EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil

Guest: Tim Nguyen, Director of Detection and Response @ Google Topics: I know we don’t like to say “SOC” here, so why don’t we talk about the role of automation in detection and response (D&R) at Google? One SRE concept we found useful in security operations is “toil” - How do we squeeze toil out of D&R practice at Google? A combined analyst and engineer role (just like an SRE) was critical for both increasing automation and reducing toil, how hard was it to put this into practice? Tell us about that journey? How do we automate security signal analysis, can you give us a few examples? D&R metrics have been a big pain point for many organizations, how does SRE thinking of SLOs and SLIs (and less about SLAs) helps us in our “not SOC”? How do we avoid falling into the “time to respond” trap that rewards fast response, sometimes at the cost of good? Resource: SRE book, Chapter 5 - Eliminating Toil SRE book, Chapter 4 - Service Level Objectives “Building Secure and Reliable Systems” book “Achieving Autonomic Security Operations: Automation as a Force Multiplier” “Achieving Autonomic Security Operations: Reducing toil” “Taking an autonomic approach to security operations” video “Modern Threat Detection at Google” (ep17)