In this week’s episode of The Future of Security Operations podcast, I'm joined by Dane VandenBerg. Dane’s 16-year security career includes product-focused roles with vendors like Qintel and more recently, Microsoft, where he was Principal Technical Specialist supporting the development of their security copilot. He’s also spent a lot of time in fintech, serving as Vice President of Information Security at Prime Trust and, currently, Senior Director of Security Operations at Circle.
Dane and I discuss:
Why security teams are still stuck fighting the same battles they faced 15 years ago
How Dane’s vendor-side experience influences his SecOps leadership
Why threat intel should be embedded in security operations, and help drive detection and response
The real potential of security copilots, beyond the buzz
Where to find Dane:
Where to find Thomas Kinsella:
Resources mentioned:
In this episode:
[02:05] How Dane went from researching women’s health and animal cloning to public relations to security
[06:25] Why security teams are still fighting the same battles they were 15 years ago
[09:24] How Dane’s vendor-side threat intel work shapes his thinking as a SecOps leader
[12:00] What’s working - and what’s not - about how companies approach threat intelligence today
[12:51] Why threat intel should be an in-house function, not just a reporting feed
[15:30] What motivated Dane to move into the finance and crypto industry
[19:30] How parenthood reshaped the way Dane thinks about risk
[22:50] Tips for encouraging employees to report their security concerns
[26:00] What a great security-vendor customer experience look like - and what too many vendors get wrong
[29:10] The security tools and solutions Dane is most excited about right now
[32:45] Balancing the hype and potential of security copilots
[38:30] What cyberattacks might look like five years from now
[41:30] Connect with Dane
TL;DL? Read Dane’s take on:
How fatherhood influences Dane’s approach to risk assessment and management
“Here at Circle, I’ve learned a lot about how to manage and communicate risk internally. I have a two-year old son - when he first started walking, he was very unstable. I started thinking about it from a risk perspective, like, ‘Okay, he's on carpet, there's not a table nearby, we’re good.’ I noticed my wife didn’t want him to fall, period. I was like, ‘It’s okay if he falls here, he’s not going to break anything or get a bruise.’ Once you start seeing tables being introduced, or he starts walking on concrete or going outside, you start calculating risk a bit more.”
It’s definitely humbling when you think of what a loss can look like [in fintech]. There used to be a Blockchain Graveyard on GitHub, and when you go through it, you see that this is an industry where you can just lose $500 million, and it’s really no big deal. Can you imagine eBay losing $500 million? People would lose their minds.
Why AI copilots are currently in the “intern phase” - and where they’re headed next
“When I was at Microsoft working on the Copilot team, it was interesting because I was there very early. When we were still letting some of our our customers pilot it, the feedback was all over the map. It’s basically one of those tools that, if you understand how to use it and you have like a use case that works well for it, you’re obviously going to love it. And if you don’t, you won’t.”
I think we’re still in this “intern” phase [with AI]. We’re starting to deploy AI in our ticket systems around DNR. We’re using some of the in-house AI capabilities in Tines. We also have other tools with LLMs that are being trained on our Jira and Github data.
The innovative security tools and solutions that Dane’s most excited about
“I’m not saying this because I’m on your podcast, but I think how you’ve built [Tines] has been really remarkable. It’s really interesting to see it proliferate inside the organization. When people at the company get exposed to Tines, they’re immediately asking, ‘Can we get more stories for this?’ You’ve built a product where the value is immediately clear, and it’s just so hard to do that."
The vendors I’m most interested in tend to be some kind of commodity data provider. If you’ve got a weak signal, you can spend a lot of time looking into it. But odds are there’s some type of enrichment solution out there that’s going to help you zero in on how you can raise or lower the fidelity of that signal. And I’ve really been digging into the browser extension space. It’s one of those niches that nobody’s built great solutions around.
The essential ingredients for a stronger security culture
“Being a good communicator, I think, is the most important thing. As a security organization, it's obviously incumbent upon us to make sure we're communicating out threats, and that people understand it beyond the annual security training that people click through as fast as possible. It goes back to making it personal, right? We try to do PSAs that are relevant to the organization regularly through Slack. Not just, ‘Hey, this bad thing is happening,’ but more like, ‘This bad thing is happening - here’s how it translates to Circle, and here’s what to look for.’”
[The SOC] needs to have a very customer service-like mindset, and I think it’s really easy to lose sight of that inside organizations. You see it all over the place, where people don’t treat internal customers the same way they treat external customers... But I think the more you can see yourself as a service organization... the more good interactions you can have with people, and the more likely people are to come to you with issues that they're seeing.
What cyberattacks will look like in the near future
“We were just talking about how, 15 years ago, phishing and ATO were still issues. But you're starting to see all that stuff is changing, right? I think we’re in the middle of this seismic shift, particularly in the credential space where passkeys are becoming more popular. The whole concept of needing a username and password for an application is pretty much going by the wayside. From a defender standpoint, the malware space is almost totally dried up to an extent. There’s obviously browser stealers and things like that, but it's nowhere near as bad as it was 15 years ago. You’re seeing some of those problems getting cleaned up.”
The session token space will probably become more important for attackers, who will still try to find ways to authenticate in the platforms. I think that’s the name of the game, and we’re not going to get around it in the near future. We’re starting to excise the credential threat from it, but I think that token threat will be one of those things that we’ll still be talking about five years from now.
Listen to more episodes of the Future of Security Operations podcast.