Guest:

• Rick Correa,Uber TL Google SecOps, Google Cloud

Topics:

• On the 3rd anniversary of Curated Detections, you've grown from 70 rules to over 4700. Can you walk us through that journey? What were some of the key inflection points and what have been the biggest lessons learned in scaling a detection portfolio so massively?
• Historically the SecOps Curated Detection content was opaque, which led to, understandably, a bit of customer friction. We’ve recently made nearly all of that content transparent and editable by users. What were the challenges in that transition?
• You make a distinction between "Detection-as-Code" and a more mature "Software Engineering" paradigm. What gets better for a security team when they move beyond just version control and a CI/CD pipeline and start incorporating things like unit testing, readability reviews, and performance testing for their detections?
• The idea of a "Goldilocks Zone" for detections is intriguing – not too many, not too few. How do you find that balance, and what are the metrics that matter when measuring the effectiveness of a detection program? You mentioned customer feedback is important, but a confusion matrix isn't possible, why is that?
• You talk about enabling customers to use your "building blocks" to create their own detections. Can you give us a practical example of how a customer might use a building block for something like detecting VPN and Tor traffic to augment their security?
• You have started using LLMs for reviewing the explainability of human-generated metadata. Can you expand on that? What have you found are the ripe areas for AI in detection engineering, and can you share any anecdotes of where AI has succeeded and where it has failed?

Resources

• EP197 SIEM (Decoupled or Not), and Security Data Lakes: A Google SecOps Perspective
• EP231 Beyond the Buzzword: Practical Detection as Code in the Enterprise
• EP181 Detection Engineering Deep Dive: From Career Paths to Scaling SOC Teams
• EP139 What is Chronicle? Beyond XDR and into the Next Generation of Security Operations
• EP123 The Good, the Bad, and the Epic of Threat Detection at Scale with Panther
• “Back to Cooking: Detection Engineer vs Detection Consumer, Again?” blog
• “On Trust and Transparency in Detection” blog
• “Detection Engineering Weekly” newsletter
• “Practical Threat Detection Engineering” book

Guest:

• Errol Weiss, Chief Security Officer (CSO) at Health-ISAC

Topics:

• How adding digital resilience is crucial for enterprises? How to make the leaders shift from “just cybersecurity“ to “digital resilience”?
• How to be the most resilient you can be given the resources? How to be the most resilient with the least amount of money?
• How to make yourself a smaller target?
• Smaller target measures fit into what some call “basics.” But “Basic” hygiene is actually very hard for many. What are your top 3 hygiene tips for making it happen that actually work?
• We are talking about under-resources orgs, but some are much more under-resourced, what is your advice for those with extreme shortage of security resources?
• Assessing vendor security - what is most important to consider today in 2025? How not to be hacked via your vendor?

Resources:

• ISAC history (1998 PDD 63)
• CISA Known Exploited Vulnerabilities Catalog
• Brian Krebs blog
• Health-ISAC Annual Threat Report
• Health-ISAC Home
• Health Sector Coordinating Council Publications
• Health Industry Cybersecurity Practices 2023
• HHS Cyber Performance Goals (CPGs)
• 10 ways to make cyber-physical systems more resilient
• EP193 Inherited a Cloud? Now What? How Do I Secure It?
• EP65 Is Your Healthcare Security Healthy? Mandiant Incident Response Insights
• EP49 Lifesaving Tradeoffs: CISO Considerations in Moving Healthcare to Cloud
• EP233 Product Security Engineering at Google: Resilience and Security
• EP204 Beyond PCAST: Phil Venables on the Future of Resilience and Leading Indicators

Guest:

• Craig H. Rowland, Founder and CEO, Sandfly Security

Topics:

• When it comes to Linux environments – spanning on-prem, cloud, and even–gasp–hybrid setups – where are you seeing the most significant blind spots for security teams today?
• There's sometimes a perception that Linux is inherently more secure or less of a malware target than Windows. Could you break down some of the fundamental differences in how malware behaves on Linux versus Windows, and why that matters for defenders in the cloud?
• 'Living off the Land' isn't a new concept, but on Linux, it feels like attackers have a particularly rich set of native tools at their disposal. What are some of the more subtly abused but legitimate Linux utilities you're seeing weaponized in cloud attacks, and how does that complicate detection?
• When you weigh agent-based versus agentless monitoring in cloud and containerized Linux environments, what are the operational trade-offs and outcome trade-offs security teams really need to consider?
• SSH keys are the de facto keys to the kingdom in many Linux environments. Beyond just 'use strong passphrases,' what are the critical, often overlooked, risks associated with SSH key management, credential theft, and subsequent lateral movement that you see plaguing organizations, especially at scale in the cloud?
• What are the biggest operational hurdles teams face when trying to conduct incident response effectively and rapidly across such a distributed Linux environment, and what's key to overcoming them?

Resources:

• EP194 Deep Dive into ADR - Application Detection and Response
• EP228 SIEM in 2025: Still Hard? Reimagining Detection at Cloud Scale and with More Pipelines