Detection in Flux: Riding the Chaos with Day Johnson
August 25, 2025
In a world where SOCs are dissolving, job roles are glitching, and where the attack surface blurs between our work & personal life via Slack & Discord, one thing remains constant: detection never sleeps.

On this episode of Dispatch, we’re joined by Day Johnson, detection engineer at Amazon, architect of Cyberwox labs, and voice of clarity for 100K+ across LinkedIn, YouTube, and Twitter. From Datadog to the bleeding edge of cloud defense, Day’s been charting what it means to stay sharp when the landscape won’t sit still. We go all in on this chaos.
Alex (Start)
In a world where job roles are vanishing as fast as new threats emerge, one voice seems to cut through the static with clarity, with empathy, and even a godly take on what it means to stay sharp in security. Today on the pod, we're joined by the amazing Day Johnson. He's a detection engineer at Amazon and the man behind Cyberwox
Day Johnson (09:01)
They're totally fine.
Alex (09:28)
labs, lab setups, and newsletter, and all of the newbie-to-cyber-sage navigating. Covers it all. Day, you were formerly at Datadog, right? And now it seems like you're operating on the edge of what's possible in detection engineering and just making it look real good and effortless. Today, we're going to be peeling back the layers on what it really means, right? And in terms of how to evolve these detection strategies and
a threat landscape that can't seem to sit still. And so today, with over 45,000 followers on LinkedIn and like 50,000, probably more, on YouTube, lots, lots more on Twitter. Thank you so much for being here. It's been a true milestone for us to have you on our Dispatch podcast. And I know that our community is going to really love this one. So thank you so much. Well, first and foremost,
Day Johnson (10:21)
Thanks for having me. I'm excited to be here.
Alex (10:26)
to get into it. How are you? How's your summer been? I know you had a really awesome trip lately. What's keeping you busy?
Day Johnson (10:36)
I'm doing good. My summer's been great. It's been extra busy. I don't know for whatever reason. Like summers are usually more busy than the fall or winter, but I don't mind it at all. But yeah, I've just been busy, you know, getting work done, content, managing the community and all that fun stuff, but it's been great so far.
Alex (10:55)
Yeah, it is. Interesting that summer is more busy. I feel like our summers are very short-lived here in Chicago, so that really sucks if that's the case. And I did want to ask, I was listening to a podcast on the plane right here. And the Theo Von, do you listen to Theo Von? Good.
Day Johnson (11:04)
Yeah.
no, I don't.
Alex (11:22)
Waste a lot of time. But so, but he started off with one of his guests, with Mark Zuckerberg, actually, his guest, big guest. And he was like, dude, just randomly, like, do you like coffee? And he went on this whole spiel on how Zuckerberg doesn't like, like, he doesn't drink coffee, he'll drink decaf just for show. I guess like, so do you, are you starting your day off with coffee?
Day Johnson (11:36)
Mmm.
Mmm. Yeah.
I also do not drink coffee. Yeah. Well, I do. I do drink caffeinated drinks. I just can't do like, you know, regular coffee. So I actually start my day off with a Celsius, believe it or not. And then
Alex (11:54)
You do not, you're all okay. So maybe, okay, maybe smart people are on to something.
Is that sponsored? Is it sponsored by Celsius?
Day Johnson (12:13)
I
mean, I'd hope they would reach out because I drink one virtually every single day. And then I usually like, they usually last me till like around two, three. And then I have another drink that I drink. It's called Nutanic. It's more of like a productivity drink. It just kind of has caffeine in it. But it kind of, you know, has like nootropics that kind of keep your brain like primed for getting work done. So when I usually have that afternoon slump after work, I usually take it so I can at least get, you know, three more, four hours of focused work done
Alex (12:29)
Okay.
Day Johnson (12:43)
the rest of the day. So I do drink caffeine, but not specifically coffee. Yeah, yeah.
Alex (12:48)
Okay, very nice. I might have to get on that. I don't typically
drink energy drinks unless it's getting real late at the club and I really need to stay awake. Okay, well, thank you for sharing that. But it seems like smart people are onto something with no more drinking coffee. That was a big trend coming out of Las Vegas and Black Hat and DEF CON this year. I notice more and more people are becoming sober and they are becoming
Day Johnson (12:55)
Yeah.
Yeah.
Yeah.
Good.
Alex (13:18)
Yeah, exactly. This is great. It's definitely something one should at least try, or at least even for a small amount of time. It can't hurt.
Day Johnson (13:20)
Yeah.
Yeah,
I've not drank alcohol in like two years and I plan to keep best drink so I definitely recommend it.
Alex (13:32)
Oh my gosh, good. I'm gonna have to try that. Maybe for a summer. No, maybe for the winter, because there's nothing going on here. There's nothing going on here.
Day Johnson (13:37)
You know, you know what's
You know what this sounds like? This sounds like when, you know, you want to go on a diet and like you're like, I'll start next week. You're like, you're like at the restaurant and you're like eating a lot of food, you're like, you know what, I'll start next week. And you just keep saying that.
Alex (13:54)
Yeah, yeah, that's usually me with my, that's usually me with, what was it? People usually don't drink in January, dry January. That, no, but then it's like New Year's and then my birthday is February 1st. And it's like, my friends always want to start celebrating a little bit beforehand. I'm like, no, I just can't do it.
Day Johnson (13:58)
You
Right.
Yeah.
That's correct. Cause my birthday
is actually February 25th, so we're kinda actually birthday mates. I do not know, I actually don't like, you know, believe in star signs. I'm sorry. I know that's controversial, I'm sorry.
Alex (14:20)
Are you an Aquarius?
It's very controversial. I mean, right now, my girlfriends will not date a guy if they are a certain horoscope. So, yeah, I know. Okay, sorry. We backtracked. But great energy. But let's talk about the weird energy that's happening in the security job market right now.
Day Johnson (14:36)
Well, more power to them. No worries.
Yeah.
Alex (14:52)
I feel like in part, and I've seen so many LinkedIn and Reddit posts on people straight up quitting. They're like, I just can't do it anymore. It's literally to the point where I'm never going to make back everything that I'm going to do now. And I'm just going to go and do something else. The market is hiring and firing at the same time. It feels like one minute it's layoffs. The next minute it's like, we're hiring 25 new detection engineers.
Day Johnson (15:00)
Yeah.
Yeah.
Alex (15:22)
And also you got to think about, are those job postings even true? Because I saw somebody rightfully call out McDonald's recently for having this ghost of a job post that was running for like at least nine, 10 months, and all these people were coming out of the woodwork saying, hey, nobody's actually interviewing, like, no, I'm not getting ahold of anybody. And I was talking to Kyle from Netflix the other day and he was saying like OpenAI is
Day Johnson (15:26)
Hmm.
Yeah.
Yeah.
Alex (15:50)
viciously stealing people away from companies. And it's like, there's so many people that want a job. Don't steal people that have jobs already, right? You've written about this all the time, about the paradox of the job market. How are you seeing that, like, reflected, you know, in the trenches? It's gotta be impacting the state of work of people.
Day Johnson (15:52)
Yeah.
Yeah.
Yeah.
Yeah, I want to first clarify that my opinions around this will be my personal opinion and my employer's opinion. But I think that like it's definitely a very interesting job market that we're in. I think one that I have not seen before, like in my half-decade career. I think there's obviously, I think social media, like obviously LinkedIn and other platforms, amplify the worst things. So it's harder to keep,
you know, sort of an optimistic perspective, right? That's just the truth. But it's definitely, I think it's definitely a more difficult market. Like I think a lot of trends show that a lot of people are staying at their jobs. Like, you know, a lot of people are making a lot of considerations before they even move positions because it's like, you have to factor all these different things. I think there is some positivity there, but I think there's a lot of amplified negativity, right? And I usually like to focus on the positive personally.
Alex (16:54)
could step you up.
Yeah.
Day Johnson (17:08)
But I don't think it takes away from the fact that it's definitely a much harder job market. The requirements for what companies are looking for are a lot of experience, a lot of skills that might not really be attainable by more entry-level folks. And even for entry-level positions, it seems like employers are looking for a little bit more than entry-level. So it's definitely, I think, a more interesting,
Alex (17:08)
Bye.
Day Johnson (17:34)
a little bit harder job market than what we've seen in the past. But I do think that it's not different from what I believe history has shown over time. I think history has shown over time that there are going to be things that come in to the technology world and disrupt things, but people that are actually able to stay and grow and do their careers are the ones that can adapt. And I think it's an opportunity for us to learn how to adapt to this.
And the people that know how to adapt to this sort of like disruptions are the ones who are eventually gonna find some success. So that's kind of how I'm thinking about it.
Alex (18:09)
I
Extremely well said. I do want to hone in on those skills, but you're right, looking at the positive side of it. For those that do have jobs, it does make one really grateful to have what they have, and it makes them want to keep doing a better job at it, you know, knowing how difficult it is for those that don't. And so the skills, I want to talk about that, and also just the death of the traditional SOC feels super real. That's, I feel like that's the way that
Day Johnson (18:21)
That's Very true. That's true.
Yeah.
Alex (18:40)
every single, like, workshop or conference session started: like the traditional SOC is no more. What skills or like mindsets are gonna future-proof us so that we don't get automated out of a job?
Day Johnson (18:47)
Thank you.
Yeah.
Yeah, that's a great question. That's, I mean, that's the million dollar question, right? I think when you start talking about skills with regards to this, you'd need to get a little bit meta for a second, right? And start like going an abstraction above like, you know, Python or Kubernetes or cloud security or whatever, right? I think ultimately it's problem-solving, right? Even before problem-solving, I think
Alex (19:03)
Yeah.
is.
Day Johnson (19:27)
The biggest skill now is going to be your ability to learn how to learn and learn how to learn fast, right? Because things are changing so fast, new technologies are coming, right? So you need to learn how to learn, learn how to learn fast, and also know how to prioritize what to learn.
Because now with all these different things that are coming out, it's very easy to get distracted. Like today you can be learning how to use this particular AI tool, like learn how MCPs work or how RAG architecture works. And then from that to like diving deep into like machine learning, it's like, there's a lot of things to learn. What are you going to choose to learn? And how is that going to be applicable to your career and actually help you grow in your current role, or go take on another role that helps you grow in your career? So learn how to learn, learn how to learn fast, knowing the right thing to learn.
And obviously I think critical thinking and problem solving skills. I think that's like the bedrock, like the foundation of everything else. If you're able to kind of have a strong grasp over that, you're going to apply that to whatever it is you learn. And you know, it does help you out a lot. But if you don't have like those meta skills I just mentioned, I think you're just going to find yourself kind of going around in circles and end up not being able to, like I said earlier on, adapt, right? Because ultimately, like
every environment is different. Like every company is different, right? You can, you know, like myself, you can get thrown from doing cloud, you know, detection engineering to doing something entirely different at another company. So knowing how to learn, right? Those things that you don't have, and kind of putting these like, connecting the dots and the puzzle pieces together, I think is really what is going to help you like, you know, remain relevant as everyone is saying, like the traditional SOC is dying and all of these different things.
Alex (21:11)
I love that. It's a mix of soft skill, intuition, critical thinking, problem solving. But I am worried about that skill not being as sharpened as it once was before, because these younger kids are literally passing school with GPT.
Day Johnson (21:19)
Mm.
Hahaha
Yeah.
Alex (21:34)
I didn't have GPT
well, 10 years ago, and I kind of feel like proud about it. But critical thinking is, I'm really concerned for that, especially as a lot of vendors are
Day Johnson (21:47)
Yeah.
Alex (21:51)
integrating their technologies like MCP to MCP, agent to agent communication, and building these systems that can reason for themselves, what is left for the analyst to reason?
Day Johnson (21:58)
Yeah. Yeah,
yeah. Rightfully so. Like it's rightfully so concerned. I think it's definitely one where you have to make a conscious effort to not experience that like AI brain rot. I think I was talking with a friend recently about it and it's like now like, you know, it's a lot worse because you can have that social media brain rot plus the AI brain rot. So you have to really make a conscious effort.
You know, it's like it's your life, like you're essentially in control of it. So if you know that something is going to essentially diminish your ability to think critically, I think like you have to weigh the options of like, is it worth getting this thing done faster? Or maybe spending a little bit more time, like kind of diving into the problem and trying to figure it out myself before I go, you know, use AI or whatever the case may be.
Alex (22:35)
Yeah.
Yeah. And also, I think the school system should be adapting, too. Like if we know that they're going to be using these things, instead of just maybe AI brain rotting, dumping everything and trying to get, you know, outputs, maybe make your prompts in a way that optimizes and understand how the AI works so that you can work better with it. Like there's a better way of doing that instead of just like, you know, being dumb, like a monkey, like just try and expect something.
Day Johnson (23:05)
Yeah.
Yeah, Yeah,
I think OpenAI recently released a study mode that is not like, it's not as, you know, essentially like giving you the answers directly. So it kind of puts a little bit of pressure on you. So you can use the AI tools like, you know, correctly in a way that doesn't like essentially cause you to not really know what you're doing and just like, you know, contributing to AI slop really. So yeah, I think it's a means to an end. You just got to be effective with the tool.
Alex (23:45)
Would you use AI, or do you use an LLM, to ask what you should, what threat you should focus on today? Because there's so many threats, threats yes, but like which ones, right? When you step into a new and brand new environment, a new company, right? A new industry even, you're inheriting a whole new threat profile, and beyond just onboarding, right? It's an entirely new ecosystem of tools and stacks and
Day Johnson (23:52)
Mmm.
Yeah.
Yeah.
Alex (24:12)
geopolitics and quirks and even like, even the tech stack, I guess. If you're, do y'all use Slack or Teams? We use Slack here. The Google Calendar to culture, there's a certain way of how people like to be, you know, addressed, or how people, there's a certain way to ask for a meeting
at certain companies. Like sometimes you needed to let them know on Slack. Sometimes you could get an email. Our company barely uses email. Our Slack is our main source of communication. And all of that really is going to change how threats can manifest. We just released a rule on how a rundll32 can open via a PDF via just a OneDrive synchronization. Right? So detection is going to change, right? You know, depending on what you're using, but also what
Day Johnson (24:33)
Yeah.
Yeah.
Yeah.
Yeah.
Yeah.
Yeah.
Alex (25:01)
you're defending. With it changing so much daily, how do you actually know what to focus on? And would you trust an LLM to tell you that?
Day Johnson (25:08)
Yeah.
Yeah, no, that's a great question. I think context is key here, right? I'm finding that so much that when you're dealing with like LLMs or, you know, these AI chat bots, or whatever AI tooling, context is key, right? So usually what I've found is that if you just put it in a black box, and you're just like, hey, solve this problem, right, it's going to give you an answer. Like the AI tools are incentivized to give you an answer, right?
Whether you have context or not. So it's going to give you an answer. That answer might work, but within the context of what you're doing, right, because you're in a black box, it might not fit into the context of that problem you're trying to solve. So I found that the more context that you give the AI tool or the LLM, the better it's able to actually apply, you know, knowledge from that context to then give you the right solution to the problem. Now, another thing I've personally been exploring is like,
I don't want the AI to essentially tell me what to do. So I usually start by saying, hey, this is what I want to do. This is my approach. Help reason with me about this. Or give me multiple options or alternatives for it. Because a lot of times, we usually just tend to tell it what to do and essentially just take what it gives us. But yeah, exactly, the first response. It's like, well,
Alex (26:17)
Yeah.
Thank
first response.
Day Johnson (26:38)
at that point, you're essentially outsourcing your reasoning to the LLM tool, right? So what I personally like to do is like, it's a partner for me, right? I'm like, hey, like this is what I'm thinking about. This is a problem. Give me an idea of how to solve it, or let's reason about it together. Like sometimes, like even personally, like when I have ChatGPT on my phone, yeah, I just like have a back and forth conversation with it. I'm like, hey, like don't give me an answer. Like ask me some questions. Let me answer those questions for you.
Alex (26:43)
of.
Board.
Day Johnson (27:07)
and then let's have this back and forth conversation about it. Now, obviously when you're doing stuff with tooling, it's a little bit different, but I think the context is a lot more important in this situation, because the more context you have, the more context the LLM tool or the AI tool has, the better it's actually able to help you solve the problem you're trying to solve.
Alex (27:13)
now.
And I think also that back and forth, it can be a very eye-opening thing, and a lot of learning can happen even during that time as well. Yeah, I like that. I have been using LLMs a lot for, like, getting documentation answers quick, but also in my personal life just to help me emotionally regulate back from an issue. Like, no, I don't need to be annoyed about that. I don't need to react about
Day Johnson (27:31)
Yeah.
Very much so.
Alex (27:57)
that like or should I? Yeah.
Day Johnson (27:57)
Yeah. Yeah. I
think there was a podcast recently where Sam Altman was talking about how the new update to GPT-5 actually took away a lot of emotional support for people who had relied on it. So they actually had to roll it back because a lot of people were, there's like an actual Reddit thread about it
Alex (28:11)
Okay.
one.
Day Johnson (28:23)
where people were like, this new 5.0 is not really doing it for me. It's not the same as the one I used to talk to and I used to interact with and I used to emotionally support me. So that's been a huge trend in AI children recently.
Alex (28:23)
Yeah.
Damn.
I,
I refuse to use 5 still because I have two very specific uses for the 3.0 model, because that's better at data analysis and helping me with reporting and numbers. And then the 4 is just good for copywriting and just LinkedIn posts and just anything I need to write in long form. I just don't want to change it right now. And I know that maybe there's new and better things, but yeah, and exactly.
Day Johnson (28:48)
Yeah.
Yeah.
Yeah.
Alex (29:10)
I use it as a therapist. But even then, with all the context in the world that you can give it, it still won't know these little things. It won't know the history of why you've done certain things at the company. It won't, it's not drinking with your people at the Four Seasons, right?
Day Johnson (29:26)
Yeah.
Mm-hmm.
Alex (29:32)
It doesn't understand why a rule was reverted because of so-and-so, because of some incident. It doesn't get it still. And then throw in a bunch of the fuzziness too around it and hallucinations. I've been seeing it hallucinate like crazy with, especially around quotes.
Day Johnson (29:37)
Yeah.
Yeah.
Yeah.
Alex (29:54)
I try to go back on all the podcasts and extract some quotes from, just to talk about different things. And it tells me, it's like, this is what it should say. They should say, like, yeah, but I want to look for what they're actually saying, not what they should be saying, right? I don't know. All of that, it throws a lot of complexity into the mix.
Day Johnson (30:03)
Yeah.
Really soon.
Yeah. Yeah. Yeah.
Alex (30:24)
but.
Back on, I guess, the more psychology aspect. How do you stay grounded when this is in so much flux?
Day Johnson (30:38)
Sorry, could you say that question again?
Alex (30:38)
Yeah.
How, how do you stay grounded when there's so much flux? There's so much to do. There's so much things that you need to be prioritizing. Like how do you filter by, is it by impact? Is it by like a gut feeling? Is it pressure? Is it both? Yeah.
Day Johnson (30:52)
Yeah, yeah, yeah, yeah.
I think, reeling it back to security work, like prioritization, there's like this, I forget what exactly it's called, but there's like this prioritization matrix where there's like urgent and important, like urgent, not important, not urgent but important, something like that. I usually like to, it depends on the kind of work I'm doing, right?
My day-to-day work might range from writing a doc, or to reading a doc, or to like doing development work, or hunting, or doing like threat research, right? It's like there's so much I could be doing in a single day. But I actually try to prioritize on like what's the most important thing. And also I think, just with regards to like knowing yourself, I would say, like if you're a detection engineer, right, and you know that like you have to go through this like threat research report, right, in order to like look for
indicators for like TTPs and stuff that you're gonna use to go like model a detection, right? And you know that the morning is not really the best time for you to really go read through reports because your brain is too kind of slow, then you could put that in the evening, right? Stuff like that. So just kind of, sort of like having this dual sort of prioritization matrix where I manage what's most important, right? If I need to get it done today, I need to get it done today. So like,
that's a given, but also kind of understanding how my brain works for certain types of tasks. So if I'm doing just some general log analysis, I'm trying to look through the logs, hunt for something, maybe I'm doing a detection, but I need to go do some historical analysis over a large scope. I'm not yet building the actual logic, but I'm just trying to understand how does this behavior work at a larger scale.
Like I might do that more in the morning or the afternoon, right? And that might be important because it might be like a high priority detection or whatever the case may be. So kind of having this balance between like knowing what's important, or what's important for the organization, for the business, but also like aligning that with how best I work, right? Whether it's like in the morning, afternoon, evenings, or on specific days of the week as well. Right? So it's a dual sort of
methodology I personally use for prioritizing things, because I feel like it's very easy to fall into this trap, whether personally or like in security, where like everything is important. If everything is really important, then nothing really is important. So having a very brutal prioritization matrix helps me to stay grounded and, you know, prioritize what truly is important.
Alex (33:25)
I love that. It's a little bit of, you know, backlog. It's whatever's on the news that day. And obviously, your list of tasks. I was talking to somebody recently that...
They get a lot of pressure from their leadership because they're head down into something, and that's how he likes to work, is he likes to do one thing at a time and not really multitask. Meanwhile, I like to multitask. You saw my tabs yesterday. I have a million tabs open. I like to multitask and I'm just really good at it. But he's one of those people that needs to just do one thing at a time because he'll do it really, really well.
Day Johnson (33:44)
me.
Yeah.
Alex (34:12)
stress because his leader will read something in the news that day and it's like, okay, everybody stop what they're doing, we need to figure this out right now. Like this TTP, are we covered? And he really needs to just move on and do whatever he says. And so, like, that kind of pressure is pretty insane, right? And it almost kind of makes it such that maybe it's not going to be as
Day Johnson (34:19)
Yeah.
Yeah.
Alex (34:42)
effective with all of the things that you're correlating. But another thing, yeah.
Day Johnson (34:48)
Yeah. Yeah.
I think with that, that's definitely not a, I mean, that's definitely not a, I would say, safe work environment in the real sense of it. Because I personally, I'm grateful for the fact that I have autonomy over certain things. So for example, a situation like that, a leader could be like, top down pressure, this thing happened in the news, we should go do this, right? But I also think the
Alex (35:07)
Okay.
Day Johnson (35:17)
people who are actually on the front lines, who have the more like technical, like business context, should have autonomy over saying, like, yeah, it is important. Like it affected, you know, the airline industry, for example. But like we're in the retail space. Like this isn't really fitting to our threat model. As a matter of fact, like we don't even have the telemetry for this. Or we don't have systems that could be compromised by this particular vector. Like we could put this on a watch list or something, but like, obviously there are things that need to be like
done like today, but whether it's like, you know, something that applies to us, I think the engineers themselves, right, the people who are actually on the front line, should have some level of autonomy over saying, hey, like based off of our own organizational context, right, even though you see this breach or whatever the case is, or new attack vector, I think based on our context, like it's not really applicable to us. And I think that's also important for prioritizing work, because if we're constantly just like, essentially, you know, following the news
Alex (36:11)
were.
Day Johnson (36:15)
and trying to use everything that we find from there to essentially build stuff for our environment, whether it's detections or mitigative controls, whatever the case is. And it doesn't really fit into the context of our organization or our particular environment. Then we're essentially leaving the more important things out to just dry. So I think there should be some autonomy with the actual, you know, individual contributors to push back if needed or to even say, like, hey, this makes sense, but it doesn't really fit into...
Again, the context of what we do or our environment.
Alex (36:47)
100%. It's autonomy, trust your people, but also we're back to context. Threat profiles aren't universal, and just because it was like the first thing you read today doesn't mean it's applicable to the organization, right? These threat groups are
specific to a geo or a nation state or maybe even an industry vertical, and they are top of mind, but you know, everyone has to look at it very specifically to them. And I also do like
Day Johnson (37:18)
Yeah.
Alex (37:23)
My mind is going to also the CrowdStrike and Microsoft are trying to also help bring a lot of order to the threat group namings too. They're kind of like OCSFing the naming conventions in a way, which is really nice and it also can help, I guess in this regard. I really, back to the context thing, security is completely contextual. Like what's true at a SaaS company is not gonna be true if you're a potato chip making factory, right?
Day Johnson (37:30)
Mm-hmm.
Yeah.
Yeah.
version.
Alex (37:52)
So how, tell us a little bit about how folks can actually design detection in a way that reflects your organization's true risks and not someone else's, not what your CISO read on the news today.
Day Johnson (38:10)
Yeah, yeah, no,
very much so. I think it starts from kind of like understanding like, you know, first and foremost, like I personally do, I approach this as like, understand the business itself, right? Like, if you work at, I don't know, an e-commerce company, right? Like, what's the business model, right? Like, how does the business work? And I'm not saying like, I'll learn about all the finances and all those different things, but it's saying like, what does your company do? They sell products online.
All right, great. Okay, behind that is some technology that powers it, right? Whether it's cloud, whether it's like, you know, containers, whether it's, you know, SaaS applications, you know, there's something that's powering the technology behind this, you know, e-commerce platform. All right, cool. So now you have the business and you have the technology as well, right? So we, as security, kind of sit in between business and technology, right? We're like part of what a risk function, right, does, which is like essentially communicate, like,
Alex (38:44)
Yeah.
Day Johnson (39:09)
risk, right, to the business, right? So like we constantly have to sit in the middle of that, right? So I wanna kinda dispel like, you know, usually the notion for detection engineers, like you just dive into the logs and like you just go view detections. I wanna take a step back from that, right? Like understand, like risk is super important, right? Now obviously you should have like, you know, coverage and consider those things, but I wanna start from a
perspective of risk, right? So when you understand what your business does, you understand the technologies that power that, then you can go into like, okay, what does your environment look like, right? Understanding the assets you have, understanding the way the systems work, right, understanding how these different things connect with each other. What are the most important things, right? What are known attack vectors for your particular sector? What are known attack vectors for the technologies that you use, right? Have you had previous incidents, right? You know, sometimes like companies are just building out like
Alex (40:02)
Thank
Day Johnson (40:05)
brand new detection teams, right? But they might have had some breach in the past, right? So what happened there, right? You can go back into those past postmortems, right? Have you had like some red team assessments, right? And this is thinking from a perspective of like a new detection engineer at a new organization, right? You're essentially just getting a lay of the land, right? So you're building your own personal organizational context, right? I recently read the book, The Staff Engineer's Path. And the first chapter...
Alex (40:23)
up.
Day Johnson (40:32)
talks about building like a topology map, right? There's like your, what's that? The attack surface, right? There's all these different aspects of the map that you're kind of essentially like, whether you're physically or like logically like mapping that out, right? So once you have that, that's when you can start going into like prioritizing, know, detections based on like, you know, different things, right? Whether it's like systems that have like critical data, whether it's like based off of known previous breaches.
Alex (40:34)
Okay.
your attack surface. Your attack surface.
Day Johnson (41:01)
whether it's based off of known vulnerabilities, whether it's based off of known risks that might not have been explored yet. It could be also leadership requirements. Sometimes leadership has specific things that you're like, hey, we care specifically about website defacement because we're an e-commerce company. We have to make sure this is always online. So you essentially have a larger lay of the land, a larger understanding, a larger personal context.
they can then use to start like prioritizing. Then you start going deeper into like, you know, the more tactical stuff, right? So starting from strategy, then more tactical stuff, like understanding your log sources, understanding like what is normal, what is like deviating from normal, how do developers operate, right? And then you go deeper and deeper into that, then go into looking for, you know, specific malicious activity, testing those things out, maybe through adversarial emulation or like sandboxes, and then going deeper into building out the logic of your detection. But
Alex (41:35)
Yeah.
Day Johnson (41:58)
I usually like to start from like a very like high level bird's eye view and then you just start going slowly deeper and deeper down. And that's more from the perspective of like a new detection engineer on a new detection team in a brand new organization. Obviously for like an existing team, like there's going to be a lot more stuff that you're going to have to inherit and then viewed from there. But that's kind of how I would think about it.
Alex (42:18)
Yeah. And also that got me thinking in how really the coming of this role came about is because of the need to build custom detections for your organization. You can't just turn on these vendor provided detections, maybe that come with your SIEM. Maybe they'll get you half the way there, but you need a detection engineer that really understands the lay of the land, like you said, to really fine tune it back into the organization, operationalize it. That really was the
Day Johnson (42:29)
Yes.
Yeah.
Yeah.
Alex (42:48)
birth of this role. We're, and it's crazy to think that 10 years ago, nobody was hiring detection engineers. Maybe we were doing the work, but we weren't called that.
Day Johnson (42:57)
Yeah. Yeah. Yeah.
Alex (43:01)
So let's talk about detection engineering in the new work order because it's constantly changing. I mean, and it's now that we've introduced MCPs into the mix and now that we bring our work home, right? And you probably are dealing with this a lot. You feel like your work and your influencer work is
Day Johnson (43:09)
Mm-hmm.
Alex (43:31)
is merging a lot too. Maybe you're on Discord, maybe you're on, you're using a lot of different systems that are kind of bridging both your job and your side gig here. And it came about because I've noticed that there's a lot more and more attack vectors happening through Discord environments.
We're using social engineering techniques to try to, through mutual servers, start messaging somebody and hooking them that way. In this way, the attack surface is getting a little bit more personal. So in this hyper-connected world where your work laptop
might also be like where you're logging into Discord. How do you decide what's in scope for detection from an analyst perspective? How can we control if people are playing games on their computer, if people are on Discord in their computer, if people are on various Slack channels, because you know how you can connect with different workspaces on Slack.
Day Johnson (44:47)
Yeah.
Alex (44:47)
And yeah, like our personal and work life is constantly merging. I guess that's a long-winded way of saying that.
Day Johnson (44:52)
Yeah. Yeah.
Yeah. Yeah. I mean, personally, I like to keep like both lives very, very different, very, separate. Matter of fact,
Alex (45:00)
Okay, so we have two
separate laptops. Turn that one off. Turn your other one on.
Day Johnson (45:05)
Yeah, like even
have two separate workstations, right? So I have this desk that I use for my own personal stuff. I no longer work from home, so I usually work in the office. So it's very, very different. I'm also keeping systems different. I personally don't even want to use my own personal tools or my own personal social media platforms on my work computer, just for personal reasons. So I think it starts from a personal responsibility thing. I think if you can actually personally,
Alex (45:08)
Okay.
Okay.
Day Johnson (45:35)
separate work from non-work stuff, I would go that approach. That's the approach I personally take. But we're humans, right? We're bound to sort of like mix these different things. I mean, they are slowly converging, especially if you work remotely, right? So I think that's definitely a part of the attack surface, right? Now, one could decide to approach it from that perspective of like, where personal life is mixing with like,
Alex (45:50)
Yeah.
his.
Day Johnson (46:04)
more work stuff.
But I think like, again, like looking at it from a different layer of abstraction, right? Let's say someone is like, you know, has a Discord on their work computer, right? And Discord is allowed by policy, right? Like that's totally fine, right? But ultimately, like someone tries to social engineer them, right? And then they click a link and downloads a dropper, right? Well, maybe Discord is allowed, but at the point where a dropper is about to be downloaded or is downloaded or is about to start doing some malicious activity, you're
Alex (46:25)
Yeah.
Day Johnson (46:34)
endpoint detection should be able to catch that, right? Like your, or your, could have browser policies that maybe like ensure like that doesn't happen, right? Maybe you're not allowed to like download certain things, right? So like there's layers of abstraction for that. You can start from like, okay, detections wise, maybe you might not have browser detections, but you might have preventive controls at the level of your browser, right? That even if they like, you're logging into Discord from their browser and they maybe click some malicious link, it doesn't load up for them, right? And if it does,
Alex (46:37)
That's.
Day Johnson (47:02)
at the point at which it gets to your endpoint, like you're detecting that, you're eradicating that, you're containing that host, right? Or if it starts to exhibit some sort of malicious activity, maybe starts to try to beacon out, like you're detecting that at the network level. So I wanna bring in the concept of defense in depth here, right? Because we can't we wanna always know everything that's possible, right?
Alex (47:08)
Yeah.
Day Johnson (47:26)
but we can have different layers of defenses that go beyond just detections. And even at the detections level, I wrote a blog for detection dispatch, a Thor dispatch, and it was about detection in depth, where it's like you're looking at your detections from a multi-layered approach. You're not looking at it as just like, I'm gonna build cloud detections, or I'm gonna build endpoint detections. There's layers.
to your organization's complexity. There's also layers to the people you're working that you're protecting, right? They're in place of protecting. So taking a defensive approach, a detection approach that keeps that in mind, but also an overall defense approach that keeps that in mind. So we can't control what people would do, but we can essentially put controls in place, whether detective or preventive, to essentially mitigate the risk of actually allowing that as a vector for attacks within our environments.
Alex (48:20)
Absolutely, I love that. I love that. And then as these lines are getting blurry between dev work, personal, I think that defense in depth is the way to go here. Last question I have in this topic is...
Where do you get your inspiration when with this kind of content is like, are we monitoring? Are we still monitoring feeds on LinkedIn, on Twitter every single day? I know some people have like dedicated threat intelligence teams and maybe that's what they do and that kind of feeds your team. But where do you get your inspo of deciding what TTPs to focus on?
Day Johnson (49:03)
I think it's a mix of everything really. There's different sources of it. Obviously there's threat intelligence that you can leverage as an intake. There's adversary emulation. If you have an actual offensive team that's constantly checking out, constantly running attacks in your environment and emulating adversary activity, that's also a source of that. There's also your response team as well. What is your response team dealing with? What are they finding?
If they're responding to breaches or responding to specific alerts and they find out that there's some detection misses there, that's a feedback loop for you as well. Your threat hunting team, right? Sometimes the detection and hunting team are kind of in the same sort of role and expectations. Sometimes it's separate, right? So personally, I work on a team that focuses more on hunting in my current role. So that also feeds back into detections as well, right?
Alex (49:41)
Yeah.
Bye!
Day Johnson (49:59)
Risks as well, right? If you have like an actual like risk function, right? That's constantly like evaluating like the risks that come from like your applications or from your tools or from your SaaS platforms or your integrations or your third party vendors or your partnerships, right? Those are also intakes for like detections as well. And obviously like there's things that your leadership cares about, right? Like what the business you're supporting, what do they care about, right? And that might come from your
Alex (49:59)
Thanks
above.
Day Johnson (50:26)
Yeah, exactly. That might come from your CISO,
like from above and like, hey, we need to focus on this because the business cares about this. And then also, also I think like as security professionals, we have a sort of like unsaid, unexpected, like personal responsibility to kind of keep our ears to the ground, whether it's on Twitter or it's on, you know, LinkedIn or on Reddit or whatever feed that we have to kind of, you know, understand what's going on in the cybersecurity world so we can then.
Alex (50:50)
Reddit
is source for me too.
Day Johnson (50:53)
Absolutely. So we can
just, you know, use that as well. So I think it's, there are all these different sources. And then when you have all these things kind of coming together, like if you have a funnel, like all these things are coming in through that funnel, then you get to decide your prioritization matrix for what's the high priority detection, what's maybe medium or low priority detection. But I kind of see as I kind of see every, I see like several sources as a sort of like intake function that you funnel. And then you decide what is the most important priority for you.
Alex (51:22)
Yeah, absolutely. We have a similar team dynamic where we have detection engineers and threat hunters. I have, it always scratches this itch in my brain whenever a threat hunt gets, graduates into a rule, like a detection engineering rule. That is just, that's something about that day. It's like the whole day, the whole day is a main. But so what would you say are the three non-negotiables?
Day Johnson (51:43)
Yeah. Yeah.
Alex (51:51)
It doesn't have to be technical. It could be non-technical things that are absolutely mandatory to be a detection engineer in 2025.
Day Johnson (51:59)
Wow, non-negotiable, that's a great question. Okay, like non-negotiable skills.
Alex (52:02)
Non-negotiable.
Yeah,
I think you hit critical thinking was one. I think that'd be number one for me, especially in this like GPT world.
Day Johnson (52:11)
Yeah. Yeah. Yeah.
Well, we have critical thinking. I think second thing would be ownership. I think ownership is another one, right? Like ownership of problems, right? Ownership of the space you're in. Like I think it's very easy for us to kind of get really like to like have a lot of tunnel vision on like just like this one thing that we're doing, which, which, is it's okay to like get fixated on what you're doing, but
Alex (52:25)
Mm-hmm.
Yeah.
Day Johnson (52:39)
I think ownership kind of sometimes like expands beyond like what you're just kind of laser focused on and allows you to like broaden your perspective. I think ownership in the context, I think, and this is a bit of a like more on a personal note, but I really do like to take ownership of like wherever I'm working, like wherever I work at, right? Like I am a, especially if you're the publicly traded company and you have RSUs, you're a co-owner of that company. like knowing that and like kind of taking that perspective, I was like, how do I...
Alex (53:04)
are.
Day Johnson (53:08)
actually work in a way that actually like supports the vision of this company. Whether it's like making sure that we're secure by being in the right detections, right? I think ownership is going to be good, right? Whether you're at the company already or you're trying to get into a company, right? Especially with this current job market and the way the world is evolving career wise, right? You really do want to enjoy where you're working. And I found that, I found that personally, like when I truly enjoy what I'm doing and where I'm working, it makes it so much easier to really like focus on the work and think of innovative ways to get things done.
Alex (53:14)
show.
Yeah.
Day Johnson (53:37)
So
I'd say ownership is a huge one and ownership I believe is, if I'm not mistaken, like one of the Amazon leadership principles, so kind of biased there. But a third one will be, I'd say continuous learning. Like that's just a cyber security thing, right? You always want to kind of stay on your toes, like make sure you're constantly learning new things. If you, like, even if like, for example, like you observe a new TTP or attack vector, like in a threat intel report,
Alex (53:46)
love.
Thank you for your
Day Johnson (54:04)
And it doesn't really apply to your company. You could still like spin up a lab environment and like test it out. How does it work? How does like, how did this threat actor use this, you know, in an ingenious way to like bypass these defenses, right? Like that sort of like curiosity, right? I think matter of fact, like everything about cybersecurity and even more so detection engineering is like a curiosity thing. Like you're trying to like scratch this itch, right? So I think curiosity keeps you, you know, like motivated and keeps you like just learning new things and
Alex (54:25)
It is a hard recite. Yeah.
Day Johnson (54:34)
keeps your brain sharp from, you know, AI brain rot. So, yeah.
Alex (54:36)
It does.
It really does. does.
One thing for me, as of lately, I just want you to like have an opinion on something. It can kind of be a double-edged sword, if you're very stubborn about it. But no, but even then, even if one is stubborn about it, like just have an opinion on something. I think if someone just says like, it doesn't matter, but it's whatever. Like, no, be strong, like strongly feel about something. It's okay to do that. And then, and then like,
Day Johnson (54:46)
Mmm.
Hahaha
Yes.
Yeah.
Alex (55:08)
tell me why and that's what I'm dealing with right now. Well thank you, thank you so much for, I think that's all the questions for this episode and I think overall, safe to say that if you are not evolving and...
recalibrating your security strategy with all of these different changes in risk and detection work order and the blurry lines between your work, personal, dev. You're planning for a past that no longer exists. So it's so important to continue to keep learning, continue to understand, continue to keep growing yourself and.
And of course those around you. Day, thank you so, much for joining us on Detection Dispatch. You're most welcome back anytime and I hope you have a wonderful rest of your summer. And I hope that we can be in person someday.
Day Johnson (56:06)
Thanks for having me.