Oct 2024 – Jun 2025 · 8 mos

• I lead the internal Security team that is responsible for securing Material's data and infrastructure and the Threat Research team which builds detection coverage across Google Workspace and Microsoft 365, which includes phishing, account takeover, and sensitive data exposure.
• Material maintains a strong internal security posture through the implementation of:
• Requiring the use of FIDO2 phishing-resistant authenticators for MFA
• Utilizing the least privilege principal combined with purpose-based account segregation
• Just-In-Time access controls for production and internal tooling (https://material.security/resources/reimagining-access-management-part-1)
• Extensive use of honeypots and custom monitoring and detection (https://material.security/resources/file-access-monitoring-with-osquery-weaponize-your-entire-macos-fleet-into-a-filesystem-based-honeypot)
• Requiring security review and approval for new browser extensions and OAuth applications

Aug 2022 – Oct 2024 · 2 yrs 2 mos

May 2021 – Aug 2022 · 1 yr 3 mos

Sep 2019 – May 2021 · 1 yr 8 mos

Jan 2017 – Sep 2019 · 2 yrs 8 mos

Aug 2015 – Dec 2016 · 1 yr 4 mos · San Francisco Bay Area

• Bootstrapping security monitoring infrastructure in a cloud-based network. Building and implementing novel detection mechanisms and leveraging security data to assist platform teams, fraud prevention, and internal investigations.
• Projects:
• Built and maintained the security team's Splunkcloud platform. Logstash-based log pipelines supply data to Splunk via Amazon S3 and Kafka. Custom monitoring notifies the team of any significant logging volume dropoff.
• Deployed osquery with a custom configuration to the entire production network and every OSX-based employee workstation. Automatic alerts created for adware/malware detection and anomalous activity. Contributed numerous OSX detection rules upstream to the core osquery project.
• Assisted with the push to get Uber using a "p=quarantine" DMARC policy from a "p=none" which had a drastic reduction on the amount of spammy and malicious email received by employees.
• Implemented custom Google Mail server-side rules to aid with the detection of "display name phishing" where attackers spoof the "Full name" field on an email account to appear to be an employee at the organization. Detection automatically notifies the Security Response team.
• Led multiple account takeover investigations with Uber's fraud team. Engaged with third-party vendors to obtain copies of leaked credential dumps in order to secure affected users on the Uber platform.
• Deployed a variety of physical and virtual honeypots including Canaries and HoneyTokens
• Build and contribute CarbonBlack detection rules to the team's internal rules repository
• Skills:
• Incident handling (IR, forensics, malware analysis)
• Internal investigations (leaks, theft, data abuse)
• Vulnerability management
• Stolen Credential Recovery and Analysis
• Building monitoring and detection infrastructure
• Honeypots
• Tooling:
• Splunk (usage and administration)
• Logstash
• Kafka
• CarbonBlack
• Google Apps Administration

Apr 2010 – Aug 2015 · 5 yrs 4 mos · San Francisco Bay Area

• Designing, building and maintaining systems to detect and monitor malicious and anomalous behavior. Modeling threat discovery around pragmatic and realistic threats. Responding to incidents with a sense of urgency and efficiency.
• Tooling:
• Splunk
• NetWitness
• Bit9
• FireEye (including custom backend scripting and logging)
• Maltego (including custom transform development)
• Nexpose
• Proofpoint
• Duo
• Language competencies:
• Shell scripting / parsing
• PHP / HACK
• Python
• In the Media:
• https://www.facebook.com/notes/protect-the-graph/keeping-passwords-secure/1519937431579736
• http://threatpost.com/facebook-tool-mines-stolen-passwords-notifies-affected-users/108901
• http://krebsonsecurity.com/2013/11/facebook-warns-users-after-adobe-breach/
• http://www.pcworld.com/article/2452080/facebook-kills-lecpetex-botnet-which-hit-250000-computers.html
• http://www.theguardian.com/technology/2012/feb/17/facebook-hacker-glenn-mangham-jailed