Testing, Learning, Evolving: How Practice and Precision Strengthen the SOC with Marty McDonald
Season 2, Episode #4

Mick Leach: Hello, and welcome to SOC Unlocked, Tales From the Cybersecurity Frontline. I'm Mick Leach, your host and guide on an exciting journey into the SOC universe. In each episode, I chat with various cybersecurity professionals about the latest in industry news, emerging threats, practical strategies to keep your organization safe, and more. And this week, I am excited to have on the show Marty McDonald. Marty, welcome to the show.
Marty McDonald: Thanks for having me, Mick.
Mick Leach: Yeah, absolutely. Well, Marty, first, I'd like to just kind of set the scene here a little bit, because you and I, we're just getting to know each other. So can you tell me a little bit about, and our listeners, a little bit about who you are, your current role, what you've been up to, and kind of how you got there as well?
Marty McDonald: Sure. I'm a principal security advisor at Optiv, which means I basically get to work with all of our clients in the pre-sales process and the services overlay for sales. I specifically work in the SIEM, SOC, SOAR world for all of our clients and try to do a lot of education for them on what we're seeing, what we're hearing from others. Everybody wants to know about AI now, so it's a good time to talk about that, I guess. How I got here, I started doing small business consulting when I was in college and have been doing consulting ever since for firms as small as me and the owner and as large as Accenture. So kind of everything else in between over the course of many years. I've been at Optiv for almost 13 years now and have had many roles from, again, consultant all the way up through leadership and now on the pre-sale side.
Mick Leach: Great. Well, this is an exciting conversation for me because I think you probably have the broadest range of experience of anybody that I think I've spoken with only because many of us have worked at specific companies and protected those companies and that's great work. But you go in and you've probably seen more environments than anybody I've ever met. Is that a fair assessment?
Marty McDonald: I've seen a lot for sure, absolutely.
Mick Leach: Okay, well, in the vein of that, then what is one recent shift or challenge that you have seen where security operations teams are really facing some challenges in that space?
Marty McDonald: I think, again, the advent of all of the AI tools has really started people focusing on how do we do better? How do we move this forward? We've been stuck in the same tier one, tier two, tier three model for a very long time now. And folks are realizing that that may not be the best. So many clients, when SOAR came out, thought that was gonna be the answer, and then quickly realized that it was a lot more challenging than they expected it to be. And so didn't get as much done there. And so now the promise of AI is a whole lot of what SOAR was, which is somewhat what SIEM was back in the early aughts. And so we're just reinventing it again. But I think if we continue to look at it in that same mentality and mindset, it's just going to be doomed to fail again. So, really helping clients think through what those processes are they're doing, and process automation, not necessarily task automation, is a big area that we're focusing on with a lot of clients right now. And it seems like everybody just wants to know what everyone else is doing, which, for the bulk of clients I talk to, is nothing. They're maybe doing a little experimenting here and there, but our top 1 or 2% of clients are actually doing stuff and I'm happy to share what they're doing, but most are still just trying to figure it out or running behind the business just trying to figure out how to secure what they've already done, which has also been a big challenge.
Mick Leach: Okay, now you said something there that I want to tease out because I'd love to hear you kind of unpack it a little bit more, which is getting away from task automation and truly into like process automation. Can you describe for me the difference between the two?
Marty McDonald: Absolutely, yeah, with task automation, it's, you know, I'm following these six steps. I'm going to do these six steps every single time. And those are the six steps I'm going to follow. It doesn't matter. Whereas with process, we need that reasoning model. We need the agent to take a little bit more to be able to go, OK, I've completed step one. Now I have a decision tree. Step one replied to this. And so it's more of that I'm trying to get to this outcome. How you get there is important. And we still need to know that because sometimes it takes the wrong path—really thinking through how we can teach and train the models to do what we want them to do, not necessarily exactly how to do every single step. I don't know if you've ever, I'm sure all the listeners out there have worked in SOCs and know that no two analysts ever do the same thing the same way twice. And so, you know, we can allow the AI that little bit of leeway, but we still want it to get to the outcome that we expect.
Mick Leach: Okay, okay. I've always agreed with that. I enjoy giving my analysts the freedom to innovate and figure things out. That's always exciting to allow them to do that. No, I appreciate that. So it's more in terms of like a holistic workflow automation, right? From cradle to grave, the whole idea of the beginning of this event to the end of this event.
Marty McDonald: And there's some of that. And also, we're finding with the agentic stuff today that if we let it run too many steps in a row, it fails or it gets way too off the reservation. So helping it understand what (I've been listening to the Dune books) the golden path is, you know, finding out what that's going to be for it, or just doing smaller chunks. So just a lot of what we used to do with SOAR. Start with the building blocks, the basic things, the smaller bits and pieces, and then work your way up to those larger playbooks. And so a lot of the same with some of the AI automation, we start with those smaller tasks and as we build out those individual task things then they can build into those larger processes for us.
Mick Leach: Okay. And it might be just a hallmark of how long I've been around that as soon as you talked about the challenges with SIEM and what we thought it was going to be. Then, SOAR came around and we thought it was going to be the savior, and then it wasn't. And now AI is here and we're all hoping, but, you know, AI wasn't, but now there's agentic AI and maybe we'll see. So I feel like I get my hopes up every time. This is going to be the one, this is going to be the one that really saves us.
And maybe this time, I don't know how many more "maybe this time"s I have left in me at this point before all hope is lost, but we'll get there. So talking about AI, right? What's one of the biggest misconceptions you often hear about AI and cybersecurity, especially since you see so many environments?
Marty McDonald: So many folks I talked to wanted to immediately replace their people. Not necessarily replace them, but allow them to do other things. We have a skills gap, we have a skills shortage. There's always a need for more people, not less. And what we're finding is it's kind of a junior intern right now. And so if you would allow the junior intern to run forward with something, awesome. AI can probably help you there. But if you're looking for a real tier one SOC analyst who's got some experience under their belt, we're not quite there yet. So having to burst that bubble for a lot of folks has been a little challenging sometimes. People who just want to buy a tool to replace everything, including all their people. There are some tools out there that are doing some really interesting things right now, I think. And they have the capability of replacing a lot and doing a little bit more cradle-to-grave type stuff. But we still need humans involved. We're always going to need humans involved because we're still better at pattern matching and finding things. And so, ensuring folks understand that humans are still really important. SOAR didn't get rid of humans; it just made them more efficient. AI is gonna be doing the same thing, hopefully with an easier path at this point.
Mick Leach: Yeah, it's funny. I sat on a panel. I had the opportunity to speak at SecTor in Toronto. So Black Hat organized a kind of conference in Toronto. So just this past week I was up there and speaking on a panel. And that was exactly one of the things that we were talking about is around having a human in the loop and why it remains important. I think a lot of that comes down to gut feel, business understanding and knowledge. Sometimes it's silly. It sounds silly, but I'm going to say it anyway. Knowing where the political landmines are at every organization, right? Like, there are certain servers or services or processes, applications that are so critical, and they're one of the sacred cows that you cannot touch. And you know, your junior analyst AI bot isn't going to have that knowledge, it's not gonna have that understanding and sort of that experience to know, you know, some of the nuanced decisions. Do I go ahead and quarantine based on an alert, an executive's workstation, right? Do we knock that thing offline because we saw one alert with like a medium confidence? You know, a human analyst is gonna be like, you know, maybe.
Maybe we RTR into that system and we start taking a look before we just knock it offline because that's gonna generate a lot of interest from that person. At any rate, these are the kinds of things that we were discussing in that panel. It was a lot of fun, but exactly to your point, Marty. So let me, sorry, didn't mean to start you, go ahead.
Marty McDonald: Yeah, that business context is huge. I think that's the biggest thing that is going to slow down some of the AI development is if you don't know who those people are, if you can't put them in a table that the AI can read to figure out if you're authorized, because that's what our humans do today, they go look it up, then we're going to cause a whole lot more trouble than we solve.
Mick Leach: Yes, yes, exactly, exactly. So let me flip this question kind of on its head and ask the opposite of it. Where have you seen AI or ML provide real value in the environments that you're working with and the customers that you're working with?
Marty McDonald: Two big use cases are the ones we're seeing. There's others, but two main ones are around threat hunting. So instead of the human needing to go and find the indicators and then go do the searches and pull all the data up and decide if they found anything or not, let the machines do that. So just whatever RSS feed, X feed, whatever you're getting your indicators from, feed that to the AI agent and let it go do that searching and hunting for you. And if it finds anything, bring it to the human so you can go to the detection engineering team, create the content and watch for it in the future. If we don't find anything, maybe we still do the same thing, but we at least know that the new thing isn't in our environment. So that can really cut down on that time, because most folks don't have a full-time dedicated threat hunter or threat hunting team. It's a part-time job here or there. And so if we can do that more at machine speed as those things are coming out, so much the better for us. The other.
Mick Leach: OK, have you seen anybody go, and this is just an off-the-wall question, but have you seen anybody go so far as to have the AI agent also propose like YARA rules that you could quickly plug into a Splunk or a SIEM or a SOAR to identify anomalous activity going forward?
Marty McDonald: Yeah, absolutely, because they're having to create that content to start with, to do the searching, to find the things. And so they're always bubbling that back up. Depending on the SIEM platform, sometimes it's a little better than others from an efficiency standpoint. But it gives you a place to start, which is often what we need, that spark of, I can make that better. So yeah, absolutely, we're doing that. It's not so much on the full detection engineering side yet. I think we'll get there in a little. There's a couple of the vendors who have agentic AI coming out early next year that are purpose built for detection engineering, for creating that content. So that's going to be interesting to see how it goes.
Mick Leach: Yeah, yeah, I know there are a number doing that. I've worked closely with Torq over the last couple of years. They're doing some really interesting things in that space as well. So definitely, and they're not the only ones, right? Not to just call out anybody. I know Tines is working on some really cool stuff. So there's some other folks out there, but I've been really encouraged by what I've seen from some of these folks. So, you know, what is your approach to reducing analyst burnout or alert fatigue, especially when they're bringing you in as a consultant, there's already a problem. They've at least acknowledged a problem exists. It's probably this way. Either they're not getting enough alerts and they need to figure out how to curate them and find them. Or more commonly, I suspect, but keep me honest here, is that they're simply overwhelmed, right? They turned on everything out of the box and now they're really struggling to find the wheat and the chaff. So what approach are you seeing, recommending, what's working?
Marty McDonald: A lot of it goes back to governance, which is something we don't think about often. But if we aren't doing a good job of deciding what logs we're sending in, what outputs we're looking for, what metrics we're trying to meet, then we really struggle just across the board because we've added so much wheat to the pile, we're never gonna find our needles. And so really thinking through that governance, and there's always been the two schools of thought in SIEM. The one is: send it all, we'll figure it out later. And the other one was: here's our use cases, only send exactly what we need. Finding that happy medium between those two with the governance side is really, really helpful, and really making sure that we understand what everyone's job role is. From a burnout standpoint, the thing that we do internally and that I think a lot of others of our clients are starting to do more and more of is job shifting. So today you're a level one, two, three analyst. Next week or next month, you get to do some threat hunting and then you get to come back and do some detection engineering. The detection engineers are having to sit with their content so they know what to fix and change and make better over time. And so doing some of that switching of roles, because if you're just a tier one and you're just constantly working tickets all day long, it's not fun for anybody. And so being able to switch that out at least occasionally and know what the path forward is can really make things a lot better for everyone.
Mick Leach: Yeah, and I've heard that as well and seen some good results from that, getting folks into threat intel and let them see the intel side of things, getting them into forensics and letting them kind of unpack those kinds of things. Just really giving them a broader view, especially for newer analysts, right? Those level one, level two folks that are coming in, they may just not have had exposure to all the different aspects of cybersecurity to include governance, right? To your point, Liz Matten is our director here over GRC and she's dead brilliant. And I love working with her because she's so good at what she does. She loves what she does, which is great, because I do not love governance. It is not my natural bent. I know that. But she does and she's so smart. And being able to cycle folks through an area like that where they can learn, they can see what's going on in that space.
And then they may realize, I love this. I love, you know, creating, you know, responses to these things and defining and, you know, measuring where we're at, all of that. So that's really exciting. Now, let me ask, kind of double click into this just a little bit here. You know, how do you see or recommend that teams stay engaged and get, and stay, motivated? 'Cause you probably come across teams that are kind of a little, you know, discouraged.
By the time you get the call, things are sometimes in a pretty bad state, I'm guessing. Have you seen that before?
Marty McDonald: Yes. Absolutely. And what we typically encourage folks to do at that point is to start doing more tabletops, which sounds weird. But in that tabletop, you're not necessarily just doing random things, right? You're inviting the Active Directory team to a meeting. You're testing all the content. You're validating that it works. You're talking with them about what might be coming down the pipe from Microsoft. Are they changing this or that or the other? Are we deprecating some domain controllers and moving more to Entra? Whatever that might look like.
And so you're getting to know them as humans. So when bad things happen, you already know each other as opposed to just everybody running around with their hair on fire. Inviting the communications team in, inviting the lawyers in so that when that bad day happens, that NDA doesn't freak you out as much as it would have if it's the first time you've seen it. So building that relationship inside the company more broadly often can help bring teams out of that funk they're in of, we're doing so much stuff, we're grinding.
Is it even, are we making an impact or not? I think as you start to interact with those teams and you see that the content you've built is actually successful at doing something, it's not alerting on anything and that's great, because we don't want it to. If it is, that's something really bad, but we see that it still works and that what we've done, the work that we've moved forward, has continued to decrease the risk profile of our business, can be a real pick-me-up to a lot of teams. And again, after those things, you go have a drink at a bar and everybody gets to know each other a little bit better and relaxes into it and it can make a huge difference because then you're not just showing up at somebody's desk every time there's a problem, you actually know them as a person.
Mick Leach: Yeah. Yeah. I can't agree more with this. I love it. I think, you know, the times that I've done tabletop exercises at previous companies, that's when not only do we get to know each other, and I think there's tons of value in that, but also there were times when, just talking through the situation, I would say, I would get logs from this. And then that team would go, you know, did you know that we actually don't have any logs? And you're like, wait, what?
How is that even possible? And then you come to find out that there were some choices made back at some point in time in history where decisions were made: don't log that stuff. These values, these events, we just scrap them. And then security's like, yeah, so let's change that like yesterday if we can.
Marty McDonald: Or you learn that the one person that everybody relies on couldn't be there that day, and everything falls apart because the one person's not there. So, you know, finding out all those things early is always very, very valuable.
Mick Leach: Yeah, yeah, absolutely. Okay, so changing gears a little bit. You know, what's one new or unexpected threat technique that has caught your eye in 2025? So this year, that's kind of new-fangled that you're seeing in the customer environments that you're going and supporting.
Marty McDonald: Yeah, and I don't see that as much anymore because I'm more on the pre-sale side. I think some of the interesting ones that clients have asked us to help them with that I've seen, again, not necessarily out in the field, but just heard about are some of the customer service type things people are trying to work their way in, whether it's with opening a new bank account on somebody else's behalf and then transferring money through some of the fintech companies. That one seems to be a difficult challenge for the banking industry to deal with right now. I'm trying to think of others that have come up. That one's been probably the most interesting one I've seen recently. And I don't know enough of the details to really describe it well, but that one's been interesting to see.
Mick Leach: Yeah, no, I mean, social engineering continues to be what I'm hearing about constantly. I don't think it's news to anyone that hackers have learned that hacking humans is a whole lot easier than hacking systems. Right. I don't necessarily need any special infrastructure or coding skills. I just can pick up a phone and reach a help desk. You know, we as humans, there's, you know, far, I'm trying to think of a way to say it.
I don't think there's more powerful words in the human language than "I need your help." Right? We are all sort of predisposed to respond to the need for help. And so if you can get an attacker that calls and reaches someone whose job it is to respond to the need for help and guide people through things, if you just call them and act a little lost, a little befuddled, I just, I don't know what to do. I got this email and here's a link, and you can guide them through installing malware, giving permissions away, giving access away, all kinds of crazy things.
Marty McDonald: Yeah, no doubt. The meme on Twitter this week was, you have EDR, they have a phone. They win.
Mick Leach: Yes, yes, exactly. Because you can sidestep very easily a multi-million dollar tech stack. It doesn't matter. You've got upper right quadrant, everything, EDR, CASB, DLP, whatever you name it. Put all the letters together in any way you want. And bad guys will still find a way around that. So that's challenging. Now, are you seeing adversaries leverage AI to some extent on this front in terms of social engineering?
Marty McDonald: All right. I think we're definitely seeing the deep fake kind of thing where someone's copying a voice or a face when they're doing interviews or when they're trying to interact with folks, for sure. Phishing emails, obviously, have gotten way better over the course of time. The generative AI tools are still fairly easy to convince to spit you out some malware if you want to work through it hard enough and ask it in the right ways and fictitiously create some things for a movie or something. And so we're seeing a few things like that, but still not as much as I would have expected by now. I think they're using AI, much like we are, to help plan to do some intelligence gathering, whether it's just going and scraping everything off LinkedIn to give it to them. So it's more of their planning and preparation and less of their attacks at this point.
Mick Leach: Yeah, I mean, we're seeing that as well. Of course, I have a different perspective being on the front lines here at Abnormal, seeing that kind of stuff routinely, but things like even purpose-built AI bots, things like WormGPT, are created specifically to side-step that. You don't even have to cleverly word it to trick ChatGPT into crafting a malicious message for you. WormGPT is just like, got you. You can be as mean or as clear as you want and it will still generate exactly what you're looking for. It's pretty terrifying. Kind of shifting gears a little bit now, looking a little bit more towards like modernization. Pardon me. Have you seen any of your clients adopt like cloud native or API first platforms? And if so, you know, what's the result? What's changed?
Marty McDonald: Yeah, I think we're definitely seeing more and more of that. Everybody still has some tech debt. There's always some on-prem stuff, but the tools that are out there for the SOC today are generally gonna be more geared towards that. I've given up on the next-gen term. I think it's ridiculous, because we're on the eighth or ninth next gen now. So just call it modern, which may not be any better, but the modern tools definitely are focused a lot more on how can I do API integrations with different things. So one of the ones I love is if your EDR fires an alert and your SIEM fires an alert, let's tie those together. So when we close one, it closes both. Yeah, yeah, because otherwise you look in your EDR and there's 10,000 alerts and you're like, because the MDR provider or the SIEM didn't take care of it for you. And so a lot of those simple integrations like that are making a huge difference for folks.
Again, doing some more of the SOAR automation, whether it's looking to do some additional enrichment or pull data from somewhere else, just to give us some more insights. An alert without enrichment to me is worthless. I need all the extra data for it to be actionable, and I can't do that if I don't know more than "bad thing happened." Okay, is that system even susceptible to that bad thing? I don't know. And so making sure we can pull all those things together, whether it's via API or automation or agentic AI now, I think is definitely the thing that we're pushing forward with and trying to get folks to think about more.
Mick Leach: Yeah, candidly. It's probably been, what's this, 2025? So I mean, gosh, going back even to 2012, an event without context, without enrichment, was not useful even back then. And so it's not gotten better over time. You know, we're expecting, and frankly, the tools today are capable of bringing us so much more, you know, context and enrichment around the events that occur. So, because you are on the front lines of this with clients day in and day out, what advice are you giving to your clients that are navigating this legacy to modern transition, to use your word modern there?
Marty McDonald: Yeah, it's a lot of just taking that step back and really thinking about what we are attempting to accomplish here. Is the goal to just take what we have and make it better incrementally or do we actually want to shift? And when we do a full shift, it's a lot more of a lift because we have to take that step back and look at everything that we're doing, how we're doing it, why we're doing it that way. Does it still make sense or not with the modern world we're in? We got an RFP a few weeks ago, maybe a month.
And they were looking for help building a traditional tier one, tier two, tier three SOC. And we went back to the client before we ever filled out anything. We're like, is this really what you want to do? In today's day and age, that's not what you should be doing. You should be looking at SOAR or maybe thinking about agentic to start with, and building with all of that stuff in place so that our level one folks aren't needed as much. Things are already done at that level because those things should be fairly rigidly defined, and the processes are easy to follow, the tasks are laid out, we can automate that.
So why would we want to bring humans in to do that work? I get it, it's a rite of passage. We all had to go through it. But at the same time, let's not do that anymore if you're starting from scratch or if you're trying to modernize. So taking that step back, looking at things more holistically is definitely a huge part of that. Looking at the tool stack, seeing where what they have makes sense and where it doesn't. We mentioned the context thing, the entity analytics that the UEBA platforms bring to you can help so much with telling the story out of the data, so you don't have to go find a bunch of stuff. And so if you have that legacy SIEM that's not doing that, that's definitely a huge step forward for you. So instead of needing to go look up the attack chain or the kill chain or the MITRE techniques or tactics, it's all built into the platform for you and can show you and tell you the story. That's one thing I've learned over the years, and this is a random side topic: if you can't tell a story, whether it's with the data or just in general, you're never going to get anywhere in this business. And so whether it's with metrics or just telling that attack chain story of X, Y, Z happened, we expect now that A, B, and C are going to happen, and C is bad. Let me alert you early. It has really changed the game for a lot of our clients and made them so much more efficient and effective. That's where the machine learning starts to come in, which is kind of the precursor to a lot of the AI stuff.
Mick Leach: Okay, I like that. I like that. Now shifting gears just a little bit more, especially, and I want to lean in here because you are an expert that, you know, goes and advises, you know, companies and customers all around the world around, you know, improving their security program, particularly on the operations side of things. So do you help craft, like, measuring and managing the environment, particularly around security operations? Is that an aspect that you do?
Marty McDonald: Yeah, our team does. I'm not out in the field as much as I used to be, but yeah, metrics is a huge part of what we look to work with our clients on. And so often there, we start with who are all the stakeholders? Who cares? Does the board care? Some boards care about phishing statistics. Others just want to know how much risk they bought down by that big investment. So understanding what the board cares about and how you're going to get your funding. So again, you're telling the right story to them. And then from the CISO down to the individual contributor, what metrics are important for those people.
If I am a tier one, tier two, tier three SOC analyst, seeing my mean time to detect and respond and gauging myself against my peers, if I'm competitive, which I am, is important, right? I need to know if I'm winning or not. And so that's a very different metric than I may need to feed up to the CISO, who's just, again, looking for that risk buy-down. I just bought this new thing. We integrated it with all of our tools, and that moved us from here to there or moved our maturity up. And so really, working through making sure that we're telling that story with all the chaos of data we have now is a critical part of what we're working with clients to help facilitate and help them to get built out. And we're doing that more in like Power BI or Tableau now, not even in the traditional SIEM tools, because I need to pull data from a lot of different places. And while the SIEM has the bulk of it, those other tools are more executive-friendly and they're a little bit more drillable into, and we can do things at the right level for our different folks.
Mick Leach: Okay, I like that. I like that. I like how you also mentioned kind of understanding, you know, which metrics are gonna be useful at different levels. You know, so when we talk to our leadership, for example, and we need to communicate risk and security return on investment, you know, what are you advising clients, you know, to do in that way where they can not only communicate the current risk state, if you will, and then measure it against what maybe our risk appetite is. But then also talk to, as you pointed out, right, CISOs have to justify the X number of dollars spent on the latest whiz-bang tool that's going to make us safer. How are you suggesting that they do that?
Marty McDonald: It varies somewhat from client to client, typical consultant answer, sorry. But the main thread there really is just getting that, we're buying a new vulnerability platform. Why? Is it just cheaper? Is that why? Are we looking is there any features or functionalities that we're buying it for? Is it something that, you know, it can scan things that the previous platform couldn't?
And so when we're making the investment, our business case, that why is gonna help drive some of the answers to the metric questions. Because if we're not measuring the things of, said we were buying it for this, we have to now measure those things to make sure that we're actually meeting them is really critical. I know in the SIEM space, a lot of clients are, they wanna reduce cost, which almost never happens. They want new features or new functionality.
They want to make their analysts more efficient. And so those are the things we need to measure at that point. Okay, we got the new functionality. We got the entity analytics now. What does that buy us? Cool. Now, instead of our analysts working four to eight cases an hour, roughly, now they're working 15 or 20. And that's a big improvement. And so looking at the outcome of the purchase when that's what we're trying to do is a definite driver. When it's on the risk side of things or the ROI, some of that stuff still applies, but on the risk side, it's really about, again, I made the investment, show me how this made our environment more secure. You gained more visibility, you gained additional functionality, again, whatever that may look like for the risk that we're trying to reduce for that particular instance.
Mick Leach: Okay, I like that. Now, I want to go back just for a moment because you brought up being a huge fan of tabletop exercises. You brought that up. What is one, you know, tabletop exercise or crisis scenario that you have seen or helped run through for an organization over the years that led to real change, that actually made a big difference in the security or risk posture of a company?
Marty McDonald: Often, just those general ones were the ones that we got really impactful value from, because we validated that the content was still good. We understood what was changing. I'm a big fan of the fundamentals. If we don't do the fundamentals well, we fail. And I think in the security industry, we often focus on the shiny and forget about the fundamentals. And so sometimes just doing those fundamental things is what continues to advance the program forward and helps you mature.
On the shinier side of things, this was many years ago, when I was consulting at a major retailer. And for them, access to all the PCI data was the thing. And so we simulated an attacker getting in via one of the PCs in a store and gaining access to all the data. And because they were in the store, the encryption wasn't working as it should have at that time.
And so they were able to access it all, pull it all down to a thumb drive, and walk out the door with it. And so, you know, walking through that simulation opened a lot of eyes and made sure that the encryption worked as it should have all the way through the process, as opposed to the way it was working at the time, and that USB drives were disabled in all of the POS machines. You know, again, things that today everybody does, but this was several years ago; it wasn't happening, because anybody could come and plug their USB drive in and copy something off or add some new thing to it, which caused lots of problems beyond just the scenario. But that was probably the one that opened the most eyes and made a lot of institutional change.
Mick Leach: Okay, I like that. I had the opportunity to hear the Chief General Counsel from Anthem speak after their breach. This would have been back in something like 2019. So this has been quite some time ago now, but kind of to your point around there's an aha moment or a couple in every sort of scenario. She explained to us that there was a moment, now this unfortunately was not a tabletop scenario. This was the actual incident response life cycle. They're in the midst of this, and they realized how many people they would have to notify. And they realized, you know, there's some silly things that go along with that.
They had no idea that it was going to cost quite so much money to send out the breach notifications. Like, just stamps alone, if you have to notify 30 million people or 100 million people. In their case, it was a large number. I don't remember the exact number, but it was a large number. But her point was, we had to realize we had to get access to that kind of money to simply buy stamps and get that stuff sent out. They never thought of that before. And I gotta be honest, I was sitting in the crowd going, my gosh, I never thought of that either. I mean, what other things haven't we thought about? The first time I did a ransomware tabletop exercise and we teased around the idea of, okay, fine, let's assume we're gonna just pay, right? It costs less than the operational impact. Who here has a Bitcoin wallet? How do we get X million dollars in Bitcoin into it? And how do we get it out of there? Like, who's done this before? And we were all left with this moment of, yeah.
So about that, right? Because we just, we'd never thought of that. We'd never gone that far, right? Like, isn't it sometimes in these tabletop exercises, you have a tendency to go, well, and then we just pay, right? It's sort of the D&D, the Dungeons and Dragons, thing. This just happens and we move beyond that. But thankfully the person running it was like, okay, I hear you, but let's actually, you know, step this out. Let's see how this actually transpires. And then they started to ask some questions that we were like, I have no idea. I don't know who does that. I don't know who gets to make the call on whether we pay or not. And so we had to, they asked some really good hard questions that we had to spend a lot of time pinning down the answers to. So lots of value.
Marty McDonald: Yeah, having those communication teams in those tabletops, and legal counsel, and sometimes your insurance provider, because they're going to decide some of that for you. Or at least understanding your policy well enough to know what they will or will not help you with, and your incident response company, so you know what they're going to help you with. Often, they're the ones running the tabletop for you. But, you know, there's so many things that go into that. It's just like a disaster recovery plan. If you don't actually go out in the field and flip some switches, you're probably never really gonna know if it works.
Mick Leach: Yes, exactly, exactly. Marty, this has been such a fun conversation. I appreciate it. Kind of my one last question to you is if somebody has been listening all this time, but they're going away and they can only take one thing away from this wide-ranging conversation, what would you have that be for them?
Marty McDonald: I'm going to go back to the fundamentals again. Doesn't really matter if it's onboarding our log sources or building agentic AI. We really have to focus on those fundamentals first. If we're not thinking about those smallest things that we do that maybe drive us the most crazy and starting there, we're often going to focus on the big giant thing. And before we ever get the big giant thing done, we run out of money and time and brain power. And so if we can start doing those smaller incremental things, our lives are going to get hugely better over time. And so the more we can focus on those small things. If you don't follow SwiftOnSecurity on Twitter, you should absolutely do so. And one of the things they say all the time is, I did all these things in my help desk days that I never thought were that big of a deal. And now I'm at this big giant company and so many things are happening. And it's, I learned so much there focusing on those little things and going really deep in them. And I think that that makes such a huge difference and will generally make all of our lives better.
Mick Leach: Yeah, I agree. I subscribe to this idea about finding success on a small scale and then building momentum on these little wins. And then they become bigger and bigger, sort of a snowball effect to the success of these things, right? But don't try to grab the biggest, hairiest problem in your company and just throw all your weight at that. Start small. Start on the little things that you can solve, the low-hanging fruit. And then you're going to build trust with your key stakeholders, and they're gonna understand that you're aligning with them and we're trying to make the company better and more efficient. And so I think you're gonna get more credibility, political capital, if you will, that you can then spend on the bigger things. So I like it. Great idea, Marty.
So, well, Marty, I just wanted to say thank you again. I appreciate it. You know, we certainly love having guests on the show, certainly with the wide-ranging background that you bring. So we are grateful.
Marty McDonald: Thank you so much for having me. This has been a great conversation. Really appreciate it.
Mick Leach: Awesome. Well, folks, this has been SOC Unlocked, Tales from the Cybersecurity Frontline. I am your host, Mick Leach, reminding all you cyber defenders out there to keep fighting the good fight. You're the tip of the spear, so stay sharp. Thanks for tuning in. Don't forget to like and subscribe, and check out our other SOC Unlocked episodes. We'll see you all next time. Thank you.
In this episode of SOC Unlocked, host Mick Leach talks with Marty McDonald, Principal Domain Advisor at Optiv, about what it takes to modernize today’s SOCs for an AI-driven world.
Marty shares how forward-looking teams are automating repetitive, level-one work with SOAR and agentic frameworks, freeing analysts to focus on higher-value investigations. He also explains how UEBA and entity analytics help analysts tell better data stories, transforming telemetry into actionable insight for executives and boards alike.
The conversation underscores a timeless truth—modernization starts with fundamentals. From refining metrics to running effective tabletop exercises, small, consistent improvements drive lasting transformation.
Insights
Modernizing the SOC starts with a holistic view of people, processes, and tools—not just new technology.
Context-rich analytics turn raw telemetry into stories that make threats and risks easier to understand.
Metrics must align with the audience, from analyst efficiency to executive-level risk reduction.
Small, consistent improvements build maturity faster than tackling massive, all-at-once transformations.
Interested in being on the podcast?
Contact us at SOCUnlockedPodcast@abnormalsecurity.com
Guests
“The ability to tell a story with data—whether through metrics or the attack chain—is what separates an effective SOC from a reactive one.”
“We talk a lot about shiny new tools, but the fundamentals still win. If we don’t get those right, the rest doesn’t matter.”
“A good tabletop can change everything. It’s where you find the unknowns before they find you.”
“Metrics matter at every level. A Tier 1 analyst wants to know if they’re winning. The CISO wants to know how much risk was reduced. It’s all storytelling, just in different languages.”