The Cyber5 Podcast

EP26: The Cyber5 – Appropriate Security Tools and Log Aggregation at Scale For Medium Size Enterprise with Cboe Security Manager Jan Grzymala-Busse

Episode 26 | October 1, 2020


Episode 26 of the podcast with Cboe Global Markets Security Manager Jan Grzymala-Busse covers important tools that give security teams a fighting chance to catch bad actors in the environment before they’ve met their collection and compromise objectives.

Outline:

  • (01:07) Question 1: Organizations are never as well resourced as adversaries. What are the technical tactics that really underpin everything that advanced adversaries do in a network environment (gaining a foothold, lateral movement, etc.; see MITRE ATT&CK for example)?
  • (02:13) Question 2: What is your general guidance for being lean in cyber security defense in a way that gives security teams an advantage over well-resourced adversaries? Sub-question: Some say that organizations with limited resources should prioritize and “move left” on the MITRE ATT&CK framework, focusing on initial access and execution, because trying to focus on the signatures and behaviors associated with collection and command and control (LOLBINs, WMI, etc.) gets far too complicated for such an organization. Do you agree or disagree?
  • (05:01) Question 3: Odds are, the place a bad actor lands within an organization’s network is not the place they need to be to achieve their operational and collection objectives. They will need to move around, and at some point that movement will not look natural. What tooling (including threat intelligence) should medium-sized organizations prioritize to flag that anomalous activity?
  • (10:09) Question 4: An adversary’s chance of being detected increases with time, and it’s important to collect the logs that matter. What strategies have you used for implementing log aggregation at scale to reduce noise and shorten the time it takes a SOC to detect and respond to actual bad events?
  • (12:00) Question 5: From a readiness and testing perspective, with many companies going to the cloud, what are the most effective testing mechanisms? Is escalating to domain administrator less important to protect against?