Interviewer Question 1:
Your company processes 500 million events per day across a hybrid environment: AWS (primary), on-prem data centers (legacy), Azure (M365/identity). You have 200,000 endpoints (60% Windows, 30% Linux, 10% Mac), a globally distributed engineering org of 15,000 employees, and a SOC running 24/7 across 3 regions.
Your CISO walks in and says: “We just acquired a company with 50,000 employees. Their security posture is unknown. We need full detection coverage, integrated into our SIEM, with meaningful alerting — in 90 days. What do you build and how?”
Answer:
Phase 0: Day 1–7 — Threat Intelligence & Risk Scoping
Before touching a single tool, I need to answer: what is the blast radius if this acquisition is already compromised?
Immediately air-gap or firewall-segment the acquired network from production. No peering, no trust, zero by default.
Deploy read-only passive network sensors (Zeek/Suricata) at the interconnect boundary to baseline their traffic without disrupting operations.
Pull their AD/LDAP dump, analyze password policy, privileged group membership, stale accounts, and service accounts — this is your highest identity risk surface.
Request their existing vulnerability scan data, patch cadence, and any prior IR reports. If none exist, that tells you everything.
Assign a criticality tier to their asset inventory using a framework: revenue impact, data sensitivity (PII/PCI/IP), external exposure, and identity integration points.
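The AD/LDAP triage step above, as an added example that is not part of the original answer: a first pass over an exported account list that flags privileged membership, stale accounts, SPN-bearing service accounts with old passwords, and password-never-expires flags. The thresholds, group names, and sample records are assumptions.

```python
"""Added example (not from the original answer): first-pass triage of an AD/LDAP export as
described in Phase 0. Thresholds, group names and the sample records are assumptions."""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
STALE_AFTER = timedelta(days=90)         # assumption: 90 days without a logon = stale
SVC_PWD_MAX_AGE = timedelta(days=365)    # assumption: max age for a service-account password
ACCOUNTDISABLE, DONT_EXPIRE_PASSWD = 0x2, 0x10000   # userAccountControl bit flags


def triage(accounts, now):
    """Return (finding, sAMAccountName) pairs; disabled accounts are skipped."""
    findings = []
    for a in accounts:
        if a["userAccountControl"] & ACCOUNTDISABLE:
            continue
        name, privileged = a["sAMAccountName"], bool(PRIVILEGED_GROUPS & set(a.get("memberOf", ())))
        if privileged:
            findings.append(("privileged", name))
        if now - a["lastLogonTimestamp"] > STALE_AFTER:
            findings.append(("stale", name))
        if a.get("servicePrincipalName"):  # an SPN makes the account a Kerberoasting target
            if now - a["pwdLastSet"] > SVC_PWD_MAX_AGE:
                findings.append(("service-old-password", name))
            if privileged:
                findings.append(("service-privileged", name))
        if a["userAccountControl"] & DONT_EXPIRE_PASSWD:
            findings.append(("password-never-expires", name))
    return findings


def acct(name, uac, last_logon, pwd_set, groups=(), spn=None):
    return {"sAMAccountName": name, "userAccountControl": uac, "memberOf": list(groups),
            "lastLogonTimestamp": datetime.fromisoformat(last_logon),
            "pwdLastSet": datetime.fromisoformat(pwd_set), "servicePrincipalName": spn}


NOW = datetime(2024, 6, 1)
ACCOUNTS = [  # constructed sample export, not real data
    acct("jsmith", 0x200, "2024-05-28", "2024-03-01"),                                  # clean
    acct("svc_sql", 0x10200, "2024-05-30", "2019-02-14", ("Domain Admins",), "MSSQLSvc/db01"),
    acct("old_contractor", 0x200, "2023-11-02", "2023-06-01"),                           # stale
    acct("former_admin", 0x202, "2022-01-01", "2021-01-01", ("Domain Admins",)),        # disabled
]
```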
Phase 1: Day 7–30 — Instrumentation & Log Ingestion Architecture
You cannot detect what you cannot see. Instrumentation comes before detection.
Endpoint Coverage:
Deploy EDR (CrowdStrike/SentinelOne) across all 50,000 endpoints in passive/monitor mode first — no blocking until you understand their environment.
Target: 95% EDR coverage within 21 days, tracked as a daily KPI reported to CISO.
Log Ingestion Pipeline Design:
Acquired Endpoints/Servers
↓
Regional Log Collectors (Fluentd/Cribl) ← normalize & filter here
↓
Kafka (streaming buffer — handles burst, prevents SIEM overload)
↓
SIEM (Splunk/Chronicle/Elastic)
↓
Detection Layer (correlation rules + ML anomaly)
↓
SOAR (automated triage + ticketing)
Why Kafka in the middle? Because onboarding 50,000 new endpoints will create ingestion spikes. Kafka decouples collection from processing and prevents SIEM brownouts.
Log Sources Priority Order:
Identity logs — AD, SSO, MFA (highest attacker value)
EDR telemetry — process, network, file events
Network flows — firewall, DNS, proxy
Cloud logs — if they have AWS/Azure footprint
Server auth logs — Linux auditd, Windows Security Event Log
Application logs — later, after baseline is established
Phase 2: Day 30–60 — Detection Coverage Using MITRE ATT&CK
I don’t write random rules. I use ATT&CK Navigator to map coverage gaps and prioritize by techniques most commonly used in initial access and lateral movement — because that’s where an already-compromised acquisition will show up.
Immediate Detection Layer — Highest ROI Rules:
Technique                          MITRE ID    Detection Logic
Pass-the-Hash                      T1550.002   NTLM auth from non-standard hosts; event ID 4624 logon type 3 without Kerberos
Kerberoasting                      T1558.003   TGS requests for SPN accounts from non-service hosts
DCSync                             T1003.006   Replication requests from non-DC hosts via 4662 events
Living off the Land                T1218       LOLBin execution: mshta, wscript, certutil spawning network connections
Lateral Movement via WMI/PsExec    T1021       Remote service creation (event ID 7045), WMI consumer creation
Anomalous Cloud API calls          T1078.004   IAM calls from new IPs, regions, or user agents in CloudTrail
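As an added example that is not part of the original answer, three of the Windows-event rules in the table run as Python over constructed event records, each hit tagged with its ATT&CK ID. The DC list, the NTLM allow-list, and the sample events are assumptions.

```python
"""Added example (not from the original answer): three rules from the table above, tagged
with their ATT&CK IDs and run over constructed Windows event records. The DC list, the
NTLM allow-list and the sample events are assumptions made for this example."""
from datetime import datetime, timedelta

DCS = {"DC01", "DC02"}            # assumption: the acquired domain's controllers
NTLM_ALLOWED = {"LEGACY-APP01"}   # assumption: hosts expected to authenticate with NTLM
# Well-known control-access-right GUIDs for DS-Replication-Get-Changes(-All)
REPL_GUIDS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")


def detect(events):
    hits, net_logons = [], {}  # net_logons: Computer -> time of its latest type-3 logon
    for e in sorted(events, key=lambda x: x["t"]):
        eid, host = e["EventID"], e["Computer"]
        if eid == 4624 and e.get("LogonType") == 3:
            net_logons[host] = e["t"]  # remembered for the 7045 correlation below
            if e.get("AuthenticationPackageName") == "NTLM" \
                    and e["WorkstationName"] not in NTLM_ALLOWED:
                hits.append(("T1550.002", f"NTLM logon as {e['TargetUserName']} from {e['WorkstationName']}"))
        elif eid == 4662 and any(g in e.get("Properties", "") for g in REPL_GUIDS):
            # Legitimate replication is requested by another DC's machine account (DC02$)
            if e["SubjectUserName"].rstrip("$") not in DCS:
                hits.append(("T1003.006", f"replication by {e['SubjectUserName']} on {host}"))
        elif eid == 7045:
            # A service installed shortly after a network logon to the same host
            last = net_logons.get(host)
            if last is not None and e["t"] - last <= timedelta(minutes=5):
                secs = int((e["t"] - last).total_seconds())
                hits.append(("T1021", f"service {e['ServiceName']} on {host} {secs}s after net logon"))
    return hits


def ev(when, eid, host, **fields):
    return {"t": datetime.fromisoformat(when), "EventID": eid, "Computer": host, **fields}


EVENTS = [  # constructed sample records, not real telemetry; field names follow the Windows schema
    ev("2024-01-15T10:00:05", 4624, "FS01", LogonType=3, AuthenticationPackageName="NTLM",
       WorkstationName="LEGACY-APP01", TargetUserName="svc_app"),  # allow-listed source
    ev("2024-01-15T10:01:00", 4624, "FS01", LogonType=3, AuthenticationPackageName="NTLM",
       WorkstationName="WS-042", TargetUserName="admin"),
    ev("2024-01-15T10:01:30", 7045, "FS01", ServiceName="PSEXESVC"),
    ev("2024-01-15T10:02:00", 4662, "DC01", SubjectUserName="DC02$",
       Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),  # DC-to-DC replication
    ev("2024-01-15T10:02:30", 4662, "DC01", SubjectUserName="jdoe",
       Properties="{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    ev("2024-01-15T11:00:00", 7045, "WS-117", ServiceName="VendorUpdater"),  # no prior net logon
]
```

The 7045 rule is correlated with a preceding network logon on the same host because the event itself carries no source address; the 5-minute window is a tuning knob, not a fixed value.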
Detection Philosophy: I favor behavioral detections over signature detections at a ratio of roughly 70/30. Signatures break with every new malware variant. Behavior-based rules catch the technique regardless of tooling.
Phase 3: Day 60–90 — Validation, Tuning & Handoff
Run purple team exercises specifically against the acquired environment to validate detection coverage before declaring it production-ready.
Establish FP rate targets: no rule goes to production alerting if FP rate exceeds 5% — everything above that goes to a tuning queue.
Build a coverage scorecard mapped to ATT&CK: percentage of techniques with at least one validated detection. Present to CISO as a risk reduction metric.
Onboard acquired SOC analysts into your runbooks with a 2-week shadowing period before they handle alerts independently.
Business Impact Language for CISO/Board:
“We reduced the unmonitored attack surface from 50,000 endpoints to zero within 30 days. Detection coverage against the top 20 MITRE techniques associated with acquisition-related breaches is at 85% with a target of 95% by day 90. Estimated risk reduction in breach probability: 60% based on coverage delta.”
Interviewer Question 2:
Your vulnerability scanner finds a critical CVE on 3,000 servers in the acquired company. Patching will take 45 days minimum. But the business says those servers must be network-integrated in 10 days for the acquisition deal terms to close legally.
How do you architect compensating controls, and how do you communicate residual risk to the CISO without blocking the business — while ensuring you’re not creating a pivot path into your production environment?
