Bad Guys Only Need to Win Once: Determining What’s of Value

Bad Guys Only Need to Win Once: Determining What’s of Value

Modern SOC
Security Trends

Determine the value for your organization & begin to rethink your prioritization and approach to managing threats

“Security is one of the sexiest verticals in the tech space,” Lucas Moody, head of security technology at Twitter, told our own Jade Catalano when they sat down for the “Unlock your SOC: Moving your Security from Tactical to Strategic” webinar. Moody, a veteran in the security space spanning some 22-years, has seen the security threat landscape drastically change.

‍The ever-changing security landscape has evolved a great deal from when Moody started. The complexity of not only the world itself but because of product scaling. No one person understands all the security of most organizations, even more in large ones like Twitter or Google. Moody says, “We have a hive mind now, and approaching security requires that kind of hive mind orientation.”

Determining value is not a one-size-fits-all

“Everything has value” is something he says had a different meaning from when he was at eBay and Paypal than at other companies, where it was more just accounts and account information. Now we live in a world where there is value in everything from driving clicks to the driving of audiences and content. It is because of this changed value that the “breadth of security has grown to the point it pretty much straddles everything we do.

”From value to threat detection, Moody believes there is a need for security customers to identify what the values are in their ecosystem, their critical data, and threat priorities. Understanding this can be very difficult, but identifying the threats beforehand enables companies to view security on a reactionary scale but more of a progressive front.

An approach for managing threat detection: Align to customers & get ahead of the bad guys

RECOMMENDATION: Approach managing threat detection from an almost project management perspective.

  • Take each threat as a different product
  • Threats don’t stay static, neither does your “product,” nor do any of the tools the “bad guys” are using

It’s a cat and mouse game or a bad math problem where we need to win every time, but the bad guys only have to win once. Companies need to tie their “product” back to their customer, and the customers often are the ones who know what is required and are more of an expert in the space of the subject matter.

Get Started or Just Get Better: Automation and Detection

Automation for your Security Operations

There are plenty of cross-sections between automation and detection. The first step to getting security operations moving forward is with the coupling of both automation and detection. Leveraging automation for your detection, hunting, and triage lifecycle can add value to peripheral parts of organizations and help solve future security challenges as adversaries advance. It’s harder to detect potential threats in organizations with many different business goals. It is more complex for internal teams to keep up with changing priorities.

“We need to think with a scale mindset because detection engineers are a “newer” group in the security landscape.”

Build vs. Buy: It always seems to be the question

How do you know if a vendor solution will help or create more work and noise? How do you measure if the cost, time, and maintenance are worth building?

Build vs. buy is essential not only for security practitioners to get right but also for any organization becoming more technology-centric. It’s also important to understand if the problems you are trying to solve are unique to your particular ecosystem?  If so, is it worth developing a whole engineering team? Which could mean not only innovating and getting to an MVP state but continuing to evolve the product over time and maintaining it. Building and maintaining tools can end up being costly, along with more work when institutional knowledge is lost, or you need a team to maintain the tools.

Moody realizes not all security problems are super complex; some are straightforward. He feels you must measure and understand what an acceptable level of investment would be for your desired outcome. He goes on to say, “generally speaking, there is a market solution for at least 50% to 70% of the things that we're trying to solve for security. But a matchmaking game needs to happen, so you can come to the table strong and evaluate for fit.”

Gaining Visibility

Different aspects of visibility across various silos are important for security, but it’s also vital to address visibility with a goal in mind. Otherwise, you’ll be just saying “we need visibility” until the end of time.

  1. Across your organization
  2. Across your security tools
  3. Across cloud platforms
  4. Various shared security responsibilities
  5. The list goes on

People, process, and technology are where visibility becomes important - both separately and across all three areas. By bringing together your people, process and technology can be a starting point for shared responsibility across organizations. Since security is everyone’s responsibility, it still seems to fall on security to lead that charge. As security professionals, we can continue to beat the drum and learn to incorporate new ways to gain visibility and connect your security and business priorities to show security shouldn’t be a bottleneck. Organizations will start to understand the enormous value proposition of enabling security and increasing the strength of that business relationship.


Managing a security operations center (SOC) requires a unique combination of technical knowledge, management skills, and leadership ability. Whether you are looking to build a new SOC or take your current team to the next level, providing the right balance of all of these elements can super-charge your people, tools, and processes.

See how Anvilogic can help you build a high-performing SOC tailored to your organization and the threats it faces. Get the insights, recommendations, content, and more to help you manage an effective defense, measure progress towards your goals and build out more advanced processes like threat hunting, detection, and continuous SOC assessment.

Check out how Anvilogic has helped customers unify everything from SOC maturity, data gaps, workflows, alerts, trending threats, and detection coverage – Get both valuable insights and the roadmap to continuously assess, detect, automate and respond. Anvilogic Case Studies

Experience how Anvilogic can help you determine what’s of value and stop your SOC Chaos - Request a Demo

Chat with our team to receive a free maturity assessment

Get in Touch

Ready to learn more about Anvilogic?

Kickstart your security operations

Anvilogic provided the necessary threat detection automation for our small SOC, adding a significant force-multiplier advantage for my team.