Josh Liburdi
Employment
Brex. Staff Security Engineer. October 2020 - Present.
- Tech lead for Security Operations (Detection and Response, Corporate Security, Security Awareness)
- Defined Brex's approach to threat intelligence, threat detection, and incident response
- Provides technical guidance and mentorship to a team of 6 engineers
- Promoted to Staff Security Engineer in August 2023
- Created Substation, a cloud-native, event-driven data pipeline toolkit built for security teams
  - Formats, normalizes, and decorates all security event data to a common data model
  - Processes 4+ billion events per day, 99.5+% of data delivered within 3 minutes
  - Deploys pipelines to AWS Lambda and Kinesis in minutes using custom Terraform modules
- Led a cross-functional effort to enforce FIDO2 multifactor authentication (MFA) for 1,300+ employees
  - Set strategic and technical direction for a group of 10+ contributors across 4 teams
  - Increased FIDO2 enrollment from 15% to 99+% within 2.5 months
- Developed a custom alert management system that suppresses, deduplicates, and triages alerts
  - Reduced total alert volume by 25% within the first two weeks of operation using automation
- Designed and implemented Brex's in-house threat detection methodology and systems
  - Built using detection as code, including version control and continuous deployment in GitHub
  - Wrote 350+ custom detection signals and alerts based on threat actor tactics and techniques
- Owner of several initiatives and responsibilities within the Security organization
  - Multiple interview panels, including threat intelligence, threat detection, and code screen
  - Multiple domains on the multi-year roadmap, including threat intelligence and threat detection
  - Leads relationships with mission critical SIEM and SOAR vendors
Splunk. Senior Threat Hunter. September 2019 - October 2020.
- Created and led Splunk's Global Security threat hunting program
  - Focused on searching for security incidents across cloud and corporate environments
  - Operationalized program from ideation to production within 2 months
  - Defined program goals, objectives, and key performance indicators (KPIs)
  - Produced an average of 20 findings per month, including 15 new detection signatures each month
- Trained Security Operations Center (SOC) of 12+ analysts on threat hunting procedures
Target Corporation. Lead Threat Intel Detection Engineer. March 2017 - August 2019.
- Created Strelka, an enterprise static file analysis system written in Python & Go
  - Processes 300+ million files per day from nationally distributed endpoints and networks
- Led development of 1,800+ sensor network security monitoring (NSM) deployment
  - Developed rule delivery system that reduced deployment time from days to minutes
  - Developed packet capture retrieval system that reduced retrieval time from minutes to seconds
  - Developed framework for stable, high-volume file extraction (400+ files per second)
  - Provided technical leadership on migrating deployment from bare metal to containers
Sqrrl (acquired by Amazon / AWS). Security Technologist (Research). May 2016 - March 2017.
- Acted as a threat hunting subject matter expert for a startup of 50 people
- Led research focused on DNS that increased customer-facing detection analytics by 50%
- Regularly created, tested, and validated new threat hunting hypotheses and techniques across endpoint, network, and file data
CrowdStrike. Senior Consultant. June 2014 - April 2016.
- Performed threat hunting and incident investigation services for the Fortune 100
- Lead researcher and developer for CrowdStrike Services' NSM platform
- Built a custom, NSM-based threat hunting and investigation Splunk application
- Created and taught two threat hunting training courses (one publicly taught at Black Hat)
General Electric. Analyst (Detection Operations, CIRT). May 2013 - June 2014.
- Actively contributed to the removal of threat actors as part of an intelligence-driven CIRT
- Developed methods of validating, enriching, and scaling tens of thousands of indicators of compromise (IOCs) across the global enterprise
Education
Eastern Michigan University. Bachelor of Science, Information Assurance. April 2013.
Community Contributions
Open-Source Projects
- Substation (Brex, Creator/Lead)
- Strelka (Target, Creator)
- Bro/Zeek (ICSI, Contributor)
Presentations
- "Billions Served: Processing Security Event Logs with the AWS Serverless Stack". fwd:cloudsec, Jun. 2023.
- "Building Better Hunt Data". SANS Threat Hunting Summit, Oct. 2021.
- "Beyond AV: Detection-Oriented File Analysis". BSides San Francisco, Mar. 2019.
- "Beyond IDS: Practical Network Hunting". BSides New York, Jan. 2016.
Writing
- "Elevating Security Alert Management Using Automation". Medium, Jan. 2023.
- "Announcing Substation". Medium, Oct. 2022.
- "Structured and Task-Driven Threat Hunting". Medium, Mar. 2020.
- "Building Distributed, Scalable Python Apps". Medium, Jun. 2018.
- "Hunting for PowerShell Using Heatmaps". Medium, Jan. 2017.