This is a non-exhaustive list of blogs, articles, conferences hosted, and other publications I've created or co-created.
This blog discusses how LinkedIn rebuilt its security operations platform and teams, scaled to protect nearly 20,000 employees and more than 875 million members, and our approach and strategy to achieve this objective. In subsequent posts, we will do a deep dive into how we built and scaled threat detection, improved asset visibility, and enhanced our ability to respond to incidents within minutes, with many lessons learned along the way.
While working with Cisco's CSIRT, I co-authored a blog post highlighting our encounter with a malspam campaign that misused the .IMG file extension. Following this, our team developed specific incident response rules. One rule, which had a minimal false-positive rate, identified malicious disk image files in user inboxes. Another tracked unusual activity tied to the registry assembly executable, a binary the Nanocore malware abuses. We also emphasized monitoring uncommon command executions. Our experience taught us three main lessons: the limitations of auto-mitigation tools, the challenges of implementing seemingly simple solutions like blocking extensions in diverse enterprises, and the importance of understanding attacker behavior (TTPs) over focusing solely on known threat indicators.
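The three rule ideas described above, as an added example in Python (my illustration for this page, not the Cisco CSIRT rules themselves): a disk-image attachment check, a RegAsm.exe behavior check, and an uncommon-command check run over constructed mail and process events. The event field names, the identification of the "registry assembly executable" as RegAsm.exe, the expected-parent baseline for it, the disk-image extensions beyond .IMG, and the uncommon-command list are all assumptions that would need tuning against a real estate's telemetry.

```python
"""Added example: a minimal rule set over constructed SIEM-style events.
Not code from the original post; field names and baselines are assumptions."""
from __future__ import annotations

import ntpath
import shlex

# ".img" is the extension the campaign abused; the other mountable image
# types are added here as an assumption about what the rule should cover.
DISK_IMAGE_EXTS = {".img", ".iso", ".vhd", ".vhdx"}

# Assumption: the "registry assembly executable" is RegAsm.exe, the .NET
# assembly registration tool. Parents it is legitimately launched from are
# an assumed baseline; build it from your own process telemetry.
REGASM = "regasm.exe"
REGASM_EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe", "msiexec.exe", "setup.exe"}

# Commands rarely run by ordinary users but common in hands-on-keyboard
# activity (assumed list, compared without the .exe suffix).
UNCOMMON_COMMANDS = {"whoami", "nltest", "quser", "vssadmin", "bcdedit", "wmic"}

# Constructed sample events (not real data).
MAIL_EVENTS = [
    {"recipient": "alice@example.com", "attachments": ["invoice_4471.img"]},
    {"recipient": "bob@example.com", "attachments": ["Q3 report.pdf"]},
    {"recipient": "carol@example.com", "attachments": ["photo.IMG.zip"]},  # final ext is .zip
]
PROCESS_EVENTS = [
    {   # RegAsm.exe spawned by PowerShell and talking to the network: two hits
        "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
        "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
        "network_connection": "203.0.113.10:443",
    },
    {   # RegAsm.exe launched by a build tool with no network activity: benign
        "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
        "parent_image": r"C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe",
        "command_line": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase lib.dll',
        "network_connection": None,
    },
    {   # Reconnaissance command from a shell: one hit
        "image": r"C:\Windows\System32\whoami.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": "whoami /all",
        "network_connection": None,
    },
    {   # Ordinary process: no hits
        "image": r"C:\Windows\explorer.exe",
        "parent_image": r"C:\Windows\System32\userinit.exe",
        "command_line": "explorer.exe",
        "network_connection": None,
    },
]


def attachment_is_disk_image(filename: str) -> bool:
    """True if the attachment's final extension is a mountable disk image."""
    return ntpath.splitext(filename.lower())[1] in DISK_IMAGE_EXTS


def check_mail(event: dict) -> list[str]:
    """Rule 1: disk-image attachments delivered to a user inbox."""
    return [
        f"disk-image attachment {name!r} delivered to {event['recipient']}"
        for name in event.get("attachments", [])
        if attachment_is_disk_image(name)
    ]


def _first_token(command_line: str) -> str:
    """Program name from a Windows command line, without path or .exe."""
    try:
        tokens = shlex.split(command_line, posix=False)  # keeps backslashes intact
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = command_line.split()
    if not tokens:
        return ""
    name = ntpath.basename(tokens[0].strip('"')).lower()
    return name[:-4] if name.endswith(".exe") else name


def check_process(event: dict) -> list[str]:
    """Rules 2 and 3: RegAsm.exe misuse and uncommon command execution."""
    alerts = []
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    if image == REGASM:
        if parent not in REGASM_EXPECTED_PARENTS:
            alerts.append(f"{REGASM} launched by unexpected parent {parent!r}")
        if event.get("network_connection"):
            alerts.append(f"{REGASM} opened a connection to {event['network_connection']}")
    cmd = _first_token(event.get("command_line", ""))
    if cmd in UNCOMMON_COMMANDS:
        alerts.append(f"uncommon command {cmd!r} run under {parent!r}")
    return alerts


def run_rules(mail_events: list[dict], process_events: list[dict]) -> list[str]:
    """Apply every rule and return the combined alert list."""
    alerts: list[str] = []
    for ev in mail_events:
        alerts.extend(check_mail(ev))
    for ev in process_events:
        alerts.extend(check_process(ev))
    return alerts


if __name__ == "__main__":
    for line in run_rules(MAIL_EVENTS, PROCESS_EVENTS):
        print(line)
```

The attachment check looks only at the final extension, so a `.IMG` name buried inside an archive is not flagged here; in practice that case is covered by unpacking attachments before the rule runs. The RegAsm.exe rule is deliberately behavioral (parent process and network activity) rather than hash-based, which is the TTP-over-indicator point the post makes.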
Presented at the SANS SIEM Summit on defining the right observability for security monitoring and how to apply data-collection principles to delivering security monitoring.
In the blog 'Cognitive Bias in Incident Response', I examine the pitfalls of overconfidence in cybersecurity incident response, highlighting the Dunning–Kruger (DK) effect. This cognitive bias leads some less-experienced analysts to mistakenly believe they possess superior skills. Drawing from the words of Charles Darwin and supported by the findings of Dunning and Kruger's studies, I illustrate how this misplaced confidence can manifest in the realm of IT security. Through a real-world scenario, the dangers of the DK effect become apparent, revealing that premature confidence can lead to incomplete threat analysis and responses. The article emphasizes the importance of standardized methodologies, comprehensive documentation, and continuous training to combat these biases.
Developed and delivered this presentation on enabling readiness and improving capabilities in the face of evolving threat profiles that require new approaches and new skillsets for incident response teams.
Developed and delivered this presentation at LACNIC 29 in Panama on cyber threat intelligence: how to apply its lessons to responding to incidents and how to enhance security monitoring playbooks to detect threat actors based on their known tactics, techniques, and procedures.
Developed and delivered this presentation at InterOp Japan on building a world-class security team, demonstrating our approaches to web filtering and intrusion detection.
Developed and delivered this presentation at both Security B-Sides Asheville and LACNIC/LACNOG 26 in Costa Rica on the threat of adware in enterprise networks and some of the more problematic cases I worked on while doing security monitoring and responding to threats. The presentation shows some of the tactics used and some of the research involved in preventing data loss and other damage from malicious or problematic advertising software.
Presented at, and for 10 years organized and hosted, the annual FIRST Technical Colloquium in Amsterdam, Netherlands. A decade of conference proceedings and trainings has produced hundreds of topical talks and presentations on threat actors, incident handling and management, threat research, malware analysis, threat intelligence, and many other information security topics. The FIRST TC in Amsterdam is the longest-running free security conference in the world.
Developed and delivered this presentation at several Cisco Live events in both the United States and Australia. This in-depth presentation covered the state of the art in web-based attacks at the time, including drive-by downloads and watering hole attacks, and detailed how to protect enterprises from such threats through HTTP/S inspection and creative web-based logging and monitoring. The Australia presentation earned a Distinguished Speaker Award for positive audience feedback.
Discussed enterprise-scale security observability for incident response and threat detection, and how to tailor it to each organization's unique requirements, on the Google Cloud Security Podcast.
Additional Links