
Cyber Threat Intelligence Podcast
Welcome to the Cyber Threat Intelligence Podcast—your go-to source for staying ahead in the ever-evolving world of cybersecurity by harnessing the full potential of CTI.
In each episode, we dive into the latest cyber threats, emerging trends, best practices, and real-world experiences—all centered around how CTI can help us defend against cybercrime.
Whether you’re a seasoned CTI analyst, a CTI leader, or simply curious about the digital battlefield, our expert guests and host break down complex topics into actionable insights. From ransomware attacks and insider threats to geopolitical cyber risks and AI-driven security solutions, we cover all things CTI.
Join us biweekly for in-depth interviews with industry leaders and experienced professionals in the Cyber Threat Intelligence space. If, like me, you’re always in learning mode—seeking to understand today’s threats, anticipate tomorrow’s, and stay ahead of adversaries—this podcast is your essential companion.
Stay informed. Stay vigilant. Tune in to the Cyber Threat Intelligence Podcast.
Season 1 - Episode 12 (Pedro Kertzman & Jason Chan)
What does cybersecurity look like when you're protecting the world's largest streaming service and content studio? Jason Chan, who built and led Netflix's security team for over a decade, takes us behind the scenes of securing one of the most transformative companies in modern history.
From Netflix's humble beginnings as a DVD-by-mail service to its evolution into a global streaming behemoth operating in 200+ countries with hundreds of millions of subscribers, Jason shares the security journey that paralleled this remarkable business transformation. At the heart of Netflix's approach was strategic storytelling—creating a clear picture for both technical and non-technical stakeholders about not just what needed protection, but who the company needed protection from.
The threats Netflix faced were as unique as its business model. Account takeover schemes where compromised credentials were resold on international black markets. Content protection challenges to prevent pre-release leaks of shows and even physical-digital security concerns around protecting high-profile people like the Obamas. Through it all, Jason's team developed a pragmatic approach focused on preventing the most catastrophic outcomes: service unavailability and data breaches.
Perhaps most remarkable was Netflix's commitment to open-source security. At a time when most companies guarded their security practices closely, Netflix released groundbreaking tools that shaped today's security landscape—including Security Monkey (the first cloud security posture management tool) and Fido (an early security orchestration platform). As Jason explains: "We're not going to compete on security, we're going to compete on entertaining the world."
Whether you're building a security program from scratch or leading a mature team, Jason's insights on prioritization, vendor partnerships, and community collaboration offer a masterclass in effective security leadership. Subscribe now to hear the full conversation about securing one of the world's most innovative companies during its remarkable transformation.
Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!
I think we really do need to focus, when we are sort of telling our stories on security, right, it's not just about what we're protecting, but who we're protecting it from.
Rachael Tyrell:Hello and welcome to Episode 12, season 1, of your Cyber Threat Intelligence Podcast. Whether you're a seasoned CTI expert, a cybersecurity professional or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of season one, our host, Pedro Kertzman, will chat with Jason Chan, who has over 20 years of experience in cybersecurity and is especially passionate about large-scale systems, cloud security and improving security in modern engineering organizations. Jason built and led the security team at Netflix for over a decade. His team at Netflix was known for its contributions to the security community, including over 30 open source security releases and dozens of conference presentations. He also previously led the security team at VMware and spent most of his earlier career in security consulting. Over to you, Pedro.
Pedro Kertzman:Jason. Wow, being a fan for so many years now that I think it's just fair to say that I'm beyond excited to have you on the show. Thanks a lot for coming.
Jason Chan:Oh, thanks, Pedro. Thanks for having me. I'm glad to be here.
Pedro Kertzman:Amazing. If maybe we can jump right in. Would you mind sharing your perspective, like a general CISO view of CTI? It could be related to assets, exposure, threats, you name it.
Jason Chan:I think, from the CISO's perspective or security leader's perspective, I mean, obviously they're running the security organization, to which threat intelligence is a big part. But I think most of what we're trying to do is at the executive level, the leadership level. This includes, you know, your peers and technical executives, non-technical, the board.
Jason Chan:You're really trying to create a shared understanding of the security environment that the company is facing. So, I would, you know, I tried to keep that simple when I was doing those kinds of communications and it was really about, you know, what are we trying to protect? Right, and I don't mean, you know, the specific assets, but it's like we're trying to make sure this service remains available. Um, you're trying to make sure data remains protected, and then you're, you're trying to, you're trying to think, well, what are the negative events that could affect those, those things you're trying to protect? And then, finally, you know, what are the threats, like, who are the adversaries? Right, and I think that's where CTI comes in, is you want to be able to reason about who, who is actually coming after you.
Jason Chan:And, of course, as we know, you know, the adversary doesn't really make a habit of letting you know when they're coming after you or how they're going to do it or when, but, you know, which is what, to me, is what threat intelligence is all about. So, yeah, I think about it at that level, as you're trying to do some storytelling, you're trying to paint a picture of what the threat environment is like with as much information and detail as possible.
Pedro Kertzman:That's amazing. I love how you put the storytelling part, and also to the non-technical, let's say, audience. So that's an interesting point. Any insights on how to properly fine-tune that message to that audience?
Jason Chan:Oh yeah, I mean, I, I'd like to think of it really in terms of, um, and I think this is pretty common in threat intel. You're really trying to, like, think about, um, maybe not necessarily specific, um, like adversary groups of threat actors, but the way, at least the way I categorized them when I was at Netflix, is we sort of would talk about, uh, like groups, right, like who's actually coming after us and, um, you know, at Netflix, we, we were, you could kind of think of it as almost like two really large and complicated businesses that are kind of working together. One is on the, on the streaming side. It's this, it's the world's largest streaming subscription platform, right. So you have, you know, 200 and something million members, 200 or so countries. So you know, you, you have kind of threats that are pretty common to running a large-scale consumer internet service. And then, in addition to that, you have the studio which is creating all the content that goes on Netflix, and, again, it's the world's largest studio. So, at least about the time I retired in 2021, we were doing about a thousand productions a year. And you know production is a, you know it's a stand up comedy or it's, you know, an animated series, it could be a movie and whereas, like most other studios are doing about 50 to 100 a year. So really really large scale. So really with that, we're trying to like create an understanding about like, well, who, who from the adversary side is interested in that, and we would kind of put them into buckets, right. So you have, on the more kind of, if you think about like a spectrum or a continuum of adversary that goes from, say, kind of commodity or general to more specific. And I don't mean in terms of skill, I'm not talking about script kiddie to APT, I'm thinking about what's a general threat versus more specific.
Jason Chan:And the general threats for Netflix were, as I mentioned, right, you're running a large scale consumer internet service, so you're going to see a lot of things like credential stuffing and account takeover. We had, you know, a lot of cases where, of course, you know, people tend to reuse their passwords and their accounts get taken over, and there were certainly cases where the access to an account would be resold. So we want to understand, okay, well, who, who are the, who are the threat actors, who are the adversaries that are seeking to take over Netflix accounts so they can monetize resale of those accounts. Um, we would also look on, on the streaming side. We would think about, um, content protection, right. So, um, because you know whether, I guess, regardless of how you, how you may personally think about things like content protection and piracy and digital rights management, you know, to be able to put that kind of content on the internet and, working with these studios and these creatives, they have certain security requirements. So we, we obviously implemented all kinds of interesting content protection and digital rights management.
Jason Chan:But you know, we, there were a separate set of adversaries, you might even consider them researchers or, you know, like old school hackers, that they were basically trying to break content protection, they were trying to break DRM. So there you also have to kind of pay attention to what's happening, like what's the state of the art in breaking DRM and breaking content protection. And then you know, on the studio side, you know, as you can imagine, you're dealing with a bunch of you know you're making content, you're working with a lot of celebrities, a lot of really well-known people or unique part, because you really start to have this, uh, like cyber, physical crossover where you have you're trying to protect, you know, A-list talent and celebrities. Right, we were working with people like, you know, Michelle and Barack Obama, and these are people, obviously they're, they're, um, they have their own kind of, uh, protection and things like that.
Jason Chan:But we also we need to be able to protect the kind of digital assets that pertain to, for example, where a certain celebrity is going to be on a certain date, or or where filming is going to be for a particular series. So, you know, I would say, um, sorry for for rambling there, but you know, kind of a long story short in terms of that storytelling you're trying to create. Like, without going into the weeds about any, any specific thing, you're trying to say, hey look, these are kind of like the four or five main categories of adversary that we're really thinking about, and, of course, that doesn't mean that there might, you know, not be somebody new next year or next week. But if you want to have a long-term, you know, sustained kind of program, you have to kind of, you know, do some reasoning about who you're actually, um, working against, and it's not just some sort of like, you know, gray and shady, you know unknowns.
Jason Chan:You have to be able to put some, some kind of personas to those folks.
Pedro Kertzman:That's amazing and it's a very, really unique, let's say, list of assets and, uh, if I'm not mistaken, I think I can remember from the top of my head any content, if you will, breach or like a new, uh, series or something like that being exposed before the real release date. And I do remember from many other studios. So I would say you guys, uh, did a, you know, really good job on keeping that stuff private.
Jason Chan:Yeah, we did have one issue. I'm trying to remember what year it was, maybe 2016, 2015. We had a series of one of our original series called Orange Is the New Black. We had the new series. Some of those episodes were leaked by, it was a fourth party vendor, so they were kind of an audio vendor from the studio that we had worked with to create that series. So yeah, it happened and to me that kind of is to some degree the nature of the sort of distributed nature of content production is, you know, you have a lot of third parties involved and fourth parties. So the studio that you, that you work with, they have their own, you know, ecosystem of suppliers. Um, yeah, yeah, and so, and that, but it was, um, you know, another.
Jason Chan:I remember um kind of speaking about executive communications is.
Jason Chan:I remember around that time, you know, we, we had to really do a lot of education with our, um, with our folks, because a lot of the really traditional, like folks that have worked in traditional studios, a lot of what you're trying to protect is that opening box office weekend, right, because that's when, that's when everybody's buying their tickets, right, we just saw, you know, Mission Impossible just came out, right, so you really got to take care to not have that get leaked because otherwise people are not going to get tickets.
Jason Chan:So you know, the difference is on a streaming platform like Netflix, where you're really just paying one price and you get all the content is, you know, part of really what we were trying to do as a business is you're trying to create a service that is good enough in terms of the technology and the content so that people don't really bother with piracy or trying to see things. You know, a couple days early. So you know we we did a lot of communication about hey, obviously we don't want content to be leaked, but it's a just a fundamentally different business model than the traditional studio and traditional entertainment releases.
Pedro Kertzman:Fair enough and I think, at least to me, one of the mind-blowing things is the scale that you're mentioning, where guys are operating in several countries, the amount of users and all that and all that, but also how disruptive from a never seen before type of technology you had to leverage to be able to deliver that content on that scale and I imagine the security was just kind of, uh, enabling business at that point, right. So you had to work hand in hand to be able to securely deliver that content at that scale. Any challenges around that, especially if it relates to CTI at any, at any point?
Jason Chan:Yeah, I mean, I would say I think you captured it well.
Jason Chan:Right, you're trying to create a new business. Right, you're trying to create a subscription video service, which, you know, Netflix's history, its origin was really a DVD by mail service, right? So you would go to the website and we would mail you DVDs, and so, you know, a lot of the ways I would characterize my time at Netflix, you know, I spent a little over a decade there, was, there was basically a constant change. So the business was changing from DVD by mail to streaming. We were changing the content we were providing, from licensing other studios' content to creating our own. And then, you know, going from like US only to global.
Jason Chan:And then, on the tech side, you mentioned tech, we were going from a company that was pretty much run out of its own data center to being really probably the first large enterprise to go full scale into the public cloud. We started the journey into AWS in, I think, about 2008. When I started in 2011, it was quite early on. But I mean, you know, I think nowadays, if you were going to create a new company, it would be kind of a no-brainer, to be like, yeah, of course we're going to use, you know, AWS or GCP, but you know, back then it was pretty unheard of to be that far in. But the reason why, I mean beyond any kind of specific technical features, is we were really trying to focus the business, right, because when you're trying to create a new kind of business, you really need your people to focus on that and not focus on things like managing data centers and running networks and, you know, storage and all this kind of stuff. So that was really like a part of the key of the company's culture was like, let's let people focus. And I would say we did the same thing with security. Right, we were trying to create solutions that made it easy for developers to work with security.
Jason Chan:Um, you know, on the threat intel side you mentioned, you know I one of the first. You know we were, um, we did quite a lot of open source at Netflix and you know one of our earliest projects, uh, was this, was a system called Scumbler and you know really what it did, and you know, I think this has become fairly common nowadays, but we released it I think in 2014 or so, was you basically, you know, set up this system to kind of go out and look at various places on the web, whether it was, you know, Twitter or Pastebin, and you're trying to find intelligence. Right, you're trying to find, hey, is there anybody there, anybody out there, you know, talking about Netflix, talking about Netflix users, vulnerabilities, those kinds of things. This was really like in the early days of when you could procure something like, you know, managed threat intelligence and you could get feeds.
Jason Chan:But to get, you know, more structured intelligence or more kind of like higher level work, it was a little bit more, a little more hard to come by. So, yeah, and it was. You know, we built that when the team was still pretty small. It was probably, you know, five or six of us total. So we didn't, you know, you're not able to dedicate full-time resources to just, you know, looking to see what might be out there of interest. So, you know, you create tools and you create automation, you create pipelines that allow you to go out and look for that information, bring it in, you know disposition and do what you may with it.
Pedro Kertzman:That's amazing. And so you're mentioning the shift on the business, uh, the business side, right, from DVD shipping, uh, up until like large-scale streaming. How was the, uh, CTI also evolving with that, uh, shift? I imagine, like, the threat actors, TTPs, you name it, will be fairly different, like the threat actors targeting that specific way of doing business up until like a large scale attack surface. I cannot even imagine the size of the attack surface at the point Netflix is nowadays. So how's that shift from adversary understanding standpoint throughout those years?
Jason Chan:Yeah, it's kind of funny because I would say most, at least when we got started with what I probably call a CTI, we may have bucketed it more in terms of customer trust or fraud and abuse. Um, you know, that's really where, where we started to focus, because you're trying to figure out how are people trying to misuse the service, right? So you know, on the DVD side, it was fairly straightforward, like sometimes you would have people sign up and you know they give you a fake physical address and you know you would so, because they're trying to, to get DVDs that they never have to return, or you know, certainly, things like credit card fraud, and then when you went to streaming, there were the same thing kind of in that bucket of customer trust or, you know, abuse, and I did a talk on this. I think, you know, Facebook had a kind of spam at scale conference back in 2016 or so and I kind of went through some of the different kind of abuse scenarios and how we thought about protecting against each of those, and really the most common one, and it sort of came from different areas, but was just, you know, it was, it was account takeover, it was, it was through, whether it was credential stuffing, you know, password reuse, you know, info stealers, whatever it might be.
Jason Chan:There were people, there were, you know, in fact, somewhat some pretty large and geographically distributed and fairly sophisticated threat actors that would gain access to Netflix member accounts for the purpose of reselling those. Because you know you could, especially in, you know, we found quite a lot in Latin America, quite a lot in Southeast Asia, where you know you would, you would see, we actually have like pictures of like billboards and stuff where people would be selling, hey, here's Netflix for two dollars a month, and of course it's not, like you know, legitimate net. But basically what they were doing was reselling access to an account that had been compromised. So, yeah, so we really had to shift from that, you know, the kind of physical, kind of credit card fraud, to more of like how are people going to abuse the service, how are people going to abuse our members? And that was really kind of how, what got us started down, down the road of a more formal kind of CTI program.
Pedro Kertzman:Awesome.
Pedro Kertzman:You know, we got the program started. Uh, any learnings or things worth mentioning, how you matured, uh, that program within those next few years, having like an established CTI program?
Jason Chan:Yeah, it's, it's um.
Jason Chan:You know, I would say similar to, you know, I mentioned this idea of doing like using the public cloud as a means of creating focus for your business, and we would, we did the same thing, I would say with, um, not just CTI, but you know, to use that as an example. Is you think about, okay, if you want to create a program to allow you to better understand your adversary, like a CTI program, what do you decide to do yourself? What do you decide to outsource or use a vendor for? And, frankly, even above and beyond all that, what are you going to decide to do versus not do? Because I always, you know, I've said many times is like it's really about what you're not going to do. Right, because if you had unlimited time and resources, you'd say, yeah, sure, just do it all, but nobody has, nobody has the time or resources to do all that. So you have to be really strategic about absolutely saying, look, these are the things we're going to focus on. We're going to maybe lean on a vendor to do some of these other things, and then these other things we're just going to be. You know, we're not saying they're not important, but as of right now we're not going to do those.
Jason Chan:So, you know, we really we really worked in a way of of you know, kind of going back to the beginning when I was talking about storytelling, and kind of you know what are the big buckets of adversary groups? We really focused there to be like, hey, who are the? You know what are the and this is kind of more from a quantitative perspective. It's like what are the threat scenarios that we're most worried about, that we think can have the biggest impact? And then you sort of match up okay, well, what are the adversary groups that could actually enact those threats scenarios? And that's really where you'd want to focus.
Jason Chan:And you know, again, for us it's like most of when you think about how can things really go wrong for a large scale internet service? There's really kind of two main things that can go wrong, right. One is your service cannot be available, right, like, somehow it's whether it's DDoS or any other, any other reason that your service goes down and people, paying users can't use it. And then you can, you know, you can lose data, right, you, you, you have some kind of data breach or things like that. So really for most, uh, large-scale consumer internet services, those are the two main things you're trying to protect. So that's really where we began focusing our Threat Intel program, was about, how do we make sure that we are investing to preserve those two primary functions, whether it's keeping the service available, protecting customer data, and then kind of work out from there to your adversaries and things like that.
Pedro Kertzman:That's amazing. I really love the way you put it from a priority standpoint. I see a lot of people kind of overwhelmed already just by thinking about a CTI program, the magnitude, the amount of information, telemetry from all over the place. But it's just, you don't need to embrace the whole thing. You can use it just to determine risk, for example, likelihood, impact and stuff and then take decisions based on that, maybe not doing anything. It's a decision as well. The way you put it. It's really good because it just feels that if you don't want to look into it, then it's like a dangerous spot to be. Like go do some research and that's okay. If after that you come to the conclusion I can take that risk.
Jason Chan:It's all good. Yeah, you know, I think you cover two really important topics there, right? One is a lot of people can be overwhelmed with getting a program going or going, kind of going from zero to one right, like people would do with people. And we had that failure mode, you know, a number of times, uh, in the team, you know I'm not saying necessarily specific to CTI, but where you kind of you sort of want somebody to be the first hire in an area and they would have trouble getting that function off the ground because they kind of felt like geez, how can I do this as one person and do that? And it's like, well, again, it's about what are you not going to do? What are you specifically?
Jason Chan:Because you know I would, I would try to support them and be like, hey look, you know, one time many years ago, like I was the first person working on this at Netflix and it was just me and you know, I kind of know you're the only person. Then you know you should be able to then figure out, okay, how am I going to spend my time most effectively? So I think that's a key thing is, you have to have a certain type of person who can feel comfortable, kind of going from zero to one and being the first person and not having a team, right, is it just being you and then the second one in terms of like what, what you're not going to do? I think? I think there's something relatively unique to security people where we we feel like if we know about something like whether it's a vulnerability, or we feel very uncomfortable not doing anything about it.
Jason Chan:Right, we're like, oh geez, well, I know this, this problem exists. So, you know, I, I need to do something about it. But it's like I think people need to really start from kind of the opposite end. Right, it's like, hey, I need to have a really good reason to actually to of what I'm working on. Right, knowing that you know there's, if you think about it any given day. Right, you have an infinite number of things you could choose to do.
Jason Chan:It's like, well, how are you going to choose those few things that you are going to do? And you know we're human, right? So a lot of times we're like, oh well, what's the shiny thing? What that seems interesting, let me go work on that. And then you know, in your heart of hearts you might say, oh, it's not actually the most important thing, but it just seems fun. So, oh, geez, I need to have, you know, this super mature program on day one. And then being like, hey, yeah, there might be, you know, 100 things I'd like to get done, but you know, in reality I'm only going to be able to do six of those, right? So, people. I think it just can make people really uncomfortable to make those kinds of decisions.
Jason Chan:Yeah, that's, true, and you were mentioning also about vendor collaboration as well, any insights around that, how to better utilize that extra pair of hands to bring some extra value to the team or the organization. What is important for us to do ourselves and be great at, versus what could somebody else probably do better than us? And especially if it's like a really undifferentiated service. And I think probably the first one that comes to mind is kind of is like phishing, takedowns, right, and phishing sites and things like that. Is that that's such a common problem across the Internet, like we would have a program to sort of sort of um to to potentially do takedowns and things like that. But most of that was done by vendors who are going out, you know, finding the fishing kits and doing the analysis. They're doing the cease and desist right. There's no value in us doing that ourselves. So I think that was a great uh, a great case for kind of outsourcing Um. And then the other one was you know I mentioned this kind of markets for resale of Netflix accounts and you know there's also forums and things like that where people talk about how do you break, you know, digital rights management, how do you break copy protection, content protection, a lot of hardware research. So for us, like you know, to kind of create a persona, to kind of sit in those forums and understand what's going on, to do like controlled purchases of compromised accounts it's like we would leverage vendors to do that for us, because it's like it's not really, you know, to kind of set up the infrastructure to do those kinds of long term campaigns. It's not a ton of value in doing that yourselves, whereas, like you, have plenty of companies who, like that's what they do 24-7.
Jason Chan:I would always use, you know this is not specifically around CTI, but you know things like reverse engineering, malware. You know malware analysis. It's like you know, most companies. It doesn't make sense to have that skill set on, you know, on staff, right, because you just go talk to, you know, mandiant or whoever, whoever, and they can kind of do it for you because that's all they do. It's the same thing where, if you think about a lot of what we've, what we've learned, outsourcing the security world, like think about penetration testing, right it's. You know, sure, there's, there's some teams that have internal pen testers. But you know, you go and you go to vendors and like that's, that's all they do. They're looking at applications and they're breaking them, you know, constantly, yeah, and so I think the same way around, threat intelligence is like what's really, really specialized that we want to work on and we want to get great at, and that's going to be like the highest touch work, and then, and it's and it's not that that's, like, you know, harder, easier, it's not really about that.
Pedro Kertzman:It's just about what are the things, the tasks that are going to be the most specific to the company versus you know, what are the things like, say, phishing, takedown, that just they apply to everyone, so just better to use a service for that going back maybe to that topic of the, the open source tools, um, that netflix that your Netflix team was putting out there, any collaboration, special collaboration or tool things worth mentioning that you saw some extra success from that particular tool ended up being, I don't know, amalgamated on another platform or other frameworks, so on and so forth yeah, no, we, I would say, um, maybe like stepping back, just kind of like introducing, um, I think, open source.
Jason Chan:You know, at Netflix and specifically to Netflix security, really early on, we decided almost really at like a strategic level that, you know, we really looked at security as kind of a community kind of thing, right? So we would lean into sharing rather than trying to keep it private. I remember, you know, when I started early in my career, like in the late 90s, it was very much like people didn't really talk about security, right, because they felt like they were going to give something away. And we really, I would say, took a much different approach. We were like, hey, we're not going to really compete on security, we're going to compete on entertaining the world. That's what Netflix needs to be great at. Security is part of that. So we really leaned into this idea of sharing, and some of that was through open source and some of that was through peer-to-peer collaborations with other companies, doing things like conference talks and things like that. So we were very, I would say, bullish on all those kinds of investments. And, yeah, I would say part of the advantage of being in a really fast-growing company that's sort of doing something new, you know, being very early in the public cloud, was that back then, right when I started in 2011, there wasn't a market for cloud security, right? That didn't really exist. There were maybe some vendors that were like, hey, let me create a virtual appliance for this firewall, but you know, it's mostly just all garbage, right? So pretty much we had to create our own solutions.
Jason Chan:So we created things like Security Monkey, right, which, really, looking back, was really the first CSPM. Right, it was CSPM before that acronym existed. You know, it looked at our AWS environment and kind of found issues. We created FIDO, which was, you know, the first SOAR platform. It was kind of SOAR before SOAR existed. And then Scumblr earlier on, which was really our kind of threat intel kind of, you know, basically go out and look on the web for things that you might care about. And certainly, I think, with any of those things, you know, if we had wanted to, you probably could create a company around those things, but ultimately we were just trying to protect the company, so we didn't go down that route. But yeah, you know, we certainly learned a lot.
Jason Chan:Mostly what we were trying to do with open source, especially in the kind of cloud security space, was we were basically saying hey look, everybody is new at this, right, so this is our way of tackling this problem, like let's get feedback, like maybe it's helpful to you, but maybe you've developed a different way, and I think it's kind of nice to see now that, in sort of 2025, it's much more common for, you know, companies to open source security products, or for companies, you know, defenders working at large corporations or even small corporations, to go to conferences and talk about defending right.
Jason Chan:Because when I started in security, you'd go to conferences like, you know, not just Black Hat, but any of them. You're only ever talking about offensive stuff. You're talking about vulnerability research, you're talking about attacking, and now it's like there's tons and tons of talks on defense, and I think part of it was, you know, companies like Netflix really kind of leaning into that.
Pedro Kertzman:That's amazing. And any like peer-to-peer collaboration, or maybe even like Facebook ThreatExchange, that you saw advantages of leveraging from maybe a CTI standpoint as well?
Jason Chan:Yeah, yeah, we did get involved with a few sharing programs like ThreatExchange that, you know, I mean, I wouldn't say they were useless, but they were probably a little more trouble, at least in the early days when we were involved,
Jason Chan:than it was worth. Anything kind of like formal, what I sort of found was probably less valuable, and what you really had value out of was the informal conversation. So we did a lot of peer-to-peer. You know how it is, right, there's so many Discords and Slacks out there where security people gather and they talk about stuff. And again, even now, right, it's such a huge advantage, right? Like, if you think about, can you go and lean on somebody and say, hey, have you seen this before, have you seen this kind of activity before? Like, what would you do here?
Jason Chan:And you know, people, that's one of the things I've loved about the security community and, you know, why I've been in it for pretty much my entire career, is that people, they care, they care about what they're doing, they care about protecting their organizations, and they also generally want to help other people, because they recognize that, you know, it's hard to just protect anything in isolation. You really have to create a safe environment, a safe interconnect. So, yeah, I think I've had, you know, really, really good success on the informal side, whether it's sharing with other CISOs or, you know, other security engineers, where people are just more than willing to give their time and energy to helping other people.
Pedro Kertzman:Okay, no, that's perfect. And from a learning CTI standpoint, not necessarily, you know, IOCs or things like that, but how the industry is moving, how things are now shaping and all that, any new, interesting favorite sources, books, blogs, people, anybody to follow or learn from?
Jason Chan:Yeah, I would say, you know, since retiring I'm a little bit less plugged in, right, so I don't do as much following.
Jason Chan:But I think, you know, there's a saying in security, and especially in incident response, right, you never really want to waste, you know, a crisis, right, and especially if it's somebody else's crisis. So I think looking at incident reports to me is such a great way of learning, and looking at, you know, the different reports companies create around tracking different adversaries. I think those are great because you can really understand. You know, I tend not to name names, but when you look at big breaches, you know, 'cause.
Jason Chan:I would say one of the things I would always tell people is, you know, they would ask me, hey, well, you know, how do you prepare for a board meeting, or, you know, what's your slide president. I'm like, I don't. I don't really. You know, the prep I do is I try to anticipate the questions they're going to ask, because it was always about what happened recently, like, oh, this company had a compromise, or what do you think about this? Or like, could this affect us? And those are really, really good learning experiences because, you know, frankly, they happen to somebody else.
Jason Chan:But some of that information is available, you know, so, of course. And then there's things like, you know, Verizon's DBIR. I think, you know, I'm not on Twitter anymore, but one person I would say is just a great follow, and I get the newsletter now, is the grugq. So I mean, he's just been in it for, you know, decades and just always has really, really interesting things to call out. So, yeah, get his email newsletter. He probably has a Substack and a Medium.
Pedro Kertzman:That's amazing. Any final thoughts, any last things to share?
Jason Chan:No, I think I appreciate the time, appreciate the conversation. I think, sort of tying it back to the beginning, I think we really do need to focus, when we are sort of telling our stories on security, right, it's not just about what we're protecting but who we're protecting it from, right, and really think about how you can kind of put those together. It makes it certainly much more compelling storytelling, but I think it's a little bit easier to connect to people as well if they can kind of, you know, understand what are motivations, what are techniques and really, like, why are we putting in this investment to protection?
Pedro Kertzman:That's perfect, Jason. Thank you so very much for coming to the show. I really appreciate your willingness to share your knowledge with us and I hope I'll see you around.
Jason Chan:Yeah, my pleasure. Thanks, Pedro. Appreciate it.
Pedro Kertzman:Thank you
Rachael Tyrell:And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure. We'll be right back.