Chris Witter, D&R Leader at Spotify, on Running Highly Effective Teams at Scale

In this episode, Jack Naglieri chats with Christopher Witter (aka Witter),Engineering Manager, Detection & Response at Spotify and a founding member and former lead for Crowdstrike’s Falcon OverWatch managed hunting service. 

Witter has nearly two decades of experience in incident response and information security, holding leadership roles on computer security and incident response teams (CSIRT) with both a top five global bank and a top ten defense contractor. 

During this episode, Chris shares his behind the scenes experiences helping build the Falcon Overwatch Team at Crowdstrike, why it’s critical to measure queries in seconds, not minutes, his tips on running highly effective D&R teams at scale, and more! 

Topics discussed:

• Witter’s experience as one of the first 100 people on the Falcon Overwatch Team at Crowdstrike 
• Why the Overwatch team didn’t follow traditional SOC mentalities 
• The various data sources Witter uses to improve accuracy and gather context 
• How D&R is like going to court – telling the story around Who, What, Where, Why, How, to prove beyond a reasonable doubt that this incident happened
• Why Witter measures in seconds, not minutes and why timescale is critical 
• Why it could be a mistake to choose cybersecurity tools based on financial capability and budget and what criteria should be considered instead
• Why Witter still believes in custom systems 
• Witter’s rule of thumb that if a human does the same thing 10x manually, it should be automated  
• Managing a remote D&R team and building psychological safety
• Witter’s advice for how others can get involved in the D&R community 
• His 3 pieces of advice to build a high-performing D&R team at scale, including a focus on ‘Jack of all trades’ people, avoiding distractions, and why it’s critical to capture everything to improve search.