Guest:

* Erik Bloch, Senior Director of Detection and Response at Sprinklr

Topics:

* You recently coined a concept of “output-driven Detection and Response” and even perhaps broader “output-driven security.” What is it and how does it work?
* Detection and response is alive (obviously), but sometimes you say SOC is dead; what do you mean by that?
* You refer to a “federated approach for Detection and Response” (“route the outcomes to the teams that need them or can address them”), but is it workable for any organization?
* What about the separation of duty concerns that some raise in response to this? What about the organizations that don’t have any security talent in those teams?
* Is the approach you advocate “cloud native”? Does it only work in the cloud? Can a traditional, on-premise focused organization use it?
* The model of “security team as a decision-maker, not an implementer” has a bit of a painful history, as this is what led to “GRC-only teams” who lack any technical knowledge. Why will this approach work this time?

Resources:

* “RIP SOC. Hello D-IR”
* “Kill your SOC with a D-IR model”
* “Security De-Engineering: Solving the Problems in Information Risk Management” book
* “A SOCless Detection Team at Netflix”
* “Achieving Autonomic Security Operations: Automation as a Force Multiplier”
* “Start with Why: How Great Leaders Inspire Everyone to Take Action” book
* “Think Like a Monk: The Secret of how to Harness the Power of Positivity and be Happy Now” book
* “On “Output-driven” SIEM”
* “SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond” (ep58)