The Cyber5 Podcast

Appropriate Security Tools and Log Aggregation at Scale For Medium Size Enterprise with Cboe Security Manager Jan Grzymala-Busse

Episode 26 of the podcast with Cboe Global Markets Security Manager Jan Grzymala-Busse covers important tools that give security teams a fighting chance to catch bad actors in the environment before they’ve met their collection and compromise objectives.


  • (01:07) Question 1: Organizations are never as well resourced as adversaries. What are the technical tactics that really underpin everything that advanced adversaries do in a network environment? (Gain foothold, lateral movement, etc.; see MITRE ATT&CK for example.)
  • (02:13) Question 2: What is your general guidance for being lean in cyber security defense that gives an advantage for security teams over well-resourced adversaries? Sub-question: Some say that organizations with limited resources should prioritize and “move left” on the MITRE ATT&CK framework and focus on initial access and execution, because if they try to focus on signatures and behaviors that are associated with collection and command and control (LOLBins, WMI, etc.), it gets far too complicated for an organization. Do you agree or disagree?
  • (05:01) Question 3: Odds are, the place a bad actor lands within the network of an organization is not the place they need to be to achieve their operational and collection objective. They will need to move around and at some point, that will not be natural. What tooling (including threat intelligence) should be prioritized to trigger anomalous activity for medium-sized organizations?
  • (10:09) Question 4: An adversary’s chance to be detected increases with time and it’s important to collect the logs that matter. What strategies have you used for implementing log aggregation at scale to reduce noise and reduce the time a SOC takes to detect and respond to actual bad events?
  • (12:00) Question 5: From a readiness and testing perspective, with many companies going to the cloud, what are the most effective testing mechanisms? Is escalating to domain administrator less important to protect against?

Episode 26 | October 1, 2020
