Podcast Timeline of Key Discussions
Introduction and Guest Intro: The hosts introduce Manija Poulatova, Director of Security Engineering and Operations at Lloyds Bank, as the guest. They highlight the episode's focus on SIEM migration, a topic that has been popular with their audience.
Transformation vs. Migration: Poulatova immediately reframes the conversation by stating that a "migration" is an anti-pattern. Instead, she advocates for a full "transformation," which involves starting with a blank sheet of paper and building a modern SOC from scratch rather than simply moving existing, flawed processes.
Defining a Modern SOC: The discussion moves to what a modern SOC entails. Poulatova defines it as an "engineering-led" SOC built to detect sophisticated attacks. Its core philosophy is "everything as code", applied to processes and the operating model as well as to the technology stack, not only to the technical implementation.
Challenges and Solutions: The conversation addresses the biggest challenges of this transformation, which Poulatova identifies as data onboarding and, more importantly, the mindset and skillset of the team. She describes building a diverse "SWAT team" with members from various engineering and data science backgrounds to drive the change.
High-Fidelity Alerting (Not Funnels): Manija explains their approach to achieving high-fidelity alerts using a technique she calls "composite rule detection." This involves creating "feeder rules" (low/medium fidelity events) that are combined to create a single high-fidelity alert, which the hosts connect to the concept of Continuous Integration/Continuous Delivery (CI/CD) for detection.
Agile Methodology and Planning: She describes their nine-month transformation plan, which is broken down into two-week sprints with show-and-tell sessions. This agile approach allows for rapid course correction and encourages feedback from a wide range of security teams.
The Future with AI: The hosts ask about the role of AI. The guest states that their focus is to get the fundamentals right first, but they have a clear, intentional vision for AI. The goal is to use AI agents to automate Level 1 and Level 2 activities, freeing human analysts to focus on higher-value work like proactive threat hunting and pre/post-breach analysis.
Final Recommendations: Manija Poulatova's final advice is to "just do it": practice hacking (on platforms such as Hack The Box) to understand the attacker mindset. She also reiterates the importance of bringing a diversity of thought and skills to the team, even if it means recruiting from outside the traditional security org.
Detailed Podcast Debrief Summary
The podcast episode features a discussion on modernizing Security Operations Centers (SOCs), with Manija Poulatova of Lloyds Bank as the guest. The central thesis, immediately established by Poulatova, is that organizations should avoid the pitfalls of a typical SIEM migration and instead pursue a complete SOC transformation. This transformation is defined not by a lift-and-shift of existing tools and processes, but by designing a new SOC from a "blank sheet of paper" with an engineering-led mindset.
A cornerstone of this new approach is a commitment to an "everything as code" philosophy. This is not merely a technical directive but a strategic shift to codify and automate processes, allowing human analysts to focus on more critical, high-value work. Poulatova highlights that the two primary goals for analysts in this model are proactive threat hunting and incident response to high-fidelity alerts.
The conversation delves into the tactical execution of this nine-month transformation. Poulatova shares that the hardest challenges are less technical (data onboarding) than human: the mindset and skillset of the team. To overcome this, she created a cross-functional "SWAT team" comprising a diverse group of engineers and analysts, and she also partnered with PwC and Mandiant. The team adopted an agile methodology using two-week sprints and "show-and-tell" sessions, which allowed for fast iteration and course correction.
On the technical front, a key focus is on generating high-fidelity alerts without the use of a traditional "funnel." This is accomplished through composite rule detection, where multiple low- and medium-fidelity events are combined to trigger a single, high-confidence alert. This approach is supported by a Continuous Integration/Continuous Delivery (CI/CD) pipeline for detection, where every rule is tested, including through purple teaming exercises, before being deployed to production.
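The composite rule approach described in the timeline item on high-fidelity alerting and in the paragraph above can be made concrete in a few dozen lines. The following is an added example written for this page; it is not code from the podcast, its guests, or Lloyds Bank, and it does not reproduce any real rule content. The feeder rule names, the event schema, the 30-minute window, the threshold of three distinct feeders, and all sample events are constructed for illustration. It goes slightly beyond the text by making the window and threshold parameters, and by including the kind of replay test a detection CI pipeline would run before a rule reaches production.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

# Constructed, minimal event schema (hypothetical; real SIEMs use richer fields).
@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    kind: str          # "logon", "process" or "process_access"
    data: dict

@dataclass(frozen=True)
class Signal:
    rule: str
    fidelity: str      # feeders emit only "low" or "medium", never "high"
    entity: str        # correlation key; here the host
    ts: datetime

@dataclass(frozen=True)
class Alert:
    name: str
    entity: str
    first_seen: datetime
    last_seen: datetime
    rules: tuple       # distinct feeder rules that contributed

# --- Feeder rules (illustrative names): each inspects ONE event, stateless ---
def remote_admin_tool(e: Event) -> Optional[Signal]:
    if e.kind == "process" and e.data.get("image", "").lower() in {"psexec.exe", "wmic.exe"}:
        return Signal("remote_admin_tool", "low", e.host, e.ts)
    return None

def encoded_powershell(e: Event) -> Optional[Signal]:
    cmd = e.data.get("cmdline", "").lower()
    if e.kind == "process" and "powershell" in cmd and "-enc" in cmd:
        return Signal("encoded_powershell", "medium", e.host, e.ts)
    return None

def lsass_handle(e: Event) -> Optional[Signal]:
    if e.kind == "process_access" and e.data.get("target", "").lower() == "lsass.exe":
        return Signal("lsass_handle", "medium", e.host, e.ts)
    return None

def off_hours_logon(e: Event) -> Optional[Signal]:
    if e.kind == "logon" and 0 <= e.ts.hour < 5:   # constructed "quiet hours"
        return Signal("off_hours_logon", "low", e.host, e.ts)
    return None

FEEDERS: List[Callable[[Event], Optional[Signal]]] = [
    remote_admin_tool, encoded_powershell, lsass_handle, off_hours_logon]

def run_feeders(events: List[Event]) -> List[Signal]:
    """Stage 1: every feeder sees every event. Output is noisy by design."""
    signals: List[Signal] = []
    for e in sorted(events, key=lambda x: x.ts):
        for rule in FEEDERS:
            s = rule(e)
            if s is not None:
                signals.append(s)
    return signals

def composite_rule(signals: List[Signal], name: str = "credential_theft_chain",
                   window: timedelta = timedelta(minutes=30), min_distinct: int = 3) -> List[Alert]:
    """Stage 2: one high-fidelity alert per entity when >= min_distinct DIFFERENT
    feeder rules fire on that entity inside a sliding time window. Repeats of
    the same feeder do not count, so a single noisy rule cannot escalate itself."""
    by_entity: Dict[str, List[Signal]] = {}
    for s in signals:
        by_entity.setdefault(s.entity, []).append(s)
    alerts: List[Alert] = []
    for entity, sigs in by_entity.items():
        sigs.sort(key=lambda s: s.ts)
        for i, anchor in enumerate(sigs):
            in_window = [s for s in sigs[i:] if s.ts - anchor.ts <= window]
            distinct = {s.rule for s in in_window}
            if len(distinct) >= min_distinct:
                alerts.append(Alert(name, entity, anchor.ts,
                                    max(s.ts for s in in_window), tuple(sorted(distinct))))
                break   # one alert per entity per run keeps analyst volume low
    return alerts

def sample_events() -> List[Event]:
    """Constructed replay data: one attack-like chain, two benign-looking hosts."""
    t0 = datetime(2024, 3, 10, 2, 0)
    m = lambda n: t0 + timedelta(minutes=n)
    return [
        Event(m(0), "WS-01", "svc-backup", "logon", {}),
        Event(m(5), "WS-01", "svc-backup", "process", {"image": "psexec.exe", "cmdline": "psexec.exe \\\\WS-01 cmd"}),
        Event(m(12), "WS-01", "svc-backup", "process", {"image": "powershell.exe", "cmdline": "powershell.exe -enc SQBFAFgA"}),
        Event(m(18), "WS-01", "svc-backup", "process_access", {"target": "lsass.exe"}),
        # WS-02: a sysadmin running wmic at 14:00; one low-fidelity feeder only
        Event(datetime(2024, 3, 10, 14, 0), "WS-02", "admin.jane", "process", {"image": "wmic.exe", "cmdline": "wmic os get version"}),
        # WS-03: three feeders, but spread over 2.5 hours, so never inside one window
        Event(datetime(2024, 3, 10, 1, 0), "WS-03", "bob", "logon", {}),
        Event(datetime(2024, 3, 10, 2, 0), "WS-03", "bob", "process", {"image": "psexec.exe", "cmdline": "psexec"}),
        Event(datetime(2024, 3, 10, 3, 30), "WS-03", "bob", "process", {"image": "powershell.exe", "cmdline": "powershell -enc AAAA"}),
    ]

def detection_tests() -> Dict[str, object]:
    """Detection-as-code gate: replay the sample and check expected behaviour.
    A CI job would fail the merge if any of these is False."""
    alerts = {a.entity: a for a in composite_rule(run_feeders(sample_events()))}
    return {
        "fires_on_chain": "WS-01" in alerts and alerts["WS-01"].rules
            == ("encoded_powershell", "lsass_handle", "off_hours_logon", "remote_admin_tool"),
        "silent_on_single_admin_tool": "WS-02" not in alerts,
        "silent_outside_window": "WS-03" not in alerts,
        "alert_count": len(alerts),
    }

if __name__ == "__main__":
    print(detection_tests())
```

The point of the two-stage design is that no feeder is ever routed to an analyst; only the composite output is. Threshold and window are the two knobs a purple team exercise would tune: replay a simulated chain, confirm `detection_tests()` still passes, and only then promote the rule.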
Looking toward the future, the conversation touches on the intentional use of AI. Poulatova's vision is not for AI to replace humans, but to serve them. The plan is to leverage AI agents to automate Level 1 and Level 2 activities, thereby freeing up experienced analysts to work on more complex pre- and post-breach activities, such as improving security posture and identifying attack paths that have not yet been seen. The goal is to avoid creating an environment where humans become mere "clickers" who rely on AI to do all the thinking.
The episode concludes with recommendations for others undertaking similar transformations. Poulatova advises security professionals to "just do it" and practice hacking to better understand attacker behavior. She also strongly advocates for building diverse teams by recruiting talent from across the entire organization, not just the security department, to foster a fresh perspective and avoid groupthink.