Our Security Team’s Love Language is Buying New Tools

It’s easy to focus on the latest advancements in security tooling. But security incidents often don’t happen because you lacked the latest and greatest technology. They happen because your work culture is actively working against your security efforts.

This week’s episode is hosted by me, David Spark, producer of CISO Series and Andy Ellis, principal of Duha. Joining us is our sponsored guest, Tim Leehealey, VP of corporate strategy and operations, Strike48.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Strike48

Strike48 is the Agentic Log Intelligence Platform that actually puts AI agents to work, combining full log visibility with AI agents that investigate, detect, and respond 24/7. With pre-built agent clusters for security and a no-code agentic workflow builder, it’s easy to get started. Learn more at strike48.com/security.

Security tip of the week – Qualys


Head over to qualys.com to learn more.

Full Transcript

Intro

0:00.000

[Voiceover] Best advice for a CISO, go!

[Tim Leehealey] Well, I don’t know about best advice, but I like the best definition for you. The best definition I ever heard of a CISO is someone who can tell you why the protection architecture he had in place yesterday didn’t work. It’s just [Laughter] it’s the nature of the beast, right?

The attack profile is always built around whatever protection architecture’s out there today, but the reality is half of your job is explaining why what you had in place didn’t work. [Laughter] It’s a tough life to lead in some ways.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. And joining me as my co-host, you know him, you love him. It’s Andy Ellis, principal over at Duha. Andy, say hello to the audience.

[Andy Ellis] Good indeterminate time of the day, folks. I don’t know what time it is right now, and I don’t know what time you’re going to be listening, so enjoy.

[David Spark] By the way, Andy claims that he has a cold of some sort, but you sound perfectly fine, Andy.

[Andy Ellis] It is amazing what modern pharmacology will do for one.

[David Spark] I’m very impressed. We are available at CISOseries.com. You should check out all the wonderful programming we have over there. And a big shout out to our sponsor, brand-new sponsor, Strike48, the agentic log platform without blind spots.

So, Strike48 unifies your logs and agentic AI, making full coverage economically viable so agents can actually do the work, and we will be talking about that more later in the show. And actually, they’re responsible for our guest today.

But first, Andy, we’re going to give a little inside baseball to how this show is created. Before we hit Record, Andy and I decide what is going to be our opening banter. We have just like a minute of opening banter. And I’m always trying to think what is relevant for our audience.

Andy just thinks, “Oh, this episode’s going to come out on this date? Well, we should be talking about St. Patrick’s Day or Purim or whatever holiday is at the time.” And I always say people don’t care. Andy, what’s your say to this?

[Andy Ellis] I think that people do care. It helps humanize us a little bit. It helps anchor them in the world. Even though this content is evergreen, it does create a little rhythm and flow. Like we should talk a little bit about major sporting events and the various holidays, especially where they’re meaningful for us.

[David Spark] Andy, yes, some people care about this. I will agree that some people care, but I’m trying to hit more people that care about this.

[Andy Ellis] But I think the challenge is if your definition is everybody has to care about it…

[David Spark] Not everybody, the greater majority. [Laughter]

[Andy Ellis] Now, you’re not going to find anything the majority cares about. The goal is to create micro-inclusions, lots of little places that as long as somebody cares about one of them, then they feel included. But if you try the one thing that a majority cares about, well, what you’re really saying is that a near majority will not care or be outreached at all.

[Tim Leehealey] I just want to…

[David Spark] Tim’s jumping in as our guest. Go ahead.

[Tim Leehealey] I just want to say, yeah, if the audience doesn’t know, I did in fact hear these knuckleheads argue about this before the show.

[Laughter]

[Andy Ellis] I would like to say there’s only one knucklehead here. The other one’s a pinkyhead. You can decide which is which.

[David Spark] All right. Let me just point something out. This is something we debate about all the time. By the way, being the producer, I always pull rank and say, “We’re going to talk about this,” but this was the first time Andy truly won over and says, “Why don’t we talk about this debate we constantly have?”

[Andy Ellis] Yeah. So, folks, if you’re actually listening and you care one way or another, drop us a comment, either via LinkedIn, the CISO Series.

[David Spark] We actually have a feedback@CISOseries.com.

[Andy Ellis] Feedback message, lots of places where we will listen. Tell us what you think. Do you enjoy that we banter about pablum or do you want us to banter about things that you might not care about but are still relevant?

[David Spark] Well, this is dropping just a few weeks before RSA and I was going to bring up something about RSA and schwag, which I thought it was more relevant for everybody here.

[Andy Ellis] Oh, could have, but you didn’t mention that in our pre-banter banter. You just said nobody wants to hear about Purim, which is today as it drops, or the Super Bowl, which we happen to be recording this right before.

[David Spark] And he’s going to it as well.

[Andy Ellis] And I’m going to the Super Bowl.

[David Spark] Again, they’re all interesting, but the greater majority would care about schwag at RSA. My main comment about that.

[Andy Ellis] Maybe, but sometimes we banter about pinball, and so I’m not convinced that you can say it’s about the majority.

[David Spark] That was just leverage on you because we had a guest on who was also a pinball nerd like me. Let’s bring on our guest who you just heard moments ago. He hasn’t been introduced yet. All right? He called us knuckleheads, I don’t know how we’re…

[Laughter]

[Andy Ellis] I’m happy. He’s welcome back with that.

[David Spark] All right. Our sponsor guest, he is the VP of Corporate Strategy and Operations over at our sponsor, Strike48. So thrilled that he’s here, Tim Leehealey. Tim, thank you so much for joining us.

[Tim Leehealey] It is wonderful to be here. Thank you for having me. Despite the knuckleheads, I do, in fact, enjoy the banter. [Laughter]

[Andy Ellis] I got a question, Tim. Are you the VP of Corporate Strategy plus the VP of Operations or are you the VP of Corporate Strategy and the VP of Corporate Operations?

[Tim Leehealey] I am too old to care, my friend.

[Laughter]

[Tim Leehealey] They came in, they asked me a year ago to join the company and sort of repivot the company. So, it was sort of the strategy. And then over time, we’ve been successful. And so, I’ve assumed more and more of the org.

[Andy Ellis] There you go.

[Tim Leehealey] But at one point, they asked me if I wanted to be a senior VP or a VP. And I was like, “I’m too senior to care about [Laughter] either of those two things.”

[David Spark] Would it change your salary?

[Tim Leehealey] No!

[David Spark] Yeah. So, what does it matter?

[Andy Ellis] Yeah.

[Tim Leehealey] Yeah. Exactly.

[Andy Ellis] My general answer is if it’s not going to change the salary, you take the lower pay grade. So, by the time HR gets formalized, you can be like, “Oh, I need a promotion and a salary raise.” Whereas if you already have the promotion, you can’t get the salary raise with it.

Are we creating more problems?

6:17.555

[David Spark] “When everything is labeled high priority, the system forces a trade that nobody wants to admit out loud. Speed competes with quality while the demand for perfection stays absolute.” Now, unlike security teams responding to incidents in real time, forensic examiners – we rarely talk about this – face a different hell, argued Eric Waldrep of the Waldrep Company.

Their work must be 100% correct because opposing experts will retest everything, and small mistakes cascade into major legal consequences. They’re operating in a moving ecosystem where OS updates and AI-generated evidence shift what artifacts mean, all while being told every case is urgent.

Andy, is demanding perfection from forensics teams realistic? And how many security leaders understand the legal weight their forensics teams carry when an incident moves from response to litigation? What say you, Andy?

[Andy Ellis] So, I think the first thing to note is that most forensic investigations do not go to litigation.

[David Spark] That’s good.

[Andy Ellis] And maybe that’s a misuse of the term forensics, but there’s a lot of forensics professionals that are really just amazing incident responders, and they don’t need that level of perfection, right? We need to know what happened. We don’t need to prove it in a court of law.

We need to prove it to ourselves, much lower standard for perfection. When you’re going to go to litigation, it is going to be very different at that point. And I think it is reasonable to demand a type of perfection, but people often ask for the wrong one, right?

The perfection you need is the perfection of defensibility. Everything you say must be defensible. It is not that you have perfect knowledge of what happened. It is that you make no argument that is indefensible.

And that’s really hard for a lot of people to wrap their heads around, is that you’re basically, you’re a witness, and you have to say only the things that you can prove are true. And so, if you can’t prove it’s true, you have to put that caveat to say, “Well, I might think this, I had this picture, but I don’t know that the picture was really there. In what way might I be wrong?”

[David Spark] Good point. All right, Tim, I throw this to you. First of all, have you dealt with forensics? I think you have a long history of this, yes?

[Tim Leehealey] I have a lifetime in forensics.

[David Spark] So, did you feel this level of pressure that I described here?

[Tim Leehealey] Well, so it’s funny, I think you go in with that assumption of that level of pressure, but actually, after you’ve been in the ring so many times, you sort of realize when a jab is coming versus a haymaker.

[David Spark] Mm-hmm.

[Tim Leehealey] And if you adjust accordingly, right? Perfect example would be any given piece of evidence on the computer, it just is what it is. You produce it, fine. But opposing counsel will often go after the procedures you utilized, the approach you took, the documentation.

And it’s so funny because you as a forensic practitioner, you’re worried about, hey, did I do the memory parsing correctly? Or did I do this right? And that is very much over the head generally of opposing counsel and not the sweet spot they’re coming after.

So, oftentimes, it’s not that you don’t have that level of pressure and that they won’t get you or they won’t come after you for it, but you have to put yourself in the mind of opposing counsel, and they will come at you where they think they’re strong, and that’s in procedures, in logistical stuff.

Generally in the stuff you as a technologist aren’t even paying attention to. And that’s when sort of like at AccessData, which is a company I ran for a long time, in the training courses. We would hope it focused heavily on that type of stuff because that’s what gets really attacked.

[Andy Ellis] Yeah, I think a great way to look at it is opposing counsel is attacking your credibility, not your conclusion because they don’t have the credibility to defeat your conclusion until they defeat your credibility first.

Managing security changes for business optimization.

10:25.965

[David Spark] “Your firewall isn’t the problem. Your SIEM isn’t the problem. That shiny new EDR tool you just bought, also not the problem.” Culture eats your security posture for lunch, and the proof is in every exception request you approve, argued Maman Ibrahim and Gavriel Schneider in a CSO Online piece.

Executives get device exceptions. Developers turn off security controls because they slow deployments. There’s an unspoken rule that senior enough people can overrule security. The list goes on. All this shows that you’ve got an anti-security culture actively working against you.

With all those exemptions, is that a failure of your security awareness program? Or is your approach just wrong when you’ve built friction that your existing business culture can’t accept? You’re always walking into a business culture in motion, and your job is figuring out how security fits within it.

I’m going to start with you, Tim. How do you know when to push back on culture versus when to redesign your controls around the culture you’ve got?

[Tim Leehealey] Yeah, I mean, my guiding rule here is security needs to be an enabler of business, right?

[David Spark] Right.

[Tim Leehealey] And too often professionals sort of come into a security profile and they know how security is supposed to be done, how it’s correct, how to protect the business best. But if you’re not enabling the business, particularly, I’ve lived my whole life in small tech, and you’re just trying to run fast.

Do you know what I mean? And security is critically important, don’t get me wrong, but so are the market forces that are coming after you. So, if you’re a security professional and you come into an organization that has to run fast to survive, then you have to understand that exceptions are going to be a part of the security profile, and how do you work around them?

You shouldn’t build this rigorous profile and then have these exceptions sort of just bleed out. They need to be part of the pre-thought-out solution. That’s the only way you survive.

[David Spark] That’s a good point. That if you do have exceptions, don’t think this is a hole in my security. This is something that is expected and I have to build around it.

[Andy Ellis] Yeah, I think that the challenge is the question was like, do you have an anti-security culture? And I think you have the opposite, which is you have an anti-business security culture.

[David Spark] Okay.

[Andy Ellis] Right? If you have a set of executives, and I remember when Blackberries were all the rage, like before the iPhone, and every sales rep wanted a Blackberry. And I got into a fight with our head of IT, and the head of IT is like, “We can’t support these so they’re not secure.” And I said, “The business needs them. We have to figure it out.”

This is the difference in those two cultures. It would be like saying, let’s say your first job was inside a SCIF, inside a salt mine, buried under a mountain. Imagine the most insane level of security controls you could put around a building. It’d be amazing, right? And you walked in and said, “That is how I’m going to secure everything I do from now on,” and then you went and opened a McDonald’s franchise, right?

[David Spark] Mm-hmm.

[Andy Ellis] You can’t run a McDonald’s franchise that way. Like this is not the security model for that business. It’s a very different one. And that’s what you have to do. You have to start from first principles when you walk into a new business and say, “What is the culture of this business? What is the pace at which they operate? What is the risk they’re willing to take?” And now I’m going to have to figure out how to secure that, and that might require some really ugly trade-offs.

[Tim Leehealey] Can I give a great example of that?

[David Spark] Yes.

[Tim Leehealey] I had a security professional that came out of the Army and really talented, super smart guy, but the first thing he wanted to do in our small sort of startup mentality company was disable all the USBs. And he told stories about in the Army how they went through with a glue gun back in the day before they had security and they glued them shut.

And I’m like, “That is just not going to fly here, get your glue gun at home. We have to sort of adjust your brilliance to the way we need to do business.” He was able to adapt and we were successful, but the mentality was not appropriate for that business.

Sponsor – Strike48

14:45.826

[David Spark] Before I go on any further, I do want to tell you about our fantastic sponsor, and that would be Strike48. So, everyone’s talking about AI for security. You hear this on all our shows. Copilots, assistants, chatbots, the list goes on. However, it’s no secret that AI is only as effective as the data it can access.

So, how much time is AI really saving you? Can it query the data it needs or just a few isolated silos? Can you trust it to do real, reliable security work?

This is where Strike48 enters. The first agentic log intelligence platform that gives AI agents the visibility needed to take a load off your team. Now, if your SIEM costs force you to drop logs or put them in cold storage, any existing AI you deploy will have blind spots.

Not anymore. Now you can maximize log visibility without blowing the budget. Plus, the platform connects to your logs wherever they live, so you can keep the technology you already have. With Strike48, you can deploy pre-built agent clusters or build your own agents and workflows covering phishing, threat intel, alert triage, and more.

Go ahead, try Strike48 for free. You can do it. Just go to their website, strike48.com/security, and start deploying log intelligence agents today. Remember, that’s strike48.com/security.

It’s time to play “What’s Worse?”

16:22.802

[David Spark] Tim, are you familiar with this game?

[Tim Leehealey] I’ve never played it before, but let’s give it a go.

[David Spark] All right, it is a very simple concept. I’m going to give you two scenarios. They both stink. You have to determine from a risk management exercise which one is riskier, will cause more problems. Now, this comes from Joseph Carson of Segura, and we did a recording earlier, and he came up with what Andy believes the best “What’s Worse?” comparison because Andy truly struggled [Laughter] because it was something that could have been a big nothing or a big giant problem.

[Andy Ellis] Yep.

[David Spark] This one is definitely a problem, but definitely I think one side would definitely be a problem no matter what. I think the other side could conceivably be no problem, conceivably. So, here you go. Here are your two bad scenarios. Scenario number one, a temp worker with domain admin.

[Tim Leehealey] [Laughter] Okay.

[Andy Ellis] Wait, that alone is pretty problematic, okay.

[David Spark] All right, hold on, you haven’t heard the other one.

[Andy Ellis] What do they do with it?

[Tim Leehealey] [Laughter]

[David Spark] It’s pretty bad. I know it’s pretty bad. It’s a good one.

[Tim Leehealey] [Laughter]

[David Spark] Or no one has domain admin access when production is down.

[Tim Leehealey] Oh.

[David Spark] Just Tim, don’t answer first. We make Andy answer first, so hold tight.

[Andy Ellis] I have to answer.

[David Spark] Yes, and you have to agree or disagree with Andy. And I always love it when people disagree with Andy.

[Andy Ellis] So, I’m assuming implicit in this that we’re a Microsoft shop, so I can’t just go with the easy out of find that nobody has domain admin access because we have root access on all Linux machines, and that’s production.

[David Spark] Yeah, or Microsoft, yes.

[Andy Ellis] That would be the cop out. We’re disregarding that because that violates the Nir rule. I think this one actually, as much as I laughed right up front and said, “Okay, domain admin with this temp employee is bad,” I think nobody with domain admin when you need domain admin, that’s presumed in the everything is down.

I think not having anybody with domain admin is actually worse than that.

[David Spark] But let me argue with you. That is definitely bad when it’s down.

[Andy Ellis] Mm-hmm.

[David Spark] But that wouldn’t necessarily cause the havoc that a temp worker could do.

[Andy Ellis] Ah, wait.

[David Spark] [Laughter]

[Andy Ellis] You just had to do such a massive caveat – wouldn’t necessarily cause the thing that could maybe happen in this other scenario.

[David Spark] No, but you see, the domain admin, here’s the thing. Not having domain admin when production is down doesn’t mean you’ve had a hack or anything like that.

[Andy Ellis] No, but it means that I can’t necessarily get back from it.

[David Spark] Right, correct, correct.

[Andy Ellis] Because it’s not a bad scenario. So, I’m presuming that the not having a domain admin while production is down is impacting my recovery.

[David Spark] Yes.

[Andy Ellis] When if it’s impacting it, it’s in a big way for not having a domain admin.

[David Spark] Yes, it is. But I’m just throwing out, it’s not a hack where things are being stolen. It doesn’t have sort of that extended concern to it.

[Andy Ellis] So, I’ve been a temp worker before. In fact, I am a temp worker now.

[Laughter]

[Andy Ellis] I work for several companies on temporary contracts. So, I think that one of the…

[David Spark] But I just want to point out that the first one, where before we talked in a previous episode, it could be a big nothing or it could cause serious havoc.

[Andy Ellis] Yep. In this case, it could cause, which is a little bit different than it will cause.

[David Spark] No, it’s not a will, it’s a could, yeah.

[Andy Ellis] Yeah. So, I think this one’s going to come down to what do we define as a temp employee? Do we assume all temp employees are malicious? If we do, why do we have temp employees? There’s a lot of challenges around that.

[David Spark] Well, they all take Post-it notes, right?

[Andy Ellis] But that said, sometimes you are going to hire, like this is what VCISOs are, right? They’re temp employees that have domain admin access often because they’re the person at the root of your security. So, I can’t arbitrarily say that is bad.

[David Spark] When we say temp worker, we’re not talking about a VCISO.

[Andy Ellis] It wasn’t specified here. Maybe.

[David Spark] For the purpose of this, we’re talking a low-level peon. It’s a Kelly girl. [Laughter]

[Andy Ellis] Well, I was a Kelly girl, so maybe it was me.

[Tim Leehealey] [Laughter]

[David Spark] You were a beautiful Kelly girl. By the way, they don’t still use that term, do they?

[Andy Ellis] Well, when I worked for Kelly Services, I was a Kelly girl. So, I will still use that term.

[David Spark] Okay. All right. What are you picking here as worse?

[Andy Ellis] I’m saying the second one is worse because it is demonstrable and real problem impacting the business, and that impact came from our inability to have redundant domain admins.

[David Spark] All right, Tim, we throw this to you. Agree or disagree with Andy?

[Tim Leehealey] I’m going to agree with him under the premise he’s using. That said, I think the nature of the question, actually, assuming you have an admin that has domain access, I think that’s the essence of the question. Some random person has domain access.

And I live in a world in where with the mindset that if it could happen, it will happen. I have lived both of these scenarios.

[Andy Ellis] Mm-hmm.

[David Spark] Hold it, wait, wait. So, could happen, will happen. And you’re not leaning towards the first one being worse?

[Tim Leehealey] No, I only lean toward… I said, Andy is right using the premise he did, which is maybe it’s a CISO that has temp access or whatever. He sort of grabbed onto the temp. But in my mind, if the question is really, they’ve been so casual, they gave a random assistant domain access.

[David Spark] That’s the implied intent.

[Andy Ellis] No, that was not specified. And the Nir rule is very clear on this one.

[David Spark] When we say temp worker, we don’t consider a VC. We have in our mind what a temp worker is.

[Andy Ellis] Wait. Okay, I want to ask the audience to reach out to us. Do you consider a VCISO on a time-limited contract to be a temp worker or not?

[David Spark] Yes. Technically, yes, you’re right. You don’t need to ask the audience.

[Tim Leehealey] It’s not the nature of the question, though.

[David Spark] That’s technically correct. But in the spirit of this question, it is not considering a VC. So, go ahead, Tim.

[Tim Leehealey] Let me tell you the two scenarios I’ve lived through.

[David Spark] Okay.

[Tim Leehealey] I have routinely lived through the second scenario, in which I have been involved in a group where we didn’t have the access we needed, maybe it was domain, maybe it was whatever. We didn’t have the access we needed, and a customer needed us to have that access to get them back up and running.

It is like I’ve pulled so many all-nighters I can’t even tell you related to issues like that. It is painful. You have to report it immediately to the CEO, you get punched, but you did everything you could. Eventually, someone with domain access rolls in and everything gets better, right?

I’ve lived that. It is awful. And I’ve lived it a good number of times.

The other situation I lived only once. I was an investor in a company that was casual with its security. It was rolling, it was doing about 20 to 30 grand a month. It was a small company. It was a virtual desktop. And I got a call out of the blue from the CEO, “We’ve been completely encrypted.” Company shut down the next day.

So, if it’s going to happen, if you’re casual with security, it just does happen. It was like three years.

[David Spark] Well, that sounds a lot worse. I would think you’d lean towards the first one.

[Andy Ellis] Wait. But was that breach caused by a temp worker?

[Tim Leehealey] No, but my point is, if you’re that casual.

[Andy Ellis] You’re just saying that that’s an indicator of sloppy security, which I might agree with, but that’s definitely outside the realm of this scenario.

[David Spark] I think you are both arguing the first one but picking the second one. This is what I think’s happening.

[Tim Leehealey] I mean, again, it’s sort of definition of question. But I would say if you are truly as casual as to give domain access to some random person in your network, that’s worse because you will eventually get completely owned.

[David Spark] Then you’re picking the first and you’re disagreeing.

[Tim Leehealey] Yeah, again, it was under how the premise, how Andy was sort of viewing the question.

[Andy Ellis] Yeah, but he’s changed to a completely different premise. It’s not Carson’s question.

[David Spark] No, it is Carson’s question. You know what? Joseph Carson’s going to respond.

[Tim Leehealey] [Laughter]

[David Spark] He’s going to tell us what his intention, which I’m thinking is, what I’m thinking, I’m going to make sure that he lets us know.

[Andy Ellis] Yeah, you’re going to make sure that you can put words right in his mouth.

[David Spark] Essentially, under – so if I have this right, Tim – under Andy’s premise where the “temp worker” could be a VC, so it’s no big deal, you picked the second is worse. But if the temp worker is a rando, like you were saying earlier, then yes, the first one’s worse.

[Tim Leehealey] Hundred percent.

[David Spark] Okay.

[Andy Ellis] Like if the scenario was roll D100 and that employee has domain admin, I might’ve felt a little bit differently about it, but that was not. And just to be clear, I don’t think having a temp worker with domain admin access is good. I just don’t think it’s bad as the demonstrable incident of we are down and cannot recover because we don’t have anybody who has admin access.

[David Spark] Yes, but what I’m saying is that is a known entity of being bad where the other one could be catastrophic. Like the company shut down in Tim’s example.

[Andy Ellis] Yeah, but I’ve lived that. I’ve lived that one where it required me to hop in a Humvee, drive across the desert and reboot systems from master floppies to recover the admin access that we had lost.

[Tim Leehealey] Yeah, I mean, listen, I’ve lived the second one so many times. It’s just not uncommon, but I’ve also lived the first one, which I only lived once, and it was way worse than all the second ones put together.

Please enough! No, more!

26:02.136

[David Spark] Today on “Please enough! No, more!” we’re talking about the SIEM. You’re familiar with the SIEM, right, Andy? Have you seen one before?

[Andy Ellis] Maybe, just a little bit.

[Laughter]

[David Spark] Andy, we’ve heard a lot about the SIEM, and we’re hearing a lot more about it now that there’s AI. So, what have you heard enough about with the SIEM, and what would you like to hear a lot more?

[Andy Ellis] So, it’s hard to say what one [Laughter] thing I’ve heard a lot about because it feels like every other day, I see another startup that’s either they’re doing AI threat hunting or AI detection engineering or AI SIEM optimization or AI SOC or AI this or AI that.

They all have the word AI in it. And so, I guess what I’m tired of hearing is how is AI going to make yesterday’s log management world better and how is the future of incident management and event management going to be built on top of an AI model, rather than just trying to replace the people who aren’t doing the job with AIs that can do the job.

Like, what’s the new things we get? That’s what I want to hear about.

[David Spark] I like that. All right, this leans into you, I think, a little bit, Tim. I know you have a long history with SIEMs as well. So, tell me what you’ve heard enough about with SIEMs and what you’d like to hear a lot more.

[Tim Leehealey] Yeah, I mean, I couldn’t lean more into what Andy just sort of talked about. The reality is sort of the copilot on top of the SIEM, if you will. It’s cool. It’s got a big gee whiz factor to it, but it’s just sort of more of the same. Okay, now I’ve got an agentic SIEM versus a not agentic SIEM.

And it didn’t sort of broaden my view of the overall security architecture or the overall security profile. And I like to sort of think about how AI is changing even the place of the SIEM in the org, right? If you stop thinking of it as a siloed tool within security, and you do AI and agents correctly, like that’s what we’re trying to do at Strike48, the SIEM can become a whole lot more than just the place you go to throw alerts and do first pass investigations.

[David Spark] This is what I want to lean into right here. So, explain what Strike48 is doing that is not the traditional SIEM.

[Tim Leehealey] Yeah, I mean, we took the SIEM as the starting place, but we didn’t go to just agenticize it. The moment we sort of stepped into the AI microagent/agent workflow world, we started to say, “Hey, actually, there’s a whole lot more than just simple security we can do here.” Sure, we can automate what an L1 is doing, what an L2 is doing, root cause analysis.

That’s all cool. That’s really phenomenal gee whiz factor. But we don’t need to stop there. You can do observability workflows now. You can do an agentic NOC. You can take the SIEM, if you will, and stop viewing it as a siloed security tool and view it as the central hub for your sort of agentic log management, if you will, and start to try to extract all the value that the logs bring.

Not just the tiny little sliver of alert profile information they can give you. Instead, hey, what can they tell me about my business? What can they tell me about my applications, about so on, so forth?

[David Spark] So, let’s get into some actual hard examples because I’m having a hard time understanding, well, what can I do with all the data versus just a sliver of data. Explain.

[Tim Leehealey] Yeah, so I can use a perfect example. We got involved in a company that was interested in agentic SOC. That is usually how we get involved. We have a SIEM history. We’ve got this phenomenal agentic layer now. So, agentic SOC is a good starting place.

It took about two weeks before they were far more interested in agentic fraud management. So, they are a finance organization, and they use logs as a way of first pass detecting fraud in their org. Two weeks into this, we were building bots and workflows and agents to agenticize that problem.

A more common example is we’ll get in under agentic SOC, and before we know it, we’re talking agentic NOC. Because if you think about a normal NOC workflow, it’s looking for some set of alerts, right? And then assessing whether the alert is valid or not.

And then filing some ticket in a ServiceNow or Salesforce or JIRA or whatever, that’s like a layup for an agentic solution. Agents do that kind of stuff so well. But yeah, it’s not the purview of the security org, right? It’s an adjacent org, and there are compliance use cases.

In my view, we should stop thinking of the SIEM as sort of this particular Gartner Magic Quadrant space and start to look at it as the hub for log-based intelligence, and that is the agentic approach we’ve taken. And it’s really paying dividends.

Security tip of the week – Qualys

31:21.299

[David Spark] Coming up next, how to handle exposure management as a business continuity discipline.

[Voiceover] Today’s exposure management tip is sponsored by Qualys.

[David Spark] Picture this, a nationwide retailer suffers a large-scale outage due to ransomware. The initial exposure was known about but had to be deprioritized because “it wasn’t critical.” In this attack, the exploited system supported logistics or point-of-sale synchronization, which are seldom prioritized as crown jewel databases, and the attack shut down stores nationwide.

The failure wasn’t due to lack of detection. It was due to a lack of understanding around business dependency.

Exposure management is more than security hygiene. It must also tackle business continuity issues. In a well-tuned security organization, the most mature programs don’t ask, “How bad is this vulnerability?” They ask, “What stops working if this gets exploited?” When exposures are mapped to revenue flows, safety systems, customer trust, or regulatory obligations, remediation stops being a technical argument and becomes an operational decision.

This is where exposure management programs level up. Instead of chasing severity scores, teams set their priorities based on what would actually disrupt the business. This kind of shift changes executive conversations from abstract security risks to real-world consequences, and this often makes the difference between fixing what’s simply loud and fixing what truly matters.

[Voiceover] Want to go beyond exposure visibility and actually reduce risk? Find out how by visiting qualys.com/ROC.

Surprising research just in.

33:17.421

[David Spark] “The lone wolf is often part of a pack, but a very specific temporary kind of pack.” New research presented at Black Hat 2025 analyzed over a thousand insider threat cases revealing nearly a third, 31%, involved collusion, but not the way we think.

These aren’t lifelong conspirators or close friends. They’re temporary heist crews who are there for that job, then immediately go their separate ways. Two employees with complementary access rights align just long enough to bypass controls, then they sever ties.

This creates a nightmare for detection because we’re hunting for lone wolves while missing these temporary packs forming right under our noses. So, Andy, I’m going to start with you. When you catch an insider threat, how do you determine if they acted alone, and how do you start to know how deep to dig?

Because this seems really tough.

[Andy Ellis] Oh, one of the very first insider cases I had to deal with was very much not a lone wolf.

[David Spark] Mm-hmm. But was it like the way they described it, like met and then dispersed, or it was a long-term thing?

[Andy Ellis] Actually, it was worse than that. The people who started it knew what they were doing was bad and they were really careful, but they left an email to each other about how bad this was, “Oh, my God. It’ll ruin our employer. They’ll go out of business if it ever comes out that we did this.” They were just trying to basically grift off of our service in a fashion.

I don’t want to leak sort of too much. And then one of them shared what they were doing with a friend, also inside the company, without all of the detail about it, without everything, just like, “Oh, hey, here. You can go do this thing.” And so, what happened was this like small grift grew and grew and grew, and how it finally came out was a brand-new employee to the company, during onboarding, got told by his manager, “Here’s a perk of being an employee. You get to steal in this fashion.”

[David Spark] [Laughter]

[Andy Ellis] They didn’t use the word steal, but let’s just be very honest. It was a form of theft and was like, “Oh, totally cool,” and shared it with his brother-in-law, who shared it with the internet. And we had a very unhappy customer who was stolen from for a lot of money.

I had to go do the investigation starting from the very end, from these people who’d just gotten this like, oh, they got briefed by a manager. Okay, I got to go figure out who briefed them and then who that person… And so I did, and it basically was two years of communications that I went through to go back to find the original people who had done this.

So, absolutely. I think the myth of the complete lone wolf, I mean, the 31% surprises me. I haven’t looked at this research. That feels like a really, really big number.

[David Spark] Okay.

[Andy Ellis] But absolutely. This idea [Laughter] that only one person in your company is willing to screw you over is, I think, a blind spot companies might have. I think you create a lot of people who might want to screw you over and might bitch about it over coffee.

[David Spark] But I also don’t get the sense that the other conspirator is technically an insider. Like it might be an insider threat and some other support.

[Andy Ellis] Well, but I think in this one, they had 240 cases of the 313. So, more than two thirds were groups of two or three employees acting in concert versus an employee with somebody outside.

[David Spark] Tim, going to you, since you have a long background in forensics, I’m sure you’ve seen this stuff, but have you seen these blips of, oh, information was passed or there were more than one and then they disappeared and there’s only one acting alone at some point?

[Tim Leehealey] All the time.

[David Spark] And are you able to catch that moment though, where you see more than one happening?

[Tim Leehealey] So, in the forensics world, it is almost… I was surprised. I actually thought 31 was low, to be honest, because in forensics world, it’s almost always the case that if you find one, there’s one or two more that are involved. They like to share.

They think they’re sort of getting away with something and they’ve outsmarted the system and they almost invariably want to share that and want to pull in at least one co-conspirator. The place that I have found that not to be the case is in crimes in finance.

Crimes where you’re altering checks or where you’re altering routing numbers or stuff like that. Then it’s almost, in my experience, it’s almost always been lone wolf. But more sophisticated, more like IP theft-related things. I almost, when I roll in, I almost always expect for there to be at least one co-conspirator.

[Andy Ellis] You’ve seen the same thing in finance, and I’m very curious if that says that people who work in finance know what they’re doing is wrong and are ashamed and are going to hide it or whether it says they just don’t want to share.

[Tim Leehealey] I feel like in the finance, they know they’re committing financial fraud.

[Andy Ellis] Right. Yeah, there’s a much higher standard and they know they’re falling short of it.

[Tim Leehealey] And there’s actual money going to wrong accounts, right? And they’re like, “I’m not telling anyone.” Whereas in IT or in IP, they’re like, “I’m getting away with something, but I’m going to need help to monetize this, and so let me pull in my buddy.” Like I remember in the, I was involved in the Bratz investigation, Mattel Bratz investigation, and they literally, they had a bunch of co-conspirators, and they had folders that they called “Things to take.” Do you know what I mean?

And there was this whole sort of temporary pack that was robbing, and then they got successful and they hired them all over, and then of course, the lawsuit came. But yeah, so I generally, when I roll into a situation, if it’s finance, I’m expecting one.

If it’s anything else, I’m expecting more than one.

[David Spark] Excellent.

Closing

39:07.641

[David Spark] Well, that brings us to the end of the show. And so, if you think you’ve got an insider threat problem, you’ve got a multiple insider threat problem, according to Tim, our guest for today’s episode. [Laughter] Thank you very much, Tim. I’m going to let you have the very last word.

I want to thank your company, Strike48. Remember, go to strike48.com/security to get to test it out yourself. It’s the agentic log platform without blind spots. And I’m assuming, Tim, people can reach out to you if they have questions. Yes?

[Tim Leehealey] Absolutely. I would love it.

[David Spark] Please make a plug for Strike48 if you have any special offer you want to give to our audience, and I want to ask, are you hiring over at Strike48? Let us know.

[Tim Leehealey] Yeah. So, for the plug, listen, come to strike48.com. I think we are doing something very interesting, very unique, not just your generic no-code agent builder. We’ve got microagents and workflows delivering really sophisticated IT use cases.

And you can play with it yourself. You don’t have to believe anything I said. There’s a very full functionality solution on the website. You can just sign up for an account and go to town, and I think get a good sense of what we’re doing. And yeah, we are absolutely hiring, and if you’re interested in being in a really exciting new AI world, send us your resume.

We’d love to read it.

[David Spark] Awesome. Thank you very much, Tim. Thank you very much, Andy. And thank you to our audience, as I always say, and truly, truly mean it. See, I get more earnest as I talk like this. I really appreciate your contributions and for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review.

This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com.

Thank you for listening to the CISO Series Podcast.

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.