content to creating our own. And then, you know, going from, like, US only to global. And then, on the tech side, you mentioned tech, we were going from a company that was pretty much run out of its own data

(12:04):
center to being really probably the first large enterprise to go full scale into the public cloud. We started the journey into AWS in, I think, about 2008. When I started in 2011, it was quite early on. But I mean, you know, I think nowadays, if you were going to

(12:24):
create a new company, it would be kind of a no-brainer to be like, yeah, of course we're going to use, you know, AWS or GCP, but, you know, back then it was pretty unheard of to be that far in. But the reason why, I mean beyond any kind of specific technical features, is we were really trying to focus the business, right, because when you're trying to create a new

(12:46):
kind of business, you really need your people to focus on that and not focus on things like managing data centers and running networks and, you know, storage and all this kind of stuff. So that was really, like, part of the key of the company's culture, was, like, let's let people focus. And I would say we did the same thing with security. Right, we were trying to create solutions that made it easy for

(13:07):
developers to work with security. On the threat intel side you mentioned, one of the first, you know, we did quite a lot of open source at Netflix, and one of our earliest projects was this system called Scumblr, and really what it did, and, you know, I think this has become fairly common nowadays,

(13:28):
but we released it, I think, in 2014 or so, was you basically, you know, set up this system to kind of go out and look at various places on the web, whether it was, you know, Twitter or Pastebin, and you're trying to find intelligence. Right, you're trying to find, hey, is there anybody out there, you know, talking about Netflix, talking about Netflix users, vulnerabilities, those kinds of

(13:48):
things. This was really, like, in the early days of when you could procure something like, you know, managed threat intelligence and you could get feeds. But to get, you know, more structured intelligence or more kind of, like, higher-level work, it was a little more hard to come by. So, yeah, and, you know, we built that when the team was still pretty small.

(14:09):
It was probably, you know, five or six of us total. So you're not able to dedicate full-time resources to just, you know, looking to see what might be out there of interest. So, you know, you create tools and you create automation, you create pipelines that allow you to go out and look for that information, bring it in, you know, disposition it and do what you may with it.

Pedro Kertzman (14:28):
That's amazing. And so you're mentioning the shift on the business side, right, from DVD shipping up until, like, large-scale streaming. How was the CTI also evolving with that shift? I imagine, like, the threat actors, TTPs, you name it, will be

(14:49):
fairly different, like the threat actors targeting that specific way of doing business, up until, like, a large-scale attack surface. I cannot even imagine the size of the attack surface at the point Netflix is nowadays. So how's that shift, from an adversary understanding

(15:14):
standpoint, throughout those years?

Jason Chan (15:18):
Yeah, it's kind of funny, because I would say, at least when we got started with what I probably would call CTI, we may have bucketed it more in terms of customer trust or fraud and abuse. You know, that's really where we started to focus, because you're trying to figure out how are people trying to

(15:38):
misuse the service, right? So, you know, on the DVD side, it was fairly straightforward. Like, sometimes you would have people sign up and, you know, they give you a fake physical address, because they're trying to get DVDs that they never have to return, or, you know, certainly, things like credit card fraud. And then, when you went to streaming, there were

(16:01):
the same things, kind of in that bucket of customer trust or, you know, abuse, and I did a talk on this. I think, you know, Facebook had a kind of spam-at-scale conference back in 2016 or so, and I kind of went through some of the different kind of abuse scenarios and how we thought

(16:21):
about protecting against each of those, and really the most common one, and it sort of came from different areas, but was just, you know, it was account takeover, whether it was through credential stuffing, you know, password reuse, you know, info stealers, whatever it might be. There were, in fact, some

(16:42):
pretty large and geographically distributed and fairly sophisticated threat actors that would gain access to Netflix member accounts for the purpose of reselling those. Because, you know, especially in, you know, we found quite a lot in Latin America, quite a lot in Southeast Asia, where, you know, you would see, we actually have, like,

(17:03):
pictures of, like, billboards and stuff where people would be selling, hey, here's Netflix for two dollars a month, and of course it's not, like, you know, legitimate Netflix. But basically what they were doing was reselling access to an account that had been compromised. So, yeah, so we really had to shift from that, you know, the kind of physical, kind of credit card fraud, to more of, like, how

(17:25):
are people going to abuse the service, how are people going to abuse our members? And that was really kind of what got us started down the road of a more formal kind of CTI program.

Pedro Kertzman (17:37):
Awesome. You know, we got the program started. Any learnings or things worth mentioning, how you matured that program within those next few years, having, like, an established CTI program?

Jason Chan (17:55):
Yeah, it's, um, you know, I would say, similar to, you know, I mentioned this idea of using the public cloud as a means of creating focus for your business, and we did the same thing, I would say, with not just CTI, but, you know, to use that as an example, is you think about, okay, if you want to create a program to
Is you think about, okay, ifyou want to create a program to

(18:16):
allow you to better understand your adversary, like a CTI program, what do you decide to do yourself? What do you decide to outsource or use a vendor for? And, frankly, even above and beyond all that, what are you going to decide to do versus not do? Because I always, you know, I've said many times, it's like

(18:37):
it's really about what you're not going to do. Right, because if you had unlimited time and resources, you'd say, yeah, sure, just do it all, but nobody has the time or resources to do all that. So you have to be really strategic about absolutely saying, look, these are the things we're going to focus on. We're going to maybe lean on a vendor to do some of these other things, and then these other things we're just going to be,

(18:58):
you know, we're not saying they're not important, but as of right now we're not going to do those. So, you know, we really worked in a way of, you know, kind of going back to the beginning, when I was talking about storytelling, and kind of, you know, what are the big buckets of adversary groups? We really focused there, to be like, hey, who are the, you know, what are the, and this is kind of more from a

(19:20):
quantitative perspective, it's like, what are the threat scenarios that we're most worried about, that we think can have the biggest impact? And then you sort of match up, okay, well, what are the adversary groups that could actually enact those threat scenarios? And that's really where you'd want to focus. And, you know, again, for us it's like, most of, when you think about how can things really go wrong for a large-scale internet

(19:43):
service? There's really kind of two main things that can go wrong, right. One is your service cannot be available, right, like, whether it's DDoS or any other reason that your service goes down and paying users can't use it. And then you can, you know, you can lose data, right, you have some kind of data breach or things like that. So really, for most large-scale consumer internet

(20:05):
services, those are the two main things you're trying to protect. So that's really where we began focusing our threat intel program, was about how do we make sure that we are investing to preserve those two primary functions, whether it's keeping the service available, protecting customer data, and then kind of work out from there to your adversaries and things like that.

Pedro Kertzman (20:27):
That's amazing. I really love the way you put it, from a priority standpoint. I see a lot of people kind of overwhelmed already just by thinking about a CTI program, the magnitude, the amount of information, telemetry from all over the place. But it's just, you don't need to embrace the whole thing.

(20:49):
You can use it just to determine risk, for example, likelihood, impact and stuff, and then take decisions based on that, maybe not doing anything. It's a decision as well. The way you put it, it's really good, because it just feels that if you don't want to look into it, then it's like a dangerous spot to be.

(21:13):
Like, go do some research, and that's okay if, after that, you come to the conclusion, I can take that risk. It's all good.

Jason Chan (21:24):
Yeah, you know, I think you cover two really important topics there, right? One is a lot of people can be overwhelmed with getting a program going, kind of going from zero to one, right, like people would do with people. And we had that failure mode, you know, a number of times in the team, you know, I'm not saying necessarily specific to

(21:44):
CTI, but where you sort of want somebody to be the first hire in an area and they would have trouble getting that function off the ground, because they kind of felt like, geez, how can I do this as one person and do that? And it's like, well, again, it's about what are you not going to do? What are you specifically? Because, you know, I would try to support them and be like, hey, look, you know, one time many years ago, like, I was

(22:06):
the first person working on this at Netflix, and it was just me, and, you know, I kind of know you're the only person. Then, you know, you should be able to figure out, okay, how am I going to spend my time most effectively? So I think that's a key thing, is you have to have a certain type of person who can feel comfortable kind of going from

(22:27):
zero to one and being the first person and not having a team, right, it just being you. And then the second one, in terms of, like, what you're not going to do, I think there's something relatively unique to security people, where we feel like, if we know about something, like, whether it's a vulnerability, we feel very uncomfortable not

(22:48):
doing anything about it. Right, we're like, oh, geez, well, I know this problem exists, so, you know, I need to do something about it. But it's like, I think people need to really start from kind of the opposite end. Right, it's like, hey, I need to have a really good reason to actually, of what I'm working on. Right, knowing that, you know, if you think about it,

(23:09):
any given day, right, you have an infinite number of things you could choose to do. It's like, well, how are you going to choose those few things that you are going to do? And, you know, we're human, right? So a lot of times we're like, oh, well, what's the shiny thing? That seems interesting, let me go work on that. And then, you know, in your heart of hearts, you might say, oh, it's not actually the most important thing, but it just seems fun. So, oh, geez, I need to have, you know, this super mature

(23:30):
program on day one. And then being like, hey, yeah, there might be, you know, 100 things I'd like to get done, but, you know, in reality I'm only going to be able to do six of those, right? So I think it just can make people really uncomfortable to make those kinds of decisions.

Pedro Kertzman (23:51):
Yeah, that's true, and you were mentioning also about vendor collaboration as well. Any insights around that, how to better utilize that extra pair of hands to bring some extra value to the team or the organization?

Jason Chan:
What is important for us to do ourselves and be great at,

(24:14):
versus what could somebody else probably do better than us? And especially if it's, like, a really undifferentiated service. And I think probably the first one that comes to mind is, like, phishing takedowns, right, and phishing sites and things like that. That's such a common problem across the Internet. Like, we would have a program to sort of, um, to

(24:37):
potentially do takedowns and things like that. But most of that was done by vendors, who are going out, you know, finding the phishing kits and doing the analysis. They're doing the cease and desist, right. There's no value in us doing that ourselves. So I think that was a great case for kind of outsourcing. And then the other one was, you know, I mentioned this kind of markets for resale of Netflix accounts, and, you know, there's

(25:01):
also forums and things like that where people talk about how do you break, you know, digital rights management, how do you break copy protection, content protection, a lot of hardware research. So for us, like, you know, to kind of create a persona to kind of sit in those forums and understand what's going on, to do, like, controlled purchases of compromised accounts, it's like

(25:21):
we would leverage vendors to do that for us, because it's like it's not really, you know, to kind of set up the infrastructure to do those kinds of long-term campaigns, it's not a ton of value in doing that yourselves, whereas, like, you have plenty of companies who, like, that's what they do 24/7. I would always use, you know, this is not specifically around CTI, but, you know, things like reverse engineering malware.

(25:43):
You know, malware analysis. It's like, you know, for most companies, it doesn't make sense to have that skill set on staff, right, because you just go talk to, you know, Mandiant or whoever, and they can kind of do it for you, because that's all they do. It's the same thing where, if you think about a lot of what we've learned outsourcing in the security world, like, think about penetration testing, right.

(26:05):
You know, sure, there's some teams that have internal pen testers. But, you know, you go to vendors, and, like, that's all they do. They're looking at applications and they're breaking them, you know, constantly, yeah, and so I think the same way around threat intelligence is, like, what's really, really specialized that we want to work on and we want to get great at, and that's going to be, like, the highest-touch work, and it's not that that's, like, you know, harder or easier, it's not really about that.

(26:33):
It's just about what are the things, the tasks, that are going to be the most specific to the company versus, you know, what are the things, like, say, phishing takedown, that just apply to everyone, so it's just better to use a service for that.

Pedro Kertzman:
Going back maybe to that topic of the open source tools that your Netflix team was putting out there, any collaboration, special collaboration or tool things worth mentioning, that you saw some extra success from, that particular tool ended up being, I don't know, amalgamated on another platform or other frameworks, so on and so forth?

Jason Chan:
Yeah, no, I would say,

(27:17):
maybe, like, stepping back, just kind of, like, introducing, I think, open source

(27:22):
at Netflix, and specifically to Netflix security, really early on, we decided, almost really at, like, a strategic level, that, you know, we really looked at security as kind of a community kind of thing, right. It's like, so we would lean into sharing rather than trying to keep it private. I remember, you know, when I started early in my career, like,

(27:43):
in the late 90s, it was very much of a, like, people didn't really talk about security, right, because they felt like they were going to give something away. And we really, I would say, took a much different approach. We were like, hey, we're not going to really compete on security, we're going to compete on entertaining the world. That's what Netflix needs to be great at. Security is part of that.

(28:03):
So we really leaned into this idea of sharing and some of that was through open source and some of that was through peer-to-peer collaborations with other companies, doing things like conference talks and things like that. So we were very, I would say, bullish on all those kinds of investments and, yeah, I would say we had some really, really,

(28:25):
you know, part of the advantage of being in a really fast-growing company that's sort of doing something new, you know doing, you know, being very early in the public cloud was that, you know, back then, right when I started 2011, there wasn't a market for cloud security right. That didn't really exist. There were maybe some vendors that were like, hey, let me

(28:46):
create a virtual appliance for this firewall, but you know, it's mostly just all garbage, right. So pretty much we had to create our own solutions. So we created things like Security Monkey, right, which was, you know, really, looking back, was really the first CSPM. Right, it was CSPM before that acronym existed. You know, looked at our AWS environment and kind of found

(29:09):
issues. We created Fido, which was, you know, the first SOAR program, SOAR platform. It was kind of SOAR before SOAR existed. And then Scumblr earlier on, which was really our kind of our threat intel kind of. You know, basically go out and look on the web for things that you might care about and certainly, like, I think, any of

(29:31):
those things. You know, if we had wanted to, you probably could create a company around those things, but we were, you know, ultimately we were just trying to protect the company, so we didn't, you know, we didn't go down that route, but yeah, so it was. You know, we certainly learned a lot. Mostly what we were trying to do with open source, especially in the kind of cloud security space, was we were basically

(29:52):
saying hey look, everybody is new at this, right, so this is our way of tackling this problem, like let's get feedback, like maybe it's helpful to you, but maybe you've developed a different way, and I think it's kind of nice to see now that, in sort of 2025, it's much more common for, you know, companies

(30:15):
to open source security products, or for companies, you know, defenders working at large corporations or even small corporations, to go to conferences and talk about defending right. Because when I started in security, you'd go to conferences like you know, not just Black Hat, but any of them. You're only ever talking about offensive stuff. You're talking about vulnerability research, you're talking about attacking, and now it's like there's tons and tons

(30:40):
of talks on defense, and I think part of it was, you know, companies like Netflix really kind of leaning into that that's amazing and uh any like a peer-to-peer collaboration or maybe even like Facebook ThreatExchange that you saw advantages of leveraging from a maybe a CTI standpoint as well yeah, yeah, we, we did get involved with a few sharing programs like

(31:04):
ThreatExchange, um that you know they were like, I mean, I wouldn't say they were useless, but they were probably a little more trouble than at least in the early days when we were involved. um, than it was worth anything kind of like formal. What I sort of found was like probably less valuable and what you really had value out of was the informal conversation.

(31:24):
So we did a lot of um, peer-to-peer, you know, you know how it is right, there's so many like Discords and Slacks out there where security people gather and they talk about stuff and like again, even even now, right, like that's such, it's such a huge advantage, right, like, if you think about, can you go and lean on somebody and say, hey, have you

(31:45):
seen this before, have you seen this kind of activity before? Like, what would you do here? And you know people, that's one of the things I've loved about the security community and you know why I've been in it for pretty much my entire career is that people they care, they care about what they're doing, they care about protecting their organizations and they also are generally in it to help them,

(32:06):
want to help other people because they recognize that you know it's hard to just protect anything in isolation, really have to create a safe environment, a safe environment in isolation. Really have to create a safe environment, a safe interconnect. So, yeah, I think I've had, you know, really, really good sex, good success on the informal side, whether it's sharing with other CISOs or you know other security engineers, um, where you know people are just more than willing to share their to,

(32:28):
to give their time and energy to helping other people okay, no, that's perfect.

Pedro Kertzman (32:33):
And uh, from like learning CTI standpoint, not necessarily you know, IOCs or things like that, but how the industry is moving, how things are now shaping and and all that any new, uh interesting favorite sources, books, blogs, people, anybody to follow or learn from yeah, I would say you

(32:55):
know, since retiring I'm a little bit, I'm less plugged in, right, so I don't do as much following.

Jason Chan (33:00):
But I think you know there's a saying in security, and especially in an incident response, right, you never really want to waste. You know a crisis, right, and especially if it's somebody else's crisis. So I think looking at incident reports to me is like such a great way of learning and looking at you know the different reports companies create around.

(33:21):
You know tracking different adversaries. I think those are. Those are great because you can really understand. You know I'm not going to I tend not to name names, but when you look at big breaches, you know cause. I would say one of the things I would always tell people is you know they would ask me hey, well, you know how do you prepare for a board meeting, or you know what's your slide presentation. I'm like I don't.

(33:42):
I don't really, you know the prep I do is is I try to anticipate the questions they're going to ask, because it was always about what happened recently, like, oh, this company had a compromise, or what do you think about this? Or like, could this affect us? And those are really really good learning experiences because, you know, frankly, they happen to somebody else. But some of that information is available, um, you know so, of

(34:06):
course. And then there's there's things like the, you know, Verizon's DBIR. Um, I think you know I'm not on Twitter anymore, but, um, you know one, one person you know I would say is just a great follow and I I get the newsletter now, but this is the Grugq. So I mean, he's just been been in it for you know decades and just always has really, really interesting um, things to call

(34:27):
out. So, yeah, get his, get his email newsletter. He probably has a Substack in a Medium that's amazing.

Pedro Kertzman (34:33):
Any final thoughts, any last things to share?

Jason Chan (34:37):
No, I think I appreciate the time, appreciate the conversation. I think, um, you're sort of tying it back to the beginning, it's like. I think I think we we really do need to focus when we are sort of telling our stories on security right, it's not just about what we're protecting but who we're protecting it from right and really think about how you can kind of put those together. It. It makes it much more, certainly much more compelling

(34:58):
storytelling, but I think it's a little bit easier to connect to people as well if they can kind of, you know, understand what are motivations, what are techniques and really like, why are we putting in this investment to protection?

Pedro Kertzman (35:08):
That's perfect, Jason. Thank you so very much for coming to the show. I really appreciate your willingness to share your knowledge with us and I hope I'll see you around.

Jason Chan (35:18):
Yeah, my pleasure. Thanks, Pedro, appreciate it.

Pedro Kertzman (35:21):
Thank you.

Rachael Tyrell (35:24):
And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise that would like to be interviewed on the show, just let us know. Until next time, stay sharp and stay secure.