Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:01):
How's it going?
Aksa and Justin, it's great to get you guys on the podcast. I think we've been working towards this for a while and I know you guys have some really interesting topics to bring up. You guys are shortly here releasing an e-book on it, on a topic that I'm probably not as well-versed in as I probably should be, which is an interesting side topic, but
(00:24):
how's it going?
Speaker 2 (00:26):
Going good. Joe, thank you for having us. I'm super excited and, knowing that this is all just raw, going with the flow, I'm really curious and excited for this.
Speaker 1 (00:36):
It's interesting, people react differently to this podcast format, right, I think. A lot of podcasts out there, they probably, like, offer up, you know, a lot of different questions and they do a whole lot of research and everything else like that. But I feel, personally, it takes away from the genuineness of the podcast, right? Like I think that there's a level of
(00:57):
authenticity that this format captures where it's truly just us having a conversation. It's not scripted or anything like that. You know, like I find that whenever I script something, I do worse at it. At least I feel I do good at memorizing lines, that's for sure, yeah. Yeah, that's probably why I never got into, you know, like plays or speech, whatever that was like, you know, in high school
(01:20):
, never did any of that. It was literally the reading of a script that was a part of it. It was like, okay, well, I can't react to this how I would normally react. More of an ad lib guy myself. Yeah, yeah, awesome.
Well, you know, first I'll start with, you know, you guys each
(01:41):
introducing yourselves. You know, we'll start with Aksa. So how did you get into IT? How did you start to specialize in security? What made you go down that path? Because you have a pretty interesting background. I think you're a bit of an author and security professional, security expert. So how did you start going down this path?
Speaker 2 (02:05):
Yeah, good question. I asked that to myself too. So, interesting story: I did my master's in electrical engineering and you have to take an optional course outside of your core, and so I took cloud computing as an optional course, which kind of became my entire career journey since then. So at that time when I was doing my master's, container
(02:27):
security was really the topic that everyone was talking about, and my professor wanted to mix quantum with container security, cloud security. So I looked up companies that were doing it for my research paper, got into Twistlock, which got acquired by Palo Alto Networks, and then I moved to product management, building these products for customers, for organizations
(02:49):
that are looking to strengthen their cloud security posture, workload security and all. And then came Abstract. So I've been really fortunate in working with these startups, successful startups and companies that are on the edge of doing something new, something innovative, and I love to write, so it was natural for me that when I learn something,
(03:11):
I learn it by writing or taking notes. So I thought, what better way to share the knowledge than in books? So my first book was Process Mining: Security Angle, and this will be my second book, soon to be released: Applied Security Data Strategy, a Leader's Guide. So pretty exciting.
Speaker 1 (03:31):
Wow, that's really fascinating. And maybe, before I start diving into your background a little bit, Justin, why don't you tell us a little bit about your background, right, how you got into IT? What made you want to go down the security rabbit hole?
Speaker 3 (03:50):
Yeah, sure. So I was fortunate to start at Atomic Energy up in Canada, and so I had my secret clearance when I was in second year college, and so when I left, this is probably 17 years ago, when I left college IT security was still pretty much in its infancy. A lot of places didn't have a lot of mature programs and stuff
(04:11):
like that, and so I went back to Atomic Energy and I started building custom intrusion detection systems, Snort boxes back in the day, and then I spent the next probably 10 or 12 years building custom PCAP systems. I left Atomic Energy and went to work at BlackBerry very much in the heyday and built all of the custom packet capture
(04:34):
systems that we use on the critical assets within there, things like domain controllers, RSA servers, stuff like that. I was building packet capture systems and doing incident response, malware reversing. So I've had my GREM for I think something like 15 years, like GREM number 3300 and something.
(04:54):
So I've been doing that a very, very long time and doing incident response. Since then I had the opportunity to work at Equifax. I ran their countermeasures team and then went to the Senate for that incident. My team found the breach. My team built all the packet capture systems there, and when I left Equifax, we had rolled our own 80 gig per second
(05:18):
north-south in-house. So we were building big packet capture systems, writing, you know, writing a lot of IDS, IPS rules, reversing malware, finding indicators, and you know I've been very heavily involved in the community for at least, at least 15 years. Just doing what I can, because the bad folks tend to share
(05:40):
security data very well, and that's something that I've always, you know, prided myself on, is trying to play a little bit of open-handed poker with your friends, letting people know what works, what doesn't and how we can sort of better defend as a community.
Speaker 1 (05:55):
Yeah, that's really fascinating. So, Aksa, when you were in your electrical engineering program, you decided to take a
(06:16):
cloud security course, which is interesting because I didn't have any semblance of cloud security offering in my bachelor's. Going into it, did you think that it would be an interesting challenge for you compared to the electrical engineering work and it would work your brain in another way? I ask that because you said that you learn best when you write things down. Right, and I'm the same way. Actually, I have to write it down, otherwise I'm not going to figure it out. I have to, like, at a minimum see a diagram, you know, and that's
(06:39):
how it kind of starts making sense to me, and so I assume, you know, you probably figured that out pretty quickly if you didn't already know it. Right, because you're not going to be successful for sure in electrical engineering if you don't know how your brain works to learn things.
Speaker 2 (06:55):
Yeah, so when they said optional course, I mean I didn't even think about music and all the arts, I guess. Like psychology, yeah, I guess that's the Indian side of me, but I knew that computer architecture, something really core, I was anyways going to learn as part of my electrical
(07:19):
engineering and computer course subjects. So cloud computing, that was actually the first round of that course in my college, during my batch. So the professor was also figuring out, like, how to teach cloud computing. So I was like, this is new. There is no record of this in the college. It's also something that people are talking about in the industry, you know, if you go on LinkedIn and so on, so I thought
(07:42):
let's give it a try. I mean, I don't know if it's going to be super hard or super easy, but either way, it's going to challenge me to think outside of my electrical engineering box. So I was very happy that I did that, because it opened a lot of opportunities for me. I got to be a part of OCI, which is like Open Cloud Institute within UTSA for research, and that's how I learned about
(08:05):
Docker and containers, because Docker had just come out. Docker was gaining traction at this time, like 2015, 2016. So it was like there's innovation on every side in the industry and with us, and trying to combine physics concepts like quantum computing and cloud computing together was also
(08:26):
quite interesting and unique. So working on that as part of my thesis kind of opened my brain on two different levels, like quantum and then cloud, and so it was a really, really good experience for me. I'd encourage everyone to sometimes think out of the box. You know, you might be a network engineer or data engineer or
(08:49):
security engineer, but sometimes you just have to touch boxes outside of your routine, and that can help you think about your own core strategy in different ways, and I think that really helped my career from there forward, because I was like, this is what I really love and I want to do more of.
Speaker 1 (09:08):
Yeah, that is, you know, that's very true what you said there, right, going outside of your box and trying to, you know, kind of, expand yourself and see where it leads, right, and so I've done that throughout my career personally, and I typically, you know, somehow it coincides with, like, me getting a degree, right.
(09:28):
So I got my master's, got into, you know, cybersecurity and cloud security, that sort of thing. Right now I'm working on my PhD and actually earlier in the week I finished up, like, the bulk majority of my quantum security section, right. So I realized that I was, like, exhausted from it when last night I was like, okay, I'm gonna start on this satellite,
(09:49):
this communication satellite stuff, yeah, and I, like, couldn't get past a sentence and I was like, I need a break, I'm gonna give myself a break here, right. So I just spent like a year working on the quantum stuff and it is, um, I feel like I, like, scratched the surface, you know, like not even coming close to what it is, but having a broader
(10:11):
understanding of it, you know, kind of enables me to provide more value and more ways to, you know, the community, my company and everything else, right. So it's, um, it's definitely challenging when you're going through it. Yeah, yeah.
Speaker 2 (10:27):
On the day one, my professor started by saying everything you learn in physics, throw it out of the box and you have to, like, start with an empty brain and start all over. And it's like, what does he mean? And then I was like, oh okay, this is what he means.
Speaker 1 (10:46):
Because it's, yep, it is difficult to then start saying, okay, well, how is this
(11:10):
built off of quantum? Right, because quantum immediately starts, you know, in several, several dimensions. Right, it tears down everything that you used to know. And the only way that you build up, you know, or, I guess, build up that foundation to the other side of physics is, by, you know, going all the way through quantum.
(11:31):
That's the only way it makes sense.
Speaker 2 (11:33):
I think it will be applicable to security sooner than later. I mean, we're already seeing, you know, the encryption models, quantum key distribution and such concepts being more relevant to the security industry, but that's not what this podcast is about. We can go a whole podcast episode on that. Yeah, yeah, I'll bring you back on to talk about an RSA thing that
(11:53):
dropped last week where it was like, you better use post-quantum stuff because it's as broken as you think it is.
Speaker 1 (12:00):
Yeah, yeah, it is. So we can do like a two second segue, right? A part of, you know, the PhD, right, is that the industry perceives migrating to quantum or post-quantum encryption as being like an extremely heavy lift. But what they don't understand is that 50% of that process is already solved by what they call classical encryption.
(12:24):
Right, so that's already the key distribution. That's a part of it. Quantum is a layer of abstraction on top of what we already have, and so it's really just adding in a new process, procedure. New, you know, any architecture and, you know, physical, you know, like physical, you know, setups and whatnot.
(12:46):
Right, to actually make it work.
Speaker 2 (12:49):
Even that is funny. I mean, there's experiments for quantum entanglement that are, you know, proven for certain distances. People think quantum is just theory, but I think it's happening.
Speaker 1 (13:01):
Yeah, yeah, I specifically, I'm getting my PhD in how to secure quantum communications from the ground to communication satellites and then across, right, and applying zero trust to that, because zero trust is just a framework. So why don't we apply zero trust to it? It has to be zero trust within the actual satellite and then between the satellites, within the architecture of that, right.
(13:24):
So in my research I actually found two or three days ago that China had been doing it and proved it all out and said that, hey, this can actually work. You just have to have relay satellites between here and, you know, 300,000 kilometers or whatever it is, you know, above the Earth, right? So that's the only way that it works, because quantum is a
(13:45):
little bit more inefficient the longer it goes and it's more vulnerable to attack and whatnot. Again, you know, that's like now we're going, now we're going down a path that, uh, you know, we can easily spend three hours on and not even, not even get there, right. Second podcast episode, yeah, yeah, absolutely. I'll have both of you back on for other podcasts, because I
(14:06):
definitely want to talk about Equifax with Justin, primarily because I was working at a competitor to Equifax, I won't say the name, and when Equifax happened, we got a blank check in security and they said just do whatever you need. You know, it's done. And our security budget went from, you know, a couple hundred thousand to several million, you know, tens of
(14:30):
millions, overnight contracts to bring in new products and hire people, like we were. I can't remember how many interviews I actually did at the bar, strictly because I just worked, you know, 12 hours and
(14:52):
I'm like, okay, I can't be in this office anymore, like let's just go across the street. You know, we'll do it over there. Yeah, it's a mouth guard for sure.
Speaker 3 (14:59):
I mean, there's a lot of people who work their entire career and don't get to work half the incidents that I've gotten to, yeah, so I don't know why that's, that's a me thing or that's the happenstance thing, or maybe a little bit of both. But, uh, I've had an interesting career as it pertains to incidents. I've dealt with a ton of cnapt since the 2010 era, 2009 era, so
(15:23):
I was just again very, uh, I guess fortunate from a DFIR perspective to have, you know, fun, cool, jammy incidents. Is it stressful? For sure, and you know, I got pulled into the Senate while on paternity leave and they gave me my own counsel, right, so I was given outside counsel, and a
(15:43):
lot of people again, they go their whole careers and they don't have these types of incidents that they get to work, and so was it stressful, yeah, but it's something that you can't take away from me, it's all up here. There's a lot of stuff that the lessons learned happen when you go through it and you understand what to do, what not to do, how to make things better, faster, stronger.
(16:04):
And a lot of it is like making sure, especially in threat detection and DFIR and stuff like survivability, and making sure that what you're doing is defensible in the eyes of the law. That means a lot and yeah, it's, it's again. I could write a book just on that, but yeah, right after that,
(16:29):
I ended up open sourcing a malware analysis appliance, um, and so I had, uh, again my, the malware game goes very, very deep with me. But if you'd asked me when I was 25 or 26 what I wanted to do, I'd want to catch spies, I want to catch bad people, and I can tick that box. Yeah, that is, you know, it's.
Speaker 1 (16:50):
It's interesting how life goes, right, because I feel like, you know, to be in the seat that you're in, right, the, you know, quote unquote expert seat, to be able to get there, which probably everyone wants to get there. No one really wants to go through a situation like that. I mean, they don't want to go through half of that. You know, and like, but you have to cut your teeth somehow, some
(17:14):
way. You have to get that experience and you can't read about it in a book. You know, you need, no, like the, the steering behind it. You need, no, maybe like a, say, plan, you know, but when you're going through that you're reacting to more random things than you would expect, right? Sure.
Speaker 3 (17:34):
Bad in the unknown unknowns, right? So like, especially when you're dealing with the DFIR stuff. It's not what you read about in the book last week. It's about what the actors have evolved into, and one of the things that you have to be able to do in order to stay ahead is you have to be able to iterate, and the OODA loop is what wins
(17:54):
wars and what wins battles, and if you can evolve quicker than your adversaries, then you'll win the battle and then the war. Like, that's, it's sort of just that simple. Like, you are going to change. A good countermeasure can go and create an evolution in an adversary, and often you have to be planning: do I put this countermeasure in now, or will that cause an
(18:17):
evolution that I'm not prepared to handle? Right, sometimes it's better to understand and keep tabs on your adversaries so you can track them better and then maybe use that to scout ahead and then get a lot more strategic in how you're going and doing this, whether that's coordinated takedowns or hypothesizing what they're going to do next.
(18:39):
It is a chess match. It is very much a chess match, and you have to think about countermeasures as moves and you have to think two and three steps ahead, if not more, because those evolutions, not only can you blind yourself with that, you can either solve the problem or compound it.
(18:59):
Um, and it's, uh, you need to have a really good field of vision and understand what tools you have at your disposal, how you can iterate, what you think they might be moving to next. That kind of thing. Want to say completely lessons learned, but there are some tips and tricks that definitely help set people
(19:25):
up for success, especially as it pertains to, like, the rubber hitting the road. You know, because, again, a lot of this stuff, until you go and experience it, it's hard to describe it, it's hard to take it out of that textbook and make it tangible and have it be something that you really viscerally understand,
(19:46):
right, because often it's the journey that really helps shape your thoughts on how you got there and where you're going, right.
Speaker 1 (19:57):
So why don't we start with, you know, Abstract Security, right? So actually, why don't you tell us, you know, what Abstract Security is, what you guys specialize in, and kind of how this book came about?
Speaker 2 (20:10):
Yeah, absolutely. In a nutshell, we saw that there was a problem with the way data is handled by organizations. Data volume is growing, so you need a strategy to help you do more of the work in the beginning, before your data moves into the storage or its destinations.
(20:31):
Because what happens is, a lot of times, when you have direct integration with your data sources and data destinations. So, let's say, you have your data sources, like cloud providers, you're trying to log the audit trails for security purposes, and then you say, logging is good, we need to log everything, and you dump everything in a storage. Well, now your storage sizes are increasing, that means the
(20:52):
query response times are longer or your cost is more and more. But within that data, there is noise, there are redundant fields, there is no aggregation, there's nothing. It's not manipulated enough to make it compact for you, make it useful for you, especially if you're looking for that needle in the haystack, like security incidents and things that are
(21:14):
relevant to you. Another side of it is it makes migrations difficult, because if you do point direct integrations, you learn the query languages, whatever format the destination needs that data, and you uniquely craft it to that format, and then, when you want to do the migration to another platform, you have the heavy burden of now reformatting your
(21:38):
architecture and trying to manage that scale, or trying to bifurcate your data for compliance purposes and other purposes, right. So that was the problem that we wanted to solve. That's why Abstract came up with this lightweight platform where, instead of directly integrating with your destinations, Abstract's platform becomes your helper in
(22:00):
the middle. So we take the data from the data sources, we remove the noise or empty fields and things that are not useful for you, we aggregate the data, we deduplicate it, remove any duplicate entries and essentially make that data quality data, so that what you're storing is data that is useful for you and you're paying for what is useful instead of
(22:22):
unnecessary noise. Not only that, not only do we make the data better quality, we also normalize the data in real time, so that way, if you're doing any migrations, it's easier for you to switch. As an example, Amazon Security Lake recently came up with, hey, you can now bring in your custom sources outside of Amazon and integrate with us, right, but you have to normalize it into
(22:46):
OCSF format yourself. So that's where Abstract can be like, let us take that heavy lifting off of your plate. We will normalize the data to the format and then you can route it to any destination without worrying about such migration costs. The second thing we do, and I think is really unique to us, in addition to the pipelining features that I mentioned, the
(23:06):
data pipeline telemetry features, is live real-time security analytics, and Justin can talk more about this. He's an expert, he's actually written content for it. But just to give you a high-level overview, the problem is when there is an incident and you're storing it in a storage, having all your data in storage, and then you're querying against it.
(23:27):
It's post-index searches. It takes longer time to get those responses, but if you have real-time streaming analytics with Strat enrichments, then it's faster results. And also it's like the shift left moment for data strategy. Just like the CNAPP, cloud native application platform, had that whole shift left, fix your vulnerabilities earlier in the
(23:50):
lifecycle kind of moment, we're bringing that to data strategy. Like, hey, bring the enrichments, bring the detections more in the earlier phases, so you are well-equipped, have faster mean time to detect and mean time to remediate these forces. And then our third module that we're working on is also the way
(24:10):
you store your data. So, like I mentioned, there's a problem of storage cost versus retrieval or query speeds and retrieval speeds. So the way we wanted to solve it is by giving you a tiered storage model where you have your real-time storage, which is faster responses, a higher cost disk, but for data that you
(24:31):
would query on a regular basis, like weekly metrics and so on. But you also have something like cold storage where you want to store data for compliance purposes that people don't really retrieve or request queries for too often, so they are a little bit longer on query time, but still you're saving costs because the storage is cheap. So that's how we manage, like, the storage versus retrieval
(24:54):
speed, by bringing you this tiered model to make sure you're getting the best of your data stretch. Yeah, Justin, why don't you talk about our annual deployment?
Speaker 3 (25:06):
Yeah, yeah. So I'll just preface this by saying I'm a rules guy, have been for a very, very long time. You know, I've been using YARA for 15 years and Snort for probably longer than that. Sigma, for as soon as it came out. I've written tens of thousands of countermeasures and, you know, the value of having a
(25:26):
really rock solid engine can't be understated enough, or overstated enough, rather. Your engine, it is, it's how you go fast, it's how you keep velocity and all of that fun stuff. And so here at Abstract we have a lot of really cool features that, you know. I'm a firm believer that a lot of these incident responders,
(25:47):
they're essentially data scientists. It might be scoped a little more narrowly, but that's what we're doing. Right is data science. You're finding the needles in the haystack, you're finding the outliers, you're doing what you can to bring signal from the noise. And with our engine there's a number of really, really cool
(26:07):
features that we have. I've just released a number of what we're calling Abstract Amplify rules, which are things where, you know, it will sort of give you out of the box correlation where we see, okay, there were X number of low alerts, but it was from a single username. Well, that's now a medium, right, and going and being able to see that automated bubbling up and
(26:28):
having things sort of tell you, let the data tell you the story, right, 'cause that's what you're doing. You can't really force that kind of thing. But the other thing that I use quite heavily is this concept that we have of models, and models are essentially an
(26:52):
in-memory database that can be populated dynamically by the logs as they come in over the wire. And so I'll give you an example. Let's say you're an Okta shop and you have authentication data and you want to go and keep that authentication data in an in-memory database so that you can reference it from other rules. So then you can do things like start doing really advanced correlation, but on data that's being dynamically populated.
(27:14):
So you want to go and enrich something. Maybe your proxy logs don't have the username on them, but you get that from Okta, right? Well, now you can go and say, all right, when this stuff comes in over the wire, go ahead and slap, enrich that field onto something that previously didn't have that data. Well, now you're going and empowering your analysts and
(27:36):
your engineers to go and do stuff that they couldn't do before. And the other one, which I really, really like, is the concept of doing autonomic security. So autonomic security is the idea of self-defending, and the best example I can give of that is if you have a series of websites that your customers go to and they are logging into the
(28:00):
website because they have to do stuff and they need credentials, well, you can then go and take a dynamically populated list of people who have successfully authenticated to your platform, act. You know, remote code execution, local file include, remote file include. If they start doing stuff that's against the law and they
(28:21):
haven't logged in, there's no customer impact if I dynamically block you, if my immune system responds and says, whoa, whoa, you didn't actually do what you were supposed to do and now you're bringing a gun to the party. Uh, that's not how this works. Right, like, you have, there's a right way and a wrong way to do things. And when you can build these systems such that you have those
(28:43):
checks and balances dynamically populated and dynamically leveraged, that's the kind of stuff that's really going to raise the cost of doing business to your adversaries, right? So now I'll give you a real world example. You've got pen testers or people that come in and they're going to break in. Pen testers and bad actors, right. But your pen testers, those are the kind of people that you
(29:04):
want in a walled garden, right? You want to have to let them in before they, you know, start doing that really bad stuff. And if your system can self-defend in real time or near real time, now all of a sudden your bad actors have to go and burn infrastructure. They came in, they got 10 packets through, maybe even got 100 packets through, right.
(29:26):
But then they were dynamically blocked for seven days. And then now they're going to have to go and burn more IP space. And as they burn more IP space, you can start doing things like seeing the patterns in who is attacking you. So it takes these opportunistic attackers and it slams a door
(29:46):
on them, right, and it allows you to focus on the attackers who are focusing on you, and that's where you need to spend your resources, right? That's what a lot of people may or may not understand. It's not always the 12-year-old or 16-year-old kid in the basement who's doing this stuff. But do you really want to be spending your tier three and
(30:07):
tier four IR cycles on something that that person never had or should have been able to throw remote code execution at your website anyway? That's something that should only happen from a walled garden, and so if you can start determining how you can go and implement dynamic security controls without impacting
(30:28):
business costs and without impacting your customers, that's incredibly powerful. That is very much where we need to evolve to as an industry. Right, and some of us, you know, there's people out there who've been doing this for a decade plus, myself included, that there are ways to do this. Historically speaking, it was expensive.
(30:50):
It cost you expensive queries every five minutes, every 10 minutes, going and boiling small oceans or ponds and then going and acting on that, when you can go and dynamically take this data and funnel it to where you need to to make those decisions happen themselves. Now your analysts and your engineers, they're focusing on
(31:11):
stuff that is more important. The opportunistic attackers are not doing the same kind of damage in your environment. Right, you're allowed to focus on the people who are focusing on you. You know, half of it wouldn't be an interview with me if I didn't quote Sun Tzu, but you know, know thyself is a very, very big part of this. And if you know your customers, why don't you act on that?
(31:32):
Why is that not something that is dynamically happening in your environment, where you can again free up resources to do harder tasks, to focus on the APTs, to focus on the people who are focusing on you, and that's again. We have really, really core foundational building blocks
(31:53):
that are very powerful and adaptable to many different use cases: fraud, external exploitation, right. There's dozens of these scenarios where the way I like to think of it is, if your website is a party and you tell your friends not to step on your lawn because you like your lawn and someone steps on your lawn, they're not your friend, right,
(32:16):
and you can say, you know what, you're not getting in the party. You stepped on the lawn and that's not how we do this, right? Or, better yet, you can start to do things which will take that to the next level, and maybe you put a sign on your front door instead that says, you know what, threat actor? Go around back. The entrance is actually around back, right, and what you can
(32:38):
actually do is start redirecting resources and doing what we can to make asymmetric warfare happen to these threat actors. So now, not only are you going to be able to interdict them more quickly, but you're going to be able to get inside their decision cycle and burn time which they can never get back,
(32:59):
right. And so that's where we need to evolve to. We need to get to the point where, yeah, the system does most of the work, but it does it because we know ourselves and we've gone and said, no, here's my grass, and my friends know where my grass is and they don't walk on it,
(33:19):
they don't walk on it.
Speaker 1 (33:20):
Yeah, that is, that's
fascinating, because it kind of
sounds like, you know, what you're describing is like the
next evolution of security, because with, you know, with
the advent of the cloud, right, our data that we've been storing
and keeping and everything like that, especially, you know, with
the compliance requirements, right, I mean some of these
compliance requirements, you have to store, you know, everything
that logs into a financial app, right, and so now we're in a
(33:41):
situation where it's like, yeah, we have petabytes of data,
right, like we have a whole bunch of data and I hope I never
have to query it, because we don't even have the data
scientists to query that data, right, like, because those are
not cheap resources and most companies do not staff, you know,
data engineers, data scientists or anything like that
(34:05):
to actually pull it in, right, and so it's interesting because
it sounds like your solution kind of, it not only augments or
eliminates the need for that resource, but it also builds in
security right from the very beginning, right, and I think
that that's interesting and it kind of ties into, you know, what
(34:27):
you named, you know, the book, right, Security Data Strategy,
which is completely different, right, and, you know, you pointed
this out too, Aqsa, before we started, is, you know, it's
security data strategy
for a reason, right. Normally you would think of it in terms
of data security strategy.
(34:47):
I have to have a strategy for securing my data.
Well, really, it's removing or shifting less,
you know, where that security is actually applied, when it's
applied and things like that.
You know, really, that's the only way to do it, because we're
moving into,
we're moving into like uncharted territory, right?
Speaker 2 (35:11):
Yeah.
Speaker 1 (35:11):
We've never seen this
amount of data, this amount of
resource before.
Right, and you're required to do something with it.
You're required to secure and ensure the security of it, which
is always a challenge.
I was recently on a call, I won't say the company, but it's
(35:31):
a financial sector company, right?
And they were telling me, oh yeah, we got rid of Splunk.
I said, okay, well, what did you replace it with?
Because, right off the bat, that's the wrong answer, right.
I got rid of Splunk.
Okay, now I'm worried. And, you know, they said that they
basically replaced it with, you know, an open source solution.
And so I asked, okay, how quickly do your logs roll over?
(35:54):
And they said, oh, we have, you know, 10 tiers of logs and they
roll every couple minutes.
You know, every five to 15 minutes,
these logs are rolling from a, you know, a high traffic
financial app, and so, you know, it started going down this
rabbit hole where, you know, you have so much data that you
(36:16):
almost can't even afford the storage costs of that data,
right, and so I bring that up because your solution sounds
like it's pretty unique.
Where it's able to, it's able to really sift through these
vast amounts of data and say, okay, you need to pay attention to
this or you need to store this long term, right. Exactly, it has
(36:39):
that built-in cost savings feature with it, which is really
interesting.
You don't see that normally.
Speaker 3 (36:46):
So I'll just jump in
here.
Sorry, I didn't mean to interrupt.
One of the things that I kind of think in my head is, like, you
know, historically speaking, when you're doing this the
old-fashioned way, there's a bus that goes by, right, and
there's two people on the bus that are bad actors, right.
It's way harder to go back and chase that bus down and then
sift through everyone on the bus than it is to go and see people
(37:06):
walking down the street and pick them out and say, nope, do
not pass go, do not collect $200, right.
And instead of having to go and do the rework later on, the
streaming portion is obviously incredibly beneficial to getting
that signal out of the noise so that you can go and do more
fancy stuff in real time.
(37:28):
Because, let's say, you go and solve that problem and you go,
and you're not batch querying and you're not doing this, and
you're not doing that, you're going to evolve.
You're going to go and hit the bad guys where it hurts and then
they're going to evolve, right, and as they evolve, you have to
continually evolve, right, and that's where people often forget
(37:50):
that, like, you know, this is a journey.
You're constantly evolving.
This isn't a set and forget thing.
It never will be, right.
(38:20):
Historically speaking, yeah,
they had data science teams that
often would hang off of home-brewed bifurcated data and
they would run custom tools.
I've been doing it for over a decade.
Right, we had a SIEM.
We also ran data analytics components that were doing other
detection.
That was more involved because we had to do more advanced
(38:40):
correlation and stuff.
Well, there needs to be a tool to do that.
There needs to be something where you can go and build on
this stuff so that you can dynamically steer data, so that
you can dynamically use that data.
And it opens doors that previously were closed when it
comes to being able to evolve faster than your adversary.
Speaker 1 (38:59):
That makes sense,
Aqsa.
What were you going to bring up or mention?
Speaker 2 (39:04):
Yeah, I was going to
say that's how industry itself
is evolving as well, Joe, because, you know, CIO and CISO
roles are merging and people are understanding that.
Hey, when you look at data, you have to merge the use cases
between security and the other operations, like analytics and
so on.
Now the security teams, as you rightly pointed out, may not
(39:26):
have data engineers or a whole investment for data analysis,
but a lot of security needs rely on data logging and platforming,
just as much as other needs data processing.
So this combination or this merging is where we want to help
organizations move, and that's what we talk about in the book
(39:47):
as well.
And if you see the cover page of the book, it shows data
governance is kind of like an umbrella over everything else,
all the different phases of data strategy, and that's in line
with, if you see something like the NIST Cybersecurity Framework.
They say that governance in general incorporates around
every other phase of your organization strategy for
(40:09):
cybersecurity maturity profile.
So just like that, I think, when it comes to data, what
we've learned with all the nine authors, who are not even from
Abstract but security industry experts, is that when you are
thinking of strategy, you have to think of volume, you have to
think of flexibility, because it's not going to stay the same,
(40:30):
it's going to scale, it's going to evolve.
So you have to future-proof your strategy.
So you have to think of that.
You have to think of how to measure it.
I mean, it's one thing to just say in theory, like, you have a
good strategy around it.
How good, on a scale of one to six? Is it four, five, six, one,
two?
(40:50):
So we wanted to provide that security scale, maturity scale
for assessment as well, which is part of the book, and then it's,
are you thinking about security and governance when you're
designing this?
So, throughout the phases, we're thinking about how do you
really make the most of the data that's useful for security and
how do you combine data analytics with that in mind.
(41:13):
So it's something that, as we're building the platform, we
are also trying to educate the industry on that.
Security in data, or like, you can't separate the two, and if
you want to make the most of your data strategy, security
leaders or CIO leaders or data leaders need to work together to
get that effective strategy.
Speaker 1 (41:36):
Sure is yeah, it
outage.
Speaker 3 (42:04):
And I had to do an
RCA up to the president of the
Canada side, and part of that was making sure it never, ever
happened again.
And going and getting good at governance as you're doing
security operations is paramount, right.
(42:25):
Right, because if every time you have to do something jammy,
you're stuck behind governance,
then you're not going to do anything jammy, ever.
Right, you're going to be stuck behind governance.
And so meeting governance at the table, making sure that
they're stakeholders, making sure that you're working hand in
glove with them, allows you to run with scissors.
It allows you to evolve faster.
Right, because you're going to have to, right, and avoiding
(42:46):
governance in this day and age is not an option.
Right, regulators are everywhere.
You know, the ops people and the DFIR people,
I like to think we're the blackjack dealers, right?
You know, we're out there.
We've got the eye in the sky watching over us.
We're just trying to make sure everyone has a good time, right,
and they do it safely.
Right, and going and making sure that you involve governance
(43:13):
very deeply in your SecOps is a maturity step that you really
want to take early on, and you want to make sure that you're
doing that in a way that is scalable, that is auditable and
that you can make sure that you've got all the checks and
balances.
You need to go and do those jammy things quickly and respond
(43:35):
quickly and safely.
You don't want to harm your customers, you don't want to
harm your own systems, you don't want to break the law.
There's a whole lot of stuff that, if you do this up front,
and again, don't avoid governance, it's not something
that could or should ever be done.
It's one of those things where you just need to sort of mature
at the beginning a little bit more to make sure that your
(43:56):
governance program works in the way that you need to from an ops
perspective, and that's something that a lot of people
overlook sometimes.
Having a good relationship between your ops people and your
governance people will enable better velocity all over.
Yeah, that is interesting.
Speaker 1 (44:15):
Most security people
don't ever want to even get on a
call with, like, governance and compliance.
It's just, it's like the worst part of our job that no one, no
one wants to do, right.
So, you know, at least from, you
know, what, what you were saying, Aqsa,
it sounds like this book is kind of like a one-stop shop for,
(44:36):
you know, getting your security data strategy, kind of, you know,
going and moving forward, and does it potentially include, like,
a next steps?
Right, okay, you got, you got the framework, you got the
scoring down, you know where you're at.
What are the next steps?
Where do I take it from here?
Speaker 2 (44:55):
Absolutely.
As a part of the appendices, we have workbook templates, and a
lot of the authors provided really good assets and materials
there to see this functioning.
It's not just a theoretical guide, but it's a practical
guide.
So if you're on step two, we help you see what step three,
four, five would look like.
Ultimately, it's about gaining maturity in every stage.
(45:19):
Usually people think, as a whole, you have a maturity scale.
True, but you can be good in one phase and not so good in the
other phase.
Data strategy, like, you could be really good in data
collection, but maybe you're not as strong in data storage or
data reporting, you know.
So we provide a scale for each of those phases of your data
(45:42):
strategy and how to assess where you are and how to get to the
next state or what a mature state of that phase would look
like.
So, by using the resources that we have in the appendices, the
examples, the lessons learned, as Justin mentioned, not just
the do this,
but what are the myths around data strategy?
(46:02):
Like, log everything.
Is that really the best strategy?
Things like that, breaking down the myths, the don'ts of, are
the mistakes and pitfalls to avoid. All of that, we're hoping,
will help people to really rethink, if they are already in
the middle of an architecture, make sure it's flexible and see
if they need to make any changes. If they are starting from
(46:23):
scratch,
this book is still for you, so it covers people wherever they
are in their journey.
Even if you are mature, it's a good way to just see, does your
maturity really align with what we're seeing in the industry?
If you are a beginner, like you just took on the role of trying
to architect something, what are the things you have to watch
(46:44):
out for and how do you start? If you're somewhere in the middle,
like you're going through re-architecting,
I think someone that we were, I was talking to as part of
security data strategy interviews that I was doing,
they said it took them six months to a year to re-architect
everything because they wanted to change their SIEM platform.
They wanted to change their end destination.
(47:06):
They didn't realize how much work it would take until they
started doing it.
Just like you mentioned in your example with the Splunk to open
source.
It's not a two-day switch.
You have to redo everything if you're not flexible in your
architecture.
That's a nightmare, which is why it's so important to have
this movement in the beginning of the cycle, and this book is
(47:29):
absolutely free, and when I say free, it's also non-gated.
We don't need an email for you to download your ebook, because,
you know, a lot of marketing and companies are like, it's free,
but give us your email, give us your details, and then we'll send
you all this, like, scam emails, spam emails, about how you
can buy our product and make things better.
No, it's purely for community and it's a brainchild of people,
(47:53):
not just from Abstract, but from outside of Abstract,
although Abstract,
I'm thankful to work in a company that sponsored all costs
for it, publishing costs, printing costs, design costs,
editing costs, everything, but we're just giving it out for
free.
It will also be on Amazon, Kindle, Barnes and Noble Kindle.
We'll also have a few printed versions for anyone who's
(48:16):
interested in that.
But our main goal is to really amplify the messaging that you
need to think about it as a strategy, from a security lens,
and here's how you do it day, right, and I'm sure we're all in
(48:44):
back-to-back meetings, right.
Speaker 1 (48:44):
But, you know, before,
before I let you guys go on, I
definitely want to have both of you back on again, right,
probably individually, and we'll have our own topics that we, we
discussed and everything.
I think that'd be great.
I think my audience would really love that and I'm,
selfishly, I would,
I would really love it.
But, you know, before I let you guys go, how about you guys tell
me, you know, where my listeners can find you if they wanted to
(49:06):
connect with you on, you know, LinkedIn, or if you have a
Twitter slash,
you know, X, I still call it Twitter, and then, you know, where
they could potentially find,
you know, Abstract Security, or even, you know, the book, if the
book is, you know, published on Abstract Security's.
Speaker 3 (49:23):
Uh, you can find
me on LinkedIn.
It's the only,
it's the only social media I do.
My, uh, my wife's marriage request is still pending in
Facebook.
I don't think I've logged in since I had clearance up in
Canada.
So for me, I'm not a big social media guy.
I'm more of a behind the scenes, in the shadows, kind of guy.
Feel free to hit me up on LinkedIn. If we have friends in
(49:46):
common,
I will likely be okay with that.
But again, I'm more of a behind the scenes kind of guy.
Speaker 2 (49:54):
It was so hard to
find his data that I was like, I
can't find a photo of you.
I want to put a photo of you in the book.
Others, like, there's nowhere, and he's like, successful.
I work with a number of people.
Speaker 3 (50:24):
Every Wednesday night
I do work building awesome, cool
stuff with a good friend of mine.
I have for the last 18 years and I definitely am still
participating very, very actively.
I just try not to be loud about it.
I don't want to paint a target on my back.
Speaker 1 (50:38):
Yeah, that makes
sense, unlike me, he's a some
security guy.
Speaker 2 (50:43):
I'll probably have to
say I'm the opposite of Justin
when it comes to online presence.
You can find me on LinkedIn easily because my name's pretty
unique, so I'll probably be on your top of search results.
Even if you Google me, you'll find, like, resources that have
been associated with the books that I've written or the
podcasts and things I've been, like said, Aqsa Taylor's pretty
(51:05):
unique name, at least until now.
I'm also on Twitter, X, whatever, but it's, I'm not as active now
as I used to be before, so LinkedIn would be the best way
to find me.
My name is Aqsa T-A-Y-L-O-R.
That's what you would put in the direct URL for LinkedIn
profile as well.
Speaker 1 (51:25):
Awesome.
And then the book can be found just at Abstract Security.
Speaker 2 (51:30):
Yes, not yet.
Speaker 1 (51:31):
And Amazon and
everything else, right?
Speaker 2 (51:35):
March 18th is the
date that we are targeting for
the launch and it will be available on online media on
March 18th.
It will be available on the Abstract Security website.
We will also have a direct link to the book.
If you are curious or if you want early access before that,
you can message me or DM me on LinkedIn and I'll see if I
(51:55):
can get you early access.
But the main launch will be next week.
Speaker 1 (52:01):
Awesome Sounds great.
Well, I'm looking forward to going through it and seeing what
I can apply easily and what phases in my own organizations
and whatnot.
So I really appreciate you guys coming on.
I think we had a fantastic conversation.
I really enjoyed it.
Speaker 3 (52:17):
Yeah, I appreciate
you having us here.
I could shoot the breeze with you all day.
I mean, you're very conversational.
I can blow hot air with the best of them, awesome.
Speaker 2 (52:27):
Thank you for having
us, Joe. Really appreciate it.
Speaker 1 (52:30):
Yeah, absolutely, and
thanks everyone for listening.
Be sure to check out the resources that we mentioned.
The links will be in the description of this episode.
Thanks everyone, Awesome.
Have a good one.