Jeff Nathan: Build Discipline into Threat Research for Detection Engineering that Benefits Customers

By Jennifer Leggio, CMO

Last week, we appointed Jeff Nathan as our Director of Detection Engineering here at Netography. He is a phenomenal addition to our team for many reasons – his experience working on and running some of the industry’s largest threat research teams, his affinity and understanding of where detection engineering needs to take inputs from and provide outputs for go-to-market, and his fearlessness in turning over every rock to create the best security possible. In short, Jeff brings an extreme amount of talent and empathy to solving our customers’ security challenges.

With nearly 24 years in the industry, and almost as much time rooted in the security community, I knew he’d have some interesting takes and wanted to be the one to get them. My short interview with him follows.

Please tell the readers a little bit about you.

I’ve been developing detections most of my career, with a big focus on threat research. In my earlier years I was part of developing security companies including @Stake, acquired by Symantec, and later held a threat research leadership role for NortonLifeLock. I also built and later led research and engineering efforts at Arbor Networks (now NetScout), Verizon Business, TrustWave, Vectra Networks, and Exabeam, and have done a lot of specialized consulting work as well. I’ve also been a member of The Honeynet Project for over 20 years.

My resumé aside, what’s most important are lessons learned in both threat research and engineering to improve the customer experience and give them confidence in the research and detections my team provides. This is so they can more quickly and effectively protect themselves. The reason we have jobs in security is that software isn’t always built scientifically, to understand how it doesn’t work. So, we need to offer detection and protection built with scientific rigor. 

Why did you join Netography and why now?

I think the bigger question is, why not? It goes without saying that there is an amazing team across the company. More importantly, Netography is a greenfield to continue to do threat research while at the same time growing my knowledge, the company’s knowledge, and my team’s knowledge. This is not just helping the customers through effective detections and the insights to take action. It’s leveraging this large set of network metadata that hasn’t been effectively used to do enterprise security prior to Netography; to make those customers aware before they even knew they had something to investigate. 

We can detect across data axes where their current solutions might not be able to, across both cloud and on-premises, and we will give them a library of detection models to complement their own – detections that can be relied upon to safely automate operational security responses. This is new, different, and exciting, and I look forward to helping my team find fun ways to do this for our customers.

Why the focus on a detection engineering team vs. a threat research team?

Detection engineering is applied threat research. Research can be nebulous and doesn’t necessarily have a deliverable beyond publication. Engineering is a discipline and the work is to develop and deliver solutions to problems based on some form of research. Engineers as a cohort are pretty risk-averse, and taking open-ended research and applying discipline to it will help us build the right detections for our customers and increase their confidence in Netography. Detection engineering is fed by threat research and engineering formalizes detections into our product, ensuring accountability, documentation, and communication.

Leading and building an always-learning team is also very important to me. I want to foster a culture of people thinking systemically and systematically to keep the work interesting and even smarter. Some of the best researchers in the world can find a class of vulnerability and then build a system that eliminates it from an entire code base. They think bigger – we are going to think bigger. 

What is an aspect of detection engineering that many others may not think about?

The entire domain of information security is really about alternative analysis. We see things differently, often through the lens of those who work to subvert systems. The more we diversify our thinking, the better our ideation in problem-solving. For example, sales engineers are an untapped, incredibly valuable resource beyond the go-to-market organization. Sales engineers should be partners in researching and developing detection technologies for a few reasons. One, they have the most hands-on experience with the product most of the time and they are already out there interfacing with customers. Two, they really are “first-class citizens” in helping to improve detection and break down the barrier. Giving them the responsibility to come back to us authoritatively with what they see and working side-by-side to develop detections can make a better process that ultimately helps our customers.

What is the greatest benefit that customers can gain from Netography?

If you want your customers to stay happy with you and have faith in your security detections, you must build processes around what you deliver so you don’t waste their time chasing false alarms. That is what we do here. It’s one thing to roll out detections, it’s another thing to build a formal engineering process that actively works to disprove hypotheses and eliminate bias. To avoid the pitfalls of only seeking evidence that confirms our ideas. To deliberately try to break our own detections to ensure they are of high quality and can safely and reliably be rolled out in customer environments. This may sound simple, but it’s a fundamental many others skip for speed. Accuracy is everything.

A key theme of Netography in everything we do with our platform is also context. Providing a list of detections to customers without the right context to help them best assess their risk and take the action that matters most to them is just hand waving. That is NOT what we will do here. Context, on top of accuracy, is also everything. 

Beyond that, we can help our customers by making Netography a good citizen and active participant in the security community. Partnering with other researchers, informing research groups and alliances, and engaging in community conversations will help the industry at large – and also put us in line to bring back additional findings that will help the people who rely on us.