Cyber Legends: Inside the Mind of an Investigator
Liam O’Murchu reflects on two decades of investigations, ransomware’s rapid rise, and wins for the cybersecurity community
- Renowned defender Liam O’Murchu shares how experience guides innovation to answer the pressing needs of organizations worldwide.
- From helping uncover Stuxnet to leading Symantec’s Security Technology and Response team, Liam’s curiosity and dedication fueled key breakthroughs.
- Even as ransomware operations expand, visibility and collective intelligence are the most powerful ways for defenders and organizations to stay ahead.
In our last Cyber Legends interview, veteran STAR (Security Threat Analysis and Response) expert Mark Kennedy reflected on 35 years of building groundbreaking defenses to address emerging risks in cybersecurity.
This time, I had the opportunity to speak with Liam O’Murchu, a defender with more than two decades at Symantec and one of the key investigators behind the discovery of Stuxnet—the world’s first digital weapon targeting critical infrastructure.
From his early engineering days to leading global defense strategies at Symantec, Liam opens up about the evolution of ransomware threats, the GenAI innovations reshaping our defenses, and the mindset needed to stay ahead of the curve.
The early days
What stands out to you when you think about your first years at Symantec?
You know, there was a lot of excitement back then—a very fast-paced environment.
“From a threat actor point of view, the attackers were innovating and trying lots of different new things. It was exciting to be on the defensive side to see the next new crazy idea attackers would come up with.”
And of course, there was also the excitement of identifying your first attacker and working with law enforcement for the first time. Being able to lift the veil on these attack groups, see how they operate, follow them on their socials. Seriously, some of these attackers were not very smart and you could actually kind of see how they lived their life.
How has cybersecurity changed since then?
Back when I started, threats were usually some sort of silly thing like defacements or social media worms that kept the environment light-hearted. Today, everything’s fast-paced, and carries much higher stakes. With ransomware so prevalent and critical infrastructure being targeted, attacks can have life-or-death consequences.
Into the trenches
You’ve spent many years with Detection and Response. How’d you get into that side of cybersecurity?
Some people like puzzles, but I prefer investigations, because you may not even have a puzzle yet. You're looking at something, and you have to actually gather the evidence and discover what's really happening. You may only understand what a small part does at first, but as you go you come to realize it’s part of a much larger operation.
That takes critical thinking and weaving together the evidence to offer a compelling story when you’re still missing pieces. It’s something I find really satisfying. It's a grueling job if you don't love it, but I do.
What would you say was your most memorable high-profile investigation?
By far, the most memorable is Stuxnet, and I think that's proven by the fact that there was a documentary about it shortlisted for an Oscar. Plus a book. And multiple other documentaries. I mean, that was the threat that just kept on giving. So, of course, that stands out as the pinnacle but now, looking back on it years later, you can also see that it was a pivotal moment in the threat landscape.
“Before Stuxnet, we hadn't seen anything like that. We'd had some hints that governments were targeting other countries or critical infrastructure before, but this was the first time where we had hard evidence of what was going on.”
Once we discovered that, it took maybe a year or two for an avalanche of other threats from governments to come down. But to be the first to see that really made it stand out for me.
There’s also one particular case where I spent 13 years working alongside law enforcement to identify this group of hackers that were just constantly active. And there's this perception that the hackers always win and that there's very little we can do about that. But in reality we do see attackers getting arrested. It's a long, hard journey, and there are many obstacles, but it's very exciting and fulfilling when you get to see the full weight of justice come down on people who ruin other people's lives.
How have these experiences shaped your approach to building cybersecurity technologies?
Well, after years in the industry, you start to see patterns—ideas that have come around before, why they failed, and how they sometimes resurface in a new form. That perspective helps me vet new concepts more effectively and helps me recognize what’s truly innovative versus what might struggle in the real world, and guide my teams toward solutions that are not only creative but also practical and workable for customers.
The people, tech, and practices making a difference
You’ve previously mentioned being proud of Security Endpoint Complete’s Adaptive Protection—does that still ring true?
I strongly feel that if a customer is not using something as part of their day-to-day business, but an attacker could make use of that same thing, then that is a threat; customers should just not let it run. Too many general-purpose machines have unnecessary attack surfaces simply because customers aren’t using certain features or tools, but still keep them enabled, allowing attackers options to use them when needed.
“Often, customers don’t even know exactly which capabilities they use. That’s what Adaptive Protection helps solve—it clearly shows what's in use, what isn’t, and what attackers could exploit, providing actionable insight customers can apply immediately to improve their security posture.”
We’ve also integrated GenAI into our console to make that insight even more accessible. Customers can interact with their data naturally, easily ask questions about investigations, telemetry, or incidents in their environment, and get clear guidance. This not only enhances visibility but helps customers move faster, improving protection and deployment cycles while reducing effort—doing more, but less.
What would you say is one of the biggest challenges professionals face in the industry and what’s actually helping?
“Security professionals are inundated—there’s too much to do, not enough people, and the threats we’re seeing are extremely consequential.”
It’s a high-pressure environment with limited resources and growing complexity, so it’s critical we help teams prioritize and respond faster. That’s where our GenAI Security Assistant comes in. By bringing together visibility across firewalls, endpoints, and identity solutions into one place, analysts can focus on what actually matters. A powerful thing to have.
Layering GenAI on top of rich data, we can connect the dots between alerts and reveal when seemingly separate events are part of a larger attack. That unified intelligence reduces noise and empowers security teams to act quickly and confidently in an environment that demands both speed and precision.
What emerging attacks and behaviors are you most intrigued by?
Right now, the most interesting and consequential shift we’re seeing is how almost the entire threat landscape has gravitated toward ransomware. It’s become the dominant money-making engine for attackers, pulling in affiliates, brokers, and info-stealer operators who all feed into that ecosystem. Even many of the tools and techniques we see, like credential theft or cookie harvesting, are designed to fuel ransomware operations, and that’s what makes it so popular. They sell all the data they collect to other ransomware groups. It’s extraordinary how completely that model has taken over, and it continues to drive nearly all the innovation we see in the underground economy.
“To defend against these opportunistic, money-hungry ransomware groups, you’re going to need both strong fundamentals and broad visibility. That starts with knowing exactly what belongs in your environment, and just as importantly, what doesn’t.”
At Symantec we’ve focused on a wide breadth of solutions that excel at providing that baseline understanding, along with the ability to correlate telemetry across endpoints, identity, firewalls, and exfiltration events into a single investigation. That holistic view helps your SOC analysts connect seemingly small alerts into a larger story and respond quickly. When you can tie those threads together at speed, you dramatically improve your ability to detect, prioritize, and contain ransomware-driven attacks.
What’s something that’s helped you be a better defender and innovator?
“It might sound kind of boring, but reading—reading a lot, reading everything you can find.”
For me, staying curious and constantly reading has been one of the most valuable habits. There’s so much happening across security and technology—new threats, breaches, vulnerabilities, and innovations—that keeping up requires genuine interest and consistent learning. It’s important to understand your area deeply, but also to look up and see the bigger picture.
Your next move starts with the right intel
As ransomware actors continue to innovate at accelerating speeds, cybersecurity professionals need to stay informed on the trends, techniques, and groups slinking behind their defenses. At Symantec and Carbon Black, we keep global defenders informed and resilient with a wide selection of expert-driven resources created by those who live and breathe security.
From deep technical breakdowns to emerging threat insights—and the invaluable intelligence our Threat Hunters pilfer from the frontlines—our experts help you stay up to date on (and ahead of) the latest.
For more in-depth conversations like this, join me and Paul Mellinger for SECURITY.COM The Podcast, a show that bridges the gap between cutting-edge security tech and the humans who make it work.