ITSPmagazine Podcast Network

How I Learned to Stop Worrying and Build a Modern Detection & Response Program | A Black Hat Europe 2023 Event Coverage Conversation with Allyn Stott

Episode Summary

In this episode of the ITSPmagazine On Location Event Coverage series, host Sean Martin and guest Allyn Stott discuss the intricacies of building a modern detection response program, the role of threat intelligence, and the importance of aligning with business risk.

Episode Notes

Guest: Allyn Stott, Senior Staff Engineer

On LinkedIn | https://www.linkedin.com/in/whyallyn/

On Twitter | https://twitter.com/whyallyn

On Mastodon | https://infosec.exchange/@whyallyn

At Black Hat Europe | https://www.blackhat.com/eu-23/briefings/schedule/speakers.html#allyn-stott-42433

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

Episode Notes

In this episode of the ITSPmagazine On Location Event Coverage series, host Sean Martin engages in a thought-provoking conversation with guest Allyn Stott, a seasoned cybersecurity professional and senior staff engineer. The discussion orbits around the challenges and solutions in building a modern detection response program.

Allyn shares his unique perspective on why blue teams often fail. He suggests that the failure is not due to a lack of technical skills, but rather a lack of a broader strategy and understanding of the overall detection response program. He emphasizes the importance of integrating the detection response team into broader business conversations, thereby fostering a more holistic approach to managing risk.

The conversation also explores the role of threat intelligence and the need for continuous learning and adaptation in the face of evolving threats. Allyn underscores the importance of understanding the business's actual risk and aligning the detection response program accordingly.

Allyn also shares his experience in creating a framework to help teams understand their current capabilities and how to evolve towards a more effective detection response program. This framework, he suggests, can help prioritize work within the program and provide a roadmap for reporting out.

This episode is a treasure trove of insights for CISOs, managers, directors, and builders in the cybersecurity field. It provides a roadmap for identifying skill sets, prioritizing work within the program, and reporting out, all crucial elements in building a modern detection response program.

The conversation is a blend of practical advice and philosophical musings on the nature of cybersecurity, making it a must-listen for anyone interested or practicing in the field.

About Allyn's Black Hat Europe 2023 Session, 'How I Learned to Stop Worrying and Build a Modern Detection & Response Program': You haven't slept in days. Pager alerts at all hours. Constant firefights. How do you get out of this mess? This talk gives away all the secrets you'll need to go from reactive chaos to building and running a finely tuned detection & response program (and finally get some sleep).

Gone are the days of buying the ol' EDR/IDS/NGAV combo, throwing some engineers on an on-call rotation, and calling it your incident response team. You need a robust and comprehensive detection and response program to fight modern-day attackers. But there are a lot of challenges in the way: alert fatigue, tools are expensive, hiring talent is impossibly difficult, and your current team is overworked from constant firefights.

How do you successfully build a modern detection and response program, all while riding the rocket of never-ending incidents and unforgiving on-call schedules?

This talk addresses the lack of a framework, which has led to ineffective, outdated, and afterthought detection and response programs. At the end of this talk, you will walk away with a better understanding of all the capabilities a modern program should have and a framework to build or improve your own.

* How worrying can be a superpower

* Why blue teams fail

* The framework I've developed for building a detection and response program

____________________________

Resources

How I Learned to Stop Worrying and Build a Modern Detection & Response Program: https://www.blackhat.com/eu-23/briefings/schedule/#how-i-learned-to-stop-worrying-and-build-a-modern-detection--response-program-34241

A Security Newsletter with a Cute Cat: https://www.meoward.co/subscribe

Learn more about Black Hat Europe 2023: https://www.blackhat.com/eu-23/

____________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Black Hat Europe 2023 playlist: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllQXpNVL6L8zfXXDip7JtQY1

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel: 📺 https://www.youtube.com/@itspmagazine

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: Hello everybody, you're very welcome to a new episode of Redefining Cybersecurity here on the ITSPmagazine Podcast Network. And, uh, I'm, I'm Sean, still Sean, uh, your host for the show where I get to have fun looking at different topics related to operationalizing security in the business and, uh, how do you build successful programs and teams and processes and tooling and communications and all the stuff that goes with it to, uh, to help protect the revenue the company generates and hopefully help them generate some more as well.

And, uh, yeah, sometimes posts inspire me. Sometimes people inspire me. Sometimes events inspire us at ITSPmagazine. So this is part of our event coverage for Black Hat Europe, the EU of course, and, uh, and my guest Allyn Stott kind of, kind of fits the, fits the mold of all of that. An event, cool dude, and a topic that's, uh, I think I'm going to geek out on today.

Uh, I often don't get to geek out. Um, I'm usually up at the business or, uh, the operations level, but I think we're going to get into some nitty-gritty stuff today, which is going to be fun. Allyn, thanks for, thanks for joining me.

[00:01:19] Allyn Stott: Thanks for having me.

[00:01:21] Sean Martin: Before we get into your session, I'm just going to, I'm going to read the name of your session at Black Hat Europe.

It's How I Learned to Stop Worrying and Build a Modern Detection & Response Program. So that'll keep people waiting for all the, all the good stuff here. Not that your background isn't good, but let's tease a little bit. What's, what's your, you don't have to name company or anything, but describe what you do and what excites you about it and maybe a little bit about your journey to that point.

How did you land in that spot?

[00:01:57] Allyn Stott: Yeah, sure. Today I do, I do the fun things. I do incidents and threat detection. So, uh, I like to tell people that generally speaking, my days are full of excitement and they're often people's worst day. Um, and, uh, I'm okay with that. So you have to be a bit of a special person to really love incident response.

And I guess I'm that person. Um, I've been doing detection response for the last 10-plus years, um, but I started my career actually more on the offensive red team side of things. So, um, I did a lot of stuff, pen testing. Did a little bit of security research and, um, when I was a red teamer, I got to see lots of blue teams fail, um, a lot.

And, uh, so when I got the opportunity to switch over to the blue team, uh, cause I thought, oh, I could do that so much better, right? You go out and you're, you're doing these pen tests.

[00:03:09] Sean Martin: They say the grass is always greener. It's probably not the right analogy, but things always look more funner. How come they can't figure that out?

[00:03:18] Allyn Stott: Maybe it's not the grass is always greener. It's just, uh, I could take so much better care of that lawn. I don't know.

[00:03:25] Sean Martin: Exactly. Exactly.

[00:03:27] Allyn Stott: Yeah. So yeah, I got to watch, I got to switch over then to, to do blue team stuff. And, uh, I think what, uh, you know, when you're a pen tester and you're coming in for like, you know, a, a very like set time or engagement, um, you know, you don't have, you have just that engagement and I, I always equate this to like, you know, the bad guys, like, you know, when they're, they're attacking, like they're focused on this, they come in, they show up, it's, you know, it's a job essentially, and they go and they put in their hours and on the blue team side of things.

We do defense, but we also work for a business, so we go to meetings. And we figure out planning and we do budgets and, uh, you know, it's just, it's a lot of, it's like, you don't, you're not constantly making progress against them. That's right. Um,

[00:04:20] Sean Martin: there's, there are MBOs, MBOs in there. Yes. Hopefully some time off as well.

So you don't burn out. Yeah. Lots of real-world, uh, elements in, in the world of business for sure. Um, so I love that. And I know you do a lot, you do some stuff with BSides too, if I'm not mistaken. Is that right?

[00:04:43] Allyn Stott: Yeah, I've, uh, I, I decided I wanted to give a talk this year. I've, um, actually never given a talk until this year.

And then I've given talks at 12 different conferences this year, I think is the number. And so I've gotten to speak at lots of different BSides across, uh, the US, and then I was in Singapore, um, for BSides, and then I've also gotten to speak at the Diana Initiative, which I'd never been to, but it's.

If you're, if you're doing the Hacker Summer Camp, it's the first one, and then there's BSides Las Vegas, and off it goes from there.

[00:05:25] Sean Martin: Yeah, that's a good group. I know Marco, uh, had a chance to chat with him. Yeah, Hacker Summer Camp 2023 in Vegas, which is a few months back. Yeah. Yeah, always a good group.

They do a lot of good stuff for everybody, which is important. Um, alright, so I want to maybe kind of start eye level. And you had this, you had this phrase as we, uh, as we were putting this together. Um, and it's part of your title as well. So How I Learned to Stop Worrying is your title. Um, but then you also note that how worrying can be a superpower.

So to me, that says, go ahead and worry, recognize it, embrace it, and then set it aside and use whatever inspiration or adrenaline or, that's my take on it, but I'd love to hear what, what all this means to you in the context of blue teaming and detection response. I don't know, does it apply to red team as well?
 

[00:06:35] Allyn Stott: Oh, I'm sure it does. Um, I would say first and foremost, worrying applies to me because I'm a dad. And so, having a kid and being a worrier, I think, I think parents resonate with the idea that you're constantly thinking about, what could go wrong?

[00:06:56] Sean Martin: The worry level just rises and stays there. And then it's a whole new threshold, right?

[00:07:01] Allyn Stott: That's right. That's right. Um, and on blue team, that's, you know, that's, that's what we do. We, we worry. We think about what, what things could go wrong. We think about, um, all the different, uh, all the different ways that, like, the defenses that we put in the place, like, could be, uh, could be bypassed. Um, when I was thinking about worry, when I was putting this talk together, I was, you know, just...

Sometimes, you know, you put something into Google search. I like to put something into Google Scholar because, you know, you, you might really find something interesting, um, and I put worrying in there, and I found this really cool paper out of the University of California, Riverside. It's called, uh, The Surprising Upsides of Worry, and, uh, in this paper, they argue that, obviously, worrying at extreme levels, it definitely has negative outcomes, but that worry has a really cool upside, um, in that it keeps something at the front of your mind and is a reminder that you are trying to prevent something, an undesirable outcome, and it just kind of lingers there.

And the talk is called How I Learned to Stop Worrying because, uh, you want to address that worry. You want to take... action. And, uh, yeah, that's, that's, that's how the, that's how the worrying played in there besides being a, just a, a really great, uh, Stanley Kubrick movie. That's

[00:08:44] Sean Martin: right. That's right. Yeah, it's a, it's a cool word and makes you, it makes you pause for a moment, right?

Um, it's real, it's a feeling. Right? Yeah. At the end of the day, we are humans. I was actually, uh, chatting with, uh, the team at NIST and they have a whole team dedicated to human-centered cyber security rooted in research and studies and academia. And so I love that you, you pulled on this thread of out of UCR, um, some research that studied worrying and, and how.

How it looks, right? I'm not, I haven't read the paper, of course, but, but then to use that for your talk as a, as an inspiration or as a, perhaps even some, some details within it is super cool and, uh, if they're listening, I'm sure they're going to, they're going to be applauding on the sidelines here. Um, so yeah, so I love that introduction.

Then I guess I think the next point we wanted to touch on maybe was why blue teams fail, but before we get there, um, I'd love your perspective. It's hard for me to stay on top of all the changes over time. And so I'd love for you, excuse me, to paint a picture of detection and response. I know there's a whole market category of XDR and, and of course you have SIEM and SOAR and threat intelligence and all this stuff that kind of comes together to help with all this stuff.

Can you paint a picture for everybody of what you're talking about in this context? That'd be, I think that'd be great.
 

[00:10:28] Allyn Stott: Yeah, um, I've gotten to be in this field for a little bit, so I've kind of gotten to see, uh, how, how things have evolved, um, and I, you know, I did a lot of, uh, non-security IT work before I did security work.

And so I got to see from a distance, like the kind of creation of this thing that we call the security operations center. And, um, I was, uh, a sysadmin and, uh, we never let those guys do anything. We would, we'd be like, no, no, no, you're not having those. We're not giving you root access to that system. We're sorry.

Um, so watching, uh, watching it evolve from being this thing where I think, you know, essentially it was a group that inherited some of the, some of the like newer security tech things like at the time, like IDS like they were. You know, if, if then that, then the end group let them maybe the firewalls we didn't, uh, and then, uh, kind of move into this, this field where we're, it incorporates everything from threat intel and understanding like what type of threats that the business that we protect.

And then just the general industry that we're in is being targeted for to building and tuning the things that we know are specific to the environment that we're in, that an attacker might want to, uh, gain access to or steal, and then having strong processes and automation and tooling that let you do that triage, that investigation, that response, um, and then this idea that, uh, detection and response has to kind of be like grouped all together and like kind of centrally held together by this, um, uh, like this, this constant, like almost a, a, a drumbeat of like, here's, here's what we're actually seeing to the rest of the organization.

So I got, I'm a little biased. I've been in detection and response for a long time. So, like, I think it's the most important thing you could ever do, but informing like what controls that the organization's working on, uh, informing red teams on the type of simulations that we want to do against the rest of the organization.

Uh, and then even just like overall to the rest of the business, helping them understand, not just like risk because risk is, you know, risk is, it's, it's a little bit wishy-washy sometimes, you're talking

[00:13:21] Sean Martin: to a risk guy here now, because,

[00:13:24] Allyn Stott: I know, somebody actually asked me after, because I, I, I talk about like, um, intel, uh, intel-driven detections, and he's like, oh, well, you know, what do you think about like risk-based detections?

I was like, risk is really, I, when I think about like intel and threats, I think about, like, where risk is a hundred, you know, and so like I'm really focused on the things that are a hundred percent happening right now. And the, being able to tell the rest of the organization, like that these things are at risk, but actually like the risk is a hundred percent, it's happened or it is happening as we speak, um, and helping to like bubble that up to the rest of the org.

[00:14:05] Sean Martin: Maybe, I mean, risk is a, an analysis and a calculation of, right, probability of something bad happening and perhaps the, the level of impact. You're, you're a hundred percent probability. What's the impact? Right. And how do we minimize that, uh, fast? Yeah.

[00:14:25] Allyn Stott: Um,
 

[00:14:27] Sean Martin: what, uh, let's talk about why teams are failing and, uh, sure you have your own points, but I'm wondering how some of the evolution has changed because, and the reason I'm asking this this way is I feel that we continue to pump new technologies and tools and new ways of looking at things and the processes, and here's a new framework that helps you and organize all that stuff, which presumably are designed to help. Um, but then if you're not prepared, if you don't have the skills in those, all of those areas, or you don't have the team to pull in all that scope, it could be overwhelming.

So I don't know where things sit. So I'm asking, um, my perception is some of that, but, and then of course, I, I presume you have some more deeper analysis of, yeah, we just can't get our head wrapped around this or this, uh, this, this intel we're getting is not great or whatever it is. So the question, why are a team blue teams?

[00:15:33] Allyn Stott: Yeah, well, I guess I'll, I'll first say that I actually don't think it's, it's our, uh, the teams and their technical skills on them. Um, you know, I've gotten to work with a lot of people and I meet a lot of people, especially, um, doing all the different BSides and I'm actually continuously impressed how, how smart people are in this field.

Like I'm actually a little intimidated. Like the first time I gave, uh, gave a talk at a BSides, I'm like, this is a room full of people that are way smarter than me. So this is, uh, this is exciting. I think that actually sometimes the problem is that we are so focused and honed in on the problems that we're solving.

Um, so I've worked with like some of the most incredible people, really smart. And we would always figure out and accomplish how to like figure out a technical problem, how to get past, how to detect this threat that seemed like really difficult, but these were singular, one-off, very narrow ways of thinking, and we didn't have this idea that the overall, you know, the first question you asked, like, what is detection and response?

Like, we didn't really think about that. What is detection and response? What is a detection and response program? And we would really just work on our tasks and work on projects ad hoc. But we didn't have a bigger picture or a strategy in mind on how to get there. And I think that's why blue teams fail a lot, because a lot of times, uh, we're, you know, we're an operational, I'm in an op, you know, I'm in an operational team, we're always busy, we're always busy, there's always things to do, and we get caught in this sick cycle where we're just constantly, you know, this next thing comes up, this next incident, this next new threat, this new report, this new intel, and instead of taking a step back and thinking about where are we going and how are we going to get there in a reasonable amount of time that addresses the actual risk for the business through that risk.

[00:17:55] Sean Martin: I love that. Thank you so much. I appreciate it. I'm glowing now. This is a question I often ask, uh, people who join me on my show. And I'm really interested to hear how you, how you respond. Um, cause it's, it's a hypothetical for me, um, cause I'm not in the SOC. I'm not a CISO. I can only talk to as many people as I can who have these roles and do this cool work.

Um, but I have this fantasy that people like you will see a trend in how the business was defined, built and deployed in the first place that just has this unrealistic, unacceptable level of exposure, right? That's killing our patch team. And your team is, is up all night, uh, dealing with, with incidents in the same operating system, uh, or the same apps all the time because they weren't built and delivered and managed properly.

So I have this fantasy that people like you can say, if you just go back and build this differently, or pick a different piece of the tech stack, or, or get rid of collecting this data, uh, we won't have to deal with responding here, or as much, or as often, or as quickly, because it's going to have less impact.

So,

[00:19:20] Allyn Stott: is... Is it

[00:19:21] Sean Martin: fantasy or do you actually
 

[00:19:24] Allyn Stott: see any of that? Oh yeah, um, I think we've gotten a lot better at, uh, so I would say historically, detection response teams in the SOC have been really good at siloing ourselves away from the rest of the organization. I've certainly been guilty of this. Um, and I think some of that stems from this idea that like, we're trying to move fast and nothing's going to get our way, like the threat actors, they're going fast.

So we've got to go fast too. Um, but then by disconnecting from the business, we're not actually part of those conversations where new risks are being introduced that are going to make, you know, our lives more difficult, or being part of the conversation about, well, we did it that way. And maybe it made sense at that time, but now it doesn't make sense.

And so how can we, how can we solve that? I, I'm, I've been pretty fortunate that all the organizations I've worked, that threat detection response has always been part of like the conversation, uh, within any sort of new major effort or project at the company. And so, you know, you have the folks there that are thinking about all the different preventative controls and how we can, you know, make smart security architecture decisions.

Um, but then having a threat detection response person who's thinking about the type of incidents, thinking about the type of detections they're going to have to write for that is just really great to be part of that conversation and say, hey, so yes, that might work. It might work if we isolate that environment entirely, but also, uh, we won't be able to get any visibility out of that environment or, uh, you know, just weighing those pros and cons.

I think threat detection folks think maybe even differently from the folks that do security architecture. So I don't think it's a, I don't think it's a dream. I think we can, we can get there. I love it.

[00:21:33] Sean Martin: I love it. So let's, um, I'm gonna, we're going to get to your session in a minute. I'm gonna, I want to tease that out and, and let people know who, who should, who should join you there for that, uh, for that talk.

Um, but I know you've, you've done some work on a, on a framework to help teams. Can you, can you share a little bit about that? Uh, what drove you to do that and what kind of, what kind of results are you getting from having it

[00:22:03] Allyn Stott: available? Yeah. So I've been an engineer most of my career. Um, but I did a, uh, a, I shifted into a senior management position, uh, for a previous role.

And when I moved into that position, I realized that I needed to take a step back and think about that bigger picture. Think about what are the, all the activities that a threat detection response team needs to do. And then thinking about what are the different capabilities that you would need, the technical capabilities that you would need to accomplish that.

Um, and so, the, the, the thing I realize now that I'm back in an engineer position is that having this understanding of what you're trying to do and the capabilities you're trying to get to are almost more important when you're an engineer, because you're building those things and you're working on those things every day, and so it helps prioritize, but it also helps you have like a picture in your mind of like, this is what we're building and this is what we're trying to get to.

So the, that's, that's, that's where this, this framework came from. I had this opportunity to really build from almost nothing and then get to think about it in all of the different phases, and when I thought about, like, building a detection and response program, I took this, uh, I read a book again, uh, that I wouldn't have normally read.

I read this book about organizational design, and I will not, uh, say it was a thrilling read. And I'm

[00:23:47] Sean Martin: not a page turner, not for the right, not for the same reason that most people say it

[00:23:51] Allyn Stott: anyway. That's right. Um, and I, I hopefully won't offend them by saying that, although I don't think our worlds intersect too, too often.

So I don't think they'll be at my talk, but clearly

[00:24:05] Sean Martin: provided, gave you some value.

[00:24:07] Allyn Stott: Yeah. Yeah. So they, they have this like approach of how you build an organization, and they have these phases and I, uh, borrow heavily from some of those of looking of how you approach looking at what you currently have. And what does that mean for the organization that you need to build?

So understanding what your actual vision and mission currently is, and how to shift that into this, this modern, you know, whatever you're trying to target. So in our case, a modern detection response. Um, and then that way before you go into building, you already have a strong idea of what people you have, their skill sets, so that as you're selecting technical capabilities, when you're selecting tools, you know what training you're going to have to give them and then also, you know, what they already are going to be able to do, and having this idea of like, um, of a target maturity of, this is where we are today and here's how we can get to the next step in this organization. And so I took a lot of, between thinking about building the program from a new, having that opportunity, and then also having this one, building something new, people built new, you know, whatever it is, doesn't have to be detection and response, like, you know, we've been building new, new teams and new organizations for a long time.

Surely there's, there's something to learn there and, I think, uh, just having a, uh, something to, to start with before putting the framework together that, that I took a lot of inspiration from that. I love it.

[00:25:55] Sean Martin: Super cool. Super cool. I don't know if, uh, that's public or not, but whatever, if it's shareable, uh, do share it. If not, they can talk to you more about it. Um, I do want to go in there, a few minutes we have left here, and talk about your session again. It's How I Learned to Stop Worrying and Build a Modern Detection & Response Program. Kind of lay out the framework. What, don't give anything away, but what, what are some of the key points you hope to make and, and who are you telling those points to?

Yeah, target audience.
 

[00:26:37] Allyn Stott: So my target audience is, it could, this is, and I've had, I've gotten to speak to people in all of these different ones. And so that's, I can, I can say for a fact that I've heard people say, I enjoyed this, uh, about this, uh, the one, the talk I'll give at Black Hat will be my best version of it, as there's a lot of stuff that I haven't talked about before.

It's some of my other BSides talks. So it's kind of exciting for me to talk about some of the work we've been doing. Um, but, uh, it, it could really be, uh, a CISO that wants to understand how to, what does, what is modern detection response? Like, I know I have to have, you know, an incident response team, but what are actually like all the, what, like, how does it fit my overall security program?

It could be the managers and directors that are building the processes, hiring the people that, that do this work, and giving them a, uh, a roadmap for how to find those, like, how to identify what skill sets you need based on what you're trying to build. And then the, you know, the builders, the people that are configuring the stuff, that are writing the code, understanding how it all fits together.

Um, the, the big takeaways from the talk are, um, one is very, uh, I would say very manager-focused in the beginning, especially where I, I talk a lot about like, how do you figure out what your people need from you to move forward into this modern design? And then I talk a lot, the, the two really neat things that I build during the presentation is this view of how do, how do all these, how does threat intelligence need to connect to our triage and response processes?

How does, how do we prioritize the work within this program? And then how do we report it out? And then, um, it was, uh, originally an afterthought to when I was originally thinking about this talk. And, uh, I was, I gave like a very early version of this at a conference. And somebody said, that should be like at least a quarter of it, and it's how do you evaluate and report on the success and failures of the program? How do you really tell people what you do and whether you're performing, and then how do you sell it? Because the, you know, you're, you know, I do this talk and they talk about, you know, all these different processes and all these things you can do and all these technical capabilities and how the tools all fit together.

And, you know, I can see people being like, uh, that'll never happen where I'm at

[00:29:39] Sean Martin: on budget. I don't have people. Exactly. Well, this is one of the reasons I was, uh, I mean, I love, I love the whole, anything connected to the SOC. Having built a SIEM product in, in yesteryear, uh, anything in there is of interest to me, but I've also, and I think I put a piece together on my newsletter that businesses are, they call it transformation, right?

Uh, businesses are transforming all over the place. Does, does cybersecurity get a shot at that at some point? So when you had, I, I, I equate transformation to modernization. So the word modern, here's what, what caught me as well, because I do think it, and it's not just buying the latest and greatest technologies or getting the latest feed or five feeds instead of two. That doesn't make it modern. Modern is thinking differently about it and applying new ways and the new approaches, leveraging new frameworks.

Yeah, and, and maybe even redefining how to, like you said, measure and report out. Yeah. Um, if you, if you switch those up from the beginning, you might end up in a very different spot that's much more powerful and meaningful. Where, guess what, Allyn? You might actually stop worrying.

[00:31:02] Allyn Stott: That's the hope. That's the

[00:31:05] Sean Martin: hope.

Uh, this has been a fantastic chat. Um, Allyn, did you have anything else you

[00:31:11] Allyn Stott: wanted to add? Uh, yeah, I, uh, I write a very infrequent newsletter, um, uh, it's called Meoward, M-E-O-W-A-R-D, .co, .com, whatever you want to put in there, um, and, uh, the, uh, yeah, I just hope folks can, folks are interested in coming to the talk, uh, I like to say that, you know, for those that do incident response, especially, um, there's a, there's a moment that I, I always have with those folks where I say, you know, we're, we talk about what we do and like how it stops and, you know, we, we do this amazing work and then what we do is what we report is we just report time to detect, our time to respond, and our time to contain. And we don't say anything about the impact we're having to the business and, right, what we need to change, where we need to go.

[00:32:09] Sean Martin: Exactly. Exactly. Uh, this has been, uh, a ton of fun. I, uh, will include a link to your, your newsletter so people can connect to that.

Uh, so be sure to get me that, uh, meoward.com verbally there again. Um, How I Learned to Stop Worrying and Build a Modern Detection and Response Program, uh, by Allyn Stott, of course. It's Tuesday, December 7th, at 11:20. Uh, Black Hat Europe is December 4th through the 7th, uh, at the ExCeL London in England, of course.

Um, sad I won't be there for that. Maybe next time I'll get to join you in person. Um, if you're there or you have a way to, uh, to, to get, get a chance to see this talk, I would encourage it, uh, um, on the great topic. And it seems like you're doing some really good work there, Allyn. So congratulations on the talk.

Um, hopefully, hopefully you get some good, good engagement in the session and, uh, yep, people can connect with you. Uh, LinkedIn will, will share that as well for folks if they wanna reach out to you there. So thanks again, appreciate your time and thanks everybody for, uh, listening and watching, and hopefully you learned something new and, uh, and we made you think a little bit and go see Allyn.

That's all I'm going to say there. Catch you later. Subscribe, share with your friends and enemies. See ya.