A
You're listening to the CyberWire Network, powered by N2K.
B
There are humans involved on security teams, and we have to be empathetic and understand, you know, what they're going through and what they care about.
A
Today I'm speaking with Steve Elvitz, VP and managing partner for Unit 42's North America practice, about his career in the trenches of incident response and how that shapes the way he sees security leadership and what it really means to protect an organization. Steve, welcome to Threat Vector. It's really nice to see you again in person. We recently spoke, but that's always virtual and, you know, it's nice to have somebody in the room for one of these conversations here on Threat Vector.
B
Yeah, it's great to be here. Thanks for having me.
A
Well, let's start with a little bit about your path in this industry and talk to me a little bit about how you got here and, you know, share with the listeners the version of your career from the front lines to where you are now with Unit 42.
B
Sure. Well, I mean, I started actually doing IT work originally, everything from building patch cables to patching servers. And then I landed in forensics and eDiscovery with PwC. This was really before cyber was much of a thing. We had a separate security team that sat side by side, got to come on some of their pen tests. Eventually we found a few real cyber cases there where the teams worked together. And that's where I found that I had a passion for things. Moved over to Booz Allen to focus on exactly that, for a government agency, for a number of years before eventually landing at Mandiant for about a decade, and then eventually made the move over here to Unit 42.
A
Yeah. Well, I mean, you just mentioned Booz Allen, PwC. What drew you to the work in those early years, you know, and maybe talk about the differences of what you were doing at those organizations, how that shifted with Mandiant and then, you know, take us to a point in time to today.
B
Yeah. So back then, I don't want to age myself too much, the work was very different. Right. But it was still the adversarial nature that I really enjoyed that really drove me towards it. Doing the more eDiscovery type forensics, traditional forensics, I didn't enjoy quite as much. But then once I got a taste for incident response, for breach response, and you have the adversary out there that is trying to respond to your response, that's trying to stay in an environment while you're trying to kick them out, I found very enjoyable. And it allowed me to kind of merge my interest in security with my interest in forensics together. And I found that very interesting.
A
I'm curious, do you consider yourself a competitive guy?
B
Yes, I would say I'm very competitive.
A
And I know this isn't a video game, but as you're describing this back and forth and outmaneuvering and kicking out and then they're back in and just discovering. Is it similar in that sense of the feel of that excitement that you might get?
B
Yeah, I would say so, yeah. It was very different back then, though. Things were slower. Okay, so this was really pre-EDR. Right. So a lot of the work was taking forensic images, lots of chains of custody, and then analyzing the forensic image and then making kind of those organizational wide changes. Remediation plans were put together over days. Right. And then you would have a single remediation event where, you know, you have this coordination to kick an attacker out that doesn't really exist against, you know, some of the more financially motivated attackers today, where you really have to start remediation on, you know, hour zero.
A
Yeah. Is there a specific case or maybe a early moment in your career that clarified for you what this job is really about?
B
It's hard to name just one case. At PwC, there was one bank that we helped that was one of the larger cases we did. And I got to actually work closer with some people who, even today, I consider mentors, where I learned a lot. And that really, I think, codified for me the desire to focus on this for my career. Yeah.
A
And you and I have had a couple of conversations. You were on Threat Vector before talking about our IR report, and it seems like you and a lot of folks in this industry are very mission oriented. What is it about somebody who is a mission oriented person that looks at this type of work and goes, yeah, these things come together? Is there a particular satisfaction that you get out of it? Is it just how you tell the story of yourself? Talk to me about that.
B
I mean, certainly, you know, I do feel a sense of duty to do this work. You know, when you see children's hospitals, for example, getting hit by ransomware groups, you know, and you have the talent to be able to assist even in, you know, whatever way. How can you not? Right. So the mission of joining Mandiant, the mission was fight crime and find evil. And, you know, that really spoke to me and that was the direction we moved in. Right. And that's. We celebrated when we imposed costs to threat actors. We celebrated when we were able to evict threat actors from environments. Right. That was our DNA, and that really spoke a lot to me. Yeah.
A
I don't know if our guests can pick this up, maybe on the video feed, but your eyes kind of twinkle thinking about that, and I love it. When you were at Mandiant, that was a. They had a really great reputation or a particular reputation at that time. What's it like to build your career inside an organization that storied, that was known for going and inflicting, you know, friction or cost on a threat actor and working some of the most consequential breaches? Yeah.
B
Well, I would. I hope they still have a good reputation.
A
Yes, they do.
B
Absolutely. While we're competitors, we have the same mission. Right. We just have different email addresses. Yeah. I'll say joining Mandiant was probably the most humbling experience of my life. Yeah. You know, are you familiar with the cognitive bias of the Dunning-Kruger effect?
A
Sure. Yeah.
B
Yeah. Where it's basically the less you know about something, the more you might think you know about it. So joining that team was pretty humbling for me. I, you know, thought I, you know, working where I had worked before, I knew a lot, but I realized how much I had to learn. But it was just such a. Frankly, a busy organization that you get thrown right into it. But the team around you is so vested in your success that I learned so much so quickly. I think going into there, you needed to be able to eat that humble pie and realize that there was a lot for you to learn and dig in and do it.
A
So at some point in your career, you went from being the person who was analyzing the breach to the person that would walk into the room with the executive team, with the CEO, with the board to understand what had happened and then what that group needed to do next. I've talked to some of the forensic analysts and the DFIR folks here about how intimidating and empowering that feels. Talk to me about what you learned from that front line to sitting at the table with the leadership teams.
B
So, you know, first off, I don't think you can ever truly stop being the person that analyzes the breaches if you want to be effective with the executives. These are some of the smartest people in the world. They can see inauthenticity a mile away. So having the interest and curiosity, I think, remains a requirement. Whenever I brief even a CISO, let alone a board of directors, I'm still going to want to make sure that I get eyes on the actual data itself. Right. And I need to be able to understand the artifacts that went into forming the conclusions, especially on the key points like the initial entry, how did the attacker get into the environment? I'm going to want to understand what was the initial artifact that allowed us to form that conclusion. And, you know, make sure it makes sense in the context of the organization and the rest of the incident. Things like espionage, data theft, anything that, you know, really causes enterprise level risk or impact. I need to actually understand, show me the artifacts that allow us to limit our findings to what we're calling ad impact and making sure that I agree from the actual artifact. If you're unable to actually get into that granular level of detail, you're unable to really dig in when you get the eventual follow ups. And you become far less effective when you have that inauthenticity.
A
So Steve, when you're digging in, you're talking about the forensic data, the attack itself, is there also a level of understanding the business, the specifics of what their data or their business model is, why they might be targeted, that you have to get into as well?
B
Absolutely. Right. Because the kind of double edged sword of what I just said is that you could have a tendency to get into the minutiae that the organization may not care about. Right. It's your responsibility when you're presenting to these executives. You have to understand both what they want to know from you and what they need to know. Right. And it's your responsibility to arm them with the data they need to know. And you can't do that without understanding the business context.
A
Yeah. You mentioned presenting to them. Is there a particular communication skill or technique that you found is really helpful, but maybe it took you a while to develop, but now that you have it, you want to share it with the threat vector audience.
B
Today I think I'm still developing, having conversations in front of a camera. How am I doing? Fantastic.
A
Fantastic.
B
Yeah. I think it's one thing that I had to learn was probably having multiple versions of one presentation. You walk into a board meeting, you have no idea how much time you have. You might be scheduled for an hour and you get 15 minutes, you might be scheduled for five minutes and you're speaking for an hour. So coming prepared with the ability to again, tell them what they need to know and what they're interested in in different segments of time and being able to make that adjustment is very, very important.
A
When an organization is in the middle of an active crisis. Right. Their executives are in the room that are under this. I don't know how to even describe the level of pressure. It's gotta be incredibly, incredibly stressful. What do you know now about managing that dynamic, Right. Managing that human factor of stress and how it affects people to take in information. You said what they need to know and what they want to know a moment ago. What do you understand now that you wish you would have understood earlier?
B
So I think it's something that you never stop learning and developing. Right. Because we're talking about empathy, really, at the end of the day, understanding the position that my customer's in, that the CISO I'm working with is in, all the way down to the members of the team. You know, if it's a public incident, everyone in that organization is feeling substantial pressure. You know, it's. They might be thinking about, will I have a job tomorrow? So it's really understanding the role that they play and trying to do your best to empathize with it. This could include things like, who is my contact, whoever I'm working with right now, who are they reporting to, what do they have to report, and when are they reporting it? How can I. How can I arm them to communicate up and out better? You know, what's. What's important to them, and how can I help them achieve it? Yeah.
A
Something I've heard recently, and I found, I keep reflecting on it, is when you go into a room, understand who's not in the room, that is in the room, and it sounds to me like you're talking to the CISO, and maybe they've got a boss or an executive that they've got to report to, or there are other folks that that board's worried about, their shareholders. Those people are in the room even though they're not in the room. And you've got to consider those things. They're not your boss, but they're definitely influencing the situation that you find yourself in. All right, so you've been doing this work long enough to understand what attackers are doing and how they're evolving from one era to the next. When you compare the cases that you were working on back in those early days, PwC, Mandiant, what are the things that you're responding to now that strike you as the biggest changes?
B
Probably speed, to be honest, is the biggest change. Back in, before, I think, 2016, give or take, was when the SamSam attackers started really doing enterprise ransomware, CryptoLocker, et cetera. Before that, dwell time was measured in hundreds of days. Right. You had attackers that would be in environments. You know, if I recall the Mandiant M-Trends report in 2014, it was like 229 days or something was the median dwell time that an attacker was in an enterprise before, you know, they were detected. Substantially longer than today. You know, when we're talking attackers completing entire missions in 72 hours. So, you know, everything was quite a lot slower, even post-EDR. Right. The response is faster than the forensic image days we were talking about earlier, but the attacks were moving much, much slower. Attackers were generally trying for long term access to environments. Of course that still happens today, but just so much more of the work is that opportunistic, financially motivated attacker.
A
Is there anything from say 15, 20 years ago that is now making a return?
B
I would say the things that worked then, that still work today, never really go away. Social engineering is a great example of that. It's never really gone away. I'd say before AI, GenAI, really became a thing, attackers finding these external vulnerabilities were able to be more scalable that way for initial access to environments. And that's still true today, of course, but now we've unfortunately unlocked scalability in social engineering and we're definitely seeing attackers leverage that more and more. But it was always effective. Just today, it's more often you're going to hear someone with an accent matching what you would expect, being able to speak in, you know, the local colloquialisms that you would expect, making them a more believable social engineer. And that's not even to mention GenAI and deepfakes and things like that.
A
So you mentioned a second ago attacks being compressed to 72 hours instead of 3/4 of a year. And I think that that was a stat that we saw a lot of the IR report, the incident response report that we put out in February. What is the effect of that compression time on defenders who are watching this happen in near real time?
B
Yeah, and I think the stat might have been 72 minutes even for some of the attacks. Right. It's very fast attackers. We've lowered the bar on automation for attackers. Right. Oftentimes a lot of these opportunistic attacks, I mean, obviously your nation states, your highly skilled attackers, always had the ability to engineer their own tools and tactics. But for the more opportunistic attackers, oftentimes we would see them leverage third party malware or working with something like a ransomware as a service. And a lot of the post exploitation phase of the attack was after they purchased the initial access, before it went to the ransomware as a service. And a lot of that was manual. An attacker moving laterally, escalating privileges, reconnoitering the environment. And this bar on automation has been lowered through GenAI so that attackers can more and more automate that phase of the attack with just scripts. Right now we've also started to see attackers leverage AI directly to actually outsource that phase of the attack. I think we're going to see more of that. But this really reduces the amount of time that you have to respond. Right. Fifteen years ago, a mean time to respond of a day for a SOC was pretty good. And now when we're talking 72 minutes for an entire mission, you know, it doesn't cut it. Yeah, right.
A
Somebody's got your lunch. If you're waiting around an entire day, and forgive me for misspeaking there, it still blows my mind that these attacks are happening, you know, basically in the bound of an hour, hour and change. When did you start to feel that speed increase in your career? And is there a moment where that speed really caught you off guard?
B
So I think it was gradual. I don't think it was overnight. And I would say actually if I had to name a time, it would probably be around the pandemic. And that's even predating AI. Right. But it was when we quickly had to, we as kind of, you know, I guess a people, had to quickly make the change to remote work and we had much less of that castle and moat model. Of course, VPNs and remote access software existed back then, but they weren't as ubiquitous. And a lot of organizations were moving more to the cloud and more to these distributed models without the proper, you know, security controls to implement around them. And this led to broad scale attacks. This led to substantial amounts of vulnerabilities. If I recall, in that year we had a lot of zero days for remote or edge devices that allowed attackers to get into an environment. And we had very flat environments back then. So attackers were able to compromise an identity and start causing harm very, very quickly.
A
Well, you mentioned identity, and I recall in a report that we found identity playing a role in, I think it was 90%. Or 89%? Yeah, yeah, 89% of the investigations. You've been watching this, you said, build for years, it's kind of gradual. When did identity start showing up consistently in the postmortems?
B
So as a contributing factor, always. Right. So, you know, Active Directory has existed long before, you know, cybersecurity has as an industry, and it tends towards entropy. Right. So organizations have had Active Directories sometimes for, you know, 20 plus years. You know, they're older than some of the analysts. I was going to say their Active Directories. And you know, a lot of organizations don't do a good job of going through and saying, okay, why did we create this OU, this organizational unit? Why does this group exist? Why does it have this privilege and this entitlement, and let's trim that, let's remove it, or setting up temporary entitlements. A lot of organizations don't do that well, and that dates way back to then. And attackers looking at this kind of like a graph and how they can move from system to system to account to account has always been a weakness that organizations have faced. I'd say it got way worse around, again, 2020, when identity really became more of the fabric that stitches different environments together.
A
With all the focus on identity. And I actually think this is a space that's going to only be more important. What's one thing that you're frustrated isn't getting more coverage given the risk that identity poses?
B
That's a good question. I only get one. So I would say probably it's that sprawl, Active Directory. As I was just saying, if I had to pick just one, it would probably be that, just how an attacker can just move laterally, escalate privileges, move laterally. If I get two, I would say probably static privilege is something that doesn't get enough attention. Having accounts that will take Domain Admin or Entra Global Admin or something similar and retain that privilege versus being able to temporarily check out that privilege, requiring that modern FIDO2 MFA to check out the privilege and have it temporarily.
A
Yeah, no, I've actually noticed that as I've joined Palo Alto and I want to escalate my privilege. It's like going to the library, checking it out for a minute and then it goes away.
B
And that's for your local account.
A
Yeah.
B
Imagine how many organizations where the keys to the entire kingdom is assigned to a user and that account, it doesn't change. It's just a normal account that that user sometimes uses and sometimes they use it as their daily driver too.
A
I understand that it happens, but I, and I don't say the word befuddled when I hear this. I don't use that word often, but it blows my mind that that is a behavior that here in the world of 2026, that we're still going, you know, yeah, we're going to go ahead and give you the keys to everything. And in 2016 and here we are a decade on and it's still the same. And you're going to. I said we know that's a terrible idea. Why are we doing this? And yet here we are. Steve, where are organizations underestimating where they need to put their investments?
B
Sure. So there's a few different areas I'd mention. The first is we need to reduce our perimeter. We need to reduce the scope of where attackers can come in from to take pressure off the team. And then we need to harden the interior of environments to give teams more time to detect and respond. Right. You don't want to be in the position where an attack can be conducted on you in 72 hours. Right. On the first point we're talking about attack surface reduction, what's inside your perimeter and what's exposed to the world and then making the decisions on. Let's pull more of this inside or if it has to be on the Internet, let's put a SASE or something in front of it so that we're enforcing authentication before someone's able to connect. On the authentication front as well using a more modern type of multi factor authentication. Right. SMS is gone. One time PIN is going, should be gone. We should be working on leveraging the more phishing resistant MFAs, FIDO2 or device bound device registration authentication. Right. Something that someone can't convince you to give them over the phone. If you do that then you're much better protected, both your identity and any potential vulnerabilities that could exist in your perimeter. And then once an attacker gets inside, then we have to talk about what privileges are available to them. Right. So separating the privileged accounts away from the commonly compromised assets by setting up a tiering model or doing that that just in time authentication authorization rather that I mentioned where you check out a credential. Beyond that, putting all of our security visibility into a single platform I think is really critical. If you have your analysts constantly swivel chairing between platforms when an attacker is using an automated attack, you're never going to keep up. Right. 
So we need to be able to get all of our visibility together and then you're able to create your own automations off of it through something like a SOAR, or more and more organizations are going to start moving towards creating agents to respond to more varied types of attacks. And I think that's going to be really where the future is.
A
So let's flip the question a little bit. What looks great on a budget item or is expected? Maybe it's those Executive conversations. They know that this is coming. But you're like, this is not good spend. Given the rapidly changing environment and in the way attacks are going, you know, it's just aged out at this point.
B
Gosh, this is a very dangerous question for me to answer given that I think Palo Alto Networks sells one of everything. But I'll say DLP. An organization really needs to understand what they get out of a DLP. A creative human attacker can creatively think of different ways to exfiltrate data. DLP is great at stopping accidental disclosure or lower skilled potential insider threats. But an advanced attacker could think of other covert channels to exfiltrate data that a DLP likely won't prevent. But it sounds great. Data loss prevention. I want one of those.
A
Absolutely. You've spent your career with other people who are having their or maybe worst moment professionally. What has all that taught you about what it means to lead well in security and not just to respond well?
B
Yeah. So I think it comes down to empathy and investing in your team. Right. Security is 100% a team sport. You can't do it alone. Anyone who tries, even the most skilled, will eventually burn out, even incident response aside. So you've got to build the people around you have their backs, they'll have your backs. It also has the benefit of being the right thing to do.
A
Yeah, that doesn't hurt. For somebody who's earlier in their career or thinking about going into this space, how do you advise them on what they should focus on? Where do they put their energy?
B
That's hard to answer generally versus a specific person. Generally, I would say first identify if you have any fatal flaws, if there's anything that is going to keep you from being able to advance and then take care of your fatal flaws. Get those up to acceptable and then invest in your strengths, whatever area that you think that is a differentiator of yours, invest in it and try to become really the best at it rather than just trying to be a well rounded average person across the board.
A
Absolutely. Steve, I appreciate you pulling back the curtain on your career a little bit and sharing with me, joining us here on Threat Vector, sharing with our audience today some of your ideas, your insights, what you've learned going from that seat as an investigator, going into IR and then sitting side by side with some of these teams as they've, you know, these executive teams as they try to navigate these really stressful and important situations.
B
I appreciate you having me, but I don't think I can end this without now asking you for a dad joke.
A
Oh, well, do you want one that's a security themed dad joke? Like to really double down? All right. So my son, he's a drummer, and it inspired me the other day when the bank said I needed to change my password. So I set it to hi-hat. It didn't work. They said no symbols.
B
Ah, okay.
A
All right. Well, thanks for coming in, Steve. That's it for today. If you like what you heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your reviews and your feedback really do help me understand what you want to hear about on this show. You can email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller. Original mix and music by Elliott Peltzman. We'll be back next week. Until then, stay secure. Bye for now.
Date: April 23, 2026
Guest: Steve Elvitz, VP and Managing Partner, Unit 42 North America
Main Theme:
An in-depth discussion with Steve Elvitz about his career journey through cybersecurity incident response, lessons from the frontlines, the rapid evolution of cyber threats, and key advice for security leadership.
This episode of Threat Vector features Steve Elvitz, a cybersecurity veteran currently with Unit 42. The conversation explores his career evolution, lessons learned handling critical breaches, how incident response has shifted with today’s rapid attacks, and what “leading well” really means for security professionals. The episode is rich with advice—both technical and personal—for defenders at all levels.
“Once I got a taste for incident response...you have the adversary out there that is trying to respond to your response...I found very enjoyable.” — Steve Elvitz [(03:06)]
“That really, I think, codified for me the desire to focus on this for my career.” — Steve Elvitz [(04:44)]
“When you see children’s hospitals, for example, getting hit by ransomware groups...how can you not [help]?” — Steve Elvitz [(05:31)]
“I realized how much I had to learn. But the team around you is so vested in your success...” — Steve Elvitz [(07:22)]
“These are some of the smartest people in the world. They can see inauthenticity a mile away...” — Steve Elvitz [(08:30)]
“You have no idea how much time you have...coming prepared with the ability to tell them what they need to know...in different segments of time...” — Steve Elvitz [(11:04)]
“We’re talking about empathy, really, at the end of the day, understanding the position that my customer’s in, that the CISO I’m working with is in, all the way down to the members of the team.” — Steve Elvitz [(12:15)]
“Back then...median dwell time...was like 229 days...now we’re talking attackers completing entire missions in 72 hours.” — Steve Elvitz [(14:19)]
“Now we’ve also started to see attackers leverage AI directly...really reduces the amount of time you have to respond.” — Steve Elvitz [(17:48)]
“Active directory has existed long before, you know, cybersecurity has as an industry, and it tends towards entropy...identity really became more of the fabric that stitches different environments together...” — Steve Elvitz [(21:00)]
“If I had to pick just one [frustration], it would probably be that...just how an attacker can just move laterally, escalate privileges...” — Steve Elvitz [(22:25)]
“You don’t want to be in the position where an attack can be conducted on you in 72 hours.” — Steve Elvitz [(24:23)]
“DLP is great at stopping accidental disclosure...But an advanced attacker could think of other covert channels...But it sounds great: Data loss prevention. I want one of those.” — Steve Elvitz [(27:16)]
“Security is 100% a team sport. You can’t do it alone.” — Steve Elvitz [(28:04)]
“Get those up to acceptable and then invest in your strengths...rather than just trying to be a well-rounded average person across the board.” — Steve Elvitz [(29:05)]
“Fight crime and find evil. And...we celebrated when we imposed costs to threat actors…” — Steve Elvitz [(05:42)]
“Joining Mandiant was probably the most humbling experience of my life.” — Steve Elvitz [(06:52)]
“Now when we’re talking 72 minutes for an entire mission, you know, it doesn’t cut it.” — Steve Elvitz [(18:36)]
“Static privilege is something that doesn’t get enough attention...rather than being able to temporarily check out that privilege...” — Steve Elvitz [(22:35)]
“Build the people around you, have their backs, they’ll have your backs. It also has the benefit of being the right thing to do.” — Steve Elvitz [(28:18)]
“Take care of your fatal flaws. Get those up to acceptable and then invest in your strengths.” — Steve Elvitz [(29:00)]
Steve Elvitz shares wisdom gained from decades in incident response, stressing the importance of empathy in leadership, business context for technical reporting, the relentless speed of modern attacks driven by automation and AI, and the growing centrality of identity security. He urges organizations to focus their efforts on perimeter reduction, privilege management, and integration of visibility/response, and reminds new professionals to shore up “fatal flaws” and play to their unique strengths. The episode concludes with a dash of much-needed security humor.
For security professionals, this “Breach School” offers both hard-won technical insight and timeless leadership lessons—with practical advice for today’s accelerated threat landscape.
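The episode's two identity points, that attackers read Active Directory as a graph they can walk from account to host to account, and that standing (static) Tier 0 privilege on a daily-driver account is what makes that walk short, are easiest to see in code. The following is an added example, not code from the episode or from Unit 42: it builds a small constructed directory graph using BloodHound-style edge names (MemberOf, AdminTo, HasSession, all assumed for illustration), finds the shortest control path from a low-privilege user to Domain Admins, lists every account with standing Tier 0 membership (following nested groups), and flags privileged sessions sitting on ordinary workstations, which is the "keys to the kingdom on a normal account" anti-pattern. The accounts, groups and hosts are invented.

```python
"""Attack-path and static-privilege audit over a constructed AD graph (example code)."""
from collections import defaultdict, deque

# Constructed sample directory. Edge semantics follow common BloodHound naming
# (assumed here): MemberOf = principal -> group, AdminTo = principal -> host,
# HasSession = user -> host where that user's credentials are resident.
EDGES = [
    ("alice",      "MemberOf",   "Helpdesk"),
    ("Helpdesk",   "AdminTo",    "WS01"),
    ("bob",        "HasSession", "WS01"),
    ("bob",        "MemberOf",   "ServerOps"),
    ("ServerOps",  "AdminTo",    "SRV-FILE01"),
    ("svc_backup", "HasSession", "SRV-FILE01"),
    ("svc_backup", "MemberOf",   "Domain Admins"),
    ("carol",      "MemberOf",   "Marketing"),
    ("Marketing",  "AdminTo",    "WS02"),
    ("dave",       "HasSession", "WS02"),      # DA account used as a daily driver
    ("dave",       "HasSession", "DC01"),      # same account on a Tier 0 host (expected)
    ("dave",       "MemberOf",   "Domain Admins"),
    ("Tier0-Ops",  "MemberOf",   "Domain Admins"),   # nested group
    ("erin",       "MemberOf",   "Tier0-Ops"),
]
TIER0_GROUPS = {"Domain Admins"}
TIER0_HOSTS = {"DC01"}


def build_graph(edges):
    """Adjacency list oriented in the direction an attacker gains control.

    Owning a principal yields every group it is MemberOf and admin on every
    host it is AdminTo. Owning a host yields the credentials of every user
    with a session on it, so HasSession is traversed host -> user.
    """
    graph = defaultdict(list)
    for src, kind, dst in edges:
        if kind in ("MemberOf", "AdminTo"):
            graph[src].append((dst, kind))
        elif kind == "HasSession":
            graph[dst].append((src, kind))
        else:
            raise ValueError(f"unknown edge type {kind!r}")
    return graph


def find_path(graph, start, target):
    """Shortest control path from start to target as (src, edge, dst) steps; None if unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            steps = []
            while parent[node] is not None:
                prev, kind = parent[node]
                steps.append((prev, kind, node))
                node = prev
            return list(reversed(steps))
        for nxt, kind in graph.get(node, ()):
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return None


def static_privilege_holders(edges, tier0_groups):
    """Non-group principals whose standing membership reaches a Tier 0 group (nesting followed)."""
    members_of = defaultdict(set)            # group -> direct members
    for src, kind, dst in edges:
        if kind == "MemberOf":
            members_of[dst].add(src)
    holders, seen, stack = set(), set(), list(tier0_groups)
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        for member in members_of.get(group, ()):
            if member in members_of:          # member is itself a group: recurse
                stack.append(member)
            else:
                holders.add(member)
    return holders


def exposed_privileged_sessions(edges, holders, tier0_hosts):
    """Standing Tier 0 accounts with sessions on hosts outside Tier 0: harvestable credentials."""
    return sorted((user, host) for user, kind, host in edges
                  if kind == "HasSession" and user in holders and host not in tier0_hosts)


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for src, kind, dst in find_path(graph, "alice", "Domain Admins"):
        print(f"{src} --{kind}--> {dst}")
    holders = static_privilege_holders(EDGES, TIER0_GROUPS)
    print("standing Tier 0:", sorted(holders))
    print("exposed sessions:", exposed_privileged_sessions(EDGES, holders, TIER0_HOSTS))
```

Run stand-alone, it prints the seven-hop path from alice (helpdesk member) through bob's session on WS01 and svc_backup's session on SRV-FILE01 into Domain Admins, then lists dave, erin and svc_backup as standing Tier 0 holders, with dave's WS02 session and svc_backup's file-server session as the two credential exposures. Moving those accounts to checked-out, time-bound privilege, as the episode recommends, removes them from the holders set and breaks both paths; the same traversal is what a tiering review should run after every change.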