7MS #529: Interview with Matthew Warner of Blumira
Today we're featuring a great interview with Matthew Warner, CTO and co-founder of Blumira. You might remember Matt from such podcasts as this one, when Matt gave us a fountain of info on why out-of-the-box Windows logging isn't awesome, and how to get it turned up to 11!
Today, we talk about a cool report that Blumira put out called 2022 Blumira's State of Detection & Response, and dive into some interesting topics within it, including:
- How do companies like Blumira (who we rely on to stay on top of threats) keep their own teams on top of threats?
- Why open source detections are a great starting point - but not a magic bullet
- Consider this "what if" - a C2 beacon lands on your prod file server in the middle of the work day. Do you take it down during a busy time to save/clean the box as much as possible? Or do you hope you can wait until the weekend to triage it?
- Why annoying traffic/alerts are still worth having a conversation about. For example, if you RDP out of your environment and into Azure, that might be fine. But what about when you see an RDP connection going out to a Digital Ocean droplet? Should you care? Well, do you use Digital Ocean for legit biz purposes?
- Data exfiltration - where does it sit on your priority list? How hard is it to monitor/block?
- Common lateral movement tools/techniques
- Why honeypots rule!