Jul 5, 2022
Guest:
- Erik Bloch, Senior Director of Detection and Response at Sprinklr
Topics:
- You recently coined a concept of “output-driven Detection and Response” and even perhaps broader “output-driven security.” What is it and how does it work?
- Detection and response is alive (obviously), but sometimes you say SOC is dead, what do you mean by that?
- You refer to a federated approach for Detection and Response” (“route the outcomes to the teams that need them or can address them”), but is it workable for any organization?
- What about the separation of duty concerns that some raise in response to this? What about the organizations that don’t have any security talent in those teams?
- Is the approach you advocate "cloud native"? Does it only work in the cloud? Can a traditional, on-premise focused organization use it?
- The model of “security team as a decision-maker, not an implementer” has a bit of a painful history, as this is what led to “GRC-only teams” who lack any technical knowledge. Why will this approach work this time?
Resources:
- “RIP SOC. Hello D-IR”
- “Kill your SOC with a D-IR model”
- “Security De-Engineering: Solving the Problems in Information Risk Management” book
- “A SOCless Detection Team at Netflix”
- “Achieving Autonomic Security Operations: Automation as a Force Multiplier”
- “Start with Why: How Great Leaders Inspire Everyone to Take Action“ book
- “Think Like a Monk: The Secret of how to Harness the Power of Positivity and be Happy Now” book
- “On “Output-driven” SIEM”
- “SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond” (ep58)