
Security Unfiltered
Security Data Strategy: Lessons from the Equifax Breach with Justin Borland and Aqsa Taylor
In this episode, we dive into the critical world of security data strategy with experts Aqsa Taylor and Justin Borland, authors of the upcoming book Applied Security Data Strategy: A Leader’s Guide. Justin, a veteran of the Equifax breach, shares firsthand lessons from one of the biggest security incidents in history, while Aqsa explores her journey from electrical engineering to cloud security and the role of governance in data management. Together, they unpack the challenges of handling massive security data, the power of real-time analytics, and how Abstract Security’s platform transforms data strategy with deduplication, normalization, and tiered storage. Perfect for CIOs, CSOs, and security pros looking to future-proof their organizations. Subscribe for more cybersecurity insights!
Key Points Covered:
Introduction to Aqsa Taylor and Justin Borland, emphasizing their expertise and new book.
Justin’s Equifax experience as a compelling narrative hook.
Aqsa’s background and insights on governance and cloud security.
Abstract Security’s innovative approach to data strategy (deduplication, real-time analytics, etc.).
Target audience callout (CIOs, CSOs, security professionals) and a subscription prompt.
Follow the Podcast on Social Media!
YouTube: https://www.youtube.com/@securityunfilteredpodcast
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Speaker 1: How's it going? Aqsa and Justin, it's great to get you guys on the podcast. I think we've been working towards this for a while, and I know you guys have some really interesting topics to bring up. You guys are shortly releasing an e-book on it, on a topic that I'm probably not as well-versed in as I probably should be, which is an interesting side topic. But how's it going?
Speaker 2: Going good, Joe. Thank you for having us. I'm super excited and, knowing that this is all just raw, going with the flow, I'm really curious and excited for this.
Speaker 1: It's interesting, people react differently to this podcast format, right? I think a lot of podcasts out there probably offer up, you know, a lot of different questions, and they do a whole lot of research and everything else like that. But I feel, personally, it takes away from the genuineness of the podcast, right? Like, I think that there's a level of authenticity that this format captures, where it's truly just us having a conversation. It's not scripted or anything like that. You know, like, I find that whenever I script something, I do worse at it. At least I feel I do good at memorizing lines, that's for sure, yeah.
Speaker 1: Yeah, that's probably why I never got into, you know, like, plays or speech, whatever that was like, you know, in high school. Never did any of that. It was literally the reading of a script that was a part of it. It was like, okay, well, I can't react to this how I would normally react. More of an ad lib guy myself. Yeah, yeah, awesome.
Speaker 1: Well, you know, first I'll start with, you know, you guys each introducing yourselves. We'll start with Aqsa. So how did you get into IT? How did you start to specialize in security? What made you go down that path? Because you have a pretty interesting background, I think. You're a bit of an author and security professional, security expert. So how did you start going down this path?
Speaker 2: Yeah, good question. I ask that of myself too. So, interesting story: I did my master's in electrical engineering, and you have to take an optional course outside of your core, and so I took cloud computing as an optional course, which kind of became my entire career journey since then. So at that time, when I was doing my master's, container security was really the topic that everyone was talking about, and my professor wanted to mix quantum with container security, cloud security. So I looked up companies that were doing it for my research paper, got into Twistlock, which got acquired by Palo Alto Networks, and then I moved to product management, building these products for customers, for organizations that are looking to strengthen their cloud security posture, workload security and all.
Speaker 2: And then came Abstract. So I've been really fortunate in working with these startups, successful startups and companies that are on the edge of doing something new, something innovative. And I love to write, so it was natural for me that when I learn something, I learn it by writing or taking notes. So I thought, what better way to share the knowledge than in books? So my first book was Process Mining: Security Angle, and this will be my second book, soon to be released: Applied Security Data Strategy: A Leader's Guide. So, pretty exciting.
Speaker 1: Wow, that's really fascinating. And maybe, before I start diving into your background a little bit, Justin, why don't you tell us a little bit about your background, right? How you got into IT? What made you want to go down the security rabbit hole?
Speaker 3: Yeah, sure. So I was fortunate to start at Atomic Energy up in Canada, and so I had my secret clearance when I was in second year of college. And so when I left college, this is probably 17 years ago, IT security was still pretty much in its infancy. A lot of places didn't have a lot of mature programs and stuff like that, and so I went back to Atomic Energy and I started building custom intrusion detection systems, Snort boxes back in the day, and then I spent the next probably 10 or 12 years building custom PCAP systems. I left Atomic Energy and went to work at BlackBerry, very much in the heyday, and built all of the custom packet capture systems that we used on the critical assets within there, things like domain controllers, RSA servers, stuff like that. I was building packet capture systems and doing incident response, malware reversing. So I've had my GREM for, I think, something like 15 years, like GREM number 3300 and something. So I've been doing that a very, very long time, and doing incident response.
Speaker 3: Since then I had the opportunity to work at Equifax. I ran their countermeasures team and then went to the Senate for that incident. My team found the breach. My team built all the packet capture systems there, and when I left Equifax, we had rolled our own 80 gig per second north-south in-house. So we were building big packet capture systems, you know, writing a lot of IDS, IPS rules, reversing malware, finding indicators, and, you know, I've been very heavily involved in the community for at least 15 years, just doing what I can, because the bad folks tend to share security data very well. And that's something that I've always, you know, prided myself on, is trying to play a little bit of open-handed poker with your friends, letting people know what works, what doesn't, and how we can sort of better defend as a community.
Speaker 1: Yeah, that's really fascinating. So, Aqsa, when you were in your electrical engineering program, you decided to take a cloud security course, which is interesting, because I didn't have any semblance of a cloud security offering in my bachelor's. Going into it, did you think that it would be an interesting challenge for you compared to the electrical engineering work, and that it would work your brain in another way? I ask that because you said that you learn best when you write things down, right? And I'm the same way, actually. I have to write it down, otherwise I'm not going to figure it out. I have to, at a minimum, see a diagram, you know, and that's how it kind of starts making sense to me. And so I assume, you know, you probably figured that out pretty quickly if you didn't already know it, right? Because you're not going to be successful, for sure, in electrical engineering if you don't know how your brain works to learn things.
Speaker 2: Yeah, so when they said optional course, I mean, I didn't even think about music and all the arts, I guess.
Speaker 2: Like psychology, yeah. I guess that's the Indian side of me, but I knew that computer architecture, something really core, I was anyway going to learn as part of my electrical engineering and computer course subjects. So cloud computing, that was actually the first round of that course in my college, during my batch. So the professor was also figuring out how to teach cloud computing. So I was like, this is new. There is no record of this in the college. It's also something that people are talking about in the industry, you know, if you go on LinkedIn and so on. So I thought, let's give it a try. I mean, I don't know if it's going to be super hard or super easy, but either way, it's going to challenge me to think outside of my electrical engineering box. So I was very happy that I did that, because it opened a lot of opportunities for me.
Speaker 2: I got to be a part of OCI, which is like the Open Cloud Institute within UTSA, for research, and that's how I learned about Docker and containers, because Docker had just come out. Docker was gaining traction at this time, like 2015, 2016. So it was like there's innovation on every side in the industry, and with us, trying to combine physics concepts like quantum computing and cloud computing together was also quite interesting and unique. So working on that as part of my thesis kind of opened my brain on two different levels, like quantum and then cloud, and so it was a really, really good experience for me.
Speaker 2: I'd encourage everyone to sometimes think out of the box. You know, you might be a network engineer or data engineer or security engineer, but sometimes you just have to touch boxes outside of your routine, and that can help you think about your own core strategy in different ways. And I think that really helped my career from there forward, because I was like, this is what I really love and I want to do more of.
Speaker 1: Yeah, that is, you know, that's very true, what you said there, right? Going outside of your box and trying to, you know, kind of expand yourself and see where it leads, right? And so I've done that throughout my career personally, and I typically, you know, somehow it coincides with, like, me getting a degree, right?
Speaker 1: So I got my master's, got into, you know, cybersecurity and cloud security, that sort of thing, right? Now I'm working on my PhD, and actually earlier in the week I finished up, like, the bulk majority of my quantum security section, right? So I realized that I was, like, exhausted from it when last night I was like, okay, I'm gonna start on this satellite, this communication satellite stuff, yeah, and I, like, couldn't get past a sentence, and I was like, I need a break, I'm gonna give myself a break here, right? So I just spent, like, a year working on the quantum stuff, and I feel like I scratched the surface, you know, like, not even coming close to what it is, but having a broader understanding of it, you know, kind of enables me to provide more value in more ways to, you know, the community, my company and everything else, right? So it's definitely challenging when you're going through it. Yeah, yeah.
Speaker 2: On day one, my professor started by saying, everything you learned in physics, throw it out of the box, and you have to, like, start with an empty brain and start all over. And it's like, what does he mean? And then I was like, oh okay, this is what he means.
Speaker 1: Yep, it is difficult to then start saying, okay, well, how is this built off of quantum? Right, because quantum immediately starts, you know, in several, several dimensions. Right, it tears down everything that you used to know. And the only way that you build up, you know, or, I guess, build up that foundation to the other side of physics is by, you know, going all the way through quantum. That's the only way it makes sense.
Speaker 2: I think it will be applicable to security sooner than later. I mean, we're already seeing, you know, the encryption models, quantum key distribution and such concepts being more relevant to the security industry, but that's not what this podcast is about. We can go a whole podcast episode on that.
Speaker 1: Yeah, yeah, I'll bring you back on to talk about an RSA thing that dropped last week, where it was like, you better use post-quantum stuff because it's as broken as you think it is.
Speaker 1: Yeah, yeah, it is. So we can do, like, a two-second segue, right? A part of, you know, the PhD, right, is that the industry perceives migrating to quantum or post-quantum encryption as being, like, an extremely heavy lift. But what they don't understand is that 50% of that process is already solved by what they call classical encryption. Right, so that's already the key distribution. That's a part of it. Quantum is a layer of abstraction on top of what we already have, and so it's really just adding in a new process, procedure, new, you know, architecture and, you know, physical setups and whatnot, right, to actually make it work.
Speaker 2: Even that is funny. I mean, there's experiments for quantum entanglement that are, you know, proven for certain distances. People think quantum is just theory, but I think it's happening.
Speaker 1: Yeah, yeah. Specifically, I'm getting my PhD in how to secure quantum communications from the ground to communication satellites and then across, right, and applying zero trust to that, because zero trust is just a framework. So why don't we apply zero trust to it? It has to be zero trust within the actual satellite and then between the satellites, within the architecture of that, right? So in my research I actually found, two or three days ago, that China had been doing it and proved it all out and said that, hey, this can actually work. You just have to have relay satellites between here and, you know, 300,000 kilometers or whatever it is, you know, above the Earth, right? So that's the only way that it works, because quantum is a little bit more inefficient the longer it goes, and it's more vulnerable to attack and whatnot. Again, you know, now we're going down a path that, uh, you know, we can easily spend three hours on and not even get there, right? Second podcast episode. Yeah, yeah, absolutely.
Speaker 1: I'll have both of you back on for other podcasts, because I definitely want to talk about Equifax with Justin, primarily because I was working at a competitor to Equifax, I won't say the name, and when Equifax happened, we got a blank check in security, and they said, just do whatever you need. You know, it's done. And our security budget went from, you know, a couple hundred thousand to several million, you know, tens of millions, overnight: contracts to bring in new products and hire people. I can't remember how many interviews I actually did at the bar, strictly because I just worked, you know, 12 hours, and I'm like, okay, I can't be in this office anymore, like, let's just go across the street. You know, we'll do it over there. Yeah, it's a mouth guard for sure.
Speaker 3: I mean, there's a lot of people who work their entire career and don't get to work half the incidents that I've gotten to. Yeah, so I don't know why that is, whether that's a me thing or that's a happenstance thing, or maybe a little bit of both. But, uh, I've had an interesting career as it pertains to incidents. I've dealt with a ton of APTs since the 2010 era, 2009 era, so I was just, again, very, uh, I guess, fortunate from a DFIR perspective to have, you know, fun, cool, jammy incidents.
Speaker 3: Is it stressful? For sure. And, you know, I got pulled into the Senate while on paternity leave, and they gave me my own counsel, right, so I was given outside counsel. And a lot of people, again, they go their whole careers and they don't have these types of incidents that they get to work. And so, was it stressful? Yeah, but it's something that you can't take away from me, it's all up here. There's a lot of stuff, the lessons learned happen when you go through it, and you understand what to do, what not to do, how to make things better, faster, stronger. And a lot of it is, like, making sure, especially in threat detection and DFIR and stuff, like survivability, and making sure that what you're doing is defensible in the eyes of the law. That means a lot. And yeah, it's, again.
Speaker 3: I could write a book just on that. But yeah, right after that, I ended up open-sourcing a malware analysis appliance. Um, and so, again, the malware game goes very, very deep with me. But if you'd asked me when I was 25 or 26 what I wanted to do, I'd want to catch spies, I want to catch bad people, and I can tick that box. Yeah, that is, you know, it's.
Speaker 1: It's interesting how life goes, right? Because I feel, like, you know, to be in the seat that you're in, right, the, you know, quote-unquote expert seat, to be able to get there, which probably everyone wants to get there. No one really wants to go through a situation like that. I mean, they don't want to go through half of that, you know. But you have to cut your teeth somehow, some way. You have to get that experience, and you can't read about it in a book. You know, you need to know, like, the steering behind it. You need to know, maybe, like, a, say, plan, you know, but when you're going through that, you're reacting to more random things than you would expect, right? Sure.
Speaker 3: Bad in the unknown unknowns, right? So, like, especially when you're dealing with the DFIR stuff, it's not what you read about in the book last week. It's about what the actors have evolved into, and one of the things that you have to be able to do in order to stay ahead is you have to be able to iterate. And the OODA loop is what wins wars and what wins battles, and if you can evolve quicker than your adversaries, then you'll win the battle and then the war. Like, it's sort of just that simple. Like, you are going to change.
Speaker 3: A good countermeasure can go and create an evolution in an adversary, and often you have to be planning: do I put this countermeasure in now, or will that cause an evolution that I'm not prepared to handle? Right? Sometimes it's better to understand and keep tabs on your adversaries so you can track them better, and then maybe use that to scout ahead, and then get a lot more strategic in how you're going and doing this, whether that's coordinated takedowns or hypothesizing what they're going to do next. It is a chess match. It is very much chess, and you have to think about countermeasures as moves, and you have to think two and three steps ahead, if not more, because with those evolutions, not only can you blind yourself, you can either solve the problem or compound it.
Speaker 3: Um, and, it's, uh. You need to have a really good field of vision and understand what tools you have at your disposal, how you can iterate, what you think they might be moving to next, that kind of thing. I want to say completely lessons learned, but there are some tips and tricks that definitely help set people up for success, especially as it pertains to, like, the rubber hitting the road. You know, because, again, a lot of this stuff, until you go and experience it, it's hard to describe it, it's hard to take it out of that textbook and make it tangible and have it be something that you really viscerally understand, right? Because often it's the journey that really helps shape your thoughts on how you got there and where you're going, right.
Speaker 1: So why don't we start with, you know, Abstract Security, right? So actually, why don't you tell us, you know, what Abstract Security is, what you guys specialize in, and kind of how this book came about?
Speaker 2: Yeah, absolutely. In a nutshell, we saw that there was a problem with the way data is handled by organizations. Data volume is growing, so you need a strategy to help you do more of the work in the beginning, before your data moves into the storage or its destinations. Because what happens is, a lot of times, you have direct integration with your data sources and data destinations. So, let's say, you have your data sources, like cloud providers, you're trying to log the audit trails for security purposes, and then you say, logging is good, we need to log everything, and you dump everything in a storage. Well, now your storage sizes are increasing, which means the query response times are longer, or your cost is more and more. But within that data, there is noise, there are redundant fields, there is no aggregation, there's nothing. It's not manipulated enough to make it compact for you, make it useful for you, especially if you're looking for that needle in the haystack, like security incidents and things that are relevant to you. Another side of it is it makes migrations difficult, because if you do point direct integrations, you learn the query languages, whatever format the destination needs that data in, and you uniquely craft it to that format. And then, when you want to do the migration to another platform, you have the heavy burden of now reformatting your architecture and trying to manage that scale, or trying to bifurcate your data for compliance purposes and other purposes, right? So that was the problem that we wanted to solve. That's why Abstract came up with this lightweight platform where, instead of directly integrating with your destinations, Abstract's platform becomes your helper in the middle.
So we take the data from the data sources, we remove the noise or empty fields and things that are not useful for you, we aggregate the data, we deduplicate it, remove any duplicate entries, and essentially make that data quality data, so that what you're storing is data that is useful for you, and you're paying for what is useful instead of unnecessary noise. Not only that, not only do we make the data better quality, we also normalize the data in real time, so that way, if you're doing any migrations, it's easier for you to switch. As an example, Amazon Security Lake recently came up with, hey, you can now bring in your custom sources outside of Amazon and integrate with us, right? But you have to normalize it into OCSF format yourself. So that's where Abstract can be like, let us take that heavy lifting off of your plate. We will normalize the data to the format, and then you can route it to any destination without worrying about such migration costs.
Speaker 2: The second thing we do, and I think is really unique to us, in addition to the pipelining features that I mentioned, the data pipeline telemetry features, is live real-time security analytics, and Justin can talk more about this. He's an expert, he's actually written content for it. But just to give you a high-level overview, the problem is when there is an incident and you're storing it in a storage, having all your data in storage, and then you're querying against it. It's post-index searches. It takes longer to get those responses, but if you have real-time streaming analytics with Strat enrichments, then it's faster results. And also it's like the shift-left moment for data strategy. Just like CNAPP, cloud native application platform, had that whole shift-left, fix your vulnerabilities earlier in the lifecycle kind of moment, we're bringing that to data strategy. Like, hey, bring the enrichments, bring the detections more in the earlier phases, so you are well-equipped, have faster mean time to detect and mean time to remediate these forces.
Speaker 2: And then our third module that we're working on is also the way you store your data. So, like I mentioned, there's a problem of storage cost versus retrieval or query speeds and retrieval speeds. So the way we wanted to solve it is by giving you a tiered storage model, where you have your real-time storage, which is faster responses, a higher-cost disk, but for data that you would query on a regular basis, like weekly metrics and so on. But you also have something like cold storage, where you want to store data for compliance purposes that people don't really retrieve or request queries for too often, so they are a little bit longer on query time, but still you're saving costs because the storage is cheap. So that's how we manage, like, the storage versus retrieval speed, by bringing you this tiered model to make sure you're getting the best of your data strategy. Yeah, Justin, why don't you talk about our annual deployment?
Speaker 3: Yeah, yeah. So I'll just preface this by saying I'm a rules guy, have been for a very, very long time. You know, I've been using YARA for 15 years and Snort for probably longer than that, Sigma for as soon as it came out. I've written tens of thousands of countermeasures, and, you know, the value of having a really rock-solid engine can't be understated enough, or overstated enough, rather. Your engine is how you go fast, it's how you keep velocity and all of that fun stuff. And so here at Abstract we have a lot of really cool features that, you know.
Speaker 3: I'm a firm believer that a lot of these incident responders, they're essentially data scientists. It might be scoped a little more narrowly, but that's what we're doing, right, is data science. You're finding the needles in the haystack, you're finding the outliers, you're doing what you can to bring signal from the noise. And with our engine there's a number of really, really cool features that we have. I've just released a number of what we're calling Abstract Amplify rules, which are things where, you know, it will sort of give you out-of-the-box correlation, where we see, okay, there were X number of low alerts, but it was from a single username. Well, that's now a medium, right? And going and being able to see that automated bubbling up and having things sort of tell you, let the data tell you the story, right? Because that's what you're doing. You can't really force that kind of thing. But the other thing that I use quite heavily is this concept that we have of models, and models are essentially an in-memory database that can be populated dynamically by the logs as they come in over the wire. And so I'll give you an example. Let's say you're an Okta shop and you have authentication data, and you want to go and keep that authentication data in an in-memory database so that you can reference it from other rules. So then you can do things like start doing really advanced correlation, but on data that's being dynamically populated. So you want to go and enrich something. Maybe your proxy logs don't have the username on them, but you get that from Okta, right? Well, now you can go and say, all right, when this stuff comes in over the wire, go ahead and enrich that field onto something that previously didn't have that data.
Well, now you're going and empowering your analysts and your engineers to go and do stuff that they couldn't do before.
Speaker 3: And the other one, which I really, really like, is the concept of doing autonomic security. So autonomic security is the idea of self-defending, and the best example I can give of that is, if you have a series of websites that your customers go to, and they are logging into the website because they have to do stuff and they need credentials, well, you can then go and take a dynamically populated list of people who have successfully authenticated to your platform act. You know, remote code execution, local file include, remote file include. If they start doing stuff that's against the law and they haven't logged in, there's no customer impact if I dynamically block you. If my immune system responds and says, whoa, whoa, you didn't actually do what you were supposed to do, and now you're bringing a gun to the party, uh, that's not how this works. Right? Like, there's a right way and a wrong way to do things.
Speaker 3: And when you can build these systems such that you have those checks and balances dynamically populated and dynamically leveraged, that's the kind of stuff that's really going to raise the cost of doing business to your adversaries, right? So now I'll give you a real-world example. You've got pen testers, or people that come in and they're going to break in. Pen testers and bad actors, right? But your pen testers, those are the kind of people that you want in a walled garden, right? You want to have to let them in before they, you know, start doing that really bad stuff.
Speaker 3: And if your system can self-defend in real time or near real time, now all of a sudden your bad actors have to go and burn infrastructure. They came in, they got 10 packets through, maybe even got 100 packets through, right? But then they were dynamically blocked for seven days. And now they're going to have to go and burn more IP space. And as they burn more IP space, you can start doing things like seeing the patterns in who is attacking you. So it takes these opportunistic attackers and it slams a door on them, right? And it allows you to focus on the attackers who are focusing on you, and that's where you need to spend your resources, right?
Speaker 3: That's what a lot of people may or may not understand. It's not always the 12-year-old or 16-year-old kid in the basement who's doing this stuff. But do you really want to be spending your tier three and tier four IR cycles on something that that person never had, or should have been able to throw remote code execution at your website, anyway? That's something that should only happen from a walled garden. And so if you can start determining how you can go and implement dynamic security controls without impacting business costs and without impacting your customers, that's incredibly powerful. That is very much where we need to evolve to as an industry. Right, and some of us, you know, there's people out there who've been doing this for a decade plus, myself included, know that there are ways to do this.
Speaker 3: Historically speaking, it was expensive. It cost you expensive queries every five minutes, every 10 minutes, going and boiling small oceans or ponds and then going and acting on that, when you can go and dynamically take this data and funnel it to where you need to, to make those decisions happen themselves. Now your analysts and your engineers, they're focusing on stuff that is more important. The opportunistic attackers are not doing the same kind of damage in your environment. Right, you're allowed to focus on the people who are focusing on you. You know, half of it wouldn't be an interview with me if I didn't quote Sun Tzu, but, you know, know thyself is a very, very big part of this. And if you know your customers, why don't you act on that? Why is that not something that is dynamically happening in your environment, where you can, again, free up resources to do harder tasks, to focus on the APTs, to focus on the people who are focusing on you? And that's, again, we have really, really core foundational building blocks that are very powerful and adaptable to many different use cases: fraud, external exploitation, right?
Speaker 3:There's dozens of these scenarios where the way I like to think of it is, if your website is a party and you tell your friends not to step on your lawn because you like your lawn, and someone steps on your lawn, they're not your friend, right, and you can say, you know what, you're not getting in the party. You stepped on the lawn and that's not how we do this, right? Or, better yet, you can start to do things which will take that to the next level, and maybe you put a sign on your front door instead that says, you know what, threat actor?
Speaker 3:Go around back. The entrance is actually around back, right, and what you can actually do is start redirecting resources and doing what we can to make asymmetric warfare happen to these threat actors. So now, not only are you going to be able to interdict them more quickly, but you're going to be able to get inside their decision cycle and burn time which they can never get back, right. And so that's where we need to evolve to. We need to get to the point where, yeah, the system does most of the work, but it does it because we know ourselves and we've gone and said, no, here's my grass, and my friends know where my grass is and they don't walk on it.
Speaker 1:Yeah, that is, that's fascinating, because it kind of sounds like, you know, what you're describing is like the next evolution of security, because, with, you know, with the advent of the cloud, right, our data that we've been storing and keeping and everything like that, especially, you know, with the compliance requirements, right, I mean some of these compliance requirements you have to store, you know, everything that logs into a financial app, right, and so now we're in a situation where it's like, yeah, we have petabytes of data, right, like we have a whole bunch of data and I hope I never have to query it, because we don't even have the data scientists to query that data, right, like, because those are not cheap resources and most companies do not staff, you know, data engineers, data scientists or anything like that to actually pull it in, right. And so it's interesting because it sounds like your solution kind of, it not only augments or eliminates the need for that resource, but it also builds in security right from the very beginning, right, and I think that that's interesting and it kind of ties into, you know, what you named, you know, the book, right, Security Data Strategy, which is completely different, right, and you know you pointed this out too, Aqsa, before we started, is, you know, it's security data strategy.
Speaker 1:For a reason, right, normally you would think of it in terms of data security strategy. I have to have a strategy for securing my data. Well, really, it's removing or shifting less. You know where that security is actually applied, when it's applied and things like that. You know, really, that's the only way to do it, because we're moving into. We're moving into like uncharted territory, right?
Speaker 2:Yeah.
Speaker 1:We've never seen this amount of data, this amount of resource before. Right, and you're required to do something with it. You're required to secure and ensure the security of it, which is always a challenge. I was recently on a call, I won't say the company, but it's a financial sector company, right? And they were telling me, oh yeah, we got rid of Splunk. I said, okay, well, what did you replace it with? Because, right off the bat, that's the wrong answer, right? I got rid of Splunk. Okay, now I'm worried, and you know they said that they basically replaced it with, you know, an open source solution.
Speaker 1:And so I asked, okay, how quickly do your logs roll over? And they said, oh, we have, you know, 10 tiers of logs and they roll every couple minutes. You know, every five to 15 minutes, these logs are rolling from a, you know, a high traffic financial app, and so, you know, it started going down this rabbit hole where, you know, you have so much data that you almost can't even afford the storage costs of that data, right. And so I bring that up because your solution sounds like it's pretty unique, where it's able to really sift through these vast amounts of data and say, okay, you need to pay attention to this or you need to store this long term, right. Exactly, it has that built-in cost savings feature with it, which is really interesting. You don't see that normally.
Speaker 3:So I'll just jump in here. Sorry, I didn't mean to interrupt. One of the things that I kind of think in my head is, like, you know, historically speaking, when you're doing this the old-fashioned way, there's a bus that goes by, right, and there's two people on the bus that are bad actors, right. It's way harder to go back and chase that bus down and then sift through everyone on the bus than it is to go and see people walking down the street and pick them out and say, nope, do not pass go, do not collect $200, right. And instead of having to go and do the rework later on, the streaming portion is obviously incredibly beneficial to getting that signal out of the noise so that you can go and do more fancy stuff in real time. Because, let's say, you go and solve that problem and you go, and you're not batch querying and you're not doing this, and you're not doing that, you're going to evolve. You're going to go and hit the bad guys where it hurts and then they're going to evolve, right, and as they evolve, you have to continually evolve, right, and that's where people often forget that, like, you know, this is a journey. You're constantly evolving. This isn't a set and forget thing. It never will be, right.
Speaker 3:Historically speaking, yeah, they had data science teams that often would hang off of home-brewed bifurcated data and they would run custom tools. I've been doing it for over a decade. Right, we had a SIEM. We also ran data analytics components that were doing other detection. That was more involved because we had to do more advanced correlation and stuff. Well, there needs to be a tool to do that. There needs to be something where you can go and build on this stuff so that you can dynamically steer data, so that you can dynamically use that data. And it opens doors that previously were closed when it comes to being able to evolve faster than your adversary.
Speaker 1:That makes sense, Aqsa. What were you going to bring up or mention?
Speaker 2:Yeah, I was going to say that's how industry itself is evolving as well, joe, because you know CIO and CISO roles are merging and people are understanding that. Hey, when you look at data, you have to merge the use cases between security and the other operations, like analytics and so on. Now the security teams, as you rightly pointed out, may not have data engineers or a whole investment for data analysis, but a lot of security needs rely on data logging and platforming, just as much as other needs data processing. So this combination or this merging is where we want to help organizations move and that's what we talk about in the book as well.
Speaker 2:And if you see the cover page of the book, it shows data governance is kind of like an umbrella over everything else, all the different phases of data strategy, and that's in line with, if you see something like the NIST Cybersecurity Framework, they say that governance in general incorporates around every other phase of your organization's strategy for cybersecurity maturity profile. So just like that, I think, when it comes to data, what we've learned with all the nine authors, who are not even from Abstract but security industry experts, is that when you are thinking of strategy, you have to think of volume, you have to think of flexibility, because it's not going to stay the same, it's going to scale, it's going to evolve. So you have to future-proof your strategy. So you have to think of that. You have to think of how to measure it. I mean, it's one thing to just say in theory, like, you have a good strategy around it. How good on a scale of one to six? Is it four, five, six, one, two?
Speaker 2:So we wanted to provide that security scale, maturity scale for assessment as well, which is part of the book, and then it's are you thinking about security and governance when you're designing this? So, throughout the phases, we're thinking about how do you really make the most of the data that's useful for security and how do you combine data analytics with that in mind. So it's something that, as we're building the platform, we are also trying to educate the industry on that. Security in data, or like you can't separate the two and if you want to make the most of your data strategy, security leaders or CIO leaders or data leaders need to work together to get that effective strategy.
Speaker 1:Sure is yeah, it outage.
Speaker 3:And I had to do an RCA up to the president of the Canada side and part of that was making sure it never, ever happened again. And going and getting good at governance as you're doing security operations is paramount. Right, because if every time you have to do something jammy, you're stuck behind governance, then you're not going to do anything jammy ever. Right, you're going to be stuck behind governance. And so meeting governance at the table, making sure that they're stakeholders, making sure that you're working hand in glove with them, allows you to run with scissors. It allows you to evolve faster. Right, because you're going to have to, right, and avoiding governance in this day and age is not an option.
Speaker 3:Right, regulators are everywhere. You know, the ops people and the DFIR people, I like to think we're the blackjack dealers, right? You know, we're out there. We've got the eye in the sky watching over us. We're just trying to make sure everyone has a good time, right, and they do it safely.
Speaker 3:Right, and going and making sure that you involve governance very deeply in your sec ops is a maturity step that you really want to take early on and you want to make sure that you're doing that in a way that is scalable, that is auditable and that you can make sure that you've got all the checks and balances. You need to go and do those jammy things quickly and respond quickly and safely. You don't want to harm your customers, you don't want to harm your own systems, you don't want to break the law. There's a whole lot of stuff that, if you do this up front and again, don't avoid governance, it's not something that could or should ever be done. It's one of those things where you just need to sort of mature at the beginning a little bit more to make sure that your governance program works in the way that you need to from an ops perspective, and that's something that a lot of people overlook sometimes. Having a good relationship between your ops people and your governance people will enable better velocity all over. Yeah, that is interesting.
Speaker 1:Most security people don't ever want to even get on a call with, like, governance and compliance. It's just, it's like the worst part of our job that no one, no one wants to do, right. So, you know, at least from, you know, what you were saying, Aqsa, it sounds like this book is kind of like a one-stop shop for, you know, getting your security data strategy kind of, you know, going and moving forward, and does it potentially include, like, a next steps? Right, okay, you got, you got the framework, you got the scoring down, you know where you're at. What are the next steps? Where do I take it from here?
Speaker 2:Absolutely. As a part of the appendices, we have workbook templates, and a lot of the authors provided really good assets and materials there to see this functioning. It's not just a theoretical guide, but it's a practical guide. So if you're on step two, we help you see what step three, four, five would look like. Ultimately, it's about gaining maturity in every stage. Usually people think, as a whole, you have a maturity scale. True, but you can be good in one phase and not so good in the other phase of data strategy. Like, you could be really good in data collection, but maybe you're not as strong in data storage or data reporting, you know. So we provide a scale for each of those phases of your data strategy and how to assess where you are and how to get to the next state, or what a mature state of that phase would look like. So, by using the resources that we have in the appendices, the examples, the lessons learned, as Justin mentioned, not just the do this, but what are the myths around data strategy? Like, log everything. Is that really the best strategy? Things like that, breaking down the myths, the don'ts of, the mistakes and pitfalls to avoid. All of that, we're hoping, will help people to really rethink, if they are already in the middle of an architecture, make sure it's flexible and see if they need to make any changes. If they are starting from scratch, this book is still for you, so it covers people wherever they are in their journey. Even if you are mature, it's a good way to just see, does your maturity really align with what we're seeing in the industry? If you are a beginner, like you just took on the role of trying to architect something, what are the things you have to watch out for and how do you start? If you're somewhere in the middle, like you're going through re-architecting?
Speaker 2:I think someone that we were, I was talking to as part of security data strategy interviews that I was doing, they said it took them six months to a year to re-architect everything because they wanted to change their SIEM platform. They wanted to change their end destination. They didn't realize how much work it would take until they started doing it. Just like you mentioned in your example with the Splunk to open source, it's not a two-day switch. You have to redo everything if you're not flexible in your architecture. That's a nightmare, which is why it's so important to have this movement in the beginning of the cycle, and this book is absolutely free, and when I say free, it's also non-gated.
Speaker 2:We don't need an email for you to download your ebook, because, you know, a lot of marketing and companies are like, it's free, but give us your email, give us your details, and then we'll send you all this, like, scam emails, spam emails about how you can buy our product and make things better. No, it's purely for community and it's a brainchild of people, not just from Abstract, but from outside of Abstract, although Abstract, I'm thankful to work in a company that sponsored all costs for it, publishing costs, printing costs, design costs, editing costs, everything, but we're just giving it out for free. It will also be on Amazon, Kindle, Barnes and Noble Kindle. We'll also have a few printed versions for anyone who's interested in that. But our main goal is to really amplify the messaging that you need to think about it as a strategy, from a security lens, and here's how you do it day, right, and I'm sure we're all in back-to-back meetings, right.
Speaker 1:But, you know, before, before I let you guys go on, I definitely want to have both of you back on again, right, probably individually, and we'll have our own topics that we discussed and everything. I think that'd be great. I think my audience would really love that, and I, selfishly, I would really love it. But, you know, before I let you guys go, how about you guys tell me, you know, where my listeners can find you if they wanted to connect with you on, you know, LinkedIn, or if you have a Twitter slash, you know, X, I still call it Twitter, and then, you know, where they could potentially find, you know, Abstract Security, or even, you know, the book, if the book is, you know, published on Abstract Security's.
Speaker 3:You can find me on LinkedIn. It's the only social media I do. My wife's marriage request is still pending in Facebook. I don't think I've logged in since I had clearance up in Canada. So for me, I'm not a big social media guy. I'm more of a behind-the-scenes, in-the-shadows kind of guy. Feel free to hit me up on LinkedIn. If we have friends in common, I will likely be okay with that. But again, I'm more of a behind-the-scenes kind of guy.
Speaker 2:It was so hard to find his data that I was like I can't find a photo of you. I want to put a photo of you in the book. Others like there's nowhere and he's like successful. I work with a number of people.
Speaker 3:Every Wednesday night I do work building awesome cool stuff with a good friend of mine. I have for the last 18 years and I definitely am still participating very, very actively. I just try not to be loud about it. I don't want to paint a target on my back.
Speaker 1:Yeah, that makes sense, unlike me, he's a some security guy.
Speaker 2:I'll probably have to say I'm the opposite of Justin when it comes to online presence. You can find me on LinkedIn easily because my name's pretty unique, so I'll probably be on your top of search results. Even if you Google me, you'll find, like, resources that have been associated with the books that I've written or the podcasts and things I've been on. Like I said, Aqsa Taylor's a pretty unique name, at least until now. I'm also on Twitter, X, whatever, but I'm not as active now as I used to be before, so LinkedIn would be the best way to find me. My name is Aqsa T-A-Y-L-O-R. That's what you would put in the direct URL for the LinkedIn profile as well.
Speaker 1:Awesome. And then the book can be found just at Abstract Security.
Speaker 2:Yes, not yet.
Speaker 1:And Amazon and everything else right.
Speaker 2:March 18th is the date that we are targeting for the launch, and it will be available on online media on March 18th. It will be available on the Abstract Security website. We will also have a direct link to the book. If you are curious or if you want early access before that, you can message me or DM me on LinkedIn and I'll see if I can get you early access. But the main launch will be next week.
Speaker 1:Awesome Sounds great. Well, I'm looking forward to going through it and seeing what I can apply easily and what phases in my own organizations and whatnot. So I really appreciate you guys coming on. I think we had a fantastic conversation. I really enjoyed it.
Speaker 3:Yeah, I appreciate you having us here. I could shoot the breeze with you all day. I mean, you're very conversational. I can blow hot air with the best of them, awesome.
Speaker 2:Thank you for having us, Joe. Really appreciate it.
Speaker 1:Yeah, absolutely, and thanks everyone for listening. Be sure to check out the resources that we mentioned. The links will be in the description of this episode. Thanks everyone, Awesome. Have a good one.